-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathsuricata.html
308 lines (307 loc) · 11.7 KB
/
suricata.html
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
<!DOCTYPE html>
<html lang="zh-CN">
<head>
<!-- 2023-01-06 Fri 19:33 -->
<meta charset="utf-8" />
<meta name="viewport" content="width=device-width, initial-scale=1" />
<title>使用suricata屏蔽APP</title>
<meta name="author" content="jamesarch" />
<meta name="generator" content="Org Mode" />
<style>
#content { max-width: 60em; margin: auto; }
.title { text-align: center;
margin-bottom: .2em; }
.subtitle { text-align: center;
font-size: medium;
font-weight: bold;
margin-top:0; }
.todo { font-family: monospace; color: red; }
.done { font-family: monospace; color: green; }
.priority { font-family: monospace; color: orange; }
.tag { background-color: #eee; font-family: monospace;
padding: 2px; font-size: 80%; font-weight: normal; }
.timestamp { color: #bebebe; }
.timestamp-kwd { color: #5f9ea0; }
.org-right { margin-left: auto; margin-right: 0px; text-align: right; }
.org-left { margin-left: 0px; margin-right: auto; text-align: left; }
.org-center { margin-left: auto; margin-right: auto; text-align: center; }
.underline { text-decoration: underline; }
#postamble p, #preamble p { font-size: 90%; margin: .2em; }
p.verse { margin-left: 3%; }
pre {
border: 1px solid #e6e6e6;
border-radius: 3px;
background-color: #f2f2f2;
padding: 8pt;
font-family: monospace;
overflow: auto;
margin: 1.2em;
}
pre.src {
position: relative;
overflow: auto;
}
pre.src:before {
display: none;
position: absolute;
top: -8px;
right: 12px;
padding: 3px;
color: #555;
background-color: #f2f2f299;
}
pre.src:hover:before { display: inline; margin-top: 14px;}
/* Languages per Org manual */
pre.src-asymptote:before { content: 'Asymptote'; }
pre.src-awk:before { content: 'Awk'; }
pre.src-authinfo::before { content: 'Authinfo'; }
pre.src-C:before { content: 'C'; }
/* pre.src-C++ doesn't work in CSS */
pre.src-clojure:before { content: 'Clojure'; }
pre.src-css:before { content: 'CSS'; }
pre.src-D:before { content: 'D'; }
pre.src-ditaa:before { content: 'ditaa'; }
pre.src-dot:before { content: 'Graphviz'; }
pre.src-calc:before { content: 'Emacs Calc'; }
pre.src-emacs-lisp:before { content: 'Emacs Lisp'; }
pre.src-fortran:before { content: 'Fortran'; }
pre.src-gnuplot:before { content: 'gnuplot'; }
pre.src-haskell:before { content: 'Haskell'; }
pre.src-hledger:before { content: 'hledger'; }
pre.src-java:before { content: 'Java'; }
pre.src-js:before { content: 'Javascript'; }
pre.src-latex:before { content: 'LaTeX'; }
pre.src-ledger:before { content: 'Ledger'; }
pre.src-lisp:before { content: 'Lisp'; }
pre.src-lilypond:before { content: 'Lilypond'; }
pre.src-lua:before { content: 'Lua'; }
pre.src-matlab:before { content: 'MATLAB'; }
pre.src-mscgen:before { content: 'Mscgen'; }
pre.src-ocaml:before { content: 'Objective Caml'; }
pre.src-octave:before { content: 'Octave'; }
pre.src-org:before { content: 'Org mode'; }
pre.src-oz:before { content: 'OZ'; }
pre.src-plantuml:before { content: 'Plantuml'; }
pre.src-processing:before { content: 'Processing.js'; }
pre.src-python:before { content: 'Python'; }
pre.src-R:before { content: 'R'; }
pre.src-ruby:before { content: 'Ruby'; }
pre.src-sass:before { content: 'Sass'; }
pre.src-scheme:before { content: 'Scheme'; }
pre.src-screen:before { content: 'Gnu Screen'; }
pre.src-sed:before { content: 'Sed'; }
pre.src-sh:before { content: 'shell'; }
pre.src-sql:before { content: 'SQL'; }
pre.src-sqlite:before { content: 'SQLite'; }
/* additional languages in org.el's org-babel-load-languages alist */
pre.src-forth:before { content: 'Forth'; }
pre.src-io:before { content: 'IO'; }
pre.src-J:before { content: 'J'; }
pre.src-makefile:before { content: 'Makefile'; }
pre.src-maxima:before { content: 'Maxima'; }
pre.src-perl:before { content: 'Perl'; }
pre.src-picolisp:before { content: 'Pico Lisp'; }
pre.src-scala:before { content: 'Scala'; }
pre.src-shell:before { content: 'Shell Script'; }
pre.src-ebnf2ps:before { content: 'ebfn2ps'; }
/* additional language identifiers per "defun org-babel-execute"
in ob-*.el */
pre.src-cpp:before { content: 'C++'; }
pre.src-abc:before { content: 'ABC'; }
pre.src-coq:before { content: 'Coq'; }
pre.src-groovy:before { content: 'Groovy'; }
/* additional language identifiers from org-babel-shell-names in
ob-shell.el: ob-shell is the only babel language using a lambda to put
the execution function name together. */
pre.src-bash:before { content: 'bash'; }
pre.src-csh:before { content: 'csh'; }
pre.src-ash:before { content: 'ash'; }
pre.src-dash:before { content: 'dash'; }
pre.src-ksh:before { content: 'ksh'; }
pre.src-mksh:before { content: 'mksh'; }
pre.src-posh:before { content: 'posh'; }
/* Additional Emacs modes also supported by the LaTeX listings package */
pre.src-ada:before { content: 'Ada'; }
pre.src-asm:before { content: 'Assembler'; }
pre.src-caml:before { content: 'Caml'; }
pre.src-delphi:before { content: 'Delphi'; }
pre.src-html:before { content: 'HTML'; }
pre.src-idl:before { content: 'IDL'; }
pre.src-mercury:before { content: 'Mercury'; }
pre.src-metapost:before { content: 'MetaPost'; }
pre.src-modula-2:before { content: 'Modula-2'; }
pre.src-pascal:before { content: 'Pascal'; }
pre.src-ps:before { content: 'PostScript'; }
pre.src-prolog:before { content: 'Prolog'; }
pre.src-simula:before { content: 'Simula'; }
pre.src-tcl:before { content: 'tcl'; }
pre.src-tex:before { content: 'TeX'; }
pre.src-plain-tex:before { content: 'Plain TeX'; }
pre.src-verilog:before { content: 'Verilog'; }
pre.src-vhdl:before { content: 'VHDL'; }
pre.src-xml:before { content: 'XML'; }
pre.src-nxml:before { content: 'XML'; }
/* add a generic configuration mode; LaTeX export needs an additional
(add-to-list 'org-latex-listings-langs '(conf " ")) in .emacs */
pre.src-conf:before { content: 'Configuration File'; }
table { border-collapse:collapse; }
caption.t-above { caption-side: top; }
caption.t-bottom { caption-side: bottom; }
td, th { vertical-align:top; }
th.org-right { text-align: center; }
th.org-left { text-align: center; }
th.org-center { text-align: center; }
td.org-right { text-align: right; }
td.org-left { text-align: left; }
td.org-center { text-align: center; }
dt { font-weight: bold; }
.footpara { display: inline; }
.footdef { margin-bottom: 1em; }
.figure { padding: 1em; }
.figure p { text-align: center; }
.equation-container {
display: table;
text-align: center;
width: 100%;
}
.equation {
vertical-align: middle;
}
.equation-label {
display: table-cell;
text-align: right;
vertical-align: middle;
}
.inlinetask {
padding: 10px;
border: 2px solid gray;
margin: 10px;
background: #ffffcc;
}
#org-div-home-and-up
{ text-align: right; font-size: 70%; white-space: nowrap; }
textarea { overflow-x: auto; }
.linenr { font-size: smaller }
.code-highlighted { background-color: #ffff00; }
.org-info-js_info-navigation { border-style: none; }
#org-info-js_console-label
{ font-size: 10px; font-weight: bold; white-space: nowrap; }
.org-info-js_search-highlight
{ background-color: #ffff00; color: #000000; font-weight: bold; }
.org-svg { }
</style>
<link rel="stylesheet" type="text/css" href="https://gongzhitaao.org/orgcss/org.css"/>
</head>
<body>
<div id="org-div-home-and-up">
<a accesskey="h" href="index.html"> UP </a>
|
<a accesskey="H" href="index.html"> HOME </a>
</div><div id="content" class="content">
<header>
<h1 class="title">使用suricata屏蔽APP</h1>
</header><nav id="table-of-contents" role="doc-toc">
<h2>目录</h2>
<div id="text-table-of-contents" role="doc-toc">
<ul>
<li><a href="#orge1a2832">原理</a></li>
<li><a href="#org2932347">具体操作</a>
<ul>
<li><a href="#org3b88ddb">安装suricata</a></li>
<li><a href="#org4ca0fa0">配置IDS模式</a></li>
<li><a href="#org15c7b57">编写规则文件</a></li>
</ul>
</li>
<li><a href="#org68d6377">缺点</a></li>
</ul>
</div>
</nav>
<div id="outline-container-orge1a2832" class="outline-2">
<h2 id="orge1a2832">原理</h2>
<div class="outline-text-2" id="text-orge1a2832">
<p>
suricata是一套IDS/IPS系统,因为需要实现一个拦截的功能,这里就需要使用到IPS模式,利用IPS来过滤数据包,从而实现拦截的方法。
</p>
</div>
</div>
<div id="outline-container-org2932347" class="outline-2">
<h2 id="org2932347">具体操作</h2>
<div class="outline-text-2" id="text-org2932347">
</div>
<div id="outline-container-org3b88ddb" class="outline-3">
<h3 id="org3b88ddb">安装suricata</h3>
<div class="outline-text-3" id="text-org3b88ddb">
<p>
这里以centos 7为例
</p>
<pre class="example">
yum install epel-release yum-plugin-copr
yum copr enable @oisf/suricata-latest
yum install suricata
</pre>
</div>
</div>
<div id="outline-container-org4ca0fa0" class="outline-3">
<h3 id="org4ca0fa0">配置IDS模式</h3>
<div class="outline-text-3" id="text-org4ca0fa0">
<p>
IDS模式有网卡过滤和NFQUEUE两种模式,这里使用NFQUEUE,也可以根据自身需求来选择,安装完成之后,需要使用iptables来创建对应的规则拦截所有流量
</p>
<pre class="example">
sudo iptables -A INPUT -j NFQUEUE --queue-bypass
sudo iptables -A OUTPUT -j NFQUEUE --queue-bypass
</pre>
<p>
这里的–queue-bypass选项是为了防止在流量没有进行处理的时候,不丢弃流量,从而影响正常的网络连接。
之后在/etc/sysconfig/suricata文件里面将OPTIONS的内容改为以下内容
</p>
<pre class="example">
OPTIONS="-q 0 --user suricata"
</pre>
<p>
-q 0的意思是处理NFQUEUE 0的所有内容
</p>
</div>
</div>
<div id="outline-container-org15c7b57" class="outline-3">
<h3 id="org15c7b57">编写规则文件</h3>
<div class="outline-text-3" id="text-org15c7b57">
<p>
在编写规则文件之前,需要运行suricata-update更新下默认的规则,之后将以下规覆盖入到/var/lib/suricata/suricata.yaml文件中
</p>
<pre class="example">
drop tcp any any <> any any (msg:"drop WeChat tcp 16 "; content:"|16 F1 04|"; sid:6;)
drop tcp any any <> any any (msg:"drop WeChat tcp 17 "; content:"|17 F1 04|"; sid:7;)
drop tcp any any <> any any (msg:"drop WeChat tcp 19 "; content:"|19 F1 04|"; sid:8;)
drop tcp any any <> any any (msg:"drop upgrade mmtls"; content:"Upgrade|3A| mmtls";nocase; sid:16;)
drop tcp any any <> any any (msg:"drop WeChat tcp UA"; content:"User-Agent|3A| MicroMessenger Client"; sid:5;)
drop tcp any any <> any any (msg:"drop qq start tcp";content:"|02|";startswith;content:"|03|";endswith;sid:10;)
drop udp any any <> any any (msg:"drop qq start udp";content:"|02|";startswith;content:"|03|";endswith;sid:11;)
drop tls any any -> any any (msg:"block wx.qq.com";tls.cert_subject;content:"wx.qq.com"; sid:18;)
</pre>
<p>
最后运行suricata -T检测规则是否合格,如果正常没报错的话,可以重启服务观察是否有拦截到流量
</p>
<pre class="example">
systemctl restart suricata
iptables -nvL #查看是否有流量经过
tail -f /var/log/suricata/fast.log #查看是否有对应的输出
</pre>
</div>
</div>
</div>
<div id="outline-container-org68d6377" class="outline-2">
<h2 id="org68d6377">缺点</h2>
<div class="outline-text-2" id="text-org68d6377">
<p>
经过测试在hyper-v环境下过滤100台左右的虚拟机会出现延迟高丢包的情况,猜测和网卡以及NFQUEUE性能有关。暂时没有深入研究原因
</p>
</div>
</div>
</div>
<div id="postamble" class="status">
<p class="author">作者: jamesarch</p>
<p class="date">Created: 2023-01-06 Fri 19:33</p>
</div>
</body>
</html>