10.3. snort.conf to suricata.yaml

This guide is for users who are familiar with Snort and the snort.conf configuration format. It provides, as far as possible, a 1:1 mapping between the Snort and Suricata configurations.

10.3.1. Variables

snort.conf

ipvar HOME_NET any
ipvar EXTERNAL_NET any
...

portvar HTTP_PORTS [80,81,311,591,593,901,1220,1414,1741,1830,2301,2381,2809,3128,3702,4343,4848,5250,7001,7145,7510,7777,7779,8000,8008,8014,8028,8080,8088,8090,8118,8123,8180,8181,8243,8280,8800,8888,8899,9000,9080,9090,9091,9443,9999,11371,55555]
portvar SHELLCODE_PORTS !80
...

suricata.yaml

vars:
  address-groups:

    HOME_NET: "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]"
    EXTERNAL_NET: "!$HOME_NET"

  port-groups:
    HTTP_PORTS: "80"
    SHELLCODE_PORTS: "!80"

Note that Suricata detects HTTP traffic automatically regardless of the port in use, so the HTTP_PORTS variable is less important than it is in Snort if a Suricata-enabled ruleset is used.
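To show the variable mapping above in practice, here is an added example (not part of the Suricata documentation or project) that reads ipvar/portvar lines from a constructed snort.conf fragment and renders the equivalent vars: section of suricata.yaml. It quotes every value, because "!", "$" and "[" are significant to a YAML parser when left bare; the sample snort.conf content is constructed for this example.

```python
import re

# Constructed snort.conf fragment (sample input, not from a real deployment).
SNORT_CONF = """\
ipvar HOME_NET [192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]
ipvar EXTERNAL_NET !$HOME_NET
portvar HTTP_PORTS [80,81,311,8080]
portvar SHELLCODE_PORTS !80
var RULE_PATH ../rules
"""

# ipvar/portvar NAME VALUE; plain "var" lines (paths etc.) are not address/port groups.
VAR_RE = re.compile(r"^\s*(ipvar|portvar)\s+(\w+)\s+(.+?)\s*$")


def parse_snort_vars(text):
    """Return (address_vars, port_vars) dicts from ipvar/portvar lines.

    Whitespace inside list values is removed so the result is valid in both
    Snort and Suricata syntax; other lines are ignored.
    """
    addr, ports = {}, {}
    for line in text.splitlines():
        m = VAR_RE.match(line)
        if not m:
            continue
        kind, name, value = m.groups()
        value = re.sub(r"\s+", "", value)
        (addr if kind == "ipvar" else ports)[name] = value
    return addr, ports


def to_suricata_vars(addr, ports):
    """Render the vars: section of suricata.yaml.

    Values are double-quoted: unquoted "!80" would be read as a YAML tag and
    "[80,81]" as a YAML flow sequence, so bare values would not survive parsing.
    """
    out = ["vars:", "  address-groups:"]
    out += [f'    {name}: "{value}"' for name, value in addr.items()]
    out.append("  port-groups:")
    out += [f'    {name}: "{value}"' for name, value in ports.items()]
    return "\n".join(out) + "\n"


def convert(snort_conf_text):
    """Convenience wrapper: snort.conf text in, suricata.yaml vars section out."""
    return to_suricata_vars(*parse_snort_vars(snort_conf_text))


if __name__ == "__main__":
    print(convert(SNORT_CONF))
```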

10.3.2. Decoder alerts

snort.conf

# Stop generic decode events:
config disable_decode_alerts

# Stop Alerts on experimental TCP options
config disable_tcpopt_experimental_alerts

# Stop Alerts on obsolete TCP options
config disable_tcpopt_obsolete_alerts

# Stop Alerts on T/TCP alerts
config disable_tcpopt_ttcp_alerts

# Stop Alerts on all other TCPOption type events:
config disable_tcpopt_alerts

# Stop Alerts on invalid ip options
config disable_ipopt_alerts

suricata.yaml

Suricata has no specific decoder options. All decoder-related alerts are controlled by rules. See the rules section below.

10.3.3. Checksum handling

snort.conf

config checksum_mode: all

suricata.yaml

Suricata's checksum handling works on-demand. The stream engine checks TCP and IP checksums by default:

stream:
  checksum-validation: yes      # reject wrong csums

Alerting on bad checksums can be done with normal rules. See the rules section, decoder-events.rules specifically.

10.3.4. Various configs

10.3.4.1. Active response

snort.conf

# Configure active response for non inline operation. For more information, see REAMDE.active
# config response: eth0 attempts 2

suricata.yaml

Active responses are handled automatically, without any configuration, if a rule with the "reject" action is used.

10.3.4.2. Dropping privileges

snort.conf

# Configure specific UID and GID to run snort as after dropping privs. For more information see snort -h command line options
#
# config set_gid:
# config set_uid:

suricata.yaml

To set the user and group, use the --user <username> and --group <groupname> command line options.

10.3.4.3. Snaplen

snort.conf

# Configure default snaplen. Snort defaults to MTU of in use interface. For more information see README
#
# config snaplen:
#

Suricata always works at full snap length to provide full visibility into the traffic.

10.3.4.4. BPF

snort.conf

# Configure default bpf_file to use for filtering what traffic reaches snort. For more information see snort -h command line options (-F)
#
# config bpf_file:
#

suricata.yaml

The BPF filter can be set with the "bpf-filter: <file>" YAML option in each packet acquisition method, and from a file using the -F command line option.

For example:

pcap:
  - interface: eth0
    #buffer-size: 16777216
    #bpf-filter: "tcp and port 25"
    #checksum-checks: auto
    #threads: 16
    #promisc: no
    #snaplen: 1518

10.3.5. Log directory

snort.conf

# Configure default log directory for snort to log to.  For more information see snort -h command line options (-l)
#
# config logdir:

suricata.yaml

default-log-dir: /var/log/suricata/

This value is overridden by the -l command line option.

10.3.6. Packet acquisition

snort.conf

# Configure DAQ related options for inline operation. For more information, see README.daq
#
# config daq: <type>
# config daq_dir: <dir>
# config daq_mode: <mode>
# config daq_var: <var>
#
# <type> ::= pcap | afpacket | dump | nfq | ipq | ipfw
# <mode> ::= read-file | passive | inline
# <var> ::= arbitrary <name>=<value passed to DAQ
# <dir> ::= path as to where to look for DAQ module so's

suricata.yaml

Suricata has all packet acquisition support built in. Its configuration format is very verbose.

pcap:
  - interface: eth0
    #buffer-size: 16777216
    #bpf-filter: "tcp and port 25"
    #checksum-checks: auto
    #threads: 16
    #promisc: no
    #snaplen: 1518
pfring:
afpacket:
nfq:
ipfw:

Passive vs. inline vs. reading files depends on how Suricata is invoked on the command line.

10.3.7. Rules

snort.conf:

In snort.conf, a rule path variable is set, along with variables for shared object (so) rules and preprocessor rules.

var RULE_PATH ../rules
var SO_RULE_PATH ../so_rules
var PREPROC_RULE_PATH ../preproc_rules

include $RULE_PATH/local.rules
include $RULE_PATH/emerging-activex.rules
...

suricata.yaml:

In suricata.yaml, the default rule path is set, followed by a list of rule files. Suricata has no concept of shared object rules or preprocessor rules. Instead of preprocessor rules, Suricata has several rule files for the events set by the decoder, stream engine, HTTP parser, etc.

default-rule-path: /etc/suricata/rules
rule-files:
 - local.rules
 - emerging-activex.rules

The equivalents of the preprocessor rules are loaded like normal rule files:

rule-files:
 - decoder-events.rules
 - stream-events.rules
 - http-events.rules
 - smtp-events.rules