Installing and Configuring Suricata On Centos 7
We need to install a kernel with support for high network throughput, so start by adding the ELRepo repository. Import the ELRepo signing key first so that rpm can verify the package signature instead of installing an unverified download fetched over plain HTTP.
rpm -ivh http://elrepo.org/linux/elrepo/el7/x86_64/RPMS/elrepo-release-7.0-2.el7.elrepo.noarch.rpm
Once the new kernel package from the elrepo-kernel repository is installed, it is better to clean the older kernels out of /boot and regenerate the GRUB configuration with the following command, then reboot into the new kernel.
grub2-mkconfig -o /boot/grub2/grub.cfg
reboot
Prerequisites:
CentOS 7 running Suricata, IP: 192.168.1.252
Debian Wheezy running Snorby, IP: 192.168.1.251
Debian Wheezy running Apache, IP: 192.168.1.250
Now we need to install the build dependencies for Suricata. First refresh the repository metadata, then fetch and unpack the Suricata source (2.0.7 here; for a new deployment take a current release from the OISF download page and check its published checksum rather than an unverified copy over plain HTTP).
yum check-update
cd /usr/src
wget http://wiki.douglasqsantos.com.br/Downloads/snort/suricata-2.0.7.tar.gz
tar -xvzf suricata-2.0.7.tar.gz
cd suricata-2.0.7
Now we need to configure the sources and compile Suricata as an IPS. For inline mode the build must be configured with NFQUEUE support (the --enable-nfqueue configure option, which needs the libnetfilter_queue development package installed). After make install, refresh the shared library cache.
ldconfig
If you have problems with the rules, the Emerging Threats open ruleset for this Suricata branch can be fetched and unpacked straight into /etc/suricata with the following command. Note that it is downloaded over plain HTTP with no integrity check, and that the suricata-2.0 directory is tied to that branch, so pick the one matching your version.
wget -qO - http://rules.emergingthreats.net/open/suricata-2.0/emerging.rules.tar.gz | tar -x -z -C "/etc/suricata/" -f -
vim /etc/suricata/suricata.yaml
[...]
- drop:
enabled: yes
[...]
- dns-log:
enabled: yes
[...]
#line 784
outputs:
- console:
enabled: yes
- file:
enabled: yes
http://wiki.douglasqsantos.com.br/ Printed on 2018/01/23 17:23
filename: /var/log/suricata/suricata.log
[...]
classification-file: /etc/suricata/rules/classification.config
reference-config-file: /etc/suricata/rules/reference.config
[...]
# Here we need to set up the networks in our company like below.
HOME_NET: "[192.168.1.0/24]"
[...]
host-os-policy:
# Make the default policy windows.
windows: [0.0.0.0/0]
bsd: []
bsd-right: []
old-linux: []
linux: [192.168.1.0/24, 192.168.1.252]
old-solaris: []
solaris: ["::1"]
hpux10: []
hpux11: []
irix: []
macos: []
vista: []
windows2k3: []
Now we need to adjust some kernel parameters so the box can cope with a large number of packets per second. The values written with echo below do not survive a reboot: persist the sysctl ones in a file under /etc/sysctl.d and the conntrack hashsize as a module option. Note what the last lines do: rp_filter=1 enables strict reverse-path filtering on every interface, disable_ipv6=1 on every interface makes the IPS blind to IPv6 rather than inspecting it, and nf_conntrack_helper=0 means the FTP helper modules loaded above only apply to flows you explicitly mark with a CT target rule.
modprobe ip_conntrack
modprobe ip_conntrack_ftp
modprobe ip_nat_ftp
echo 1000000 > /sys/module/nf_conntrack/parameters/hashsize
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
echo 1 > /proc/sys/net/ipv4/tcp_timestamps
echo 1 > /proc/sys/net/ipv4/ip_forward
echo 0 > /proc/sys/net/netfilter/nf_conntrack_tcp_loose
echo 2000000 > /proc/sys/net/netfilter/nf_conntrack_max
PSNI=/proc/sys/net/ipv4
for END in $PSNI/conf/*/rp_filter ; do echo 1 > $END ; done
echo 0 > /proc/sys/net/ipv4/icmp_echo_ignore_all
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
PSNI=/proc/sys/net/ipv6
for END in $PSNI/conf/*/disable_ipv6 ; do echo 1 > $END ; done
echo 0 > /proc/sys/net/netfilter/nf_conntrack_helper
Because the IPS sits inline, the network interface must not filter or coalesce packets itself: switch off the NIC offload features (with ethtool) so that every packet reaches Suricata as it appeared on the wire.
Now we need to redirect connections arriving on port 80 to the Apache server. This is done with a DNAT rule in the nat PREROUTING chain that rewrites the destination of incoming port 80 connections from the Suricata address to the Apache address, followed by a MASQUERADE rule for the network (the exact rules are in the firewall-start script further down). Masquerading is what forces the Apache replies back through the IPS when the server and its clients share one LAN, but it also hides the real client address from Apache's own logs.
Now on the Apache server we need to configure it to use the Suricata host as its default gateway.
Now we need to test the connection to the internet from the Apache server like this
ping 8.8.8.8
Now on the Suricata host follow the HTTP log and the EVE JSON log like this
tail -f /var/log/suricata/http.log
tail -f /var/log/suricata/eve.json
Then from another machine run a web scanner against the Suricata address (the Apache log further down shows the scan was Nikto 2.1.4). Because Suricata sees the flow both before and after NAT, every HTTP request shows up twice in eve.json: once as 192.168.1.254 -> 192.168.1.252 and once, with the same source port, as 192.168.1.252 -> 192.168.1.250. The ICMP alerts are decoder events for echo packets (and the replies mirroring them) carrying a code that is not defined for that type, which is why the built-in rule SURICATA ICMPv4 unknown code fires.
{"timestamp":"2015-04-13T17:11:31.308899","event_type":"http","src_ip":"192.168.1.254","src_port":34461,"dest_ip":"192.168.1.252","dest_port":80,"proto":"TCP","http":{"url":"\/","http_content_type":"text\/html","http_method":"GET","protocol":"HTTP\/1.0","status":"200","length":177}}
{"timestamp":"2015-04-13T17:11:31.308910","event_type":"http","src_ip":"192.168.1.252","src_port":34461,"dest_ip":"192.168.1.250","dest_port":80,"proto":"TCP","http":{"url":"\/","http_content_type":"text\/html","http_method":"GET","protocol":"HTTP\/1.0","status":"200","length":177}}
{"timestamp":"2015-04-13T17:11:31.310502","event_type":"fileinfo","src_ip":"192.168.1.250","src_port":80,"dest_ip":"192.168.1.252","dest_port":34461,"proto":"TCP","http":{"url":"\/"},"fileinfo":{"filename":"\/","state":"CLOSED","stored":false,"size":177}}
{"timestamp":"2015-04-13T17:11:31.310528","event_type":"fileinfo","src_ip":"192.168.1.252","src_port":80,"dest_ip":"192.168.1.254","dest_port":34461,"proto":"TCP","http":{"url":"\/"},"fileinfo":{"filename":"\/","state":"CLOSED","stored":false,"size":177}}
{"timestamp":"2015-04-13T17:11:32.011592","event_type":"alert","src_ip":"192.168.1.254","dest_ip":"192.168.1.252","proto":"ICMP","icmp_type":8,"icmp_code":9,"alert":{"action":"allowed","gid":1,"signature_id":2200025,"rev":1,"signature":"SURICATA ICMPv4 unknown code","category":"","severity":3}}
{"timestamp":"2015-04-13T17:11:32.011676","event_type":"alert","src_ip":"192.168.1.252","dest_ip":"192.168.1.254","proto":"ICMP","icmp_type":0,"icmp_code":9,"alert":{"action":"allowed","gid":1,"signature_id":2200025,"rev":1,"signature":"SURICATA ICMPv4 unknown code","category":"","severity":3}}
{"timestamp":"2015-04-13T17:11:32.287971","event_type":"alert","src_ip":"192.168.1.254","dest_ip":"192.168.1.252","proto":"ICMP","icmp_type":8,"icmp_code":9,"alert":{"action":"allowed","gid":1,"signature_id":2200025,"rev":1,"signature":"SURICATA ICMPv4 unknown code","category":"","severity":3}}
{"timestamp":"2015-04-13T17:11:32.288004","event_type":"alert","src_ip":"192.168.1.252","dest_ip":"192.168.1.254","proto":"ICMP","icmp_type":0,"icmp_code":9,"alert":{"action":"allowed","gid":1,"signature_id":2200025,"rev":1,"signature":"SURICATA ICMPv4 unknown code","category":"","severity":3}}
{"timestamp":"2015-04-13T17:11:32.538840","event_type":"alert","src_ip":"192.168.1.254","dest_ip":"192.168.1.252","proto":"ICMP","icmp_type":8,"icmp_code":9,"alert":{"action":"allowed","gid":1,"signature_id":2200025,"rev":1,"signature":"SURICATA ICMPv4 unknown code","category":"","severity":3}}
{"timestamp":"2015-04-13T17:11:32.538873","event_type":"alert","src_ip":"192.168.1.252","dest_ip":"192.168.1.254","proto":"ICMP","icmp_type":0,"icmp_code":9,"alert":{"action":"allowed","gid":1,"signature_id":2200025,"rev":1,"signature":"SURICATA ICMPv4 unknown code","category":"","severity":3}}
{"timestamp":"2015-04-13T17:11:32.790094","event_type":"alert","src_ip":"192.168.1.254","dest_ip":"192.168.1.252","proto":"ICMP","icmp_type":8,"icmp_code":9,"alert":{"action":"allowed","gid":1,"signature_id":2200025,"rev":1,"signature":"SURICATA ICMPv4 unknown code","category":"","severity":3}}
{"timestamp":"2015-04-13T17:11:32.790130","event_type":"alert","src_ip":"192.168.1.252","dest_ip":"192.168.1.254","proto":"ICMP","icmp_type":0,"icmp_code":9,"alert":{"action":"allowed","gid":1,"signature_id":2200025,"rev":1,"signature":"SURICATA ICMPv4 unknown code","category":"","severity":3}}
{"timestamp":"2015-04-13T17:11:34.779427","event_type":"alert","src_ip":"192.168.1.254","dest_ip":"192.168.1.252","proto":"ICMP","icmp_type":8,"icmp_code":9,"alert":{"action":"allowed","gid":1,"signature_id":2200025,"rev":1,"signature":"SURICATA ICMPv4 unknown code","category":"","severity":3}}
{"timestamp":"2015-04-13T17:11:34.779493","event_type":"alert","src_ip":"192.168.1.252","dest_ip":"192.168.1.254","proto":"ICMP","icmp_type":0,"icmp_code":9,"alert":{"action":"allowed","gid":1,"signature_id":2200025,"rev":1,"signature":"SURICATA ICMPv4 unknown code","category":"","severity":3}}
{"timestamp":"2015-04-13T17:11:42.184192","event_type":"alert","src_ip":"192.168.1.254","dest_ip":"192.168.1.252","proto":"ICMP","icmp_type":8,"icmp_code":9,"alert":{"action":"allowed","gid":1,"signature_id":2200025,"rev":1,"signature":"SURICATA ICMPv4 unknown code","category":"","severity":3}}
{"timestamp":"2015-04-13T17:11:42.184238","event_type":"alert","src_ip":"192.168.1.252","dest_ip":"192.168.1.254","proto":"ICMP","icmp_type":0,"icmp_code":9,"alert":{"action":"allowed","gid":1,"signature_id":2200025,"rev":1,"signature":"SURICATA ICMPv4 unknown code","category":"","severity":3}}
{"timestamp":"2015-04-13T17:11:42.514244","event_type":"alert","src_ip":"192.168.1.254","dest_ip":"192.168.1.252","proto":"ICMP","icmp_type":8,"icmp_code":9,"alert":{"action":"allowed","gid":1,"signature_id":2200025,"rev":1,"signature":"SURICATA ICMPv4 unknown code","category":"","severity":3}}
{"timestamp":"2015-04-13T17:11:42.514282","event_type":"alert","src_ip":"192.168.1.252","dest_ip":"192.168.1.254","proto":"ICMP","icmp_type":0,"icmp_code":9,"alert":{"action":"allowed","gid":1,"signature_id":2200025,"rev":1,"signature":"SURICATA ICMPv4 unknown code","category":"","severity":3}}
{"timestamp":"2015-04-13T17:11:44.588082","event_type":"alert","src_ip":"192.168.1.254","dest_ip":"192.168.1.252","proto":"ICMP","icmp_type":8,"icmp_code":9,"alert":{"action":"allowed","gid":1,"signature_id":2200025,"rev":1,"signature":"SURICATA ICMPv4 unknown code","category":"","severity":3}}
{"timestamp":"2015-04-13T17:11:44.588140","event_type":"alert","src_ip":"192.168.1.252","dest_ip":"192.168.1.254","proto":"ICMP","icmp_type":0,"icmp_code":9,"alert":{"action":"allowed","gid":1,"signature_id":2200025,"rev":1,"signature":"SURICATA ICMPv4 unknown code","category":"","severity":3}}
{"timestamp":"2015-04-13T17:11:44.838373","event_type":"alert","src_ip":"192.168.1.254","dest_ip":"192.168.1.252","proto":"ICMP","icmp_type":8,"icmp_code":9,"alert":{"action":"allowed","gid":1,"signature_id":2200025,"rev":1,"signature":"SURICATA ICMPv4 unknown code","category":"","severity":3}}
{"timestamp":"2015-04-13T17:11:44.838415","event_type":"alert","src_ip":"192.168.1.252","dest_ip":"192.168.1.254","proto":"ICMP","icmp_type":0,"icmp_code":9,"alert":{"action":"allowed","gid":1,"signature_id":2200025,"rev":1,"signature":"SURICATA ICMPv4 unknown code","category":"","severity":3}}
{"timestamp":"2015-04-13T17:11:45.017505","event_type":"alert","src_ip":"192.168.1.254","dest_ip":"192.168.1.252","proto":"ICMP","icmp_type":8,"icmp_code":9,"alert":{"action":"allowed","gid":1,"signature_id":2200025,"rev":1,"signature":"SURICATA ICMPv4 unknown code","category":"","severity":3}}
{"timestamp":"2015-04-13T17:11:45.017541","event_type":"alert","src_ip":"192.168.1.252","dest_ip":"192.168.1.254","proto":"ICMP","icmp_type":0,"icmp_code":9,"alert":{"action":"allowed","gid":1,"signature_id":2200025,"rev":1,"signature":"SURICATA ICMPv4 unknown code","category":"","severity":3}}
{"timestamp":"2015-04-13T17:11:45.244572","event_type":"alert","src_ip":"192.168.1.254","dest_ip":"192.168.1.252","proto":"ICMP","icmp_type":8,"icmp_code":9,"alert":{"action":"allowed","gid":1,"signature_id":2200025,"rev":1,"signature":"SURICATA ICMPv4 unknown code","category":"","severity":3}}
{"timestamp":"2015-04-13T17:11:45.244597","event_type":"alert","src_ip":"192.168.1.252","dest_ip":"192.168.1.254","proto":"ICMP","icmp_type":0,"icmp_code":9,"alert":{"action":"allowed","gid":1,"signature_id":2200025,"rev":1,"signature":"SURICATA ICMPv4 unknown code","category":"","severity":3}}
{"timestamp":"2015-04-13T17:11:45.792743","event_type":"http","src_ip":"192.168.1.254","src_port":34475,"dest_ip":"192.168.1.252","dest_port":80,"proto":"TCP","http":{"hostname":"192.168.1.252","url":"\/","http_user_agent":"Mozi
We can check on the Apache server too that it received a flood of requests. Note that every request is logged with 192.168.1.252 as the client: the MASQUERADE rule rewrites the source address of the forwarded traffic, so the web server's own log no longer identifies the real client and attribution has to come from Suricata's logs.
tail -f /var/log/apache2/access.log
192.168.1.252 - - [13/Apr/2015:17:08:44 -0300] "GET /cgi-915/c32web.exe/GetImage?ImageName=CustomerEmail.txt%00.pdf HTTP/1.1" 404 543 "-" "Mozilla/4.75 (Nikto/2.1.4) (Evasions:None) (Test:003581)"
192.168.1.252 - - [13/Apr/2015:17:08:44 -0300] "GET /bin/c32web.exe/GetImage?ImageName=CustomerEmail.txt%00.pdf HTTP/1.1" 404 539 "-" "Mozilla/4.75 (Nikto/2.1.4) (Evasions:None) (Test:003581)"
192.168.1.252 - - [13/Apr/2015:17:08:44 -0300] "GET /cgi/c32web.exe/GetImage?ImageName=CustomerEmail.txt%00.pdf HTTP/1.1" 404 539 "-" "Mozilla/4.75 (Nikto/2.1.4) (Evasions:None) (Test:003581)"
192.168.1.252 - - [13/Apr/2015:17:08:44 -0300] "GET /mpcgi/c32web.exe/GetImage?ImageName=CustomerEmail.txt%00.pdf HTTP/1.1" 404 541 "-" "Mozilla/4.75 (Nikto/2.1.4) (Evasions:None) (Test:003581)"
192.168.1.252 - - [13/Apr/2015:17:08:44 -0300] "GET /cgi-bin/c32web.exe/GetImage?ImageName=CustomerEmail.txt%00.pdf HTTP/1.1" 404 543 "-" "Mozilla/4.75 (Nikto/2.1.4) (Evasions:None) (Test:003581)"
192.168.1.252 - - [13/Apr/2015:17:08:44 -0300] "GET /ows-bin/c32web.exe/GetImage?ImageName=CustomerEmail.txt%00.pdf HTTP/1.1" 404 543 "-" "Mozilla/4.75 (Nikto/2.1.4) (Evasions:None) (Test:003581)"
192.168.1.252 - - [13/Apr/2015:17:08:44 -0300] "GET /cgi-sys/c32web.exe/GetImage?ImageName=CustomerEmail.txt%00.pdf HTTP/1.1" 404 543 "-" "Mozilla/4.75 (Nikto/2.1.4) (Evasions:None) (Test:003581)"
192.168.1.252 - - [13/Apr/2015:17:08:44 -0300] "GET /cgi-local/c32web.exe/GetImage?ImageName=CustomerEmail.txt%00.pdf HTTP/1.1" 404 545 "-" "Mozilla/4.75 (Nikto/2.1.4) (Evasions:None) (Test:003581)"
(Test:003589)"
192.168.1.252 - - [13/Apr/2015:17:08:44 -0300] "GET /webservices/IlaWebServices HTTP/1.1" 404 541 "-" "Mozilla/4.75 (Nikto/2.1.4) (Evasions:None) (Test:003590)"
192.168.1.252 - - [13/Apr/2015:17:08:44 -0300] "GET /SoundBridgeStatus.html HTTP/1.1" 404 537 "-" "Mozilla/4.75 (Nikto/2.1.4) (Evasions:None) (Test:003591)"
192.168.1.252 - - [13/Apr/2015:17:08:44 -0300] "GET /CFIDE/componentutils/cfcexplorer.cfc HTTP/1.1" 404 551 "-" "Mozilla/4.75 (Nikto/2.1.4) (Evasions:None) (Test:003592)"
192.168.1.252 - - [13/Apr/2015:17:08:44 -0300] "GET /phone/ HTTP/1.1" 404 521 "-" "Mozilla/4.75 (Nikto/2.1.4) (Evasions:None) (Test:003593)"
192.168.1.252 - - [13/Apr/2015:17:08:44 -0300] "GET /Host/Portals/tabid/19/ctl/Login/portalid/0/Default.aspx HTTP/1.1" 404 570 "-" "Mozilla/4.75 (Nikto/2.1.4) (Evasions:None) (Test:003594)"
192.168.1.252 - - [13/Apr/2015:17:08:44 -0300] "GET /jsp-examples/jsp2/jspx/textRotate.jspx?name=<script>alert(111)</script> HTTP/1.1" 404 553 "-" "Mozilla/4.75 (Nikto/2.1.4) (Evasions:None) (Test:003595)"
192.168.1.252 - - [13/Apr/2015:17:08:44 -0300] "GET /jsp-examples/jsp2/el/implicit-objects.jsp?foo=<script>alert(112)</script> HTTP/1.1" 404 556 "-" "Mozilla/4.75 (Nikto/2.1.4) (Evasions:None) (Test:003596)"
192.168.1.252 - - [13/Apr/2015:17:08:44 -0300] "GET /jsp-examples/jsp2/el/functions.jsp?foo=<script>alert(113)</script> HTTP/1.1" 404 549 "-" "Mozilla/4.75 (Nikto/2.1.4) (Evasions:None) (Test:003597)"
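The double logging in the eve.json excerpt above, together with the Apache log showing 192.168.1.252 as the client of every request, means the real client of the inner, post-NAT leg has to be recovered from the outer leg. The following shell function is an added example and not part of the original page: it walks eve.json once, remembers which client owns each source port on the outer leg (client -> 192.168.1.252:80), and re-attributes the inner-leg events (192.168.1.252 -> 192.168.1.250) to that client. The sample records are constructed from the output above; the alert with sid 1000001 and the flow on port 40000 are made up to show one attributed and one unattributed case.

```shell
#!/bin/bash
# Added example (not from the page): re-attribute post-NAT eve.json events to
# the real client. Usage: eve_attribute IPS_IP WEB_IP < /var/log/suricata/eve.json
# Output columns: timestamp event_type client src_port dest_ip ("?" = no outer leg seen)
set -u

eve_attribute() {
  awk -v ips="$1" -v web="$2" '
    # Pull a string or number value out of a single-line EVE record by key.
    # Good enough for the flat top-level keys used here; it is not a JSON parser.
    function jget(line, key,    re, v) {
      re = "\"" key "\":(\"[^\"]*\"|[0-9]+)"
      if (match(line, re) == 0) return ""
      v = substr(line, RSTART + length(key) + 3, RLENGTH - length(key) - 3)
      gsub(/"/, "", v)
      return v
    }
    {
      et  = jget($0, "event_type"); ts = jget($0, "timestamp")
      sip = jget($0, "src_ip");     sp = jget($0, "src_port")
      dip = jget($0, "dest_ip");    dp = jget($0, "dest_port")
      # Outer leg: client -> IPS:80 before DNAT. The source port survives
      # MASQUERADE unless it collides, so it is the join key.
      if (dip == ips && dp == "80" && sip != ips) { client[sp] = sip; next }
      # Inner leg: IPS -> web server after DNAT + MASQUERADE.
      if (sip == ips && dip == web) {
        c = (sp in client) ? client[sp] : "?"
        printf "%s %s %s %s %s\n", ts, et, c, sp, dip
      }
    }'
}

# Constructed sample, adapted from the eve.json excerpt on this page; the
# sid 1000001 alert and the port-40000 flow are invented for the demo.
SAMPLE_EVE='{"timestamp":"2015-04-13T17:11:31.308899","event_type":"http","src_ip":"192.168.1.254","src_port":34461,"dest_ip":"192.168.1.252","dest_port":80,"proto":"TCP","http":{"url":"\/","http_method":"GET","status":"200","length":177}}
{"timestamp":"2015-04-13T17:11:31.308910","event_type":"http","src_ip":"192.168.1.252","src_port":34461,"dest_ip":"192.168.1.250","dest_port":80,"proto":"TCP","http":{"url":"\/","http_method":"GET","status":"200","length":177}}
{"timestamp":"2015-04-13T17:11:45.792743","event_type":"http","src_ip":"192.168.1.254","src_port":34475,"dest_ip":"192.168.1.252","dest_port":80,"proto":"TCP","http":{"hostname":"192.168.1.252","url":"\/"}}
{"timestamp":"2015-04-13T17:11:45.800000","event_type":"alert","src_ip":"192.168.1.252","src_port":34475,"dest_ip":"192.168.1.250","dest_port":80,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":1000001,"rev":1,"signature":"LOCAL constructed web scanner alert","category":"","severity":2}}
{"timestamp":"2015-04-13T17:11:50.000000","event_type":"alert","src_ip":"192.168.1.252","src_port":40000,"dest_ip":"192.168.1.250","dest_port":80,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":1000001,"rev":1,"signature":"LOCAL constructed web scanner alert","category":"","severity":2}}'

case "${1:-}" in
  demo) printf '%s\n' "$SAMPLE_EVE" | eve_attribute 192.168.1.252 192.168.1.250 ;;
esac
```

Run it with the demo argument to see the three inner-leg records, two of them mapped back to 192.168.1.254 and the orphan on port 40000 marked with "?". The join is on the source port only, which is exact for the flat test LAN on this page as long as MASQUERADE keeps the port; when the masquerade has to pick a different port because of a collision, the inner leg stays unattributed rather than being guessed.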
Now let's put Suricata to work as an IPS. For this test only, widen the network variables in the main configuration file so that every rule matches regardless of direction; in production keep HOME_NET set to your own networks and EXTERNAL_NET to !$HOME_NET, otherwise rules lose their direction sense and the false positive rate goes up.
vim /etc/suricata/suricata.yaml
[...]
HOME_NET: "any"
#HOME_NET: "[192.168.1.0/24]"
EXTERNAL_NET: "any"
#EXTERNAL_NET: "!$HOME_NET"
Now we need to start Suricata in inline (IPS) mode, reading packets from NFQUEUE queue 0 and running as a daemon, like this
suricata -c /etc/suricata/suricata.yaml -q 0 -D
Now we need to redirect all port 80 traffic into that queue; Suricata then processes every packet and decides what happens to it (these are the NFQUEUE rules in the firewall-start script further down). Keep in mind that the kernel drops any packet queued to NFQUEUE while no process is listening on that queue, so this setup fails closed if Suricata dies, unless the rules are written with --queue-bypass.
Now run the test attack from another machine against the Suricata address again.
As we can see in fast.log, the alerts now carry the [Drop] prefix, which indicates the packet was dropped and never forwarded to the Apache server, and drop.log lists the dropped packets.
If we check the Apache log files now we see far fewer requests than in the run without the IPS.
tail -f /var/log/apache2/access.log
Testing ddos.
Barnyard2 will feed the Snorby database with the alerts; it has to be installed on the Suricata server. It reads Suricata's unified2 output, so the unified2-alert output must be enabled in suricata.yaml (its default file name, unified2.alert, is what the -f option below refers to).
cd /usr/src
wget -c http://wiki.douglasqsantos.com.br/Downloads/ips/barnyard2-1.9.tar.gz
tar -zxf barnyard2-1.9.tar.gz && cd barnyard2-1.9
mkdir /var/log/barnyard2
vim /etc/suricata/barnyard2.conf
[...]
config reference_file: /etc/suricata/rules/reference.config
config classification_file: /etc/suricata/rules/classification.config
config gen_file: /etc/suricata/rules/gen-msg.map
config sid_file: /etc/suricata/rules/sid-msg.map
[...]
config hostname: ips01
config interface: enp0s3
[...]
output alert_fast
# Add the line below at the end of the file and change the values as needed.
# The database password sits in this file in clear text, so keep the file
# readable by root only; barnyard2 also talks to MySQL on 192.168.1.251 without
# TLS, so restrict the snorby database account to this host's address.
output database: log, mysql, user=snorby password=senha dbname=snorby host=192.168.1.251
suricata -c /etc/suricata/suricata.yaml -q 0 -D
barnyard2 -c /etc/suricata/barnyard2.conf -d /var/log/suricata -f unified2.alert -w /var/log/suricata/suricata.waldo -D
Now we need to kill the Suricata and barnyard2 processes started by hand, since from here on systemd manages them. Next we create the unit files for systemd and enable suricata and barnyard2 through them. Check the ExecStart paths: a default source build installs the binaries under /usr/local/bin, not /usr/bin as the units below assume (the barnyard2 sysconfig comment further down refers to /usr/local/bin/barnyard2).
vim /usr/lib/systemd/system/suricata.service
[Unit]
Description=Suricata Intrusion Detection Service
After=syslog.target network.target auditd.service
[Service]
ExecStart=/usr/bin/suricata -c /etc/suricata/suricata.yaml $OPTIONS
EnvironmentFile=-/etc/sysconfig/suricata
[Install]
WantedBy=multi-user.target
vim /etc/sysconfig/suricata
# The following parameters are the most commonly needed to configure
# suricata. A full list can be seen by running /sbin/suricata --help
# -i <network interface device>
# --user <acct name>
# --group <group name>
#
# Add options to be passed to the daemon
OPTIONS="-q 0 "
We can display the services currently running with the following command
systemd-cgls -l
vim /usr/lib/systemd/system/barnyard2.service
[Unit]
Description=Barnyard2 Spooler Service
After=syslog.target suricata.service
[Service]
ExecStart=/usr/bin/barnyard2 -c /etc/suricata/barnyard2.conf -d /var/log/suricata \
  -f unified2.alert -w /var/log/suricata/suricata.waldo $OPTIONS
EnvironmentFile=-/etc/sysconfig/barnyard2
[Install]
WantedBy=multi-user.target
vim /etc/sysconfig/barnyard2
# The following parameters are the most commonly needed to configure
# barnyard2. A full list can be seen by running /usr/local/bin/barnyard2 --help
vim /usr/lib/systemd/system/firewall.service
[Unit]
Description=Firewall ConfiServ
After=barnyard2.service
[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/etc/firewall/firewall-start
ExecStop=/etc/firewall/firewall-stop
[Install]
WantedBy=multi-user.target
Now we need to create the directory that will hold the firewall scripts, like this
mkdir /etc/firewall
vim /etc/firewall/firewall-start
#!/bin/bash
### Cleaning up
iptables -t filter -F
iptables -t filter -X
iptables -t nat -F
iptables -t nat -X
iptables -t raw -F
iptables -t raw -X
### INPUT
# Policy DROP with no accept rules: nothing reaches the host itself, not even
# loopback or the replies to its own outbound connections (see the note below)
iptables -P INPUT DROP
iptables -t filter -A INPUT -m state --state INVALID -j DROP
### NAT
# Publish Apache (192.168.1.250) on the Suricata address; the MASQUERADE rule
# then rewrites the source of everything forwarded from the LAN, which is why
# Apache logs 192.168.1.252 as the client
iptables -t nat -A PREROUTING -d 192.168.1.252 -p tcp --dport 80 -j DNAT --to 192.168.1.250
iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -j MASQUERADE
### FORWARD
# Both directions of the web flow are handed to Suricata on queue 0 (suricata -q 0);
# anything else forwarded is dropped
iptables -P FORWARD DROP
iptables -t filter -A FORWARD -p tcp -m tcp --dport 80 -j NFQUEUE --queue-num 0
iptables -t filter -A FORWARD -p tcp -m tcp --sport 80 -j NFQUEUE --queue-num 0
vim /etc/firewall/firewall-stop
#!/bin/bash
iptables -t filter -F
iptables -t filter -X
# flush the nat table as well, otherwise the DNAT/MASQUERADE rules survive a stop
iptables -t nat -F
iptables -t nat -X
iptables -t raw -F
iptables -t raw -X
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
Now we need to set the execute permission on our scripts like this
chmod +x /etc/firewall/firewall*
Note: be aware that when you start the service your SSH session will be cut off, because the INPUT policy is DROP and the script accepts nothing for the host itself. That makes sure every connection on port 80 passes through Suricata, but it also drops loopback traffic and the replies to the host's own outbound connections, including barnyard2's session to the MySQL server on 192.168.1.251, so add loopback and ESTABLISHED,RELATED accept rules before using this outside a test box.
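The script below is an added example, not the page's firewall-start: it builds the same inline-IPS rule set but closes the gaps just noted (loopback, return traffic, management SSH), confines the blanket MASQUERADE to the outside interface, and makes the fail-open/fail-closed behaviour of the NFQUEUE rules an explicit choice. The interface name eth0, the SSH port, and the FLAT_LAN, FAIL_OPEN and DRY_RUN switches are assumptions for the example. FLAT_LAN=1 reproduces the page's test topology, where Apache shares the LAN with its clients and the inner leg has to be masqueraded or the server answers the client directly and bypasses the IPS; the example narrows that masquerade to the DNATed web traffic instead of the whole LAN.

```shell
#!/bin/bash
# Added example, not the page's firewall-start. Run as "firewall-start apply"
# on the IPS, or "firewall-start dry-run" to print the rules without touching
# iptables. Interface names, SSH port and the switches below are assumptions.
set -u
IPS_IP=${IPS_IP:-192.168.1.252}     # Suricata host (from the page)
WEB_IP=${WEB_IP:-192.168.1.250}     # Apache host behind the IPS (from the page)
LAN_NET=${LAN_NET:-192.168.1.0/24}  # HOME_NET (from the page)
EXT_IF=${EXT_IF:-eth0}              # assumption: interface toward the internet
SSH_PORT=${SSH_PORT:-22}            # assumption: management SSH port
QUEUE=${QUEUE:-0}                   # must match "suricata -q 0"
FAIL_OPEN=${FAIL_OPEN:-0}           # 1 = --queue-bypass: pass traffic if Suricata is down
FLAT_LAN=${FLAT_LAN:-0}             # 1 = Apache shares the LAN with its clients (page's test setup)
DRY_RUN=${DRY_RUN:-0}               # 1 = print the iptables commands instead of running them

ipt() {
  if [ "$DRY_RUN" = 1 ]; then printf 'iptables %s\n' "$*"; else iptables "$@"; fi
}

fw_rules() {
  local bypass=""
  if [ "$FAIL_OPEN" = 1 ]; then bypass="--queue-bypass"; fi

  ### Cleaning up: policies to ACCEPT first so a re-run never locks us out halfway
  ipt -P INPUT ACCEPT; ipt -P FORWARD ACCEPT; ipt -P OUTPUT ACCEPT
  ipt -t filter -F; ipt -t filter -X; ipt -t nat -F; ipt -t nat -X

  ### INPUT: the page's script drops everything here, which also kills loopback
  ### and the replies to barnyard2's MySQL session; allow those explicitly
  ipt -A INPUT -i lo -j ACCEPT
  ipt -A INPUT -m state --state INVALID -j DROP
  ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  ipt -A INPUT -s "$LAN_NET" -p tcp --dport "$SSH_PORT" -m state --state NEW -j ACCEPT

  ### NAT: publish Apache on the IPS address; masquerade only toward the outside
  ipt -t nat -A PREROUTING -d "$IPS_IP" -p tcp --dport 80 -j DNAT --to-destination "$WEB_IP"
  ipt -t nat -A POSTROUTING -o "$EXT_IF" -s "$LAN_NET" -j MASQUERADE
  # Flat LAN only: without this Apache answers the client directly and bypasses
  # the IPS. Narrowed to the DNATed web flow; it is still what hides the real
  # client address from Apache's own log.
  if [ "$FLAT_LAN" = 1 ]; then
    ipt -t nat -A POSTROUTING -d "$WEB_IP" -p tcp --dport 80 -j MASQUERADE
  fi

  ### FORWARD: both directions of the web flow reach Suricata before any
  ### state shortcut, otherwise established packets would skip the IPS
  ipt -A FORWARD -m state --state INVALID -j DROP
  ipt -A FORWARD -d "$WEB_IP" -p tcp --dport 80 -j NFQUEUE --queue-num "$QUEUE" $bypass
  ipt -A FORWARD -s "$WEB_IP" -p tcp --sport 80 -j NFQUEUE --queue-num "$QUEUE" $bypass
  ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
  ipt -A FORWARD -s "$LAN_NET" -o "$EXT_IF" -j ACCEPT

  ### Default deny last, once the accept rules are in place
  ipt -P INPUT DROP
  ipt -P FORWARD DROP
}

case "${1:-}" in
  apply)   fw_rules ;;
  dry-run) DRY_RUN=1; fw_rules ;;
esac
```

With FAIL_OPEN left at 0 the behaviour is the same as on the page: if Suricata stops listening on queue 0 the kernel drops the queued packets and the web server goes dark, which is the safer default for an IPS. FAIL_OPEN=1 adds --queue-bypass to both NFQUEUE rules so the traffic passes uninspected instead; choose that deliberately, not by accident.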
To check the status of the script we can use the following command
Sample FW
vim /etc/firewall/variables
### VARIABLES
### PATH
PSNI="/proc/sys/net/ipv4"
PSNN="/proc/sys/net/netfilter"
### COMMANDS
MODPROBE="/sbin/modprobe"
ETHTOOL="/sbin/ethtool"
IPTABLES="/sbin/iptables"
### NETWORKS
LAN_NETWORK="10.23.0.0/24"
### SERVERS
ZABBIX="10.23.0.117"
BACULA="10.23.0.198"
WAPP01="10.23.0.247"
KACE_INT="172.33.0.194"
KACE_EXT="200.200.200.34"
EXT_FTP01="200.200.200.46"
DMZ_FTP01="10.23.0.147"
DMZ_FTP02="10.23.0.246"
DMZ_HTTP02="10.23.0.143"
DMZ_HTTP01="10.23.0.247"
## EXTERNAL IP
EXT_F10="177.177.177.10"
EXT_F14="177.177.177.14"
### PORTS
BACULA_PORT="9102"
ZABBIX_PORT="10050"
DEV_PORT="2000"
WTS_PORT="3389"
SSH_PORT="22022"
VOIP_TCP_PORTS="5060:5061"
VOIP_UDP_PORTS="5040:5081,10000:20000"
KACE_PORTS="80,139,443,445,52230"
FTP_PORTS="20,21,12000:12100"
HTTP_PORT="80"
HTTP_PORTS="80,443"
HTTPS_PORT="443"
WEB_PORTS="80,443,3306"
DNS_PORT="53"
### ALIAS
PRE_EXT="${IPTABLES} -t nat -A PREROUTING -i eno2 "
POS_EXT="${IPTABLES} -t nat -A POSTROUTING -o eno2 "
COM="-m comment --comment"
TCP="-p tcp -m tcp"
UDP="-p udp -m udp"
ICMP="-p icmp --icmp-type"
LIMIT="-m limit --limit"
DMULTIPORT="-m multiport --dports"
SMULTIPORT="-m multiport --sports"
LOG="LOG --log-prefix"
LOG_LEV="--log-level info"
SURICATA="--queue-num 0"
vim /etc/firewall/firewall-start
#!/bin/bash
### Loading variables
. /etc/firewall/variables
### Cleaning up
${IPTABLES} -t filter -F
${IPTABLES} -t filter -X
${IPTABLES} -t nat -F
${IPTABLES} -t nat -X
${IPTABLES} -t raw -F
${IPTABLES} -t raw -X
### INPUT
${IPTABLES} -P INPUT DROP
${IPTABLES} -t filter -A INPUT -m state --state INVALID -j DROP
${IPTABLES} -A INPUT -f -j DROP
${IPTABLES} -A INPUT -p tcp -m state --state ESTABLISHED,RELATED -j NFQUEUE ${SURICATA}
### FORWARD
${IPTABLES} -P FORWARD DROP
${IPTABLES} -t filter -A FORWARD -m state --state INVALID -j DROP
${IPTABLES} -A FORWARD -f -j DROP
${IPTABLES} -A FORWARD -p tcp -m state --state ESTABLISHED,RELATED -j NFQUEUE ${SURICATA}
### MASQUERADE
${IPTABLES} -t nat -A POSTROUTING -s ${LAN_NETWORK} -j MASQUERADE
cat /etc/firewall/firewall-stop
#!/bin/bash
### Loading variables
. /etc/firewall/variables
From:
http://wiki.douglasqsantos.com.br/ - DQS CONSULTORIA E TREINAMENTOS
Permanent link:
http://wiki.douglasqsantos.com.br/doku.php/installing_and_configuring_suricata_on_centos7_en