suricata-4.1.4 (Part 2): implementing IP address and port … with Lua scripts

Author: funOfFan | Published 2021-02-28 11:31 | Read 0 times

Experiment description

  1. Prepare the test pcap files in advance and store them under /root/area2pcap
[root@localhost area2pcap]# pwd
/root/area2pcap
[root@localhost area2pcap]# ls
train_area2_00000_20210104202426.pcap  train_area2_00076_20210104205411.pcap  train_area2_00152_20210104210529.pcap
train_area2_00001_20210104202441.pcap  train_area2_00077_20210104205419.pcap  train_area2_00153_20210104210536.pcap
train_area2_00002_20210104202459.pcap  train_area2_00078_20210104205428.pcap  train_area2_00154_20210104210542.pcap
train_area2_00003_20210104202522.pcap  train_area2_00079_20210104205436.pcap  train_area2_00155_20210104210549.pcap
train_area2_00004_20210104202549.pcap  train_area2_00080_20210104205444.pcap  train_area2_00156_20210104210557.pcap
train_area2_00005_20210104202619.pcap  train_area2_00081_20210104205451.pcap  train_area2_00157_20210104210605.pcap
train_area2_00006_20210104202649.pcap  train_area2_00082_20210104205457.pcap  train_area2_00158_20210104210614.pcap
train_area2_00007_20210104202714.pcap  train_area2_00083_20210104205504.pcap  train_area2_00159_20210104210623.pcap
train_area2_00008_20210104202748.pcap  train_area2_00084_20210104205514.pcap  train_area2_00160_20210104210632.pcap
train_area2_00009_20210104202815.pcap  train_area2_00085_20210104205523.pcap  train_area2_00161_20210104210640.pcap
train_area2_00010_20210104202903.pcap  train_area2_00086_20210104205534.pcap  train_area2_00162_20210104210647.pcap
train_area2_00011_20210104203043.pcap  train_area2_00087_20210104205547.pcap  train_area2_00163_20210104210653.pcap
train_area2_00012_20210104203219.pcap  train_area2_00088_20210104205601.pcap  train_area2_00164_20210104210659.pcap
  2. These pcap files record TCP connections between terminals inside a cluster. Every terminal has a fixed service port, and the terminals' IP addresses together with their ports form a whitelist.
  3. The same pcaps also contain a lot of traffic from IP addresses outside that whitelist. The goal of the experiment is to use Suricata to pick out the IPs and ports that are not on the whitelist. Specifically, three kinds of information are wanted:
    • IPs outside the whitelist that try to reach an internal terminal (source IP not in the whitelist, destination IP in the whitelist)
    • IPs outside the whitelist that an internal terminal tries to reach (source IP in the whitelist, destination IP not in the whitelist)
    • Ports on internal terminals that should not be accessed but were

Environment setup

  1. Suricata is installed with Lua scripting support (suricata --build-info reports whether LUA or LuaJIT support was compiled in); in this experiment it lives under /home/nsa/suricata/
[root@localhost scripts]# cd /home/nsa/suricata/
[root@localhost suricata]# ll
total 4176
-rw-r--r--   1 root root 4269492 Feb 27 10:25 eve.json
drwxr-xr-x.  2 root root      22 Feb 17 22:45 log
drwxr-xr-x. 15 root root    4096 Feb 17 22:45 suricata-4.1.4
[root@localhost suricata]# pwd
/home/nsa/suricata
[root@localhost suricata]# ls suricata-4.1.4/
aclocal.m4             COPYING      Makefile.in
ChangeLog              depcomp      missing
classification.config  doc          python
compile                ebpf         qa
config.guess           etc          reference.config
config.h               install-sh   rules
config.h.in            libhtp       rust
config.log             libtool      src
config.rpath           LICENSE      stamp-h1
config.status          ltmain.sh    suricata-update
config.sub             lua          suricata.yaml
configure              m4           suricata.yaml.in
configure.ac           Makefile     threshold.config
contrib                Makefile.am
  2. /etc/suricata holds the suricata.yaml configuration file and a lua-output folder (the folder has to be created by hand)
[root@localhost ~]# cd /etc/suricata/
[root@localhost suricata]# ll
total 80
drwxr-xr-x. 2 root root    25 Feb 25 17:15 lua-output
-rw-r--r--  1 root root 74745 Feb 26 15:52 suricata.yaml
-rw-r--r--. 1 root root  1644 Feb 17 14:13 threshold.config
  3. Change the following settings in suricata.yaml:
classification-file: /var/lib/suricata/update/cache/rules/classification.config
reference-config-file: /var/lib/suricata/update/cache/rules/reference.config
default-log-dir: /home/nsa/suricata
# eve.json, which records Suricata's detection results, is written to this directory
default-rule-path: /var/lib/suricata/update/cache/rules
rule-files:
- custom.rules
# the custom rule file custom.rules lives under default-rule-path
# classification.config lives under default-rule-path as well
- lua:
      enabled: yes
# this entry (under outputs:) enables the Lua output module; the lua keyword used in the
# detection rule works independently of it, so it is not strictly required for the script to run
  4. Have the experiment pcap files ready (see above)
  5. Create the directory /var/lib/suricata/update/cache/rules/scripts by hand and put the whitelist of terminal IP addresses and ports there as a JSON file (terminal.json). Note that the file holds one JSON object per line rather than a single JSON document, because the script reads it line by line, and that in this run every "port" list is empty, so only the IP part of the whitelist has any effect.
[root@localhost scripts]# pwd
/var/lib/suricata/update/cache/rules/scripts
[root@localhost scripts]# ll
total 20
-rw-r--r-- 1 root root 508 Feb 25 21:13 abnormal_dst_ip.lua
-rw-r--r-- 1 root root 707 Feb 25 21:00 abnormal_port.lua
-rw-r--r-- 1 root root 508 Feb 25 21:10 abnormal_src_ip.lua
-rw-r--r-- 1 root root  79 Feb 25 18:05 server.json
-rw-r--r-- 1 root root 124 Feb 25 21:04 terminal.json
[root@localhost scripts]# cat terminal.json 
{"ip":"10.79.10.87","port":[]}
{"ip":"10.79.59.247","port":[]}
{"ip":"10.79.39.8","port":[]}
{"ip":"10.79.39.9","port":[]}

Writing the custom rule

# The first category serves as the example: IPs outside the whitelist trying to reach an internal terminal (source IP not in the whitelist, destination IP in the whitelist)
cd /var/lib/suricata/update/cache/rules/
vi custom.rules
# Contents:
alert tcp any any -> $HOME_NET any (msg:"Suspicious external IP trying to access internal service terminal"; lua:scripts/abnormal_src_ip.lua; sid:20210225; rev:1; classtype:src-ip-violation;)
# lua:scripts/*.lua attaches the custom Lua script to the rule; the path is resolved relative to default-rule-path.
# Only the source side is checked by the script. The destination side is constrained solely by $HOME_NET, which by default
# covers the whole RFC1918 space (every 10.x host, not just the four terminals in terminal.json), so expect alerts for
# traffic whose destination is not actually a terminal unless HOME_NET is narrowed or the script checks dstip too.

Modifying the classification file

[root@localhost rules]# pwd
/var/lib/suricata/update/cache/rules
[root@localhost rules]# vi classification.config 
# Append one line at the end of the file (the third field is the priority, which appears as "severity" in eve.json):
config classification: src-ip-violation, IP_VIOLATION,1

Writing the custom script

[root@localhost scripts]# pwd
/var/lib/suricata/update/cache/rules/scripts
[root@localhost scripts]# vi abnormal_src_ip.lua 
# Contents:
local cjson = require("cjson")      -- lua-cjson must be installed where Suricata's Lua can find it
local WHITELIST = "/var/lib/suricata/update/cache/rules/scripts/terminal.json"
local terminal_ips = nil            -- loaded once, on the first packet, not re-read for every packet

function init(args)
  local needs = {}
  needs["packet"] = tostring(true)  -- run match() for every packet the rule header selects
  return needs
end

-- terminal.json holds one JSON object per line: {"ip":"10.79.10.87","port":[]}
local function load_terminal_ips()
  local ips = {}
  local file = assert(io.open(WHITELIST, "r"), "cannot open " .. WHITELIST)
  for line in file:lines() do
    if line:match("%S") then        -- skip blank lines
      local line_json = cjson.decode(line)
      ips[line_json.ip] = true
      --line_json.port is not used by this script
    end
  end
  file:close()                      -- an open handle per packet would leak a descriptor each time
  return ips
end

function match(args)
  local ipver, srcip, dstip, proto, sp, dp = SCPacketTuple()
  if terminal_ips == nil then terminal_ips = load_terminal_ips() end
  -- return 1 to match (alert), 0 for no match: a whitelisted source never alerts.
  -- The destination side is left to the rule header ($HOME_NET); only the source is checked here.
  if terminal_ips[srcip] then return 0 end
  return 1
end
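The directory listing above shows an abnormal_port.lua next to this script, but the post never shows its contents. The following is an added example (my code, not the post's own) of how the third category, access to a terminal port that is not on that terminal's list, can be covered from the same terminal.json. The rule line in the header comment uses a made-up sid (20210226) and the classtype defined on this page; the decision itself is kept in a separate function so it can be exercised with a plain Lua interpreter without Suricata.

```lua
-- abnormal_port.lua (added example): alert when a packet is sent to a whitelisted
-- terminal IP on a port that is not in that terminal's "port" list.
-- Companion rule for custom.rules (sid is hypothetical):
--   alert tcp any any -> any any (msg:"Access to non-whitelisted port on terminal"; \
--     flow:to_server; lua:scripts/abnormal_port.lua; sid:20210226; rev:1; classtype:src-ip-violation;)
local cjson = require("cjson")

local WHITELIST_PATH = "/var/lib/suricata/update/cache/rules/scripts/terminal.json"
local whitelist = nil   -- ip -> set of allowed ports, loaded on first use

-- Parse terminal.json (one JSON object per line) into a lookup table:
-- {"ip":"10.79.39.8","port":[22,9001]} becomes whitelist["10.79.39.8"] = {[22]=true,[9001]=true}
local function load_whitelist(path)
  local set = {}
  local file = assert(io.open(path, "r"), "cannot open whitelist: " .. path)
  for line in file:lines() do
    if line:match("%S") then                 -- skip blank lines
      local entry = cjson.decode(line)
      local ports = {}
      for _, p in ipairs(entry.port or {}) do
        ports[tonumber(p)] = true
      end
      set[entry.ip] = ports
    end
  end
  file:close()
  return set
end

-- Pure decision, separate from Suricata's callbacks so it can be tested with plain lua.
-- Returns 1 (alert) when dstip is a terminal and dport is not on its list, otherwise 0.
function is_abnormal_port(wl, dstip, dport)
  local ports = wl[dstip]
  if ports == nil then return 0 end          -- not a terminal: the IP scripts handle that case
  if ports[tonumber(dport)] then return 0 end
  return 1
end

function init(args)
  local needs = {}
  needs["packet"] = tostring(true)           -- SCPacketTuple() needs the packet
  return needs
end

function match(args)
  local ipver, srcip, dstip, proto, sp, dp = SCPacketTuple()
  if whitelist == nil then whitelist = load_whitelist(WHITELIST_PATH) end
  return is_abnormal_port(whitelist, dstip, dp)
end
```

Two things to check before using it. First, terminal.json on this page has "port":[] for every terminal, so with that file every connection to a terminal would alert; the port lists have to be filled in first. Second, the packet hook sees both directions of a flow, and a reply from terminal B's service port to terminal A's ephemeral port would otherwise look like access to a non-whitelisted port on A; the flow:to_server keyword in the rule header keeps the check on the client-to-server direction.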

Running Suricata

suricata -c /etc/suricata/suricata.yaml -r area2pcap/*.pcap
# Note that -r takes a single file or (since Suricata 4.1) a directory. The shell expands area2pcap/*.pcap into many
# arguments, of which only the first is read as a pcap; Suricata treats trailing arguments as a BPF filter expression,
# not as more input files. To process every file, pass the directory instead: -r /root/area2pcap
# After the command finishes, inspect eve.json to see whether the filtering worked
tail -F /home/nsa/suricata/eve.json
# Sample eve.json record:
{"timestamp":"2021-01-04T20:24:41.500337+0800","flow_id":981015779183716,"pcap_cnt":993,"event_type":"alert","src_ip":"10.79.83.55","src_port":9001,"dest_ip":"10.79.69.9","dest_port":36773,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":20210225,"rev":1,"signature":"Suspicious external IP trying to access internal service terminal","category":"IP_VIOLATION","severity":1},"flow":{"pkts_toserver":1,"pkts_toclient":1,"bytes_toserver":74,"bytes_toclient":74,"start":"2021-01-04T20:24:41.494692+0800"},"payload":"","payload_printable":"","stream":0,"packet":"hFsSS6QOZNgU3LtCCABFAAA8AABAADsGkt4KT1M3Ck9FCSMpj6WjLt78HEL\/iqASFqCRlwAAAgQFtAEBCAoAcp+NeD+M3AEDAwA=","packet_info":{"linktype":1}}
# Observations on the record above:
# "signature":"Suspicious external IP trying to access internal service terminal" and "category":"IP_VIOLATION"
# show that the rule fired, i.e. a source IP outside the whitelist was seen talking to a $HOME_NET address.
# Look at the tuple before concluding that a terminal was targeted, though: decoding the "packet" field gives a
# SYN-ACK from 10.79.83.55:9001 to 10.79.69.9:36773, so the "source" here is a server answering a client, and
# neither address is in terminal.json. The alert fired because 10.79.69.9 lies inside the default $HOME_NET, not
# because a whitelisted terminal was reached. To match the first category as defined, restrict the rule to the
# client-to-server direction (flow:to_server) and check dstip against the whitelist in the script as well.
# Also, because the script runs on the packet hook, a long flow produces one alert per packet; group alerts by
# flow_id (or by src/dst/port) when counting results.
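As an added check (not part of the original post) that covers both the three categories defined in the experiment description and the result above, the following standalone Lua tool re-classifies every alert in eve.json against the whitelist and folds the per-packet alerts of one flow into a single row. Like the detection script it needs lua-cjson. The whitelist table uses the four IPs from the page's terminal.json with constructed port lists (the page's file has none), and the sample records are constructed except for the first, which is the alert shown above with its non-essential fields dropped. Run it as lua check_alerts.lua /home/nsa/suricata/eve.json, or with no argument to use the built-in sample.

```lua
-- check_alerts.lua (added example): re-check every eve.json alert against the
-- terminal whitelist and collapse per-packet alerts into one row per flow.
-- Usage: lua check_alerts.lua /home/nsa/suricata/eve.json   (no argument: built-in sample)
local cjson = require("cjson")

-- IPs from the page's terminal.json; the port lists are constructed for this example.
local terminals = {
  ["10.79.10.87"]  = {[9001] = true},
  ["10.79.59.247"] = {[9001] = true},
  ["10.79.39.8"]   = {[22] = true, [9001] = true},
  ["10.79.39.9"]   = {[22] = true, [9001] = true},
}

-- Which of the experiment's three categories an alert falls into.
-- Returns a comma-joined string, or "none" when neither endpoint is a terminal.
function classify(wl, src, dst, dport)
  local cats = {}
  local src_in, dst_in = wl[src] ~= nil, wl[dst] ~= nil
  if not src_in and dst_in then cats[#cats + 1] = "external-src" end   -- category 1
  if src_in and not dst_in then cats[#cats + 1] = "external-dst" end   -- category 2
  if dst_in and not wl[dst][dport] then cats[#cats + 1] = "bad-port" end -- category 3
  if #cats == 0 then return "none" end
  return table.concat(cats, ",")
end

-- Fold a line iterator over eve.json into one entry per (src, dst, dport), counting packets.
-- Non-alert events and unparsable lines are skipped.
function summarize(lines, wl)
  local flows = {}
  for line in lines do
    local ok, ev = pcall(cjson.decode, line)
    if ok and type(ev) == "table" and ev.event_type == "alert" then
      local key = string.format("%s -> %s:%d", ev.src_ip, ev.dest_ip, ev.dest_port)
      local f = flows[key]
      if f == nil then
        f = { packets = 0,
              category = classify(wl, ev.src_ip, ev.dest_ip, ev.dest_port),
              signature = ev.alert and ev.alert.signature or "?" }
        flows[key] = f
      end
      f.packets = f.packets + 1
    end
  end
  return flows
end

-- Constructed sample: the page's own alert (a SYN-ACK from 10.79.83.55:9001), then made-up records.
-- Sids 20210226 and 20210227 are hypothetical rules for the port and destination-IP checks.
SAMPLE = [[
{"timestamp":"2021-01-04T20:24:41.500337+0800","flow_id":981015779183716,"event_type":"alert","src_ip":"10.79.83.55","src_port":9001,"dest_ip":"10.79.69.9","dest_port":36773,"proto":"TCP","alert":{"signature_id":20210225,"signature":"Suspicious external IP trying to access internal service terminal"}}
{"timestamp":"2021-01-04T20:25:01.000000+0800","event_type":"alert","src_ip":"10.79.1.1","src_port":51000,"dest_ip":"10.79.39.8","dest_port":9001,"proto":"TCP","alert":{"signature_id":20210225,"signature":"Suspicious external IP trying to access internal service terminal"}}
{"timestamp":"2021-01-04T20:25:01.000100+0800","event_type":"alert","src_ip":"10.79.1.1","src_port":51000,"dest_ip":"10.79.39.8","dest_port":9001,"proto":"TCP","alert":{"signature_id":20210225,"signature":"Suspicious external IP trying to access internal service terminal"}}
{"timestamp":"2021-01-04T20:25:02.000000+0800","event_type":"alert","src_ip":"10.79.10.87","src_port":52000,"dest_ip":"10.79.39.9","dest_port":3389,"proto":"TCP","alert":{"signature_id":20210226,"signature":"Access to non-whitelisted port on terminal"}}
{"timestamp":"2021-01-04T20:25:03.000000+0800","event_type":"alert","src_ip":"10.79.39.8","src_port":40000,"dest_ip":"8.8.8.8","dest_port":443,"proto":"TCP","alert":{"signature_id":20210227,"signature":"Internal terminal contacting external IP"}}
{"timestamp":"2021-01-04T20:25:04.000000+0800","event_type":"stats","stats":{"uptime":12}}
]]

local function main()
  local lines
  if arg and arg[1] then lines = io.lines(arg[1]) else lines = SAMPLE:gmatch("[^\n]+") end
  for key, f in pairs(summarize(lines, terminals)) do
    print(string.format("%-30s packets=%d category=%-24s sig=%s",
                        key, f.packets, f.category, f.signature))
  end
end

main()
```

On the built-in sample the page's own alert comes out as category none, since neither 10.79.83.55 nor 10.79.69.9 is a terminal, the two records from 10.79.1.1 collapse into one external-src row with packets=2, the 3389 connection is reported as bad-port, the 8.8.8.8 connection as external-dst, and the stats event is ignored.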

Article link: https://www.haomeiwen.com/subject/zrfifltx.html