Deploys and configures Suricata as network IPS on Linux using custom rules, Emerging Threats sets, NFQUEUE inline mode, and rule management for real-time threat blocking.
Suricata is a high-performance open-source network threat detection engine developed by the Open Information Security Foundation (OISF). It can run as an intrusion detection system (IDS), an intrusion prevention system (IPS), or a network security monitoring tool. Suricata performs deep packet inspection using large rulesets, protocol analysis and file extraction. In IPS mode it inspects packets inline and can actively block malicious traffic. This skill covers deploying Suricata in IPS mode, configuring rulesets, writing custom rules, performance tuning and integration with logging infrastructure.
| Mode | Function | Network placement |
|---|---|---|
| IDS (AF_PACKET) | Passive monitoring, alerts only | TAP/SPAN mirror port |
| IPS (NFQUEUE) | Inline blocking via netfilter | In the traffic path |
| IPS (AF_PACKET) | Inline blocking via AF_PACKET | Bridged between two interfaces |
| Offline (PCAP) | Analysis of captured traffic files | N/A |
Suricata rules follow a structured format:

```
action protocol src_ip src_port -> dst_ip dst_port (rule options;)
```

- Actions: alert, pass, drop, reject, rejectsrc, rejectdst, rejectboth
- Protocols: tcp, udp, icmp, ip, http, tls, dns, smtp, ftp
- Direction: `->` unidirectional, `<>` bidirectional

Install from the Suricata PPA on Ubuntu:

```bash
# Add the Suricata PPA (Ubuntu)
sudo add-apt-repository ppa:oisf/suricata-stable
sudo apt-get update
sudo apt-get install -y suricata suricata-update
# Verify the installation
suricata --build-info
suricata -V
```
Edit /etc/suricata/suricata.yaml:

```yaml
%YAML 1.1
---
vars:
  address-groups:
    HOME_NET: "[10.0.0.0/8,172.16.0.0/12,192.168.0.0/16]"
    EXTERNAL_NET: "!$HOME_NET"
    HTTP_SERVERS: "$HOME_NET"
    DNS_SERVERS: "[10.0.1.10/32,10.0.1.11/32]"
    SMTP_SERVERS: "$HOME_NET"
  port-groups:
    HTTP_PORTS: "80"
    SHELLCODE_PORTS: "!80"
    SSH_PORTS: "22"
    DNS_PORTS: "53"

# IPS mode using NFQUEUE
nfq:
  mode: accept
  repeat-mark: 1
  repeat-mask: 1
  route-queue: 2
  # fail-open lets the kernel accept packets when the queue is full: availability over inspection
  fail-open: yes

# Threading
threading:
  set-cpu-affinity: yes
  cpu-affinity:
    - management-cpu-set:
        cpu: [0]
    - receive-cpu-set:
        cpu: [1,2]
    - worker-cpu-set:
        cpu: [3,4,5,6,7]
        mode: exclusive

# Detection engine
detect-engine:
  - profile: high
  - custom-values:
      toclient-groups: 50
      toserver-groups: 50
  - sgh-mpm-context: auto
  - inspection-recursion-limit: 3000

# Stream engine
stream:
  memcap: 512mb
  checksum-validation: yes
  inline: auto
  reassembly:
    memcap: 1gb
    depth: 1mb
    toserver-chunk-size: 2560
    toclient-chunk-size: 2560

# Logging
outputs:
  - eve-log:
      enabled: yes
      filetype: regular
      filename: /var/log/suricata/eve.json
      types:
        - alert:
            payload: yes
            payload-buffer-size: 4kb
            payload-printable: yes
            packet: yes
            metadata: yes
            tagged-packets: yes
        - http:
            extended: yes
        - dns:
            query: yes
            answer: yes
        - tls:
            extended: yes
        - files:
            force-magic: yes
            force-hash: [md5, sha256]
        - flow
        - netflow
        - stats:
            totals: yes
            threads: no
            deltas: yes
  - fast:
      enabled: yes
      filename: /var/log/suricata/fast.log
  - stats:
      enabled: yes
      filename: /var/log/suricata/stats.log
      interval: 30

# Rule files
default-rule-path: /var/lib/suricata/rules
rule-files:
  - suricata.rules
```
Set up iptables to redirect traffic to Suricata:

```bash
# Enable IP forwarding
sudo sysctl -w net.ipv4.ip_forward=1
# Redirect the FORWARD chain to NFQUEUE (--queue-bypass accepts packets if no Suricata is listening)
sudo iptables -I FORWARD -j NFQUEUE --queue-num 0 --queue-bypass
# Multiple queues (better performance); use this instead of the single-queue rule above
sudo iptables -I FORWARD -j NFQUEUE --queue-balance 0:3 --queue-bypass
# Save the iptables rules
sudo iptables-save > /etc/iptables/rules.v4
```
AF_PACKET inline mode (between two interfaces):

```yaml
# in suricata.yaml
af-packet:
  - interface: eth0
    cluster-id: 98
    cluster-type: cluster_flow
    defrag: yes
    use-mmap: yes
    copy-mode: ips
    copy-iface: eth1
  - interface: eth1
    cluster-id: 97
    cluster-type: cluster_flow
    defrag: yes
    use-mmap: yes
    copy-mode: ips
    copy-iface: eth0
```
Manage rulesets with suricata-update:

```bash
# Update rules from the default source (ET Open)
sudo suricata-update
# List available rule sources
sudo suricata-update list-sources
# Enable ET Pro (requires a licence key)
sudo suricata-update enable-source et/pro secret-code=YOUR_OINKCODE
# Enable additional sources
sudo suricata-update enable-source oisf/trafficid
sudo suricata-update enable-source ptresearch/attackdetection
sudo suricata-update enable-source sslbl/ssl-fp-blacklist
# Disable specific rules that produce false positives (by sid, or a whole rule group)
echo "2100498" | sudo tee -a /etc/suricata/disable.conf
echo "group:emerging-policy.rules" | sudo tee -a /etc/suricata/disable.conf
# Modify rule actions: change rules matching "ET MALWARE" from alert to drop
echo 're:ET MALWARE "^alert" "drop"' | sudo tee -a /etc/suricata/modify.conf
# Apply the update and reload the running engine
sudo suricata-update --reload-command="suricatasc -c reload-rules"
```
Create /var/lib/suricata/rules/local.rules:

```
# Load this file by listing it under rule-files in suricata.yaml or by passing it to suricata-update --local
# Detect a potential reverse shell over TCP
drop tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"LOCAL 潜在反向 Shell - 载荷中含 /bin/bash"; flow:to_server,established; content:"/bin/bash"; content:"-i"; within:20; classtype:trojan-activity; sid:1000001; rev:1;)
# Block a known malicious User-Agent (a literal ';' inside content must be written as |3b|)
drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"LOCAL 恶意 User-Agent - Cobalt Strike"; http.user_agent; content:"Mozilla/5.0 (compatible|3b| MSIE 9.0|3b| Windows NT 6.1|3b| WOW64|3b| Trident/5.0)"; classtype:trojan-activity; sid:1000002; rev:1;)
# Detect DNS queries matching a known DGA pattern (no content prefilter, so the pcre alone selects the TLDs)
alert dns $HOME_NET any -> any 53 (msg:"LOCAL 可疑 DGA 域名查询"; dns.query; pcre:"/^[a-z0-9]{12,30}\.(top|xyz|club|online|site)$/"; classtype:bad-unknown; sid:1000003; rev:1;)
# Detect large DNS TXT responses (potential C2)
alert dns any 53 -> $HOME_NET any (msg:"LOCAL 大型 DNS TXT 响应 - 潜在 C2"; dns.opcode:0; content:"|00 10|"; byte_test:2,>,500,0,relative; classtype:bad-unknown; sid:1000004; rev:1;)
# Block outbound traffic to known Tor exit nodes
drop tcp $HOME_NET any -> [100.2.18.10,104.244.76.13,109.70.100.1] any (msg:"LOCAL 出站连接到已知 Tor 出口节点"; classtype:policy-violation; sid:1000005; rev:1;)
# Detect SMB lateral-movement attempts
alert tcp $HOME_NET any -> $HOME_NET 445 (msg:"LOCAL 内部 SMB 连接 - 可能存在横向移动"; flow:to_server,established; content:"|ff|SMB"; offset:4; depth:4; threshold:type both,track by_src,count 5,seconds 60; classtype:attempted-admin; sid:1000006; rev:1;)
# Detect PowerShell download commands
drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"LOCAL 检测到 PowerShell 下载命令"; http.user_agent; content:"PowerShell"; nocase; http.method; content:"GET"; classtype:trojan-activity; sid:1000007; rev:1;)
# Detect ICMP tunnelling (oversized ICMP packets)
alert icmp $HOME_NET any -> $EXTERNAL_NET any (msg:"LOCAL 超大 ICMP 数据包 - 可能存在隧道"; dsize:>800; threshold:type both,track by_src,count 10,seconds 60; classtype:bad-unknown; sid:1000008; rev:1;)
```
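The rule format summarised earlier and the local.rules above are easy to break by hand (a stray `;` inside `content`, a reused `sid`, a missing `rev`). As an added example that is not part of this skill, a small linter that checks the header against the actions and protocols listed on this page and parses the option body; the sample rules are constructed.

```python
import re

# Allowed header values, taken from the rule-format summary on this page.
ACTIONS = {"alert", "pass", "drop", "reject", "rejectsrc", "rejectdst", "rejectboth"}
PROTOCOLS = {"tcp", "udp", "icmp", "ip", "http", "tls", "dns", "smtp", "ftp"}
HEADER = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s+\((.*)\)$")
# Split the option body on ';' only outside quotes (a literal ';' in content must be written |3b|).
OPT_SPLIT = re.compile(r';(?=(?:[^"]*"[^"]*")*[^"]*$)')

def parse_options(body):
    # 'msg:"x"; sid:1; nocase;' -> {'msg': '"x"', 'sid': '1', 'nocase': ''}; first occurrence wins.
    opts = {}
    for item in filter(str.strip, OPT_SPLIT.split(body)):
        key, _, value = item.strip().partition(":")
        opts.setdefault(key.strip(), value.strip())
    return opts

def lint_rule(line):
    # Returns the problems found in one rule line; an empty list means the rule passes these checks.
    m = HEADER.match(line.strip())
    if not m:
        return ["header is not 'action proto src sport dir dst dport (options;)'"]
    action, proto, opts = m.group(1), m.group(2), parse_options(m.group(8))
    checks = (("action", action, ACTIONS), ("protocol", proto, PROTOCOLS))
    problems = [f"unknown {what} '{value}'" for what, value, allowed in checks if value not in allowed]
    problems += [f"missing {key}" for key in ("msg", "sid", "rev") if key not in opts]
    return problems

def lint_file(text):
    # Lints every rule line of a local.rules file and flags a sid that is reused on a later line.
    report, seen = {}, {}
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        problems, sid_m = lint_rule(line), re.search(r"\bsid:\s*(\d+)", line)
        sid = sid_m.group(1) if sid_m else None
        if sid in seen:
            problems.append(f"duplicate sid {sid} (first seen on line {seen[sid]})")
        elif sid:
            seen[sid] = n
        if problems:
            report[n] = problems
    return report

# Constructed sample: a valid rule, then one with an unknown action, no rev and a reused sid.
SAMPLE = """# local.rules (constructed sample)
drop tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"LOCAL test"; content:"/bin/bash"; sid:1000001; rev:1;)
block http $HOME_NET any -> $EXTERNAL_NET any (msg:"LOCAL bad"; content:"a|3b|b"; sid:1000001;)
"""
```

This only checks shape, not semantics; `suricata -T` remains the authoritative test because it loads the rules with the real parser.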
Validate and start the engine:

```bash
# Test the configuration
sudo suricata -T -c /etc/suricata/suricata.yaml
# Start in NFQUEUE IPS mode (one -q per queue; with --queue-balance 0:3 use -q 0 -q 1 -q 2 -q 3)
sudo suricata -c /etc/suricata/suricata.yaml -q 0
# Start in AF_PACKET inline mode
sudo suricata -c /etc/suricata/suricata.yaml --af-packet
# Run as a systemd service
sudo systemctl enable suricata
sudo systemctl start suricata
```
Monitor and tune the running engine:

```bash
# Watch performance statistics
tail -f /var/log/suricata/stats.log
# Reload rules without restarting
sudo suricatasc -c reload-rules
# Check for kernel packet drops
sudo suricatasc -c dump-counters | grep -E "capture.kernel_drops|decoder.pkts"
# Follow EVE JSON alerts
tail -f /var/log/suricata/eve.json | jq 'select(.event_type=="alert")'
# Confirm rule loading
grep -c "rules loaded" /var/log/suricata/suricata.log
# Memory usage
sudo suricatasc -c dump-counters | grep memuse
# Identify noisy rules
cat /var/log/suricata/eve.json | jq -r 'select(.event_type=="alert") | .alert.signature_id' | sort | uniq -c | sort -rn | head -20
# Suppress a specific rule for one source network
echo "suppress gen_id 1, sig_id 2100498, track by_src, ip 10.0.5.0/24" | sudo tee -a /etc/suricata/threshold.config
# Rate-limit an alert
echo "rate_filter gen_id 1, sig_id 2100366, track by_src, count 10, seconds 60, new_action alert, timeout 300" | sudo tee -a /etc/suricata/threshold.config
```
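The jq pipeline above ranks signatures by volume but leaves the triage to you. As an added example (not part of this skill), a script that reads EVE alert records, finds which source produced them, and drafts the two kinds of threshold.config entries shown above: a by_src suppress to review when one host accounts for almost all hits of a signature, a rate_filter when the hits are spread out. The EVE records, the 5-alert floor and the 80% dominance ratio are constructed assumptions.

```python
import json
from collections import Counter, defaultdict

def alerts_by_signature(lines):
    # Count alerts per signature_id and per (signature_id, src_ip); skip non-alert or malformed lines.
    per_sig, per_sig_src = Counter(), defaultdict(Counter)
    for raw in lines:
        try:
            ev = json.loads(raw)
        except json.JSONDecodeError:
            continue
        if ev.get("event_type") != "alert":
            continue
        sid = ev["alert"]["signature_id"]
        per_sig[sid] += 1
        per_sig_src[sid][ev["src_ip"]] += 1
    return per_sig, per_sig_src

def threshold_suggestions(lines, min_alerts=5, dominance=0.8):
    # Signatures with >= min_alerts hits: one source at >= dominance share -> candidate by_src suppress
    # (typical of a scanner or monitoring host, review before applying); otherwise a rate_filter.
    per_sig, per_sig_src = alerts_by_signature(lines)
    suggestions = []
    for sid, total in per_sig.most_common():
        if total < min_alerts:
            break  # most_common is sorted, so the remaining signatures are quieter
        src, hits = per_sig_src[sid].most_common(1)[0]
        if hits / total >= dominance:
            suggestions.append(f"suppress gen_id 1, sig_id {sid}, track by_src, ip {src}")
        else:
            suggestions.append(f"rate_filter gen_id 1, sig_id {sid}, track by_src, "
                               f"count {min_alerts}, seconds 60, new_action alert, timeout 300")
    return suggestions

def eve_alert(ts, src, sid, signature):
    # One constructed EVE alert record carrying the fields the triage above reads.
    return json.dumps({"timestamp": ts, "event_type": "alert", "src_ip": src, "dest_ip": "10.0.1.10",
                       "proto": "TCP", "alert": {"gid": 1, "signature_id": sid, "rev": 1,
                                                "signature": signature, "severity": 2}})

# Constructed eve.json excerpt: one host tripping sid 2100498 six times, six hosts each tripping
# sid 2100366 once, a quiet local rule, a non-alert flow event and a truncated line.
SAMPLE_EVE = (
    [eve_alert(f"2024-01-01T10:00:{i:02d}.000000+0000", "10.0.5.7", 2100498, "SAMPLE noisy sig") for i in range(6)]
    + [eve_alert(f"2024-01-01T10:01:{i:02d}.000000+0000", f"10.0.9.{i}", 2100366, "SAMPLE spread sig") for i in range(1, 7)]
    + [eve_alert(f"2024-01-01T10:02:{i:02d}.000000+0000", "10.0.7.3", 1000001, "LOCAL sample") for i in range(2)]
    + ['{"timestamp":"2024-01-01T10:03:00.000000+0000","event_type":"flow","src_ip":"10.0.5.7"}',
       '{"timestamp":"2024-01-01T10:03:01.000000+0000","event_type":"alert","src_ip":"10.0']
)
```

Run it against the real file with `threshold_suggestions(open("/var/log/suricata/eve.json"))` and append only the lines you have reviewed to threshold.config.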
Best practices:

- pass rules to reduce processing load
- suricata-update to keep signatures current