Installing and Configuring Suricata On Debian Wheezy

The document provides a detailed guide for installing and configuring Suricata on Debian Wheezy, including steps for updating the kernel and IPTables, installing dependencies, and configuring Suricata as an Intrusion Prevention System (IPS). It outlines necessary commands for repository updates, package installations, and Suricata configuration adjustments, as well as network settings for optimal performance. The document concludes with instructions for testing the setup using a vulnerability scanner and monitoring logs for activity.

Uploaded by

arkilaramisses

2018/01/23 17:24 1/30 Installing and Configuring Suricata on Debian Wheezy

Installing and Configuring Suricata on Debian Wheezy

Configuring the new Kernel

We need at least kernel 3.12 and IPTables version 1.4.21, so let's add two new repositories.

vim /etc/apt/sources.list
[...]
deb http://ftp.br.debian.org/debian testing main contrib non-free
deb http://ftp.br.debian.org/debian/ wheezy-backports main

Now we need to define the default priorities used when installing a new package from these repositories.

vim /etc/apt/preferences
Package: *
Pin: release a=stable
Pin-Priority: 700

Package: *
Pin: release a=wheezy-backports
Pin-Priority: 650

Package: *
Pin: release a=testing
Pin-Priority: 600

Now we need to update the repositories

apt-get update

Now let's install the new kernel image

apt-get -t wheezy-backports install linux-image-amd64 -y

Now let's install the latest iptables version

apt-get -t testing install iptables -y

Now we need to reboot the server

reboot

DQS CONSULTORIA E TREINAMENTOS - http://wiki.douglasqsantos.com.br/


Last update: 2017/09/05 12:18, installing_and_configuring_suricata_on_debian_wheezy_en, http://wiki.douglasqsantos.com.br/doku.php/installing_and_configuring_suricata_on_debian_wheezy_en

Installing Suricata

Prerequisites:
Debian Wheezy working as Suricata, IP: 192.168.1.252
Debian Wheezy working as Snorby, IP: 192.168.1.251
Debian Wheezy working as Apache, IP: 192.168.1.250

Now we need to install the dependencies for Suricata. First, let's update the repositories and upgrade the system

aptitude update && aptitude dist-upgrade -y

Now we need to install the dependencies like this

aptitude install build-essential pkg-config libpcre3 libpcre3-dbg libpcre3-dev libyaml-0-2 libyaml-dev \
autoconf automake libtool libpcap-dev libnet1-dev zlib1g zlib1g-dev libmagic-dev libcap-ng-dev libjansson-dev \
libnetfilter-queue-dev libnetfilter-queue1 libnfnetlink-dev libnfnetlink0 libgeoip-dev ethtool libmysqlclient-dev -y

Now we need to fetch the Suricata tarball and extract it.

cd /usr/src
wget http://wiki.douglasqsantos.com.br/Downloads/snort/suricata-2.0.7.tar.gz
tar -xvzf suricata-2.0.7.tar.gz
cd suricata-2.0.7

Now we need to configure the sources to compile Suricata as an IPS

./configure --enable-nfqueue --prefix=/usr --sysconfdir=/etc --localstatedir=/var --enable-geoip

Now let's compile and install Suricata like this

make && make install-full

Now let's update the libraries.

ldconfig

If you have problems with the rules, you can fetch them with the following command

wget -qO - http://rules.emergingthreats.net/open/suricata-2.0/emerging.rules.tar.gz | tar -x -z -C "/etc/suricata/" -f -


Now we need to edit Suricata's main configuration file like this

vim /etc/suricata/suricata.yaml
[...]
  - drop:
      enabled: yes
[...]
  - dns-log:
      enabled: yes
[...]
#line 784
outputs:
  - console:
      enabled: yes
  - file:
      enabled: yes
      filename: /var/log/suricata/suricata.log
[...]
classification-file: /etc/suricata/rules/classification.config
reference-config-file: /etc/suricata/rules/reference.config
[...]
    # Here we need to set up the networks in our company like below.
    HOME_NET: "[192.168.1.0/24]"
[...]
host-os-policy:
  # Make the default policy windows.
  windows: [0.0.0.0/0]
  bsd: []
  bsd-right: []
  old-linux: []
  linux: [192.168.1.0/24, 192.168.1.252]
  old-solaris: []
  solaris: ["::1"]
  hpux10: []
  hpux11: []
  irix: []
  macos: []
  vista: []
  windows2k3: []

Now we need to adjust some kernel parameters so that the host can handle a large number of packets per second.

modprobe ip_conntrack
modprobe ip_conntrack_ftp
modprobe ip_nat_ftp
echo 1000000 > /sys/module/nf_conntrack/parameters/hashsize
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
echo 1 > /proc/sys/net/ipv4/tcp_timestamps
echo 1 > /proc/sys/net/ipv4/ip_forward
echo 0 > /proc/sys/net/netfilter/nf_conntrack_tcp_loose
echo 2000000 > /proc/sys/net/netfilter/nf_conntrack_max
PSNI=/proc/sys/net/ipv4
for END in $PSNI/conf/*/rp_filter ; do echo 1 > $END ; done
echo 0 > /proc/sys/net/ipv4/icmp_echo_ignore_all
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
PSNI=/proc/sys/net/ipv6
for END in $PSNI/conf/*/disable_ipv6 ; do echo 1 > $END ; done
echo 0 > /proc/sys/net/netfilter/nf_conntrack_helper

As we are enabling the IPS/IDS, we need to stop the interface from processing the packets itself (offloading) and hand all of them to the IPS/IDS.

ethtool -K eth0 tx off
ethtool -K eth0 tso off
ethtool -K eth0 gro off
ethtool -K eth0 rxvlan off
ethtool -K eth0 txvlan off

Now we can start Suricata

suricata -c /etc/suricata/suricata.yaml -i eth0 -D

Now we need to redirect the connections to port 80 to another server, the one I use as the Apache server

iptables -t nat -A PREROUTING -d 192.168.1.252 -p tcp --dport 80 -j DNAT --to 192.168.1.250
iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -j MASQUERADE

Here we redirect the incoming connections that arrive at Suricata to the Apache server, and after that we masquerade the network.

Now on the Apache server we need to configure it to use the Suricata host as its gateway.

route del default
route add default gw 192.168.1.252

Now we need to test the connection to the internet like this

ping 8.8.8.8

Now on Suricata let's open the HTTP log file like this

tail -f /var/log/suricata/http.log

Now from another computer let's launch a test attack against it like this

nikto -h 192.168.1.252 -C all


In the log files we'll get something like this

04/13/2015-17:08:43.040495 192.168.1.252 [**] /Script/fckeditor/editor/dialog/fck_link.html [**] Mozilla/4.75 (Nikto/2.1.4) (Evasions:None) (Test:003562) [**] 192.168.1.254:34356 -> 192.168.1.252:80
04/13/2015-17:08:43.040511 192.168.1.252 [**] /Script/fckeditor/editor/dialog/fck_link.html [**] Mozilla/4.75 (Nikto/2.1.4) (Evasions:None) (Test:003562) [**] 192.168.1.252:34356 -> 192.168.1.250:80
04/13/2015-17:08:43.041728 192.168.1.252 [**] /sites/all/modules/fckeditor/fckeditor/editor/dialog/fck_link.html [**] Mozilla/4.75 (Nikto/2.1.4) (Evasions:None) (Test:003562) [**] 192.168.1.254:34356 -> 192.168.1.252:80
04/13/2015-17:08:43.041742 192.168.1.252 [**] /sites/all/modules/fckeditor/fckeditor/editor/dialog/fck_link.html [**] Mozilla/4.75 (Nikto/2.1.4) (Evasions:None) (Test:003562) [**] 192.168.1.252:34356 -> 192.168.1.250:80
04/13/2015-17:08:43.043356 192.168.1.252 [**] /modules/fckeditor/fckeditor/editor/dialog/fck_link.html [**] Mozilla/4.75 (Nikto/2.1.4) (Evasions:None) (Test:003562) [**] 192.168.1.254:34356 -> 192.168.1.252:80
04/13/2015-17:08:43.043366 192.168.1.252 [**] /modules/fckeditor/fckeditor/editor/dialog/fck_link.html [**] Mozilla/4.75 (Nikto/2.1.4) (Evasions:None) (Test:003562) [**] 192.168.1.252:34356 -> 192.168.1.250:80
04/13/2015-17:08:43.044312 192.168.1.252 [**] /class/fckeditor/editor/dialog/fck_link.html [**] Mozilla/4.75 (Nikto/2.1.4) (Evasions:None) (Test:003562) [**] 192.168.1.254:34356 -> 192.168.1.252:80
04/13/2015-17:08:43.044312 192.168.1.252 [**] /class/fckeditor/editor/dialog/fck_link.html [**] Mozilla/4.75 (Nikto/2.1.4) (Evasions:None) (Test:003562) [**] 192.168.1.252:34356 -> 192.168.1.250:80
04/13/2015-17:08:43.045458 192.168.1.252 [**] /inc/fckeditor/editor/dialog/fck_link.html [**] Mozilla/4.75 (Nikto/2.1.4) (Evasions:None) (Test:003562) [**] 192.168.1.254:34356 -> 192.168.1.252:80
04/13/2015-17:08:43.045487 192.168.1.252 [**] /inc/fckeditor/editor/dialog/fck_link.html [**] Mozilla/4.75 (Nikto/2.1.4) (Evasions:None) (Test:003562) [**] 192.168.1.252:34356 -> 192.168.1.250:80
04/13/2015-17:08:43.046864 192.168.1.252 [**] /sites/all/libraries/fckeditor/editor/dialog/fck_link.html [**] Mozilla/4.75 (Nikto/2.1.4) (Evasions:None) (Test:003562) [**] 192.168.1.254:34356 -> 192.168.1.252:80
04/13/2015-17:08:43.046878 192.168.1.252 [**] /sites/all/libraries/fckeditor/editor/dialog/fck_link.html [**] Mozilla/4.75 (Nikto/2.1.4) (Evasions:None) (Test:003562) [**] 192.168.1.252:34356 -> 192.168.1.250:80
04/13/2015-17:08:43.047958 192.168.1.252 [**] /FCKeditor/editor/filemanager/browser/default/connectors/asp/connector.asp [**] Mozilla/4.75 (Nikto/2.1.4) (Evasions:None) (Test:003563) [**] 192.168.1.254:34356 -> 192.168.1.252:80
04/13/2015-17:08:43.047965 192.168.1.252 [**] /FCKeditor/editor/filemanager/browser/default/connectors/asp/connector.asp [**] Mozilla/4.75 (Nikto/2.1.4) (Evasions:None) (Test:003563) [**] 192.168.1.252:34356 -> 192.168.1.250:80
04/13/2015-17:08:43.049023 192.168.1.252 [**] /Script/fckeditor/editor/filemanager/browser/default/connectors/asp/connector.asp [**] Mozilla/4.75 (Nikto/2.1.4) (Evasions:None) (Test:003563) [**] 192.168.1.254:34356 -> 192.168.1.252:80
04/13/2015-17:08:43.049023 192.168.1.252 [**] /Script/fckeditor/editor/filemanager/browser/default/connectors/asp/connector.asp [**] Mozilla/4.75 (Nikto/2.1.4) (Evasions:None) (Test:003563) [**] 192.168.1.252:34356 -> 192.168.1.250:80
04/13/2015-17:08:43.050128 192.168.1.252 [**] /sites/all/modules/fckeditor/fckeditor/editor/filemanager/browser/default/connectors/asp/connector.asp [**] Mozilla/4.75 (Nikto/2.1.4) (Evasions:None) (Test:003563) [**] 192.168.1.254:34356 -> 192.168.1.252:80
04/13/2015-17:08:43.050128 192.168.1.252 [**] /sites/all/modules/fckeditor/fckeditor/editor/filemanager/browser/default/connectors/asp/connector.asp [**] Mozilla/4.75 (Nikto/2.1.4) (Evasions:None) (Test:003563) [**] 192.168.1.252:34356 -> 192.168.1.250:80
04/13/2015-17:08:43.051718 192.168.1.252 [**] /modules/fckeditor/fckeditor/editor/filemanager/browser/default/connectors/asp/connector.asp [**] Mozilla/4.75 (Nikto/2.1.4) (Evasions:None) (Test:003563) [**] 192.168.1.254:34356 -> 192.168.1.252:80
04/13/2015-17:08:43.051819 192.168.1.252 [**] /modules/fckeditor/fckeditor/editor/filemanager/browser/default/connectors/asp/connector.asp [**] Mozilla/4.75 (Nikto/2.1.4) (Evasions:None) (Test:003563) [**] 192.168.1.252:34356 -> 192.168.1.250:80
04/13/2015-17:08:43.054704 192.168.1.252 [**] /class/fckeditor/editor/filemanager/browser/default/connectors/asp/connector.asp [**] Mozilla/4.75 (Nikto/2.1.4) (Evasions:None) (Test:003563) [**] 192.168.1.254:34356 -> 192.168.1.252:80
04/13/2015-17:08:43.054727 192.168.1.252 [**] /class/fckeditor/editor/filemanager/browser/default/connectors/asp/connector.asp [**] Mozilla/4.75 (Nikto/2.1.4) (Evasions:None) (Test:003563) [**] 192.168.1.252:34356 -> 192.168.1.250:80
04/13/2015-17:08:43.056559 192.168.1.252 [**] /inc/fckeditor/editor/filemanager/browser/default/connectors/asp/connector.asp [**] Mozilla/4.75 (Nikto/2.1.4) (Evasions:None) (Test:003563) [**] 192.168.1.254:34356 -> 192.168.1.252:80
04/13/2015-17:08:43.056605 192.168.1.252 [**] /inc/fckeditor/editor/filemanager/browser/default/connectors/asp/connector.asp [**] Mozilla/4.75 (Nikto/2.1.4) (Evasions:None) (Test:003563) [**] 192.168.1.252:34356 -> 192.168.1.250:80
04/13/2015-17:08:43.058358 192.168.1.252 [**] /sites/all/libraries/fckeditor/editor/filemanager/browser/default/connectors/asp/connector.asp [**] Mozilla/4.75 (Nikto/2.1.4) (Evasions:None) (Test:003563) [**] 192.168.1.254:34356 -> 192.168.1.252:80
04/13/2015-17:08:43.058358 192.168.1.252 [**] /sites/all/libraries/fckeditor/editor/filemanager/browser/default/connectors/asp/connector.asp [**] Mozilla/4.75 (Nikto/2.1.4) (Evasions:None) (Test:003563) [**] 192.168.1.252:34356 -> 192.168.1.250:80
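The http.log output above shows every Nikto request twice: the leg that arrives at 192.168.1.252 from 192.168.1.254, and, after the DNAT rule, the leg that leaves 192.168.1.252 towards 192.168.1.250 with the same source port. When you count requests from this file you therefore need to fold the two legs together, or every number is doubled and the scanner appears to be the Suricata host itself. The following Python script is an added example, not part of the original wiki page: it parses lines in this format, maps each post-DNAT leg back to the real client, and counts requests per client whose User-Agent carries a known scanner marker. The sample lines (including the constructed browser request from 192.168.1.77), the SCANNER_UA_MARKERS list and the function names are assumptions made for the example.

```python
import re
from collections import Counter

# Constructed sample lines in the http.log format the page shows. Lab addresses as on the page:
# 192.168.1.254 is the scanning host, .252 the Suricata/NAT box, .250 the Apache server.
# The last line (a browser from 192.168.1.77) is a constructed non-scanner request.
SAMPLE_HTTP_LOG = """\
04/13/2015-17:08:43.040495 192.168.1.252 [**] /Script/fckeditor/editor/dialog/fck_link.html [**] Mozilla/4.75 (Nikto/2.1.4) (Evasions:None) (Test:003562) [**] 192.168.1.254:34356 -> 192.168.1.252:80
04/13/2015-17:08:43.040511 192.168.1.252 [**] /Script/fckeditor/editor/dialog/fck_link.html [**] Mozilla/4.75 (Nikto/2.1.4) (Evasions:None) (Test:003562) [**] 192.168.1.252:34356 -> 192.168.1.250:80
04/13/2015-17:08:43.047958 192.168.1.252 [**] /FCKeditor/editor/filemanager/browser/default/connectors/asp/connector.asp [**] Mozilla/4.75 (Nikto/2.1.4) (Evasions:None) (Test:003563) [**] 192.168.1.254:34356 -> 192.168.1.252:80
04/13/2015-17:08:43.047965 192.168.1.252 [**] /FCKeditor/editor/filemanager/browser/default/connectors/asp/connector.asp [**] Mozilla/4.75 (Nikto/2.1.4) (Evasions:None) (Test:003563) [**] 192.168.1.252:34356 -> 192.168.1.250:80
04/13/2015-17:09:00.000000 192.168.1.252 [**] /index.html [**] Mozilla/5.0 (X11; Linux x86_64) [**] 192.168.1.77:50000 -> 192.168.1.252:80
"""

# Fields: timestamp, Host header, URL, User-Agent, src:port -> dst:port, separated by " [**] "
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) \[\*\*\] (?P<url>\S+) \[\*\*\] (?P<ua>.*?) \[\*\*\] "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

# User-Agent substrings of the two scanners used on the page (assumed marker list).
SCANNER_UA_MARKERS = ("Nikto", "Nmap Scripting Engine")


def parse_http_log(text):
    """Parse http.log lines into dicts; lines that do not match the format are ignored."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["sport"] = int(rec["sport"])
            rec["dport"] = int(rec["dport"])
            records.append(rec)
    return records


def real_clients(records, nat_ip):
    """Map each post-DNAT leg (source rewritten to nat_ip) back to the real client of the
    pre-DNAT leg. Both legs share the URL and the client's source port, as the page's log shows."""
    pre_nat = {}
    for r in records:
        if r["dst"] == nat_ip and r["src"] != nat_ip:
            pre_nat[(r["url"], r["sport"])] = r["src"]
    mapping = {}
    for r in records:
        if r["src"] == nat_ip:
            mapping[(r["url"], r["sport"], r["dst"])] = pre_nat.get((r["url"], r["sport"]), "unknown")
    return mapping


def scanner_report(records, nat_ip):
    """Count scanner-tagged requests per real client, counting each request once
    (the duplicated post-DNAT leg is skipped so the counts are not doubled)."""
    hits = Counter()
    for r in records:
        if r["src"] == nat_ip:
            continue
        for marker in SCANNER_UA_MARKERS:
            if marker in r["ua"]:
                hits[(r["src"], marker)] += 1
    return hits


if __name__ == "__main__":
    recs = parse_http_log(SAMPLE_HTTP_LOG)
    print("parsed %d records" % len(recs))
    for leg, client in real_clients(recs, "192.168.1.252").items():
        print("post-DNAT leg %s came from real client %s" % (leg, client))
    for (client, tool), n in scanner_report(recs, "192.168.1.252").items():
        print("%s: %d requests tagged %s" % (client, n, tool))
```

To run it against the real file, replace SAMPLE_HTTP_LOG with the contents of /var/log/suricata/http.log and pass the IP of the Suricata box as nat_ip; the same pairing applies to the eve.json http events, which carry the two legs in the same way.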

Now on Suricata let's open another log file.

tail -f /var/log/suricata/eve.json

Now from another machine let's run a scan against the Suricata host like this

nmap -sS -v -n -A 192.168.1.252 -T4

In the logs we'll get something like this

{"timestamp":"2015-04-13T17:11:31.308899","event_type":"http","src_ip":"192.168.1.254","src_port":34461,"dest_ip":"192.168.1.252","dest_port":80,"proto":"TCP","http":{"url":"\/","http_content_type":"text\/html","http_method":"GET","protocol":"HTTP\/1.0","status":"200","length":177}}
{"timestamp":"2015-04-13T17:11:31.308910","event_type":"http","src_ip":"192.168.1.252","src_port":34461,"dest_ip":"192.168.1.250","dest_port":80,"proto":"TCP","http":{"url":"\/","http_content_type":"text\/html","http_method":"GET","protocol":"HTTP\/1.0","status":"200","length":177}}
{"timestamp":"2015-04-13T17:11:31.310502","event_type":"fileinfo","src_ip":"192.168.1.250","src_port":80,"dest_ip":"192.168.1.252","dest_port":34461,"proto":"TCP","http":{"url":"\/"},"fileinfo":{"filename":"\/","state":"CLOSED","stored":false,"size":177}}
{"timestamp":"2015-04-13T17:11:31.310528","event_type":"fileinfo","src_ip":"192.168.1.252","src_port":80,"dest_ip":"192.168.1.254","dest_port":34461,"proto":"TCP","http":{"url":"\/"},"fileinfo":{"filename":"\/","state":"CLOSED","stored":false,"size":177}}
{"timestamp":"2015-04-13T17:11:32.011592","event_type":"alert","src_ip":"192.168.1.254","dest_ip":"192.168.1.252","proto":"ICMP","icmp_type":8,"icmp_code":9,"alert":{"action":"allowed","gid":1,"signature_id":2200025,"rev":1,"signature":"SURICATA ICMPv4 unknown code","category":"","severity":3}}
{"timestamp":"2015-04-13T17:11:32.011676","event_type":"alert","src_ip":"192.168.1.252","dest_ip":"192.168.1.254","proto":"ICMP","icmp_type":0,"icmp_code":9,"alert":{"action":"allowed","gid":1,"signature_id":2200025,"rev":1,"signature":"SURICATA ICMPv4 unknown code","category":"","severity":3}}
{"timestamp":"2015-04-13T17:11:32.287971","event_type":"alert","src_ip":"192.168.1.254","dest_ip":"192.168.1.252","proto":"ICMP","icmp_type":8,"icmp_code":9,"alert":{"action":"allowed","gid":1,"signature_id":2200025,"rev":1,"signature":"SURICATA ICMPv4 unknown code","category":"","severity":3}}
{"timestamp":"2015-04-13T17:11:32.288004","event_type":"alert","src_ip":"192.168.1.252","dest_ip":"192.168.1.254","proto":"ICMP","icmp_type":0,"icmp_code":9,"alert":{"action":"allowed","gid":1,"signature_id":2200025,"rev":1,"signature":"SURICATA ICMPv4 unknown code","category":"","severity":3}}
{"timestamp":"2015-04-13T17:11:32.538840","event_type":"alert","src_ip":"192.168.1.254","dest_ip":"192.168.1.252","proto":"ICMP","icmp_type":8,"icmp_code":9,"alert":{"action":"allowed","gid":1,"signature_id":2200025,"rev":1,"signature":"SURICATA ICMPv4 unknown code","category":"","severity":3}}
{"timestamp":"2015-04-13T17:11:32.538873","event_type":"alert","src_ip":"192.168.1.252","dest_ip":"192.168.1.254","proto":"ICMP","icmp_type":0,"icmp_code":9,"alert":{"action":"allowed","gid":1,"signature_id":2200025,"rev":1,"signature":"SURICATA ICMPv4 unknown code","category":"","severity":3}}
{"timestamp":"2015-04-13T17:11:32.790094","event_type":"alert","src_ip":"192.168.1.254","dest_ip":"192.168.1.252","proto":"ICMP","icmp_type":8,"icmp_code":9,"alert":{"action":"allowed","gid":1,"signature_id":2200025,"rev":1,"signature":"SURICATA ICMPv4 unknown code","category":"","severity":3}}
{"timestamp":"2015-04-13T17:11:32.790130","event_type":"alert","src_ip":"192.168.1.252","dest_ip":"192.168.1.254","proto":"ICMP","icmp_type":0,"icmp_code":9,"alert":{"action":"allowed","gid":1,"signature_id":2200025,"rev":1,"signature":"SURICATA ICMPv4 unknown code","category":"","severity":3}}
{"timestamp":"2015-04-13T17:11:34.779427","event_type":"alert","src_ip":"192.168.1.254","dest_ip":"192.168.1.252","proto":"ICMP","icmp_type":8,"icmp_code":9,"alert":{"action":"allowed","gid":1,"signature_id":2200025,"rev":1,"signature":"SURICATA ICMPv4 unknown code","category":"","severity":3}}
{"timestamp":"2015-04-13T17:11:34.779493","event_type":"alert","src_ip":"192.168.1.252","dest_ip":"192.168.1.254","proto":"ICMP","icmp_type":0,"icmp_code":9,"alert":{"action":"allowed","gid":1,"signature_id":2200025,"rev":1,"signature":"SURICATA ICMPv4 unknown code","category":"","severity":3}}
{"timestamp":"2015-04-13T17:11:34.955370","event_type":"alert","src_ip":"192.168.1.254","dest_ip":"192.168.1.252","proto":"ICMP","icmp_type":8,"icmp_code":9,"alert":{"action":"allowed","gid":1,"signature_id":2200025,"rev":1,"signature":"SURICATA ICMPv4 unknown code","category":"","severity":3}}
{"timestamp":"2015-04-13T17:11:34.955402","event_type":"alert","src_ip":"192.168.1.252","dest_ip":"192.168.1.254","proto":"ICMP","icmp_type":0,"icmp_code":9,"alert":{"action":"allowed","gid":1,"signature_id":2200025,"rev":1,"signature":"SURICATA ICMPv4 unknown code","category":"","severity":3}}
{"timestamp":"2015-04-13T17:11:35.081111","event_type":"alert","src_ip":"192.168.1.254","dest_ip":"192.168.1.252","proto":"ICMP","icmp_type":8,"icmp_code":9,"alert":{"action":"allowed","gid":1,"signature_id":2200025,"rev":1,"signature":"SURICATA ICMPv4 unknown code","category":"","severity":3}}
{"timestamp":"2015-04-13T17:11:35.081145","event_type":"alert","src_ip":"192.168.1.252","dest_ip":"192.168.1.254","proto":"ICMP","icmp_type":0,"icmp_code":9,"alert":{"action":"allowed","gid":1,"signature_id":2200025,"rev":1,"signature":"SURICATA ICMPv4 unknown code","category":"","severity":3}}
{"timestamp":"2015-04-13T17:11:35.231245","event_type":"alert","src_ip":"192.168.1.254","dest_ip":"192.168.1.252","proto":"ICMP","icmp_type":8,"icmp_code":9,"alert":{"action":"allowed","gid":1,"signature_id":2200025,"rev":1,"signature":"SURICATA ICMPv4 unknown code","category":"","severity":3}}
{"timestamp":"2015-04-13T17:11:35.231273","event_type":"alert","src_ip":"192.168.1.252","dest_ip":"192.168.1.254","proto":"ICMP","icmp_type":0,"icmp_code":9,"alert":{"action":"allowed","gid":1,"signature_id":2200025,"rev":1,"signature":"SURICATA ICMPv4 unknown code","category":"","severity":3}}
{"timestamp":"2015-04-13T17:11:37.107218","event_type":"alert","src_ip":"192.168.1.254","dest_ip":"192.168.1.252","proto":"ICMP","icmp_type":8,"icmp_code":9,"alert":{"action":"allowed","gid":1,"signature_id":2200025,"rev":1,"signature":"SURICATA ICMPv4 unknown code","category":"","severity":3}}
{"timestamp":"2015-04-13T17:11:37.107283","event_type":"alert","src_ip":"192.168.1.252","dest_ip":"192.168.1.254","proto":"ICMP","icmp_type":0,"icmp_code":9,"alert":{"action":"allowed","gid":1,"signature_id":2200025,"rev":1,"signature":"SURICATA ICMPv4 unknown code","category":"","severity":3}}
{"timestamp":"2015-04-13T17:11:41.356211","event_type":"alert","src_ip":"192.168.1.254","dest_ip":"192.168.1.252","proto":"ICMP","icmp_type":8,"icmp_code":9,"alert":{"action":"allowed","gid":1,"signature_id":2200025,"rev":1,"signature":"SURICATA ICMPv4 unknown code","category":"","severity":3}}
{"timestamp":"2015-04-13T17:11:41.356276","event_type":"alert","src_ip":"192.168.1.252","dest_ip":"192.168.1.254","proto":"ICMP","icmp_type":0,"icmp_code":9,"alert":{"action":"allowed","gid":1,"signature_id":2200025,"rev":1,"signature":"SURICATA ICMPv4 unknown code","category":"","severity":3}}
{"timestamp":"2015-04-13T17:11:41.856659","event_type":"alert","src_ip":"192.168.1.254","dest_ip":"192.168.1.252","proto":"ICMP","icmp_type":8,"icmp_code":9,"alert":{"action":"allowed","gid":1,"signature_id":2200025,"rev":1,"signature":"SURICATA ICMPv4 unknown code","category":"","severity":3}}
{"timestamp":"2015-04-13T17:11:41.856711","event_type":"alert","src_ip":"192.168.1.252","dest_ip":"192.168.1.254","proto":"ICMP","icmp_type":0,"icmp_code":9,"alert":{"action":"allowed","gid":1,"signature_id":2200025,"rev":1,"signature":"SURICATA ICMPv4 unknown code","category":"","severity":3}}
{"timestamp":"2015-04-13T17:11:42.184192","event_type":"alert","src_ip":"192.168.1.254","dest_ip":"192.168.1.252","proto":"ICMP","icmp_type":8,"icmp_code":9,"alert":{"action":"allowed","gid":1,"signature_id":2200025,"rev":1,"signature":"SURICATA ICMPv4 unknown code","category":"","severity":3}}
{"timestamp":"2015-04-13T17:11:42.184238","event_type":"alert","src_ip":"192.168.1.252","dest_ip":"192.168.1.254","proto":"ICMP","icmp_type":0,"icmp_code":9,"alert":{"action":"allowed","gid":1,"signature_id":2200025,"rev":1,"signature":"SURICATA ICMPv4 unknown code","category":"","severity":3}}
{"timestamp":"2015-04-13T17:11:42.514244","event_type":"alert","src_ip":"192.168.1.254","dest_ip":"192.168.1.252","proto":"ICMP","icmp_type":8,"icmp_code":9,"alert":{"action":"allowed","gid":1,"signature_id":2200025,"rev":1,"signature":"SURICATA ICMPv4 unknown code","category":"","severity":3}}
{"timestamp":"2015-04-13T17:11:42.514282","event_type":"alert","src_ip":"192.168.1.252","dest_ip":"192.168.1.254","proto":"ICMP","icmp_type":0,"icmp_code":9,"alert":{"action":"allowed","gid":1,"signature_id":2200025,"rev":1,"signature":"SURICATA ICMPv4 unknown code","category":"","severity":3}}
{"timestamp":"2015-04-13T17:11:44.588082","event_type":"alert","src_ip":"192.168.1.254","dest_ip":"192.168.1.252","proto":"ICMP","icmp_type":8,"icmp_code":9,"alert":{"action":"allowed","gid":1,"signature_id":2200025,"rev":1,"signature":"SURICATA ICMPv4 unknown code","category":"","severity":3}}
{"timestamp":"2015-04-13T17:11:44.588140","event_type":"alert","src_ip":"192.168.1.252","dest_ip":"192.168.1.254","proto":"ICMP","icmp_type":0,"icmp_code":9,"alert":{"action":"allowed","gid":1,"signature_id":2200025,"rev":1,"signature":"SURICATA ICMPv4 unknown code","category":"","severity":3}}
{"timestamp":"2015-04-13T17:11:44.838373","event_type":"alert","src_ip":"192.168.1.254","dest_ip":"192.168.1.252","proto":"ICMP","icmp_type":8,"icmp_code":9,"alert":{"action":"allowed","gid":1,"signature_id":2200025,"rev":1,"signature":"SURICATA ICMPv4 unknown code","category":"","severity":3}}
{"timestamp":"2015-04-13T17:11:44.838415","event_type":"alert","src_ip":"192.168.1.252","dest_ip":"192.168.1.254","proto":"ICMP","icmp_type":0,"icmp_code":9,"alert":{"action":"allowed","gid":1,"signature_id":2200025,"rev":1,"signature":"SURICATA ICMPv4 unknown code","category":"","severity":3}}
{"timestamp":"2015-04-13T17:11:45.017505","event_type":"alert","src_ip":"192.168.1.254","dest_ip":"192.168.1.252","proto":"ICMP","icmp_type":8,"icmp_code":9,"alert":{"action":"allowed","gid":1,"signature_id":2200025,"rev":1,"signature":"SURICATA ICMPv4 unknown code","category":"","severity":3}}
{"timestamp":"2015-04-13T17:11:45.017541","event_type":"alert","src_ip":"192.168.1.252","dest_ip":"192.168.1.254","proto":"ICMP","icmp_type":0,"icmp_code":9,"alert":{"action":"allowed","gid":1,"signature_id":2200025,"rev":1,"signature":"SURICATA ICMPv4 unknown code","category":"","severity":3}}
{"timestamp":"2015-04-13T17:11:45.244572","event_type":"alert","src_ip":"192.168.1.254","dest_ip":"192.168.1.252","proto":"ICMP","icmp_type":8,"icmp_code":9,"alert":{"action":"allowed","gid":1,"signature_id":2200025,"rev":1,"signature":"SURICATA ICMPv4 unknown code","category":"","severity":3}}
{"timestamp":"2015-04-13T17:11:45.244597","event_type":"alert","src_ip":"192.168.1.252","dest_ip":"192.168.1.254","proto":"ICMP","icmp_type":0,"icmp_code":9,"alert":{"action":"allowed","gid":1,"signature_id":2200025,"rev":1,"signature":"SURICATA ICMPv4 unknown code","category":"","severity":3}}
{"timestamp":"2015-04-13T17:11:45.792743","event_type":"http","src_ip":"192.168.1.254","src_port":34475,"dest_ip":"192.168.1.252","dest_port":80,"proto":"TCP","http":{"hostname":"192.168.1.252","url":"\/","http_user_agent":"Mozilla\/5.0 (compatible; Nmap Scripting Engine; http:\/\/nmap.org\/book\/nse.html)","http_content_type":"text\/html","http_method":"GET","protocol":"HTTP\/1.1","status":"200","length":177}}
{"timestamp":"2015-04-13T17:11:45.792753","event_type":"http","src_ip":"192.168.1.252","src_port":34475,"dest_ip":"192.168.1.250","dest_port":80,"proto":"TCP","http":{"hostname":"192.168.1.252","url":"\/","http_user_agent":"Mozilla\/5.0 (compatible; Nmap Scripting Engine; http:\/\/nmap.org\/book\/nse.html)","http_content_type":"text\/html","http_method":"GET","protocol":"HTTP\/1.1","status":"200","length":177}}
{"timestamp":"2015-04-13T17:11:45.792766","event_type":"fileinfo","src_ip":"192.168.1.250","src_port":80,"dest_ip":"192.168.1.252","dest_port":34475,"proto":"TCP","http":{"url":"\/","hostname":"192.168.1.252","http_user_agent":"Mozilla\/5.0 (compatible; Nmap Scripting Engine; http:\/\/nmap.org\/book\/nse.html)"},"fileinfo":{"filename":"\/","state":"CLOSED","stored":false,"size":177}}
{"timestamp":"2015-04-13T17:11:45.792771","event_type":"fileinfo","src_ip":"192.168.1.252","src_port":80,"dest_ip":"192.168.1.254","dest_port":34475,"proto":"TCP","http":{"url":"\/","hostname":"192.168.1.252","http_user_agent":"Mozilla\/5.0 (compatible; Nmap Scripting Engine; http:\/\/nmap.org\/book\/nse.html)"},"fileinfo":{"filename":"\/","state":"CLOSED","stored":false,"size":177}}
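The eve.json output above is one JSON object per line, and every alert in it carries "action":"allowed", which is what eve reports when the packet that triggered the rule was not dropped: Suricata was started with -i eth0, so it sniffs the interface rather than sitting inline on NFQUEUE, and the drop output alone does not block anything. The following Python script is an added example, not from the wiki page: it loads a file in this format, skips lines that are not valid JSON, counts alerts per signature and action, lists the alerts whose traffic went through, and counts HTTP requests whose User-Agent carries a scanner marker per source address. The sample records, the constructed "blocked" alert with placeholder signature_id 9000001, the SCANNER_UA_MARKERS list and the function names are assumptions made for the example.

```python
import json
from collections import Counter

# Constructed sample of eve.json records (one JSON object per line), in the shape the page shows.
# Addresses follow the page's lab: 192.168.1.254 scanner, 192.168.1.252 Suricata, 192.168.1.250 Apache.
# The record with signature_id 9000001 and action "blocked" is a constructed placeholder, not from the page,
# and shows what an alert looks like when Suricata runs inline and actually drops the packet.
SAMPLE_EVE = "\n".join([
    '{"timestamp":"2015-04-13T17:11:31.308899","event_type":"http","src_ip":"192.168.1.254","src_port":34461,'
    '"dest_ip":"192.168.1.252","dest_port":80,"proto":"TCP","http":{"url":"\\/","http_content_type":"text\\/html",'
    '"http_method":"GET","protocol":"HTTP\\/1.0","status":"200","length":177}}',
    '{"timestamp":"2015-04-13T17:11:32.011592","event_type":"alert","src_ip":"192.168.1.254","dest_ip":"192.168.1.252",'
    '"proto":"ICMP","icmp_type":8,"icmp_code":9,"alert":{"action":"allowed","gid":1,"signature_id":2200025,"rev":1,'
    '"signature":"SURICATA ICMPv4 unknown code","category":"","severity":3}}',
    '{"timestamp":"2015-04-13T17:11:32.011676","event_type":"alert","src_ip":"192.168.1.252","dest_ip":"192.168.1.254",'
    '"proto":"ICMP","icmp_type":0,"icmp_code":9,"alert":{"action":"allowed","gid":1,"signature_id":2200025,"rev":1,'
    '"signature":"SURICATA ICMPv4 unknown code","category":"","severity":3}}',
    '{"timestamp":"2015-04-13T17:11:45.792743","event_type":"http","src_ip":"192.168.1.254","src_port":34475,'
    '"dest_ip":"192.168.1.252","dest_port":80,"proto":"TCP","http":{"hostname":"192.168.1.252","url":"\\/",'
    '"http_user_agent":"Mozilla\\/5.0 (compatible; Nmap Scripting Engine; http:\\/\\/nmap.org\\/book\\/nse.html)",'
    '"http_content_type":"text\\/html","http_method":"GET","protocol":"HTTP\\/1.1","status":"200","length":177}}',
    '{"timestamp":"2015-04-13T17:11:50.000000","event_type":"alert","src_ip":"192.168.1.254","dest_ip":"192.168.1.252",'
    '"proto":"TCP","src_port":40000,"dest_port":80,"alert":{"action":"blocked","gid":1,"signature_id":9000001,"rev":1,'
    '"signature":"LOCAL constructed example drop rule","category":"","severity":2}}',
    'this line is not JSON and must be skipped',
])

# User-Agent substrings of the two scanners used on the page (assumed marker list).
SCANNER_UA_MARKERS = ("Nikto", "Nmap Scripting Engine")


def load_eve(text):
    """Parse eve.json text; returns (events, number of lines that failed to parse)."""
    events, bad = [], 0
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except ValueError:
            bad += 1
    return events, bad


def alert_summary(events):
    """Count alerts per (signature_id, signature, action)."""
    counts = Counter()
    for ev in events:
        if ev.get("event_type") == "alert":
            a = ev["alert"]
            counts[(a["signature_id"], a["signature"], a["action"])] += 1
    return counts


def alerts_not_dropped(events):
    """Alerts whose packet was let through. Every alert on the page has action "allowed":
    with -i eth0 Suricata sniffs the interface instead of running inline on NFQUEUE, so
    a drop rule only logs; a real inline drop is reported as action "blocked"."""
    return [ev for ev in events
            if ev.get("event_type") == "alert" and ev["alert"]["action"] != "blocked"]


def scanner_user_agents(events):
    """Count HTTP requests whose User-Agent carries a known scanner marker, per source IP."""
    hits = Counter()
    for ev in events:
        if ev.get("event_type") != "http":
            continue
        ua = ev["http"].get("http_user_agent", "")
        for marker in SCANNER_UA_MARKERS:
            if marker in ua:
                hits[(ev["src_ip"], marker)] += 1
    return hits


if __name__ == "__main__":
    events, bad = load_eve(SAMPLE_EVE)
    print("parsed %d events, skipped %d bad lines" % (len(events), bad))
    for key, n in alert_summary(events).items():
        print("alert", key, n)
    print("alerts not dropped:", len(alerts_not_dropped(events)))
    print("scanner user agents:", dict(scanner_user_agents(events)))
```

Run it against /var/log/suricata/eve.json by reading the file into load_eve; if alerts_not_dropped returns every alert for a rule you set to drop, the sensor is still in sniffing mode rather than inline.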

We can also check on the Apache server that we have a lot of connections, like this.

tail -f /var/log/apache2/access.log
192.168.1.252 - - [13/Apr/2015:17:08:44 -0300] "GET
/cgi-915/c32web.exe/GetImage?ImageName=CustomerEmail.txt%00.pdf HTTP/1.1"
404 543 "-" "Mozilla/4.75 (Nikto/2.1.4) (Evasions:None) (Test:003581)"
192.168.1.252 - - [13/Apr/2015:17:08:44 -0300] "GET
/bin/c32web.exe/GetImage?ImageName=CustomerEmail.txt%00.pdf HTTP/1.1" 404
539 "-" "Mozilla/4.75 (Nikto/2.1.4) (Evasions:None) (Test:003581)"
192.168.1.252 - - [13/Apr/2015:17:08:44 -0300] "GET
/cgi/c32web.exe/GetImage?ImageName=CustomerEmail.txt%00.pdf HTTP/1.1" 404
539 "-" "Mozilla/4.75 (Nikto/2.1.4) (Evasions:None) (Test:003581)"
192.168.1.252 - - [13/Apr/2015:17:08:44 -0300] "GET
http://wiki.douglasqsantos.com.br/ Printed on 2018/01/23 17:24
2018/01/23 17:24 11/30 Installing and Configuring Suricata on Debian Wheezy

/mpcgi/c32web.exe/GetImage?ImageName=CustomerEmail.txt%00.pdf HTTP/1.1" 404


541 "-" "Mozilla/4.75 (Nikto/2.1.4) (Evasions:None) (Test:003581)"
192.168.1.252 - - [13/Apr/2015:17:08:44 -0300] "GET /cgi-
bin/c32web.exe/GetImage?ImageName=CustomerEmail.txt%00.pdf HTTP/1.1" 404
543 "-" "Mozilla/4.75 (Nikto/2.1.4) (Evasions:None) (Test:003581)"
192.168.1.252 - - [13/Apr/2015:17:08:44 -0300] "GET /ows-
bin/c32web.exe/GetImage?ImageName=CustomerEmail.txt%00.pdf HTTP/1.1" 404
543 "-" "Mozilla/4.75 (Nikto/2.1.4) (Evasions:None) (Test:003581)"
192.168.1.252 - - [13/Apr/2015:17:08:44 -0300] "GET /cgi-
sys/c32web.exe/GetImage?ImageName=CustomerEmail.txt%00.pdf HTTP/1.1" 404
543 "-" "Mozilla/4.75 (Nikto/2.1.4) (Evasions:None) (Test:003581)"
192.168.1.252 - - [13/Apr/2015:17:08:44 -0300] "GET /cgi-
local/c32web.exe/GetImage?ImageName=CustomerEmail.txt%00.pdf HTTP/1.1" 404
545 "-" "Mozilla/4.75 (Nikto/2.1.4) (Evasions:None) (Test:003581)"
192.168.1.252 - - [13/Apr/2015:17:08:44 -0300] "GET
/htbin/c32web.exe/GetImage?ImageName=CustomerEmail.txt%00.pdf HTTP/1.1" 404
541 "-" "Mozilla/4.75 (Nikto/2.1.4) (Evasions:None) (Test:003581)"
192.168.1.252 - - [13/Apr/2015:17:08:44 -0300] "GET
/cgibin/c32web.exe/GetImage?ImageName=CustomerEmail.txt%00.pdf HTTP/1.1"
404 542 "-" "Mozilla/4.75 (Nikto/2.1.4) (Evasions:None) (Test:003581)"
192.168.1.252 - - [13/Apr/2015:17:08:44 -0300] "GET
/cgis/c32web.exe/GetImage?ImageName=CustomerEmail.txt%00.pdf HTTP/1.1" 404
540 "-" "Mozilla/4.75 (Nikto/2.1.4) (Evasions:None) (Test:003581)"
192.168.1.252 - - [13/Apr/2015:17:08:44 -0300] "GET
/scripts/c32web.exe/GetImage?ImageName=CustomerEmail.txt%00.pdf HTTP/1.1"
404 543 "-" "Mozilla/4.75 (Nikto/2.1.4) (Evasions:None) (Test:003581)"
192.168.1.252 - - [13/Apr/2015:17:08:44 -0300] "GET /cgi-
win/c32web.exe/GetImage?ImageName=CustomerEmail.txt%00.pdf HTTP/1.1" 404
543 "-" "Mozilla/4.75 (Nikto/2.1.4) (Evasions:None) (Test:003581)"
192.168.1.252 - - [13/Apr/2015:17:08:44 -0300] "GET /fcgi-
bin/c32web.exe/GetImage?ImageName=CustomerEmail.txt%00.pdf HTTP/1.1" 404
544 "-" "Mozilla/4.75 (Nikto/2.1.4) (Evasions:None) (Test:003581)"
192.168.1.252 - - [13/Apr/2015:17:08:44 -0300] "GET /cgi-
exe/c32web.exe/GetImage?ImageName=CustomerEmail.txt%00.pdf HTTP/1.1" 404
543 "-" "Mozilla/4.75 (Nikto/2.1.4) (Evasions:None) (Test:003581)"
192.168.1.252 - - [13/Apr/2015:17:08:44 -0300] "GET /cgi-
home/c32web.exe/GetImage?ImageName=CustomerEmail.txt%00.pdf HTTP/1.1" 404
544 "-" "Mozilla/4.75 (Nikto/2.1.4) (Evasions:None) (Test:003581)"
192.168.1.252 - - [13/Apr/2015:17:08:44 -0300] "GET /cgi-
perl/c32web.exe/GetImage?ImageName=CustomerEmail.txt%00.pdf HTTP/1.1" 404
544 "-" "Mozilla/4.75 (Nikto/2.1.4) (Evasions:None) (Test:003581)"
192.168.1.252 - - [13/Apr/2015:17:08:44 -0300] "GET /scgi-
bin/c32web.exe/GetImage?ImageName=CustomerEmail.txt%00.pdf HTTP/1.1" 404
544 "-" "Mozilla/4.75 (Nikto/2.1.4) (Evasions:None) (Test:003581)"
192.168.1.252 - - [13/Apr/2015:17:08:44 -0300] "GET /sitemap.gz HTTP/1.1"
404 526 "-" "Mozilla/4.75 (Nikto/2.1.4) (Evasions:None) (Test:003582)"
192.168.1.252 - - [13/Apr/2015:17:08:44 -0300] "GET /content/sitemap.gz
HTTP/1.1" 404 534 "-" "Mozilla/4.75 (Nikto/2.1.4) (Evasions:None)
(Test:003583)"
192.168.1.252 - - [13/Apr/2015:17:08:44 -0300] "GET /icons/README HTTP/1.1"
200 5375 "-" "Mozilla/4.75 (Nikto/2.1.4) (Evasions:None) (Test:003584)"

DQS CONSULTORIA E TREINAMENTOS - http://wiki.douglasqsantos.com.br/


Last
update:
installing_and_configuring_suricata_on_debian_wheezy_en http://wiki.douglasqsantos.com.br/doku.php/installing_and_configuring_suricata_on_debian_wheezy_en
2017/09/05
12:18

192.168.1.252 - - [13/Apr/2015:17:08:44 -0300] "GET /localstart.asp HTTP/1.1" 404 530 "-" "Mozilla/4.75 (Nikto/2.1.4) (Evasions:None) (Test:003585)"
192.168.1.252 - - [13/Apr/2015:17:08:44 -0300] "GET /ampache/update.php
HTTP/1.1" 404 534 "-" "Mozilla/4.75 (Nikto/2.1.4) (Evasions:None)
(Test:003586)"
192.168.1.252 - - [13/Apr/2015:17:08:44 -0300] "GET /ampache/login.php
HTTP/1.1" 404 533 "-" "Mozilla/4.75 (Nikto/2.1.4) (Evasions:None)
(Test:003587)"
192.168.1.252 - - [13/Apr/2015:17:08:44 -0300] "GET /ampache/docs/README
HTTP/1.1" 404 535 "-" "Mozilla/4.75 (Nikto/2.1.4) (Evasions:None)
(Test:003588)"
192.168.1.252 - - [13/Apr/2015:17:08:44 -0300] "GET /cgi-bin/webcgi/about
HTTP/1.1" 404 536 "-" "Mozilla/4.75 (Nikto/2.1.4) (Evasions:None)
(Test:003589)"
192.168.1.252 - - [13/Apr/2015:17:08:44 -0300] "GET
/webservices/IlaWebServices HTTP/1.1" 404 541 "-" "Mozilla/4.75
(Nikto/2.1.4) (Evasions:None) (Test:003590)"
192.168.1.252 - - [13/Apr/2015:17:08:44 -0300] "GET /SoundBridgeStatus.html
HTTP/1.1" 404 537 "-" "Mozilla/4.75 (Nikto/2.1.4) (Evasions:None)
(Test:003591)"
192.168.1.252 - - [13/Apr/2015:17:08:44 -0300] "GET
/CFIDE/componentutils/cfcexplorer.cfc HTTP/1.1" 404 551 "-" "Mozilla/4.75
(Nikto/2.1.4) (Evasions:None) (Test:003592)"
192.168.1.252 - - [13/Apr/2015:17:08:44 -0300] "GET /phone/ HTTP/1.1" 404
521 "-" "Mozilla/4.75 (Nikto/2.1.4) (Evasions:None) (Test:003593)"
192.168.1.252 - - [13/Apr/2015:17:08:44 -0300] "GET
/Host/Portals/tabid/19/ctl/Login/portalid/0/Default.aspx HTTP/1.1" 404 570
"-" "Mozilla/4.75 (Nikto/2.1.4) (Evasions:None) (Test:003594)"
192.168.1.252 - - [13/Apr/2015:17:08:44 -0300] "GET /jsp-
examples/jsp2/jspx/textRotate.jspx?name=<script>alert(111)</script>
HTTP/1.1" 404 553 "-" "Mozilla/4.75 (Nikto/2.1.4) (Evasions:None)
(Test:003595)"
192.168.1.252 - - [13/Apr/2015:17:08:44 -0300] "GET /jsp-
examples/jsp2/el/implicit-objects.jsp?foo=<script>alert(112)</script>
HTTP/1.1" 404 556 "-" "Mozilla/4.75 (Nikto/2.1.4) (Evasions:None)
(Test:003596)"
192.168.1.252 - - [13/Apr/2015:17:08:44 -0300] "GET /jsp-
examples/jsp2/el/functions.jsp?foo=<script>alert(113)</script> HTTP/1.1" 404
549 "-" "Mozilla/4.75 (Nikto/2.1.4) (Evasions:None) (Test:003597)"

Now let's put Suricata to work as an IPS. For this test we set the network definitions in the main Suricata configuration file to "any". In production HOME_NET must be the protected network (the commented-out value below): the rules use $HOME_NET and $EXTERNAL_NET to decide the direction of an attack, and "any" on both sides makes them fire on traffic in either direction.

vim /etc/suricata/suricata.yaml
[...]
HOME_NET: "any"
#HOME_NET: "[192.168.1.0/24]"
EXTERNAL_NET: "any"
#EXTERNAL_NET: "!$HOME_NET"

Now we need to make a backup of the rule files, so the conversion below can be reverted

cp -Rfa /etc/suricata/rules ~/rules

Now we change the rules in the categories below from alert to drop, so that matching traffic is blocked instead of only logged. The sed only touches lines that start with alert, so commented-out rules are left alone. Converting whole categories is acceptable for this lab; in production, categories such as emerging-policy, stream-events and decoder-events regularly match legitimate traffic and would block it, so convert the individual signatures you trust rather than entire files.

sed -i 's/^alert/drop/g' /etc/suricata/rules/emerging-scan.rules
sed -i 's/^alert/drop/g' /etc/suricata/rules/emerging-web_server.rules
sed -i 's/^alert/drop/g' /etc/suricata/rules/emerging-web_specific_apps.rules
sed -i 's/^alert/drop/g' /etc/suricata/rules/emerging-web_client.rules
sed -i 's/^alert/drop/g' /etc/suricata/rules/drop.rules
sed -i 's/^alert/drop/g' /etc/suricata/rules/stream-events.rules
sed -i 's/^alert/drop/g' /etc/suricata/rules/emerging-policy.rules
sed -i 's/^alert/drop/g' /etc/suricata/rules/emerging-shellcode.rules
sed -i 's/^alert/drop/g' /etc/suricata/rules/decoder-events.rules
sed -i 's/^alert/drop/g' /etc/suricata/rules/emerging-exploit.rules
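
As an added example (not code from the original page), here is a small Python script that converts individual signatures instead of whole files: it flips alert to drop only for rules whose sid is in an explicit list, leaves commented-out rules and rules with another action (pass, reject) untouched, and counts the actions before and after so the change can be verified before Suricata is restarted. The rule text at the bottom is a constructed sample in the style of the emerging-* files, not real ET rule content, and the function names are mine; the commented-out call at the end shows how to apply it to a real file (2002677 is the Nikto signature that appears in fast.log below).

```python
"""Flip the action of selected Suricata rules between alert and drop.

Added example: unlike a blanket ``sed 's/^alert/drop/'`` over a whole
category file, this only touches rules whose sid is listed, leaves
commented-out rules and other actions alone, and reports what changed.
"""
import re

# A rule line starts with its action keyword followed by whitespace; lines
# starting with '#' (disabled rules) never match.  rejectsrc/rejectdst and
# similar variants are not matched either and are left untouched.
ACTION_RE = re.compile(r"^(alert|drop|pass|reject)(\s+)")
SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")


def rule_sid(line):
    """Return the sid of a rule line as an int, or None if it has none."""
    m = SID_RE.search(line)
    return int(m.group(1)) if m else None


def set_action(rules_text, sids, new_action="drop", from_action="alert"):
    """Rewrite rules whose sid is in `sids` from `from_action` to `new_action`.

    Returns (new_text, changed_sids).  Comment lines, rules with another
    action and rules whose sid is not listed are returned unchanged.
    """
    out, changed = [], []
    for line in rules_text.splitlines(keepends=True):
        m = ACTION_RE.match(line)
        sid = rule_sid(line)
        if m and m.group(1) == from_action and sid in sids:
            line = new_action + m.group(2) + line[m.end():]
            changed.append(sid)
        out.append(line)
    return "".join(out), changed


def count_actions(rules_text):
    """Count active (non-commented) rules per action keyword."""
    counts = {}
    for line in rules_text.splitlines():
        m = ACTION_RE.match(line)
        if m:
            counts[m.group(1)] = counts.get(m.group(1), 0) + 1
    return counts


# Constructed sample in the emerging-scan.rules style (not real ET rules).
SAMPLE_RULES = """\
# emerging-scan.rules (constructed sample)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"SAMPLE Scanner UA"; content:"(Nikto"; http_user_agent; sid:9000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"SAMPLE SSH probe"; flags:S; sid:9000002; rev:1;)
#alert tcp any any -> any any (msg:"SAMPLE disabled rule"; sid:9000003; rev:1;)
pass tcp 192.168.1.0/24 any -> any any (msg:"SAMPLE trusted scanner"; sid:9000004; rev:1;)
"""

if __name__ == "__main__":
    # Only 9000001 changes: 9000003 is commented out and 9000004 is a pass rule.
    new_text, changed = set_action(SAMPLE_RULES, {9000001, 9000003, 9000004})
    print("changed sids:", changed)
    print("before:", count_actions(SAMPLE_RULES), "after:", count_actions(new_text))
    # Applying it to a real file, after backing it up as shown on the page:
    # path = "/etc/suricata/rules/emerging-scan.rules"
    # text = open(path).read()
    # new_text, changed = set_action(text, {2002677})
    # open(path, "w").write(new_text)
```

Run it with no arguments to see the sample conversion; for real use, restart Suricata after writing the file and confirm with the printed counts that only the intended sids changed.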

Now we need to stop the Suricata process that was started earlier, like this (a plain kill, SIGTERM, lets Suricata shut down cleanly and flush its logs; SIGKILL is used here only to be sure the process is gone before switching modes)

PSU=$(pidof suricata); kill -9 $PSU

Now we need to start Suricata in inline mode (IPS), like this: -q 0 binds it to NFQUEUE number 0 and -D runs it as a daemon

suricata -c /etc/suricata/suricata.yaml -q 0 -D

Now we need to send every packet of the port 80 connections to the queue; Suricata reads them from there and decides, packet by packet, whether each one is accepted or dropped. Both directions have to be queued (--dport 80 for the requests, --sport 80 for the replies), otherwise Suricata only sees half of each stream and cannot reassemble it. The rules go into FORWARD because the Suricata host routes this traffic to the Apache server; without --queue-num the NFQUEUE target uses queue 0, which is the queue Suricata was started with (-q 0).

iptables -P FORWARD DROP
iptables -A FORWARD -p tcp --dport 80 -j NFQUEUE
iptables -A FORWARD -p tcp --sport 80 -j NFQUEUE
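
Before trusting the verdicts it is worth checking that something is actually bound to the queue: packets sent to an NFQUEUE with no listener are dropped by the kernel, and packets the listener cannot keep up with are dropped too. Both show up in /proc/net/netfilter/nfnetlink_queue, which has one line per bound queue with the fields queue number, peer port id, current queue length, copy mode, copy range, packets dropped because the queue was full, packets dropped because userspace could not receive them, and the id sequence counter. The following Python script is an added example, not part of the original page: it parses that file and reports the conditions that mean Suricata is not inspecting the traffic. The function names are mine and the two inline samples are constructed to show a healthy and an overflowing queue; they were not captured from a real host.

```python
"""Check the NFQUEUE that feeds Suricata via /proc/net/netfilter/nfnetlink_queue.

Added example: the kernel only lists queues that a userspace process has
bound, so a queue missing from the file has no listener and every packet
iptables sends to it with -j NFQUEUE is dropped.  Non-zero drop counters
mean Suricata was bound but could not keep up.
"""
import os

PROC_PATH = "/proc/net/netfilter/nfnetlink_queue"
# Column order of the proc file (one line per bound queue; the trailing
# constant column "1" is ignored).
FIELDS = ("queue_num", "peer_portid", "queue_total", "copy_mode",
          "copy_range", "queue_dropped", "user_dropped", "id_sequence")


def parse_nfnetlink_queue(text):
    """Parse the proc file text into {queue_num: {field: int, ...}}."""
    queues = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < len(FIELDS):
            continue  # blank or malformed line
        rec = dict(zip(FIELDS, (int(p) for p in parts[:len(FIELDS)])))
        queues[rec["queue_num"]] = rec
    return queues


def check_queue(queues, queue_num=0):
    """Return (ok, problems) for the queue Suricata was started with (-q N)."""
    problems = []
    q = queues.get(queue_num)
    if q is None:
        problems.append("queue %d has no listener: every packet queued to it is dropped"
                        % queue_num)
        return False, problems
    if q["queue_dropped"]:
        problems.append("%d packets dropped because queue %d was full (Suricata not keeping up)"
                        % (q["queue_dropped"], queue_num))
    if q["user_dropped"]:
        problems.append("%d packets dropped because userspace could not receive them"
                        % q["user_dropped"])
    return not problems, problems


def check_live(queue_num=0, path=PROC_PATH):
    """Read the real proc file (Linux with nfnetlink_queue loaded) and check it."""
    if not os.path.exists(path):
        return False, ["%s not found: nfnetlink_queue module not loaded" % path]
    with open(path) as fh:
        return check_queue(parse_nfnetlink_queue(fh.read()), queue_num)


# Constructed samples in the proc file's format (not captured from a real host).
SAMPLE_HEALTHY = "    0  23141     0 2 65531     0     0       1375  1\n"
SAMPLE_OVERFLOW = "    0  23141  4096 2 65531   312     0      98211  1\n"

if __name__ == "__main__":
    for name, text in (("healthy", SAMPLE_HEALTHY), ("overflow", SAMPLE_OVERFLOW),
                       ("unbound", "")):
        ok, problems = check_queue(parse_nfnetlink_queue(text))
        print("%-8s %s %s" % (name, "OK" if ok else "PROBLEM", problems))
    print("live:", check_live())
```

Run it on the Suricata host after the iptables rules above are in place; "unbound" is what you get when the firewall was started before Suricata, which is exactly the case in which all queued traffic is silently dropped.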

Now let's follow the Suricata logs like this

tail -f /var/log/suricata/fast.log /var/log/suricata/drop.log

Now we launch a test attack from another machine against the Suricata host, like this (the Suricata host forwards port 80 to the Apache server, which is why the alerts below show 192.168.1.250 as the destination).

nikto -h 192.168.1.252 -C all

Now we can check the Suricata log files like this

tail -f /var/log/suricata/fast.log /var/log/suricata/drop.log

==> /var/log/suricata/fast.log <==
04/13/2015-17:21:44.772236 [Drop] [**] [1:2002677:13] ET SCAN Nikto Web App
Scan in Progress [**] [Classification: Web Application Attack] [Priority: 1]
{TCP} 192.168.1.254:34840 -> 192.168.1.250:80

==> /var/log/suricata/drop.log <==
04/13/2015-17:21:44.772236: IN= OUT= SRC=192.168.1.254 DST=192.168.1.250
LEN=200 TOS=0x00 TTL=63 ID=7455 PROTO=TCP SPT=34840 DPT=80 SEQ=812639632
ACK=3464940515 WINDOW=262 ACK PSH RES=0x00 URGP=0
04/13/2015-17:21:47.918031: IN= OUT= SRC=192.168.1.250 DST=192.168.1.254
LEN=586 TOS=0x00 TTL=63 ID=47579 PROTO=TCP SPT=80 DPT=34840 SEQ=3464939981
ACK=812639632 WINDOW=2346 ACK PSH RES=0x00 URGP=0
04/13/2015-17:21:54.774944: IN= OUT= SRC=192.168.1.254 DST=192.168.1.250
LEN=200 TOS=0x00 TTL=63 ID=23285 PROTO=TCP SPT=34845 DPT=80 SEQ=1536905794
ACK=3348384629 WINDOW=229 ACK PSH RES=0x00 URGP=0
04/13/2015-17:21:55.772148: IN= OUT= SRC=192.168.1.250 DST=192.168.1.254
LEN=60 TOS=0x00 TTL=63 ID=0 PROTO=TCP SPT=80 DPT=34845 SEQ=3348384628
ACK=1536905794 WINDOW=14480 SYN ACK RES=0x00 URGP=0
04/13/2015-17:22:04.779775: IN= OUT= SRC=192.168.1.254 DST=192.168.1.250
LEN=202 TOS=0x00 TTL=63 ID=49545 PROTO=TCP SPT=34858 DPT=80 SEQ=1308021760
ACK=1100202517 WINDOW=229 ACK PSH RES=0x00 URGP=0
04/13/2015-17:22:05.972261: IN= OUT= SRC=192.168.1.250 DST=192.168.1.254
LEN=60 TOS=0x00 TTL=63 ID=0 PROTO=TCP SPT=80 DPT=34858 SEQ=1100202516
ACK=1308021760 WINDOW=14480 SYN ACK RES=0x00 URGP=0
04/13/2015-17:22:14.790753: IN= OUT= SRC=192.168.1.254 DST=192.168.1.250
LEN=202 TOS=0x00 TTL=63 ID=3168 PROTO=TCP SPT=34866 DPT=80 SEQ=3727036513
ACK=3268194257 WINDOW=229 ACK PSH RES=0x00 URGP=0
04/13/2015-17:22:16.171470: IN= OUT= SRC=192.168.1.250 DST=192.168.1.254
LEN=60 TOS=0x00 TTL=63 ID=0 PROTO=TCP SPT=80 DPT=34866 SEQ=3268194256
ACK=3727036513 WINDOW=14480 SYN ACK RES=0x00 URGP=0
04/13/2015-17:22:24.795966: IN= OUT= SRC=192.168.1.254 DST=192.168.1.250
LEN=199 TOS=0x00 TTL=63 ID=50075 PROTO=TCP SPT=34878 DPT=80 SEQ=3459769758
ACK=1952858872 WINDOW=229 ACK PSH RES=0x00 URGP=0
04/13/2015-17:22:25.971993: IN= OUT= SRC=192.168.1.250 DST=192.168.1.254
LEN=60 TOS=0x00 TTL=63 ID=0 PROTO=TCP SPT=80 DPT=34878 SEQ=1952858871
ACK=3459769758 WINDOW=14480 SYN ACK RES=0x00 URGP=0
04/13/2015-17:22:34.808455: IN= OUT= SRC=192.168.1.254 DST=192.168.1.250
LEN=199 TOS=0x00 TTL=63 ID=57943 PROTO=TCP SPT=34885 DPT=80 SEQ=2584071583
ACK=1252079019 WINDOW=229 ACK PSH RES=0x00 URGP=0
04/13/2015-17:22:36.172188: IN= OUT= SRC=192.168.1.250 DST=192.168.1.254
LEN=60 TOS=0x00 TTL=63 ID=0 PROTO=TCP SPT=80 DPT=34885 SEQ=1252079018
ACK=2584071583 WINDOW=14480 SYN ACK RES=0x00 URGP=0

==> /var/log/suricata/fast.log <==


04/13/2015-17:22:44.827179 [Drop] [**] [1:2002677:13] ET SCAN Nikto Web App
Scan in Progress [**] [Classification: Web Application Attack] [Priority: 1]
{TCP} 192.168.1.254:34894 -> 192.168.1.250:80

==> /var/log/suricata/drop.log <==


04/13/2015-17:22:44.827179: IN= OUT= SRC=192.168.1.254 DST=192.168.1.250
LEN=201 TOS=0x00 TTL=63 ID=51878 PROTO=TCP SPT=34894 DPT=80 SEQ=675935592
ACK=4002722971 WINDOW=262 ACK PSH RES=0x00 URGP=0
04/13/2015-17:22:47.995799: IN= OUT= SRC=192.168.1.250 DST=192.168.1.254
LEN=580 TOS=0x00 TTL=63 ID=5199 PROTO=TCP SPT=80 DPT=34894 SEQ=4002722443
ACK=675935592 WINDOW=2346 ACK PSH RES=0x00 URGP=0
04/13/2015-17:22:54.829643: IN= OUT= SRC=192.168.1.254 DST=192.168.1.250
LEN=201 TOS=0x00 TTL=63 ID=26662 PROTO=TCP SPT=34897 DPT=80 SEQ=3048942461
ACK=420962227 WINDOW=229 ACK PSH RES=0x00 URGP=0
04/13/2015-17:22:56.372487: IN= OUT= SRC=192.168.1.250 DST=192.168.1.254
LEN=60 TOS=0x00 TTL=63 ID=0 PROTO=TCP SPT=80 DPT=34897 SEQ=420962226
ACK=3048942461 WINDOW=14480 SYN ACK RES=0x00 URGP=0
04/13/2015-17:23:04.838129: IN= OUT= SRC=192.168.1.254 DST=192.168.1.250
LEN=200 TOS=0x00 TTL=63 ID=13814 PROTO=TCP SPT=34900 DPT=80 SEQ=292845803
ACK=2369351393 WINDOW=229 ACK PSH RES=0x00 URGP=0
04/13/2015-17:23:06.172247: IN= OUT= SRC=192.168.1.250 DST=192.168.1.254
LEN=60 TOS=0x00 TTL=63 ID=0 PROTO=TCP SPT=80 DPT=34900 SEQ=2369351392
ACK=292845803 WINDOW=14480 SYN ACK RES=0x00 URGP=0
04/13/2015-17:23:14.849031: IN= OUT= SRC=192.168.1.254 DST=192.168.1.250
LEN=200 TOS=0x00 TTL=63 ID=10016 PROTO=TCP SPT=34909 DPT=80 SEQ=2092855804
ACK=2654305631 WINDOW=229 ACK PSH RES=0x00 URGP=0
04/13/2015-17:23:15.972834: IN= OUT= SRC=192.168.1.250 DST=192.168.1.254
LEN=60 TOS=0x00 TTL=63 ID=0 PROTO=TCP SPT=80 DPT=34909 SEQ=2654305630
ACK=2092855804 WINDOW=14480 SYN ACK RES=0x00 URGP=0
04/13/2015-17:23:24.859782: IN= OUT= SRC=192.168.1.254 DST=192.168.1.250
LEN=200 TOS=0x00 TTL=63 ID=37382 PROTO=TCP SPT=34912 DPT=80 SEQ=4239520425
ACK=1204384680 WINDOW=229 ACK PSH RES=0x00 URGP=0
04/13/2015-17:23:26.372347: IN= OUT= SRC=192.168.1.250 DST=192.168.1.254
LEN=60 TOS=0x00 TTL=63 ID=0 PROTO=TCP SPT=80 DPT=34912 SEQ=1204384679
ACK=4239520425 WINDOW=14480 SYN ACK RES=0x00 URGP=0
04/13/2015-17:23:34.867725: IN= OUT= SRC=192.168.1.254 DST=192.168.1.250
LEN=200 TOS=0x00 TTL=63 ID=20552 PROTO=TCP SPT=34917 DPT=80 SEQ=821639733
ACK=3031914370 WINDOW=229 ACK PSH RES=0x00 URGP=0
04/13/2015-17:23:36.172463: IN= OUT= SRC=192.168.1.250 DST=192.168.1.254
LEN=60 TOS=0x00 TTL=63 ID=0 PROTO=TCP SPT=80 DPT=34917 SEQ=3031914369
ACK=821639733 WINDOW=14480 SYN ACK RES=0x00 URGP=0

==> /var/log/suricata/fast.log <==


04/13/2015-17:23:44.916071 [Drop] [**] [1:2002677:13] ET SCAN Nikto Web App
Scan in Progress [**] [Classification: Web Application Attack] [Priority: 1]
{TCP} 192.168.1.254:34927 -> 192.168.1.250:80

==> /var/log/suricata/drop.log <==


04/13/2015-17:23:44.916071: IN= OUT= SRC=192.168.1.254 DST=192.168.1.250
LEN=201 TOS=0x00 TTL=63 ID=37617 PROTO=TCP SPT=34927 DPT=80 SEQ=2943871269
ACK=1547692160 WINDOW=262 ACK PSH RES=0x00 URGP=0
04/13/2015-17:23:48.076577: IN= OUT= SRC=192.168.1.250 DST=192.168.1.254
LEN=580 TOS=0x00 TTL=63 ID=4861 PROTO=TCP SPT=80 DPT=34927 SEQ=1547691632
ACK=2943871269 WINDOW=2346 ACK PSH RES=0x00 URGP=0
04/13/2015-17:23:54.927989: IN= OUT= SRC=192.168.1.254 DST=192.168.1.250
LEN=201 TOS=0x00 TTL=63 ID=4771 PROTO=TCP SPT=34930 DPT=80 SEQ=1683975337
ACK=473377258 WINDOW=229 ACK PSH RES=0x00 URGP=0
04/13/2015-17:23:56.172266: IN= OUT= SRC=192.168.1.250 DST=192.168.1.254
LEN=60 TOS=0x00 TTL=63 ID=0 PROTO=TCP SPT=80 DPT=34930 SEQ=473377257
ACK=1683975337 WINDOW=14480 SYN ACK RES=0x00 URGP=0
04/13/2015-17:24:04.939915: IN= OUT= SRC=192.168.1.254 DST=192.168.1.250
LEN=200 TOS=0x00 TTL=63 ID=27939 PROTO=TCP SPT=34933 DPT=80 SEQ=539880178
ACK=2700461480 WINDOW=229 ACK PSH RES=0x00 URGP=0
04/13/2015-17:24:06.372664: IN= OUT= SRC=192.168.1.250 DST=192.168.1.254
LEN=60 TOS=0x00 TTL=63 ID=0 PROTO=TCP SPT=80 DPT=34933 SEQ=2700461479
ACK=539880178 WINDOW=14480 SYN ACK RES=0x00 URGP=0

In fast.log the [Drop] prefix shows that the signature matched with action drop, so the packet was discarded instead of being forwarded to the Apache server. The same signature is logged only about once a minute per source here (the entries are 60 seconds apart) because the rule is rate-limited by a threshold, while drop.log records every packet Suricata dropped, in the same style as the iptables LOG target (SRC, DST, ports, TCP flags); drop.log is therefore the file to use when counting what was actually blocked.

If we check the Apache access log now, far fewer requests reach the server than before, when the scan ran without the IPS.

tail -f /var/log/apache2/access.log
192.168.1.252 - - [13/Apr/2015:17:22:45 -0300] "GET /PIzR7b1c.el HTTP/1.1"
404 527 "-" "Mozilla/4.75 (Nikto/2.1.4) (Evasions:None) (Test:map_codes)"
192.168.1.252 - - [13/Apr/2015:17:22:45 -0300] "GET /PIzR7b1c.axd HTTP/1.1"
404 528 "-" "Mozilla/4.75 (Nikto/2.1.4) (Evasions:None) (Test:map_codes)"
192.168.1.252 - - [13/Apr/2015:17:23:45 -0300] "GET /PIzR7b1c.jse HTTP/1.1"
404 529 "-" "Mozilla/4.75 (Nikto/2.1.4) (Evasions:None) (Test:map_codes)"
192.168.1.252 - - [13/Apr/2015:17:23:45 -0300] "GET /PIzR7b1c.tmp HTTP/1.1"
404 528 "-" "Mozilla/4.75 (Nikto/2.1.4) (Evasions:None) (Test:map_codes)"
192.168.1.252 - - [13/Apr/2015:17:23:45 -0300] "GET /PIzR7b1c.dpgs HTTP/1.1"
404 529 "-" "Mozilla/4.75 (Nikto/2.1.4) (Evasions:None) (Test:map_codes)"
192.168.1.252 - - [13/Apr/2015:17:23:45 -0300] "GET /PIzR7b1c.mdb HTTP/1.1"
404 528 "-" "Mozilla/4.75 (Nikto/2.1.4) (Evasions:None) (Test:map_codes)"
192.168.1.252 - - [13/Apr/2015:17:24:46 -0300] "GET /PIzR7b1c.shtml
HTTP/1.1" 404 531 "-" "Mozilla/4.75 (Nikto/2.1.4) (Evasions:None)
(Test:map_codes)"
192.168.1.252 - - [13/Apr/2015:17:24:46 -0300] "GET /PIzR7b1c.cfg HTTP/1.1"
404 528 "-" "Mozilla/4.75 (Nikto/2.1.4) (Evasions:None) (Test:map_codes)"
192.168.1.252 - - [13/Apr/2015:17:24:46 -0300] "GET /PIzR7b1c.bas:ShowVolume
HTTP/1.1" 404 539 "-" "Mozilla/4.75 (Nikto/2.1.4) (Evasions:None)
(Test:map_codes)"
192.168.1.252 - - [13/Apr/2015:17:24:46 -0300] "GET /PIzR7b1c.chl+ HTTP/1.1"
404 529 "-" "Mozilla/4.75 (Nikto/2.1.4) (Evasions:None) (Test:map_codes)"
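
As an added example that is not part of the original page, the following Python script parses both log formats: fast.log, one line per alert, where the leading [Drop] marks alerts whose rule action was drop, and drop.log, one line per dropped packet in iptables-LOG style key=value fields. It reports which signatures are dropping which sources and how many packets each source lost, which is the first thing to look at when a drop rule starts hitting legitimate traffic. The sample lines are constructed for the example: the [Drop] and drop.log lines mirror entries shown above, while the alert-only line and its sid 9000001 are invented; the function names are mine.

```python
"""Summarise Suricata IPS activity from fast.log and drop.log.

Added example: fast.log has one line per alert, prefixed with [Drop] when
the rule's action was drop; drop.log has one line per packet Suricata
dropped, in iptables-LOG style key=value fields.  Parsing both shows which
signatures are blocking which sources, and how many packets each lost.
"""
import re
from collections import Counter

FAST_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?:\[(?P<action>\w+)\]\s+)?\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"\[Classification:\s*(?P<cls>[^\]]*)\]\s+\[Priority:\s*(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>\w+)\}\s+(?P<src>\S+?)(?::(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>\S+?)(?::(?P<dport>\d+))?$"
)


def parse_fast(line):
    """Parse one fast.log line into a dict, or None if it is not an alert line."""
    m = FAST_RE.match(line.strip())
    return m.groupdict() if m else None


def parse_drop(line):
    """Parse one drop.log line: timestamp, key=value fields and bare TCP flags."""
    ts, sep, rest = line.strip().partition(": ")
    if not sep:
        return None
    rec = {"ts": ts, "flags": []}
    for tok in rest.split():
        key, eq, val = tok.partition("=")
        if eq:
            rec[key] = val            # e.g. SRC=192.168.1.254, SPT=34840
        else:
            rec["flags"].append(tok)  # e.g. SYN, ACK, PSH
    return rec


def summarize(fast_text, drop_text):
    """Count drops per signature and per source, plus alert-only hits."""
    drops_by_sig, drops_by_src, alerts_only = Counter(), Counter(), Counter()
    for line in fast_text.splitlines():
        ev = parse_fast(line)
        if ev is None:
            continue
        key = (int(ev["sid"]), ev["msg"])
        if ev["action"] == "Drop":
            drops_by_sig[key] += 1
            drops_by_src[ev["src"]] += 1
        else:
            alerts_only[key] += 1
    dropped_pkts_by_src = Counter()
    for line in drop_text.splitlines():
        rec = parse_drop(line)
        if rec is not None and "SRC" in rec:
            dropped_pkts_by_src[rec["SRC"]] += 1
    return {"drops_by_sig": drops_by_sig, "drops_by_src": drops_by_src,
            "alerts_only": alerts_only, "dropped_pkts_by_src": dropped_pkts_by_src}


# Constructed samples: the [Drop] and drop.log lines mirror entries shown on
# the page; the alert-only line (sid 9000001) is invented for the example.
FAST_SAMPLE = """\
04/13/2015-17:21:44.772236 [Drop] [**] [1:2002677:13] ET SCAN Nikto Web App Scan in Progress [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 192.168.1.254:34840 -> 192.168.1.250:80
04/13/2015-17:22:44.827179 [Drop] [**] [1:2002677:13] ET SCAN Nikto Web App Scan in Progress [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 192.168.1.254:34894 -> 192.168.1.250:80
04/13/2015-17:22:50.000000  [**] [1:9000001:1] SAMPLE alert-only rule [**] [Classification: Misc activity] [Priority: 3] {TCP} 192.168.1.200:40000 -> 192.168.1.250:80
"""
DROP_SAMPLE = """\
04/13/2015-17:21:44.772236: IN= OUT= SRC=192.168.1.254 DST=192.168.1.250 LEN=200 TOS=0x00 TTL=63 ID=7455 PROTO=TCP SPT=34840 DPT=80 SEQ=812639632 ACK=3464940515 WINDOW=262 ACK PSH RES=0x00 URGP=0
04/13/2015-17:21:47.918031: IN= OUT= SRC=192.168.1.250 DST=192.168.1.254 LEN=586 TOS=0x00 TTL=63 ID=47579 PROTO=TCP SPT=80 DPT=34840 SEQ=3464939981 ACK=812639632 WINDOW=2346 ACK PSH RES=0x00 URGP=0
04/13/2015-17:21:55.772148: IN= OUT= SRC=192.168.1.250 DST=192.168.1.254 LEN=60 TOS=0x00 TTL=63 ID=0 PROTO=TCP SPT=80 DPT=34845 SEQ=3348384628 ACK=1536905794 WINDOW=14480 SYN ACK RES=0x00 URGP=0
"""

if __name__ == "__main__":
    # On the Suricata host use the real files instead of the samples:
    # summarize(open("/var/log/suricata/fast.log").read(),
    #           open("/var/log/suricata/drop.log").read())
    s = summarize(FAST_SAMPLE, DROP_SAMPLE)
    for (sid, msg), n in s["drops_by_sig"].most_common():
        print("drop  sid=%d  hits=%d  %s" % (sid, n, msg))
    for src, n in s["dropped_pkts_by_src"].most_common():
        print("dropped packets from %s: %d" % (src, n))
```

Note that drop.log counts packets in both directions: the sample contains replies from the Apache server (SRC=192.168.1.250) that were dropped as part of the blocked flow, so a server address showing up there does not mean the server is attacking anything.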

Testing a SYN flood (DoS)

Note: be aware that a flood at this rate can overwhelm the switch or router in between, so run it only in an isolated lab network.

We can test a SYN flood against the web port with the following command

t50 192.168.1.252 --flood -S --turbo --dport 80

or we can use the following command

hping3 -S 192.168.1.252 -p 80 --flood

Installing and Configuring the Barnyard2

Barnyard2 reads Suricata's unified2 output and feeds the Snorby database with the alerts. It has to be installed on the Suricata server, and it needs the unified2-alert output to be enabled in suricata.yaml, since those are the files it reads.

We need to fetch the tarball and decompress it. The tarball comes over plain HTTP from a mirror, so compare it with the upstream Barnyard2 release before building it.

cd /usr/src
wget -c http://wiki.douglasqsantos.com.br/Downloads/ips/barnyard2-1.9.tar.gz
tar -zxf barnyard2-1.9.tar.gz && cd barnyard2-1.9

Now we need to configure the package to build with MySQL support

./configure --with-mysql --with-mysql-libraries=/usr/lib/x86_64-linux-gnu/ --sysconfdir=/etc/suricata --prefix=/usr --localstatedir=/var

Now let's compile and install it.

make && make install clean

Now we need to create the barnyard log directory like this

mkdir /var/log/barnyard2

Now let's make some changes in the barnyard2 configuration file

vim /etc/suricata/barnyard2.conf
[...]
config reference_file: /etc/suricata/rules/reference.config
config classification_file: /etc/suricata/rules/classification.config
config gen_file: /etc/suricata/rules/gen-msg.map
config sid_file: /etc/suricata/rules/sid-msg.map
[...]
config hostname: ips01
config interface: eth0
[...]
output alert_fast
# Add the line below at the end of the file; change the values if you need to.
# "senha" is a placeholder password: use a strong one, and restrict the
# permissions of this file, since it holds the database credentials in clear text.
output database: log, mysql, user=snorby password=senha dbname=snorby host=192.168.1.251

Now we need to stop the running Suricata

PSU=$(pidof suricata); kill -9 $PSU

Now let's start the Suricata and Barnyard2 daemons. Barnyard2 follows the unified2.alert files in /var/log/suricata and records its read position in the waldo file, so after a restart it resumes where it stopped instead of inserting the alerts twice.

suricata -c /etc/suricata/suricata.yaml -q 0 -D
barnyard2 -c /etc/suricata/barnyard2.conf -d /var/log/suricata -f unified2.alert -w /var/log/suricata/suricata.waldo -D

Configuring the Scripts

Now we need to stop the Suricata and Barnyard2 processes, like this

PSU=$(pidof suricata); kill -9 $PSU
PSU=$(pidof barnyard2); kill -9 $PSU

Now we need to create the SysV init scripts and enable Suricata and Barnyard2 to be launched at boot time.

vim /etc/init.d/suribarn
#!/bin/bash
### BEGIN INIT INFO
# Provides:          suribarn
# Required-Start:    $remote_fs $syslog
# Required-Stop:     $remote_fs $syslog
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
# Short-Description: Bring up/down Suricata and Barnyard2
### END INIT INFO
### Variables used by the script ###
BARNYARD="/usr/bin/barnyard2"
SURICATA="/usr/bin/suricata"
SURICATA_CONF="/etc/suricata/suricata.yaml"
SURICATA_LOG="/var/log/suricata"
BARNYARD_CONF="/etc/suricata/barnyard2.conf"
BARNYARD_ALERT="unified2.alert"
WALDO="/var/log/suricata/suricata.waldo"
KILL="/bin/kill"
RED="\033[01;31m"
GREEN="\033[01;32m"
YELLOW="\033[01;33m"
CLOSE="\033[m"

case $1 in
    start)
        # Suricata must be bound to the NFQUEUE before the firewall starts
        # queueing packets to it; packets queued with no listener are dropped.
        echo -e "${GREEN} Starting Suricata !!! ${CLOSE}"
        ${SURICATA} -c ${SURICATA_CONF} -q 0 -D >> /dev/null
        echo -e "${GREEN} Starting Barnyard2 !!! ${CLOSE}"
        ${BARNYARD} -c ${BARNYARD_CONF} -d ${SURICATA_LOG} -f ${BARNYARD_ALERT} -w ${WALDO} -D >> /dev/null
        ;;
    stop)
        PSU=$(pidof suricata)
        if [ -n "${PSU}" ]; then
            echo -e "${RED} Stopping Suricata !!! ${CLOSE}"
            ${KILL} -9 ${PSU}
        else
            echo -e "${RED} Suricata is not running!!!${CLOSE}"
        fi

        PBA=$(pidof barnyard2)
        if [ -n "${PBA}" ]; then
            echo -e "${RED} Stopping Barnyard2 !!! ${CLOSE}"
            ${KILL} -9 ${PBA}
        else
            echo -e "${RED} Barnyard2 is not running!!!${CLOSE}"
        fi
        ;;
    restart)
        $0 stop
        $0 start
        ;;
    status)
        PSU=$(pidof suricata)
        if [ -n "${PSU}" ]; then
            echo -e "${YELLOW} Suricata is running with PID: ${GREEN} ${PSU} ${CLOSE}"
        else
            echo -e "${RED} Suricata is not running!!!${CLOSE}"
        fi

        PBA=$(pidof barnyard2)
        # Test PBA here (not PSU), otherwise Barnyard2 is reported as running
        # whenever Suricata is.
        if [ -n "${PBA}" ]; then
            echo -e "${YELLOW} Barnyard2 is running with PID: ${GREEN} ${PBA} ${CLOSE}"
        else
            echo -e "${RED} Barnyard2 is not running!!! ${CLOSE}"
        fi
        ;;
    *)
        echo -e "${RED} usage: $0 (start|stop|restart|status) ${CLOSE}"
        ;;
esac

Now we need to give execute permission to our script

chmod +x /etc/init.d/suribarn

Now we need to register the service so that it is launched at boot time.

insserv -f -v suribarn

Now we need to create the directory that will hold the firewall script files, like this

mkdir /etc/firewall

Now let's create the firewall script

vim /etc/init.d/rc.firewall
#!/bin/sh
#-------------------------------------------------#
# Author: Douglas Quintiliano dos Santos
# Date: 14/04/2015
#-------------------------------------------------#
### BEGIN INIT INFO
# Provides:          rc.firewall
# Required-Start:    $remote_fs $syslog suribarn
# Required-Stop:     $remote_fs $syslog
# Default-Start:     2 3 4 5
# Default-Stop:
# Short-Description: Firewall
### END INIT INFO
# suribarn is listed in Required-Start so that Suricata is bound to the
# NFQUEUE before the firewall starts queueing packets to it.

#Load the Variables
. /etc/firewall/variables

case $1 in
    start)
        echo "${GREEN}[ Starting firewall ]${CLOSE}"
        . /etc/firewall/firewall-start
        echo "${GREEN}[ Firewall started ]${CLOSE}"
        ;;
    stop)
        echo "${RED}[ Stopping firewall ... ]${CLOSE}"
        . /etc/firewall/firewall-stop
        echo "${RED}[ Firewall stopped ]${CLOSE}"
        ;;
    restart)
        $0 stop
        $0 start
        ;;
    *)
        echo "${RED}Valid options: (start|stop|restart)${CLOSE}"
        ;;
esac

Now let's create the firewall-start script file

vim /etc/firewall/firewall-start
#Load the Variables
. /etc/firewall/variables

### Loading some modules
${MODPROBE} ip_conntrack
${MODPROBE} ip_conntrack_ftp
${MODPROBE} ip_nat_ftp

### Adjusting some variables
echo 1000000 > /sys/module/nf_conntrack/parameters/hashsize
echo 1 > ${PSNIV4}/tcp_syncookies
echo 1 > ${PSNIV4}/tcp_timestamps
echo 1 > ${PSNIV4}/ip_forward
echo 0 > ${PSNN}/nf_conntrack_tcp_loose
echo 2000000 > ${PSNN}/nf_conntrack_max
for END in ${PSNIV4}/conf/*/rp_filter ; do echo 1 > ${END} ; done
echo 0 > ${PSNIV4}/icmp_echo_ignore_all
echo 1 > ${PSNIV4}/icmp_echo_ignore_broadcasts
for END in ${PSNIV6}/conf/*/disable_ipv6 ; do echo 1 > ${END} ; done
echo 0 > ${PSNN}/nf_conntrack_helper

### Cleaning up the interface (offloads hide the real packets from Suricata)
${ETHTOOL} -K ${INT_LAN} tx off
${ETHTOOL} -K ${INT_LAN} tso off
${ETHTOOL} -K ${INT_LAN} gro off
${ETHTOOL} -K ${INT_LAN} rxvlan off
# ${ETHTOOL} -K ${INT_LAN} txvlan off

### Cleaning up
${IPTABLES} -t filter -F
${IPTABLES} -t filter -X
${IPTABLES} -t nat -F
${IPTABLES} -t nat -X
${IPTABLES} -t raw -F
${IPTABLES} -t raw -X

### ALLOWING LOOPBACK
# Match on the interface rather than on the 127.0.0.1 source address, so that
# a packet arriving on eth0 with a spoofed loopback source cannot use this rule.
${IPTABLES} -A INPUT -i lo -j ACCEPT

### INPUT
${IPTABLES} -P INPUT DROP
${IPTABLES} -t filter -A INPUT -m state --state INVALID -j DROP
${IPTABLES} -A INPUT -f -j DROP
# Replies to connections the host itself opened, inspected by Suricata.
${IPTABLES} -A INPUT -p tcp -m state --state ESTABLISHED,RELATED -j NFQUEUE ${SURICATA}

### Allowing access to SSH (through Suricata)
# Inbound SSH always has --dport ${SSH_PORT}; a --sport ${SSH_PORT} rule in INPUT
# would only match packets an attacker crafts with that source port, so none is added.
${IPTABLES} -t filter -A INPUT -p tcp --dport ${SSH_PORT} -j NFQUEUE ${SURICATA}

### ALLOWING ACCESS FROM LAN
${IPTABLES} -A INPUT -s ${LAN_NETWORK} -j ACCEPT ${COM} "ACCESS FROM LAN"
${IPTABLES} -A OUTPUT -d ${LAN_NETWORK} -j ACCEPT ${COM} "ACCESS FROM LAN"

### NAT
${PRE_EXT} -d ${EXT_F252} ${TCP} --dport ${HTTP_PORT} -j DNAT --to ${APACHE}
${POS_EXT} -s ${LAN_NETWORK} -j MASQUERADE

### FORWARD
${IPTABLES} -P FORWARD DROP
${IPTABLES} -t filter -A FORWARD -m state --state INVALID -j DROP
${IPTABLES} -A FORWARD -f -j DROP
# Both directions of the HTTP flow go through Suricata: new connections are
# matched by destination port, the replies by conntrack state instead of --sport 80.
${IPTABLES} -A FORWARD ${TCP} --dport ${HTTP_PORT} -j NFQUEUE ${SURICATA}
${IPTABLES} -A FORWARD -p tcp -m state --state ESTABLISHED,RELATED -j NFQUEUE ${SURICATA}

Now we need to create the firewall-stop script like this

vim /etc/firewall/firewall-stop
### Loading variables
. /etc/firewall/variables

### Cleaning up the rules


${IPTABLES} -t filter -F
${IPTABLES} -t filter -X
${IPTABLES} -t raw -F
${IPTABLES} -t raw -X
${IPTABLES} -P INPUT ACCEPT
${IPTABLES} -P FORWARD ACCEPT

Now we need to create the variables file

vim /etc/firewall/variables
### Colors used
GREY="\033[01;30m"
RED="\033[01;31m"
GREEN="\033[01;32m"
YELLOW="\033[01;33m"
BLUE="\033[01;34m"
PURPLE="\033[01;35m"
CYAN="\033[01;36m"
WHITE="\033[01;37m"
CLOSE="\033[m"

### sysctl paths for ipv4, ipv6 and netfilter
PSNIV4="/proc/sys/net/ipv4"
PSNIV6="/proc/sys/net/ipv6"
PSNN="/proc/sys/net/netfilter"

## Commands
IPTABLES="/sbin/iptables"
MODPROBE="/sbin/modprobe"
ETHTOOL="/sbin/ethtool"

## NETWORKS
LAN_NETWORK="192.168.1.0/24"

## INTERFACES
INT_LAN="eth0"
INT_WAN="eth0"

## EXTERNAL IP
EXT_F252="192.168.1.252"

## SERVERS
APACHE="192.168.1.250"

## PORTS
BACULA_PORT="9102"
ZABBIX_PORT="10050"
WTS_PORT="3389"
SSH_PORT="22022"
HTTP_PORT="80"
HTTP_PORTS="80,443"
HTTPS_PORT="443"
WEB_PORTS="80,443,3306"
DNS_PORT="53"

## ALIAS
PRE_EXT="${IPTABLES} -t nat -A PREROUTING -i ${INT_WAN} "
POS_EXT="${IPTABLES} -t nat -A POSTROUTING -o ${INT_WAN} "
COM="-m comment --comment"
TCP="-p tcp -m tcp"
UDP="-p udp -m udp"
ICMP="-p icmp --icmp-type"
LIMIT="-m limit --limit"
DMULTIPORT="-m multiport --dports"
SMULTIPORT="-m multiport --sports"
LOG="LOG --log-prefix"
LOG_LEV="--log-level info"
SURICATA="--queue-num 0"

Now we need to give execute permission to our script, like this

chmod +x /etc/init.d/rc.firewall

Now we need to enable our new service, like this

insserv -f -v rc.firewall

Note: be aware that when you start the service your current SSH session will be cut, because from then on every connection to the SSH port has to pass through Suricata; reconnect once the firewall is up. Also start Suricata (the suribarn service) before the firewall: packets sent to an NFQUEUE that no process is bound to are dropped by the kernel, so starting rc.firewall first blackholes the SSH and HTTP traffic until Suricata binds queue 0.

Now we need to start the service, like this

/etc/init.d/rc.firewall restart

Sample FW

Here is a sample taken from a production firewall that uses the same layout, with eno2 as the WAN interface and Suricata on queue 0. Read it with two things in mind: several INPUT rules accept traffic by source port (DNS, HTTP and FTP), which means any packet crafted with one of those source ports reaches the host as long as no Suricata rule fires, so on a new deployment use conntrack state rules for reply traffic instead; and the DEV/WTS forward exposes RDP on the WAN to any source, so it should be limited with -s to the addresses that need it.

Let's take a look at variables

vim /etc/firewall/variables
### VARIABLES

### PATH
PSNI="/proc/sys/net/ipv4"
PSNN="/proc/sys/net/netfilter"

### COMMANDS
MODPROBE="/sbin/modprobe"
ETHTOOL="/sbin/ethtool"
IPTABLES="/sbin/iptables"

### NETWORKS
LAN_NETWORK="10.23.0.0/24"

### SERVERS
ZABBIX="10.23.0.117"
BACULA="10.23.0.198"
WAPP01="10.23.0.247"
KACE_INT="172.33.0.194"
KACE_EXT="200.200.200.34"
EXT_FTP01="200.200.200.46"
DMZ_FTP01="10.23.0.147"
DMZ_FTP02="10.23.0.246"
DMZ_HTTP01="10.23.0.143"
DMZ_HTTP02="10.23.0.247"

## EXTERNAL IP
EXT_F10="177.177.177.10"
EXT_F14="177.177.177.14"

### PORTS
BACULA_PORT="9102"
ZABBIX_PORT="10050"
DEV_PORT="2000"
WTS_PORT="3389"
SSH_PORT="22022"
VOIP_TCP_PORTS="5060:5061"
VOIP_UDP_PORTS="5040:5081,10000:20000"
KACE_PORTS="80,139,443,445,52230"
FTP_PORTS="20,21,12000:12100"
HTTP_PORT="80"
HTTP_PORTS="80,443"
HTTPS_PORT="443"
WEB_PORTS="80,443,3306"
DNS_PORT="53"

### ALIAS
PRE_EXT="${IPTABLES} -t nat -A PREROUTING -i eno2 "
POS_EXT="${IPTABLES} -t nat -A POSTROUTING -o eno2 "
COM="-m comment --comment"
TCP="-p tcp -m tcp"
UDP="-p udp -m udp"
ICMP="-p icmp --icmp-type"
LIMIT="-m limit --limit"
DMULTIPORT="-m multiport --dports"
SMULTIPORT="-m multiport --sports"
LOG="LOG --log-prefix"
LOG_LEV="--log-level info"
SURICATA="--queue-num 0"

Let's take a look at firewall-start

vim /etc/firewall/firewall-start
#!/bin/bash
### Loading variables
. /etc/firewall/variables

### Loading some modules


${MODPROBE} ip_conntrack
${MODPROBE} ip_conntrack_ftp
${MODPROBE} ip_nat_ftp

### Adjusting some variables


echo 1000000 > /sys/module/nf_conntrack/parameters/hashsize
echo 1 > ${PSNI}/tcp_syncookies
echo 1 > ${PSNI}/tcp_timestamps
echo 1 > ${PSNI}/ip_forward
echo 0 > ${PSNN}/nf_conntrack_tcp_loose
echo 2000000 > ${PSNN}/nf_conntrack_max
for END in ${PSNI}/conf/*/rp_filter ; do echo 1 > ${END} ; done
echo 0 > ${PSNI}/icmp_echo_ignore_all
echo 1 > ${PSNI}/icmp_echo_ignore_broadcasts
PSNI=/proc/sys/net/ipv6
for END in ${PSNI}/conf/*/disable_ipv6 ; do echo 1 > ${END} ; done
## Leave automatic helper assignment on: with nf_conntrack_helper=0 the FTP
## helper is not applied, NAT does not work properly and FTP breaks in
## Explorer or Nautilus.
#echo 0 > ${PSNN}/nf_conntrack_helper

### Cleaning up the interface

${ETHTOOL} -K eno1 tx off
${ETHTOOL} -K eno1 tso off
${ETHTOOL} -K eno1 gro off
${ETHTOOL} -K eno1 rxvlan off
${ETHTOOL} -K eno1 txvlan off

${ETHTOOL} -K eno2 tx off
${ETHTOOL} -K eno2 tso off
${ETHTOOL} -K eno2 gro off
${ETHTOOL} -K eno2 rxvlan off
${ETHTOOL} -K eno2 txvlan off

### Cleaning up
${IPTABLES} -t filter -F
${IPTABLES} -t filter -X
${IPTABLES} -t nat -F
${IPTABLES} -t nat -X
${IPTABLES} -t raw -F
${IPTABLES} -t raw -X

### ALLOWING LOOPBACK


${IPTABLES} -A INPUT -s 127.0.0.1/32 -j ACCEPT

## Giving priority to VoIP: mark all UDP with DSCP class EF
${IPTABLES} -t mangle -A OUTPUT -p udp -j DSCP --set-dscp-class EF
${IPTABLES} -t mangle -A FORWARD -p udp -j DSCP --set-dscp-class EF

### INPUT
${IPTABLES} -P INPUT DROP
${IPTABLES} -t filter -A INPUT -m state --state INVALID -j DROP
${IPTABLES} -A INPUT -f -j DROP
${IPTABLES} -A INPUT -p tcp -m state --state ESTABLISHED,RELATED -j NFQUEUE ${SURICATA}

### FORWARD
${IPTABLES} -P FORWARD DROP
${IPTABLES} -t filter -A FORWARD -m state --state INVALID -j DROP
${IPTABLES} -A FORWARD -f -j DROP
${IPTABLES} -A FORWARD -p tcp -m state --state ESTABLISHED,RELATED -j NFQUEUE ${SURICATA}

### Allowing access to SSH
${IPTABLES} -t filter -A INPUT -p tcp --dport ${SSH_PORT} -j NFQUEUE ${SURICATA}
${IPTABLES} -t filter -A INPUT -p tcp --sport ${SSH_PORT} -j NFQUEUE ${SURICATA}

### DEV ACCESS TO WTS
${PRE_EXT} -d ${EXT_F10} -p tcp --dport ${DEV_PORT} -j DNAT --to ${WAPP01}:${WTS_PORT} ${COM} "Joel access to WTS"
${POS_EXT} -d ${WAPP01} ${TCP} --dport ${WTS_PORT} -j SNAT --to ${EXT_F10}:${DEV_PORT} ${COM} "Joel access to WTS"
${IPTABLES} -t filter -A FORWARD ${TCP} ${SMULTIPORT} ${DEV_PORT},${WTS_PORT} -j NFQUEUE ${SURICATA}
${IPTABLES} -t filter -A FORWARD ${TCP} ${DMULTIPORT} ${DEV_PORT},${WTS_PORT} -j NFQUEUE ${SURICATA}

### ALLOWING VOIP
${IPTABLES} -A FORWARD ${TCP} ${DMULTIPORT} ${VOIP_TCP_PORTS} -j NFQUEUE ${SURICATA}
${IPTABLES} -A FORWARD ${TCP} ${SMULTIPORT} ${VOIP_TCP_PORTS} -j NFQUEUE ${SURICATA}
${IPTABLES} -A FORWARD ${UDP} ${DMULTIPORT} ${VOIP_UDP_PORTS} -j NFQUEUE ${SURICATA}
${IPTABLES} -A FORWARD ${UDP} ${SMULTIPORT} ${VOIP_UDP_PORTS} -j NFQUEUE ${SURICATA}

### ALLOWING KACE
${IPTABLES} -A FORWARD -s ${LAN_NETWORK} -d ${KACE_INT} ${TCP} ${DMULTIPORT} ${KACE_PORTS} -j NFQUEUE ${SURICATA}
${IPTABLES} -A FORWARD -s ${LAN_NETWORK} -d ${KACE_INT} ${TCP} ${SMULTIPORT} ${KACE_PORTS} -j NFQUEUE ${SURICATA}
${IPTABLES} -A FORWARD -s ${LAN_NETWORK} -d ${KACE_EXT} ${TCP} ${DMULTIPORT} ${KACE_PORTS} -j NFQUEUE ${SURICATA}
${IPTABLES} -A FORWARD -s ${LAN_NETWORK} -d ${KACE_EXT} ${TCP} ${SMULTIPORT} ${KACE_PORTS} -j NFQUEUE ${SURICATA}

### ALLOWING ZABBIX
${IPTABLES} -A INPUT ${TCP} --dport ${ZABBIX_PORT} -s ${ZABBIX} -j NFQUEUE ${SURICATA}
${IPTABLES} -A OUTPUT ${TCP} --sport ${ZABBIX_PORT} -d ${ZABBIX} -j NFQUEUE ${SURICATA}

### ALLOWING BACULA
${IPTABLES} -A INPUT ${TCP} --dport ${BACULA_PORT} -s ${BACULA} -j NFQUEUE ${SURICATA}
${IPTABLES} -A OUTPUT ${TCP} --sport ${BACULA_PORT} -d ${BACULA} -j NFQUEUE ${SURICATA}

### ALLOWING FTP


${IPTABLES} -A FORWARD -d ${EXT_FTP01} -j NFQUEUE ${SURICATA}
${IPTABLES} -A FORWARD -s ${EXT_FTP01} -j NFQUEUE ${SURICATA}

### ALLOWING FTP 2
${PRE_EXT} -d ${EXT_F10} ${TCP} ${DMULTIPORT} ${FTP_PORTS} -j DNAT --to ${DMZ_FTP01} ${COM} "FTP VARIAVEIS"
${IPTABLES} -A FORWARD -s ${DMZ_FTP01} -j NFQUEUE ${SURICATA}
${IPTABLES} -A FORWARD -d ${DMZ_FTP01} -j NFQUEUE ${SURICATA}
${POS_EXT} -s ${DMZ_FTP01} ${TCP} ${SMULTIPORT} ${FTP_PORTS} -j SNAT --to ${EXT_F10} ${COM} "FTP VARIAVEIS"
${POS_EXT} -s ${DMZ_FTP01} ${TCP} ${DMULTIPORT} ${FTP_PORTS} -j SNAT --to ${EXT_F10} ${COM} "FTP VARIAVEIS"

### ALLOWING FTP 3
${PRE_EXT} -d ${EXT_F14} ${TCP} ${DMULTIPORT} ${FTP_PORTS} -j DNAT --to ${DMZ_FTP02} ${COM} "FTP EDUCACIONAL VARIAVEIS"
${IPTABLES} -A FORWARD -s ${DMZ_FTP02} -j NFQUEUE ${SURICATA}
# Traffic towards the FTP server matches on -d (the line above covers -s).
${IPTABLES} -A FORWARD -d ${DMZ_FTP02} -j NFQUEUE ${SURICATA}
${POS_EXT} -s ${DMZ_FTP02} ${TCP} ${SMULTIPORT} ${FTP_PORTS} -j SNAT --to ${EXT_F14} ${COM} "FTP EDUCACIONAL VARIAVEIS"
${POS_EXT} -s ${DMZ_FTP02} ${TCP} ${DMULTIPORT} ${FTP_PORTS} -j SNAT --to ${EXT_F14} ${COM} "FTP EDUCACIONAL VARIAVEIS"

### ALLOWING HTTP


${PRE_EXT} -d ${EXT_F14} ${TCP} ${DMULTIPORT} ${HTTP_PORTS} -j DNAT --to ${DMZ_HTTP02} ${COM} "GABARITOS EDUCACIONAL"
${POS_EXT} -s ${DMZ_HTTP02} ${TCP} ${DMULTIPORT} ${HTTP_PORTS} -j SNAT --to ${EXT_F14} ${COM} "GABARITOS EDUCACIONAL"
${IPTABLES} -A FORWARD -s ${DMZ_HTTP02} ${TCP} ${DMULTIPORT} ${HTTP_PORTS} -j NFQUEUE ${SURICATA}
${IPTABLES} -A FORWARD -d ${DMZ_HTTP02} ${TCP} ${SMULTIPORT} ${HTTP_PORTS} -j NFQUEUE ${SURICATA}

### ALLOWING HTTP2


${PRE_EXT} -d ${EXT_F10} ${TCP} ${DMULTIPORT} ${HTTP_PORTS} -j DNAT --to ${DMZ_HTTP01} ${COM} "WEB 2VIA"
${POS_EXT} -s ${DMZ_HTTP01} ${TCP} ${DMULTIPORT} ${HTTP_PORTS} -j SNAT --to ${EXT_F10} ${COM} "WEB 2VIA"
${IPTABLES} -A FORWARD -s ${DMZ_HTTP01} ${TCP} ${DMULTIPORT} ${HTTP_PORTS} -j NFQUEUE ${SURICATA}
${IPTABLES} -A FORWARD -d ${DMZ_HTTP01} ${TCP} ${SMULTIPORT} ${HTTP_PORTS} -j NFQUEUE ${SURICATA}

### ALLOWING ACCESS FROM LAN


${IPTABLES} -A INPUT -s ${LAN_NETWORK} -j ACCEPT ${COM} "ACCESS FROM LAN"
${IPTABLES} -A OUTPUT -d ${LAN_NETWORK} -j ACCEPT ${COM} "ACCESS FROM LAN"

### ALLOWING DNS QUERY


${IPTABLES} -A INPUT ${TCP} --sport ${DNS_PORT} -j NFQUEUE ${SURICATA}
${IPTABLES} -A INPUT ${UDP} --sport ${DNS_PORT} -j NFQUEUE ${SURICATA}
${IPTABLES} -A FORWARD ${TCP} --dport ${DNS_PORT} -j NFQUEUE ${SURICATA}
${IPTABLES} -A FORWARD ${TCP} --sport ${DNS_PORT} -j NFQUEUE ${SURICATA}
${IPTABLES} -A FORWARD ${UDP} --sport ${DNS_PORT} -j NFQUEUE ${SURICATA}
${IPTABLES} -A FORWARD ${UDP} --dport ${DNS_PORT} -j NFQUEUE ${SURICATA}

### ALLOWING HTTP AND FTP ACCESS


${IPTABLES} -A INPUT ${TCP} ${SMULTIPORT} ${HTTP_PORTS} -j NFQUEUE ${SURICATA}
${IPTABLES} -A INPUT ${TCP} ${DMULTIPORT} ${HTTP_PORTS} -j NFQUEUE ${SURICATA}
${IPTABLES} -A FORWARD ${TCP} ${SMULTIPORT} ${HTTP_PORTS} -j NFQUEUE ${SURICATA}
${IPTABLES} -A FORWARD ${TCP} ${DMULTIPORT} ${HTTP_PORTS} -j NFQUEUE ${SURICATA}
${IPTABLES} -A INPUT ${TCP} ${SMULTIPORT} ${FTP_PORTS} -j NFQUEUE ${SURICATA}
${IPTABLES} -A INPUT ${TCP} ${DMULTIPORT} ${FTP_PORTS} -j NFQUEUE ${SURICATA}
${IPTABLES} -A FORWARD ${TCP} ${SMULTIPORT} ${FTP_PORTS} -j NFQUEUE ${SURICATA}
${IPTABLES} -A FORWARD ${TCP} ${DMULTIPORT} ${FTP_PORTS} -j NFQUEUE ${SURICATA}

### ALLOWING ICMP


${IPTABLES} -A INPUT ${ICMP} 0 ${LIMIT} 1/s -j NFQUEUE ${SURICATA}
${IPTABLES} -A INPUT ${ICMP} 8 ${LIMIT} 1/s -j NFQUEUE ${SURICATA}
${IPTABLES} -A FORWARD ${ICMP} 0 ${LIMIT} 1/s -j NFQUEUE ${SURICATA}
${IPTABLES} -A FORWARD ${ICMP} 8 ${LIMIT} 1/s -j NFQUEUE ${SURICATA}

### MASQUERADE
${IPTABLES} -t nat -A POSTROUTING -s ${LAN_NETWORK} -j MASQUERADE
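As an added check that is not part of the wiki's firewall scripts: a small POSIX shell audit that reads an `iptables-save` style dump of a ruleset built like the one above and reports FORWARD rules whose target is not NFQUEUE (traffic Suricata never sees), rules listed twice (the usual copy-paste slip when a -s/-d pair was intended), and NFQUEUE rules carrying `--queue-bypass`, which behave like ACCEPT when no Suricata process is bound to the queue, whereas without it queued packets are dropped while Suricata is down. The sample dump, its addresses and the queue number are constructed for the example.

```shell
#!/bin/sh
# Audit an iptables-save dump of a Suricata/NFQUEUE ruleset (added example).
# Constructed sample, not the wiki's firewall: one FORWARD rule ACCEPTs around
# Suricata, one rule is duplicated, one NFQUEUE rule uses --queue-bypass.
SAMPLE_RULES='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -s 192.168.10.0/24 -j ACCEPT
-A FORWARD -s 10.10.0.21/32 -j NFQUEUE --queue-num 0
-A FORWARD -d 10.10.0.21/32 -j NFQUEUE --queue-num 0
-A FORWARD -s 10.10.0.21/32 -j NFQUEUE --queue-num 0
-A FORWARD -d 10.10.0.22/32 -p tcp -m multiport --dports 80,443 -j ACCEPT
-A FORWARD -p udp -m udp --dport 53 -j NFQUEUE --queue-num 0 --queue-bypass
COMMIT'

# FORWARD rules whose target is anything but NFQUEUE: that traffic is never
# inspected by Suricata, which in an IPS build is usually a mistake.
forward_bypass_rules() {
    printf '%s\n' "$1" | awk '$1 == "-A" && $2 == "FORWARD" {
        for (i = 3; i <= NF; i++)
            if ($i == "-j") { if ($(i + 1) != "NFQUEUE") print; break }
    }'
}

# Exact duplicate rules, usually a copy-paste slip hiding a missing -d or -s.
duplicate_rules() {
    printf '%s\n' "$1" | awk '/^-A / { c[$0]++ } END { for (r in c) if (c[r] > 1) print r }'
}

# NFQUEUE rules with --queue-bypass. Without it, queued packets are dropped
# while Suricata is not running (fail closed); with it they are accepted
# uninspected (fail open). Either way it should be a deliberate choice.
count_fail_open() {
    printf '%s\n' "$1" | awk '/-j NFQUEUE/ && /--queue-bypass/ { n++ } END { print n + 0 }'
}

# Exit 0 only when every FORWARD rule goes to Suricata and nothing is duplicated.
audit_ruleset() {
    [ -z "$(forward_bypass_rules "$1")" ] && [ -z "$(duplicate_rules "$1")" ]
}

# On a live box:  audit_ruleset "$(iptables-save -t filter)"
if ! audit_ruleset "$SAMPLE_RULES"; then
    echo "rules bypassing Suricata:"; forward_bypass_rules "$SAMPLE_RULES"
    echo "duplicate rules:"; duplicate_rules "$SAMPLE_RULES"
fi
echo "fail-open NFQUEUE rules: $(count_fail_open "$SAMPLE_RULES")"
```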

Let's take a look at firewall-stop

cat /etc/firewall/firewall-stop
#!/bin/bash
### Loading variables
. /etc/firewall/variables

### Cleaning up the rules
${IPTABLES} -t filter -F
${IPTABLES} -t filter -X
### firewall-start also adds DNAT/SNAT/MASQUERADE rules, so flush nat as well
${IPTABLES} -t nat -F
${IPTABLES} -t nat -X
${IPTABLES} -t raw -F
${IPTABLES} -t raw -X
### Back to an open policy once the rules are gone
${IPTABLES} -P INPUT ACCEPT
${IPTABLES} -P FORWARD ACCEPT
${IPTABLES} -P OUTPUT ACCEPT

Here we have the rules with some fixes: http://wiki.douglasqsantos.com.br/Downloads/ips/rules.tar.xz


From: http://wiki.douglasqsantos.com.br/ - DQS CONSULTORIA E TREINAMENTOS
Permanent link: http://wiki.douglasqsantos.com.br/doku.php/installing_and_configuring_suricata_on_debian_wheezy_en
Last update: 2017/09/05 12:18
