Binatang Suricata |
Oke, kalo setuju bahwa Suricata memang menggemaskan, maka mari kita coba install Suricata.
Yang pertama kita install dulu pre-requisite nya.
saya@kumputersaya:~#sudo apt-get install libpcap-dev libpcap0.8 libpcap0.8-dev coccinelle libmagic-dev \
>libjansson4 libjansson-dev python-simplejson libdumbnet-dev libnfnetlink-dev libnfnetlink0 \
>ibnetfilter-queue-dev libgnetfilter-log-dev libprelude-dev liblua5.2-dev libua5.1-0 liblua5.1-0-dev
Kemudian kita ambil source suricata 2.1 beta 4 (terakhir per 21 Agustus 2015).>libjansson4 libjansson-dev python-simplejson libdumbnet-dev libnfnetlink-dev libnfnetlink0 \
>ibnetfilter-queue-dev libgnetfilter-log-dev libprelude-dev liblua5.2-dev libua5.1-0 liblua5.1-0-dev
saya@kumputersaya:~#mkdir scata
saya@kumputersaya:~#cd scata
saya@kumputersaya:scata#wget http://www.openinfosecfoundation.org/download/suricata-2.1beta4.tar.gz
..
--2015-08-21 11:00:00-- (try: 2) http://www.openinfosecfoundation.org/download/suricata-2.1beta4.tar.gz
Connecting to www.openinfosecfoundation.org (www.openinfosecfoundation.org)|96.43.130.5|:80... connected.
HTTP request sent, awaiting response... 206 Partial Content
Length: 3232615 (3.1M), 619367 (605K) remaining [application/x-gzip]
Saving to: ‘suricata-2.1beta4.tar.gz’
100%[++++++++++++++++++++++++++++++=============>] 3,232,615 125KB/s in 5.5s
saya@kumputersaya:~#cd scata
saya@kumputersaya:scata#wget http://www.openinfosecfoundation.org/download/suricata-2.1beta4.tar.gz
..
--2015-08-21 11:00:00-- (try: 2) http://www.openinfosecfoundation.org/download/suricata-2.1beta4.tar.gz
Connecting to www.openinfosecfoundation.org (www.openinfosecfoundation.org)|96.43.130.5|:80... connected.
HTTP request sent, awaiting response... 206 Partial Content
Length: 3232615 (3.1M), 619367 (605K) remaining [application/x-gzip]
Saving to: ‘suricata-2.1beta4.tar.gz’
100%[++++++++++++++++++++++++++++++=============>] 3,232,615 125KB/s in 5.5s
Kemudian kita extract
saya@kumputer:scata#tar -xzvf suricata-2.1beta4.tar.gz
..
..
..
..
suricata-2.1beta4/contrib/file_processor/Processor/Malwr.pm
suricata-2.1beta4/contrib/file_processor/Processor/ThreatExpert.pm
suricata-2.1beta4/contrib/file_processor/Processor/Makefile.in
suricata-2.1beta4/contrib/file_processor/Processor/Anubis.pm
suricata-2.1beta4/contrib/file_processor/Processor/ShadowServer.pm
suricata-2.1beta4/contrib/file_processor/Processor/Makefile.am
suricata-2.1beta4/contrib/file_processor/Processor/VirusTotal.pm
suricata-2.1beta4/contrib/file_processor/LICENSE
suricata-2.1beta4/contrib/file_processor/Makefile.am
suricata-2.1beta4/contrib/Makefile.in
suricata-2.1beta4/contrib/Makefile.am
suricata-2.1beta4/contrib/suri-graphite
..
..
..
..
suricata-2.1beta4/contrib/file_processor/Processor/Malwr.pm
suricata-2.1beta4/contrib/file_processor/Processor/ThreatExpert.pm
suricata-2.1beta4/contrib/file_processor/Processor/Makefile.in
suricata-2.1beta4/contrib/file_processor/Processor/Anubis.pm
suricata-2.1beta4/contrib/file_processor/Processor/ShadowServer.pm
suricata-2.1beta4/contrib/file_processor/Processor/Makefile.am
suricata-2.1beta4/contrib/file_processor/Processor/VirusTotal.pm
suricata-2.1beta4/contrib/file_processor/LICENSE
suricata-2.1beta4/contrib/file_processor/Makefile.am
suricata-2.1beta4/contrib/Makefile.in
suricata-2.1beta4/contrib/Makefile.am
suricata-2.1beta4/contrib/suri-graphite
Setalah kita ekstrak, kemudian kita lanjut dengan menjalankan ./configure
saya@kumputersaya:scata#cd suricata-2.1beta4
saya@kumputersaya:scata/suricata-2.1beta4#./configure --prefix=/opt/suricatab1 --sysconfdir=/opt/suricatab1/etc --localstatedir=/opt/suricatab1/var --enable-nfqueue --enable-nflog --enable-lua --enable-luajit --enable-unix-socket --enable-prelude
Sorry gak nampilin sampel response nya. Bila konfigurasi telah selesai, langkah bisa dilanjutkan dengan 'make all' dan 'make install-full'
saya@kumputersaya:scata/suricata-2.1beta4#sudo make all
[ :::::
... Tampilan proses/progress dari proses make
::::]
[ :::::
... Tampilan proses/progress dari proses make
::::]
Bila proses make juga tidak mengalami kegagalan maka silakan dilanjtu dengan 'make instll-full'
saya@kumputersaya:scata/suricata-2.1beta4#sudo make install-full
[ :::::
... Tampilan proses/progress dari proses make
::::]
[ :::::
... Tampilan proses/progress dari proses make
::::]
Sebelum menjalankan suricata, maka kita edit terlebih dahulu file konfigurasinya yang terletak di '/opt/suricatab1/etc/suricata' dengan namafile suricata.yaml
Untuk memanfaatkan fitur json maka kita langsung point ke 'eve-log'
- eve-log:
enabled: yes
filetype: syslog #regular|syslog|unix_dgram|unix_stream
filename: eve.json
# the following are valid when type: syslog above
identity: "suricata"
facility: local5
level: Info ## possible levels: Emergency, Alert, Critical,
## Error, Warning, Notice, Info, Debug
types:
- alert:
payload: yes # enable dumping payload in Base64
payload-printable: yes # enable dumping payload in printable (lossy) format
packet: yes # enable dumping of packet (without stream segments)
http: yes # enable dumping of http fields
# HTTP X-Forwarded-For support by adding an extra field or overwriting
# the source or destination IP address (depending on flow direction)
# with the one reported in the X-Forwarded-For HTTP header. This is
# helpful when reviewing alerts for traffic that is being reverse
# or forward proxied.
xff:
enabled: no
# Two operation modes are available, "extra-data" and "overwrite".
mode: extra-data
# Two proxy deployments are supported, "reverse" and "forward". In
# a "reverse" deployment the IP address used is the last one, in a
# "forward" deployment the first IP address is used.
deployment: reverse
# Header name where the actual IP address will be reported, if more
# than one IP address is present, the last IP address will be the
# one taken into consideration.
header: X-Forwarded-For
- http:
extended: yes # enable this for extended logging information
# custom allows additional http fields to be included in eve-log
# the example below adds three additional fields when uncommented
#custom: [Accept-Encoding, Accept-Language, Authorization]
- dns
- tls:
extended: yes # enable this for extended logging information
- files:
force-magic: no # force logging magic on all logged files
force-md5: no # force logging of md5 checksums
#- drop:
# alerts: no # log alerts that caused drops
- smtp
- ssh
# bi-directional flows
#- flow
# uni-directional flows
#- newflow
Sebaiknya output yang lain didisabe ("enable: no") untuk menghemat space pada hardisk. Dan, perhatikan pula bagian yang di-bold. Kita focus ke situ. Kita meng-enable-kan output eve-log dengan target syslog. Syslog dipilih agar event log yang dihasilkan bisa kita redirect ke log server pada mesin lain. Perhatikan juga bahwa kita meng-enable-kan payload baik yang base64 maupun yang printable. Ini penting untuk melakukan analisis.
Setelah semua siap, jalankan dengan perintah ini:
LD_LIBRARY_PATH=/opt/suricatab1/lib /opt/suricatab1/bin/suricata -c /opt/suricatab1/etc/suricata//suricata.yaml -i eth1 -D
-i eth1 bila sniffing mau dilakukan melalui eth1. Pada kasus kami eth1 berasal dari mikrotik yang dimirror dengan kabel trunk dari seluruh vlan yang ada.