Configuration: suricata.yaml (part 2)

Updated 2018-02-26 14:04

This article follows the previous one on the configuration file (part 1) and is the second article explaining the suricata configuration file. The suricata version is 4.0.3.

threading

Suricata is a multi-threaded program: when it runs on a machine with a multi-core CPU it spawns several threads so that multiple network flows are processed at the same time. As introduced in the previous article, suricata is made up of threads, thread-modules and queues, and the thread-modules are divided by function into four kinds: packet acquisition, decoding of packets and application-layer flow information, detection, and output.

  1. The packet acquisition module reads packets from live network traffic or from a file.
  2. The decode stage decodes the packets just acquired. For TCP-based flows this takes three steps: first, the connection information of every flow is tracked; then stream reassembly (stream-assembly) reassembles the completed streams; finally, the data is analysed further according to the application-layer protocol, for example HTTP has a dedicated analysis module.
  3. The detection module inspects the traffic decoded or reassembled in the previous step. Detection can run in several threads, so several packets or flows are inspected at once.
  4. The output module takes all alerts, events and any extra information that needs to be emitted, processes them according to the configuration file and writes them in the configured format.

The figure below shows a typical runmode and illustrates how the modules cooperate; 1, 2, 3 and 4 stand for the four kinds of module:

[figure: cooperation between the four module types in a typical runmode]

The option below selects whether Suricata's threads are pinned to specific CPU cores. With no, threads are not pinned, so the core a given thread runs on may differ from one run to the next; with yes, each configured thread only ever runs on its designated core. Pinning threads to cores raises the CPU cache hit rate, reduces the cost of memory accesses and makes the program run faster:

set-cpu-affinity: no

The figure below explains this clearly. The upper part is the pinned case: the packet acquisition, decode and output modules all run on core 0, and every core has one detect thread, but the detect thread on core 0 has a relatively low priority there and only runs when the other threads on core 0 are idle, so suricata assigns it less detection work and hands that work to the detect threads on the other cores instead. In the unpinned case in the lower part, the operating system decides which core each thread runs on according to the load on each core:

[figure: thread placement with and without CPU affinity]

Users can configure the mapping between threads and CPU cores to suit their own situation; one way of doing so is shown below. The management-, receive-, decode-, stream-, detect-, verdict-, reject- and outputs-set fields are fixed, and each field has three options: cpu, mode and prio. cpu is simply the index of the core(s) the threads run on: a number from 0 to 3, or all; [0,1] means core 0 and core 1, and [1-3] means cores 1, 2 and 3. mode can be "balanced" or "exclusive": balanced means the most suitable core among those listed under cpu is chosen each time, so the decode-cpu-set below may run on core 0 in this time slice and on core 1 in the next; exclusive pins the core, so a thread that starts its first time slice on core 0 stays on core 0 until it ends. prio is the thread's priority on the core: low, medium, high or default. In addition, detect-cpu-set may carry a threads field that sets the number of detect threads directly instead of computing it from the number of CPU cores:

  # Tune cpu affinity of threads. Each family of threads can be bound
  # on specific CPUs.
  #
  # These 2 apply to the all runmodes:
  # management-cpu-set is used for flow timeout handling, counters
  # worker-cpu-set is used for 'worker' threads
  #
  # Additionally, for autofp these apply:
  # receive-cpu-set is used for capture threads
  # verdict-cpu-set is used for IPS verdict threads
  #
  cpu-affinity:
    - management-cpu-set:
        cpu: [ 0 ]  # include only these cpus in affinity settings
    - receive-cpu-set:
        cpu: [ 0 ]  # include only these cpus in affinity settings
    - worker-cpu-set:
        cpu: [ "all" ]
        mode: "exclusive" # run detect threads in these cpus
        # Use explicitely 3 threads and don't compute number by using
        # detect-thread-ratio variable:
        # threads: 3
        prio:
          low: [ 0 ]
          medium: [ "1-2" ]
          high: [ 3 ]
          default: "medium"
    #- verdict-cpu-set:
    #    cpu: [ 0 ]
    #    prio:
    #      default: "high"

The number of detect threads mentioned above can either be set directly or computed from the number of CPU cores; the multiplier for that computation is detect-thread-ratio, which defaults to 1.0. For example, with a 4-core CPU and a detect-thread-ratio of 1.5 there will be 6 detect threads:

detect-thread-ratio: 1.0
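The following Python example, added here and not taken from Suricata's code or documentation, expands the cpu-affinity "cpu" and "prio" syntax shown above (single index, "all", "1-2" ranges, lists of those) into concrete core sets and computes the detect thread count from ncpu and detect-thread-ratio. The function names are this example's own. One assumption: the page only gives the exact case 4 x 1.5 = 6, so the rounding of fractional results (rounded up here) is this example's choice, not a documented Suricata rule.

```python
import math
from typing import Dict, Iterable, Optional, Set, Union

# Value forms that appear under cpu-affinity in suricata.yaml: 0, "all", "1-2", [ 0, "1-2" ]
CpuSpec = Union[int, str, Iterable[Union[int, str]]]


def expand_cpu_set(spec: CpuSpec, ncpu: int) -> Set[int]:
    """Expand a cpu-affinity 'cpu' value into the set of core indices it names.

    Raises ValueError for a reversed range or a core that does not exist on a
    machine with ncpu cores (a silent typo here would pin threads to nothing).
    """
    if isinstance(spec, (int, str)):
        spec = [spec]
    cores: Set[int] = set()
    for item in spec:
        if isinstance(item, int):
            cores.add(item)
        elif item == "all":
            cores.update(range(ncpu))
        elif "-" in item:
            lo, hi = (int(x) for x in item.split("-", 1))
            if lo > hi:
                raise ValueError(f"bad range {item!r}")
            cores.update(range(lo, hi + 1))
        else:
            cores.add(int(item))
    bad = sorted(c for c in cores if c < 0 or c >= ncpu)
    if bad:
        raise ValueError(f"core(s) {bad} do not exist on a {ncpu}-core machine")
    return cores


def detect_threads(ncpu: int, ratio: float = 1.0, threads: Optional[int] = None) -> int:
    """Number of detect threads: an explicit 'threads:' value wins, otherwise
    ncpu * detect-thread-ratio. Assumption (this example's choice): a
    fractional product is rounded up, and there is always at least one thread."""
    if threads is not None:
        if threads < 1:
            raise ValueError("threads must be >= 1")
        return threads
    if ratio <= 0:
        raise ValueError("detect-thread-ratio must be positive")
    return max(1, math.ceil(ncpu * ratio))


def prio_map(prio: Dict[str, CpuSpec], ncpu: int) -> Dict[int, str]:
    """Resolve a 'prio:' block into a per-core priority: a core listed under
    low/medium/high gets that level, every other core gets 'default'."""
    default = prio.get("default", "medium")
    result = {c: str(default) for c in range(ncpu)}
    for level in ("low", "medium", "high"):
        for c in expand_cpu_set(prio.get(level, []), ncpu):
            result[c] = level
    return result


if __name__ == "__main__":
    # Values from the worker-cpu-set block above, on a constructed 4-core machine.
    print(expand_cpu_set(["all"], 4))                       # {0, 1, 2, 3}
    print(expand_cpu_set([0, "1-2"], 4))                    # {0, 1, 2}
    print(detect_threads(4, 1.5))                           # 6
    print(prio_map({"low": [0], "medium": ["1-2"], "high": [3], "default": "medium"}, 4))
```

Running this against a copy of your own cpu-affinity block before deploying it is a cheap way to catch a core index that is out of range for the host, which otherwise only shows up as threads quietly not being pinned.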

IP Defrag

As mentioned when the suricata rules for inspecting the IP header were introduced, the IP protocol can split large data into fragments for transmission and reassemble them at the destination. Suricata has a module called the defragment-engine that tracks fragmented IP packets, reassembles them and passes the result to the subsequent processing modules. Its configuration is simple: max-frags is the maximum number of fragments kept, prealloc says whether some space is preallocated at startup, and timeout is the timeout in seconds. While packets are being tracked and reassembled, the fragments not yet processed stay in memory, so performance suffers if there are too many of them or they are left unprocessed for a long time:

# Defrag settings:

defrag:
  memcap: 32mb
  hash-size: 65536
  trackers: 65535 # number of defragmented flows to follow
  max-frags: 65535 # number of fragments to keep (higher than trackers)
  prealloc: yes
  timeout: 60

Flow and Stream

In suricata, flow configures the options for network flows, while stream is specifically for configuring TCP reassembly.

flow

A flow is a fairly broad concept, similar to a network connection. Suricata uses the five-tuple (protocol, source IP, source port, destination IP, destination port) to decide whether packets in the traffic belong to the same flow:

[figure: packets grouped into a flow by their five-tuple]

Continuously tracking the flows in the network takes a lot of memory, so several options exist to keep that memory from growing too large. memcap is the maximum memory used for flow tracking, 128MB by default. Because suricata hashes the five-tuple to decide which flow a packet belongs to, hash-size is the size of that hash table. prealloc is the number of flows preallocated up front, which gives better performance when flows are identified. emergency-recovery is the percentage of flows (relative to prealloc) that must be pruned once suricata has entered memory emergency mode (emergency-mode), which happens when the memory in use exceeds memcap; the value here means flows equal to 30% of the prealloc value must be pruned. Which flows are pruned is decided by the flow-timeouts configured in the next section: if no flow has timed out, stricter timeouts are applied, and if that still does not help suricata removes the flows that have gone unused for longest. prune_flows is the number of old flows removed for every new flow added while in emergency mode:

# Flow settings:
# By default, the reserved memory (memcap) for flows is 32MB. This is the limit
# for flow allocation inside the engine. You can change this value to allow
# more memory usage for flows.
# The hash-size determine the size of the hash used to identify flows inside
# the engine, and by default the value is 65536.
# At the startup, the engine can preallocate a number of flows, to get a better
# performance. The number of flows preallocated is 10000 by default.
# emergency-recovery is the percentage of flows that the engine need to
# prune before unsetting the emergency state. The emergency state is activated
# when the memcap limit is reached, allowing to create new flows, but
# prunning them with the emergency timeouts (they are defined below).
# If the memcap is reached, the engine will try to prune flows
# with the default timeouts. If it doens't find a flow to prune, it will set
# the emergency bit and it will try again with more agressive timeouts.
# If that doesn't work, then it will try to kill the last time seen flows
# not in use.
# The memcap can be specified in kb, mb, gb.  Just a number indicates it's
# in bytes.

flow:
  memcap: 128mb           # The maximum amount of bytes the flow-engine will make use of.
  hash-size: 65536        # Flows will be organized in a hash-table. With this option you can set the.
                          # size of the hash-table.
  prealloc: 10000         # The amount of flows Suricata has to keep ready in memory.
  emergency-recovery: 30  # Percentage of 1000 prealloc'd flows.
  #managers: 1            # default to one flow manager
  #recyclers: 1           # default to one flow recycler thread

flow-timeouts

The flow timeouts mentioned in the previous section are set here. Protocols differ, so each protocol needs its own set of states, and each state has its own timeout. TCP has the states new, established and closed; UDP has only new and established.

For TCP, new covers the three-way handshake, established is the period after the handshake has completed, and closed is entered on a reset packet or the four-way handshake that closes the TCP connection. For UDP, new means only one side has sent packets and established means both sides have. Below is the timeout configuration for TCP, UDP, ICMP and default (all other protocols); entries without the emergency prefix are the timeouts in normal mode, and entries with the emergency prefix are the timeouts used in memory emergency mode:

# Specific timeouts for flows. Here you can specify the timeouts that the
# active flows will wait to transit from the current state to another, on each
# protocol. The value of "new" determine the seconds to wait after a hanshake or
# stream startup before the engine free the data of that flow it doesn't
# change the state to established (usually if we don't receive more packets
# of that flow). The value of "established" is the amount of
# seconds that the engine will wait to free the flow if it spend that amount
# without receiving new packets or closing the connection. "closed" is the
# amount of time to wait after a flow is closed (usually zero). "bypassed"
# timeout controls locally bypassed flows. For these flows we don't do any other
# tracking. If no packets have been seen after this timeout, the flow is discarded.
#
# There's an emergency mode that will become active under attack circumstances,
# making the engine to check flow status faster. This configuration variables
# use the prefix "emergency-" and work similar as the normal ones.
# Some timeouts doesn't apply to all the protocols, like "closed", for udp and
# icmp.

flow-timeouts:

  default:
    new: 30                     # Time-out in seconds after the last activity in this flow in a New state.
    established: 300            # Time-out in seconds after the last activity in this flow in a Established state.
    closed: 0
    bypassed: 100
    emergency-new: 10           # Time-out in seconds after the last activity in this flow in a New state during the emergency mode.
    emergency-established: 100  # Time-out in seconds after the last activity in this flow in a Established state in the emergency mode.
    emergency-closed: 0
    emergency-bypassed: 50
  tcp:
    new: 60
    established: 600
    closed: 60
    bypassed: 100
    emergency-new: 5
    emergency-established: 100
    emergency-closed: 10
    emergency-bypassed: 50
  udp:
    new: 30
    established: 300
    bypassed: 100
    emergency-new: 10
    emergency-established: 100
    emergency-bypassed: 50
  icmp:
    new: 30
    established: 300
    bypassed: 100
    emergency-new: 10
    emergency-established: 100
    emergency-bypassed: 50

stream

The stream engine tracks TCP connections. It has two parts, TCP stream tracking and the reassembly engine: the former monitors the state of each TCP connection and identifies a complete stream, the latter reassembles the stream so that the subsequent processing modules can understand it.

First, the stream tracking configuration. As with flow, memcap here is the maximum memory this module may use. checksum-validation sets whether the TCP checksum of each packet is verified; the checksum protects the packet's integrity, and with yes packets that fail the check are discarded. max-sessions limits the number of TCP connections tracked so they do not consume too much memory, and prealloc-sessions is the number of sessions preallocated for performance. midstream sets whether suricata may start tracking a TCP connection from the middle; this happens almost every time, because when suricata starts some TCP connections are already in the established state. true allows a flow to be picked up midstream, and the default is false. async-oneside sets whether asynchronous packet handling is enabled: sometimes a flow is not carried by one router but by several different routers, so the two directions are seen asynchronously; true handles this asynchronous case, and the default is false.

The second part of the stream engine is reassembly. memcap needs no further introduction. Because reassembly is expensive and needs many resources, depth limits it so that very large streams are not reassembled without bound; the default is 1MB. For toserver-chunk-size and toclient-chunk-size, the reassembled raw data is only handed to inspection once at least the configured number of bytes has accumulated (that is the literal reading of the comment):

# Stream engine settings. Here the TCP stream tracking and reassembly
# engine is configured.
#
# stream:
#   memcap: 32mb                # Can be specified in kb, mb, gb.  Just a
#                               # number indicates it's in bytes.
#   checksum-validation: yes    # To validate the checksum of received
#                               # packet. If csum validation is specified as
#                               # "yes", then packet with invalid csum will not
#                               # be processed by the engine stream/app layer.
#                               # Warning: locally generated trafic can be
#                               # generated without checksum due to hardware offload
#                               # of checksum. You can control the handling of checksum
#                               # on a per-interface basis via the 'checksum-checks'
#                               # option
#   prealloc-sessions: 2k       # 2k sessions prealloc'd per stream thread
#   midstream: false            # don't allow midstream session pickups
#   async-oneside: false        # don't enable async stream handling
#   inline: no                  # stream inline mode
#   drop-invalid: yes           # in inline mode, drop packets that are invalid with regards to streaming engine
#   max-synack-queued: 5        # Max different SYN/ACKs to queue
#   bypass: no                  # Bypass packets when stream.depth is reached
#
#   reassembly:
#     memcap: 64mb              # Can be specified in kb, mb, gb.  Just a number
#                               # indicates it's in bytes.
#     depth: 1mb                # Can be specified in kb, mb, gb.  Just a number
#                               # indicates it's in bytes.
#     toserver-chunk-size: 2560 # inspect raw stream in chunks of at least
#                               # this size.  Can be specified in kb, mb,
#                               # gb.  Just a number indicates it's in bytes.
#     toclient-chunk-size: 2560 # inspect raw stream in chunks of at least
#                               # this size.  Can be specified in kb, mb,
#                               # gb.  Just a number indicates it's in bytes.
#     randomize-chunk-size: yes # Take a random value for chunk size around the specified value.
#                               # This lower the risk of some evasion technics but could lead
#                               # detection change between runs. It is set to 'yes' by default.
#     randomize-chunk-range: 10 # If randomize-chunk-size is active, the value of chunk-size is
#                               # a random value between (1 - randomize-chunk-range/100)*toserver-chunk-size
#                               # and (1 + randomize-chunk-range/100)*toserver-chunk-size and the same
#                               # calculation for toclient-chunk-size.
#                               # Default value of randomize-chunk-range is 10.
#
#     raw: yes                  # 'Raw' reassembly enabled or disabled.
#                               # raw is for content inspection by detection
#                               # engine.
#
#     segment-prealloc: 2048    # number of segments preallocated per thread
#
#     check-overlap-different-data: true|false
#                               # check if a segment contains different data
#                               # than what we've already seen for that
#                               # position in the stream.
#                               # This is enabled automatically if inline mode
#                               # is used or when stream-event:reassembly_overlap_different_data;
#                               # is used in a rule.
#
stream:
  memcap: 64mb
  checksum-validation: yes      # reject wrong csums
  inline: auto                  # auto will use inline mode in IPS mode, yes or no set it statically
  reassembly:
    memcap: 256mb
    depth: 1mb                  # reassemble 1mb into a stream
    toserver-chunk-size: 2560
    toclient-chunk-size: 2560
    randomize-chunk-size: yes
    #randomize-chunk-range: 10
    #raw: yes
    #segment-prealloc: 2048
    #check-overlap-different-data: true
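To make the reassembly options concrete, here is an added toy reassembler for one direction of a TCP stream; it is example code, not Suricata's stream engine, and the class and method names are its own. It buffers out-of-order segments by sequence number, hands contiguous data to "inspection" only in chunks of at least chunk-size bytes (the toserver/toclient-chunk-size idea), stops tracking once depth bytes have been delivered, and records the event that check-overlap-different-data is about: a retransmitted segment whose bytes differ from what was already seen at that stream position, which is what an inconsistent-retransmission evasion looks like to a sensor. Assumptions: sizes are tiny bytes values for readability, randomize-chunk-range is not modelled, and the policy question of which copy of overlapping data wins is left out; the example only flags the overlap.

```python
from dataclasses import dataclass
from typing import List


@dataclass
class Segment:
    seq: int        # TCP sequence number of the first byte
    data: bytes


class Reassembler:
    def __init__(self, isn: int, depth: int, chunk_size: int):
        self.next_seq = isn            # next byte the application layer expects
        self.depth = depth             # reassembly.depth: bytes tracked per direction
        self.chunk_size = chunk_size   # toserver/toclient-chunk-size
        self.delivered = 0             # bytes already handed to inspection
        self.pending = b""             # contiguous data below chunk_size, not yet delivered
        self.buffer: List[Segment] = []
        self.events: List[str] = []    # stream events a rule could match on

    def insert(self, seq: int, data: bytes) -> None:
        """Accept a segment; ignore it once depth is reached."""
        if self.delivered >= self.depth:
            return
        # check-overlap-different-data: same stream position, different bytes
        for s in self.buffer:
            lo = max(seq, s.seq)
            hi = min(seq + len(data), s.seq + len(s.data))
            if lo < hi and data[lo - seq:hi - seq] != s.data[lo - s.seq:hi - s.seq]:
                self.events.append("reassembly_overlap_different_data")
                break
        if seq + len(data) <= self.next_seq:
            return                     # pure retransmission of delivered data
        self.buffer.append(Segment(seq, data))
        self.buffer.sort(key=lambda s: s.seq)

    def chunks(self) -> List[bytes]:
        """Deliver contiguous data in pieces of at least chunk_size bytes; a
        shorter tail waits for more data. Delivery stops at depth."""
        out: List[bytes] = []
        while self.buffer and self.buffer[0].seq <= self.next_seq:
            s = self.buffer.pop(0)
            piece = s.data[self.next_seq - s.seq:]          # drop already-seen prefix
            piece = piece[: self.depth - self.delivered]    # never exceed depth
            self.pending += piece
            self.next_seq += len(piece)
            self.delivered += len(piece)
            if len(self.pending) >= self.chunk_size:
                out.append(self.pending)
                self.pending = b""
            if self.delivered >= self.depth:
                self.buffer.clear()    # depth reached: remaining data is not tracked
                break
        return out

    def flush(self) -> bytes:
        """At end of stream, hand over whatever is still below chunk_size."""
        data, self.pending = self.pending, b""
        return data


if __name__ == "__main__":
    # Constructed segments: second segment arrives first, depth of 16 bytes,
    # chunks of 8, then a segment that is past depth and is dropped.
    r = Reassembler(isn=1000, depth=16, chunk_size=8)
    r.insert(1008, b"89abcdef")
    r.insert(1000, b"01234567")
    print(r.chunks())                  # [b'01234567', b'89abcdef']
    r.insert(1016, b"ghij")
    print(r.chunks(), r.delivered)     # [] 16
```

Two things the run shows that the YAML comments only state: data beyond depth is invisible to every later stage, which is why the modbus section below sets its stream-depth to 0 for long-lived connections, and an overlapping retransmission with different payload is an event you can alert on rather than something that silently changes what gets inspected.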

inline is harder to understand. Does yes mean it works in IPS mode and no mean it does not? The official documentation only mentions the difference in the stream tracking module between IDS and IPS mode: in IDS mode suricata reassembles the client packets it has been watching and hands them to the next stage only once the server has sent an ACK, whereas in IPS mode, because packets that match a rule must be dropped in real time, a sliding window is used and the next stage runs every time the client sends a packet:

In IDS mode

[figure: reassembly in IDS mode]

In IPS mode

[figure: reassembly in IPS mode]

Application-layer parsers

If you want Suricata to parse application-layer protocol packets, the parsers need to be configured; they include tls, ftp, smtp, ssh, http and others. Part of the default configuration is shown below. enabled can be yes, no or detection-only: yes both detects the protocol and parses it, detection-only only detects the protocol without further parsing, and no neither detects nor parses:

# Configure the app-layer parsers. The protocols section details each
# protocol.
#
# The option "enabled" takes 3 values - "yes", "no", "detection-only".
# "yes" enables both detection and the parser, "no" disables both, and
# "detection-only" enables protocol detection only (parser disabled).
app-layer:
  protocols:
    tls:
      enabled: yes
      detection-ports:
        dp: 443

      # Completely stop processing TLS/SSL session after the handshake
      # completed. If bypass is enabled this will also trigger flow
      # bypass. If disabled (the default), TLS/SSL session is still
      # tracked for Heartbleed and other anomalies.
      #no-reassemble: yes
    dcerpc:
      enabled: yes
    ftp:
      enabled: yes
    ssh:
      enabled: yes
    smtp:
      enabled: yes
      # Configure SMTP-MIME Decoder
      mime:
        # Decode MIME messages from SMTP transactions
        # (may be resource intensive)
        # This field supercedes all others because it turns the entire
        # process on or off
        decode-mime: yes

        # Decode MIME entity bodies (ie. base64, quoted-printable, etc.)
        decode-base64: yes
        decode-quoted-printable: yes

        # Maximum bytes per header data value stored in the data structure
        # (default is 2000)
        header-value-depth: 2000

        # Extract URLs and save in state data structure
        extract-urls: yes
        # Set to yes to compute the md5 of the mail body. You will then
        # be able to journalize it.
        body-md5: no
      # Configure inspected-tracker for file_data keyword
      inspected-tracker:
        content-limit: 100000
        content-inspect-min-size: 32768
        content-inspect-window: 4096
    imap:
      enabled: detection-only
    msn:
      enabled: detection-only
    smb:
      enabled: yes
      detection-ports:
        dp: 139, 445
    # smb2 detection is disabled internally inside the engine.
    #smb2:
    #  enabled: yes
    # Note: NFS parser depends on Rust support: pass --enable-rust
    # to configure.
    nfs:
      enabled: no
    dns:
      # memcaps. Globally and per flow/state.
      #global-memcap: 16mb
      #state-memcap: 512kb

      # How many unreplied DNS requests are considered a flood.
      # If the limit is reached, app-layer-event:dns.flooded; will match.
      #request-flood: 500

      tcp:
        enabled: yes
        detection-ports:
          dp: 53
      udp:
        enabled: yes
        detection-ports:
          dp: 53
    http:
      enabled: yes
      # memcap: 64mb

      # default-config:           Used when no server-config matches
      #   personality:            List of personalities used by default
      #   request-body-limit:     Limit reassembly of request body for inspection
      #                           by http_client_body & pcre /P option.
      #   response-body-limit:    Limit reassembly of response body for inspection
      #                           by file_data, http_server_body & pcre /Q option.
      #   double-decode-path:     Double decode path section of the URI
      #   double-decode-query:    Double decode query section of the URI
      #   response-body-decompress-layer-limit:
      #                           Limit to how many layers of compression will be
      #                           decompressed. Defaults to 2.
      #
      # server-config:            List of server configurations to use if address matches
      #   address:                List of ip addresses or networks for this block
      #   personalitiy:           List of personalities used by this block
      #   request-body-limit:     Limit reassembly of request body for inspection
      #                           by http_client_body & pcre /P option.
      #   response-body-limit:    Limit reassembly of response body for inspection
      #                           by file_data, http_server_body & pcre /Q option.
      #   double-decode-path:     Double decode path section of the URI
      #   double-decode-query:    Double decode query section of the URI
      #
      #   uri-include-all:        Include all parts of the URI. By default the
      #                           'scheme', username/password, hostname and port
      #                           are excluded. Setting this option to true adds
      #                           all of them to the normalized uri as inspected
      #                           by http_uri, urilen, pcre with /U and the other
      #                           keywords that inspect the normalized uri.
      #                           Note that this does not affect http_raw_uri.
      #                           Also, note that including all was the default in
      #                           1.4 and 2.0beta1.
      #
      #   meta-field-limit:       Hard size limit for request and response size
      #                           limits. Applies to request line and headers,
      #                           response line and headers. Does not apply to
      #                           request or response bodies. Default is 18k.
      #                           If this limit is reached an event is raised.
      #
      # Currently Available Personalities:
      #   Minimal, Generic, IDS (default), IIS_4_0, IIS_5_0, IIS_5_1, IIS_6_0,
      #   IIS_7_0, IIS_7_5, Apache_2
      libhtp:
         default-config:
           personality: IDS

           # Can be specified in kb, mb, gb.  Just a number indicates
           # it's in bytes.
           request-body-limit: 100kb
           response-body-limit: 100kb

           # inspection limits
           request-body-minimal-inspect-size: 32kb
           request-body-inspect-window: 4kb
           response-body-minimal-inspect-size: 40kb
           response-body-inspect-window: 16kb

           # response body decompression (0 disables)
           response-body-decompress-layer-limit: 2

           # auto will use http-body-inline mode in IPS mode, yes or no set it statically
           http-body-inline: auto

           # Take a random value for inspection sizes around the specified value.
           # This lower the risk of some evasion technics but could lead
           # detection change between runs. It is set to 'yes' by default.
           #randomize-inspection-sizes: yes
           # If randomize-inspection-sizes is active, the value of various
           # inspection size will be choosen in the [1 - range%, 1 + range%]
           # range
           # Default value of randomize-inspection-range is 10.
           #randomize-inspection-range: 10

           # decoding
           double-decode-path: no
           double-decode-query: no

         server-config:

           #- apache:
           #    address: [192.168.1.0/24, 127.0.0.0/8, "::1"]
           #    personality: Apache_2
           #    # Can be specified in kb, mb, gb.  Just a number indicates
           #    # it's in bytes.
           #    request-body-limit: 4096
           #    response-body-limit: 4096
           #    double-decode-path: no
           #    double-decode-query: no

           #- iis7:
           #    address:
           #      - 192.168.0.0/24
           #      - 192.168.10.0/24
           #    personality: IIS_7_0
           #    # Can be specified in kb, mb, gb.  Just a number indicates
           #    # it's in bytes.
           #    request-body-limit: 4096
           #    response-body-limit: 4096
           #    double-decode-path: no
           #    double-decode-query: no

    # Note: Modbus probe parser is minimalist due to the poor significant field
    # Only Modbus message length (greater than Modbus header length)
    # And Protocol ID (equal to 0) are checked in probing parser
    # It is important to enable detection port and define Modbus port
    # to avoid false positive
    modbus:
      # How many unreplied Modbus requests are considered a flood.
      # If the limit is reached, app-layer-event:modbus.flooded; will match.
      #request-flood: 500

      enabled: no
      detection-ports:
        dp: 502
      # According to MODBUS Messaging on TCP/IP Implementation Guide V1.0b, it
      # is recommended to keep the TCP connection opened with a remote device
      # and not to open and close it for each MODBUS/TCP transaction. In that
      # case, it is important to set the depth of the stream reassembling as
      # unlimited (stream.reassembly.depth: 0)

      # Stream reassembly size for modbus. By default track it completely.
      stream-depth: 0

    # DNP3
    dnp3:
      enabled: no
      detection-ports:
        dp: 20000

    # SCADA EtherNet/IP and CIP protocol support
    enip:
      enabled: no
      detection-ports:
        dp: 44818
        sp: 44818

    # Note: parser depends on experimental Rust support
    # with --enable-rust-experimental passed to configure
    ntp:
      enabled: no

Because HTTP packets are complex and common, and the HTTP parser uses a third-party library, it is explained separately below.

libhtp

Suricata uses the libhtp library to parse HTTP session packets. Because there are many kinds of HTTP web server, suricata must handle the HTTP traffic each kind of server produces, and here the user can configure the mapping between IP addresses and web server types. The available web server personalities are listed below; the default is the IDS personality:

Minimal
Generic
IDS (default)
IIS_4_0
IIS_5_0
IIS_5_1
IIS_6_0
IIS_7_0
IIS_7_5
Apache_2

For each personality you can configure the IP addresses it applies to, the web server type and limits on request and response body sizes; the default IDS personality applies to every IP that matches no server-config entry. A typical configuration is shown below. The first few options are easy to understand; double-decode-path and double-decode-query need a special explanation. Some attacks on web servers work by inserting specific attack strings into the URI. A URI consists of five parts: scheme, host name, port (most HTTP traffic uses port 80, so it can be omitted), path and query parameters (see Uniform Resource Locator on Wikipedia). The parts an attacker controls are the path and the query, and double-decode-path and double-decode-query decode those two parts a second time so that content that was URL-encoded twice is still inspected in its decoded form (see Double Encoding on OWASP):

    http:
      enabled: yes
      # memcap: 64mb

      # default-config:           Used when no server-config matches
      #   personality:            List of personalities used by default
      #   request-body-limit:     Limit reassembly of request body for inspection
      #                           by http_client_body & pcre /P option.
      #   response-body-limit:    Limit reassembly of response body for inspection
      #                           by file_data, http_server_body & pcre /Q option.
      #   double-decode-path:     Double decode path section of the URI
      #   double-decode-query:    Double decode query section of the URI
      #   response-body-decompress-layer-limit:
      #                           Limit to how many layers of compression will be
      #                           decompressed. Defaults to 2.
      #
      # server-config:            List of server configurations to use if address matches
      #   address:                List of ip addresses or networks for this block
      #   personalitiy:           List of personalities used by this block
      #   request-body-limit:     Limit reassembly of request body for inspection
      #                           by http_client_body & pcre /P option.
      #   response-body-limit:    Limit reassembly of response body for inspection
      #                           by file_data, http_server_body & pcre /Q option.
      #   double-decode-path:     Double decode path section of the URI
      #   double-decode-query:    Double decode query section of the URI
      #
      #   uri-include-all:        Include all parts of the URI. By default the
      #                           'scheme', username/password, hostname and port
      #                           are excluded. Setting this option to true adds
      #                           all of them to the normalized uri as inspected
      #                           by http_uri, urilen, pcre with /U and the other
      #                           keywords that inspect the normalized uri.
      #                           Note that this does not affect http_raw_uri.
      #                           Also, note that including all was the default in
      #                           1.4 and 2.0beta1.
      #
      #   meta-field-limit:       Hard size limit for request and response size
      #                           limits. Applies to request line and headers,
      #                           response line and headers. Does not apply to
      #                           request or response bodies. Default is 18k.
      #                           If this limit is reached an event is raised.
      #
      # Currently Available Personalities:
      #   Minimal, Generic, IDS (default), IIS_4_0, IIS_5_0, IIS_5_1, IIS_6_0,
      #   IIS_7_0, IIS_7_5, Apache_2
      libhtp:
         default-config:
           personality: IDS

           # Can be specified in kb, mb, gb.  Just a number indicates
           # it's in bytes.
           request-body-limit: 100kb
           response-body-limit: 100kb

           # inspection limits
           request-body-minimal-inspect-size: 32kb
           request-body-inspect-window: 4kb
           response-body-minimal-inspect-size: 40kb
           response-body-inspect-window: 16kb

           # response body decompression (0 disables)
           response-body-decompress-layer-limit: 2

           # auto will use http-body-inline mode in IPS mode, yes or no set it statically
           http-body-inline: auto

           # Take a random value for inspection sizes around the specified value.
           # This lower the risk of some evasion technics but could lead
           # detection change between runs. It is set to 'yes' by default.
           #randomize-inspection-sizes: yes
           # If randomize-inspection-sizes is active, the value of various
           # inspection size will be choosen in the [1 - range%, 1 + range%]
           # range
           # Default value of randomize-inspection-range is 10.
           #randomize-inspection-range: 10

           # decoding
           double-decode-path: no
           double-decode-query: no

         server-config:

           #- apache:
           #    address: [192.168.1.0/24, 127.0.0.0/8, "::1"]
           #    personality: Apache_2
           #    # Can be specified in kb, mb, gb.  Just a number indicates
           #    # it's in bytes.
           #    request-body-limit: 4096
           #    response-body-limit: 4096
           #    double-decode-path: no
           #    double-decode-query: no

           #- iis7:
           #    address:
           #      - 192.168.0.0/24
           #      - 192.168.10.0/24
           #    personality: IIS_7_0
           #    # Can be specified in kb, mb, gb.  Just a number indicates
           #    # it's in bytes.
           #    request-body-limit: 4096
           #    response-body-limit: 4096
           #    double-decode-path: no
           #    double-decode-query: no
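The following added example (not libhtp or Suricata code; the function names and the event names are this example's own) shows what double-decode-path and double-decode-query change. A path or query is percent-decoded once as usual; with the option on it is decoded a second time, and the example additionally reports when that second pass changed anything, which is exactly the signal that the request was encoded twice. The sample URIs are constructed. One caveat worth knowing before enabling the option on a busy sensor: a legitimate value containing a literal "%25" followed by two hex digits also changes on the second decode, so treat the event as an indicator to investigate rather than proof of malice.

```python
from typing import Dict, List, Tuple
from urllib.parse import unquote, urlsplit


def decode_twice(part: str) -> Tuple[str, bool]:
    """Percent-decode a URI component twice.

    Returns (fully decoded value, changed), where changed is True when the second
    decoding pass altered the string, i.e. the component was encoded twice."""
    once = unquote(part)
    twice = unquote(once)
    return twice, once != twice


def inspect_uri(uri: str, double_decode_path: bool, double_decode_query: bool) -> Dict[str, object]:
    """Normalize path and query the way the two libhtp options select, and list
    the events a rule could alert on."""
    parts = urlsplit(uri)
    events: List[str] = []
    path = unquote(parts.path)          # single decode: the normal case
    query = unquote(parts.query)
    if double_decode_path:
        path, changed = decode_twice(parts.path)
        if changed:
            events.append("double_encoded_path")
    if double_decode_query:
        query, changed = decode_twice(parts.query)
        if changed:
            events.append("double_encoded_query")
    return {"path": path, "query": query, "events": events}


if __name__ == "__main__":
    # Constructed requests: the first is encoded twice, the second only once.
    for uri in ("http://example.test/static/%2541%2542?name=%2525",
                "http://example.test/a%20b?x=1%2B1"):
        print(inspect_uri(uri, double_decode_path=True, double_decode_query=True))
    # With both options off, the doubly encoded path stays opaque to inspection.
    print(inspect_uri("http://example.test/static/%2541%2542?name=%2525", False, False))
```

Compare the last two lines of output: with the options off, a rule matching on the decoded path never sees "AB", because the buffer it inspects still contains "%41%42". That is the evasion the options exist to close, at the cost of the occasional false positive described above.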

asn1-max-frames

ASN.1 is a standard notation for describing data and structures, widely used in telecommunications and computer networks for encoding and transmitting data; see Abstract Syntax Notation One on Wikipedia. This option sets the maximum number of ASN.1 frames suricata will decode:

# Limit for the maximum number of asn1 frames to decode (default 256)
asn1-max-frames: 256