Monday, March 31, 2014

Solidot: Suricata 2.0: Auditing Downloaded Files

Solidot

Geek news, the stuff that matters

Suricata 2.0: Auditing Downloaded Files
http://solidot.org.feedsportal.com/c/33236/f/556826/s/38d5a9ef/sc/28/l/0L0Ssolidot0Borg0Cstory0Dsid0F38956/story01.htm
Apr 1st 2014, 02:33

Shawn the R0ck writes: "Suricata is a high-performance open-source IDS/IPS project. It has been a while since Suricata 1.0 was released, and both Bro and recent Suricata versions can save files with a given extension or of a particular format out of HTTP traffic, such as jpg, pdf, exe and so on. This feature will interest hackers (or security researchers) who want to grab malware samples. As usual, let's test it on the most minimal Debian.
Download a minimal Debian image and install it in a virtual machine (VMware/VirtualBox) with two virtual NICs, eth0 and eth1. eth0 runs in NAT mode to talk to the host; eth1 runs in bridge mode, needs no IP address, and is used for packet capture. Once Debian is installed, install the dependency packages:
#apt-get install vim openssh-server ethtool libpcap-dev libnfnetlink-dev libnetfilter-queue-dev libdnet-dev libdumbnet-dev libpcre3-dev libpcre3-dbg bison flex make zlib1g-dev autoconf libtool libnss3-dev libnspr4-dev libjansson4 libjansson-dev libyaml-dev libcap-ng0 libcap-ng-dev libnet1-dev libmagic-dev build-essential
Get the Suricata source code:
#cd /tmp
#wget http://www.openinfosecfoundation.org/download/suricata-2.0.tar.gz
#tar zxvf suricata-2.0.tar.gz
#cd suricata-2.0
Build and install:
#./configure --enable-nfqueue --enable-gccprotect --prefix=/usr/local/suricata --localstatedir=/var
#make -j3
#make install-full
Edit the configuration file suricata.yaml:
1. Raise the following two values:
     request-body-limit: 1gb #3072
     response-body-limit: 1gb #3072
2. Enable the file-store feature:
- file-store:
    enabled: yes       # set to yes to enable
    log-dir: files     # directory to store the files
    force-magic: no    # force logging magic on all stored files
    force-md5: no      # force logging of md5 checksums
    waldo: file.waldo  # waldo file to store the file_id across runs
# output module to log files tracked in an easily parsable json format
- file-log:
    enabled: yes
    filename: files-json.log
    append: yes
    #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram'
3. Add our test file (test.rules) under "default-rule-path:", like this:
default-rule-path: /usr/local/suricata/etc/suricata/rules
rule-files:
  - test.rules
  - botcc.rules
Create the test rules file:
/usr/local/suricata/etc/suricata/rules/test.rules
Add one test rule to test.rules; this rule stores jpg files:
alert http any any -> any any (msg:"FILESTORE jpg"; fileext:"jpg"; filestore; sid:6; rev:1;)
Bring up eth1:
#ifconfig eth1 up
According to the Suricata community wiki, we must turn off TCP GSO:
ethtool -K eth1 tso off
ethtool -K eth1 gro off
ethtool -K eth1 lro off
ethtool -K eth1 gso off
ethtool -K eth1 rx off
ethtool -K eth1 tx off
ethtool -K eth1 sg off
ethtool -K eth1 rxvlan off
ethtool -K eth1 txvlan off
ethtool -N eth1 rx-flow-hash udp4 sdfn
ethtool -N eth1 rx-flow-hash udp6 sdfn
ethtool -n eth1 rx-flow-hash udp6
ethtool -n eth1 rx-flow-hash udp4
ethtool -C eth1 rx-usecs 1000
ethtool -C eth1 adaptive-rx off
Now we can run Suricata: /usr/local/suricata/bin/suricata -c /usr/local/suricata/etc/suricata/suricata.yaml -i eth1
On the host system, use Firefox/Chrome to visit some websites, such as these links. Afterwards you should be able to see pictures of pretty girls in the /var/log/suricata/files directory. Thanks to the hackers of the Suricata community for their contributions to the free software community."
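The post ends by looking at the files directory by eye. A triage pass over the files-json.log records and the stored files is what you actually want once more than a handful of files land there: the fileext rule above stores anything whose URL ends in .jpg, so the libmagic type in the log is the only thing that tells a real image from a PE file served as cute.jpg, and the logged MD5 is how you confirm the file on disk is the one Suricata saw. The following script is an added example, not code from the Solidot post or from the Suricata project. It assumes files-json.log holds one JSON object per line carrying the fields http_host, filename, magic, md5, stored and size, and that stored files sit in the file-store log-dir as file.<n>; the sample records and file contents are constructed.

```python
# Triage helper for Suricata file-log / file-store output (added example;
# field names and file naming are assumptions, sample data is constructed).
import hashlib
import json
import os
import tempfile

# URL extension -> substrings libmagic is expected to report for that type.
EXPECTED_MAGIC = {
    "jpg": ("JPEG",), "jpeg": ("JPEG",), "png": ("PNG",), "gif": ("GIF",),
    "pdf": ("PDF",), "exe": ("PE32", "MS-DOS"),
}


def parse_file_log(text):
    """Return the JSON records in a files-json.log dump, skipping junk lines
    (a half-written last line while Suricata is running is the usual case)."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            records.append(json.loads(line))
        except ValueError:
            continue
    return records


def extension_of(filename):
    """Lower-cased extension of the requested URL path, '' if none."""
    base = filename.rsplit("/", 1)[-1].split("?", 1)[0]
    return base.rsplit(".", 1)[-1].lower() if "." in base else ""


def magic_mismatches(records):
    """Records whose libmagic type contradicts the URL's extension."""
    hits = []
    for rec in records:
        expected = EXPECTED_MAGIC.get(extension_of(rec.get("filename", "")))
        magic = rec.get("magic", "")
        if expected and magic and not any(tag in magic for tag in expected):
            hits.append((rec.get("http_host"), rec.get("filename"), magic))
    return hits


def hash_store(store_dir):
    """MD5 every stored file.<n> in the file-store directory -> {md5: path}."""
    hashes = {}
    for name in sorted(os.listdir(store_dir)):
        if not name.startswith("file.") or name.endswith(".meta"):
            continue
        path = os.path.join(store_dir, name)
        with open(path, "rb") as fh:
            hashes[hashlib.md5(fh.read()).hexdigest()] = path
    return hashes


def join_records_to_store(records, store_dir):
    """Match logged md5s to files on disk. Returns ({md5: path} for records
    found on disk, [md5, ...] for records marked stored whose file is absent)."""
    on_disk = hash_store(store_dir)
    matched, missing = {}, []
    for rec in records:
        md5 = rec.get("md5")
        if not md5 or not rec.get("stored"):
            continue
        if md5 in on_disk:
            matched[md5] = on_disk[md5]
        else:
            missing.append(md5)
    return matched, missing


# Constructed sample data: not real captures or real Suricata output.
JPEG_BYTES = b"\xff\xd8\xff\xe0\x00\x10JFIF" + b"\x00" * 8
PE_BYTES = b"MZ\x90\x00" + b"\x00" * 28
JPEG_MD5 = hashlib.md5(JPEG_BYTES).hexdigest()
PE_MD5 = hashlib.md5(PE_BYTES).hexdigest()
GONE_MD5 = "0" * 32  # logged as stored, but the file is absent on disk

SAMPLE_LOG = "\n".join(json.dumps(r) for r in [
    {"http_host": "img.example", "filename": "/photos/beach.jpg",
     "magic": "JPEG image data, JFIF standard 1.01", "md5": JPEG_MD5,
     "stored": True, "size": len(JPEG_BYTES)},
    {"http_host": "evil.example", "filename": "/img/cute.jpg",
     "magic": "PE32 executable (GUI) Intel 80386, for MS Windows",
     "md5": PE_MD5, "stored": True, "size": len(PE_BYTES)},
    {"http_host": "docs.example", "filename": "/report.pdf",
     "magic": "PDF document, version 1.4", "stored": False, "size": 4096},
    {"http_host": "img.example", "filename": "/gallery/x.JPG?s=1",
     "magic": "JPEG image data", "md5": GONE_MD5, "stored": True, "size": 1},
]) + '\n{"truncated": '  # simulate a half-written trailing line


def demo():
    """Write the constructed store to a temp dir and run both checks."""
    store = tempfile.mkdtemp(prefix="suricata-files-")
    with open(os.path.join(store, "file.1"), "wb") as fh:
        fh.write(JPEG_BYTES)
    with open(os.path.join(store, "file.2"), "wb") as fh:
        fh.write(PE_BYTES)
    records = parse_file_log(SAMPLE_LOG)
    matched, missing = join_records_to_store(records, store)
    return magic_mismatches(records), matched, missing
```

Against a real box, point hash_store at the file-store log-dir (/var/log/suricata/files with the configuration above) and feed parse_file_log the contents of files-json.log. With force-md5 left at no, as in the post, the md5 field will only be present where something made Suricata compute it, so the disk join will skip most records; set force-md5: yes if you want every stored file verifiable.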



