网络监控与威胁检测:IDS/IPS规则与告警分析
入侵检测系统(IDS)和入侵防御系统(IPS)是网络安全的"监控摄像头"和"保安"。IDS检测并报警,IPS还能自动阻断。两者是纵深防御的关键层。
Snort是最经典的开源IDS/IPS,其规则语法被广泛采用。理解规则语法是安全分析师的核心技能。
# Snort规则基本结构
# 动作 协议 源IP 源端口 → 目标IP 目标端口 (选项;)
# 规则组成:
# ┌─────┐ ┌──┐ ┌─────────┐ ┌──┐ ┌─────────┐ ┌──┐ ┌──────────────────┐
# │alert│ │tcp│ │any │ │any│ → │any │ │80 │ (msg:"..."; ...) │
# │动作 │ │协议│ │源地址 │ │端口│ │目标地址 │ │端口│ (规则选项) │
# └─────┘ └──┘ └─────────┘ └──┘ └─────────┘ └──┘ └──────────────────┘
# 动作类型:
# alert → 生成告警
# log → 记录日志
# pass → 忽略
# drop → 丢弃(IPS模式)
# reject → 丢弃并返回RST
# === 基础规则示例 ===
# 检测SQL注入
alert tcp any any -> any 80 (msg:"SQL Injection Attempt"; content:"UNION SELECT"; nocase; sid:1000001; rev:1;)
# 检测XSS
alert tcp any any -> any 80 (msg:"XSS Attempt - Script Tag"; content:"<script>"; nocase; sid:1000002; rev:1;)
# 检测SSH暴力破解
alert tcp any any -> any 22 (msg:"SSH Brute Force Attempt"; flags:S; threshold:type threshold, track by_src, count 5, seconds 60; sid:1000003; rev:1;)
# 检测ICMP Flood
alert icmp any any -> any any (msg:"ICMP Flood Detected"; dsize:>1000; sid:1000004; rev:1;)
# 检测Heartbleed
alert tcp any any -> any 443 (msg:"Possible Heartbleed Attack"; content:"|18 03 00 40 00|"; sid:1000005; rev:1;)
# 检测路径遍历
alert tcp any any -> any 80 (msg:"Path Traversal Attempt"; content:"../"; content:"etc/passwd"; distance:0; nocase; sid:1000006; rev:1;)
# 检测Web Shell上传
alert tcp any any -> any 80 (msg:"Web Shell Upload Attempt"; content:"POST"; http_method; content:"eval"; http_client_body; nocase; sid:1000007; rev:1;)
# 关键规则选项
# msg → 告警消息
# content → 内容匹配(最核心的选项)
# nocase → 大小写不敏感
# sid → 规则唯一ID
# rev → 规则版本号
# 内容匹配选项
# content:"pattern" → 精确匹配
# content:"pattern"; nocase → 不区分大小写
# content:"|hex bytes|" → 十六进制匹配
# content:"A"; content:"B"; distance:0 → A和B紧邻
# content:"A"; within:10 → A之后10字节内
# pcre:"/regex/" → 正则匹配
# HTTP专用选项
# http_method → HTTP方法(GET/POST等)
# http_uri → URI路径
# http_header → HTTP头
# http_cookie → Cookie
# http_user_agent → User-Agent
# http_client_body → 请求体
# 阈值选项
# threshold:type threshold, track by_src, count 5, seconds 60
# 60秒内同一来源5次匹配才告警
# flow选项
# flow:to_server,established → 已建立的连接,客户端到服务器
# flow:from_server,established → 服务器到客户端
Suricata是Snort的现代替代品,支持多线程、更快的处理速度和更丰富的协议解析。
# Suricata兼容Snort规则,同时支持自己的扩展
# Suricata特有: HTTP关键字
alert http any any -> any any (msg:"SQL Injection via URI"; http.uri; content:"UNION"; nocase; content:"SELECT"; nocase; distance:0; sid:2000001; rev:1;)
# 检测恶意User-Agent
alert http any any -> any any (msg:"Malicious User-Agent"; http.user_agent; content:"sqlmap"; nocase; sid:2000002; rev:1;)
# 检测恶意文件下载
alert http any any -> any any (msg:"Malware Download"; http.response_body; content:"MZ"; within:2; filestore; sid:2000003; rev:1;)
# DNS隧道检测
alert dns any any -> any any (msg:"DNS Tunneling - Long Subdomain"; dns.query; content:"."; pcre:"/^([a-z0-9]{20,}\.){2,}/i"; sid:2000004; rev:1;)
# TLS证书检测
alert tls any any -> any any (msg:"Self-Signed Certificate"; tls.cert_subject; content:"CN="; tls.cert_issuer; content:"CN="; sid:2000005; rev:1;)
# Suricata配置 /etc/suricata/suricata.yaml
# af-packet:
# - interface: eth0
# cluster-id: 99
# cluster-type: cluster_flow
# defrag: yes
# 运行Suricata
suricata -c /etc/suricata/suricata.yaml -i eth0
# 查看告警
cat /var/log/suricata/fast.log
cat /var/log/suricata/eve.json | jq .
SIEM(Security Information and Event Management)是安全运营中心(SOC)的核心,集中收集、分析和关联来自所有安全设备的日志。
# ELK Stack (Elasticsearch + Logstash + Kibana)
# 最流行的开源SIEM方案
# 部署ELK
docker run -d --name elasticsearch \
-p 9200:9200 -e "discovery.type=single-node" \
docker.elastic.co/elasticsearch/elasticsearch:8.x
docker run -d --name kibana \
-p 5601:5601 --link elasticsearch \
docker.elastic.co/kibana/kibana:8.x
# Filebeat收集日志
docker run -d --name filebeat \
-v /var/log:/var/log:ro \
docker.elastic.co/beats/filebeat:8.x
# Suricata日志接入ELK
# Filebeat自带Suricata模块
filebeat modules enable suricata
# 自动解析eve.json
# 常用KQL查询 (Kibana Query Language)
# 查找SQL注入告警
event.module: "suricata" AND rule.category: "Web Application Attack"
# 查找特定源IP的所有告警
source.ip: "192.168.1.100"
# 查找高危告警
event.severity: [1 TO 2]
# 查找SSH暴力破解
event.module: "suricata" AND rule.category: "Authentication"
# Sigma是安全检测规则的通用格式
# 可以转换为Snort/Suricata/ELK/Splunk等格式
# SSH暴力破解Sigma规则
title: SSH Brute Force Attempt
status: experimental
logsource:
category: authentication
product: linux
detection:
selection:
event.action: 'login'
event.outcome: 'failure'
condition: selection | count() by source.ip > 5
timeframe: 5m
level: high
tags:
- attack.t1110
- attack.credential_access
# 使用sigmac转换工具
# 转换为Elasticsearch查询
sigmac -t es-qs -c elk-default rule.yml
# 转换为Splunk查询
sigmac -t splunk -c splunk-default rule.yml
# 告警分析流程
# 1. 确认告警有效性(排除误报)
# 2. 确定影响范围
# 3. 查找攻击来源
# 4. 评估危害程度
# 5. 执行响应措施
# 常见误报处理
# 1. 安全扫描器触发的告警 → 加入白名单
# 2. 内部应用的特征 → 调整规则
# 3. 已知业务行为 → 排除特定IP
# Suricata告警分析
# 查看详细告警
cat /var/log/suricata/eve.json | \
jq 'select(.alert.signature_id == 1000001)'
# 按源IP统计告警
cat /var/log/suricata/eve.json | \
jq -r '.src_ip' | sort | uniq -c | sort -rn | head -10
# 按告警类型统计
cat /var/log/suricata/eve.json | \
jq -r '.alert.signature' | sort | uniq -c | sort -rn
# 时间线分析
cat /var/log/suricata/eve.json | \
jq -r '[.timestamp, .alert.signature] | @tsv' | sort
# 关联分析
# 同一IP触发了多种不同类型的告警?
# 告警时间是否与已知攻击活动吻合?
# 是否有横向移动的迹象?
# 使用Docker快速部署Suricata
docker run --rm --net=host --cap-add=NET_ADMIN \
-v /var/log/suricata:/var/log/suricata \
-v /etc/suricata:/etc/suricata \
jasonish/suricata:latest -i eth0
# 使用Security Onion(一体化安全监控平台)
# https://securityonionsolutions.com/
# 包含: Suricata + Zeek + ELK + Wazuh
# Wazuh(主机入侵检测)
docker run -d --name wazuh-manager \
-p 1514:1514 -p 1515:1515 -p 514:514/udp \
-p 55000:55000 \
wazuh/wazuh-manager
# Zeek(网络分析框架,原Bro)
# 专注于网络行为分析,补充Snort/Suricata
zeek -r capture.pcap
# 生成连接日志、DNS日志、HTTP日志等
content和pcre选项各有什么优缺点?