{"id":213,"date":"2017-02-10T09:06:08","date_gmt":"2017-02-10T09:06:08","guid":{"rendered":""},"modified":"2021-09-09T21:29:45","modified_gmt":"2021-09-09T13:29:45","slug":"selks%e5%bc%80%e6%ba%90ids%e9%83%a8%e7%bd%b2","status":"publish","type":"post","link":"http:\/\/weizn.net\/?p=213","title":{"rendered":"SELKS\u5f00\u6e90IDS\u90e8\u7f72"},"content":{"rendered":"<div class=\"gfmr-markdown-container\"><div class=\"gfmr-markdown-source\" style=\"display: none;\">&lt;p&gt;&lt;strong&gt;\u00a0 \u00a0 \u6b64\u6587\u7ae0\u7531\u6211\u521d\u6b21\u63a5\u89e6SELKS\u8fd9\u5957\u7cfb\u7edf\u65f6\u6240\u5199\uff0c\u6587\u4e2d\u5f88\u591a\u914d\u7f6e\u5e76\u4e0d\u662f\u6700\u4e3a\u5408\u7406\u7684\uff0c\u56e0\u6b64&lt;span style=&quot;color: #ff0000;&quot;&gt;\u672c\u6587\u4e0d\u662f\u4e00\u7bc7\u6700\u4f73\u5b9e\u8df5&lt;\/span&gt;\uff0c\u5982\u9700\u90e8\u7f72\u6b64\u7cfb\u7edf\u6700\u597d\u4ee5\u7814\u7a76\u5b98\u65b9\u6587\u6863\u4e3a\u4e3b\u3002&lt;\/strong&gt;&lt;\/p&gt;\n&lt;p&gt;&lt;strong&gt;\u00a0 \u00a0 \u603b\u6709\u670b\u53cb\u90ae\u4ef6\u95ee\u6211\u4e00\u4e9b\u6027\u80fd\u65b9\u9762\u7684\u95ee\u9898\uff0c\u6211\u5927\u6982\u8bf4\u4e00\u4e0b\u76ee\u524d\u6211\u5728\u771f\u5b9e\u751f\u4ea7\u73af\u588320G\u6d41\u91cf\u4e0b\u7684\u6d4b\u8bd5\u7ed3\u679c\uff0cSuricata 4.0.4 + PF_RING 7.0.0(ZC\u6a21\u5f0f) + CentOS7.2 + CPU 40\u6838 + \u5185\u5b58 
64G\uff0cSuricata\u5728\u4e0d\u52a0\u8f7d\u4efb\u4f55\u89c4\u5219\u7684\u60c5\u51b5\u4e0b\u4ec5\u4ec5\u8fd0\u884c\u6d41\u91cf\u91cd\u7ec4\u5f15\u64ce\u53ef\u4ee5\u5b8c\u5168\u4e0d\u4e22\u5305\uff0c\u5f53\u52a0\u8f7d5W\u6761Snort\u89c4\u5219\u540e\u5076\u5c14\u4f1a\u6709\u8f7b\u5fae\u4e22\u5305\u60c5\u51b5\uff0c\u76ee\u524d\u770b\u6765Suricata\u89c4\u5219\u68c0\u6d4b\u5f15\u64ce\u5bf9\u6027\u80fd\u7684\u5360\u7528\u8981\u8fdc\u5927\u4e8e\u6d41\u91cf\u91cd\u7ec4\u5f15\u64ce\u5bf9\u6027\u80fd\u7684\u5360\u7528\uff0c\u53ef\u4ee5\u6ce8\u610f\u4e00\u4e0b\u540e\u7eed\u7684\u4f18\u5316\u65b9\u5411\u3002&lt;\/strong&gt;&lt;\/p&gt;\n&lt;p&gt;&nbsp;&lt;\/p&gt;\n&lt;p&gt;\u9ad8\u6027\u80fdSuricata\u90e8\u7f72\u53c2\u8003\u8fd9\u91cc\uff1a&lt;\/p&gt;\n&lt;blockquote class=&quot;wp-embedded-content&quot; data-secret=&quot;2JFaLF4QUO&quot;&gt;&lt;p&gt;&lt;a href=&quot;http:\/\/weizn.net\/?p=904&quot;&gt;Suricata + PF_RING\uff08ZC\u6a21\u5f0f\uff09\u90e8\u7f7215G+\u91c7\u96c6\u5668&lt;\/a&gt;&lt;\/p&gt;&lt;\/blockquote&gt;\n&lt;p&gt;&lt;iframe class=&quot;wp-embedded-content&quot; sandbox=&quot;allow-scripts&quot; security=&quot;restricted&quot; style=&quot;position: absolute; clip: rect(1px, 1px, 1px, 1px);&quot; title=&quot;\u300aSuricata + PF_RING\uff08ZC\u6a21\u5f0f\uff09\u90e8\u7f7215G+\u91c7\u96c6\u5668\u300b\u2014Wayne&#039;s Blog&quot; src=&quot;http:\/\/weizn.net\/?p=904&#038;embed=true#?secret=2JFaLF4QUO&quot; data-secret=&quot;2JFaLF4QUO&quot; width=&quot;600&quot; height=&quot;338&quot; frameborder=&quot;0&quot; marginwidth=&quot;0&quot; marginheight=&quot;0&quot; scrolling=&quot;no&quot;&gt;&lt;\/iframe&gt;&lt;\/p&gt;\n&lt;p&gt;&nbsp;&lt;\/p&gt;\n&lt;h2&gt;\u4e00\u00a0\u3001Suricata\u00a0\u5206\u5e03\u5f0fIDS\u9879\u76ee \u76ee\u7684\u5bf9\u529e\u516c\u7f51\u6d41\u91cf\u76d1\u542c\uff0c\u5165\u4fb5\u548c\u8fdd\u89c4\u884c\u4e3a\u544a\u8b66&lt;\/h2&gt;\n&lt;p&gt;Suricata\u00a0\u7531OISF(Open Information Security 
Foundation\u00a0)\u5f00\u53d1\uff0c\u4f7f\u7528\u6807\u51c6libpcap\u6216libpfring\u63a5\u53e3\uff0c\u652f\u6301snort\u89c4\u5219\u3002OISF\u7531DHS(United States Department of Homeland Security)\u53caBreach Security\u7b49\u591a\u5bb6\u4f01\u4e1a\u8d44\u52a9\u5f00\u53d1\u3002&lt;\/p&gt;\n&lt;h3&gt;1. Highly Scalable&lt;\/h3&gt;\n&lt;p&gt;Suricata is multi threaded. This means you can run one instance and it will balance the load of processing across every processor on a sensor Suricata is configured to use. This allows commodity hardware to achieve 10 gigabit speeds on real life traffic without sacrificing ruleset coverage.&lt;\/p&gt;\n&lt;h3&gt;2. Protocol Identification&lt;\/h3&gt;\n&lt;p&gt;The most common protocols are automatically recognized by Suricata as the stream starts, thus allowing rule writers to write a rule to the protocol, not to the port expected. This makes Suricata a Malware Command and Control Channel hunter like no other. Off port HTTP CnC channels, which normally slide right by most IDS systems, are child\u2019s play for Suricata! Furthermore, thanks to dedicated keywords you can match on protocol fields which range from http URI to a SSL certificate identifier.&lt;\/p&gt;\n&lt;h3&gt;3. File Identification, MD5 Checksums, and File Extraction&lt;\/h3&gt;\n&lt;p&gt;Suricata can identify thousands of file types while crossing your network! Not only can you identify it, but should you decide you want to look at it further you can tag it for extraction and the file will be written to disk with a meta data file describing the capture situation and flow. 
The file\u2019s MD5 checksum is calculated on the fly, so if you have a list of md5 hashes you want to keep in your network, or want to keep out, Suricata can find it.&lt;\/p&gt;\n&lt;p&gt;&lt;a href=&quot;http:\/\/suricata-ids.org\/features\/&quot;&gt;http:\/\/suricata-ids.org\/features\/&lt;\/a&gt;&lt;\/p&gt;\n&lt;p&gt;&lt;a href=&quot;http:\/\/www.aldeid.com\/wiki\/Suricata-vs-snort&quot;&gt;http:\/\/www.aldeid.com\/wiki\/Suricata-vs-snort&lt;\/a&gt;\u00a0\u00a0\u5bf9\u6bd4&lt;\/p&gt;\n&lt;p&gt;\u90e8\u7f72\u53c2\u8003\uff1a&lt;\/p&gt;\n&lt;p&gt;&lt;a href=&quot;https:\/\/redmine.openinfosecfoundation.org\/projects\/suricata\/wiki\/suricata_snorby_and_barnyard2_set_up_guide&quot;&gt;https:\/\/redmine.openinfosecfoundation.org\/projects\/suricata\/wiki\/suricata_snorby_and_barnyard2_set_up_guide&lt;\/a&gt;&lt;\/p&gt;\n&lt;p&gt;&lt;a href=&quot;https:\/\/redmine.openinfosecfoundation.org\/projects\/suricata\/wiki\/_Logstash_Kibana_and_Suricata_JSON_output&quot;&gt;https:\/\/redmine.openinfosecfoundation.org\/projects\/suricata\/wiki\/_Logstash_Kibana_and_Suricata_JSON_output&lt;\/a&gt;&lt;\/p&gt;\n&lt;p&gt;&lt;a href=&quot;http:\/\/shaurong.blogspot.com\/2016\/02\/suricata-30-centos-72-x64_22.html&quot;&gt;http:\/\/shaurong.blogspot.com\/2016\/02\/suricata-30-centos-72-x64_22.html&lt;\/a&gt;&lt;\/p&gt;\n&lt;p&gt;&lt;a href=&quot;https:\/\/github.com\/StamusNetworks\/scirius-docker\/blob\/master\/django\/scirius.sh#L21&quot;&gt;https:\/\/github.com\/StamusNetworks\/scirius-docker\/blob\/master\/django\/scirius.sh#L21&lt;\/a&gt;&lt;\/p&gt;\n&lt;p&gt;S &#8211; \u00a0\u00a0\u00a0\u00a0 Suricata IDPS &#8211;\u00a0&lt;a href=&quot;http:\/\/suricata-ids.org\/&quot;&gt;http:\/\/suricata-ids.org\/&lt;\/a&gt;&lt;\/p&gt;\n&lt;p&gt;E &#8211; \u00a0 \u00a0 \u00a0Elasticsearch\u00a0&#8211;\u00a0&lt;a href=&quot;http:\/\/www.elasticsearch.org\/overview\/&quot;&gt;http:\/\/www.elasticsearch.org\/overview\/&lt;\/a&gt;&lt;\/p&gt;\n&lt;p&gt;L &#8211; \u00a0\u00a0\u00a0\u00a0 Logstash &#8211;\u00a0&lt;a 
href=&quot;http:\/\/www.elasticsearch.org\/overview\/&quot;&gt;http:\/\/www.elasticsearch.org\/overview\/&lt;\/a&gt;&lt;\/p&gt;\n&lt;p&gt;K &#8211; \u00a0\u00a0\u00a0\u00a0 Kibana &#8211;\u00a0&lt;a href=&quot;http:\/\/www.elasticsearch.org\/overview\/&quot;&gt;http:\/\/www.elasticsearch.org\/overview\/&lt;\/a&gt;&lt;\/p&gt;\n&lt;p&gt;S &#8211; \u00a0\u00a0\u00a0\u00a0 Scirius &#8211;\u00a0&lt;a href=&quot;https:\/\/github.com\/StamusNetworks\/scirius&quot;&gt;https:\/\/github.com\/StamusNetworks\/scirius&lt;\/a&gt;&lt;\/p&gt;\n&lt;p&gt;&lt;a href=&quot;https:\/\/github.com\/StamusNetworks\/scirius&quot;&gt;https:\/\/github.com\/StamusNetworks\/scirius&lt;\/a&gt;\u00a0\u00a0IDS Rule and Signature management&lt;\/p&gt;\n&lt;p&gt;\u56fe\u5f62\u754c\u9762\u00a0Python django\u5f00\u53d1&lt;\/p&gt;\n&lt;h2&gt;\u4e8c\u3001\u90e8\u7f72\u6b65\u9aa4&lt;\/h2&gt;\n&lt;h3&gt;1.\u5b89\u88c5pf_ring&lt;\/h3&gt;\n&lt;p&gt;\u53c2\u8003\uff1ahttp:\/\/www.ntop.org\/pf_ring\/installation-guide-for-pf_ring\/&lt;\/p&gt;\n&lt;p&gt;\u52a0\u8f7dpf_ring\u9a71\u52a8:&lt;\/p&gt;\n&lt;p&gt;modprobe pf_ring transparent_mode=2\u00a0min_num_slots=16384&lt;\/p&gt;\n&lt;p&gt;ixgbe\u5b89\u88c5\u53c2\u8003\uff1ahttp:\/\/techedemic.com\/2015\/08\/04\/installing-ixgbe-driver-on-ubuntu-server-14-04-lts\/&lt;\/p&gt;\n&lt;p&gt;https:\/\/linux.cn\/article-5149-1.html&lt;\/p&gt;\n&lt;p&gt;\u52a0\u8f7dpf_ring_aware\u7684ixgbe\u7f51\u5361\u9a71\u52a8:&lt;\/p&gt;\n&lt;p&gt;modprobe ixgbe RSS=1&lt;\/p&gt;\n&lt;p&gt;\uff08\u666e\u901a\u9a71\u52a8.\/ixgbe-4.1.2-2.6.32\/src\/ixgbe.ko\uff09&lt;\/p&gt;\n&lt;p&gt;\u5c06RSS\u6570\u51cf\u5c11\u4e3a1\uff1a&lt;\/p&gt;\n&lt;p&gt;http:\/\/suricata.readthedocs.io\/en\/latest\/performance\/packet-capture.html&lt;\/p&gt;\n&lt;p&gt;\u542f\u52a8eth4\u7f51\u5361&lt;\/p&gt;\n&lt;p&gt;sudo ifconfig eth4 up&lt;\/p&gt;\n&lt;p&gt;pfring\u63a5\u6536\u6d4b\u8bd5\u7a0b\u5e8f&lt;\/p&gt;\n&lt;p&gt;sudo .\/PF_RING\/userland\/examples\/pfcount -i eth4&lt;\/p&gt;\n&lt;p&gt;sar -n EDEV 2 
10000 | grep eth4&lt;\/p&gt;\n&lt;p&gt;\/usr\/local\/sbin\/tcpdump \u00a0\u00a0\u57fa\u4e8epfring\u5e93\u7684tcpdump&lt;\/p&gt;\n&lt;p&gt;\u6ce8\u610f\u5404CPU\u7684\u8f6f\u4e2d\u65ad\u4f7f\u7528\u7387\uff0c\u53ef\u80fd\u9700\u8981\u8fdb\u884c\u8c03\u4f18\uff0c\u53c2\u8003\uff1a&lt;\/p&gt;\n&lt;blockquote class=&quot;wp-embedded-content&quot; data-secret=&quot;DPyEcUFWwW&quot;&gt;&lt;p&gt;&lt;a href=&quot;https:\/\/www.vpsee.com\/2010\/07\/load-balancing-with-irq-smp-affinity\/&quot;&gt;Linux \u591a\u6838\u4e0b\u7ed1\u5b9a\u786c\u4ef6\u4e2d\u65ad\u5230\u4e0d\u540c CPU\uff08IRQ Affinity\uff09&lt;\/a&gt;&lt;\/p&gt;&lt;\/blockquote&gt;\n&lt;p&gt;&lt;iframe class=&quot;wp-embedded-content&quot; sandbox=&quot;allow-scripts&quot; security=&quot;restricted&quot; style=&quot;position: absolute; clip: rect(1px, 1px, 1px, 1px);&quot; title=&quot;&#8220;Linux \u591a\u6838\u4e0b\u7ed1\u5b9a\u786c\u4ef6\u4e2d\u65ad\u5230\u4e0d\u540c CPU\uff08IRQ Affinity\uff09&#8221; &#8212; vpsee.com&quot; src=&quot;https:\/\/www.vpsee.com\/2010\/07\/load-balancing-with-irq-smp-affinity\/embed\/#?secret=DPyEcUFWwW&quot; data-secret=&quot;DPyEcUFWwW&quot; width=&quot;600&quot; height=&quot;338&quot; frameborder=&quot;0&quot; marginwidth=&quot;0&quot; marginheight=&quot;0&quot; scrolling=&quot;no&quot;&gt;&lt;\/iframe&gt;&lt;\/p&gt;\n&lt;h3&gt;2.\u5b89\u88c5Redis&lt;\/h3&gt;\n&lt;p&gt;\uff08\u8fc7\u7a0b\u7565\uff09&lt;\/p&gt;\n&lt;p&gt;Log\u4f7f\u7528redis\u4e34\u65f6\u4fdd\u5b58\uff0c\u65e5\u5fd7\u4e0d\u843d\u5730\u76f4\u63a5\u4fdd\u5b58\u8fdbES\u3002&lt;\/p&gt;\n&lt;h3&gt;3.\u5b89\u88c5Suricata&lt;\/h3&gt;\n&lt;p&gt;\u5b89\u88c5\u4f9d\u8d56\uff1a&lt;\/p&gt;\n&lt;pre class=&quot;EnlighterJSRAW&quot; data-enlighter-language=&quot;shell&quot;&gt;yum install wget libpcap-devel libnet-devel pcre-devel gcc-c++ automake autoconf libtool make libyaml-devel zlib-devel file-devel jansson-devel 
nss-devel&lt;\/pre&gt;\n&lt;p&gt;\u5b89\u88c5Hiredis\uff1ahttps:\/\/github.com\/redis\/hiredis&lt;\/p&gt;\n&lt;p&gt;\u5b83\u662fRedis\u6700\u5c0f\u7684C\u5ba2\u6237\u7aef&lt;\/p&gt;\n&lt;pre class=&quot;EnlighterJSRAW&quot; data-enlighter-language=&quot;shell&quot;&gt;git clone https:\/\/github.com\/redis\/hiredis.git \u00a0\r\ncd hiredis\/ \u00a0\r\nmake \u00a0\r\nsudo make install&lt;\/pre&gt;\n&lt;p&gt;\u5b89\u88c5Hyperscan\u652f\u6301\uff1a&lt;\/p&gt;\n&lt;p&gt;http:\/\/suricata.readthedocs.io\/en\/latest\/performance\/hyperscan.html&lt;\/p&gt;\n&lt;p&gt;\u5b89\u88c5Tcmalloc\uff1a&lt;\/p&gt;\n&lt;p&gt;http:\/\/suricata.readthedocs.io\/en\/latest\/performance\/tcmalloc.html&lt;\/p&gt;\n&lt;p&gt;suricata configure\u00a0\u53c2\u6570&lt;\/p&gt;\n&lt;pre class=&quot;EnlighterJSRAW&quot; data-enlighter-language=&quot;shell&quot;&gt;.\/configure --enable-lua --enable-pfring --enable-old-barnyard2 --enable-hiredis --enable-unix-socket --enable-profiling --enable-geoip --with-libnss-libraries=\/usr\/lib64 --with-libnss-includes=\/usr\/include\/nss3 --with-libnspr-libraries=\/usr\/lib64 --with-libnspr-includes=\/usr\/include\/nspr4 --enable-pfring --with-libpfring-includes=\/usr\/local\/include --with-libpfring-libraries=\/usr\/local\/lib\u00a0--with-libhs-includes=\/usr\/local\/include\/hs\/ --with-libhs-libraries=\/usr\/local\/lib\/\r\nmake\r\nmake 
install\r\nldconfig&lt;\/pre&gt;\n&lt;h3&gt;4.\u5b89\u88c5Logstash&lt;\/h3&gt;\n&lt;p&gt;\u8fd9\u91cc\u9700\u8981\u4fee\u6539logstash\u5411ES\u4e2d\u5199\u6570\u636e\u65f6\u6dfb\u52a0\u7684\u9690\u542b\u5b57\u6bb5\u6a21\u677f\uff0clogstash\u5728\u5411ES\u4e2d\u5199\u6570\u636e\u65f6\uff0c\u5728\u7f3a\u7701\u914d\u7f6e\u4e0b\uff0c\u53ea\u5411\u540d\u4e3a&quot;logstash-&quot;\u7684\u7d22\u5f15\u4e2d\u7684\u6bcf\u4e2a\u6587\u6863\u6dfb\u52a0\u9690\u542b\u7684\u9ed8\u8ba4\u5b57\u6bb5\uff0c\u800cscirius\u5728\u8bfb\u53d6ES\u4e2d\u7684\u6570\u636e\u65f6\u9700\u8981\u8c03\u7528\u8fd9\u4e9b\u9ed8\u8ba4\u5b57\u6bb5\uff0c\u56e0\u6b64\u82e5\u9700\u8981\u66f4\u6539logstash\u5199\u5165ES\u4e2d\u7684\u7d22\u5f15\u540d\uff0c\u5219\u8fd8\u9700\u8981\u66f4\u6539\u5efa\u7acb\u9ed8\u8ba4\u5b57\u6bb5\u7684\u6a21\u677f\uff0c\u5728logstash v2.3.4\u4e2d\uff0c\u7f16\u8f91\u6587\u4ef6\uff1a.\/vendor\/bundle\/jruby\/1.9\/gems\/logstash-output-elasticsearch-2.7.1-java\/lib\/logstash\/outputs\/elasticsearch\/elasticsearch-template.json&lt;\/p&gt;\n&lt;p&gt;\u4fee\u6539&quot;template&quot;\u5b57\u6bb5\u503c\u4e3a\u81ea\u5b9a\u4e49\u7684\u7d22\u5f15\u540d\u3002&lt;\/p&gt;\n&lt;h3&gt;5.\u5b89\u88c5Scirius&lt;\/h3&gt;\n&lt;p&gt;\u8be6\u89c1Github\uff1a&lt;a href=&quot;https:\/\/github.com\/StamusNetworks\/scirius&quot;&gt;https:\/\/github.com\/StamusNetworks\/scirius&lt;\/a&gt;&lt;\/p&gt;\n&lt;h3&gt;6.\u5b89\u88c5ES&lt;\/h3&gt;\n&lt;p&gt;\uff08\u8fc7\u7a0b\u7565\uff09&lt;\/p&gt;\n&lt;h3&gt;7.\u5b89\u88c5Kibana&lt;\/h3&gt;\n&lt;p&gt;\uff08\u8fc7\u7a0b\u7565\uff09&lt;\/p&gt;\n&lt;h2&gt;\u4e09\u3001\u914d\u7f6e&lt;\/h2&gt;\n&lt;p&gt;Suricata\u00a0\u6587\u6863&lt;a href=&quot;https:\/\/redmine.openinfosecfoundation.org\/projects\/suricata\/wiki\/Suricata_User_Guide&quot;&gt;https:\/\/redmine.openinfosecfoundation.org\/projects\/suricata\/wiki\/Suricata_User_Guide&lt;\/a&gt;&lt;\/p&gt;\n&lt;p&gt;Suricata\u914d\u7f6e\u6587\u4ef6\u548c\u89e3\u91ca&lt;\/p&gt;\n&lt;p&gt;&lt;a 
href=&quot;http:\/\/www.ntop.org\/pf_ring\/accelerating-suricata-with-pf_ring-dna\/&quot; target=&quot;_blank&quot; rel=&quot;noopener noreferrer&quot;&gt;http:\/\/www.ntop.org\/pf_ring\/accelerating-suricata-with-pf_ring-dna\/&lt;\/a&gt;&lt;\/p&gt;\n&lt;p&gt;&lt;a href=&quot;https:\/\/home.regit.org\/2012\/07\/suricata-to-10gbps-and-beyond\/&quot; target=&quot;_blank&quot; rel=&quot;noopener noreferrer&quot;&gt;https:\/\/home.regit.org\/2012\/07\/suricata-to-10gbps-and-beyond\/&lt;\/a&gt;&lt;\/p&gt;\n&lt;p&gt;&lt;a href=&quot;https:\/\/redmine.openinfosecfoundation.org\/projects\/suricata\/wiki\/Suricatayaml&quot;&gt;https:\/\/redmine.openinfosecfoundation.org\/projects\/suricata\/wiki\/Suricatayaml&lt;\/a&gt;&lt;\/p&gt;\n&lt;p&gt;&lt;a href=&quot;http:\/\/blog.csdn.net\/wuyangbotianshi\/article\/&quot;&gt;http:\/\/blog.csdn.net\/wuyangbotianshi\/article\/&lt;\/a&gt;&lt;\/p&gt;\n&lt;h3&gt;1.\u4fee\u6539Scirius\u529f\u80fd\u4ee3\u7801\uff1a&lt;\/h3&gt;\n&lt;p&gt;&lt;span style=&quot;color: #ff0000;&quot;&gt;&lt;strong&gt;\u6700\u65b0\u7248Scirius\u5df2\u4e0d\u9700\u8981\u4fee\u6539\u4efb\u4f55\u4ee3\u7801\u4e86\uff01&lt;\/strong&gt;&lt;\/span&gt;&lt;\/p&gt;\n&lt;p&gt;\u8fd9\u90e8\u5206\u5c06\u6dfb\u52a0Scirius\u8fde\u63a5ES\u65f6\u7684HTTP\u8ba4\u8bc1\u7684\u529f\u80fd\u3002\u6ce8\u610f\uff1aHTTP Basic\u8ba4\u8bc1\u53ea\u5bf9\u7528\u6237\u540d\u548c\u5bc6\u7801\u8fdb\u884cBase64\u7f16\u7801\uff0c\u5e76\u4e0d\u52a0\u5bc6\uff1b\u4e0b\u6587\u4ee3\u7801\u901a\u8fc7http:\/\/\u8fde\u63a5ES\uff0c\u82e5ES\u4e0d\u5728\u672c\u673a\uff0c\u5e94\u6539\u7528HTTPS\u3002&lt;\/p&gt;\n&lt;p&gt;Scirius\u7248\u672c\uff1aScirius version: 1.2.2&lt;\/p&gt;\n&lt;h4&gt;\uff081\uff09\u7f16\u8f91scirius\/setting.py&lt;\/h4&gt;\n&lt;p&gt;\u6dfb\u52a0\u4ee5\u4e0b\u4ee3\u7801\uff1a&lt;\/p&gt;\n&lt;pre class=&quot;EnlighterJSRAW&quot; data-enlighter-language=&quot;python&quot;&gt;#########################################################\r\n# HTTP AUTH\r\nELASTICSEARCH_HTTP_AUTH = True\r\nELASTICSEARCH_HTTP_AUTH_USER = &quot;username&quot;\r\nELASTICSEARCH_HTTP_AUTH_PASS = 
&quot;password&quot;\r\n\r\n\r\n#########################################################&lt;\/pre&gt;\n&lt;h4&gt;\uff082\uff09\u7f16\u8f91rules\/es_graphs.py&lt;\/h4&gt;\n&lt;p&gt;\u5728\u5f00\u5934\u6dfb\u52a0\u4ee5\u4e0b\u4e24\u4e2a\u51fd\u6570\uff1a&lt;\/p&gt;\n&lt;pre class=&quot;EnlighterJSRAW&quot; data-enlighter-language=&quot;python&quot;&gt;#########################################################\r\ndef gen_http_auth_field():\r\n    base64string = base64.encodestring(&#039;%s:%s&#039; % (settings.ELASTICSEARCH_HTTP_AUTH_USER,\r\n    settings.ELASTICSEARCH_HTTP_AUTH_PASS)).replace(&#039;\\n&#039;, &#039;&#039;)\r\n    auth_field = &quot;Authorization&quot;, &quot;Basic %s&quot; % base64string\r\n    return auth_field\r\ndef add_http_auth_field(req):\r\n    if settings.ELASTICSEARCH_HTTP_AUTH is False:\r\n        return req\r\n    auth_field = gen_http_auth_field()\r\n    req.add_header(auth_field[0], auth_field[1])\r\n    return req\r\n\r\n\r\n#########################################################&lt;\/pre&gt;\n&lt;p&gt;\u7136\u540e\u641c\u7d22\u5168\u6587\uff0c\u5728\u6240\u6709urllib2.Request()\u8c03\u7528\u524d\u6dfb\u52a0add_http_auth_field()\u51fd\u6570\u3002&lt;br \/&gt;\n\u8fd8\u9700\u4fee\u6539es_delete_alerts_by_sid_v2()\u51fd\u6570\u4e2d\u63d0\u4ea4\u8bf7\u6c42\u7684\u4ee3\u7801\u4e3a\uff1a&lt;\/p&gt;\n&lt;pre class=&quot;EnlighterJSRAW&quot; data-enlighter-language=&quot;python&quot;&gt;#########################################################\r\nif settings.ELASTICSEARCH_HTTP_AUTH is True:\r\n    auth_field = gen_http_auth_field()\r\n    r = requests.delete(delete_url, headers={auth_field[0]:auth_field[1]})\r\nelse:\r\n    r = requests.delete(delete_url)\r\n\r\n\r\n#########################################################&lt;\/pre&gt;\n&lt;p&gt;\u4fee\u6539es_delete_alerts_by_sid_v5()\u51fd\u6570\u4e2d\u63d0\u4ea4\u8bf7\u6c42\u7684\u4ee3\u7801\u4e3a\uff1a&lt;\/p&gt;\n&lt;pre class=&quot;EnlighterJSRAW&quot; 
data-enlighter-language=&quot;python&quot;&gt;#########################################################\r\nif settings.ELASTICSEARCH_HTTP_AUTH is True:\r\n    auth_field = gen_http_auth_field()\r\n    r = requests.post(delete_url, headers={auth_field[0]:auth_field[1]}, data = json.dumps(data))\r\nelse:\r\n    r = requests.post(delete_url, data = json.dumps(data))\r\n\r\n\r\n#########################################################&lt;\/pre&gt;\n&lt;h4&gt;\uff083\uff09\u7f16\u8f91rules\/es_data.py&lt;\/h4&gt;\n&lt;p&gt;\u4fee\u6539ESData\u7c7b\u4e2d\u7684__init__()\u51fd\u6570\u4ee3\u7801\u5982\u4e0b\uff1a&lt;\/p&gt;\n&lt;pre class=&quot;EnlighterJSRAW&quot; data-enlighter-language=&quot;python&quot;&gt;#########################################################\r\nes_addr = &#039;http:\/\/%s\/&#039; % settings.ELASTICSEARCH_ADDRESS\r\nif settings.ELASTICSEARCH_HTTP_AUTH is True:\r\n    self.client = Elasticsearch([es_addr], http_auth=(settings.ELASTICSEARCH_HTTP_AUTH_USER, settings.ELASTICSEARCH_HTTP_AUTH_PASS))\r\nelse:\r\n    self.client = Elasticsearch([es_addr])\r\n\r\n\r\n#########################################################&lt;\/pre&gt;\n&lt;p&gt;\u7136\u540e\u641c\u7d22\u6574\u4e2a\u6587\u4ef6\uff0c\u5c06\u6240\u6709\u786c\u7f16\u7801\u7684\u7d22\u5f15\u540dindex=\u2019.kibana\u2019\u6539\u4e3a\uff1aindex=settings.KIBANA_INDEX&lt;\/p&gt;\n&lt;h3&gt;2.\u7f16\u8f91logstash\u914d\u7f6e\u6587\u4ef6&lt;\/h3&gt;\n&lt;p&gt;\u6574\u4e2a\u914d\u7f6e\u6587\u4ef6logstash.conf\u6587\u4ef6\u5185\u5bb9\u5982\u4e0b\uff1a&lt;\/p&gt;\n&lt;pre class=&quot;EnlighterJSRAW&quot; data-enlighter-language=&quot;raw&quot;&gt;input\r\n{ \u00a0\r\nredis\r\n\u00a0{\r\n\u00a0 data_type =&gt; &quot;list&quot;\r\n\u00a0 key =&gt; &quot;suricata&quot;\r\n\u00a0 host =&gt; &quot;127.0.0.1&quot;\r\n\u00a0 port =&gt; 6379\r\n\u00a0 db =&gt; 0\r\n\u00a0 threads =&gt; 5\r\n\u00a0 codec =&gt; json\r\n\u00a0 type =&gt; &quot;SELKS&quot;\r\n\u00a0}\r\n}\r\n\r\nfilter {\r\n\u00a0 if [type] == 
&quot;SELKS&quot; {\r\n\u00a0 \u00a0 date {\r\n\u00a0 \u00a0 \u00a0 match =&gt; [ &quot;timestamp&quot;, &quot;ISO8601&quot; ]\r\n\u00a0 \u00a0 }\r\n\u00a0 \u00a0 ruby {\r\n\u00a0 \u00a0 \u00a0 code =&gt; &quot;if event[&#039;event_type&#039;] == &#039;fileinfo&#039;; event[&#039;fileinfo&#039;][&#039;type&#039;]=event[&#039;fileinfo&#039;][&#039;magic&#039;].to_s.split(&#039;,&#039;)[0]; end;&quot;\r\n\u00a0 \u00a0 }\r\n\u00a0 }\r\n\r\n\u00a0 if ([src_ip] =~ \/^10\\.(10[1-9]{1}|1[1-9]{1}[0-9]{1}|2[0-9]{1}[0-9]{1})\\.[0-9]{1,3}\\.[0-9]{1,3}\/) { \u00a0#IDC IP\r\n\u00a0 \u00a0 if([dest_ip] =~ \/(^10\\.([0-9]{1,2}|100)\\.[0-9]{1,3}\\.[0-9]{1,3})|(^192\\.168\\.[0-9]{1,3}\\.[0-9]{1,3})|(^172\\.([123]{1}[0-9]{1})\\.[0-9]{1,3}\\.[0-9]{1,3})\/) { \u00a0#Home IP\r\n\u00a0 \u00a0 \u00a0 mutate {\r\n\u00a0 \u00a0 \u00a0 \u00a0 add_field =&gt; [ &quot;direction&quot;, &quot;idc_to_home&quot; ]\r\n\u00a0 \u00a0 \u00a0 }\r\n\u00a0 \u00a0 }\r\n\u00a0 }\r\n\r\n\u00a0 if ([direction] != &quot;idc_to_home&quot;) {\r\n\u00a0 \u00a0 if ([src_ip] =~ \/(^192\\.168\\.[0-9]{1,3}\\.[0-9]{1,3})|(^10\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3})|(^172\\.([123]{1}[0-9]{1})\\.[0-9]{1,3}\\.[0-9]{1,3})\/) {\r\n\u00a0 \u00a0 \u00a0 if ([dest_ip] =~ \/(^192\\.168\\.[0-9]{1,3}\\.[0-9]{1,3})|(^10\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3})|(^172\\.([123]{1}[0-9]{1})\\.[0-9]{1,3}\\.[0-9]{1,3})\/) {\r\n\u00a0 \u00a0 \u00a0 \u00a0 mutate {\r\n\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 add_field =&gt; [ &quot;direction&quot;, &quot;intranet&quot; ]\r\n\u00a0 \u00a0 \u00a0 \u00a0 }\r\n\u00a0 \u00a0 \u00a0 }\r\n\u00a0 \u00a0 \u00a0 else {\r\n\u00a0 \u00a0 \u00a0 \u00a0 mutate {\r\n\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 add_field =&gt; [ &quot;direction&quot;, &quot;outbound&quot; ]\r\n\u00a0 \u00a0 \u00a0 \u00a0 }\r\n\u00a0 \u00a0 \u00a0 }\r\n\u00a0 \u00a0 }\r\n\u00a0 \u00a0 else {\r\n\u00a0 \u00a0 \u00a0 if ([dest_ip] =~ 
\/(^192\\.168\\.[0-9]{1,3}\\.[0-9]{1,3})|(^10\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3})|(^172\\.([123]{1}[0-9]{1})\\.[0-9]{1,3}\\.[0-9]{1,3})\/) {\r\n\u00a0 \u00a0 \u00a0 \u00a0 mutate {\r\n\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 add_field =&gt; [ &quot;direction&quot;, &quot;inbound&quot; ]\r\n\u00a0 \u00a0 \u00a0 \u00a0 }\r\n\u00a0 \u00a0 \u00a0 }\r\n\u00a0 \u00a0 \u00a0 else {\r\n\u00a0 \u00a0 \u00a0 \u00a0 mutate {\r\n\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 add_field =&gt; [ &quot;direction&quot;, &quot;internet&quot; ]\r\n\u00a0 \u00a0 \u00a0 \u00a0 }\r\n\u00a0 \u00a0 \u00a0 }\r\n\u00a0 \u00a0 }\r\n\u00a0 }\r\n\r\n\u00a0 if ([direction] == &quot;inbound&quot; or [direction] == &quot;internet&quot;) {\r\n\u00a0 \u00a0 if [src_ip] \u00a0{\r\n\u00a0 \u00a0 \u00a0 geoip {\r\n\u00a0 \u00a0 \u00a0 \u00a0 source =&gt; &quot;src_ip&quot;\u00a0\r\n\u00a0 \u00a0 \u00a0 \u00a0 target =&gt; &quot;geoip&quot;\u00a0\r\n\u00a0 \u00a0 \u00a0 \u00a0 #database =&gt; &quot;\/opt\/logstash\/vendor\/geoip\/GeoLiteCity.dat&quot;\u00a0\r\n\u00a0 \u00a0 \u00a0 \u00a0 add_field =&gt; [ &quot;[geoip][coordinates]&quot;, &quot;%{[geoip][longitude]}&quot; ]\r\n\u00a0 \u00a0 \u00a0 \u00a0 add_field =&gt; [ &quot;[geoip][coordinates]&quot;, &quot;%{[geoip][latitude]}&quot; \u00a0]\r\n\u00a0 \u00a0 \u00a0 }\r\n\u00a0 \u00a0 \u00a0 mutate {\r\n\u00a0 \u00a0 \u00a0 \u00a0 convert =&gt; [ &quot;[geoip][coordinates]&quot;, &quot;float&quot; ]\r\n\u00a0 \u00a0 \u00a0 }\r\n\u00a0 \u00a0 }\r\n\u00a0 }\r\n\r\n\u00a0 if ([direction] == &quot;outbound&quot; or [direction] == &quot;internet&quot;) {\r\n\u00a0 \u00a0 if [dest_ip] \u00a0{\r\n\u00a0 \u00a0 \u00a0 geoip {\r\n\u00a0 \u00a0 \u00a0 \u00a0 source =&gt; &quot;dest_ip&quot;\r\n\u00a0 \u00a0 \u00a0 \u00a0 target =&gt; &quot;geoip&quot;\r\n\u00a0 \u00a0 \u00a0 \u00a0 #database =&gt; &quot;\/opt\/logstash\/vendor\/geoip\/GeoLiteCity.dat&quot;\r\n\u00a0 \u00a0 \u00a0 \u00a0 add_field =&gt; [ &quot;[geoip][coordinates]&quot;, &quot;%{[geoip][longitude]}&quot; 
]\r\n\u00a0 \u00a0 \u00a0 \u00a0 add_field =&gt; [ &quot;[geoip][coordinates]&quot;, &quot;%{[geoip][latitude]}&quot; \u00a0]\r\n\u00a0 \u00a0 \u00a0 }\r\n\u00a0 \u00a0 \u00a0 mutate {\r\n\u00a0 \u00a0 \u00a0 \u00a0 convert =&gt; [ &quot;[geoip][coordinates]&quot;, &quot;float&quot; ]\r\n\u00a0 \u00a0 \u00a0 }\r\n\u00a0 \u00a0 }\r\n\u00a0 }\r\n}\r\n\r\noutput {\r\n\u00a0 elasticsearch {\r\n\u00a0 \u00a0 hosts =&gt; [&quot;http:\/\/ip_address:9200\/&quot;]\r\n\u00a0 \u00a0 manage_template =&gt; true\r\n\u00a0 \u00a0 template =&gt; &quot;\/ids\/logstash-2.3.4\/selks_template.json&quot;\r\n\u00a0 \u00a0 template_name =&gt; &quot;ids_log_*&quot;\r\n\u00a0 \u00a0 user =&gt; &quot;username&quot;\r\n\u00a0 \u00a0 password =&gt; &quot;password&quot;\r\n\u00a0 \u00a0 index =&gt; &quot;ids_log_%{+YYYY.MM.dd}&quot;\r\n\u00a0 }\r\n}\r\n#########################################################&lt;\/pre&gt;\n&lt;h3&gt;3.logstash\u6dfb\u52a0ES\u6570\u636e\u6a21\u677f\uff1a&lt;\/h3&gt;\n&lt;p&gt;&lt;span style=&quot;color: #ff0000;&quot;&gt;&lt;strong&gt;\u4ec5\u9002\u7528\u4e8eES 5.X&lt;\/strong&gt;&lt;\/span&gt;&lt;\/p&gt;\n&lt;p&gt;logstash\u5728\u5411ES\u4e2d\u5199\u6570\u636e\u65f6\uff0c\u5728\u7f3a\u7701\u914d\u7f6e\u4e0b\uff0c\u53ea\u5411\u540d\u4e3a&quot;logstash-&quot;\u7684\u7d22\u5f15\u4e2d\u7684\u6bcf\u4e2a\u6587\u6863\u6dfb\u52a0\u9690\u542b\u7684\u9ed8\u8ba4\u5b57\u6bb5\uff0c\u800cscirius\u5728\u8bfb\u53d6ES\u4e2d\u7684\u6570\u636e\u65f6\u9700\u8981\u8c03\u7528\u8fd9\u4e9b\u9ed8\u8ba4\u5b57\u6bb5\uff0c\u56e0\u6b64\u82e5\u9700\u8981\u66f4\u6539logstash\u5199\u5165ES\u4e2d\u7684\u7d22\u5f15\u540d\uff0c\u5219\u8fd8\u9700\u8981\u66f4\u6539\u5efa\u7acb\u9ed8\u8ba4\u5b57\u6bb5\u7684\u6a21\u677f\uff0c\u5728logstash v2.3.4\u4e2d\uff0c\u7f16\u8f91\u6587\u4ef6\uff1a.\/vendor\/bundle\/jruby\/1.9\/gems\/logstash-output-elasticsearch-2.7.1-java\/lib\/logstash\/outputs\/elasticsearch\/elasticsearch-template.json&lt;br 
\/&gt;\n\u4fee\u6539&#8221;template&#8221;\u5b57\u6bb5\u503c\u4e3a\u81ea\u5b9a\u4e49\u7684\u7d22\u5f15\u540d\uff0c\u5e76\u5728geoip\u5bf9\u8c61\u4e2d\u65b0\u6dfb\u52a0\u4e00\u4e2a\u540d\u4e3adirection\u7684string\u7c7b\u578b\u53d8\u91cf\uff0c\u6700\u540e\u4fdd\u5b58\u4e3alogstash\u8c03\u7528\u7684\u6a21\u677f\u6587\u4ef6selks_template.json\uff0c\u5b8c\u6574\u5185\u5bb9\u5982\u4e0b\uff1a&lt;br \/&gt;\n#########################################################&lt;br \/&gt;\n{&lt;br \/&gt;\n&#8220;template&#8221; : &#8220;ids_log_*&#8221;,&lt;br \/&gt;\n&#8220;settings&#8221; : {&lt;br \/&gt;\n&#8220;index.refresh_interval&#8221; : &#8220;5s&#8221;&lt;br \/&gt;\n},&lt;br \/&gt;\n&#8220;mappings&#8221; : {&lt;br \/&gt;\n&#8220;_default_&#8221; : {&lt;br \/&gt;\n&#8220;_all&#8221; : {&#8220;enabled&#8221; : true, &#8220;omit_norms&#8221; : true},&lt;br \/&gt;\n&#8220;dynamic_templates&#8221; : [ {&lt;br \/&gt;\n&#8220;message_field&#8221; : {&lt;br \/&gt;\n&#8220;match&#8221; : &#8220;message&#8221;,&lt;br \/&gt;\n&#8220;match_mapping_type&#8221; : &#8220;string&#8221;,&lt;br \/&gt;\n&#8220;mapping&#8221; : {&lt;br \/&gt;\n&#8220;type&#8221; : &#8220;string&#8221;, &#8220;index&#8221; : &#8220;analyzed&#8221;, &#8220;omit_norms&#8221; : true,&lt;br \/&gt;\n&#8220;fielddata&#8221; : { &#8220;format&#8221; : &#8220;disabled&#8221; }&lt;br \/&gt;\n}&lt;br \/&gt;\n}&lt;br \/&gt;\n}, {&lt;br \/&gt;\n&#8220;string_fields&#8221; : {&lt;br \/&gt;\n&#8220;match&#8221; : &#8220;*&#8221;,&lt;br \/&gt;\n&#8220;match_mapping_type&#8221; : &#8220;string&#8221;,&lt;br \/&gt;\n&#8220;mapping&#8221; : {&lt;br \/&gt;\n&#8220;type&#8221; : &#8220;string&#8221;, &#8220;index&#8221; : &#8220;analyzed&#8221;, &#8220;omit_norms&#8221; : true,&lt;br \/&gt;\n&#8220;fielddata&#8221; : { &#8220;format&#8221; : &#8220;disabled&#8221; },&lt;br \/&gt;\n&#8220;fields&#8221; : {&lt;br \/&gt;\n&#8220;raw&#8221; : {&#8220;type&#8221;: &#8220;string&#8221;, &#8220;index&#8221; : 
&#8220;not_analyzed&#8221;, &#8220;ignore_above&#8221; : 256}&lt;br \/&gt;\n}&lt;br \/&gt;\n}&lt;br \/&gt;\n}&lt;br \/&gt;\n} ],&lt;br \/&gt;\n&#8220;properties&#8221; : {&lt;br \/&gt;\n&#8220;@timestamp&#8221;: { &#8220;type&#8221;: &#8220;date&#8221; },&lt;br \/&gt;\n&#8220;@version&#8221;: { &#8220;type&#8221;: &#8220;string&#8221;, &#8220;index&#8221;: &#8220;not_analyzed&#8221; },&lt;br \/&gt;\n&#8220;geoip&#8221; \u00a0: {&lt;br \/&gt;\n&#8220;dynamic&#8221;: true,&lt;br \/&gt;\n&#8220;properties&#8221; : {&lt;br \/&gt;\n&#8220;ip&#8221; \u00a0 \u00a0 \u00a0 \u00a0: { &#8220;type&#8221; : &#8220;ip&#8221; },&lt;br \/&gt;\n&#8220;location&#8221; \u00a0: { &#8220;type&#8221; : &#8220;geo_point&#8221; },&lt;br \/&gt;\n&#8220;latitude&#8221; \u00a0: { &#8220;type&#8221; : &#8220;float&#8221; },&lt;br \/&gt;\n&#8220;longitude&#8221; : { &#8220;type&#8221; : &#8220;float&#8221; }&lt;br \/&gt;\n}&lt;br \/&gt;\n}&lt;br \/&gt;\n}&lt;br \/&gt;\n}&lt;br \/&gt;\n}&lt;br \/&gt;\n}&lt;br \/&gt;\n#########################################################&lt;br \/&gt;\n4.\u5411Scirius\u4e2d\u6dfb\u52a0\u89c4\u5219\u6e90&lt;\/p&gt;\n&lt;p&gt;\u5728Scirius\u6839\u76ee\u5f55\u4e0b\u6267\u884c\u4e0b\u5217\u547d\u4ee4\uff1a&lt;\/p&gt;\n&lt;pre class=&quot;EnlighterJSRAW&quot; data-enlighter-language=&quot;shell&quot;&gt;python manage.py addsource &quot;ETOpen Ruleset&quot;\u00a0https:\/\/rules.emergingthreats.net\/open\/suricata-3.0\/emerging.rules.tar.gz\u00a0http sigs\r\npython manage.py addsource &quot;SSLBL\u00a0abuse.ch&quot;\u00a0https:\/\/sslbl.abuse.ch\/blacklist\/sslblacklist.rules\u00a0http sig\r\npython manage.py addsource &quot;PT Research Ruleset&quot;\u00a0https:\/\/github.com\/ptresearch\/AttackDetection\/raw\/master\/pt.rules.tar.gz\u00a0http sigs&lt;\/pre&gt;\n&lt;h3&gt;5.\u4fee\u6539\u544a\u8b66\u5c55\u793a\u4ee3\u7801&lt;\/h3&gt;\n&lt;p&gt;.\/scirius\/rules\/es_graphs.py&lt;\/p&gt;\n&lt;p&gt;560,def es_get_rules_stats(request, hostname, count=100, from_date=0 , 
qfilter = None)&lt;\/p&gt;\n&lt;p&gt;604 \u00a0tables.RequestConfig(request,paginate={'per_page':100}).configure(rules)&lt;\/p&gt;\n&lt;p&gt;607 tables.RequestConfig(request,paginate={'per_page':100}).configure(rules)&lt;\/p&gt;\n&lt;h3&gt;&lt;!-- [if !supportLists]--&gt;6.&lt;!--[endif]--&gt;\u914d\u7f6eKibana dashboards&lt;\/h3&gt;\n&lt;p&gt;\u7f51\u4e0a\u6709\u516c\u5f00\u7684dashboards\u6a21\u677f\uff0c\u94fe\u63a5\uff1a&lt;a href=&quot;https:\/\/github.com\/StamusNetworks\/KTS&quot;&gt;https:\/\/github.com\/StamusNetworks\/KTS&lt;\/a&gt;&lt;\/p&gt;\n&lt;p&gt;\u4f7f\u7528\u8fd9\u4e2a\u6a21\u677f\u524d\uff0c\u9700\u5148\u4fee\u6539\u6a21\u677f\u4e2d\u7684ES\u7d22\u5f15\u540d\uff0c\u547d\u4ee4\u5982\u4e0b\uff1a&lt;\/p&gt;\n&lt;p&gt;$ find .\/ -name '*.json' -type f -exec sed -i 's\/logstash.*-\\*\/ids_log_*\/g' {} \\;&lt;\/p&gt;\n&lt;p&gt;\u7136\u540e\u4fee\u6539load.sh\u6587\u4ef6\u4e2d\u7684kibana\u7d22\u5f15\u540d\u548cES\u5730\u5740\u3002&lt;\/p&gt;\n&lt;p&gt;\u4e5f\u53ef\u4ee5\u7528elasticdump\u5de5\u5177\u5c06dashboards\u7684\u6570\u636e\u5bfc\u5165\u5230ES\u4e2d\uff0c\u5148\u5bfc\u5165\u7d22\u5f15mapping\uff0c\u518d\u5bfc\u5165\u6570\u636e\uff0c\u6587\u4ef6\u5730\u5740\uff1a&lt;\/p&gt;\n&lt;p&gt;&lt;a href=&quot;http:\/\/weizn.net\/file\/kibana_mapping.json&quot; target=&quot;_blank&quot; rel=&quot;noopener noreferrer&quot;&gt;http:\/\/weizn.net\/file\/kibana_mapping.json&lt;\/a&gt;&lt;\/p&gt;\n&lt;p&gt;&lt;a href=&quot;http:\/\/weizn.net\/file\/kibana_data.json&quot; target=&quot;_blank&quot; rel=&quot;noopener noreferrer&quot;&gt;http:\/\/weizn.net\/file\/kibana_data.json&lt;\/a&gt;&lt;\/p&gt;\n&lt;p&gt;\u6216\u76f4\u63a5\u901a\u8fc7Kibana\u5bfc\u5165\uff1a&lt;\/p&gt;\n&lt;p&gt;&lt;a href=&quot;http:\/\/weizn.net\/file\/Dashboards.zip&quot; target=&quot;_blank&quot; rel=&quot;noopener 
noreferrer&quot;&gt;http:\/\/weizn.net\/file\/Dashboards.zip&lt;\/a&gt;&lt;\/p&gt;\n&lt;h2&gt;\u56db\u3001\u542f\u52a8&lt;\/h2&gt;\n&lt;h3&gt;1.\u542f\u52a8Redis&lt;\/h3&gt;\n&lt;p&gt;\u542f\u52a8\u547d\u4ee4\uff1a&lt;\/p&gt;\n&lt;p&gt;$ redis-server \/ids\/redis-3.2.0\/redis.conf&lt;\/p&gt;\n&lt;p&gt;\u76d1\u63a7\u547d\u4ee4\uff1a&lt;\/p&gt;\n&lt;p&gt;$ redis-cli \u00a0MONITOR&lt;\/p&gt;\n&lt;h3&gt;2.\u542f\u52a8ES&lt;\/h3&gt;\n&lt;p&gt;\uff08\u7565\uff09&lt;\/p&gt;\n&lt;h3&gt;3.\u542f\u52a8Logstash&lt;\/h3&gt;\n&lt;p&gt;$ bin\/logstash -f \/ids\/logstash-2.3.4\/logstash.conf&lt;\/p&gt;\n&lt;h3&gt;4.\u542f\u52a8Suricata&lt;\/h3&gt;\n&lt;p&gt;$ suricata &#8211;pfring -c \/ids\/suricata\/suricata_SELKS_redis.yaml -v&lt;\/p&gt;\n&lt;h3&gt;5.\u542f\u52a8Scirius&lt;\/h3&gt;\n&lt;p&gt;\u521d\u59cb\u5316\u547d\u4ee4\uff1a&lt;\/p&gt;\n&lt;p&gt;$ python manage.py syncdb&lt;\/p&gt;\n&lt;p&gt;\u5f00\u542fWeb\u670d\u52a1\uff1a&lt;\/p&gt;\n&lt;p&gt;$ python manage.py runserver 0.0.0.0:80&lt;\/p&gt;\n&lt;h3&gt;&lt;!-- [if !supportLists]--&gt;6.&lt;!--[endif]--&gt;\u542f\u52a8Kibana&lt;\/h3&gt;\n&lt;p&gt;\uff08\u7565\uff09&lt;\/p&gt;\n&lt;p&gt;\u56fe\u793a\uff1a&lt;\/p&gt;\n&lt;p&gt;&lt;a id=&quot;ematt:485&quot; href=&quot;http:\/\/www.weizn.net\/content\/uploadfile\/201702\/34ec1487064592.jpg&quot; target=&quot;_blank&quot; rel=&quot;noopener noreferrer&quot;&gt;&lt;img class=&quot;alignnone size-full wp-image-916&quot; title=&quot;34ec1487064592&quot; src=&quot;http:\/\/weizn.net\/wp-content\/uploads\/2021\/09\/34ec1487064592.jpg&quot; alt=&quot;34ec1487064592&quot; \/&gt;&lt;\/a&gt;&lt;\/p&gt;\n&lt;p&gt;&lt;a id=&quot;ematt:487&quot; href=&quot;http:\/\/www.weizn.net\/content\/uploadfile\/201702\/945e1487064616.jpg&quot; target=&quot;_blank&quot; rel=&quot;noopener noreferrer&quot;&gt;&lt;img class=&quot;alignnone size-full wp-image-917&quot; title=&quot;945e1487064616&quot; src=&quot;http:\/\/weizn.net\/wp-content\/uploads\/2021\/09\/945e1487064616.jpg&quot; 
alt=&quot;945e1487064616&quot; \/&gt;&lt;\/a&gt;&lt;\/p&gt;\n&lt;p&gt;&lt;a id=&quot;ematt:489&quot; href=&quot;http:\/\/www.weizn.net\/content\/uploadfile\/201702\/dbf21487064631.jpg&quot; target=&quot;_blank&quot; rel=&quot;noopener noreferrer&quot;&gt;&lt;img class=&quot;alignnone size-full wp-image-918&quot; title=&quot;dbf21487064631&quot; src=&quot;http:\/\/weizn.net\/wp-content\/uploads\/2021\/09\/dbf21487064631.jpg&quot; alt=&quot;dbf21487064631&quot; \/&gt;&lt;\/a&gt;&lt;\/p&gt;\n&lt;p&gt;&lt;a id=&quot;ematt:491&quot; href=&quot;http:\/\/www.weizn.net\/content\/uploadfile\/201702\/f6501487064643.jpg&quot; target=&quot;_blank&quot; rel=&quot;noopener noreferrer&quot;&gt;&lt;img class=&quot;alignnone size-full wp-image-919&quot; title=&quot;f6501487064643&quot; src=&quot;http:\/\/weizn.net\/wp-content\/uploads\/2021\/09\/f6501487064643.jpg&quot; alt=&quot;f6501487064643&quot; \/&gt;&lt;\/a&gt;&lt;\/p&gt;\n<\/div><div class=\"gfmr-markdown-rendered\"><p><strong>\u00a0 \u00a0 \u6b64\u6587\u7ae0\u7531\u6211\u521d\u6b21\u63a5\u89e6SELKS\u8fd9\u5957\u7cfb\u7edf\u65f6\u6240\u5199\uff0c\u6587\u4e2d\u5f88\u591a\u914d\u7f6e\u5e76\u4e0d\u662f\u6700\u4e3a\u5408\u7406\u7684\uff0c\u56e0\u6b64<span style=\"color: #ff0000\">\u672c\u6587\u4e0d\u662f\u4e00\u7bc7\u6700\u4f73\u5b9e\u8df5<\/span>\uff0c\u5982\u9700\u90e8\u7f72\u6b64\u7cfb\u7edf\u6700\u597d\u4ee5\u7814\u7a76\u5b98\u65b9\u6587\u6863\u4e3a\u4e3b\u3002<\/strong><\/p>\n<p><strong>\u00a0 \u00a0 \u603b\u6709\u670b\u53cb\u90ae\u4ef6\u95ee\u6211\u4e00\u4e9b\u6027\u80fd\u65b9\u9762\u7684\u95ee\u9898\uff0c\u6211\u5927\u6982\u8bf4\u4e00\u4e0b\u76ee\u524d\u6211\u5728\u771f\u5b9e\u751f\u4ea7\u73af\u588320G\u6d41\u91cf\u4e0b\u7684\u6d4b\u8bd5\u7ed3\u679c\uff0cSuricata 4.0.4 + PF_RING 7.0.0(ZC\u6a21\u5f0f) + CentOS7.2 + CPU 40\u6838 + \u5185\u5b58 
64G\uff0cSuricata\u5728\u4e0d\u52a0\u8f7d\u4efb\u4f55\u89c4\u5219\u7684\u60c5\u51b5\u4e0b\u4ec5\u4ec5\u8fd0\u884c\u6d41\u91cf\u91cd\u7ec4\u5f15\u64ce\u53ef\u4ee5\u5b8c\u5168\u4e0d\u4e22\u5305\uff0c\u5f53\u52a0\u8f7d5W\u6761Snort\u89c4\u5219\u540e\u5076\u5c14\u4f1a\u6709\u8f7b\u5fae\u4e22\u5305\u60c5\u51b5\uff0c\u76ee\u524d\u770b\u6765Suricata\u89c4\u5219\u68c0\u6d4b\u5f15\u64ce\u5bf9\u6027\u80fd\u7684\u5360\u7528\u8981\u8fdc\u5927\u4e8e\u6d41\u91cf\u91cd\u7ec4\u5f15\u64ce\u5bf9\u6027\u80fd\u7684\u5360\u7528\uff0c\u53ef\u4ee5\u6ce8\u610f\u4e00\u4e0b\u540e\u7eed\u7684\u4f18\u5316\u65b9\u5411\u3002<\/strong><\/p>\n<p>&nbsp;<\/p>\n<p>\u9ad8\u6027\u80fdSuricata\u90e8\u7f72\u53c2\u8003\u8fd9\u91cc\uff1a<\/p>\n<blockquote class=\"wp-embedded-content\" data-secret=\"2JFaLF4QUO\"><p><a href=\"http:\/\/weizn.net\/?p=904\">Suricata + PF_RING\uff08ZC\u6a21\u5f0f\uff09\u90e8\u7f7215G+\u91c7\u96c6\u5668<\/a><\/p><\/blockquote>\n<p><\/p>\n<p>&nbsp;<\/p>\n<h2><span class=\"ez-toc-section\" id=\"%E4%B8%80_%E3%80%81Suricata_%E5%88%86%E5%B8%83%E5%BC%8FIDS%E9%A1%B9%E7%9B%AE_%E7%9B%AE%E7%9A%84%E5%AF%B9%E5%8A%9E%E5%85%AC%E7%BD%91%E6%B5%81%E9%87%8F%E7%9B%91%E5%90%AC%EF%BC%8C%E5%85%A5%E4%BE%B5%E5%92%8C%E8%BF%9D%E8%A7%84%E8%A1%8C%E4%B8%BA%E5%91%8A%E8%AD%A6\"><\/span>\u4e00\u00a0\u3001Suricata\u00a0\u5206\u5e03\u5f0fIDS\u9879\u76ee \u76ee\u7684\u5bf9\u529e\u516c\u7f51\u6d41\u91cf\u76d1\u542c\uff0c\u5165\u4fb5\u548c\u8fdd\u89c4\u884c\u4e3a\u544a\u8b66<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>Suricata\u00a0\u7531OISF(Open Information Security Foundation\u00a0)\u5f00\u53d1\u4e3a\u6807\u51c6libpcap\u6216libpfring\u63a5\u53e3\uff0c\u652f\u6301snort\u89c4\u5219\u3002OISF\u7531DHS(United States Department of Homeland Security)\u53caBreach Security\u7b49\u591a\u5bb6\u4f01\u4e1a\u8d44\u8d28\u5f00\u53d1<\/p>\n<h3><span class=\"ez-toc-section\" id=\"1_Highly_Scalable\"><\/span>1. Highly Scalable<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>Suricata is multi threaded. 
This means you can run one instance and it will balance the load of processing across every processor on a sensor Suricata is configured to use. This allows commodity hardware to achieve 10 gigabit speeds on real life traffic without sacrificing ruleset coverage.<\/p>\n<h3><span class=\"ez-toc-section\" id=\"2_Protocol_Identification\"><\/span>2. Protocol Identification<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>The most common protocols are automatically recognized by Suricata as the stream starts, thus allowing rule writers to write a rule to the protocol, not to the port expected. This makes Suricata a Malware Command and Control Channel hunter like no other. Off port HTTP CnC channels, which normally slide right by most IDS systems, are child\u2019s play for Suricata! Furthermore, thanks to dedicated keywords you can match on protocol fields which range from http URI to a SSL certificate identifier.<\/p>\n<h3><span class=\"ez-toc-section\" id=\"3_File_Identification_MD5_Checksums_and_File_Extraction\"><\/span>3. File Identification, MD5 Checksums, and File Extraction<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>Suricata can identify thousands of file types while crossing your network! Not only can you identify it, but should you decide you want to look at it further you can tag it for extraction and the file will be written to disk with a meta data file describing the capture situation and flow. 
The file\u2019s MD5 checksum is calculated on the fly, so if you have a list of md5 hashes you want to keep in your network, or want to keep out, Suricata can find it.<\/p>\n<p><a href=\"http:\/\/suricata-ids.org\/features\/\">http:\/\/suricata-ids.org\/features\/<\/a><\/p>\n<p><a href=\"http:\/\/www.aldeid.com\/wiki\/Suricata-vs-snort\">http:\/\/www.aldeid.com\/wiki\/Suricata-vs-snort<\/a>\u00a0\u00a0\u5bf9\u6bd4<\/p>\n<p>\u90e8\u7f72\u53c2\u8003\uff1a<\/p>\n<p><a href=\"https:\/\/redmine.openinfosecfoundation.org\/projects\/suricata\/wiki\/suricata_snorby_and_barnyard2_set_up_guide\">https:\/\/redmine.openinfosecfoundation.org\/projects\/suricata\/wiki\/suricata_snorby_and_barnyard2_set_up_guide<\/a><\/p>\n<p><a href=\"https:\/\/redmine.openinfosecfoundation.org\/projects\/suricata\/wiki\/_Logstash_Kibana_and_Suricata_JSON_output\">https:\/\/redmine.openinfosecfoundation.org\/projects\/suricata\/wiki\/_Logstash_Kibana_and_Suricata_JSON_output<\/a><\/p>\n<p><a href=\"http:\/\/shaurong.blogspot.com\/2016\/02\/suricata-30-centos-72-x64_22.html\">http:\/\/shaurong.blogspot.com\/2016\/02\/suricata-30-centos-72-x64_22.html<\/a><\/p>\n<p><a href=\"https:\/\/github.com\/StamusNetworks\/scirius-docker\/blob\/master\/django\/scirius.sh#L21\">https:\/\/github.com\/StamusNetworks\/scirius-docker\/blob\/master\/django\/scirius.sh#L21<\/a><\/p>\n<p>S &#8211; \u00a0\u00a0\u00a0\u00a0 Suricata IDPS &#8211;\u00a0<a href=\"http:\/\/suricata-ids.org\/\">http:\/\/suricata-ids.org\/<\/a><\/p>\n<p>E &#8211; \u00a0 \u00a0 \u00a0Elasticsearch\u00a0&#8211;\u00a0<a href=\"http:\/\/www.elasticsearch.org\/overview\/\">http:\/\/www.elasticsearch.org\/overview\/<\/a><\/p>\n<p>L &#8211; \u00a0\u00a0\u00a0\u00a0 Logstash &#8211;\u00a0<a href=\"http:\/\/www.elasticsearch.org\/overview\/\">http:\/\/www.elasticsearch.org\/overview\/<\/a><\/p>\n<p>K &#8211; \u00a0\u00a0\u00a0\u00a0 Kibana &#8211;\u00a0<a href=\"http:\/\/www.elasticsearch.org\/overview\/\">http:\/\/www.elasticsearch.org\/overview\/<\/a><\/p>\n<p>S &#8211; \u00a0\u00a0\u00a0\u00a0 
Scirius &#8211;\u00a0<a href=\"https:\/\/github.com\/StamusNetworks\/scirius\">https:\/\/github.com\/StamusNetworks\/scirius<\/a><\/p>\n<p><a href=\"https:\/\/github.com\/StamusNetworks\/scirius\">https:\/\/github.com\/StamusNetworks\/scirius<\/a>\u00a0\u00a0IDS Rule and Signature management<\/p>\n<p>\u56fe\u5f62\u754c\u9762\u00a0Python django\u5f00\u53d1<\/p>\n<h2><span class=\"ez-toc-section\" id=\"%E4%BA%8C%E3%80%81%E9%83%A8%E7%BD%B2%E6%AD%A5%E9%AA%A4\"><\/span>\u4e8c\u3001\u90e8\u7f72\u6b65\u9aa4<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<h3><span class=\"ez-toc-section\" id=\"1%E5%AE%89%E8%A3%85pf_ring\"><\/span>1.\u5b89\u88c5pf_ring<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>\u53c2\u8003\uff1ahttp:\/\/www.ntop.org\/pf_ring\/installation-guide-for-pf_ring\/<\/p>\n<p>\u52a0\u8f7dpf_ring\u9a71\u52a8:<\/p>\n<p>modprobe pf_ring transparent_mode=2\u00a0min_num_slots=16384<\/p>\n<p>ixgbe\u5b89\u88c5\u53c2\u8003\uff1ahttp:\/\/techedemic.com\/2015\/08\/04\/installing-ixgbe-driver-on-ubuntu-server-14-04-lts\/<\/p>\n<p>https:\/\/linux.cn\/article-5149-1.html<\/p>\n<p>\u52a0\u8f7dpf_ring_aware\u7684ixgbe\u7f51\u5361\u9a71\u52a8:<\/p>\n<p>modprobe ixgbe RSS=1<\/p>\n<p>\uff08\u666e\u901a\u9a71\u52a8.\/ixgbe-4.1.2-2.6.32\/src\/ixgbe.ko\uff09<\/p>\n<p>\u5c06RSS\u6570\u51cf\u5c11\u4e3a1\uff1a<\/p>\n<p>http:\/\/suricata.readthedocs.io\/en\/latest\/performance\/packet-capture.html<\/p>\n<p>\u542f\u52a8eth4\u7f51\u5361<\/p>\n<p>sudo ifconfig eth4 up<\/p>\n<p>pfring\u63a5\u6536\u6d4b\u8bd5\u7a0b\u5e8f<\/p>\n<p>sudo .\/PF_RING\/userland\/examples\/pfcount -i eth4<\/p>\n<p>sar -n EDEV 2 10000 | grep eth4<\/p>\n<p>\/usr\/local\/sbin\/tcpdump \u00a0\u00a0\u57fa\u4e8epfring\u5e93\u7684tcpdump<\/p>\n<p>\u6ce8\u610f\u5404CPU\u7684\u8f6f\u4e2d\u65ad\u4f7f\u7528\u7387\uff0c\u53ef\u80fd\u9700\u8981\u8fdb\u884c\u8c03\u4f18\uff0c\u53c2\u8003\uff1a<\/p>\n<blockquote class=\"wp-embedded-content\" data-secret=\"DPyEcUFWwW\"><p><a 
href=\"https:\/\/www.vpsee.com\/2010\/07\/load-balancing-with-irq-smp-affinity\/\">Linux \u591a\u6838\u4e0b\u7ed1\u5b9a\u786c\u4ef6\u4e2d\u65ad\u5230\u4e0d\u540c CPU\uff08IRQ Affinity\uff09<\/a><\/p><\/blockquote>\n<p><\/p>\n<h3><span class=\"ez-toc-section\" id=\"2%E5%AE%89%E8%A3%85Redis\"><\/span>2.\u5b89\u88c5Redis<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>\uff08\u8fc7\u7a0b\u7565\uff09<\/p>\n<p>Log\u4f7f\u7528redis\u4e34\u65f6\u4fdd\u5b58\uff0c\u65e5\u5fd7\u4e0d\u843d\u5730\u76f4\u63a5\u4fdd\u5b58\u8fdbES\u3002<\/p>\n<h3><span class=\"ez-toc-section\" id=\"3%E5%AE%89%E8%A3%85Suricata\"><\/span>3.\u5b89\u88c5Suricata<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>\u5b89\u88c5\u4f9d\u8d56\uff1a<\/p>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"shell\">yum install wget libpcap-devel libnet-devel pcre-devel gcc-c++ automake autoconf libtool make libyaml-devel zlib-devel file-devel jansson-devel nss-devel<\/pre>\n<p>\u5b89\u88c5Hiredis\uff1ahttps:\/\/github.com\/redis\/hiredis<\/p>\n<p>\u5b83\u662fRedis\u6700\u5c0f\u7684C\u5ba2\u6237\u7aef<\/p>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"shell\">git clone https:\/\/github.com\/redis\/hiredis.git \u00a0\r\ncd hiredis\/ \u00a0\r\nmake \u00a0\r\nsudo make install<\/pre>\n<p>\u5b89\u88c5Hyperscan\u652f\u6301\uff1a<\/p>\n<p>http:\/\/suricata.readthedocs.io\/en\/latest\/performance\/hyperscan.html<\/p>\n<p>\u5b89\u88c5Tcmalloc\uff1a<\/p>\n<p>http:\/\/suricata.readthedocs.io\/en\/latest\/performance\/tcmalloc.html<\/p>\n<p>suricata configure\u00a0\u53c2\u6570<\/p>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"shell\">.\/configure --enable-lua --enable-pfring --enable-old-barnyard2 --enable-hiredis --enable-unix-socket --enable-profiling --enable-geoip --with-libnss-libraries=\/usr\/lib64 --with-libnss-includes=\/usr\/include\/nss3 --with-libnspr-libraries=\/usr\/lib64 --with-libnspr-includes=\/usr\/include\/nspr4 --enable-pfring 
--with-libpfring-includes=\/usr\/local\/include --with-libpfring-libraries=\/usr\/local\/lib\u00a0--with-libhs-includes=\/usr\/local\/include\/hs\/ --with-libhs-libraries=\/usr\/local\/lib\/\r\nmake\r\nmake install\r\nldconfig<\/pre>\n<h3><span class=\"ez-toc-section\" id=\"4%E5%AE%89%E8%A3%85Logstash\"><\/span>4.\u5b89\u88c5Logstash<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>\u8fd9\u91cc\u9700\u8981\u4fee\u6539logstash\u5411ES\u4e2d\u5199\u6570\u636e\u65f6\u6dfb\u52a0\u7684\u9690\u542b\u5b57\u6bb5\u6a21\u677f\uff0clogstash\u5728\u5411ES\u4e2d\u5199\u6570\u636e\u65f6\uff0c\u5728\u7f3a\u7701\u914d\u7f6e\u4e0b\uff0c\u53ea\u5411\u540d\u4e3a&#8221;logstash-&#8220;\u7684\u7d22\u5f15\u4e2d\u7684\u6bcf\u4e2a\u6587\u6863\u6dfb\u52a0\u9690\u542b\u7684\u9ed8\u8ba4\u5b57\u6bb5\uff0c\u800cscirius\u5728\u8bfb\u53d6ES\u4e2d\u7684\u6570\u636e\u65f6\u9700\u8981\u8c03\u7528\u8fd9\u4e9b\u9ed8\u8ba4\u5b57\u6bb5\uff0c\u56e0\u6b64\u82e5\u9700\u8981\u66f4\u6539logstash\u5199\u5165ES\u4e2d\u7684\u7d22\u5f15\u540d\uff0c\u5219\u8fd8\u9700\u8981\u66f4\u6539\u5efa\u7acb\u9ed8\u8ba4\u5b57\u6bb5\u7684\u6a21\u677f\uff0c\u5728logstash v2.3.4\u4e2d\uff0c\u7f16\u8f91\u6587\u4ef6\uff1a.\/vendor\/bundle\/jruby\/1.9\/gems\/logstash-output-elasticsearch-2.7.1-java\/lib\/logstash\/outputs\/elasticsearch\/elasticsearch-template.json<\/p>\n<p>\u4fee\u6539&#8221;template&#8221;\u5b57\u6bb5\u503c\u4e3a\u81ea\u5b9a\u4e49\u7684\u7d22\u5f15\u540d\u3002<\/p>\n<h3><span class=\"ez-toc-section\" id=\"5%E5%AE%89%E8%A3%85Scirius\"><\/span>5.\u5b89\u88c5Scirius<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>\u8be6\u89c1Github\uff1a<a href=\"https:\/\/github.com\/StamusNetworks\/scirius\">https:\/\/github.com\/StamusNetworks\/scirius<\/a><\/p>\n<h3><span class=\"ez-toc-section\" id=\"6%E5%AE%89%E8%A3%85ES\"><\/span>6.\u5b89\u88c5ES<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>\uff08\u8fc7\u7a0b\u7565\uff09<\/p>\n<h3><span class=\"ez-toc-section\" 
id=\"7%E5%AE%89%E8%A3%85Kibana\"><\/span>7.\u5b89\u88c5Kibana<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>\uff08\u8fc7\u7a0b\u7565\uff09<\/p>\n<h2><span class=\"ez-toc-section\" id=\"%E4%B8%89%E3%80%81%E9%85%8D%E7%BD%AE\"><\/span>\u4e09\u3001\u914d\u7f6e<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>Suricata\u00a0\u6587\u6863<a href=\"https:\/\/redmine.openinfosecfoundation.org\/projects\/suricata\/wiki\/Suricata_User_Guide\">https:\/\/redmine.openinfosecfoundation.org\/projects\/suricata\/wiki\/Suricata_User_Guide<\/a><\/p>\n<p>Suricata\u914d\u7f6e\u6587\u4ef6\u548c\u89e3\u91ca<\/p>\n<p><a href=\"http:\/\/www.ntop.org\/pf_ring\/accelerating-suricata-with-pf_ring-dna\/\" target=\"_blank\" rel=\"noopener noreferrer\">http:\/\/www.ntop.org\/pf_ring\/accelerating-suricata-with-pf_ring-dna\/<\/a><\/p>\n<p><a href=\"https:\/\/home.regit.org\/2012\/07\/suricata-to-10gbps-and-beyond\/\" target=\"_blank\" rel=\"noopener noreferrer\">https:\/\/home.regit.org\/2012\/07\/suricata-to-10gbps-and-beyond\/<\/a><\/p>\n<p><a href=\"https:\/\/redmine.openinfosecfoundation.org\/projects\/suricata\/wiki\/Suricatayaml\">https:\/\/redmine.openinfosecfoundation.org\/projects\/suricata\/wiki\/Suricatayaml<\/a><\/p>\n<p><a href=\"http:\/\/blog.csdn.net\/wuyangbotianshi\/article\/\">http:\/\/blog.csdn.net\/wuyangbotianshi\/article\/<\/a><\/p>\n<h3><span class=\"ez-toc-section\" id=\"1%E4%BF%AE%E6%94%B9Scirius%E5%8A%9F%E8%83%BD%E4%BB%A3%E7%A0%81%EF%BC%9A\"><\/span>1.\u4fee\u6539Scirius\u529f\u80fd\u4ee3\u7801\uff1a<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p><span style=\"color: #ff0000\"><strong>\u6700\u65b0\u7248Scirius\u5df2\u4e0d\u9700\u8981\u4fee\u6539\u4efb\u4f55\u4ee3\u7801\u4e86\uff01<\/strong><\/span><\/p>\n<p>\u8fd9\u90e8\u5206\u5c06\u6dfb\u52a0Scirius\u8fde\u63a5ES\u65f6\u7684HTTP\u8ba4\u8bc1\u7684\u529f\u80fd\u3002<\/p>\n<p>Scirius\u7248\u672c\uff1aScirius version: 1.2.2<\/p>\n<h4><span class=\"ez-toc-section\" 
id=\"%EF%BC%881%EF%BC%89%E7%BC%96%E8%BE%91sciriussettingpy\"><\/span>\uff081\uff09\u7f16\u8f91scirius\/setting.py<span class=\"ez-toc-section-end\"><\/span><\/h4>\n<p>\u6dfb\u52a0\u4ee5\u4e0b\u4ee3\u7801\uff1a<\/p>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"python\">#########################################################\r\n# HTTP AUTH\r\nELASTICSEARCH_HTTP_AUTH = True\r\nELASTICSEARCH_HTTP_AUTH_USER = \"username\"\r\nELASTICSEARCH_HTTP_AUTH_PASS = \"password\"\r\n\r\n\r\n#########################################################<\/pre>\n<h4><span class=\"ez-toc-section\" id=\"%EF%BC%882%EF%BC%89%E7%BC%96%E8%BE%91ruleses_graphspy\"><\/span>\uff082\uff09\u7f16\u8f91rules\/es_graphs.py<span class=\"ez-toc-section-end\"><\/span><\/h4>\n<p>\u5728\u5f00\u5934\u6dfb\u52a0\u4ee5\u4e0b\u4e24\u4e2a\u51fd\u6570\uff1a<\/p>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"python\">#########################################################\r\ndef gen_http_auth_field():\r\n    base64string = base64.encodestring('%s:%s' % (settings.ELASTICSEARCH_HTTP_AUTH_USER,\r\n    settings.ELASTICSEARCH_HTTP_AUTH_PASS)).replace('\\n', '')\r\n    auth_field = \"Authorization\", \"Basic %s\" % base64string\r\n    return auth_field\r\ndef add_http_auth_field(req):\r\n    if settings.ELASTICSEARCH_HTTP_AUTH is False:\r\n        return req\r\n    auth_field = gen_http_auth_field()\r\n    req.add_header(auth_field[0], auth_field[1])\r\n    return req\r\n\r\n\r\n#########################################################<\/pre>\n<p>\u7136\u540e\u641c\u7d22\u5168\u6587\uff0c\u5728\u6240\u6709urllib2.Request()\u8c03\u7528\u524d\u6dfb\u52a0add_http_auth_field()\u51fd\u6570\u3002<br \/>\n\u8fd8\u9700\u4fee\u6539es_delete_alerts_by_sid_v2()\u51fd\u6570\u4e2d\u63d0\u4ea4\u8bf7\u6c42\u7684\u4ee3\u7801\u4e3a\uff1a<\/p>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"python\">#########################################################\r\nif settings.ELASTICSEARCH_HTTP_AUTH is 
True:\r\n    auth_field = gen_http_auth_field()\r\n    r = requests.delete(delete_url, headers={auth_field[0]:auth_field[1]})\r\nelse:\r\n    r = requests.delete(delete_url)\r\n\r\n\r\n#########################################################<\/pre>\n<p>\u4fee\u6539es_delete_alerts_by_sid_v5()\u51fd\u6570\u4e2d\u63d0\u4ea4\u8bf7\u6c42\u7684\u4ee3\u7801\u4e3a\uff1a<\/p>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"python\">#########################################################\r\nif settings.ELASTICSEARCH_HTTP_AUTH is True:\r\n    auth_field = gen_http_auth_field()\r\n    r = requests.post(delete_url, headers={auth_field[0]:auth_field[1]}, data = json.dumps(data))\r\nelse:\r\n    r = requests.post(delete_url, data = json.dumps(data))\r\n\r\n\r\n#########################################################<\/pre>\n<h4><span class=\"ez-toc-section\" id=\"%EF%BC%883%EF%BC%89%E7%BC%96%E8%BE%91ruleses_datapy\"><\/span>\uff083\uff09\u7f16\u8f91rules\/es_data.py<span class=\"ez-toc-section-end\"><\/span><\/h4>\n<p>\u4fee\u6539ESData\u7c7b\u4e2d\u7684__init__()\u51fd\u6570\u4ee3\u7801\u5982\u4e0b\uff1a<\/p>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"python\">#########################################################\r\nes_addr = 'http:\/\/%s\/' % settings.ELASTICSEARCH_ADDRESS\r\nif settings.ELASTICSEARCH_HTTP_AUTH is True:\r\n    self.client = Elasticsearch([es_addr], http_auth=(settings.ELASTICSEARCH_HTTP_AUTH_USER, settings.ELASTICSEARCH_HTTP_AUTH_PASS))\r\nelse:\r\n    self.client = Elasticsearch([es_addr])\r\n\r\n\r\n#########################################################<\/pre>\n<p>\u7136\u540e\u641c\u7d22\u6574\u4e2a\u6587\u4ef6\uff0c\u5c06\u6240\u6709\u786c\u7f16\u7801\u7684\u7d22\u5f15\u540dindex=\u2019.kibana\u2019\u6539\u4e3a\uff1aindex=settings.KIBANA_INDEX<\/p>\n<h3><span class=\"ez-toc-section\" id=\"2%E7%BC%96%E8%BE%91logstash%E9%85%8D%E7%BD%AE%E6%96%87%E4%BB%B6\"><\/span>2.\u7f16\u8f91logstash\u914d\u7f6e\u6587\u4ef6<span 
class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>\u6574\u4e2a\u914d\u7f6e\u6587\u4ef6logstash.conf\u6587\u4ef6\u5185\u5bb9\u5982\u4e0b\uff1a<\/p>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"raw\">input\r\n{ \u00a0\r\nredis\r\n\u00a0{\r\n\u00a0 data_type =&gt; \"list\"\r\n\u00a0 key =&gt; \"suricata\"\r\n\u00a0 host =&gt; \"127.0.0.1\"\r\n\u00a0 port =&gt; 6379\r\n\u00a0 db =&gt; 0\r\n\u00a0 threads =&gt; 5\r\n\u00a0 codec =&gt; json\r\n\u00a0 type =&gt; \"SELKS\"\r\n\u00a0}\r\n}\r\n\r\nfilter {\r\n\u00a0 if [type] == \"SELKS\" {\r\n\u00a0 \u00a0 date {\r\n\u00a0 \u00a0 \u00a0 match =&gt; [ \"timestamp\", \"ISO8601\" ]\r\n\u00a0 \u00a0 }\r\n\u00a0 \u00a0 ruby {\r\n\u00a0 \u00a0 \u00a0 code =&gt; \"if event['event_type'] == 'fileinfo'; event['fileinfo']['type']=event['fileinfo']['magic'].to_s.split(',')[0]; end;\"\r\n\u00a0 \u00a0 }\r\n\u00a0 }\r\n\r\n\u00a0 if ([src_ip] =~ \/^10\\.(10[1-9]{1}|1[1-9]{1}[0-9]{1}|2[0-9]{1}[0-9]{1})\\.[0-9]{1,3}\\.[0-9]{1,3}\/) { \u00a0#IDC IP\r\n\u00a0 \u00a0 if([dest_ip] =~ \/(^10\\.([0-9]{1,2}|100)\\.[0-9]{1,3}\\.[0-9]{1,3})|(^192\\.168\\.[0-9]{1,3}\\.[0-9]{1,3})|(^172\\.([123]{1}[0-9]{1})\\.[0-9]{1,3}\\.[0-9]{1,3})\/) { \u00a0#Home IP\r\n\u00a0 \u00a0 \u00a0 mutate {\r\n\u00a0 \u00a0 \u00a0 \u00a0 add_field =&gt; [ \"direction\", \"idc_to_home\" ]\r\n\u00a0 \u00a0 \u00a0 }\r\n\u00a0 \u00a0 }\r\n\u00a0 }\r\n\r\n\u00a0 if ([direction] != \"idc_to_home\") {\r\n\u00a0 \u00a0 if ([src_ip] =~ \/(^192\\.168\\.[0-9]{1,3}\\.[0-9]{1,3})|(^10\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3})|(^172\\.([123]{1}[0-9]{1})\\.[0-9]{1,3}\\.[0-9]{1,3})\/) {\r\n\u00a0 \u00a0 \u00a0 if ([dest_ip] =~ \/(^192\\.168\\.[0-9]{1,3}\\.[0-9]{1,3})|(^10\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3})|(^172\\.([123]{1}[0-9]{1})\\.[0-9]{1,3}\\.[0-9]{1,3})\/) {\r\n\u00a0 \u00a0 \u00a0 \u00a0 mutate {\r\n\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 add_field =&gt; [ \"direction\", \"intranet\" ]\r\n\u00a0 \u00a0 \u00a0 \u00a0 }\r\n\u00a0 \u00a0 \u00a0 }\r\n\u00a0 \u00a0 \u00a0 else 
{\r\n\u00a0 \u00a0 \u00a0 \u00a0 mutate {\r\n\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 add_field =&gt; [ \"direction\", \"outbound\" ]\r\n\u00a0 \u00a0 \u00a0 \u00a0 }\r\n\u00a0 \u00a0 \u00a0 }\r\n\u00a0 \u00a0 }\r\n\u00a0 \u00a0 else {\r\n\u00a0 \u00a0 \u00a0 if ([dest_ip] =~ \/(^192\\.168\\.[0-9]{1,3}\\.[0-9]{1,3})|(^10\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3})|(^172\\.([123]{1}[0-9]{1})\\.[0-9]{1,3}\\.[0-9]{1,3})\/) {\r\n\u00a0 \u00a0 \u00a0 \u00a0 mutate {\r\n\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 add_field =&gt; [ \"direction\", \"inbound\" ]\r\n\u00a0 \u00a0 \u00a0 \u00a0 }\r\n\u00a0 \u00a0 \u00a0 }\r\n\u00a0 \u00a0 \u00a0 else {\r\n\u00a0 \u00a0 \u00a0 \u00a0 mutate {\r\n\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 add_field =&gt; [ \"direction\", \"internet\" ]\r\n\u00a0 \u00a0 \u00a0 \u00a0 }\r\n\u00a0 \u00a0 \u00a0 }\r\n\u00a0 \u00a0 }\r\n\u00a0 }\r\n\r\n\u00a0 if ([direction] == \"inbound\" or [direction] == \"internet\") {\r\n\u00a0 \u00a0 if [src_ip] \u00a0{\r\n\u00a0 \u00a0 \u00a0 geoip {\r\n\u00a0 \u00a0 \u00a0 \u00a0 source =&gt; \"src_ip\"\u00a0\r\n\u00a0 \u00a0 \u00a0 \u00a0 target =&gt; \"geoip\"\u00a0\r\n\u00a0 \u00a0 \u00a0 \u00a0 #database =&gt; \"\/opt\/logstash\/vendor\/geoip\/GeoLiteCity.dat\"\u00a0\r\n\u00a0 \u00a0 \u00a0 \u00a0 add_field =&gt; [ \"[geoip][coordinates]\", \"%{[geoip][longitude]}\" ]\r\n\u00a0 \u00a0 \u00a0 \u00a0 add_field =&gt; [ \"[geoip][coordinates]\", \"%{[geoip][latitude]}\" \u00a0]\r\n\u00a0 \u00a0 \u00a0 }\r\n\u00a0 \u00a0 \u00a0 mutate {\r\n\u00a0 \u00a0 \u00a0 \u00a0 convert =&gt; [ \"[geoip][coordinates]\", \"float\" ]\r\n\u00a0 \u00a0 \u00a0 }\r\n\u00a0 \u00a0 }\r\n\u00a0 }\r\n\r\n\u00a0 if ([direction] == \"outbound\" or [direction] == \"internet\") {\r\n\u00a0 \u00a0 if [dest_ip] \u00a0{\r\n\u00a0 \u00a0 \u00a0 geoip {\r\n\u00a0 \u00a0 \u00a0 \u00a0 source =&gt; \"dest_ip\"\r\n\u00a0 \u00a0 \u00a0 \u00a0 target =&gt; \"geoip\"\r\n\u00a0 \u00a0 \u00a0 \u00a0 #database =&gt; 
\"\/opt\/logstash\/vendor\/geoip\/GeoLiteCity.dat\"\r\n\u00a0 \u00a0 \u00a0 \u00a0 add_field =&gt; [ \"[geoip][coordinates]\", \"%{[geoip][longitude]}\" ]\r\n\u00a0 \u00a0 \u00a0 \u00a0 add_field =&gt; [ \"[geoip][coordinates]\", \"%{[geoip][latitude]}\" \u00a0]\r\n\u00a0 \u00a0 \u00a0 }\r\n\u00a0 \u00a0 \u00a0 mutate {\r\n\u00a0 \u00a0 \u00a0 \u00a0 convert =&gt; [ \"[geoip][coordinates]\", \"float\" ]\r\n\u00a0 \u00a0 \u00a0 }\r\n\u00a0 \u00a0 }\r\n\u00a0 }\r\n}\r\n\r\noutput {\r\n\u00a0 elasticsearch {\r\n\u00a0 \u00a0 hosts =&gt; [\"http:\/\/ip_address:9200\/\"]\r\n\u00a0 \u00a0 manage_template =&gt; true\r\n\u00a0 \u00a0 template =&gt; \"\/ids\/logstash-2.3.4\/selks_template.json\"\r\n\u00a0 \u00a0 template_name =&gt; \"ids_log_*\"\r\n\u00a0 \u00a0 user =&gt; \"username\"\r\n\u00a0 \u00a0 password =&gt; \"password\"\r\n\u00a0 \u00a0 index =&gt; \"ids_log_%{+YYYY.MM.dd}\"\r\n\u00a0 }\r\n}\r\n#########################################################<\/pre>\n<h3><span class=\"ez-toc-section\" id=\"3logstash%E6%B7%BB%E5%8A%A0ES%E6%95%B0%E6%8D%AE%E6%A8%A1%E6%9D%BF%EF%BC%9A\"><\/span>3.logstash\u6dfb\u52a0ES\u6570\u636e\u6a21\u677f\uff1a<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p><span style=\"color: #ff0000\"><strong>\u4ec5\u9002\u7528\u4e8eES 5.X<\/strong><\/span><\/p>\n<p>logstash\u5728\u5411ES\u4e2d\u5199\u6570\u636e\u65f6\uff0c\u5728\u7f3a\u7701\u914d\u7f6e\u4e0b\uff0c\u53ea\u5411\u540d\u4e3a&#8221;logstash-&#8220;\u7684\u7d22\u5f15\u4e2d\u7684\u6bcf\u4e2a\u6587\u6863\u6dfb\u52a0\u9690\u542b\u7684\u9ed8\u8ba4\u5b57\u6bb5\uff0c\u800cscirius\u5728\u8bfb\u53d6ES\u4e2d\u7684\u6570\u636e\u65f6\u9700\u8981\u8c03\u7528\u8fd9\u4e9b\u9ed8\u8ba4\u5b57\u6bb5\uff0c\u56e0\u6b64\u82e5\u9700\u8981\u66f4\u6539logstash\u5199\u5165ES\u4e2d\u7684\u7d22\u5f15\u540d\uff0c\u5219\u8fd8\u9700\u8981\u66f4\u6539\u5efa\u7acb\u9ed8\u8ba4\u5b57\u6bb5\u7684\u6a21\u677f\uff0c\u5728logstash 
v2.3.4\u4e2d\uff0c\u7f16\u8f91\u6587\u4ef6\uff1a.\/vendor\/bundle\/jruby\/1.9\/gems\/logstash-output-elasticsearch-2.7.1-java\/lib\/logstash\/outputs\/elasticsearch\/elasticsearch-template.json<br \/>\n\u4fee\u6539&quot;template&quot;\u5b57\u6bb5\u503c\u4e3a\u81ea\u5b9a\u4e49\u7684\u7d22\u5f15\u540d\uff0c\u5e76\u5728geoip\u5bf9\u8c61\u4e2d\u65b0\u6dfb\u52a0\u4e00\u4e2a\u540d\u4e3adirection\u7684string\u7c7b\u578b\u53d8\u91cf\uff0c\u6700\u540e\u4fdd\u5b58\u4e3alogstash\u8c03\u7528\u7684\u6a21\u677f\u6587\u4ef6selks_template.json\uff08\u6ce8\uff1a\u4e0b\u5217\u6a21\u677f\u7684geoip\u5c5e\u6027\u4e2d\u672a\u5305\u542bdirection\uff0c\u8bf7\u6309\u4e0a\u6587\u81ea\u884c\u6dfb\u52a0\uff09\uff0c\u5b8c\u6574\u5185\u5bb9\u5982\u4e0b\uff1a<br \/>\n#########################################################<br \/>\n{<br \/>\n&quot;template&quot; : &quot;ids_log_*&quot;,<br \/>\n&quot;settings&quot; : {<br \/>\n&quot;index.refresh_interval&quot; : &quot;5s&quot;<br \/>\n},<br \/>\n&quot;mappings&quot; : {<br \/>\n&quot;_default_&quot; : {<br \/>\n&quot;_all&quot; : {&quot;enabled&quot; : true, &quot;omit_norms&quot; : true},<br \/>\n&quot;dynamic_templates&quot; : [ {<br \/>\n&quot;message_field&quot; : {<br \/>\n&quot;match&quot; : &quot;message&quot;,<br \/>\n&quot;match_mapping_type&quot; : &quot;string&quot;,<br \/>\n&quot;mapping&quot; : {<br \/>\n&quot;type&quot; : &quot;string&quot;, &quot;index&quot; : &quot;analyzed&quot;, &quot;omit_norms&quot; : true,<br \/>\n&quot;fielddata&quot; : { &quot;format&quot; : &quot;disabled&quot; }<br \/>\n}<br \/>\n}<br \/>\n}, {<br \/>\n&quot;string_fields&quot; : {<br \/>\n&quot;match&quot; : &quot;*&quot;,<br \/>\n&quot;match_mapping_type&quot; : &quot;string&quot;,<br \/>\n&quot;mapping&quot; : {<br \/>\n&quot;type&quot; : &quot;string&quot;, &quot;index&quot; : &quot;analyzed&quot;, &quot;omit_norms&quot; : true,<br \/>\n&quot;fielddata&quot; : { &quot;format&quot; : &quot;disabled&quot; },<br \/>\n&quot;fields&quot; : {<br \/>\n&quot;raw&quot; : {&quot;type&quot;: &quot;string&quot;, 
&quot;index&quot; : &quot;not_analyzed&quot;, &quot;ignore_above&quot; : 256}<br \/>\n}<br \/>\n}<br \/>\n}<br \/>\n} ],<br \/>\n&quot;properties&quot; : {<br \/>\n&quot;@timestamp&quot;: { &quot;type&quot;: &quot;date&quot; },<br \/>\n&quot;@version&quot;: { &quot;type&quot;: &quot;string&quot;, &quot;index&quot;: &quot;not_analyzed&quot; },<br \/>\n&quot;geoip&quot;  : {<br \/>\n&quot;dynamic&quot;: true,<br \/>\n&quot;properties&quot; : {<br \/>\n&quot;ip&quot;        : { &quot;type&quot; : &quot;ip&quot; },<br \/>\n&quot;location&quot;  : { &quot;type&quot; : &quot;geo_point&quot; },<br \/>\n&quot;latitude&quot;  : { &quot;type&quot; : &quot;float&quot; },<br \/>\n&quot;longitude&quot; : { &quot;type&quot; : &quot;float&quot; }<br \/>\n}<br \/>\n}<br \/>\n}<br \/>\n}<br \/>\n}<br \/>\n}<br \/>\n#########################################################<br \/>\n4.\u5411Scirius\u4e2d\u6dfb\u52a0\u89c4\u5219\u6e90<\/p>\n<p>\u5728Scirius\u6839\u76ee\u5f55\u4e0b\u6267\u884c\u4e0b\u5217\u547d\u4ee4\uff1a<\/p>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"shell\">python manage.py addsource \"ETOpen Ruleset\" https:\/\/rules.emergingthreats.net\/open\/suricata-3.0\/emerging.rules.tar.gz http sigs\r\npython manage.py addsource \"SSLBL abuse.ch\" https:\/\/sslbl.abuse.ch\/blacklist\/sslblacklist.rules http sig\r\npython manage.py addsource \"PT Research Ruleset\" https:\/\/github.com\/ptresearch\/AttackDetection\/raw\/master\/pt.rules.tar.gz http sigs<\/pre>\n<h3><span class=\"ez-toc-section\" id=\"5%E4%BF%AE%E6%94%B9%E5%91%8A%E8%AD%A6%E5%B1%95%E7%A4%BA%E4%BB%A3%E7%A0%81\"><\/span>5.\u4fee\u6539\u544a\u8b66\u5c55\u793a\u4ee3\u7801<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>.\/scirius\/rules\/es_graphs.py<\/p>\n<p>560,def es_get_rules_stats(request, hostname, count=100, from_date=0 , qfilter = None)<\/p>\n<p>604
\u00a0tables.RequestConfig(request,paginate={&#039;per_page&#039;:100}).configure(rules)<\/p>\n<p>607 tables.RequestConfig(request,paginate={&#039;per_page&#039;:100}).configure(rules)<\/p>\n<h3><span class=\"ez-toc-section\" id=\"6%E9%85%8D%E7%BD%AEKibana_dashboards\"><\/span>6.\u914d\u7f6eKibana dashboards<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>\u7f51\u4e0a\u6709\u516c\u5f00\u7684dashboards\u6a21\u677f\uff0c\u94fe\u63a5\uff1a<a href=\"https:\/\/github.com\/StamusNetworks\/KTS\">https:\/\/github.com\/StamusNetworks\/KTS<\/a><\/p>\n<p>\u4f7f\u7528\u8fd9\u4e2a\u6a21\u677f\u524d\uff0c\u9700\u5148\u4fee\u6539\u6a21\u677f\u4e2d\u7684ES\u7d22\u5f15\u540d\uff0c\u547d\u4ee4\u5982\u4e0b\uff1a<\/p>\n<p>$ find .\/ -name &#039;*.json&#039; -type f -exec sed -i &#039;s\/logstash.*-\\*\/ids_log_*\/g&#039; {} \\;<\/p>\n<p>\u7136\u540e\u4fee\u6539load.sh\u6587\u4ef6\u4e2d\u7684kibana\u7d22\u5f15\u540d\u548cES\u5730\u5740\u3002<\/p>\n<p>\u4e5f\u53ef\u4ee5\u7528elasticdump\u5de5\u5177\u5c06dashboards\u7684\u6570\u636e\u5bfc\u5165\u5230ES\u4e2d\uff0c\u5148\u5bfc\u5165\u7d22\u5f15mapping\uff0c\u518d\u5bfc\u5165\u6570\u636e\uff0c\u6587\u4ef6\u5730\u5740\uff1a<\/p>\n<p><a href=\"http:\/\/weizn.net\/file\/kibana_mapping.json\" target=\"_blank\" rel=\"noopener noreferrer\">http:\/\/weizn.net\/file\/kibana_mapping.json<\/a><\/p>\n<p><a href=\"http:\/\/weizn.net\/file\/kibana_data.json\" target=\"_blank\" rel=\"noopener noreferrer\">http:\/\/weizn.net\/file\/kibana_data.json<\/a><\/p>\n<p>\u6216\u76f4\u63a5\u901a\u8fc7Kibana\u5bfc\u5165\uff1a<\/p>\n<p><a href=\"http:\/\/weizn.net\/file\/Dashboards.zip\" target=\"_blank\" rel=\"noopener noreferrer\">http:\/\/weizn.net\/file\/Dashboards.zip<\/a><\/p>\n<h2><span class=\"ez-toc-section\" id=\"%E5%9B%9B%E3%80%81%E5%90%AF%E5%8A%A8\"><\/span>\u56db\u3001\u542f\u52a8<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<h3><span class=\"ez-toc-section\" 
id=\"1%E5%90%AF%E5%8A%A8Redis\"><\/span>1.\u542f\u52a8Redis<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>\u542f\u52a8\u547d\u4ee4\uff1a<\/p>\n<p>$ redis-server \/ids\/redis-3.2.0\/redis.conf<\/p>\n<p>\u76d1\u63a7\u547d\u4ee4\uff1a<\/p>\n<p>$ redis-cli MONITOR<\/p>\n<h3><span class=\"ez-toc-section\" id=\"2%E5%90%AF%E5%8A%A8ES\"><\/span>2.\u542f\u52a8ES<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>\uff08\u7565\uff09<\/p>\n<h3><span class=\"ez-toc-section\" id=\"3%E5%90%AF%E5%8A%A8Logstash\"><\/span>3.\u542f\u52a8Logstash<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>$ bin\/logstash -f \/ids\/logstash-2.3.4\/logstash.conf<\/p>\n<h3><span class=\"ez-toc-section\" id=\"4%E5%90%AF%E5%8A%A8Suricata\"><\/span>4.\u542f\u52a8Suricata<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>$ suricata --pfring -c \/ids\/suricata\/suricata_SELKS_redis.yaml -v<\/p>\n<h3><span class=\"ez-toc-section\" id=\"5%E5%90%AF%E5%8A%A8Scirius\"><\/span>5.\u542f\u52a8Scirius<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>\u521d\u59cb\u5316\u547d\u4ee4\uff1a<\/p>\n<p>$ python manage.py syncdb<\/p>\n<p>\u5f00\u542fWeb\u670d\u52a1\uff1a<\/p>\n<p>$ python manage.py runserver 0.0.0.0:80<\/p>\n<p>\uff08runserver\u662fDjango\u81ea\u5e26\u7684\u5f00\u53d1\u670d\u52a1\u5668\uff0c\u76d1\u542c0.0.0.0\u4f1a\u66b4\u9732\u7ed9\u6240\u6709\u7f51\u6bb5\uff0c\u6b63\u5f0f\u73af\u5883\u5e94\u6539\u7528WSGI\u90e8\u7f72\u5e76\u9650\u5236\u8bbf\u95ee\u3002\uff09<\/p>\n<h3><span class=\"ez-toc-section\" id=\"6%E5%90%AF%E5%8A%A8Kibana\"><\/span>6.\u542f\u52a8Kibana<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>\uff08\u7565\uff09<\/p>\n<p>\u56fe\u793a\uff1a<\/p>\n<p><a id=\"ematt:485\" href=\"http:\/\/www.weizn.net\/content\/uploadfile\/201702\/34ec1487064592.jpg\" data-rel=\"penci-gallery-image-content\"  target=\"_blank\" rel=\"noopener noreferrer\"><img decoding=\"async\" class=\"alignnone size-full wp-image-916\" title=\"34ec1487064592\" src=\"http:\/\/weizn.net\/wp-content\/uploads\/2021\/09\/34ec1487064592.jpg\" alt=\"34ec1487064592\" \/><\/a><\/p>\n<p><a id=\"ematt:487\" href=\"http:\/\/www.weizn.net\/content\/uploadfile\/201702\/945e1487064616.jpg\" 
data-rel=\"penci-gallery-image-content\"  target=\"_blank\" rel=\"noopener noreferrer\"><img decoding=\"async\" class=\"alignnone size-full wp-image-917\" title=\"945e1487064616\" src=\"http:\/\/weizn.net\/wp-content\/uploads\/2021\/09\/945e1487064616.jpg\" alt=\"945e1487064616\" \/><\/a><\/p>\n<p><a id=\"ematt:489\" href=\"http:\/\/www.weizn.net\/content\/uploadfile\/201702\/dbf21487064631.jpg\" data-rel=\"penci-gallery-image-content\"  target=\"_blank\" rel=\"noopener noreferrer\"><img decoding=\"async\" class=\"alignnone size-full wp-image-918\" title=\"dbf21487064631\" src=\"http:\/\/weizn.net\/wp-content\/uploads\/2021\/09\/dbf21487064631.jpg\" alt=\"dbf21487064631\" \/><\/a><\/p>\n<p><a id=\"ematt:491\" href=\"http:\/\/www.weizn.net\/content\/uploadfile\/201702\/f6501487064643.jpg\" data-rel=\"penci-gallery-image-content\"  target=\"_blank\" rel=\"noopener noreferrer\"><img decoding=\"async\" class=\"alignnone size-full wp-image-919\" title=\"f6501487064643\" src=\"http:\/\/weizn.net\/wp-content\/uploads\/2021\/09\/f6501487064643.jpg\" alt=\"f6501487064643\" \/><\/a><\/p>\n<\/div><\/div>","protected":false},"excerpt":{"rendered":"<p class=\"p\" style=\"margin-left:0.0000pt;text-indent:0.0000pt;background:#FFFFFF;\">\n\t<b><span>\u4e00<\/span><span>\u3001<\/span>Suricata <span>\u5206\u5e03\u5f0f<\/span><span>IDS<\/span><span>\u9879\u76ee \u76ee\u7684\u5bf9\u529e\u516c\u7f51\u6d41\u91cf\u76d1\u542c\uff0c\u5165\u4fb5\u548c\u8fdd\u89c4\u884c\u4e3a\u544a\u8b66<\/span><\/b>\n<\/p>\n<p class=\"p\" style=\"margin-left:0.0000pt;text-indent:0.0000pt;background:#FFFFFF;\">\n\tSuricata <span>\u7531<\/span><span>OISF(Open Information Security Foundation&nbsp;)<\/span><span>\u5f00\u53d1\u4e3a\u6807\u51c6<\/span><span>libpcap<\/span><span>\u6216<\/span><span>libpfring<\/span><span>\u63a5\u53e3\uff0c\u652f\u6301<\/span><span>snort<\/span><span>\u89c4\u5219\u3002<\/span><span>OISF<\/span><span>\u7531<\/span><span>DHS(United States Department of Homeland 
Security)<\/span><span>\u53ca<\/span><span>Breach S&#8230;<\/span><\/p>\n","protected":false},"author":1,"featured_media":416,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[321],"tags":[],"class_list":["post-213","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v16.9 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>SELKS\u5f00\u6e90IDS\u90e8\u7f72 - Wayne&#039;s Blog<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"http:\/\/weizn.net\/?p=213\" \/>\n<meta property=\"og:locale\" content=\"zh_CN\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"SELKS\u5f00\u6e90IDS\u90e8\u7f72 - Wayne&#039;s Blog\" \/>\n<meta property=\"og:description\" content=\"\u4e00\u3001Suricata \u5206\u5e03\u5f0fIDS\u9879\u76ee \u76ee\u7684\u5bf9\u529e\u516c\u7f51\u6d41\u91cf\u76d1\u542c\uff0c\u5165\u4fb5\u548c\u8fdd\u89c4\u884c\u4e3a\u544a\u8b66    Suricata \u7531OISF(Open Information Security Foundation&nbsp;)\u5f00\u53d1\u4e3a\u6807\u51c6libpcap\u6216libpfring\u63a5\u53e3\uff0c\u652f\u6301snort\u89c4\u5219\u3002OISF\u7531DHS(United States Department of Homeland Security)\u53caBreach S...\" \/>\n<meta property=\"og:url\" content=\"http:\/\/weizn.net\/?p=213\" \/>\n<meta property=\"og:site_name\" content=\"Wayne&#039;s Blog\" \/>\n<meta property=\"article:published_time\" content=\"2017-02-10T09:06:08+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2021-09-09T13:29:45+00:00\" \/>\n<meta property=\"og:image\" content=\"http:\/\/weizn.net\/wp-content\/uploads\/2017\/02\/images.jpeg\" \/>\n\t<meta property=\"og:image:width\" content=\"322\" \/>\n\t<meta property=\"og:image:height\" content=\"156\" \/>\n<meta name=\"twitter:card\" 
content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"\u4f5c\u8005\" \/>\n\t<meta name=\"twitter:data1\" content=\"zinan\" \/>\n\t<meta name=\"twitter:label2\" content=\"\u9884\u8ba1\u9605\u8bfb\u65f6\u95f4\" \/>\n\t<meta name=\"twitter:data2\" content=\"6 \u5206\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"WebSite\",\"@id\":\"http:\/\/weizn.net\/#website\",\"url\":\"http:\/\/weizn.net\/\",\"name\":\"Wayne&#039;s Blog\",\"description\":\"\",\"publisher\":{\"@id\":\"http:\/\/weizn.net\/#\/schema\/person\/e88bc12c590502d8b6249326f960b264\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"http:\/\/weizn.net\/?s={search_term_string}\"},\"query-input\":\"required name=search_term_string\"}],\"inLanguage\":\"zh-Hans\"},{\"@type\":\"ImageObject\",\"@id\":\"http:\/\/weizn.net\/?p=213#primaryimage\",\"inLanguage\":\"zh-Hans\",\"url\":\"http:\/\/weizn.net\/wp-content\/uploads\/2017\/02\/images.jpeg\",\"contentUrl\":\"http:\/\/weizn.net\/wp-content\/uploads\/2017\/02\/images.jpeg\",\"width\":322,\"height\":156},{\"@type\":\"WebPage\",\"@id\":\"http:\/\/weizn.net\/?p=213#webpage\",\"url\":\"http:\/\/weizn.net\/?p=213\",\"name\":\"SELKS\\u5f00\\u6e90IDS\\u90e8\\u7f72 - Wayne&#039;s 
Blog\",\"isPartOf\":{\"@id\":\"http:\/\/weizn.net\/#website\"},\"primaryImageOfPage\":{\"@id\":\"http:\/\/weizn.net\/?p=213#primaryimage\"},\"datePublished\":\"2017-02-10T09:06:08+00:00\",\"dateModified\":\"2021-09-09T13:29:45+00:00\",\"breadcrumb\":{\"@id\":\"http:\/\/weizn.net\/?p=213#breadcrumb\"},\"inLanguage\":\"zh-Hans\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"http:\/\/weizn.net\/?p=213\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"http:\/\/weizn.net\/?p=213#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"\\u9996\\u9875\",\"item\":\"http:\/\/weizn.net\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"SELKS\\u5f00\\u6e90IDS\\u90e8\\u7f72\"}]},{\"@type\":\"Article\",\"@id\":\"http:\/\/weizn.net\/?p=213#article\",\"isPartOf\":{\"@id\":\"http:\/\/weizn.net\/?p=213#webpage\"},\"author\":{\"@id\":\"http:\/\/weizn.net\/#\/schema\/person\/e88bc12c590502d8b6249326f960b264\"},\"headline\":\"SELKS\\u5f00\\u6e90IDS\\u90e8\\u7f72\",\"datePublished\":\"2017-02-10T09:06:08+00:00\",\"dateModified\":\"2021-09-09T13:29:45+00:00\",\"mainEntityOfPage\":{\"@id\":\"http:\/\/weizn.net\/?p=213#webpage\"},\"wordCount\":876,\"commentCount\":4,\"publisher\":{\"@id\":\"http:\/\/weizn.net\/#\/schema\/person\/e88bc12c590502d8b6249326f960b264\"},\"image\":{\"@id\":\"http:\/\/weizn.net\/?p=213#primaryimage\"},\"thumbnailUrl\":\"http:\/\/weizn.net\/wp-content\/uploads\/2017\/02\/images.jpeg\",\"articleSection\":[\"\\u5e94\\u7528\\u5b89\\u5168\"],\"inLanguage\":\"zh-Hans\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"http:\/\/weizn.net\/?p=213#respond\"]}]},{\"@type\":[\"Person\",\"Organization\"],\"@id\":\"http:\/\/weizn.net\/#\/schema\/person\/e88bc12c590502d8b6249326f960b264\",\"name\":\"zinan\",\"logo\":{\"@id\":\"http:\/\/weizn.net\/#personlogo\"}}]}<\/script>\n<!-- \/ Yoast SEO plugin. 
-->","yoast_head_json":{"title":"SELKS\u5f00\u6e90IDS\u90e8\u7f72 - Wayne&#039;s Blog","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"http:\/\/weizn.net\/?p=213","og_locale":"zh_CN","og_type":"article","og_title":"SELKS\u5f00\u6e90IDS\u90e8\u7f72 - Wayne&#039;s Blog","og_description":"\u4e00\u3001Suricata \u5206\u5e03\u5f0fIDS\u9879\u76ee \u76ee\u7684\u5bf9\u529e\u516c\u7f51\u6d41\u91cf\u76d1\u542c\uff0c\u5165\u4fb5\u548c\u8fdd\u89c4\u884c\u4e3a\u544a\u8b66    Suricata \u7531OISF(Open Information Security Foundation&nbsp;)\u5f00\u53d1\u4e3a\u6807\u51c6libpcap\u6216libpfring\u63a5\u53e3\uff0c\u652f\u6301snort\u89c4\u5219\u3002OISF\u7531DHS(United States Department of Homeland Security)\u53caBreach S...","og_url":"http:\/\/weizn.net\/?p=213","og_site_name":"Wayne&#039;s Blog","article_published_time":"2017-02-10T09:06:08+00:00","article_modified_time":"2021-09-09T13:29:45+00:00","og_image":[{"width":322,"height":156,"url":"http:\/\/weizn.net\/wp-content\/uploads\/2017\/02\/images.jpeg","path":"\/app\/wp-content\/uploads\/2017\/02\/images.jpeg","size":"full","id":416,"alt":"","pixels":50232,"type":"image\/jpeg"}],"twitter_card":"summary_large_image","twitter_misc":{"\u4f5c\u8005":"zinan","\u9884\u8ba1\u9605\u8bfb\u65f6\u95f4":"6 \u5206"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"WebSite","@id":"http:\/\/weizn.net\/#website","url":"http:\/\/weizn.net\/","name":"Wayne&#039;s Blog","description":"","publisher":{"@id":"http:\/\/weizn.net\/#\/schema\/person\/e88bc12c590502d8b6249326f960b264"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"http:\/\/weizn.net\/?s={search_term_string}"},"query-input":"required 
name=search_term_string"}],"inLanguage":"zh-Hans"},{"@type":"ImageObject","@id":"http:\/\/weizn.net\/?p=213#primaryimage","inLanguage":"zh-Hans","url":"http:\/\/weizn.net\/wp-content\/uploads\/2017\/02\/images.jpeg","contentUrl":"http:\/\/weizn.net\/wp-content\/uploads\/2017\/02\/images.jpeg","width":322,"height":156},{"@type":"WebPage","@id":"http:\/\/weizn.net\/?p=213#webpage","url":"http:\/\/weizn.net\/?p=213","name":"SELKS\u5f00\u6e90IDS\u90e8\u7f72 - Wayne&#039;s Blog","isPartOf":{"@id":"http:\/\/weizn.net\/#website"},"primaryImageOfPage":{"@id":"http:\/\/weizn.net\/?p=213#primaryimage"},"datePublished":"2017-02-10T09:06:08+00:00","dateModified":"2021-09-09T13:29:45+00:00","breadcrumb":{"@id":"http:\/\/weizn.net\/?p=213#breadcrumb"},"inLanguage":"zh-Hans","potentialAction":[{"@type":"ReadAction","target":["http:\/\/weizn.net\/?p=213"]}]},{"@type":"BreadcrumbList","@id":"http:\/\/weizn.net\/?p=213#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"\u9996\u9875","item":"http:\/\/weizn.net\/"},{"@type":"ListItem","position":2,"name":"SELKS\u5f00\u6e90IDS\u90e8\u7f72"}]},{"@type":"Article","@id":"http:\/\/weizn.net\/?p=213#article","isPartOf":{"@id":"http:\/\/weizn.net\/?p=213#webpage"},"author":{"@id":"http:\/\/weizn.net\/#\/schema\/person\/e88bc12c590502d8b6249326f960b264"},"headline":"SELKS\u5f00\u6e90IDS\u90e8\u7f72","datePublished":"2017-02-10T09:06:08+00:00","dateModified":"2021-09-09T13:29:45+00:00","mainEntityOfPage":{"@id":"http:\/\/weizn.net\/?p=213#webpage"},"wordCount":876,"commentCount":4,"publisher":{"@id":"http:\/\/weizn.net\/#\/schema\/person\/e88bc12c590502d8b6249326f960b264"},"image":{"@id":"http:\/\/weizn.net\/?p=213#primaryimage"},"thumbnailUrl":"http:\/\/weizn.net\/wp-content\/uploads\/2017\/02\/images.jpeg","articleSection":["\u5e94\u7528\u5b89\u5168"],"inLanguage":"zh-Hans","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["http:\/\/weizn.net\/?p=213#respond"]}]},{"@type":["Person","Organization"],"@i
d":"http:\/\/weizn.net\/#\/schema\/person\/e88bc12c590502d8b6249326f960b264","name":"zinan","logo":{"@id":"http:\/\/weizn.net\/#personlogo"}}]}},"_links":{"self":[{"href":"http:\/\/weizn.net\/index.php?rest_route=\/wp\/v2\/posts\/213","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/weizn.net\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/weizn.net\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/weizn.net\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/weizn.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=213"}],"version-history":[{"count":12,"href":"http:\/\/weizn.net\/index.php?rest_route=\/wp\/v2\/posts\/213\/revisions"}],"predecessor-version":[{"id":920,"href":"http:\/\/weizn.net\/index.php?rest_route=\/wp\/v2\/posts\/213\/revisions\/920"}],"wp:featuredmedia":[{"embeddable":true,"href":"http:\/\/weizn.net\/index.php?rest_route=\/wp\/v2\/media\/416"}],"wp:attachment":[{"href":"http:\/\/weizn.net\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=213"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/weizn.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=213"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/weizn.net\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=213"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}