Suricata: Manajemen Rule dengan Oinkmaster

From OnnoWiki
Revision as of 14:36, 7 July 2023 by Onnowpurbo (talk | contribs)
Jump to navigation Jump to search

Manajemen Rules dengan Oinkmaster

Dimungkinkan untuk mengunduh dan menginstal aturan secara manual, tetapi ada cara yang jauh lebih mudah dan lebih cepat untuk melakukannya. Ada program khusus yang dapat Anda gunakan untuk mengunduh dan memasang rules. Ada misalnya Pulled Pork dan Oinkmaster. Dalam dokumentasi ini akan dijelaskan penggunaan Oinkmaster.

Untuk menginstal Oinkmaster, masukkan: 


sudo apt-get install oinkmaster

Ada beberapa rules. Ada misalnya Emerging Threats (ET) Emerging Threats Pro dan VRT. Dalam contoh ini kami menggunakan Ancaman yang Muncul.

Oinkmaster harus tahu di mana rules itu bisa ditemukan. Rules ini dapat ditemukan di: 

http://rules.emergingthreats.net/open/suricata/emerging.rules.tar.gz

Bukan oinkmaster.conf tambahkan link di atas, 

sudo nano /etc/oinkmaster.conf

Letakan # di depan URL yang sudah ada, dan tambahkan URL yang baru.

Langkah selanjutnya membuat directory untuk rules baru, ketik, 

sudo mkdir /etc/suricata/rules

Selanjutnya, ketik, 

cd /etc
sudo oinkmaster -C /etc/oinkmaster.conf -o /etc/suricata/rules

Oinkmaster harus tahu di mana rules itu bisa ditemukan. Aturan-aturan ini dapat ditemukan di: 

sudo nano /etc/suricata/suricata.yaml

And add the new file locations instead of the file locations already present, like this:

To see if everything works as pleased, run Suricata: 

suricata -c /etc/suricata/suricata.yaml -i wlan0 (atau eth0)

You will notice there are several rule-files Suricata tries to load, but are not available. It is possible to disable those rule-sets in suricata.yaml by deleting them or by putting a # in front of them. To stop Suricata from running, press ctrl c.

Emerging Threats contains more rules than loaded in Suricata. To see which rules are available in your rules directory, enter: 

ls /etc/suricata/rules/*.rules

Find those that are not yet present in suricata.yaml and add them in yaml if desired.

You can do so by entering : 

sudo nano /etc/suricata/suricata.yaml

If you disable a rule in your rule file by putting a # in front of it, it will be enabled again the next time you run Oinkmaster. You can disable it through Oinkmaster instead, by entering the following: 

cd /etc/suricata/rules

and find the sid of the rule(s) you want to disable.

Subsequently enter: 

sudo nano /etc/oinkmaster.conf

and go all the way to the end of the file. Type there: 

disablesid 2010495

Instead of 2010495, type the sid of the rule you would like to disable. It is also possible to disable multiple rules, by entering their sids separated by a comma.

If you run Oinkmaster again, you can see the amount of rules you have disabled. You can also enable rules that are disabled by default. Do so by entering: 

ls /etc/suricata/rules

In this directory you can see several rule-sets Enter for example: 

sudo nano /etc/suricata/rules/emerging-malware.rules

In this file you can see which rules are enabled en which are not. You can not enable them for the long-term just by simply removing the #. Because each time you will run Oinkmaster, the rule will be disabled again. Instead, look up the sid of the rule you want to enable. Place the sid in the correct place of oinkmaster.config: 

sudo nano /etc/oinkmaster.conf

do so by typing: 

enablesid: 2010495

Instead of 2010495, type the sid of the rule you would like to to enable. It is also possible to enable multiple rules, by entering their sids separated by a comma.

In oinkmaster.conf you can modify rules. For example, if you use Suricata as inline/IPS and you want to modify a rule that sends an alert when it matches and you would like the rule to drop the packet instead, you can do so by entering the following: 

sudo nano oinkmaster.conf

At the part where you can modify rules, type: 

modifysid 2010495 “alert” | “drop”

The sid 2010495 is an example. Type the sid of the rule you desire to change, instead.

Rerun Oinkmaster to notice the change. Updating your rules

If you have already downloaded a ruleset (in the way described in this file), and you would like to update the rules, enter: 

sudo oinkmaster -C /etc/oinkmaster.conf -o /etc/suricata/rules

It is recommended to update your rules frequently. Emerging Threats is modified daily, VRT is updated weekly or multiple times a week.


Referensi

Pranala Menarik

Retrieved from "https://onnocenter.or.id/wiki/index.php?title=Suricata:_Manajemen_Rule_dengan_Oinkmaster&oldid=69009"