implementing-network-intrusion-prevention-with-suricata

使用自定义规则、Emerging Threats 规则集和内联流量检测部署和配置 Suricata 作为网络入侵防御系统,实现实时威胁阻断。

9 stars

Best use case

implementing-network-intrusion-prevention-with-suricata is best used when you need a repeatable AI agent workflow instead of a one-off prompt.

使用自定义规则、Emerging Threats 规则集和内联流量检测部署和配置 Suricata 作为网络入侵防御系统,实现实时威胁阻断。

Teams using implementing-network-intrusion-prevention-with-suricata should expect a more consistent output, faster repeated execution, less prompt rewriting.

When to use this skill

  • You want a reusable workflow that can be run more than once with consistent structure.

When not to use this skill

  • You only need a quick one-off answer and do not need a reusable workflow.
  • You cannot install or maintain the underlying files, dependencies, or repository context.

Installation

Claude Code / Cursor / Codex

$curl -o ~/.claude/skills/implementing-network-intrusion-prevention-with-suricata/SKILL.md --create-dirs "https://raw.githubusercontent.com/killvxk/cybersecurity-skills-zh/main/skills/implementing-network-intrusion-prevention-with-suricata/SKILL.md"

Manual Installation

  1. Download SKILL.md from GitHub
  2. Place it in .claude/skills/implementing-network-intrusion-prevention-with-suricata/SKILL.md inside your project
  3. Restart your AI agent — it will auto-discover the skill

How implementing-network-intrusion-prevention-with-suricata Compares

Feature / Agentimplementing-network-intrusion-prevention-with-suricataStandard Approach
Platform SupportNot specifiedLimited / Varies
Context Awareness High Baseline
Installation ComplexityUnknownN/A

Frequently Asked Questions

What does this skill do?

使用自定义规则、Emerging Threats 规则集和内联流量检测部署和配置 Suricata 作为网络入侵防御系统,实现实时威胁阻断。

Where can I find the source code?

You can find the source code on GitHub using the link provided at the top of the page.

SKILL.md Source

# 使用 Suricata 实施网络入侵防御

## 概述

Suricata 是由开放信息安全基金会(OISF)开发的高性能开源网络威胁检测引擎。它既可作为入侵检测系统(IDS)、入侵防御系统(IPS),也可作为网络安全监控工具。Suricata 使用大量规则集、协议分析和文件提取功能进行深度包检测(Deep Packet Inspection)。在 IPS 模式下,Suricata 内联检测数据包并能主动阻断恶意流量。本技能涵盖以 IPS 模式部署 Suricata、配置规则集、编写自定义规则、性能调优以及与日志基础设施集成。

## 前置条件

- 4+ CPU 核心和 8GB+ RAM 的 Linux 服务器(Ubuntu 22.04+ 或 CentOS 8+)
- 已安装 Suricata 7.0+
- 内联部署的网络位置(桥接模式或 NFQUEUE)
- Emerging Threats Open 或 ET Pro 规则集订阅
- 用于规则管理的 suricata-update 工具
- 日志基础设施(ELK Stack、Splunk 或 Wazuh)

## 核心概念

### 运行模式

| 模式 | 功能 | 网络位置 |
|------|------|---------|
| IDS (AF_PACKET) | 被动监控,仅告警 | TAP/SPAN 镜像 |
| IPS (NFQUEUE) | 通过 netfilter 内联阻断 | 流量路径中 |
| IPS (AF_PACKET) | 通过 AF_PACKET 内联阻断 | 接口之间的桥接 |
| 离线 (PCAP) | 分析捕获的流量文件 | 不适用 |

### 规则结构

Suricata 规则遵循结构化格式:

```
动作 协议 源IP 源端口 -> 目标IP 目标端口 (规则选项;)
```

- **动作(Action)**:`alert`、`pass`、`drop`、`reject`、`rejectsrc`、`rejectdst`、`rejectboth`
- **协议(Protocol)**:`tcp`、`udp`、`icmp`、`ip`、`http`、`tls`、`dns`、`smtp`、`ftp`
- **方向(Direction)**:`->` 单向,`<>` 双向

### 规则类别

- **Emerging Threats Open** - 社区维护的免费规则集,覆盖范围广
- **ET Pro** - Proofpoint 商业规则集,覆盖范围更强
- **Suricata Traffic ID** - 应用识别规则
- **自定义规则(Custom Rules)** - 组织特定的检测规则

## 实施步骤

### 步骤 1:安装 Suricata

```bash
# 添加 Suricata PPA(Ubuntu)
sudo add-apt-repository ppa:oisf/suricata-stable
sudo apt-get update
sudo apt-get install -y suricata suricata-update

# 验证安装
suricata --build-info
suricata -V
```

### 步骤 2:配置 IPS 模式的 Suricata

编辑 `/etc/suricata/suricata.yaml`:

```yaml
%YAML 1.1
---

vars:
  address-groups:
    HOME_NET: "[10.0.0.0/8,172.16.0.0/12,192.168.0.0/16]"
    EXTERNAL_NET: "!$HOME_NET"
    HTTP_SERVERS: "$HOME_NET"
    DNS_SERVERS: "[10.0.1.10/32,10.0.1.11/32]"
    SMTP_SERVERS: "$HOME_NET"

  port-groups:
    HTTP_PORTS: "80"
    SHELLCODE_PORTS: "!80"
    SSH_PORTS: "22"
    DNS_PORTS: "53"

# IPS 模式使用 NFQUEUE
nfq:
  mode: accept
  repeat-mark: 1
  repeat-mask: 1
  route-queue: 2
  fail-open: yes

# 线程配置
threading:
  set-cpu-affinity: yes
  cpu-affinity:
    - management-cpu-set:
        cpu: [0]
    - receive-cpu-set:
        cpu: [1,2]
    - worker-cpu-set:
        cpu: [3,4,5,6,7]
        mode: exclusive

# 检测引擎
detect-engine:
  - profile: high
  - custom-values:
      toclient-groups: 50
      toserver-groups: 50
  - sgh-mpm-context: auto
  - inspection-recursion-limit: 3000

# 流引擎
stream:
  memcap: 512mb
  checksum-validation: yes
  inline: auto
  reassembly:
    memcap: 1gb
    depth: 1mb
    toserver-chunk-size: 2560
    toclient-chunk-size: 2560

# 日志配置
outputs:
  - eve-log:
      enabled: yes
      filetype: regular
      filename: /var/log/suricata/eve.json
      types:
        - alert:
            payload: yes
            payload-buffer-size: 4kb
            payload-printable: yes
            packet: yes
            metadata: yes
            tagged-packets: yes
        - http:
            extended: yes
        - dns:
            query: yes
            answer: yes
        - tls:
            extended: yes
        - files:
            force-magic: yes
            force-hash: [md5, sha256]
        - flow
        - netflow
        - stats:
            totals: yes
            threads: no
            deltas: yes

  - fast:
      enabled: yes
      filename: /var/log/suricata/fast.log

  - stats:
      enabled: yes
      filename: /var/log/suricata/stats.log
      interval: 30

# 规则文件
default-rule-path: /var/lib/suricata/rules
rule-files:
  - suricata.rules
```

### 步骤 3:配置 NFQUEUE 用于内联 IPS

设置 iptables 将流量重定向到 Suricata:

```bash
# 启用 IP 转发
echo 1 > /proc/sys/net/ipv4/ip_forward

# 将 FORWARD 链重定向到 NFQUEUE
sudo iptables -I FORWARD -j NFQUEUE --queue-num 0 --queue-bypass

# 多队列(更好的性能)
sudo iptables -I FORWARD -j NFQUEUE --queue-balance 0:3 --queue-bypass

# 保存 iptables 规则
sudo iptables-save > /etc/iptables/rules.v4
```

AF_PACKET 内联模式(两个接口之间):

```yaml
# 在 suricata.yaml 中
af-packet:
  - interface: eth0
    cluster-id: 98
    cluster-type: cluster_flow
    defrag: yes
    use-mmap: yes
    copy-mode: ips
    copy-iface: eth1
  - interface: eth1
    cluster-id: 97
    cluster-type: cluster_flow
    defrag: yes
    use-mmap: yes
    copy-mode: ips
    copy-iface: eth0
```

### 步骤 4:使用 Suricata-Update 管理规则

```bash
# 从默认源(ET Open)更新规则
sudo suricata-update

# 列出可用规则源
sudo suricata-update list-sources

# 启用 ET Pro(需要许可证密钥)
sudo suricata-update enable-source et/pro secret-code=YOUR_OINKCODE

# 启用其他来源
sudo suricata-update enable-source oisf/trafficid
sudo suricata-update enable-source ptresearch/attackdetection
sudo suricata-update enable-source sslbl/ssl-fp-blacklist

# 禁用产生误报的特定规则
echo "2100498" >> /etc/suricata/disable.conf
echo "group:emerging-policy.rules" >> /etc/suricata/disable.conf

# 修改规则动作(将 alert 改为 drop)
echo 're:ET MALWARE' >> /etc/suricata/modify.conf

# 应用更新
sudo suricata-update --reload-command="suricatasc -c reload-rules"
```

### 步骤 5:编写自定义规则

创建 `/var/lib/suricata/rules/local.rules`:

```
# 检测 TCP 上的潜在反向 shell
drop tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"LOCAL 潜在反向 Shell - 载荷中含 /bin/bash"; flow:to_server,established; content:"/bin/bash"; content:"-i"; within:20; classtype:trojan-activity; sid:1000001; rev:1;)

# 阻断已知恶意 User-Agent
drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"LOCAL 恶意 User-Agent - Cobalt Strike"; http.user_agent; content:"Mozilla/5.0 (compatible|3b| MSIE 9.0|3b| Windows NT 6.1|3b| WOW64|3b| Trident/5.0)"; classtype:trojan-activity; sid:1000002; rev:1;)

# 检测对已知 DGA 域名模式的 DNS 查询
alert dns $HOME_NET any -> any 53 (msg:"LOCAL 可疑 DGA 域名查询"; dns.query; content:".top"; pcre:"/^[a-z0-9]{12,30}\.(top|xyz|club|online|site)$/"; classtype:bad-unknown; sid:1000003; rev:1;)

# 检测大型 DNS TXT 响应(潜在 C2)
alert dns any 53 -> $HOME_NET any (msg:"LOCAL 大型 DNS TXT 响应 - 潜在 C2"; dns.opcode:0; content:"|00 10|"; byte_test:2,>,500,0,relative; classtype:bad-unknown; sid:1000004; rev:1;)

# 阻断出站到已知 Tor 出口节点的流量
drop tcp $HOME_NET any -> [100.2.18.10,104.244.76.13,109.70.100.1] any (msg:"LOCAL 出站连接到已知 Tor 出口节点"; classtype:policy-violation; sid:1000005; rev:1;)

# 检测 SMB 横向移动尝试
alert tcp $HOME_NET any -> $HOME_NET 445 (msg:"LOCAL 内部 SMB 连接 - 可能存在横向移动"; flow:to_server,established; content:"|ff|SMB"; offset:4; depth:4; threshold:type both,track by_src,count 5,seconds 60; classtype:attempted-admin; sid:1000006; rev:1;)

# 检测 PowerShell 下载命令
drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"LOCAL 检测到 PowerShell 下载命令"; http.user_agent; content:"PowerShell"; nocase; http.method; content:"GET"; classtype:trojan-activity; sid:1000007; rev:1;)

# 检测 ICMP 隧道(大型 ICMP 数据包)
alert icmp $HOME_NET any -> $EXTERNAL_NET any (msg:"LOCAL 超大 ICMP 数据包 - 可能存在隧道"; dsize:>800; threshold:type both,track by_src,count 10,seconds 60; classtype:bad-unknown; sid:1000008; rev:1;)
```

### 步骤 6:以 IPS 模式启动 Suricata

```bash
# 测试配置
sudo suricata -T -c /etc/suricata/suricata.yaml

# 以 NFQUEUE IPS 模式启动
sudo suricata -c /etc/suricata/suricata.yaml -q 0

# 以 AF_PACKET 内联模式启动
sudo suricata -c /etc/suricata/suricata.yaml --af-packet

# 作为 systemd 服务启动
sudo systemctl enable suricata
sudo systemctl start suricata

# 监控性能统计
tail -f /var/log/suricata/stats.log

# 不重启重新加载规则
sudo suricatasc -c reload-rules
```

## 监控与调优

### 性能指标

```bash
# 检查内核丢包
sudo suricatasc -c dump-counters | grep -E "capture.kernel_drops|decoder.pkts"

# 监控 EVE JSON 告警
tail -f /var/log/suricata/eve.json | jq 'select(.event_type=="alert")'

# 检查规则加载
grep -c "rules loaded" /var/log/suricata/suricata.log

# 内存使用
sudo suricatasc -c dump-counters | grep memuse
```

### 调优误报

```bash
# 识别噪音规则
cat /var/log/suricata/eve.json | jq -r 'select(.event_type=="alert") | .alert.signature_id' | sort | uniq -c | sort -rn | head -20

# 按源抑制特定规则
echo "suppress gen_id 1, sig_id 2100498, track by_src, ip 10.0.5.0/24" >> /etc/suricata/threshold.config

# 对告警进行速率限制
echo "rate_filter gen_id 1, sig_id 2100366, track by_src, count 10, seconds 60, new_action alert, timeout 300" >> /etc/suricata/threshold.config
```

## 最佳实践

- **先 IDS 模式** - 先以 IDS(仅告警)模式部署,调优 2-4 周后再切换到 IPS
- **故障开放** - 配置故障开放模式,确保 Suricata 崩溃时网络流量正常继续
- **规则调优** - 使用 threshold 和 suppress 指令减少误报,然后再启用 drop 动作
- **CPU 亲和性** - 将 Suricata 工作线程绑定到专用 CPU 核心以获得稳定性能
- **受信流量旁路** - 为已知良好流量使用 `pass` 规则以降低处理负载
- **定期更新** - 通过 cron 每天运行 `suricata-update` 保持签名最新
- **监控丢包** - 跟踪内核数据包丢失,必要时增加环形缓冲区大小

## 参考资料

- [Suricata Documentation](https://docs.suricata.io/en/latest/)
- [Suricata Rules Format](https://docs.suricata.io/en/latest/rules/index.html)
- [Emerging Threats Rulesets](https://rules.emergingthreats.net/)
- [OISF Suricata GitHub](https://github.com/OISF/suricata)
- [Suricata-Update Documentation](https://suricata-update.readthedocs.io/)

Related Skills

scanning-network-with-nmap-advanced

9
from killvxk/cybersecurity-skills-zh

使用 Nmap 的脚本引擎、时序控制、规避技术和输出解析,对授权目标网络执行高级网络侦察, 发现主机、枚举服务、检测漏洞并识别操作系统。

performing-wireless-network-penetration-test

9
from killvxk/cybersecurity-skills-zh

执行无线网络渗透测试,通过捕获握手包、破解 WPA2/WPA3 密钥、检测流氓接入点以及使用 Aircrack-ng 和相关工具测试无线网络分段,评估 WiFi 安全性。

performing-physical-intrusion-assessment

9
from killvxk/cybersecurity-skills-zh

通过尾随、门禁卡克隆、锁具绕过和流氓设备部署,执行授权的物理渗透测试,以评估设施安全控制措施的有效性。

performing-ot-network-security-assessment

9
from killvxk/cybersecurity-skills-zh

本技能涵盖对运营技术(OT)网络(包括SCADA系统、DCS架构和工业控制系统通信路径)进行全面安全评估。内容涉及Purdue参考模型各层、识别IT/OT融合风险、评估区域间防火墙规则,以及映射工业协议流量(Modbus、DNP3、OPC UA、EtherNet/IP),以检测关键基础设施中的错误配置、未授权连接和攻击面。

performing-network-traffic-analysis-with-zeek

9
from killvxk/cybersecurity-skills-zh

部署 Zeek 网络安全监控器,捕获、解析和分析网络流量元数据,用于威胁检测、异常识别和取证调查。

performing-network-traffic-analysis-with-tshark

9
from killvxk/cybersecurity-skills-zh

使用 tshark 和 pyshark 自动化网络流量分析,进行协议统计、可疑流量检测、DNS 异常识别以及从 PCAP 文件中提取威胁指标(IOC)

performing-network-packet-capture-analysis

9
from killvxk/cybersecurity-skills-zh

使用 Wireshark、tshark 和 tcpdump 对网络数据包捕获(PCAP/PCAPNG)进行取证分析,重建网络通信、提取传输文件、识别恶意流量,并建立数据渗出或命令与控制活动的证据。

performing-network-forensics-with-wireshark

9
from killvxk/cybersecurity-skills-zh

使用 Wireshark 和 tshark 捕获并分析网络流量,重建网络事件、提取制品并识别恶意通信。

performing-external-network-penetration-test

9
from killvxk/cybersecurity-skills-zh

依照 PTES 方法论,通过侦察、扫描、漏洞利用和报告等阶段,对面向互联网的基础设施执行全面的外部网络渗透测试,识别可利用漏洞。

implementing-zero-trust-with-hashicorp-boundary

9
from killvxk/cybersecurity-skills-zh

使用 HashiCorp Boundary 实现具备动态凭据代理、会话录制和 Vault 集成的身份感知零信任基础设施访问管理。

implementing-zero-trust-with-beyondcorp

9
from killvxk/cybersecurity-skills-zh

使用身份感知代理(IAP,Identity-Aware Proxy)、上下文感知访问策略、设备信任验证和 Access Context Manager,部署 Google BeyondCorp Enterprise 零信任访问控制,对 GCP 资源和内部应用强制执行基于身份和安全态势的访问。

implementing-zero-trust-network-access

9
from killvxk/cybersecurity-skills-zh

通过配置身份感知代理、微分段、基于条件访问策略的持续验证,以及在 AWS、Azure 和 GCP 环境中以 BeyondCorp 风格的架构替代传统 VPN 访问,在云环境中实施零信任网络访问(ZTNA)。