You can install Ubuntu in a virtual machine, or set up a dual-boot system.
- Ubuntu in a virtual machine (tutorial): https://www.kjnotes.com/linux/29
- Dual-boot tutorial: https://www.youtube.com/watch?v=yMHOpOuyjdc&t=208s&ab_channel=%E5%A2%9E%E5%BB%A3%E5%BB%BA%E6%96%87
Guest Additions makes working between the virtual machine and the host system more convenient, giving better integration and performance.
- Install:
```bash
sudo apt update
sudo apt install dkms build-essential linux-headers-generic
```
- Reboot:
```bash
sudo reboot
```
:::warning
The Wazuh Server and the Wazuh Agent must be installed on different PCs.
:::
- First switch to root:
```bash
sudo -s
```
:::info
Tip: press ctrl+d to leave the root shell.
:::
- Install the necessary packages:
```bash
apt install curl apt-transport-https unzip wget libcap2-bin software-properties-common lsb-release gnupg
```
- Install the GPG key:
```bash
curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH | gpg --no-default-keyring --keyring gnupg-ring:/usr/share/keyrings/wazuh.gpg --import && chmod 644 /usr/share/keyrings/wazuh.gpg
```
- Add the repository:
```bash
echo "deb [signed-by=/usr/share/keyrings/wazuh.gpg] https://packages.wazuh.com/4.x/apt/ stable main" | tee -a /etc/apt/sources.list.d/wazuh.list
```
- Update:
```bash
apt-get update
```
- Install:
```bash
apt-get install wazuh-manager
```
- Enable and start the service:
```bash
systemctl daemon-reload
systemctl enable wazuh-manager
systemctl start wazuh-manager
```
- Confirm that the service is "active":
```bash
systemctl status wazuh-manager
```
:::info
Tip: press ctrl+c to exit the status view.
:::
- Install:
```bash
add-apt-repository ppa:oisf/suricata-stable
apt update
apt install suricata jq vim
```
- Set the network interface the IDS will monitor. First run the following and note your network interface:
```bash
ip addr
```
:::info
vim tips: press `i` to enter insert mode, press `esc` to return to normal mode, type `:wq` to save and quit vim, and type `/` to search.
:::
- Configure:
```bash
vim /etc/suricata/suricata.yaml   # open the Suricata configuration file
```
Modify the following sections:
```yaml
## in suricata.yaml ##
af-packet:
  - interface: <your network interface (e.g. ens160)>
    cluster-id: 99
    cluster-type: cluster_flow
    defrag: yes
    use-mmap: yes
    tpacket-v3: yes
```
```yaml
pcap:
  - interface: enp0s3
    # On Linux, pcap will try to use mmap'ed capture and will use "buffer-size"
    # as total memory used by the ring. So set this to something bigger
    # than 1% of your bandwidth.
    #buffer-size: 16777216
    #bpf-filter: "tcp and port 25"
  .....
```
Set the internal and external networks for the IDS:
```yaml
## in /etc/suricata/suricata.yaml ##
vars:
  # more specific is better for alert accuracy and performance
  address-groups:
    #HOME_NET: "[192.168.0.0/16, 10.0.0.0/8,172.16.0.0/12]"
    HOME_NET: "[<IP network of the interface Suricata monitors>]"   # change it to this, e.g. 192.168.0.20/24
    #HOME_NET: "[192.168.0.0/16]"
    #HOME_NET: "[10.0.0.0/8]"
    #HOME_NET: "[172.16.0.0/12]"
    #HOME_NET: "any"
    EXTERNAL_NET: "!$HOME_NET"   # change it to this
```
```yaml
# Configure the type of alert (and other) logging you would like.
outputs:
  # a line based alerts log similar to Snort's fast.log
  - fast:
      enabled: yes
      filetype: regular
      filename: /var/log/suricata/%Y/fast-%m-%d.log
      append: yes
      rotate-interval: day
```
- Install the rule sets into Suricata:
```bash
suricata-update
```
- Try adding a rule file. The example below adds a rule that detects a DDoS (SYN flood). Create a new rule file under `/var/lib/suricata/rules`:
```bash
sudo vim /var/lib/suricata/rules/test-ddos.rules
```
Then put the following rule into the file:
```
alert tcp any any -> $HOME_NET any (msg: "Possible DDoS attack!"; flags: S; flow: stateless; threshold: type both, track by_dst, count 1000, seconds 1; classtype: misc-attack; priority:1; sid:1000001; rev:1;)
```
Finally, remember to register the file in the IDS configuration:
```bash
vim /etc/suricata/suricata.yaml
```
```yaml
rule-files:
  - suricata.rules
  - test-ddos.rules   # add this line
```
- Restart the NIDS:
```bash
systemctl restart suricata
```
After adding rules, always validate the Suricata configuration by running:
```bash
sudo suricata -T -c /etc/suricata/suricata.yaml -v
```
- Reference for writing rules: https://hackmd.io/5q4wKkr2T0enMZ2FfkHxwQ
- Install hping3 on another PC:
```bash
apt-get install hping3
```
- Simulate a DDoS attack with hping3 (lab traffic against your own IDS host):
```bash
sudo hping3 -S -p 80 --flood --rand-source <IP of the target host>
```
- On the target host (the one running the IDS), watch the alert log:
```bash
tail -f /var/log/suricata/fast.log
```
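Watching `tail -f` is fine for a quick check, but to see whether the `test-ddos.rules` signature actually fired and against which host, it helps to parse the `fast.log` lines. The following Python script is an added example (not part of the original notes or the NCKU_IIot_SEC project): it parses the standard Suricata `fast.log` line format, then counts alerts per signature and per destination host. The sample log lines embedded in it are constructed for the demonstration; sid 1000002 and its message are invented placeholders.

```python
"""Parse Suricata fast.log alert lines and summarise alerts per signature and target."""
import re
from collections import Counter

# One fast.log line looks like:
#   <timestamp>  [**] [gid:sid:rev] <msg> [**] [Classification: <c>] [Priority: <p>] {PROTO} src:sport -> dst:dport
FAST_LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<classification>[^\]]*)\]\s+)?"
    r"\[Priority:\s*(?P<priority>\d+)\]\s+"
    r"\{(?P<proto>[^}]+)\}\s+"
    r"(?P<src>\S+):(?P<sport>\d+)\s+->\s+(?P<dst>\S+):(?P<dport>\d+)\s*$"
)


def parse_fast_log_line(line):
    """Return the alert fields of one fast.log line as a dict, or None if the line is not an alert."""
    m = FAST_LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    for key in ("sid", "priority", "sport", "dport"):
        rec[key] = int(rec[key])
    return rec


def summarize_alerts(lines):
    """Count parsed alerts per (sid, msg) and per destination host, plus how many were priority 1."""
    by_sig = Counter()
    by_dst = Counter()
    high = 0
    skipped = 0
    for line in lines:
        rec = parse_fast_log_line(line)
        if rec is None:
            skipped += 1  # blank or unrecognised lines are counted, not silently dropped
            continue
        by_sig[(rec["sid"], rec["msg"])] += 1
        by_dst[rec["dst"]] += 1
        if rec["priority"] == 1:
            high += 1
    return {"by_signature": by_sig, "by_destination": by_dst, "priority_1": high, "skipped": skipped}


# Constructed sample lines in the fast.log format (not captured from a real sensor).
SAMPLE_FAST_LOG = [
    "01/29/2024-14:03:21.512345  [**] [1:1000001:1] Possible DDoS attack! [**] [Classification: Misc Attack] [Priority: 1] {TCP} 203.0.113.7:51234 -> 192.168.0.20:80",
    "01/29/2024-14:03:22.612345  [**] [1:1000001:1] Possible DDoS attack! [**] [Classification: Misc Attack] [Priority: 1] {TCP} 198.51.100.9:4455 -> 192.168.0.20:80",
    "01/29/2024-14:05:02.000001  [**] [1:1000002:1] Constructed example rule [**] [Classification: Not Suspicious Traffic] [Priority: 3] {UDP} 192.168.0.33:50122 -> 192.168.0.20:53",
    "this line is not an alert",
]

if __name__ == "__main__":
    # Real use: summarize_alerts(open("/var/log/suricata/fast.log"))
    s = summarize_alerts(SAMPLE_FAST_LOG)
    for (sid, msg), n in s["by_signature"].most_common():
        print(f"sid {sid} ({msg}): {n} alert(s)")
    for dst, n in s["by_destination"].most_common():
        print(f"target {dst}: {n} alert(s)")
    print(f"priority-1 alerts: {s['priority_1']}, unparsed lines: {s['skipped']}")
```

Because the SYN-flood rule uses `threshold: type both ... count 1000, seconds 1`, a single alert line represents at least 1000 SYNs to one destination in one second, so a per-destination count is the quickest way to confirm the flood was seen against the right host.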
- Install:
```bash
sudo apt update
sudo apt install wireshark
sudo dpkg-reconfigure wireshark-common
sudo chmod +x /usr/bin/dumpcap
```
- Add your user to the wireshark group (without this you will not have capture permission):
```bash
sudo adduser $USERNAME wireshark
```
- Download the installer (try the latest Anaconda release):
```bash
sudo wget https://repo.anaconda.com/archive/Anaconda3-2023.09-0-Linux-x86_64.sh
```
- Install Anaconda3:
```bash
bash Anaconda3-2023.09-0-Linux-x86_64.sh
```
- Test whether conda was installed successfully:
```bash
conda --version
```
If that fails, edit the environment variables:
```bash
vim ~/.bashrc
```
Append the following at the end of the file:
```bash
# added by Anaconda3 5.3.1 installer
# >>> conda init >>>
# !! Contents within this block are managed by 'conda init' !!
__conda_setup="$(CONDA_REPORT_ERRORS=false '/home/server/anaconda3/bin/conda' shell.bash hook 2> /dev/null)"
if [ $? -eq 0 ]; then
    \eval "$__conda_setup"
else
    if [ -f "/home/server/anaconda3/etc/profile.d/conda.sh" ]; then
        . "/home/server/anaconda3/etc/profile.d/conda.sh"
        CONDA_CHANGEPS1=false conda activate base
    else
        \export PATH="/home/server/anaconda3/bin:$PATH"
    fi
fi
export PATH="/home/server/anaconda3/bin:$PATH"
unset __conda_setup
# <<< conda init <<<
```
:::warning
Note: replace every anaconda path with your own installation path; do not copy and paste as-is!
:::
After editing, run:
```bash
source ~/.bashrc
```
- Set up Docker's apt repository.
```bash
# Add Docker's official GPG key:
sudo apt-get update
sudo apt-get install ca-certificates curl gnupg
sudo install -m 0755 -d /etc/apt/keyrings
curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo gpg --dearmor -o /etc/apt/keyrings/docker.gpg
sudo chmod a+r /etc/apt/keyrings/docker.gpg

# Add the repository to Apt sources:
echo \
  "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/ubuntu \
  $(. /etc/os-release && echo "$VERSION_CODENAME") stable" | \
  sudo tee /etc/apt/sources.list.d/docker.list > /dev/null
sudo apt-get update
```
- Install the Docker packages.
```bash
sudo apt-get install docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin
```
- Verify that the Docker Engine installation is successful by running the `hello-world` image.
```bash
sudo docker run hello-world
```
- Add your user to the docker group so that sudo is no longer needed:
```bash
sudo usermod -aG docker <your_username>
```
- Reboot:
```bash
sudo reboot
```
- Create a `docker-compose.yaml` file:
```yaml
# Use root/example as user/password credentials
version: '3.1'

services:

  mongo:
    image: mongo:4.1.10
    restart: always
    ports:
      - 27017:27017
    environment:
      MONGO_INITDB_ROOT_USERNAME: root
      MONGO_INITDB_ROOT_PASSWORD: ncku

  mongo-express:
    image: mongo-express
    restart: always
    ports:
      - 8081:8081
    environment:
      ME_CONFIG_MONGODB_ADMINUSERNAME: root
      ME_CONFIG_MONGODB_ADMINPASSWORD: ncku
      ME_CONFIG_MONGODB_URL: mongodb://root:ncku@mongo:27017/
```
- Start the containers:
```bash
sudo docker compose up
```
- To confirm it worked, open http://localhost:8081/ (username: admin, password: pass).
- First look up the container id of mongo:
```bash
docker ps
```
- Open a mongo shell in the container:
```bash
docker exec -it <your mongo id> mongo
```
- Once inside, authenticate before querying:
```
> use admin
switched to db admin
> db.auth("root", "ncku")
1
> show dbs
admin     0.000GB
config    0.000GB
local     0.000GB
pythondb  0.000GB
> use pythondb
> db.posts.count()
> db.posts.find().pretty()
```
- Download the files with git clone:
```bash
git clone https://github.com/brianlin314/NCKU_IIot_SEC.git
```
- After the download completes, first create a `config.json` in that folder, as shown below:
  - `dash_user_name` and `dash_user_password` are the username and password for logging in to the Dashboard.
  - `sudoPassword` is the password of the virtual machine.
  - Set `agent_ip` to the IP of your own endpoint.
```json
{
    "mongoUrl": "mongodb://root:ncku@localhost:27017/",
    "dash_user_name": "",
    "dash_user_password": "",
    "sudoPassword": "",
    "hidsdirpath": "/var/ossec/logs/alerts/",
    "nidsdirpath": "/var/log/suricata/",
    "pcapdirpath": "./wirepcap/pcap/",
    "csvdirpath": "./wirepcap/csv/",
    "model_path": "anomaly_AE_new.pth",
    "nids_agent_options": [
        {"label": "Server", "value": "Server"},
        {"label": "PCs", "value": "PCs"}
    ],
    "hids_agent_options": [
        {"label": "Server", "value": "Server"},
        {"label": "PC_1", "value": "PC_1"},
        {"label": "PC_2", "value": "PC_2"},
        {"label": "PC_3", "value": "PC_3"}
    ],
    "usb_add_options": [
        {"label": "Server", "value": "000"},
        {"label": "PC_1", "value": "001"},
        {"label": "PC_2", "value": "002"},
        {"label": "PC_3", "value": "003"}
    ],
    "agent_ip": {
        "Server": "255.255.255.255",
        "PCs": "255.255.255.255"
    },
    "agent_id": {
        "Server": "000",
        "PC_1": "001",
        "PC_2": "002",
        "PC_3": "003"
    }
}
```
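The template above ships with empty credentials and `255.255.255.255` as the `agent_ip` placeholder, and the dashboard has no obvious way of telling you which field you forgot. The following Python checker is an added example (not part of the NCKU_IIot_SEC repository): it reads the same `config.json` layout, reports empty credentials, placeholder or malformed agent IPs, option labels with no matching `agent_id`, and `usb_add_options` values that disagree with `agent_id`. The sample config embedded in it is constructed; the IPs and passwords in it are made up.

```python
"""Check a dashboard config.json before starting app.py (added example, not project code)."""
import ipaddress
import json

# Keys present in the template on the page; the dashboard expects all of them.
REQUIRED_KEYS = (
    "mongoUrl", "dash_user_name", "dash_user_password", "sudoPassword",
    "hidsdirpath", "nidsdirpath", "pcapdirpath", "csvdirpath", "model_path",
    "nids_agent_options", "hids_agent_options", "usb_add_options",
    "agent_ip", "agent_id",
)
# The template ships with this value in agent_ip; it must be replaced with the real endpoint IPs.
PLACEHOLDER_IP = "255.255.255.255"


def check_config(cfg):
    """Return a list of problems found in a parsed config dict (an empty list means it looks usable)."""
    problems = []
    for key in REQUIRED_KEYS:
        if key not in cfg:
            problems.append(f"missing key: {key}")
    for key in ("dash_user_name", "dash_user_password", "sudoPassword"):
        if not cfg.get(key):
            problems.append(f"{key} is empty")
    for name, ip in cfg.get("agent_ip", {}).items():
        if ip == PLACEHOLDER_IP:
            problems.append(f"agent_ip[{name}] still has the placeholder {PLACEHOLDER_IP}")
            continue
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            problems.append(f"agent_ip[{name}] is not a valid IP address: {ip!r}")
    # Every HIDS option label must map to an agent_id so the dashboard can resolve it.
    ids = cfg.get("agent_id", {})
    for opt in cfg.get("hids_agent_options", []):
        if opt.get("label") not in ids:
            problems.append(f"hids_agent_options label {opt.get('label')!r} has no agent_id entry")
    # usb_add_options values should agree with agent_id for the same label.
    for opt in cfg.get("usb_add_options", []):
        label, value = opt.get("label"), opt.get("value")
        if label in ids and ids[label] != value:
            problems.append(f"usb_add_options[{label}] = {value!r} but agent_id[{label}] = {ids[label]!r}")
    if not str(cfg.get("mongoUrl", "")).startswith("mongodb://"):
        problems.append("mongoUrl does not look like a MongoDB connection string")
    return problems


def check_config_file(path):
    """Load config.json from disk and return its problems."""
    with open(path, encoding="utf-8") as fh:
        return check_config(json.load(fh))


# Constructed sample: the page's template with credentials filled in and made-up agent IPs.
SAMPLE_CONFIG = {
    "mongoUrl": "mongodb://root:ncku@localhost:27017/",
    "dash_user_name": "admin", "dash_user_password": "change-me", "sudoPassword": "vm-password",
    "hidsdirpath": "/var/ossec/logs/alerts/", "nidsdirpath": "/var/log/suricata/",
    "pcapdirpath": "./wirepcap/pcap/", "csvdirpath": "./wirepcap/csv/", "model_path": "anomaly_AE_new.pth",
    "nids_agent_options": [{"label": "Server", "value": "Server"}, {"label": "PCs", "value": "PCs"}],
    "hids_agent_options": [{"label": "Server", "value": "Server"}, {"label": "PC_1", "value": "PC_1"}],
    "usb_add_options": [{"label": "Server", "value": "000"}, {"label": "PC_1", "value": "001"}],
    "agent_ip": {"Server": "192.168.0.20", "PCs": "192.168.0.21"},
    "agent_id": {"Server": "000", "PC_1": "001"},
}

if __name__ == "__main__":
    # Real use: for p in check_config_file("config.json"): print(p)
    for p in check_config(SAMPLE_CONFIG) or ["config looks usable"]:
        print(p)
```

Run it from the repository folder before `python app.py`; an empty result means every field the template asks for has been filled in.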
- Install the required packages and create the virtual environment:
```bash
conda create -y -n dashboard python=3.8   # create the virtual environment
conda activate dashboard                  # enter the virtual environment
conda install pytorch torchvision torchaudio cpuonly -c pytorch   # install the CPU build of PyTorch
pip install pandas==1.3.5 pymongo==4.0.1 scikit-learn==1.3.2 dash==2.3.1 dash-bootstrap-components==0.13.1 feffery-antd-components==0.1.5 dash-extensions==0.1.3 Flask==2.0.2 Werkzeug==2.2.2 cicflowmeter==0.1.6 scapy==2.4.3 scipy==1.4.1 numpy==1.18.0   # install the required packages
cd NCKU_IIot_SEC
mkdir -p ./wirepcap/pcap ./wirepcap/csv   # create the Wireshark folders inside the repository (matches pcapdirpath/csvdirpath in config.json)
python app.py                             # run the dashboard
```
:::info
If a package install ends with `killed`, run `pip install <your-package-name> --no-cache-dir`.
:::
:::warning
Possible problem: `OSError: [Errno 98] Address already in use`. Use the following command:
```bash
sudo lsof -t -i tcp:8050 | xargs kill -9
```
:::
- Replace `/var/ossec/etc/rules/local_rules.xml` with the `local_rules.xml` from the cloned repository:
```xml
<!-- Local rules -->
<!-- Modify it at your will. -->
<!-- Copyright (C) 2015, Wazuh Inc. -->

<!-- Example -->
<group name="local,syslog,sshd,">
  <!-- Dec 10 01:02:02 host sshd[1234]: Failed none for root from 1.1.1.1 port 1066 ssh2 -->
  <rule id="5760" level="12" overwrite="yes">
    <if_sid>5700,5716</if_sid>
    <match>Failed password|Failed keyboard|authentication error</match>
    <description>sshd: authentication failed.</description>
    <mitre>
      <id>T1110.001</id>
      <id>T1021.004</id>
    </mitre>
    <group>authentication_failed,gdpr_IV_35.7.d,gdpr_IV_32.2,gpg13_7.1,hipaa_164.312.b,nist_800_53_AU.14,nist_800_53_AC.7,pci_dss_10.2.4,pci_dss_10.2.5,tsc_CC6.1,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,</group>
  </rule>
</group>

<group name="usb,">
  <rule id="81104" level="3">
    <if_sid>81100</if_sid>
    <match>SerialNumber</match>
    <description>usb.serial_number</description>
  </rule>
</group>
```
Configure Wireshark to capture packets continuously so the AI model can classify them.
- Open Wireshark and choose Capture from the top toolbar.
- For the pcap output location choose `NCKU_IIoT_SEC/wirepcap/pcap/`, and set the file size to 10 MB.
:::warning
Set the file size to exactly 10 MB; do not pick a different value.
:::
:::warning
The Wazuh (HIDS) Server and Agent must be installed on different PCs. Choose the installation steps below according to the operating system of the PC that will run the Agent.
:::
- Go to the Wazuh website and click Windows Installer.
- Open Wazuh Agent Manager, fill in the Server IP, click Save, then click Manage -> Restart.
- Configuration: press Win + R and run
```
secpol.msc
```
- Install:
```bash
curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH | gpg --no-default-keyring --keyring gnupg-ring:/usr/share/keyrings/wazuh.gpg --import && chmod 644 /usr/share/keyrings/wazuh.gpg
echo "deb [signed-by=/usr/share/keyrings/wazuh.gpg] https://packages.wazuh.com/4.x/apt/ stable main" | tee -a /etc/apt/sources.list.d/wazuh.list
```
- Update, install the agent package, and start the service:
```bash
sudo apt-get update
apt-get install wazuh-agent   # the agent package (the unit enabled below and held back further down)
systemctl daemon-reload
systemctl enable wazuh-agent
systemctl start wazuh-agent
```
- Disable automatic updates, so that a version mismatch does not stop the agent from working:
```bash
sed -i "s/^deb/#deb/" /etc/apt/sources.list.d/wazuh.list
apt-get update
echo "wazuh-agent hold" | dpkg --set-selections
```
- Configure:
```bash
vim /var/ossec/etc/ossec.conf
```
Change the Server IP to the IP of the Server:
```xml
<client>
  <server>
    <address>SERVER_IP</address>
    ...
  </server>
</client>
```
On the Server, list the registered agents to confirm the agent connected:
```bash
sudo /var/ossec/bin/agent_control -l
```
- First check your VirtualBox version and find the matching Extension Pack version.
- Download the corresponding Extension Pack.
- Change the USB setting of the VM to the USB 3.0 (xHCI) Controller.
- Reference: https://hackmd.io/HWSChGurR6S2rwUVCklGtA?view
- It may only run on Linux.
- If it does not run properly, check that the following package versions are correct:
:::info
numpy==1.18.0
scipy==1.4.1
scapy==2.4.3
:::
- If you hit the following error, edit the file inside that virtual environment:
:::danger
```
File "/home/p76111262/anaconda3/envs/thesis/lib/python3.8/site-packages/cicflowmeter/features/flow_bytes.py", line 182, in get_min_forward_header_bytes
    return min(
ValueError: min() arg is an empty sequence
```
:::
Replace the method with the version below, which returns 0 when the flow has no forward packets instead of calling `min()` on an empty sequence (`PacketDirection` and `_header_size` are already available in `flow_bytes.py`):
```python
def get_min_forward_header_bytes(self) -> int:
    """Calculates the amount of header bytes in the header sent in the opposite direction as the flow.

    Returns:
        int: The amount of bytes.
    """
    packets = self.feature.packets

    # Count the forward packets first; a flow with only reverse packets
    # would otherwise hand min() an empty generator and raise ValueError.
    forward_cnt = 0
    for packet, direction in packets:
        if direction == PacketDirection.FORWARD:
            forward_cnt += 1
    if forward_cnt == 0:
        return 0

    return min(
        self._header_size(packet)
        for packet, direction in packets
        if direction == PacketDirection.FORWARD
    )
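The failure above is the general case of calling `min()` on an empty selection, and the same thing can happen for the reverse direction. The stand-alone Python below is an added example (not cicflowmeter code): it reproduces the error with a constructed flow that has no forward packets, and shows the same fix generalised to either direction using `min(..., default=0)`. The `PacketDirection` enum and `header_size` helper are simplified stand-ins for the library's own `PacketDirection` and `FlowBytes._header_size`, and the member names are an assumption.

```python
"""Reproduce the empty-sequence failure and show the generalised fix (added example)."""
from enum import Enum


class PacketDirection(Enum):
    """Stand-in for cicflowmeter's PacketDirection (assumption: two members, FORWARD and REVERSE)."""
    FORWARD = 1
    REVERSE = 2


def header_size(packet):
    """Stand-in for FlowBytes._header_size; packets here are dicts carrying a precomputed header length."""
    return packet["hdr"]


def min_header_bytes_unpatched(packets, direction):
    """Behaviour of the original method: min() over a generator that may be empty."""
    return min(header_size(p) for p, d in packets if d == direction)


def min_header_bytes(packets, direction):
    """Patched logic for either direction: an empty selection yields 0 instead of raising ValueError."""
    return min((header_size(p) for p, d in packets if d == direction), default=0)


def unpatched_raises_on(packets, direction):
    """True if the original logic raises ValueError for this flow and direction."""
    try:
        min_header_bytes_unpatched(packets, direction)
    except ValueError:
        return True
    return False


# Constructed flow: one forward packet and two reverse packets.
FLOW = [
    ({"hdr": 40}, PacketDirection.FORWARD),
    ({"hdr": 20}, PacketDirection.REVERSE),
    ({"hdr": 32}, PacketDirection.REVERSE),
]
# Constructed flow with no forward packets: the case that produced the traceback.
REVERSE_ONLY_FLOW = [(p, d) for p, d in FLOW if d == PacketDirection.REVERSE]

if __name__ == "__main__":
    print(min_header_bytes(FLOW, PacketDirection.FORWARD))                  # 40
    print(min_header_bytes(FLOW, PacketDirection.REVERSE))                  # 20
    print(min_header_bytes(REVERSE_ONLY_FLOW, PacketDirection.FORWARD))     # 0
    print(unpatched_raises_on(REVERSE_ONLY_FLOW, PacketDirection.FORWARD))  # True
```

Flows with traffic in only one direction are common in capture data (scans, unanswered SYNs, one-way UDP), so a feature extractor that feeds a model must return a defined value for the empty case rather than abort the whole batch.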