---
tags: SecBuzzer ESM Introduction
---

# Test commands

## Suricata rule trigger test

Rules folder path:
```
cd /opt/SecBuzzerESM/Suricata/suricata/rules/
```

Create a test rule file:
```
vi conn_test.rules
```

Add the test rule (the `classtype` value `csti-rule-ip-test` must be defined in Suricata's `classification.config`; otherwise Suricata reports an unknown classtype when it loads the rule):
```
alert ip $HOME_NET any -> 111.122.133.144 any (msg:"SecBuzzerESM Connection Testing"; classtype:csti-rule-ip-test; sid:66778899; rev:1;)
```

Change to the Suricata directory:
```
cd /opt/SecBuzzerESM/Suricata/
```

Restart Suricata to reload the rules. The option is `--env-file`; note that the stack is fully stopped between `down` and `up`, so traffic during that window is not inspected:
```
docker-compose --env-file ../SecBuzzerESM.env down   # stop
docker-compose --env-file ../SecBuzzerESM.env up -d  # start
```

Check the Suricata startup logs to confirm the rule was loaded (look for the line reporting how many rules were successfully loaded and how many failed):
```
docker logs suricata -f
```

Tail the eve log to watch for alerts (`<date>` is the date in the log file name):
```
tail -f /opt/Logs/Suricata/eve-<date>.json
```

Trigger the rule and check whether an alert is generated. The rule matches at the IP layer, so the outgoing SYN alone is enough; `curl` does not need a response and may simply time out:
```
curl 111.122.133.144
```

## Manual Suricata rule update

Method 1: update with the shell script
```
source /opt/SecBuzzerESM/Update_Suricata_rules.sh
```

Method 2: update from inside the Crontab container
```
docker exec -it cron bash
cd scripts
python3 Suricata_updater.py
```

## ESMedge main program version update

```
sudo su
cd ~
git clone https://github.com/myESM/ESM.git -b master   # development version
git clone https://github.com/myESM/ESM.git             # release version
cd ESM/SecBuzzerESM/
python3 Upgrade_ESM.py
```

Run only one of the two `git clone` lines. `git clone` refuses to write into an existing non-empty `ESM` directory, so remove any previous checkout under `~` first.
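The rule trigger test above is a manual sequence; the script below, an added example that is not part of SecBuzzerESM, wraps the same steps into functions and checks eve.json for the test sid instead of eyeballing `tail -f`. It takes the paths, the container name `suricata`, sid 66778899 and the destination 111.122.133.144 from this page; the `run_connection_test` function needs root, docker-compose and the ESM layout, while the self-check at the bottom runs offline against a constructed eve.json fragment. The `ls -t` pick of the newest `eve-*.json` file is an assumption about how the dated log files are named.

```bash
#!/usr/bin/env bash
# Added example (not SecBuzzerESM code): automate the Suricata connection test
# and verify the alert in eve.json by sid. Paths/names are from the page above.
set -u

RULES_DIR=/opt/SecBuzzerESM/Suricata/suricata/rules
COMPOSE_DIR=/opt/SecBuzzerESM/Suricata
ENV_FILE=../SecBuzzerESM.env
EVE_DIR=/opt/Logs/Suricata
TEST_SID=66778899
TEST_DST=111.122.133.144

# Build the test rule text for a destination IP and sid. It is an IP-layer rule:
# any packet from $HOME_NET to the destination matches, so a lone SYN to a host
# that never answers is enough to fire it.
make_test_rule() {
  printf 'alert ip $HOME_NET any -> %s any (msg:"SecBuzzerESM Connection Testing"; classtype:csti-rule-ip-test; sid:%s; rev:1;)\n' "$1" "$2"
}

# Count alert events for one sid in an EVE file (one JSON object per line).
# grep -c exits 1 when nothing matches, so keep its "0" and ignore the status.
count_alerts_for_sid() {
  local file="$1" sid="$2" n
  n=$(grep -c "\"event_type\":\"alert\".*\"signature_id\":${sid}[,}]" "$file" || true)
  printf '%s\n' "$n"
}

# Poll an EVE file until at least one alert for the sid appears (0) or the
# timeout in seconds expires (1).
wait_for_alert() {
  local file="$1" sid="$2" timeout="${3:-30}" i=0
  while [ "$i" -lt "$timeout" ]; do
    [ "$(count_alerts_for_sid "$file" "$sid")" -gt 0 ] && return 0
    sleep 1
    i=$((i + 1))
  done
  return 1
}

# Live procedure from the page: install the rule, restart the stack, confirm the
# rule set loaded, trigger with curl, then wait for the alert in the newest eve file.
run_connection_test() {
  make_test_rule "$TEST_DST" "$TEST_SID" > "$RULES_DIR/conn_test.rules"
  ( cd "$COMPOSE_DIR" &&
    docker-compose --env-file "$ENV_FILE" down &&
    docker-compose --env-file "$ENV_FILE" up -d ) || return 1
  sleep 10   # give Suricata time to parse the rule files
  docker logs suricata 2>&1 | grep -q "rules successfully loaded" \
    || { echo "Suricata did not report a successful rule load"; return 1; }
  local eve
  eve=$(ls -t "$EVE_DIR"/eve-*.json | head -n 1)   # assumption: dated eve-*.json files
  curl -m 5 -s "$TEST_DST" > /dev/null 2>&1 || true  # may time out; the SYN suffices
  wait_for_alert "$eve" "$TEST_SID" 30 \
    && echo "alert for sid $TEST_SID seen in $eve"
}

# Offline self-check on a constructed eve.json fragment (not real ESM output):
# one flow record, the expected test alert, and an unrelated alert with another sid.
SAMPLE_EVE=$(mktemp)
trap 'rm -f "$SAMPLE_EVE"' EXIT
cat > "$SAMPLE_EVE" <<'EOF'
{"timestamp":"2024-01-01T00:00:00.000000+0000","event_type":"flow","src_ip":"10.0.0.5","dest_ip":"111.122.133.144"}
{"timestamp":"2024-01-01T00:00:01.000000+0000","event_type":"alert","src_ip":"10.0.0.5","dest_ip":"111.122.133.144","alert":{"action":"allowed","gid":1,"signature_id":66778899,"rev":1,"signature":"SecBuzzerESM Connection Testing","category":"","severity":3}}
{"timestamp":"2024-01-01T00:00:02.000000+0000","event_type":"alert","src_ip":"10.0.0.5","dest_ip":"10.0.0.9","alert":{"action":"allowed","gid":1,"signature_id":1000001,"rev":1,"signature":"constructed unrelated alert","category":"","severity":3}}
EOF
echo "self-check: $(count_alerts_for_sid "$SAMPLE_EVE" "$TEST_SID") alert(s) for sid $TEST_SID in the constructed sample"
```

Run the file as-is for the offline self-check; on an ESM host, source it and call `run_connection_test` as root to execute the live sequence. Matching on `"signature_id":<sid>` followed by `,` or `}` avoids counting a longer sid that merely starts with the same digits.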