Finished re-testing after the rewrite; alloy seems a bit faster, or maybe that is just my imagination.
Looking them over, Promtail and alloy really are very alike, so the test just worked.
Using snort3 with alloy to push JSON to loki
alloy and snort3 are both installed on kali-linux
For snort3, the kali-linux 2026 release already ships version 3.12
Install it with apt install snort3, which saves compiling from source
Edit the snort3 config file
Add the rules parameters and the alert parameters
Create the directory the log will go in
mkdir -p /var/log/snort
Set its permissions to 775
Test with snort -c /etc/snort/snort.lua -T
If there are no errors, you can start running it for a test
Run snort -c /etc/snort/snort.lua -i eth0 -A alert_json -L /var/log/snort/
Feed it some traffic with ping google.com; the test rule matches icmp
Then check the alert log in /var/log/snort/
Next install the alloy component so it can ship the LOG out
Installing and configuring alloy
sudo apt-get update # refresh the package lists
sudo apt-get install -y apt-transport-https software-properties-common wget # install the required packages
sudo mkdir -p /etc/apt/keyrings # create the keyrings directory
wget -q -O - https://apt.grafana.com/gpg.key | gpg --dearmor | sudo tee /etc/apt/keyrings/grafana.gpg > /dev/null # download and add the Grafana GPG key
echo "deb [signed-by=/etc/apt/keyrings/grafana.gpg] https://apt.grafana.com stable main" | sudo tee /etc/apt/sources.list.d/grafana.list # add the repository (Stable channel)
sudo apt-get update # refresh the package lists
sudo apt-get install alloy # install alloy
There are two config files
One is the config file used when bringing up the containers
Create docker-compose.yml and config.alloy in the same directory
When the container is created it reads config.alloy
The other is the config file for alloy on the client side; mine is under kali-linux
sudo nano /etc/alloy/config.alloy # this is the config file on the kali-linux side
sudo usermod -aG adm alloy # add the alloy user to the adm group
sudo mkdir -p /var/lib/alloy # create the directory
sudo groupadd alloy # create the alloy group
sudo usermod -aG alloy alloy # add the alloy user to the alloy group
sudo chown -R alloy:alloy /var/lib/alloy # change ownership of the directory
sudo chmod 755 /var/lib/alloy # make sure the permissions are right
sudo systemctl start alloy # start alloy
sudo systemctl enable alloy # start it automatically at boot
sudo systemctl status alloy # check the status; active (running) means it worked
sudo -u alloy ls -l /var/log/snort/alert_json.txt # check that the file is readable as the alloy user
sudo chmod 644 /var/log/snort/alert_json.txt # adjust permissions
sudo chmod 755 /var/log/snort/ # adjust permissions
journalctl -u alloy -f # follow the service log
/etc/alloy/config.alloy, contents below. This one can run against multiple endpoints, so the log does not need to be cleared out; picking up from the last line works too.
---------------------------------------------------------------------------------------------------
// discover the log file
local.file_match "snort_alerts" {
  path_targets = [{
    __address__ = "localhost",
    __path__    = "/var/log/snort/alert_json.txt",
    job         = "snort3",
  }]
}

// read the log file
loki.source.file "snort_reader" {
  targets    = local.file_match.snort_alerts.targets
  forward_to = [loki.process.snort_pipeline.receiver]
}

// process the log lines
loki.process "snort_pipeline" {
  // parse the JSON fields
  stage.json {
    expressions = {
      timestamp = "timestamp",
      action    = "action",
      class     = "class",
      msg       = "msg",
      proto     = "proto",
      src_addr  = "src_addr",
      dst_addr  = "dst_addr",
    }
  }

  // turn the important fields into labels
  stage.labels {
    values = {
      action = null,
      class  = null,
      proto  = null,
    }
  }

  // format the line body
  stage.template {
    source   = "output_msg"
    template = "[{{.action}}] {{.proto}} {{.src_addr}} -> {{.dst_addr}} | {{.msg}}"
  }

  stage.output {
    source = "output_msg"
  }

  forward_to = [loki.write.local_loki.receiver]
}

// send to Loki
loki.write "local_loki" {
  endpoint {
    url = "http://localhost:3100/loki/api/v1/push" // localhost is loki's IP (Alloy config comments use //, not #)
  }
}
-----------------------------------------------------------------------------------------------
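To see what the loki.process pipeline above actually does to a Snort3 alert line before it reaches Loki, here is an added Python simulation (my own example, not Alloy or Snort code) of the stage.json, stage.labels, stage.template and stage.output steps, run over constructed alert_json-style lines. It assumes the field names from the config above, and it keeps only action, class and proto as labels while src_addr and dst_addr stay in the line body, so per-IP values do not multiply Loki's streams.

```python
import json
import re
from collections import defaultdict

# Field mapping, label set and template copied from the /etc/alloy/config.alloy above.
EXPRESSIONS = {"timestamp": "timestamp", "action": "action", "class": "class", "msg": "msg",
               "proto": "proto", "src_addr": "src_addr", "dst_addr": "dst_addr"}
LABEL_KEYS = ("action", "class", "proto")
TEMPLATE = "[{{.action}}] {{.proto}} {{.src_addr}} -> {{.dst_addr}} | {{.msg}}"

# Constructed lines in the shape Snort3's alert_json logger writes (not a real capture).
SAMPLE_ALERTS = [
    '{ "timestamp" : "01/29-14:53:06.153052", "proto" : "ICMP", "src_addr" : "192.0.2.10", '
    '"dst_addr" : "198.51.100.5", "action" : "alert", "msg" : "ICMP test", "class" : "none" }',
    '{ "timestamp" : "01/29-14:53:07.201113", "proto" : "ICMP", "src_addr" : "192.0.2.11", '
    '"dst_addr" : "198.51.100.5", "action" : "alert", "msg" : "ICMP test", "class" : "none" }',
    '{ "timestamp" : "01/29-14:53:09.000421", "proto" : "TCP", "src_addr" : "192.0.2.10", '
    '"dst_addr" : "198.51.100.7", "action" : "allow", "msg" : "TCP test", "class" : "none" }',
    "snort: not a json line",  # a stray non-JSON line; stage.json must not drop it
]


def run_pipeline(line, job="snort3"):
    """Apply stage.json/labels/template/output to one line; return (labels, output_line)."""
    try:
        doc = json.loads(line)
    except json.JSONDecodeError:
        # stage.json cannot parse the line: nothing is extracted and the entry continues
        # unchanged, carrying only the static labels from local.file_match.
        return {"job": job}, line
    extracted = {k: str(doc[src]) for k, src in EXPRESSIONS.items() if src in doc}
    labels = {"job": job}  # loki.source.file would also add a filename label (omitted here)
    # stage.labels with value null: the label name is the extracted key name.
    labels.update({k: extracted[k] for k in LABEL_KEYS if k in extracted})
    # stage.template: Go text/template over the extracted map; a missing key renders "<no value>".
    rendered = re.sub(r"\{\{\.(\w+)\}\}",
                      lambda m: extracted.get(m.group(1), "<no value>"), TEMPLATE)
    return labels, rendered  # stage.output replaces the line body with output_msg


def build_push_payload(lines, ts_ns):
    """Group pipeline results by label set into a /loki/api/v1/push request body.

    ts_ns is the ingestion time in nanoseconds: the config has no stage.timestamp, so
    Loki stamps entries at read time rather than from Snort's own "timestamp" field.
    """
    streams = defaultdict(list)
    for line in lines:
        labels, out = run_pipeline(line)
        streams[tuple(sorted(labels.items()))].append([str(ts_ns), out])
    return {"streams": [{"stream": dict(k), "values": v} for k, v in streams.items()]}
```

Running build_push_payload over the four sample lines yields three streams: the two ICMP alerts share one label set, the TCP allow gets another, and the non-JSON line lands in a job-only stream, which is exactly what a {job="snort3"} query in Grafana will show.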
docker-compose.yml
-----------------------------------------------------------------------------------------------
services:
  # Loki:
  loki:
    image: "grafana/loki:latest"
    ports:
      - "3100:3100"
    command: -config.file=/etc/loki/local-config.yaml
    restart: always
  # Grafana:
  grafana:
    image: "grafana/grafana:latest"
    ports:
      - "3000:3000"
    environment:
      - GF_SECURITY_ADMIN_PASSWORD=admin
    restart: always
  # Alloy:
  alloy:
    image: "grafana/alloy:latest"
    volumes:
      - "./config.alloy:/etc/alloy/config.alloy"
      - "/var/log/snort:/var/log/snort:ro"
    command: "run --storage.path=/var/lib/alloy/data /etc/alloy/config.alloy"
    ports:
      - "12345:12345"
    restart: "always"
------------------------------------------------------------------------------------------------------
config.alloy
------------------------------------------------------------------------------------------------------
local.file_match "snort3_log" {
  path_targets = [{
    __address__ = "localhost",
    __path__    = "/var/log/snort/alert_json.txt",
    job         = "snort",
    instance    = "ids-node-01",
  }]
}

loki.source.file "snort_scrape" {
  targets    = local.file_match.snort3_log.targets
  forward_to = [loki.process.snort_json_parser.receiver]
}

loki.process "snort_json_parser" {
  stage.json {
    expressions = {
      action    = "action",
      protocol  = "proto",
      src_ip    = "src_addr",
      dest_ip   = "dst_addr",
      signature = "msg",
      class     = "class",
    }
  }

  stage.labels {
    values = {
      action   = null,
      protocol = null,
      class    = null,
    }
  }

  forward_to = [loki.write.local_loki.receiver]
}

loki.write "local_loki" {
  endpoint {
    url = "http://loki-server:3100/loki/api/v1/push" // loki-server is loki's IP; inside this compose project the service name loki also resolves
  }
}
------------------------------------------------------------------------------------
In practice the two config files do the same thing; job: snort3 is the main label to search on in Grafana.
-----------------------------------------------------------------------------------------------------------