[DPI][suricata] suricata-4.0.3 安装部署
suricata 很值得借鉴。但是首先还是要安装使用,作为第一步的熟悉。
安装文档:https://redmine.openinfosecfoundation.org/projects/suricata/wiki/CentOS_Installation
1. 先做个虚拟机:
┬─[tong@T7:~/VM/suricata-centos7]─[:: AM]
╰─>$ cat start.sh
#! /usr/bin/bash sudo qemu-system-x86_64 -enable-kvm -nographic -vnc 127.0.0.1: \
-m 2G -drive file=disk.img,if=virtio \
-name suricata \
-device virtio-net-pci,netdev=dev0,mac='00:00:00:09:00:00' \
-netdev tap,ifname=tap-suricata-ctrl,vhost=on,queues=,id=dev0 \
-cdrom /home/tong/Data/ISO/CentOS--x86_64-DVD-.iso \
&
2. 安装操作系统CentOS7
使用的版本:CentOS-7-x86_64-DVD-1708.iso 安装 infrastructure server
3. 安装必要的依赖
yum install gcc
yum install pcre-devel
yum install libyaml-devel
yum install libpcap-devel
yum install lua-devel
yum search zlib-devel
4. 从源码编译安装
版本:suricata-4.0.3.tar.gz
编译安装:
[root@suricata suricata-4.0.]# ./configure --prefix=/suricata/usr --sysconfdir=/suricata/etc --localstatedir=/suricata/var --enable-nfqueue --enable-lua
[root@suricata suricata-4.0.]# mak
[root@suricata suricata-4.0.]# make install
都安装了哪些东西?
[root@suricata suricata]# tree
.
└── usr
├── bin
│ ├── suricata
│ └── suricatasc
├── include
│ └── htp
│ ├── bstr_builder.h
│ ├── bstr.h
│ ├── htp_base64.h
│ ├── htp_config.h
│ ├── htp_connection_parser.h
│ ├── htp_core.h
│ ├── htp_decompressors.h
│ ├── htp.h
│ ├── htp_hooks.h
│ ├── htp_list.h
│ ├── htp_multipart.h
│ ├── htp_table.h
│ ├── htp_transaction.h
│ ├── htp_urlencoded.h
│ ├── htp_utf8_decoder.h
│ └── htp_version.h
├── lib
│ ├── libhtp.a
│ ├── libhtp.la
│ ├── libhtp.so -> libhtp.so.2.0.
│ ├── libhtp.so. -> libhtp.so.2.0.
│ ├── libhtp.so.2.0.
│ ├── pkgconfig
│ │ └── htp.pc
│ └── python2.
│ └── site-packages
│ ├── suricatasc
│ │ ├── __init__.py
│ │ ├── __init__.pyc
│ │ ├── suricatasc.py
│ │ └── suricatasc.pyc
│ └── suricatasc-0.9-py2..egg-info
└── share
├── doc
│ └── suricata
│ ├── AUTHORS
│ ├── Basic_Setup.txt
│ ├── CentOS_56_Installation.txt
│ ├── CentOS5.txt
│ ├── Debian_Installation.txt
│ ├── Fedora_Core.txt
│ ├── FreeBSD_8.txt
│ ├── GITGUIDE
│ ├── HTP_library_installation.txt
│ ├── INSTALL
│ ├── Installation_from_GIT_with_PCRE-JIT.txt
│ ├── Installation_from_GIT_with_PF_RING_on_Ubuntu_server_1104.txt
│ ├── Installation_with_CUDA_and_PFRING_on_Scientific_Linux_6.txt
│ ├── Installation_with_CUDA_and_PF_RING_on_Ubuntu_server_1104.txt
│ ├── Installation_with_CUDA_on_Scientific_Linux_6.txt
│ ├── Installation_with_CUDA_on_Ubuntu_server_1104.txt
│ ├── Installation_with_PF_RING.txt
│ ├── INSTALL.PF_RING
│ ├── INSTALL.WINDOWS
│ ├── Mac_OS_X_106x.txt
│ ├── NEWS
│ ├── OpenBSD_Installation_from_GIT.txt
│ ├── README
│ ├── Setting_up_IPSinline_for_Linux.txt
│ ├── Third_Party_Installation_Guides.txt
│ ├── TODO
│ ├── Ubuntu_Installation_from_GIT.txt
│ ├── Ubuntu_Installation.txt
│ └── Windows.txt
└── man
└── man1
└── suricata. directories, files
[root@suricata suricata]#
有个man手册,因为我没有直接安装在根目录,所以可以这样打开:
[root@suricata suricata]# man -M /suricata/usr/share/man/ suricata
装完了是没法运行的,还需要配置。自动化配置:
[root@suricata suricata-4.0.3]# make install-conf
install -d "/suricata/etc/suricata/"
install -d "/suricata/var/log/suricata/files"
install -d "/suricata/var/log/suricata/certs"
install -d "/suricata/var/run/"
install -m 770 -d "/suricata/var/run/suricata"
那么,部署了哪些东西呢?
[root@suricata suricata-4.0.]# diff org install-conf
74a75,
> /suricata/etc
> /suricata/etc/suricata
> /suricata/etc/suricata/suricata.yaml
> /suricata/etc/suricata/classification.config
> /suricata/etc/suricata/reference.config
> /suricata/etc/suricata/threshold.config
> /suricata/var
> /suricata/var/log
> /suricata/var/log/suricata
> /suricata/var/log/suricata/files
> /suricata/var/log/suricata/certs
> /suricata/var/run
> /suricata/var/run/suricata
[root@suricata suricata-4.0.]#
启动:
[root@suricata ~]# /suricata/usr/bin/suricata -c /suricata/etc/suricata/suricata.yaml -i eth0
// -- :: - <Notice> - This is Suricata version 4.0. RELEASE
// -- :: - <Warning> - [ERRCODE: SC_ERR_NO_RULES()] - No rule files match the pattern /suricata/etc/suricata/rules/botcc.rules
// -- :: - <Warning> - [ERRCODE: SC_ERR_NO_RULES()] - No rule files match the pattern /suricata/etc/suricata/rules/ciarmy.rules
// -- :: - <Warning> - [ERRCODE: SC_ERR_NO_RULES()] - No rule files match the pattern /suricata/etc/suricata/rules/compromised.rules
... ...
安装规则:
在安装的过程中,程序会从网络上,下载最新的规则进行安装。
[root@suricata suricata-4.0.]# make install-rules
install -d "/suricata/etc/suricata/rules"
/usr/bin/wget -qO - https://rules.emergingthreats.net/open/suricata-4.0/emerging.rules.tar.gz | tar -x -z -C "/suricata/etc/suricata/" -f - You can now start suricata by running as root something like '/suricata/usr/bin/suricata -c /suricata/etc/suricata//suricata.yaml -i eth0'. If a library like libhtp.so is not found, you can run suricata with:
'LD_LIBRARY_PATH=/suricata/usr/lib /suricata/usr/bin/suricata -c /suricata/etc/suricata//suricata.yaml -i eth0'. While rules are installed now, it's highly recommended to use a rule manager for maintaining rules.
The two most common are Oinkmaster and Pulledpork. For a guide see:
https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Rule_Management_with_Oinkmaster
引申一下: 这里提到了rule manager, 基本上来说,就是用来更新规则的, 可以参考阅读:
http://suricata.readthedocs.io/en/latest/rule-management/index.html
安装规则的时候, 都安装了些什么东西呢?
[root@suricata ~]# diff old new
80a81,
> /suricata/etc/suricata/rules
> /suricata/etc/suricata/rules/emerging-ftp.rules
> /suricata/etc/suricata/rules/emerging-activex.rules
> /suricata/etc/suricata/rules/dshield.rules
> /suricata/etc/suricata/rules/emerging-pop3.rules
> /suricata/etc/suricata/rules/emerging-web_specific_apps.rules
> /suricata/etc/suricata/rules/emerging-icmp.rules
> /suricata/etc/suricata/rules/suricata-1.3-etpro-etnamed.yaml
> /suricata/etc/suricata/rules/emerging-scan.rules
> /suricata/etc/suricata/rules/emerging-current_events.rules
> /suricata/etc/suricata/rules/emerging-imap.rules
> /suricata/etc/suricata/rules/emerging-sql.rules
> /suricata/etc/suricata/rules/emerging-p2p.rules
> /suricata/etc/suricata/rules/drop.rules
> /suricata/etc/suricata/rules/emerging-worm.rules
> /suricata/etc/suricata/rules/suricata-1.3-open.yaml
> /suricata/etc/suricata/rules/emerging-snmp.rules
> /suricata/etc/suricata/rules/emerging-scada.rules
> /suricata/etc/suricata/rules/emerging-malware.rules
> /suricata/etc/suricata/rules/emerging-trojan.rules
> /suricata/etc/suricata/rules/emerging-inappropriate.rules
> /suricata/etc/suricata/rules/emerging-shellcode.rules
> /suricata/etc/suricata/rules/BSD-License.txt
> /suricata/etc/suricata/rules/botcc.portgrouped.rules
> /suricata/etc/suricata/rules/emerging-smtp.rules
> /suricata/etc/suricata/rules/emerging-web_server.rules
> /suricata/etc/suricata/rules/emerging-web_client.rules
> /suricata/etc/suricata/rules/compromised.rules
> /suricata/etc/suricata/rules/emerging-netbios.rules
> /suricata/etc/suricata/rules/botcc.rules
> /suricata/etc/suricata/rules/ciarmy.rules
> /suricata/etc/suricata/rules/emerging-tftp.rules
> /suricata/etc/suricata/rules/classification.config
> /suricata/etc/suricata/rules/rbn.rules
> /suricata/etc/suricata/rules/emerging.conf
> /suricata/etc/suricata/rules/emerging-attack_response.rules
> /suricata/etc/suricata/rules/emerging-deleted.rules
> /suricata/etc/suricata/rules/emerging-mobile_malware.rules
> /suricata/etc/suricata/rules/emerging-rpc.rules
> /suricata/etc/suricata/rules/tor.rules
> /suricata/etc/suricata/rules/rbn-malvertisers.rules
> /suricata/etc/suricata/rules/emerging-icmp_info.rules
> /suricata/etc/suricata/rules/emerging-exploit.rules
> /suricata/etc/suricata/rules/emerging-telnet.rules
> /suricata/etc/suricata/rules/emerging-user_agents.rules
> /suricata/etc/suricata/rules/gpl-2.0.txt
> /suricata/etc/suricata/rules/decoder-events.rules
> /suricata/etc/suricata/rules/stream-events.rules
> /suricata/etc/suricata/rules/smtp-events.rules
> /suricata/etc/suricata/rules/http-events.rules
> /suricata/etc/suricata/rules/dns-events.rules
> /suricata/etc/suricata/rules/tls-events.rules
> /suricata/etc/suricata/rules/modbus-events.rules
> /suricata/etc/suricata/rules/app-layer-events.rules
> /suricata/etc/suricata/rules/dnp3-events.rules
> /suricata/etc/suricata/rules/emerging-info.rules
> /suricata/etc/suricata/rules/emerging-chat.rules
> /suricata/etc/suricata/rules/LICENSE
> /suricata/etc/suricata/rules/emerging-misc.rules
> /suricata/etc/suricata/rules/suricata-4.0-enhanced-open.txt
> /suricata/etc/suricata/rules/reference.config
> /suricata/etc/suricata/rules/gen-msg.map
> /suricata/etc/suricata/rules/emerging-policy.rules
> /suricata/etc/suricata/rules/emerging-dns.rules
> /suricata/etc/suricata/rules/unicode.map
> /suricata/etc/suricata/rules/compromised-ips.txt
> /suricata/etc/suricata/rules/emerging-voip.rules
> /suricata/etc/suricata/rules/suricata-1.2-prior-open.yaml
> /suricata/etc/suricata/rules/emerging-games.rules
> /suricata/etc/suricata/rules/emerging-dos.rules
> /suricata/etc/suricata/rules/sid-msg.map
[root@suricata ~]#
再次启动:
[root@suricata ~]# /suricata/usr/bin/suricata -c /suricata/etc/suricata/suricata.yaml -i eth0
// -- :: - <Notice> - This is Suricata version 4.0. RELEASE
// -- :: - <Notice> - all packet processing threads, management threads initialized, engine started.
至此, 安装部署启动已完成.
下一篇:
一篇参考文章,还不错 : 构建基于Suricata+Splunk的IDS入侵检测系统
http://www.cnblogs.com/ssooking/p/IDS.html
[DPI][suricata] suricata-4.0.3 安装部署的更多相关文章
- Storm-0.9.0.1安装部署 指导
可以带着下面问题来阅读本文章: 1.Storm只支持什么传输 2.通过什么配置,可以更改Zookeeper默认端口 3.Storm UI必须和Storm Nimbus部署在同一台机器上,UI无法正常工 ...
- kafka_2.11-2.0.0_安装部署
参考博文:kafka 配置文件参数详解 参考博文:Kafka[第一篇]Kafka集群搭建 参考博文:如何为Kafka集群选择合适的Partitions数量 参考博文:Kafka Server.prop ...
- 大数据篇:DolphinScheduler-1.2.0.release安装部署
大数据篇:DolphinScheduler-1.2.0.release安装部署 1 配置jdk #查看命令 rpm -qa | grep java #删除命令 rpm -e --nodeps xxx ...
- zabbix4.0.1 安装部署
zabbix安装部署 目录 一.环境准备... 3 1.1.版本:... 3 1.2.部署环境... 3 二.安装部署... 3 2.1.zabbix安装... 3 2.1.1.下载zabbix的rp ...
- presto 0.166安装部署
系统:linux java:jdk 8,64-bit Connector:hive 分布式,node1-3 node1:Coordinator . Discovery service node2-3: ...
- Hbase-2.0.0_01_安装部署
该文章是基于 Hadoop2.7.6_01_部署 进行的 1. 主机规划 主机名称 IP信息 内网IP 操作系统 安装软件 备注:运行程序 mini01 10.0.0.11 172.16.1.11 C ...
- Hadoop1.0.3安装部署
0x00 大数据平台相关链接 官网:http://hadoop.apache.org/ 主要参考教程:http://www.cnblogs.com/xia520pi/archive/2012/05/1 ...
- jumperserver3.0的安装部署
适用于jumperserver版本:v0.3.1-2 官网:http://www.jumpserver.org/ 系统:centos7.2 基本安装 备注:如果是centos系统最好使用基本安装,否 ...
- zabbix3.0.4安装部署与SendEmail报警配置
MySQL:5.6.21 nginx:1.62 PHP:5.7 pcre:8.32 zabbix:3.0.4 LNMP安装步骤略过 # tar xvf zabbix-3.0.4.tar.gz # cd ...
随机推荐
- Atitit 快速开发体系建设路线图
Atitit 快速开发体系建设路线图 1.1. 项目类型划分 哑铃型 橄榄型 直板型(可以立即实行)1 1.2. 解决方案知识库 最佳实践库 最佳流程优化(已成,需要一些整理)2 1.3. 功能模板 ...
- 物联网架构成长之路(11)-Redis缓存主从复制
1. 说明 在我的物联网平台框架框架中,会用到Redis这个中间件.作为EMQ权限认证的缓存.https://www.cnblogs.com/think-in-java/p/5123884.html ...
- 【XMPP】基于XMPP的即时通讯解决方案
什么是XMPP 介绍XMPP之前,先来看看GTalk. GTalk是Google推出的IM(Instant Messaging,即时通讯)软件,类似于QQ和MSN. 从技术角度来说,GTalk与QQ和 ...
- 跨控制器跳转view——RedirectToRoute和RedirectToAction
已知控制器AccountController.cs和HomeController.cs,如果从页面Account/Login直接跳转到Home/Index,可以利用RedirectToRoute和Re ...
- metroui
<!DOCTYPE html> <html> <head> <meta http-equiv="Content-Type" content ...
- Git 学习笔记--拉取远程分支到本地
1.查看远程分支,和上面的第一步相同2. 从远程获取最新版本到本地 git fetch origin master:temp git fetch origin master:temp 这句命令的意思是 ...
- android 网络图片双缓存
本文转自:http://blog.csdn.net/a79412906/article/details/10180583 Android每次加载图片很浪费时间.所以设计了一个图片缓存技术来解决每次an ...
- spark未授权RCE漏洞学习
Spark简介 spark是一个实现快速通用的集群计算平台.它是由加州大学伯克利分校AMP实验室 开发的通用内存并行计算框架,用来构建大型的.低延迟的数据分析应用程序.它扩展了广泛使用的MapRedu ...
- 跟bWAPP学WEB安全(PHP代码)--终结篇:文件目录遍历、文件上传、SSRF、CSRF、XXE、文件包含
前言 过年过的很不顺,家里领导和我本人接连生病,年前腊月29才都治好出院,大年初六家里的拉布拉多爱犬又因为细小医治无效离开了,没能过年回家,花了好多钱,狗狗还离世了.所以也就没什么心思更新博客.今天初 ...
- jmeter 中 Client implementation HttpClient4和java区别实践一
好吧,最近还是在折腾Jmeter,在一个post请求中,发现啃爹的竟然带有特殊字符:' 怎么办,直接将数据写入,如下: 然后在实际用post发请求时,jmeter自动给转义了,如下: xxxx=%27 ...