[DPI][suricata] suricata-4.0.3 安装部署
suricata 很值得借鉴。但是首先还是要安装使用,作为第一步的熟悉。
安装文档:https://redmine.openinfosecfoundation.org/projects/suricata/wiki/CentOS_Installation
1. 先做个虚拟机:
┬─[tong@T7:~/VM/suricata-centos7]─[:: AM]
╰─>$ cat start.sh
#! /usr/bin/bash sudo qemu-system-x86_64 -enable-kvm -nographic -vnc 127.0.0.1: \
-m 2G -drive file=disk.img,if=virtio \
-name suricata \
-device virtio-net-pci,netdev=dev0,mac='00:00:00:09:00:00' \
-netdev tap,ifname=tap-suricata-ctrl,vhost=on,queues=,id=dev0 \
-cdrom /home/tong/Data/ISO/CentOS--x86_64-DVD-.iso \
&
2. 安装操作系统CentOS7
使用的版本:CentOS-7-x86_64-DVD-1708.iso 安装 infrastructure server
3. 安装必要的依赖
yum install gcc
yum install pcre-devel
yum install libyaml-devel
yum install libpcap-devel
yum install lua-devel
yum search zlib-devel
4. 从源码编译安装
版本:suricata-4.0.3.tar.gz
编译安装:
[root@suricata suricata-4.0.]# ./configure --prefix=/suricata/usr --sysconfdir=/suricata/etc --localstatedir=/suricata/var --enable-nfqueue --enable-lua
[root@suricata suricata-4.0.]# mak
[root@suricata suricata-4.0.]# make install
都安装了哪些东西?
[root@suricata suricata]# tree
.
└── usr
├── bin
│ ├── suricata
│ └── suricatasc
├── include
│ └── htp
│ ├── bstr_builder.h
│ ├── bstr.h
│ ├── htp_base64.h
│ ├── htp_config.h
│ ├── htp_connection_parser.h
│ ├── htp_core.h
│ ├── htp_decompressors.h
│ ├── htp.h
│ ├── htp_hooks.h
│ ├── htp_list.h
│ ├── htp_multipart.h
│ ├── htp_table.h
│ ├── htp_transaction.h
│ ├── htp_urlencoded.h
│ ├── htp_utf8_decoder.h
│ └── htp_version.h
├── lib
│ ├── libhtp.a
│ ├── libhtp.la
│ ├── libhtp.so -> libhtp.so.2.0.
│ ├── libhtp.so. -> libhtp.so.2.0.
│ ├── libhtp.so.2.0.
│ ├── pkgconfig
│ │ └── htp.pc
│ └── python2.
│ └── site-packages
│ ├── suricatasc
│ │ ├── __init__.py
│ │ ├── __init__.pyc
│ │ ├── suricatasc.py
│ │ └── suricatasc.pyc
│ └── suricatasc-0.9-py2..egg-info
└── share
├── doc
│ └── suricata
│ ├── AUTHORS
│ ├── Basic_Setup.txt
│ ├── CentOS_56_Installation.txt
│ ├── CentOS5.txt
│ ├── Debian_Installation.txt
│ ├── Fedora_Core.txt
│ ├── FreeBSD_8.txt
│ ├── GITGUIDE
│ ├── HTP_library_installation.txt
│ ├── INSTALL
│ ├── Installation_from_GIT_with_PCRE-JIT.txt
│ ├── Installation_from_GIT_with_PF_RING_on_Ubuntu_server_1104.txt
│ ├── Installation_with_CUDA_and_PFRING_on_Scientific_Linux_6.txt
│ ├── Installation_with_CUDA_and_PF_RING_on_Ubuntu_server_1104.txt
│ ├── Installation_with_CUDA_on_Scientific_Linux_6.txt
│ ├── Installation_with_CUDA_on_Ubuntu_server_1104.txt
│ ├── Installation_with_PF_RING.txt
│ ├── INSTALL.PF_RING
│ ├── INSTALL.WINDOWS
│ ├── Mac_OS_X_106x.txt
│ ├── NEWS
│ ├── OpenBSD_Installation_from_GIT.txt
│ ├── README
│ ├── Setting_up_IPSinline_for_Linux.txt
│ ├── Third_Party_Installation_Guides.txt
│ ├── TODO
│ ├── Ubuntu_Installation_from_GIT.txt
│ ├── Ubuntu_Installation.txt
│ └── Windows.txt
└── man
└── man1
└── suricata. directories, files
[root@suricata suricata]#
有个man手册,因为我没有直接安装在根目录,所以可以这样打开:
[root@suricata suricata]# man -M /suricata/usr/share/man/ suricata
装完了是没法运行的,还需要配置。自动化配置:
[root@suricata suricata-4.0.3]# make install-conf
install -d "/suricata/etc/suricata/"
install -d "/suricata/var/log/suricata/files"
install -d "/suricata/var/log/suricata/certs"
install -d "/suricata/var/run/"
install -m 770 -d "/suricata/var/run/suricata"
那么,部署了哪些东西呢?
[root@suricata suricata-4.0.]# diff org install-conf
74a75,
> /suricata/etc
> /suricata/etc/suricata
> /suricata/etc/suricata/suricata.yaml
> /suricata/etc/suricata/classification.config
> /suricata/etc/suricata/reference.config
> /suricata/etc/suricata/threshold.config
> /suricata/var
> /suricata/var/log
> /suricata/var/log/suricata
> /suricata/var/log/suricata/files
> /suricata/var/log/suricata/certs
> /suricata/var/run
> /suricata/var/run/suricata
[root@suricata suricata-4.0.]#
启动:
[root@suricata ~]# /suricata/usr/bin/suricata -c /suricata/etc/suricata/suricata.yaml -i eth0
// -- :: - <Notice> - This is Suricata version 4.0. RELEASE
// -- :: - <Warning> - [ERRCODE: SC_ERR_NO_RULES()] - No rule files match the pattern /suricata/etc/suricata/rules/botcc.rules
// -- :: - <Warning> - [ERRCODE: SC_ERR_NO_RULES()] - No rule files match the pattern /suricata/etc/suricata/rules/ciarmy.rules
// -- :: - <Warning> - [ERRCODE: SC_ERR_NO_RULES()] - No rule files match the pattern /suricata/etc/suricata/rules/compromised.rules
... ...
安装规则:
在安装的过程中,程序会从网络上,下载最新的规则进行安装。
[root@suricata suricata-4.0.]# make install-rules
install -d "/suricata/etc/suricata/rules"
/usr/bin/wget -qO - https://rules.emergingthreats.net/open/suricata-4.0/emerging.rules.tar.gz | tar -x -z -C "/suricata/etc/suricata/" -f - You can now start suricata by running as root something like '/suricata/usr/bin/suricata -c /suricata/etc/suricata//suricata.yaml -i eth0'. If a library like libhtp.so is not found, you can run suricata with:
'LD_LIBRARY_PATH=/suricata/usr/lib /suricata/usr/bin/suricata -c /suricata/etc/suricata//suricata.yaml -i eth0'. While rules are installed now, it's highly recommended to use a rule manager for maintaining rules.
The two most common are Oinkmaster and Pulledpork. For a guide see:
https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Rule_Management_with_Oinkmaster
引申一下: 这里提到了rule manager, 基本上来说,就是用来更新规则的, 可以参考阅读:
http://suricata.readthedocs.io/en/latest/rule-management/index.html
安装规则的时候, 都安装了些什么东西呢?
[root@suricata ~]# diff old new
80a81,
> /suricata/etc/suricata/rules
> /suricata/etc/suricata/rules/emerging-ftp.rules
> /suricata/etc/suricata/rules/emerging-activex.rules
> /suricata/etc/suricata/rules/dshield.rules
> /suricata/etc/suricata/rules/emerging-pop3.rules
> /suricata/etc/suricata/rules/emerging-web_specific_apps.rules
> /suricata/etc/suricata/rules/emerging-icmp.rules
> /suricata/etc/suricata/rules/suricata-1.3-etpro-etnamed.yaml
> /suricata/etc/suricata/rules/emerging-scan.rules
> /suricata/etc/suricata/rules/emerging-current_events.rules
> /suricata/etc/suricata/rules/emerging-imap.rules
> /suricata/etc/suricata/rules/emerging-sql.rules
> /suricata/etc/suricata/rules/emerging-p2p.rules
> /suricata/etc/suricata/rules/drop.rules
> /suricata/etc/suricata/rules/emerging-worm.rules
> /suricata/etc/suricata/rules/suricata-1.3-open.yaml
> /suricata/etc/suricata/rules/emerging-snmp.rules
> /suricata/etc/suricata/rules/emerging-scada.rules
> /suricata/etc/suricata/rules/emerging-malware.rules
> /suricata/etc/suricata/rules/emerging-trojan.rules
> /suricata/etc/suricata/rules/emerging-inappropriate.rules
> /suricata/etc/suricata/rules/emerging-shellcode.rules
> /suricata/etc/suricata/rules/BSD-License.txt
> /suricata/etc/suricata/rules/botcc.portgrouped.rules
> /suricata/etc/suricata/rules/emerging-smtp.rules
> /suricata/etc/suricata/rules/emerging-web_server.rules
> /suricata/etc/suricata/rules/emerging-web_client.rules
> /suricata/etc/suricata/rules/compromised.rules
> /suricata/etc/suricata/rules/emerging-netbios.rules
> /suricata/etc/suricata/rules/botcc.rules
> /suricata/etc/suricata/rules/ciarmy.rules
> /suricata/etc/suricata/rules/emerging-tftp.rules
> /suricata/etc/suricata/rules/classification.config
> /suricata/etc/suricata/rules/rbn.rules
> /suricata/etc/suricata/rules/emerging.conf
> /suricata/etc/suricata/rules/emerging-attack_response.rules
> /suricata/etc/suricata/rules/emerging-deleted.rules
> /suricata/etc/suricata/rules/emerging-mobile_malware.rules
> /suricata/etc/suricata/rules/emerging-rpc.rules
> /suricata/etc/suricata/rules/tor.rules
> /suricata/etc/suricata/rules/rbn-malvertisers.rules
> /suricata/etc/suricata/rules/emerging-icmp_info.rules
> /suricata/etc/suricata/rules/emerging-exploit.rules
> /suricata/etc/suricata/rules/emerging-telnet.rules
> /suricata/etc/suricata/rules/emerging-user_agents.rules
> /suricata/etc/suricata/rules/gpl-2.0.txt
> /suricata/etc/suricata/rules/decoder-events.rules
> /suricata/etc/suricata/rules/stream-events.rules
> /suricata/etc/suricata/rules/smtp-events.rules
> /suricata/etc/suricata/rules/http-events.rules
> /suricata/etc/suricata/rules/dns-events.rules
> /suricata/etc/suricata/rules/tls-events.rules
> /suricata/etc/suricata/rules/modbus-events.rules
> /suricata/etc/suricata/rules/app-layer-events.rules
> /suricata/etc/suricata/rules/dnp3-events.rules
> /suricata/etc/suricata/rules/emerging-info.rules
> /suricata/etc/suricata/rules/emerging-chat.rules
> /suricata/etc/suricata/rules/LICENSE
> /suricata/etc/suricata/rules/emerging-misc.rules
> /suricata/etc/suricata/rules/suricata-4.0-enhanced-open.txt
> /suricata/etc/suricata/rules/reference.config
> /suricata/etc/suricata/rules/gen-msg.map
> /suricata/etc/suricata/rules/emerging-policy.rules
> /suricata/etc/suricata/rules/emerging-dns.rules
> /suricata/etc/suricata/rules/unicode.map
> /suricata/etc/suricata/rules/compromised-ips.txt
> /suricata/etc/suricata/rules/emerging-voip.rules
> /suricata/etc/suricata/rules/suricata-1.2-prior-open.yaml
> /suricata/etc/suricata/rules/emerging-games.rules
> /suricata/etc/suricata/rules/emerging-dos.rules
> /suricata/etc/suricata/rules/sid-msg.map
[root@suricata ~]#
再次启动:
[root@suricata ~]# /suricata/usr/bin/suricata -c /suricata/etc/suricata/suricata.yaml -i eth0
// -- :: - <Notice> - This is Suricata version 4.0. RELEASE
// -- :: - <Notice> - all packet processing threads, management threads initialized, engine started.
至此, 安装部署启动已完成.
下一篇:
一篇参考文章,还不错 : 构建基于Suricata+Splunk的IDS入侵检测系统
http://www.cnblogs.com/ssooking/p/IDS.html
[DPI][suricata] suricata-4.0.3 安装部署的更多相关文章
- Storm-0.9.0.1安装部署 指导
可以带着下面问题来阅读本文章: 1.Storm只支持什么传输 2.通过什么配置,可以更改Zookeeper默认端口 3.Storm UI必须和Storm Nimbus部署在同一台机器上,UI无法正常工 ...
- kafka_2.11-2.0.0_安装部署
参考博文:kafka 配置文件参数详解 参考博文:Kafka[第一篇]Kafka集群搭建 参考博文:如何为Kafka集群选择合适的Partitions数量 参考博文:Kafka Server.prop ...
- 大数据篇:DolphinScheduler-1.2.0.release安装部署
大数据篇:DolphinScheduler-1.2.0.release安装部署 1 配置jdk #查看命令 rpm -qa | grep java #删除命令 rpm -e --nodeps xxx ...
- zabbix4.0.1 安装部署
zabbix安装部署 目录 一.环境准备... 3 1.1.版本:... 3 1.2.部署环境... 3 二.安装部署... 3 2.1.zabbix安装... 3 2.1.1.下载zabbix的rp ...
- presto 0.166安装部署
系统:linux java:jdk 8,64-bit Connector:hive 分布式,node1-3 node1:Coordinator . Discovery service node2-3: ...
- Hbase-2.0.0_01_安装部署
该文章是基于 Hadoop2.7.6_01_部署 进行的 1. 主机规划 主机名称 IP信息 内网IP 操作系统 安装软件 备注:运行程序 mini01 10.0.0.11 172.16.1.11 C ...
- Hadoop1.0.3安装部署
0x00 大数据平台相关链接 官网:http://hadoop.apache.org/ 主要参考教程:http://www.cnblogs.com/xia520pi/archive/2012/05/1 ...
- jumperserver3.0的安装部署
适用于jumperserver版本:v0.3.1-2 官网:http://www.jumpserver.org/ 系统:centos7.2 基本安装 备注:如果是centos系统最好使用基本安装,否 ...
- zabbix3.0.4安装部署与SendEmail报警配置
MySQL:5.6.21 nginx:1.62 PHP:5.7 pcre:8.32 zabbix:3.0.4 LNMP安装步骤略过 # tar xvf zabbix-3.0.4.tar.gz # cd ...
随机推荐
- CentOS 上开启 BBR 加速
BBR 算法需要 Linux 4.9 及以上的内核支持,所以想要使用该方式的需要先升级内核版本. 在 Cent OS 7 上的 Linux 内核是 3.10, 使用 uname -r 查看内核版本 [ ...
- 【6集iCore3_ADP触摸屏驱动讲解视频】6-4 底层驱动之SDRAM读写(上)
源视频包下载地址: 链接:http://pan.baidu.com/s/1i5lzzj3 密码:bwoe 银杏科技优酷视频发布区: http://i.youku.com/gingko8
- Linux中Cache内存占用过高解决办法
在Linux系统中,我们经常用free命令来查看系统内存的使用状态.在一个RHEL6的系统上,free命令的显示内容大概是这样一个状态: 这里的默认显示单位是kb,我的服务器是128G内存,所以数字显 ...
- 【转】iframe页面跳转时,导致父页面滚动!该怎么解决?
HTML code <body> <form id="form1" runat="server"> <iframe id=&quo ...
- mac air 2012 mid 使用bootcamp 安装windows
一切都按正常顺序进行,到开始安装时,遇到错误: "提示windows无法安装到这个磁盘.选中的磁盘具有MBR分区表" 解决方法: 重新进入mac系统,使用bootcamp从头开始, ...
- Scala学习笔记——样本类和模式匹配
1.样本类 在申明的类前面加上一个case修饰符,带有这种修饰符的类被称为样本类(case class). 被申明为样本类的类的特点:1.会添加和类名一致的工厂方法:2.样本类参数列表中的所有参数隐式 ...
- glob通配符
描述glob是shell使用的路径匹配符,类似于正则表达式,但是与正则表达式不完全相同.在linux操作中如文件匹配等等其实已经使用了glob通配符.由于其在路径匹配方面的强大,其他语言也有相应的实现 ...
- [IR] Suffix Trees and Suffix Arrays
前缀树 匹配前缀字符串是不言自明的道理. 1. 字符串的快速检索 2. 最长公共前缀(LCP) 等等 树的压缩 后缀树 Let s=abab, a suffix tree of s is a comp ...
- ethereum发erc20token
以太坊发币智能合约代码简单介绍: 发币代码如下(https://ethereum.org/token#the-code网站中获得): pragma solidity ^; interface toke ...
- 【代码审计】XYHCMS V3.5URL重定向漏洞分析
0x00 环境准备 XYHCMS官网:http://www.xyhcms.com/ 网站源码版本:XYHCMS V3.5(2017-12-04 更新) 程序源码下载:http://www.xyhc ...