[DPI][suricata] suricata-4.0.3 安装部署
suricata 很值得借鉴。但是首先还是要安装使用,作为第一步的熟悉。
安装文档:https://redmine.openinfosecfoundation.org/projects/suricata/wiki/CentOS_Installation
1. 先做个虚拟机:
┬─[tong@T7:~/VM/suricata-centos7]─[:: AM]
╰─>$ cat start.sh
#! /usr/bin/bash sudo qemu-system-x86_64 -enable-kvm -nographic -vnc 127.0.0.1: \
-m 2G -drive file=disk.img,if=virtio \
-name suricata \
-device virtio-net-pci,netdev=dev0,mac='00:00:00:09:00:00' \
-netdev tap,ifname=tap-suricata-ctrl,vhost=on,queues=,id=dev0 \
-cdrom /home/tong/Data/ISO/CentOS--x86_64-DVD-.iso \
&
2. 安装操作系统CentOS7
使用的版本:CentOS-7-x86_64-DVD-1708.iso 安装 infrastructure server
3. 安装必要的依赖
yum install gcc
yum install pcre-devel
yum install libyaml-devel
yum install libpcap-devel
yum install lua-devel
yum search zlib-devel
4. 从源码编译安装
版本:suricata-4.0.3.tar.gz
编译安装:
[root@suricata suricata-4.0.]# ./configure --prefix=/suricata/usr --sysconfdir=/suricata/etc --localstatedir=/suricata/var --enable-nfqueue --enable-lua
[root@suricata suricata-4.0.]# mak
[root@suricata suricata-4.0.]# make install
都安装了哪些东西?
[root@suricata suricata]# tree
.
└── usr
├── bin
│ ├── suricata
│ └── suricatasc
├── include
│ └── htp
│ ├── bstr_builder.h
│ ├── bstr.h
│ ├── htp_base64.h
│ ├── htp_config.h
│ ├── htp_connection_parser.h
│ ├── htp_core.h
│ ├── htp_decompressors.h
│ ├── htp.h
│ ├── htp_hooks.h
│ ├── htp_list.h
│ ├── htp_multipart.h
│ ├── htp_table.h
│ ├── htp_transaction.h
│ ├── htp_urlencoded.h
│ ├── htp_utf8_decoder.h
│ └── htp_version.h
├── lib
│ ├── libhtp.a
│ ├── libhtp.la
│ ├── libhtp.so -> libhtp.so.2.0.
│ ├── libhtp.so. -> libhtp.so.2.0.
│ ├── libhtp.so.2.0.
│ ├── pkgconfig
│ │ └── htp.pc
│ └── python2.
│ └── site-packages
│ ├── suricatasc
│ │ ├── __init__.py
│ │ ├── __init__.pyc
│ │ ├── suricatasc.py
│ │ └── suricatasc.pyc
│ └── suricatasc-0.9-py2..egg-info
└── share
├── doc
│ └── suricata
│ ├── AUTHORS
│ ├── Basic_Setup.txt
│ ├── CentOS_56_Installation.txt
│ ├── CentOS5.txt
│ ├── Debian_Installation.txt
│ ├── Fedora_Core.txt
│ ├── FreeBSD_8.txt
│ ├── GITGUIDE
│ ├── HTP_library_installation.txt
│ ├── INSTALL
│ ├── Installation_from_GIT_with_PCRE-JIT.txt
│ ├── Installation_from_GIT_with_PF_RING_on_Ubuntu_server_1104.txt
│ ├── Installation_with_CUDA_and_PFRING_on_Scientific_Linux_6.txt
│ ├── Installation_with_CUDA_and_PF_RING_on_Ubuntu_server_1104.txt
│ ├── Installation_with_CUDA_on_Scientific_Linux_6.txt
│ ├── Installation_with_CUDA_on_Ubuntu_server_1104.txt
│ ├── Installation_with_PF_RING.txt
│ ├── INSTALL.PF_RING
│ ├── INSTALL.WINDOWS
│ ├── Mac_OS_X_106x.txt
│ ├── NEWS
│ ├── OpenBSD_Installation_from_GIT.txt
│ ├── README
│ ├── Setting_up_IPSinline_for_Linux.txt
│ ├── Third_Party_Installation_Guides.txt
│ ├── TODO
│ ├── Ubuntu_Installation_from_GIT.txt
│ ├── Ubuntu_Installation.txt
│ └── Windows.txt
└── man
└── man1
└── suricata. directories, files
[root@suricata suricata]#
有个man手册,因为我没有直接安装在根目录,所以可以这样打开:
[root@suricata suricata]# man -M /suricata/usr/share/man/ suricata
装完了是没法运行的,还需要配置。自动化配置:
[root@suricata suricata-4.0.3]# make install-conf
install -d "/suricata/etc/suricata/"
install -d "/suricata/var/log/suricata/files"
install -d "/suricata/var/log/suricata/certs"
install -d "/suricata/var/run/"
install -m 770 -d "/suricata/var/run/suricata"
那么,部署了哪些东西呢?
[root@suricata suricata-4.0.]# diff org install-conf
74a75,
> /suricata/etc
> /suricata/etc/suricata
> /suricata/etc/suricata/suricata.yaml
> /suricata/etc/suricata/classification.config
> /suricata/etc/suricata/reference.config
> /suricata/etc/suricata/threshold.config
> /suricata/var
> /suricata/var/log
> /suricata/var/log/suricata
> /suricata/var/log/suricata/files
> /suricata/var/log/suricata/certs
> /suricata/var/run
> /suricata/var/run/suricata
[root@suricata suricata-4.0.]#
启动:
[root@suricata ~]# /suricata/usr/bin/suricata -c /suricata/etc/suricata/suricata.yaml -i eth0
// -- :: - <Notice> - This is Suricata version 4.0. RELEASE
// -- :: - <Warning> - [ERRCODE: SC_ERR_NO_RULES()] - No rule files match the pattern /suricata/etc/suricata/rules/botcc.rules
// -- :: - <Warning> - [ERRCODE: SC_ERR_NO_RULES()] - No rule files match the pattern /suricata/etc/suricata/rules/ciarmy.rules
// -- :: - <Warning> - [ERRCODE: SC_ERR_NO_RULES()] - No rule files match the pattern /suricata/etc/suricata/rules/compromised.rules
... ...
安装规则:
在安装的过程中,程序会从网络上,下载最新的规则进行安装。
[root@suricata suricata-4.0.]# make install-rules
install -d "/suricata/etc/suricata/rules"
/usr/bin/wget -qO - https://rules.emergingthreats.net/open/suricata-4.0/emerging.rules.tar.gz | tar -x -z -C "/suricata/etc/suricata/" -f - You can now start suricata by running as root something like '/suricata/usr/bin/suricata -c /suricata/etc/suricata//suricata.yaml -i eth0'. If a library like libhtp.so is not found, you can run suricata with:
'LD_LIBRARY_PATH=/suricata/usr/lib /suricata/usr/bin/suricata -c /suricata/etc/suricata//suricata.yaml -i eth0'. While rules are installed now, it's highly recommended to use a rule manager for maintaining rules.
The two most common are Oinkmaster and Pulledpork. For a guide see:
https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Rule_Management_with_Oinkmaster
引申一下: 这里提到了rule manager, 基本上来说,就是用来更新规则的, 可以参考阅读:
http://suricata.readthedocs.io/en/latest/rule-management/index.html
安装规则的时候, 都安装了些什么东西呢?
[root@suricata ~]# diff old new
80a81,
> /suricata/etc/suricata/rules
> /suricata/etc/suricata/rules/emerging-ftp.rules
> /suricata/etc/suricata/rules/emerging-activex.rules
> /suricata/etc/suricata/rules/dshield.rules
> /suricata/etc/suricata/rules/emerging-pop3.rules
> /suricata/etc/suricata/rules/emerging-web_specific_apps.rules
> /suricata/etc/suricata/rules/emerging-icmp.rules
> /suricata/etc/suricata/rules/suricata-1.3-etpro-etnamed.yaml
> /suricata/etc/suricata/rules/emerging-scan.rules
> /suricata/etc/suricata/rules/emerging-current_events.rules
> /suricata/etc/suricata/rules/emerging-imap.rules
> /suricata/etc/suricata/rules/emerging-sql.rules
> /suricata/etc/suricata/rules/emerging-p2p.rules
> /suricata/etc/suricata/rules/drop.rules
> /suricata/etc/suricata/rules/emerging-worm.rules
> /suricata/etc/suricata/rules/suricata-1.3-open.yaml
> /suricata/etc/suricata/rules/emerging-snmp.rules
> /suricata/etc/suricata/rules/emerging-scada.rules
> /suricata/etc/suricata/rules/emerging-malware.rules
> /suricata/etc/suricata/rules/emerging-trojan.rules
> /suricata/etc/suricata/rules/emerging-inappropriate.rules
> /suricata/etc/suricata/rules/emerging-shellcode.rules
> /suricata/etc/suricata/rules/BSD-License.txt
> /suricata/etc/suricata/rules/botcc.portgrouped.rules
> /suricata/etc/suricata/rules/emerging-smtp.rules
> /suricata/etc/suricata/rules/emerging-web_server.rules
> /suricata/etc/suricata/rules/emerging-web_client.rules
> /suricata/etc/suricata/rules/compromised.rules
> /suricata/etc/suricata/rules/emerging-netbios.rules
> /suricata/etc/suricata/rules/botcc.rules
> /suricata/etc/suricata/rules/ciarmy.rules
> /suricata/etc/suricata/rules/emerging-tftp.rules
> /suricata/etc/suricata/rules/classification.config
> /suricata/etc/suricata/rules/rbn.rules
> /suricata/etc/suricata/rules/emerging.conf
> /suricata/etc/suricata/rules/emerging-attack_response.rules
> /suricata/etc/suricata/rules/emerging-deleted.rules
> /suricata/etc/suricata/rules/emerging-mobile_malware.rules
> /suricata/etc/suricata/rules/emerging-rpc.rules
> /suricata/etc/suricata/rules/tor.rules
> /suricata/etc/suricata/rules/rbn-malvertisers.rules
> /suricata/etc/suricata/rules/emerging-icmp_info.rules
> /suricata/etc/suricata/rules/emerging-exploit.rules
> /suricata/etc/suricata/rules/emerging-telnet.rules
> /suricata/etc/suricata/rules/emerging-user_agents.rules
> /suricata/etc/suricata/rules/gpl-2.0.txt
> /suricata/etc/suricata/rules/decoder-events.rules
> /suricata/etc/suricata/rules/stream-events.rules
> /suricata/etc/suricata/rules/smtp-events.rules
> /suricata/etc/suricata/rules/http-events.rules
> /suricata/etc/suricata/rules/dns-events.rules
> /suricata/etc/suricata/rules/tls-events.rules
> /suricata/etc/suricata/rules/modbus-events.rules
> /suricata/etc/suricata/rules/app-layer-events.rules
> /suricata/etc/suricata/rules/dnp3-events.rules
> /suricata/etc/suricata/rules/emerging-info.rules
> /suricata/etc/suricata/rules/emerging-chat.rules
> /suricata/etc/suricata/rules/LICENSE
> /suricata/etc/suricata/rules/emerging-misc.rules
> /suricata/etc/suricata/rules/suricata-4.0-enhanced-open.txt
> /suricata/etc/suricata/rules/reference.config
> /suricata/etc/suricata/rules/gen-msg.map
> /suricata/etc/suricata/rules/emerging-policy.rules
> /suricata/etc/suricata/rules/emerging-dns.rules
> /suricata/etc/suricata/rules/unicode.map
> /suricata/etc/suricata/rules/compromised-ips.txt
> /suricata/etc/suricata/rules/emerging-voip.rules
> /suricata/etc/suricata/rules/suricata-1.2-prior-open.yaml
> /suricata/etc/suricata/rules/emerging-games.rules
> /suricata/etc/suricata/rules/emerging-dos.rules
> /suricata/etc/suricata/rules/sid-msg.map
[root@suricata ~]#
再次启动:
[root@suricata ~]# /suricata/usr/bin/suricata -c /suricata/etc/suricata/suricata.yaml -i eth0
// -- :: - <Notice> - This is Suricata version 4.0. RELEASE
// -- :: - <Notice> - all packet processing threads, management threads initialized, engine started.
至此, 安装部署启动已完成.
下一篇:
一篇参考文章,还不错 : 构建基于Suricata+Splunk的IDS入侵检测系统
http://www.cnblogs.com/ssooking/p/IDS.html
[DPI][suricata] suricata-4.0.3 安装部署的更多相关文章
- Storm-0.9.0.1安装部署 指导
可以带着下面问题来阅读本文章: 1.Storm只支持什么传输 2.通过什么配置,可以更改Zookeeper默认端口 3.Storm UI必须和Storm Nimbus部署在同一台机器上,UI无法正常工 ...
- kafka_2.11-2.0.0_安装部署
参考博文:kafka 配置文件参数详解 参考博文:Kafka[第一篇]Kafka集群搭建 参考博文:如何为Kafka集群选择合适的Partitions数量 参考博文:Kafka Server.prop ...
- 大数据篇:DolphinScheduler-1.2.0.release安装部署
大数据篇:DolphinScheduler-1.2.0.release安装部署 1 配置jdk #查看命令 rpm -qa | grep java #删除命令 rpm -e --nodeps xxx ...
- zabbix4.0.1 安装部署
zabbix安装部署 目录 一.环境准备... 3 1.1.版本:... 3 1.2.部署环境... 3 二.安装部署... 3 2.1.zabbix安装... 3 2.1.1.下载zabbix的rp ...
- presto 0.166安装部署
系统:linux java:jdk 8,64-bit Connector:hive 分布式,node1-3 node1:Coordinator . Discovery service node2-3: ...
- Hbase-2.0.0_01_安装部署
该文章是基于 Hadoop2.7.6_01_部署 进行的 1. 主机规划 主机名称 IP信息 内网IP 操作系统 安装软件 备注:运行程序 mini01 10.0.0.11 172.16.1.11 C ...
- Hadoop1.0.3安装部署
0x00 大数据平台相关链接 官网:http://hadoop.apache.org/ 主要参考教程:http://www.cnblogs.com/xia520pi/archive/2012/05/1 ...
- jumperserver3.0的安装部署
适用于jumperserver版本:v0.3.1-2 官网:http://www.jumpserver.org/ 系统:centos7.2 基本安装 备注:如果是centos系统最好使用基本安装,否 ...
- zabbix3.0.4安装部署与SendEmail报警配置
MySQL:5.6.21 nginx:1.62 PHP:5.7 pcre:8.32 zabbix:3.0.4 LNMP安装步骤略过 # tar xvf zabbix-3.0.4.tar.gz # cd ...
随机推荐
- pandas DataFrame(1)
之前介绍了numpy的二维数组,但是numpy二维数组有一些局限性,比如,它数组里所有的值的类型必须相同,不能某一列是数值型,某一列是字符串型,这样会导致无法使用 mean() , std() 等方法 ...
- pandas遍历行数据
假设我的DataFrame如图所示: 我可以这样遍历它: for index,row in list.iterrows(): id =row["id"] x=row["x ...
- asp.net ashx一般处理程序实现async await异步操作
目前项目存在页面展示大量图片,效率不高,考虑优化性能,改为ashx+异步下载的方式,废话不说直接贴code: using System; using System.Web; using System. ...
- 解决Android8.0之后开启service时报错IllegalStateException: Not allowed to start service Intent ...
项目测试时发现的,在双击返回键关闭应用后(并未杀死后台)重新打开APP,其他手机都OK,但是8.0的手机会出现较频繁的crash.检查代码,问题锁定在重新开启应用时的startService()上. ...
- oracle存储过程遇到的问题
最近新的项目,会批量执行数据,用到了存储过程和函数,遇到的问题记录如下: 1.涉及大量数据,所以决定分批commit数据 2.out无论是存储过程还是函数,都会返回数据,当时当我们手动raise(抛出 ...
- MTK 修改默认时区
首先介绍应用程序修改 : AlarmManager mAlarmManager = (AlarmManager) getSystemService(Context.ALARM_SERVICE); mA ...
- [Laravel] 01 - Love beautiful code? We do too.
前言 一.良心资料 英文 Laravel 框架:https://laravel.com/ 教程:https://laracasts.com/series/ laravel-from-scratch-2 ...
- ctrl c 中文字符到 vnc 里,中文字符已经被转码
为了测试程序对多语言字符的支持情况,我找来一段中文和北欧的文字,希望把这些文字上传到elasticsearch,并能正确显示. 首先测试了北欧文字,一切OK. 但是中文复制到 VNC 客户端(Linu ...
- oracle 学习笔记(2)创建表空间及用户授权
原文:http://www.cnblogs.com/smartvessel/archive/2009/07/06/1517690.html Oracle安装完后,其中有一个缺省的数据库,除了这个缺省的 ...
- WebApi中的Session与Token间的处理对接
首先,说起来创建session,一般会针对注册登录或者授权等情况: session 从字面上讲,就是会话.这个就类似于你和一个人交谈,你怎么知道当前和你交谈的是张三而不是李四呢?对方肯定有某种特征(长 ...