suricata 很值得借鉴。但是首先还是要安装使用,作为第一步的熟悉。
安装文档:https://redmine.openinfosecfoundation.org/projects/suricata/wiki/CentOS_Installation
1. 先做个虚拟机:
┬─[tong@T7:~/VM/suricata-centos7]─[10:52:28 AM] ╰─>$ cat start.sh #! /usr/bin/bash sudo qemu-system-x86_64 -enable-kvm -nographic -vnc 127.0.0.1:8 -m 2G -drive file=disk.img,if=virtio -name suricata -device virtio-net-pci,netdev=dev0,mac='00:00:00:09:00:00' -netdev tap,ifname=tap-suricata-ctrl,vhost=on,queues=16,id=dev0 -cdrom /home/tong/Data/ISO/CentOS-7-x86_64-DVD-1708.iso &
2. 安装操作系统CentOS7
使用的版本:CentOS-7-x86_64-DVD-1708.iso 安装 infrastructure server
3. 安装必要的依赖
yum install gcc yum install pcre-devel yum install libyaml-devel yum install libpcap-devel yum install lua-devel yum search zlib-devel
4. 从源码编译安装
版本:suricata-4.0.3.tar.gz
编译安装:
[root@suricata suricata-4.0.3]# ./configure --prefix=/suricata/usr --sysconfdir=/suricata/etc --localstatedir=/suricata/var --enable-nfqueue --enable-lua [root@suricata suricata-4.0.3]# mak [root@suricata suricata-4.0.3]# make install
都安装了哪些东西?
[root@suricata suricata]# tree . └── usr ├── bin │ ├── suricata │ └── suricatasc ├── include │ └── htp │ ├── bstr_builder.h │ ├── bstr.h │ ├── htp_base64.h │ ├── htp_config.h │ ├── htp_connection_parser.h │ ├── htp_core.h │ ├── htp_decompressors.h │ ├── htp.h │ ├── htp_hooks.h │ ├── htp_list.h │ ├── htp_multipart.h │ ├── htp_table.h │ ├── htp_transaction.h │ ├── htp_urlencoded.h │ ├── htp_utf8_decoder.h │ └── htp_version.h ├── lib │ ├── libhtp.a │ ├── libhtp.la │ ├── libhtp.so -> libhtp.so.2.0.0 │ ├── libhtp.so.2 -> libhtp.so.2.0.0 │ ├── libhtp.so.2.0.0 │ ├── pkgconfig │ │ └── htp.pc │ └── python2.7 │ └── site-packages │ ├── suricatasc │ │ ├── __init__.py │ │ ├── __init__.pyc │ │ ├── suricatasc.py │ │ └── suricatasc.pyc │ └── suricatasc-0.9-py2.7.egg-info └── share ├── doc │ └── suricata │ ├── AUTHORS │ ├── Basic_Setup.txt │ ├── CentOS_56_Installation.txt │ ├── CentOS5.txt │ ├── Debian_Installation.txt │ ├── Fedora_Core.txt │ ├── FreeBSD_8.txt │ ├── GITGUIDE │ ├── HTP_library_installation.txt │ ├── INSTALL │ ├── Installation_from_GIT_with_PCRE-JIT.txt │ ├── Installation_from_GIT_with_PF_RING_on_Ubuntu_server_1104.txt │ ├── Installation_with_CUDA_and_PFRING_on_Scientific_Linux_6.txt │ ├── Installation_with_CUDA_and_PF_RING_on_Ubuntu_server_1104.txt │ ├── Installation_with_CUDA_on_Scientific_Linux_6.txt │ ├── Installation_with_CUDA_on_Ubuntu_server_1104.txt │ ├── Installation_with_PF_RING.txt │ ├── INSTALL.PF_RING │ ├── INSTALL.WINDOWS │ ├── Mac_OS_X_106x.txt │ ├── NEWS │ ├── OpenBSD_Installation_from_GIT.txt │ ├── README │ ├── Setting_up_IPSinline_for_Linux.txt │ ├── Third_Party_Installation_Guides.txt │ ├── TODO │ ├── Ubuntu_Installation_from_GIT.txt │ ├── Ubuntu_Installation.txt │ └── Windows.txt └── man └── man1 └── suricata.1 14 directories, 59 files [root@suricata suricata]#
有个man手册,因为我没有直接安装在根目录,所以可以这样打开:
[root@suricata suricata]# man -M /suricata/usr/share/man/ suricata
装完了是没法运行的,还需要配置。自动化配置:
[root@suricata suricata-4.0.3]# make install-conf
install -d "/suricata/etc/suricata/"
install -d "/suricata/var/log/suricata/files"
install -d "/suricata/var/log/suricata/certs"
install -d "/suricata/var/run/"
install -m 770 -d "/suricata/var/run/suricata"
那么,部署了哪些东西呢?
[root@suricata suricata-4.0.3]# diff org install-conf 74a75,87 > /suricata/etc > /suricata/etc/suricata > /suricata/etc/suricata/suricata.yaml > /suricata/etc/suricata/classification.config > /suricata/etc/suricata/reference.config > /suricata/etc/suricata/threshold.config > /suricata/var > /suricata/var/log > /suricata/var/log/suricata > /suricata/var/log/suricata/files > /suricata/var/log/suricata/certs > /suricata/var/run > /suricata/var/run/suricata [root@suricata suricata-4.0.3]#
启动:
[root@suricata ~]# /suricata/usr/bin/suricata -c /suricata/etc/suricata/suricata.yaml -i eth0 7/2/2018 -- 13:45:15 - <Notice> - This is Suricata version 4.0.3 RELEASE 7/2/2018 -- 13:45:16 - <Warning> - [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern /suricata/etc/suricata/rules/botcc.rules 7/2/2018 -- 13:45:16 - <Warning> - [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern /suricata/etc/suricata/rules/ciarmy.rules 7/2/2018 -- 13:45:16 - <Warning> - [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern /suricata/etc/suricata/rules/compromised.rules ... ...
安装规则:
在安装的过程中,程序会从网络上,下载最新的规则进行安装。
[root@suricata suricata-4.0.3]# make install-rules install -d "/suricata/etc/suricata/rules" /usr/bin/wget -qO - https://rules.emergingthreats.net/open/suricata-4.0/emerging.rules.tar.gz | tar -x -z -C "/suricata/etc/suricata/" -f - You can now start suricata by running as root something like '/suricata/usr/bin/suricata -c /suricata/etc/suricata//suricata.yaml -i eth0'. If a library like libhtp.so is not found, you can run suricata with: 'LD_LIBRARY_PATH=/suricata/usr/lib /suricata/usr/bin/suricata -c /suricata/etc/suricata//suricata.yaml -i eth0'. While rules are installed now, it's highly recommended to use a rule manager for maintaining rules. The two most common are Oinkmaster and Pulledpork. For a guide see: https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Rule_Management_with_Oinkmaster
引申一下: 这里提到了rule manager, 基本上来说,就是用来更新规则的, 可以参考阅读:
http://suricata.readthedocs.io/en/latest/rule-management/index.html
安装规则的时候, 都安装了些什么东西呢?
[root@suricata ~]# diff old new 80a81,151 > /suricata/etc/suricata/rules > /suricata/etc/suricata/rules/emerging-ftp.rules > /suricata/etc/suricata/rules/emerging-activex.rules > /suricata/etc/suricata/rules/dshield.rules > /suricata/etc/suricata/rules/emerging-pop3.rules > /suricata/etc/suricata/rules/emerging-web_specific_apps.rules > /suricata/etc/suricata/rules/emerging-icmp.rules > /suricata/etc/suricata/rules/suricata-1.3-etpro-etnamed.yaml > /suricata/etc/suricata/rules/emerging-scan.rules > /suricata/etc/suricata/rules/emerging-current_events.rules > /suricata/etc/suricata/rules/emerging-imap.rules > /suricata/etc/suricata/rules/emerging-sql.rules > /suricata/etc/suricata/rules/emerging-p2p.rules > /suricata/etc/suricata/rules/drop.rules > /suricata/etc/suricata/rules/emerging-worm.rules > /suricata/etc/suricata/rules/suricata-1.3-open.yaml > /suricata/etc/suricata/rules/emerging-snmp.rules > /suricata/etc/suricata/rules/emerging-scada.rules > /suricata/etc/suricata/rules/emerging-malware.rules > /suricata/etc/suricata/rules/emerging-trojan.rules > /suricata/etc/suricata/rules/emerging-inappropriate.rules > /suricata/etc/suricata/rules/emerging-shellcode.rules > /suricata/etc/suricata/rules/BSD-License.txt > /suricata/etc/suricata/rules/botcc.portgrouped.rules > /suricata/etc/suricata/rules/emerging-smtp.rules > /suricata/etc/suricata/rules/emerging-web_server.rules > /suricata/etc/suricata/rules/emerging-web_client.rules > /suricata/etc/suricata/rules/compromised.rules > /suricata/etc/suricata/rules/emerging-netbios.rules > /suricata/etc/suricata/rules/botcc.rules > /suricata/etc/suricata/rules/ciarmy.rules > /suricata/etc/suricata/rules/emerging-tftp.rules > /suricata/etc/suricata/rules/classification.config > /suricata/etc/suricata/rules/rbn.rules > /suricata/etc/suricata/rules/emerging.conf > /suricata/etc/suricata/rules/emerging-attack_response.rules > /suricata/etc/suricata/rules/emerging-deleted.rules > /suricata/etc/suricata/rules/emerging-mobile_malware.rules > /suricata/etc/suricata/rules/emerging-rpc.rules > /suricata/etc/suricata/rules/tor.rules > /suricata/etc/suricata/rules/rbn-malvertisers.rules > /suricata/etc/suricata/rules/emerging-icmp_info.rules > /suricata/etc/suricata/rules/emerging-exploit.rules > /suricata/etc/suricata/rules/emerging-telnet.rules > /suricata/etc/suricata/rules/emerging-user_agents.rules > /suricata/etc/suricata/rules/gpl-2.0.txt > /suricata/etc/suricata/rules/decoder-events.rules > /suricata/etc/suricata/rules/stream-events.rules > /suricata/etc/suricata/rules/smtp-events.rules > /suricata/etc/suricata/rules/http-events.rules > /suricata/etc/suricata/rules/dns-events.rules > /suricata/etc/suricata/rules/tls-events.rules > /suricata/etc/suricata/rules/modbus-events.rules > /suricata/etc/suricata/rules/app-layer-events.rules > /suricata/etc/suricata/rules/dnp3-events.rules > /suricata/etc/suricata/rules/emerging-info.rules > /suricata/etc/suricata/rules/emerging-chat.rules > /suricata/etc/suricata/rules/LICENSE > /suricata/etc/suricata/rules/emerging-misc.rules > /suricata/etc/suricata/rules/suricata-4.0-enhanced-open.txt > /suricata/etc/suricata/rules/reference.config > /suricata/etc/suricata/rules/gen-msg.map > /suricata/etc/suricata/rules/emerging-policy.rules > /suricata/etc/suricata/rules/emerging-dns.rules > /suricata/etc/suricata/rules/unicode.map > /suricata/etc/suricata/rules/compromised-ips.txt > /suricata/etc/suricata/rules/emerging-voip.rules > /suricata/etc/suricata/rules/suricata-1.2-prior-open.yaml > /suricata/etc/suricata/rules/emerging-games.rules > /suricata/etc/suricata/rules/emerging-dos.rules > /suricata/etc/suricata/rules/sid-msg.map [root@suricata ~]#
再次启动:
[root@suricata ~]# /suricata/usr/bin/suricata -c /suricata/etc/suricata/suricata.yaml -i eth0 8/2/2018 -- 09:29:48 - <Notice> - This is Suricata version 4.0.3 RELEASE 8/2/2018 -- 09:29:52 - <Notice> - all 1 packet processing threads, 4 management threads initialized, engine started.
至此, 安装部署启动已完成.
下一篇:
一篇参考文章,还不错 : 构建基于Suricata+Splunk的IDS入侵检测系统
http://www.cnblogs.com/ssooking/p/IDS.html