[DPI][suricata] Installing and deploying suricata-4.0.3


suricata is well worth studying. But the first step is to install and run it, to get familiar with it.

Installation docs: https://redmine.openinfosecfoundation.org/projects/suricata/wiki/CentOS_Installation

1. First, create a virtual machine:

┬─[tong@T7:~/VM/suricata-centos7]─[10:52:28 AM]
╰─>$ cat start.sh 
#! /usr/bin/bash

sudo qemu-system-x86_64 -enable-kvm -nographic -vnc 127.0.0.1:8 \
        -m 2G -drive file=disk.img,if=virtio \
        -name suricata \
        -device virtio-net-pci,netdev=dev0,mac='00:00:00:09:00:00' \
        -netdev tap,ifname=tap-suricata-ctrl,vhost=on,queues=16,id=dev0 \
        -cdrom /home/tong/Data/ISO/CentOS-7-x86_64-DVD-1708.iso \
        &


2. Install the operating system, CentOS 7

Version used: CentOS-7-x86_64-DVD-1708.iso, installed with the "infrastructure server" profile


3. Install the required dependencies

yum install gcc
yum install pcre-devel
yum install libyaml-devel
yum install libpcap-devel
yum install lua-devel
yum search zlib-devel


4. Build and install from source

Version: suricata-4.0.3.tar.gz

Build and install:

[root@suricata suricata-4.0.3]# ./configure --prefix=/suricata/usr --sysconfdir=/suricata/etc --localstatedir=/suricata/var --enable-nfqueue --enable-lua
[root@suricata suricata-4.0.3]# make
[root@suricata suricata-4.0.3]# make install

What got installed?

[root@suricata suricata]# tree
.
└── usr
    ├── bin
    │   ├── suricata
    │   └── suricatasc
    ├── include
    │   └── htp
    │       ├── bstr_builder.h
    │       ├── bstr.h
    │       ├── htp_base64.h
    │       ├── htp_config.h
    │       ├── htp_connection_parser.h
    │       ├── htp_core.h
    │       ├── htp_decompressors.h
    │       ├── htp.h
    │       ├── htp_hooks.h
    │       ├── htp_list.h
    │       ├── htp_multipart.h
    │       ├── htp_table.h
    │       ├── htp_transaction.h
    │       ├── htp_urlencoded.h
    │       ├── htp_utf8_decoder.h
    │       └── htp_version.h
    ├── lib
    │   ├── libhtp.a
    │   ├── libhtp.la
    │   ├── libhtp.so -> libhtp.so.2.0.0
    │   ├── libhtp.so.2 -> libhtp.so.2.0.0
    │   ├── libhtp.so.2.0.0
    │   ├── pkgconfig
    │   │   └── htp.pc
    │   └── python2.7
    │       └── site-packages
    │           ├── suricatasc
    │           │   ├── __init__.py
    │           │   ├── __init__.pyc
    │           │   ├── suricatasc.py
    │           │   └── suricatasc.pyc
    │           └── suricatasc-0.9-py2.7.egg-info
    └── share
        ├── doc
        │   └── suricata
        │       ├── AUTHORS
        │       ├── Basic_Setup.txt
        │       ├── CentOS_56_Installation.txt
        │       ├── CentOS5.txt
        │       ├── Debian_Installation.txt
        │       ├── Fedora_Core.txt
        │       ├── FreeBSD_8.txt
        │       ├── GITGUIDE
        │       ├── HTP_library_installation.txt
        │       ├── INSTALL
        │       ├── Installation_from_GIT_with_PCRE-JIT.txt
        │       ├── Installation_from_GIT_with_PF_RING_on_Ubuntu_server_1104.txt
        │       ├── Installation_with_CUDA_and_PFRING_on_Scientific_Linux_6.txt
        │       ├── Installation_with_CUDA_and_PF_RING_on_Ubuntu_server_1104.txt
        │       ├── Installation_with_CUDA_on_Scientific_Linux_6.txt
        │       ├── Installation_with_CUDA_on_Ubuntu_server_1104.txt
        │       ├── Installation_with_PF_RING.txt
        │       ├── INSTALL.PF_RING
        │       ├── INSTALL.WINDOWS
        │       ├── Mac_OS_X_106x.txt
        │       ├── NEWS
        │       ├── OpenBSD_Installation_from_GIT.txt
        │       ├── README
        │       ├── Setting_up_IPSinline_for_Linux.txt
        │       ├── Third_Party_Installation_Guides.txt
        │       ├── TODO
        │       ├── Ubuntu_Installation_from_GIT.txt
        │       ├── Ubuntu_Installation.txt
        │       └── Windows.txt
        └── man
            └── man1
                └── suricata.1

14 directories, 59 files
[root@suricata suricata]# 


There is a man page; since I did not install under the root prefix, it has to be opened like this:

[root@suricata suricata]# man -M /suricata/usr/share/man/ suricata


Once installed it still cannot run; it needs to be configured first. Automated configuration:

[root@suricata suricata-4.0.3]# make install-conf 
install -d "/suricata/etc/suricata/"
install -d "/suricata/var/log/suricata/files"
install -d "/suricata/var/log/suricata/certs"
install -d "/suricata/var/run/"
install -m 770 -d "/suricata/var/run/suricata"

So what did that deploy?

[root@suricata suricata-4.0.3]# diff org install-conf 
74a75,87
> /suricata/etc
> /suricata/etc/suricata
> /suricata/etc/suricata/suricata.yaml
> /suricata/etc/suricata/classification.config
> /suricata/etc/suricata/reference.config
> /suricata/etc/suricata/threshold.config
> /suricata/var
> /suricata/var/log
> /suricata/var/log/suricata
> /suricata/var/log/suricata/files
> /suricata/var/log/suricata/certs
> /suricata/var/run
> /suricata/var/run/suricata
[root@suricata suricata-4.0.3]# 


Start it:

[root@suricata ~]# /suricata/usr/bin/suricata -c /suricata/etc/suricata/suricata.yaml -i eth0
7/2/2018 -- 13:45:15 - <Notice> - This is Suricata version 4.0.3 RELEASE
7/2/2018 -- 13:45:16 - <Warning> - [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern /suricata/etc/suricata/rules/botcc.rules
7/2/2018 -- 13:45:16 - <Warning> - [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern /suricata/etc/suricata/rules/ciarmy.rules
7/2/2018 -- 13:45:16 - <Warning> - [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern /suricata/etc/suricata/rules/compromised.rules
... ...


Install the rules:

During this step, the program downloads the latest rules from the network and installs them.

[root@suricata suricata-4.0.3]# make install-rules
install -d "/suricata/etc/suricata/rules"
/usr/bin/wget -qO - https://rules.emergingthreats.net/open/suricata-4.0/emerging.rules.tar.gz | tar -x -z -C "/suricata/etc/suricata/" -f -

You can now start suricata by running as root something like '/suricata/usr/bin/suricata -c /suricata/etc/suricata//suricata.yaml -i eth0'.

If a library like libhtp.so is not found, you can run suricata with:
'LD_LIBRARY_PATH=/suricata/usr/lib /suricata/usr/bin/suricata -c /suricata/etc/suricata//suricata.yaml -i eth0'.

While rules are installed now, it's highly recommended to use a rule manager for maintaining rules.
The two most common are Oinkmaster and Pulledpork. For a guide see:
https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Rule_Management_with_Oinkmaster

A side note: the output above mentions a rule manager; in short, it is a tool for keeping rules up to date. See:

http://suricata.readthedocs.io/en/latest/rule-management/index.html


And what was installed when the rules were installed?

[root@suricata ~]# diff old new 
80a81,151
> /suricata/etc/suricata/rules
> /suricata/etc/suricata/rules/emerging-ftp.rules
> /suricata/etc/suricata/rules/emerging-activex.rules
> /suricata/etc/suricata/rules/dshield.rules
> /suricata/etc/suricata/rules/emerging-pop3.rules
> /suricata/etc/suricata/rules/emerging-web_specific_apps.rules
> /suricata/etc/suricata/rules/emerging-icmp.rules
> /suricata/etc/suricata/rules/suricata-1.3-etpro-etnamed.yaml
> /suricata/etc/suricata/rules/emerging-scan.rules
> /suricata/etc/suricata/rules/emerging-current_events.rules
> /suricata/etc/suricata/rules/emerging-imap.rules
> /suricata/etc/suricata/rules/emerging-sql.rules
> /suricata/etc/suricata/rules/emerging-p2p.rules
> /suricata/etc/suricata/rules/drop.rules
> /suricata/etc/suricata/rules/emerging-worm.rules
> /suricata/etc/suricata/rules/suricata-1.3-open.yaml
> /suricata/etc/suricata/rules/emerging-snmp.rules
> /suricata/etc/suricata/rules/emerging-scada.rules
> /suricata/etc/suricata/rules/emerging-malware.rules
> /suricata/etc/suricata/rules/emerging-trojan.rules
> /suricata/etc/suricata/rules/emerging-inappropriate.rules
> /suricata/etc/suricata/rules/emerging-shellcode.rules
> /suricata/etc/suricata/rules/BSD-License.txt
> /suricata/etc/suricata/rules/botcc.portgrouped.rules
> /suricata/etc/suricata/rules/emerging-smtp.rules
> /suricata/etc/suricata/rules/emerging-web_server.rules
> /suricata/etc/suricata/rules/emerging-web_client.rules
> /suricata/etc/suricata/rules/compromised.rules
> /suricata/etc/suricata/rules/emerging-netbios.rules
> /suricata/etc/suricata/rules/botcc.rules
> /suricata/etc/suricata/rules/ciarmy.rules
> /suricata/etc/suricata/rules/emerging-tftp.rules
> /suricata/etc/suricata/rules/classification.config
> /suricata/etc/suricata/rules/rbn.rules
> /suricata/etc/suricata/rules/emerging.conf
> /suricata/etc/suricata/rules/emerging-attack_response.rules
> /suricata/etc/suricata/rules/emerging-deleted.rules
> /suricata/etc/suricata/rules/emerging-mobile_malware.rules
> /suricata/etc/suricata/rules/emerging-rpc.rules
> /suricata/etc/suricata/rules/tor.rules
> /suricata/etc/suricata/rules/rbn-malvertisers.rules
> /suricata/etc/suricata/rules/emerging-icmp_info.rules
> /suricata/etc/suricata/rules/emerging-exploit.rules
> /suricata/etc/suricata/rules/emerging-telnet.rules
> /suricata/etc/suricata/rules/emerging-user_agents.rules
> /suricata/etc/suricata/rules/gpl-2.0.txt
> /suricata/etc/suricata/rules/decoder-events.rules
> /suricata/etc/suricata/rules/stream-events.rules
> /suricata/etc/suricata/rules/smtp-events.rules
> /suricata/etc/suricata/rules/http-events.rules
> /suricata/etc/suricata/rules/dns-events.rules
> /suricata/etc/suricata/rules/tls-events.rules
> /suricata/etc/suricata/rules/modbus-events.rules
> /suricata/etc/suricata/rules/app-layer-events.rules
> /suricata/etc/suricata/rules/dnp3-events.rules
> /suricata/etc/suricata/rules/emerging-info.rules
> /suricata/etc/suricata/rules/emerging-chat.rules
> /suricata/etc/suricata/rules/LICENSE
> /suricata/etc/suricata/rules/emerging-misc.rules
> /suricata/etc/suricata/rules/suricata-4.0-enhanced-open.txt
> /suricata/etc/suricata/rules/reference.config
> /suricata/etc/suricata/rules/gen-msg.map
> /suricata/etc/suricata/rules/emerging-policy.rules
> /suricata/etc/suricata/rules/emerging-dns.rules
> /suricata/etc/suricata/rules/unicode.map
> /suricata/etc/suricata/rules/compromised-ips.txt
> /suricata/etc/suricata/rules/emerging-voip.rules
> /suricata/etc/suricata/rules/suricata-1.2-prior-open.yaml
> /suricata/etc/suricata/rules/emerging-games.rules
> /suricata/etc/suricata/rules/emerging-dos.rules
> /suricata/etc/suricata/rules/sid-msg.map
[root@suricata ~]# 


Start again:

[root@suricata ~]# /suricata/usr/bin/suricata -c /suricata/etc/suricata/suricata.yaml -i eth0
8/2/2018 -- 09:29:48 - <Notice> - This is Suricata version 4.0.3 RELEASE
8/2/2018 -- 09:29:52 - <Notice> - all 1 packet processing threads, 4 management threads initialized, engine started.
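As an added post-install check (not part of the original post), this script parses Suricata's startup output for the SC_ERR_NO_RULES warnings seen in the first start above, refuses to report "ready" until the engine-started notice appears, and prints the launch command with LD_LIBRARY_PATH set as the install-rules message recommends. The sample log is constructed from the lines shown above; the function names and the /suricata prefix paths are taken from this post's layout.

```shell
#!/bin/sh
# Post-install check for the /suricata prefix layout used in this post (added example).
PREFIX=/suricata/usr
SYSCONF=/suricata/etc/suricata

# Constructed sample of the first startup output (before make install-rules).
SAMPLE_LOG='7/2/2018 -- 13:45:15 - <Notice> - This is Suricata version 4.0.3 RELEASE
7/2/2018 -- 13:45:16 - <Warning> - [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern /suricata/etc/suricata/rules/botcc.rules
7/2/2018 -- 13:45:16 - <Warning> - [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern /suricata/etc/suricata/rules/ciarmy.rules
7/2/2018 -- 13:45:17 - <Notice> - all 1 packet processing threads, 4 management threads initialized, engine started.'

# missing_rule_files: read Suricata startup output on stdin and print the path of
# every rule file that SC_ERR_NO_RULES complained about, one per line.
missing_rule_files() {
  sed -n 's/.*SC_ERR_NO_RULES([0-9]*)\] - No rule files match the pattern //p'
}

# engine_started: succeed only if the log on stdin shows the engine actually came up.
engine_started() {
  grep -q 'engine started\.$'
}

# launch_cmd: the start command from the post, with LD_LIBRARY_PATH pointing at the
# non-root prefix so libhtp.so is found; interface defaults to eth0.
launch_cmd() {
  printf 'LD_LIBRARY_PATH=%s/lib %s/bin/suricata -c %s/suricata.yaml -i %s\n' \
    "$PREFIX" "$PREFIX" "$SYSCONF" "${1:-eth0}"
}

# check_log: summarize a saved startup log; return 1 if any rule file is missing or the
# engine never started, so this can gate enabling the service.
check_log() {
  log=$1; rc=0
  missing=$(missing_rule_files < "$log")
  if [ -n "$missing" ]; then
    echo "missing rule files (run 'make install-rules' or a rule manager):"
    printf '%s\n' "$missing" | sed 's/^/  /'
    rc=1
  fi
  engine_started < "$log" || { echo "engine did not start"; rc=1; }
  return $rc
}

# Demo on the constructed sample: reports the two missing files and the launch command.
tmp=$(mktemp)
printf '%s\n' "$SAMPLE_LOG" > "$tmp"
check_log "$tmp" || echo "not ready for deployment"
echo "start with: $(launch_cmd eth0)"
rm -f "$tmp"
```

Feed it a real log with `suricata ... 2>&1 | tee start.log` and then `check_log start.log`; after `make install-rules` the missing-file list should be empty.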


At this point, installation, deployment and startup are complete.


Next post:

[DPI][suricata] Configuring and using suricata


A reference article worth reading: Building an IDS (intrusion detection system) on Suricata + Splunk

http://www.cnblogs.com/ssooking/p/IDS.html


Posted on 2018-02-07 11:54 by toong