n1 Armbian OS 24.11.0 noble: installing Suricata

References

Install Suricata | OISF/suricata - KoalaWiki

Deploying Kibana on an ARM server (kibana arm) - CSDN blog

https://artifacts.elastic.co/downloads/kibana/kibana-7.17.22-linux-aarch64.tar.gz

  1. Add the OISF PPA:

    sudo add-apt-repository ppa:oisf/suricata-stable
    sudo apt-get update

  2. Install Suricata:

    sudo apt-get install suricata

Suricata Installation Guide

Suricata is a high-performance open-source intrusion detection system (IDS), intrusion prevention system (IPS) and network security monitoring engine. The following describes how to install Suricata on different operating systems.

Installing on Ubuntu/Debian

Update the package lists so that the latest package versions are available:

sudo apt update

Install Suricata and its dependencies:

sudo apt install suricata

Start the Suricata service and enable it at boot:

sudo systemctl start suricata
sudo systemctl enable suricata

Installing on CentOS/RHEL

Add the EPEL repository to obtain the Suricata package:

sudo yum install epel-release

Install Suricata:

sudo yum install suricata

Start the service and enable it at boot:

sudo systemctl start suricata
sudo systemctl enable suricata

Installing from source

Download the latest Suricata source release:

wget https://www.openinfosecfoundation.org/download/suricata-<version>.tar.gz

Extract it and enter the source directory:

tar -xzvf suricata-<version>.tar.gz
cd suricata-<version>

Build and install Suricata:

./configure
make
sudo make install

Configuring Suricata

The default configuration file is normally /etc/suricata/suricata.yaml; adjust the rule set and the network interface settings there as needed. The rule set is updated with:

sudo suricata-update

Verifying the installation

Check the Suricata version to confirm the installation succeeded:

suricata -V

Run Suricata on an interface as a test:

sudo suricata -c /etc/suricata/suricata.yaml -i <interface>

The steps above cover the basic installation and configuration of Suricata on the major Linux distributions. Depending on your requirements, the configuration file or the rule set may need further adjustment.
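As an added example (not part of the original post and not Suricata's own tooling), the script below reads the eve.json that the configuration further down this page writes to default-log-dir and summarises alerts by signature, severity and direction relative to that configuration's HOME_NET; the HOME_NET ranges and the /sdb1/log/suricata/eve.json path come from the page, while the sample events are constructed.

```python
import json
import ipaddress
import sys
from collections import Counter

# HOME_NET exactly as set in the suricata.yaml shown on this page.
HOME_NET = [ipaddress.ip_network(n)
            for n in ("192.168.1.0/24", "10.8.8.0/24", "172.16.0.0/12")]
# Constructed sample eve.json lines (not real sensor output); the last one is
# deliberately truncated, as seen when reading while Suricata is still writing.
SAMPLE_EVE = """\
{"event_type":"alert","src_ip":"10.8.8.5","dest_ip":"203.0.113.10","alert":{"signature_id":9000001,"signature":"EXAMPLE POLICY outbound","severity":2}}
{"event_type":"dns","src_ip":"10.8.8.5","dest_ip":"192.168.1.1","dns":{"type":"query","rrname":"example.com"}}
{"event_type":"alert","src_ip":"198.51.100.7","dest_ip":"192.168.1.20","alert":{"signature_id":9000002,"signature":"EXAMPLE SCAN probe","severity":3}}
{"event_type":"alert","src_ip":"10.8.8.5","dest_ip":"203.0.113.10","alert":{"signature_id":9000001,"signature":"EXAMPLE POLICY outbound","severity":2}}
{"event_type":"alert","src_ip":"10.8.8.5","dest_ip":"203.0.113.10","al
"""

def in_home_net(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in HOME_NET)

def direction(src, dst):
    """Classify a flow the way $HOME_NET / $EXTERNAL_NET split it in rules."""
    s, d = in_home_net(src), in_home_net(dst)
    return {(True, True): "internal", (True, False): "outbound",
            (False, True): "inbound", (False, False): "external"}[(s, d)]

def summarize_alerts(lines):
    """Count alerts by (sid, signature, severity, direction); skip other events and bad JSON."""
    counts = Counter()
    for line in lines:
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue          # blank, truncated or otherwise malformed line
        if ev.get("event_type") != "alert":
            continue
        a = ev["alert"]
        key = (a["signature_id"], a["signature"], a["severity"],
               direction(ev["src_ip"], ev["dest_ip"]))
        counts[key] += 1
    return counts

if __name__ == "__main__":
    # Default path follows default-log-dir in this page's suricata.yaml.
    path = sys.argv[1] if len(sys.argv) > 1 else "/sdb1/log/suricata/eve.json"
    with open(path) as fh:
        for (sid, sig, sev, dirn), n in summarize_alerts(fh).most_common():
            print(f"{n:5d} sev={sev} {dirn:8s} sid={sid} {sig}")
```

Before trusting the counts, `sudo suricata -T -c /etc/suricata/suricata.yaml` validates the configuration without capturing, and an empty summary after `sudo suricata-update` usually means the af-packet interface name (eth0 on this page) does not match the device.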

The resulting configuration with comment lines stripped, printed with:

egrep -v '^[[:space:]]*#|%$' /etc/suricata/suricata.yaml

%YAML 1.1
---


suricata-version: "8.0"


vars:
  address-groups:
    HOME_NET: "[192.168.1.0/24,10.8.8.0/24,172.16.0.0/12]"

    EXTERNAL_NET: "!$HOME_NET"

    HTTP_SERVERS: "$HOME_NET"
    SMTP_SERVERS: "$HOME_NET"
    SQL_SERVERS: "$HOME_NET"
    DNS_SERVERS: "$HOME_NET"
    TELNET_SERVERS: "$HOME_NET"
    AIM_SERVERS: "$EXTERNAL_NET"
    DC_SERVERS: "$HOME_NET"
    DNP3_SERVER: "$HOME_NET"
    DNP3_CLIENT: "$HOME_NET"
    MODBUS_CLIENT: "$HOME_NET"
    MODBUS_SERVER: "$HOME_NET"
    ENIP_CLIENT: "$HOME_NET"
    ENIP_SERVER: "$HOME_NET"

  port-groups:
    HTTP_PORTS: "80"
    SHELLCODE_PORTS: "!80"
    ORACLE_PORTS: 1521
    SSH_PORTS: 22
    DNP3_PORTS: 20000
    MODBUS_PORTS: 502
    FILE_DATA_PORTS: "[$HTTP_PORTS,110,143]"
    FTP_PORTS: 21
    GENEVE_PORTS: 6081
    VXLAN_PORTS: 4789
    TEREDO_PORTS: 3544
    SIP_PORTS: "[5060, 5061]"


default-log-dir: /sdb1/log/suricata/

stats:
  enabled: yes
  interval: 8
  exception-policy:

plugins:

outputs:
  - fast:
      enabled: yes
      filename: fast.log
      append: yes

  - eve-log:
      enabled: yes
      filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
      filename: eve.json


      pcap-file: false


      community-id: false
      community-id-seed: 0

      xff:
        enabled: no
        mode: extra-data
        deployment: reverse
        header: X-Forwarded-For

      types:
        - alert:

            tagged-packets: yes
        - frame:
            enabled: no
        - anomaly:
            enabled: yes
            types:
        - http:
            extended: yes     # enable this for extended logging information
        - dns:




        - mdns:
        - tls:
            extended: yes     # enable this for extended logging information
        - files:
            force-magic: no   # force logging magic on all logged files
        - smtp:

        - websocket
        - ftp
        - rdp
        - nfs
        - smb:
        - tftp
        - ike
        - dcerpc
        - krb5
        - bittorrent-dht
        - snmp
        - rfb
        - sip
        - quic
        - ldap
        - pop3
        - arp:
            enabled: no        # Many events can be logged. Disabled by default
        - dhcp:
            enabled: yes
            extended: no
        - ssh
        - mqtt:
        - http2
        - doh2
        - pgsql:
            enabled: no
        - stats:
            totals: yes       # stats for all threads merged together
            threads: no       # per thread stats
            deltas: no        # include delta values
        - flow



  - tls-store:
      enabled: no

  - pcap-log:
      enabled: no
      filename: log.pcap

      limit: 1000 MiB

      max-files: 2000

      compression: none


      mode: normal # normal or multi


      use-stream-depth: no #If set to "yes" packets seen after reaching stream inspection depth are ignored. "no" logs all packets
      honor-pass-rules: no # If set to "yes", flows in which a pass rule matched will stop being logged.


  - alert-debug:
      enabled: no
      filename: alert-debug.log
      append: yes

  - stats:
      enabled: yes
      filename: stats.log
      append: yes       # append to file (yes) or overwrite it (no)
      totals: yes       # stats for all threads merged together
      threads: no       # per thread stats

  - file-store:
      version: 2
      enabled: no






      xff:
        enabled: no
        mode: extra-data
        deployment: reverse
        header: X-Forwarded-For

  - tcp-data:
      enabled: no
      type: file
      filename: tcp-data.log

  - http-body-data:
      enabled: no
      type: file
      filename: http-data.log

  - lua:
      enabled: no


      scripts:

heartbeat:

logging:
  default-log-level: notice


  default-output-filter:


  outputs:
  - console:
      enabled: yes
  - file:
      enabled: yes
      level: info
      filename: suricata.log
  - syslog:
      enabled: no
      facility: local5
      format: "[%i] <%d> -- "



af-packet:
  - interface: eth0
    cluster-id: 99
    cluster-type: cluster_flow
    defrag: yes

  - interface: default

af-xdp:
  - interface: default

dpdk:
  eal-params:
    proc-type: primary

  interfaces:
    - interface: 0000:3b:00.0 # PCIe address of the NIC port
      threads: auto
      promisc: true # promiscuous mode - capture all packets
      multicast: true # enables also detection on multicast packets
      checksum-checks: true # if Suricata should validate checksums
      checksum-checks-offload: true # if possible offload checksum validation to the NIC (saves Suricata resources)
      mtu: 1500 # Set MTU of the device in bytes
      vlan-strip-offload: false # if possible enable hardware vlan stripping

      mempool-size: auto # autocalculated based on Rx/Tx descriptors and threads
      mempool-cache-size: auto # autocalculated from the mempool size
      rx-descriptors: auto # max number of descriptors
      tx-descriptors: auto # max number of descriptors
      copy-mode: none
      copy-iface: none # or PCIe address of the second interface

    - interface: default
      threads: auto
      promisc: true
      multicast: true
      checksum-checks: true
      checksum-checks-offload: true
      mtu: 1500
      vlan-strip-offload: false
      rss-hash-functions: auto
      linkup-timeout: 0
      mempool-size: auto
      mempool-cache-size: auto
      rx-descriptors: auto
      tx-descriptors: auto
      copy-mode: none
      copy-iface: none


pcap:
  - interface: eth0
  - interface: default

pcap-file:
  checksum-checks: auto






app-layer:
  protocols:
    telnet:
      enabled: yes
    rfb:
      enabled: yes
      detection-ports:
        dp: 5900, 5901, 5902, 5903, 5904, 5905, 5906, 5907, 5908, 5909
    mqtt:
      enabled: yes
    krb5:
      enabled: yes
    bittorrent-dht:
      enabled: yes
    snmp:
      enabled: yes
    ike:
      enabled: yes
    tls:
      enabled: yes
      detection-ports:
        dp: 443



    pgsql:
      enabled: no
      stream-depth: 0
    dcerpc:
      enabled: yes
    ftp:
      enabled: yes
    websocket:
    rdp:
    ssh:
      enabled: yes

    doh2:
      enabled: yes
    http2:
      enabled: yes
    smtp:
      enabled: yes
      raw-extraction: no
      mime:
        decode-mime: yes

        decode-base64: yes
        decode-quoted-printable: yes

        header-value-depth: 2000

        extract-urls: yes
        body-md5: no
      inspected-tracker:
        content-limit: 100000
        content-inspect-min-size: 32768
        content-inspect-window: 4096
    imap:
      enabled: detection-only
    pop3:
      enabled: yes
      detection-ports:
        dp: 110
      stream-depth: 0
    smb:
      enabled: yes
      detection-ports:
        dp: 139, 445


    nfs:
      enabled: yes
    tftp:
      enabled: yes
    dns:
      tcp:
        enabled: yes
        detection-ports:
          dp: 53
      udp:
        enabled: yes
        detection-ports:
          dp: 53
    http:
      enabled: yes





      libhtp:
         default-config:
           personality: IDS

           request-body-limit: 100 KiB
           response-body-limit: 100 KiB

           request-body-minimal-inspect-size: 32 KiB
           request-body-inspect-window: 4 KiB
           response-body-minimal-inspect-size: 40 KiB
           response-body-inspect-window: 16 KiB

           response-body-decompress-layer-limit: 2

           http-body-inline: auto

           swf-decompression:
             enabled: no
             type: both
             compress-depth: 100 KiB
             decompress-depth: 100 KiB


           double-decode-path: no
           double-decode-query: no


         server-config:



    modbus:

      enabled: no
      detection-ports:
        dp: 502

      stream-depth: 0

    dnp3:
      enabled: no
      detection-ports:
        dp: 20000

    enip:
      enabled: no
      detection-ports:
        dp: 44818
        sp: 44818

    ntp:
      enabled: yes

    quic:
      enabled: yes

    dhcp:
      enabled: yes

    sip:

    ldap:
      tcp:
        enabled: yes
        detection-ports:
          dp: 389, 3268
      udp:
        enabled: yes
        detection-ports:
          dp: 389, 3268

    mdns:
      enabled: yes

asn1-max-frames: 256

datasets:
  defaults:

  limits:

  rules:





security:
  limit-noproc: true
  landlock:
    enabled: no
    directories:
      read:
        - /usr/
        - /etc/
        - /etc/suricata/

  lua:






coredump:
  max-dump: unlimited

host-mode: auto





unix-command:
  enabled: auto



legacy:
  uricontent: enabled




exception-policy: auto


engine-analysis:
  rules-fast-pattern: yes
  rules: yes

pcre:
  match-limit: 3500
  match-limit-recursion: 1500


host-os-policy:
  windows: [0.0.0.0/0]
  bsd: []
  bsd-right: []
  old-linux: []
  linux: []
  old-solaris: []
  solaris: []
  hpux10: []
  hpux11: []
  irix: []
  macos: []
  vista: []
  windows2k3: []


defrag:
  memcap: 32 MiB
  hash-size: 65536
  trackers: 65535 # number of defragmented flows to follow
  max-frags: 65535 # number of fragments to keep (higher than trackers)
  prealloc: yes
  timeout: 60



flow:
  memcap: 128 MiB
  hash-size: 65536
  prealloc: 10000
  emergency-recovery: 30

vlan:
  use-for-tracking: true

livedev:
  use-for-tracking: true


flow-timeouts:

  default:
    new: 30
    established: 300
    closed: 0
    bypassed: 100
    emergency-new: 10
    emergency-established: 100
    emergency-closed: 0
    emergency-bypassed: 50
  tcp:
    new: 60
    established: 600
    closed: 60
    bypassed: 100
    emergency-new: 5
    emergency-established: 100
    emergency-closed: 10
    emergency-bypassed: 50
  udp:
    new: 30
    established: 300
    bypassed: 100
    emergency-new: 10
    emergency-established: 100
    emergency-bypassed: 50
  icmp:
    new: 30
    established: 300
    bypassed: 100
    emergency-new: 10
    emergency-established: 100
    emergency-bypassed: 50


stream:
  memcap: 64 MiB
  checksum-validation: yes      # reject incorrect csums
  inline: auto                  # auto will use inline mode in IPS mode, yes or no set it statically
  reassembly:
    urgent:
      policy: oob              # drop, inline, oob (1 byte, see RFC 6093, 3.1), gap
      oob-limit-policy: drop
    memcap: 256 MiB
    depth: 1 MiB                # reassemble 1 MiB into a stream
    toserver-chunk-size: 2560
    toclient-chunk-size: 2560
    randomize-chunk-size: yes

host:
  hash-size: 4096
  prealloc: 1000
  memcap: 32 MiB



decoder:
  teredo:
    enabled: true
    ports: $TEREDO_PORTS # syntax: '[3544, 1234]' or '3533' or 'any'.

  vxlan:
    enabled: true
    ports: $VXLAN_PORTS # syntax: '[8472, 4789]' or '4789'.

  geneve:
    enabled: true
    ports: $GENEVE_PORTS # syntax: '[6081, 1234]' or '6081'.


  recursion-level:
    use-for-tracking: true


detect:
  profile: medium
  custom-values:
    toclient-groups: 3
    toserver-groups: 25
  sgh-mpm-context: auto
  sgh-mpm-caching: yes
  sgh-mpm-caching-path: /var/lib/suricata/cache/sgh

  prefilter:
    default: mpm

  grouping:

  thresholds:
    hash-size: 16384
    memcap: 16 MiB

  profiling:
    grouping:
      dump-to-disk: false
      include-rules: false      # very verbose
      include-mpm-stats: false


mpm-algo: auto


spm-algo: auto

threading:
  set-cpu-affinity: no
  autopin: no
  cpu-affinity:
    management-cpu-set:
      cpu: [ 0 ]  # include only these CPUs in affinity settings
    receive-cpu-set:
      cpu: [ 0 ]  # include only these CPUs in affinity settings
    worker-cpu-set:
      cpu: [ "all" ]
      mode: "exclusive"
      prio:
        low: [ 0 ]
        medium: [ "1-2" ]
        high: [ 3 ]
        default: "medium"
      interface-specific-cpu-set:
        - interface: "enp4s0f0" # 0000:3b:00.0 # net_bonding0 # ens1f0
          cpu: [ 1,3,5,7,9 ]
          mode: "exclusive"
          prio:
            high: [ "all" ]
            default: "medium"
  detect-thread-ratio: 1.0

profiling:

  rules:

    enabled: yes
    filename: rule_perf.log
    append: yes


    limit: 10

    json: yes

  keywords:
    enabled: yes
    filename: keyword_perf.log
    append: yes

  prefilter:
    enabled: yes
    filename: prefilter_perf.log
    append: yes

  rulegroups:
    enabled: yes
    filename: rule_group_perf.log
    append: yes

  packets:

    enabled: yes
    filename: packet_stats.log
    append: yes

    csv:

      enabled: no
      filename: packet_stats.csv

  locks:
    enabled: no
    filename: lock_stats.log
    append: yes

  pcap-log:
    enabled: no
    filename: pcaplog_stats.log
    append: yes


nfq:

nflog:
  - group: 2
    buffer-size: 18432
  - group: default
    qthreshold: 1
    qtimeout: 100
    max-size: 20000


capture:

netmap:
 - interface: eth2
 - interface: default

pfring:
  - interface: eth0
    threads: auto

    cluster-id: 99

    cluster-type: cluster_flow



  - interface: default

ipfw:



napatech:

    streams: ["0-3"]

    enable-stream-stats: no

    auto-config: yes

    hardware-bypass: yes

    inline: no

    ports: [0-1,2-3]

    hashmode: hash5tuplesorted


default-rule-path: /var/lib/suricata/rules

rule-files:
  - suricata.rules


classification-file: /etc/suricata/classification.config
reference-config-file: /etc/suricata/reference.config

firewall:

# as the root user, create the es user (for the Elasticsearch/Kibana setup referenced above)

useradd -s /bin/false es
