参考
安装 Suricata | OISF/suricata - KoalaWiki
arm服务器上部署kibana_kibana arm-CSDN博客
https://artifacts.elastic.co/downloads/kibana/kibana-7.17.22-linux-aarch64.tar.gz
- 添加 OISF PPA:
  sudo add-apt-repository ppa:oisf/suricata-stable
  sudo apt-get update
- 安装 Suricata:
  sudo apt-get install suricata
Suricata 安装指南
Suricata 是一个高性能的开源入侵检测系统(IDS)、入侵防御系统(IPS)和网络安全监控引擎。以下是在不同操作系统上安装 Suricata 的方法。
在 Ubuntu/Debian 上安装
更新系统软件包列表以确保获取最新的软件版本:
sudo apt update
安装 Suricata 及其依赖项:
sudo apt install suricata
启动 Suricata 服务并设置为开机自启:
sudo systemctl start suricata
sudo systemctl enable suricata
在 CentOS/RHEL 上安装
添加 EPEL 仓库以获取 Suricata 软件包:
sudo yum install epel-release
安装 Suricata:
sudo yum install suricata
启动服务并启用开机自启:
sudo systemctl start suricata
sudo systemctl enable suricata
通过源码编译安装
下载最新版本的 Suricata 源码:
wget https://www.openinfosecfoundation.org/download/suricata-<version>.tar.gz
解压并进入源码目录:
tar -xzvf suricata-<version>.tar.gz
cd suricata-<version>
编译并安装 Suricata:
./configure
make
sudo make install
配置 Suricata
默认配置文件通常位于 /etc/suricata/suricata.yaml,可以根据需求修改规则集和网络接口配置。更新规则集可以使用以下命令:
sudo suricata-update
验证安装
检查 Suricata 版本以确认安装成功:
suricata -V
运行 Suricata 进行测试:
sudo suricata -c /etc/suricata/suricata.yaml -i <interface>
以上步骤涵盖了在主流 Linux 发行版上安装和配置 Suricata 的基本方法。根据具体需求,可能需要进一步调整配置文件或规则集。
# Print the effective (non-comment) lines of the Suricata config.
# First alternative drops every line whose first non-blank character is '#';
# the second drops lines that END with '%'.
# NOTE(review): the '%$' alternative looks unintended (perhaps '^$' to drop blank
# lines was meant) — confirm. Because whole commented-out sub-trees are removed,
# a key followed by nothing in the dump presumably had only commented children.
grep -Ev '^[[:space:]]*#|%$' /etc/suricata/suricata.yaml
%YAML 1.1
---
# Suricata 8.0 configuration (comment lines stripped, indentation restored).
suricata-version: "8.0"

# Address and port variables referenced by rules ($HOME_NET, $HTTP_PORTS, ...).
vars:
  address-groups:
    # Only these three ranges are "inside". Note the asymmetry: 172.16.0.0/12 is
    # the whole private block, but 10.8.8.0/24 and 192.168.1.0/24 are single /24s,
    # so any other 10.x or 192.168.x host is treated as EXTERNAL_NET — confirm
    # that is intended, otherwise rules keyed on $HOME_NET will miss those hosts.
    HOME_NET: "[192.168.1.0/24,10.8.8.0/24,172.16.0.0/12]"
    EXTERNAL_NET: "!$HOME_NET"
    HTTP_SERVERS: "$HOME_NET"
    SMTP_SERVERS: "$HOME_NET"
    SQL_SERVERS: "$HOME_NET"
    DNS_SERVERS: "$HOME_NET"
    TELNET_SERVERS: "$HOME_NET"
    AIM_SERVERS: "$EXTERNAL_NET"
    DC_SERVERS: "$HOME_NET"
    DNP3_SERVER: "$HOME_NET"
    DNP3_CLIENT: "$HOME_NET"
    MODBUS_CLIENT: "$HOME_NET"
    MODBUS_SERVER: "$HOME_NET"
    ENIP_CLIENT: "$HOME_NET"
    ENIP_SERVER: "$HOME_NET"

  port-groups:
    # $HTTP_PORTS is port 80 only: rules written against $HTTP_PORTS will not
    # match HTTP on other ports (app-layer detection itself is port-independent).
    HTTP_PORTS: "80"
    SHELLCODE_PORTS: "!80"
    ORACLE_PORTS: 1521
    SSH_PORTS: 22
    DNP3_PORTS: 20000
    MODBUS_PORTS: 502
    FILE_DATA_PORTS: "[$HTTP_PORTS,110,143]"
    FTP_PORTS: 21
    GENEVE_PORTS: 6081
    VXLAN_PORTS: 4789
    TEREDO_PORTS: 3544
    SIP_PORTS: "[5060, 5061]"
# Non-default log location. The directory must exist and be writable by the
# user Suricata runs as; keep it readable only by that user and the log shipper.
default-log-dir: /sdb1/log/suricata/

# Periodic engine counters (also emitted via the eve/stats outputs below).
stats:
  enabled: yes
  interval: 8

# NOTE(review): this key is empty here and `exception-policy: auto` appears
# again further down. If both are top-level, this one is a null duplicate —
# confirm which value the config loader honours.
exception-policy:

# No output/capture plugins loaded (list is empty).
plugins:
# Alert and event logging. Alerts are written twice (fast.log and eve.json);
# full-packet (pcap-log), file extraction (file-store) and TLS storage are off.
outputs:
  - fast:
      enabled: yes
      filename: fast.log
      append: yes

  - eve-log:
      enabled: yes
      filetype: regular  # regular|syslog|unix_dgram|unix_stream|redis
      filename: eve.json
      pcap-file: false
      # Community ID disabled: enabling it gives a flow hash shared with other
      # tools (e.g. Zeek) for cross-source correlation in the SIEM.
      community-id: false
      community-id-seed: 0
      # X-Forwarded-For handling is off; only relevant behind a reverse proxy.
      xff:
        enabled: no
        mode: extra-data
        deployment: reverse
        header: X-Forwarded-For
      types:
        - alert:
            tagged-packets: yes
        - frame:
            enabled: no
        - anomaly:
            enabled: yes
            types:
        - http:
            extended: yes  # extended HTTP fields in the http event
        - dns:
        - mdns:
        - tls:
            extended: yes  # extended TLS fields (cert details, etc.)
        - files:
            force-magic: no  # do not force libmagic on every logged file
        - smtp:
        - websocket
        - ftp
        - rdp
        - nfs
        - smb:
        - tftp
        - ike
        - dcerpc
        - krb5
        - bittorrent-dht
        - snmp
        - rfb
        - sip
        - quic
        - ldap
        - pop3
        - arp:
            enabled: no  # high volume; disabled
        - dhcp:
            enabled: yes
            extended: no
        - ssh
        - mqtt:
        - http2
        - doh2
        - pgsql:
            enabled: no
        - stats:
            totals: yes  # all threads merged
            threads: no  # per-thread stats
            deltas: no   # no delta values
        - flow

  - tls-store:
      enabled: no

  - pcap-log:
      enabled: no
      filename: log.pcap
      limit: 1000 MiB
      max-files: 2000
      compression: none
      mode: normal  # normal or multi
      use-stream-depth: no  # yes: stop logging packets past stream depth
      honor-pass-rules: no  # yes: stop logging flows once a pass rule matched

  - alert-debug:
      enabled: no
      filename: alert-debug.log
      append: yes

  - stats:
      enabled: yes
      filename: stats.log
      append: yes  # append (yes) or overwrite (no)
      totals: yes
      threads: no

  - file-store:
      version: 2
      enabled: no
      xff:
        enabled: no
        mode: extra-data
        deployment: reverse
        header: X-Forwarded-For

  - tcp-data:
      enabled: no
      type: file
      filename: tcp-data.log

  - http-body-data:
      enabled: no
      type: file
      filename: http-data.log

  - lua:
      enabled: no
      scripts:
# NOTE(review): read as a top-level key with no enabled children — confirm.
heartbeat:

# Engine (not event) logging: console plus a file at level info.
logging:
  default-log-level: notice
  default-output-filter:
  outputs:
    - console:
        enabled: yes
    - file:
        enabled: yes
        level: info
        filename: suricata.log
    - syslog:
        enabled: no
        facility: local5
        format: "[%i] <%d> -- "
# AF_PACKET capture: eth0 with flow-based load balancing across threads.
# `defrag: yes` reassembles IP fragments before they are hashed to a thread.
af-packet:
  - interface: eth0
    cluster-id: 99
    cluster-type: cluster_flow
    defrag: yes
  - interface: default

af-xdp:
  - interface: default
# DPDK capture settings (only used when Suricata is started with --dpdk).
dpdk:
  eal-params:
    proc-type: primary
  interfaces:
    - interface: 0000:3b:00.0  # PCIe address of the NIC port
      threads: auto
      promisc: true  # capture all frames, not just those addressed to us
      multicast: true
      checksum-checks: true  # validate checksums
      checksum-checks-offload: true  # let the NIC validate when it can
      mtu: 1500
      vlan-strip-offload: false
      mempool-size: auto
      mempool-cache-size: auto
      rx-descriptors: auto
      tx-descriptors: auto
      copy-mode: none
      copy-iface: none  # or the PCIe address of the second (copy) interface
    - interface: default
      threads: auto
      promisc: true
      multicast: true
      checksum-checks: true
      checksum-checks-offload: true
      mtu: 1500
      vlan-strip-offload: false
      rss-hash-functions: auto
      linkup-timeout: 0
      mempool-size: auto
      mempool-cache-size: auto
      rx-descriptors: auto
      tx-descriptors: auto
      copy-mode: none
      copy-iface: none
# libpcap live capture fallback and pcap-file replay settings.
pcap:
  - interface: eth0
  - interface: default

pcap-file:
  checksum-checks: auto
# Application-layer parsers. Parsers set to `no` produce no app-layer events and
# their protocol-specific rules cannot match; the ICS parsers (modbus, dnp3,
# enip) are off here even though $MODBUS_*/$DNP3_*/$ENIP_* vars are defined —
# enable them if this sensor watches an OT segment.
app-layer:
  protocols:
    telnet:
      enabled: yes
    rfb:
      enabled: yes
      detection-ports:
        dp: 5900, 5901, 5902, 5903, 5904, 5905, 5906, 5907, 5908, 5909
    mqtt:
      enabled: yes
    krb5:
      enabled: yes
    bittorrent-dht:
      enabled: yes
    snmp:
      enabled: yes
    ike:
      enabled: yes
    tls:
      enabled: yes
      detection-ports:
        dp: 443
    pgsql:
      enabled: no
      stream-depth: 0
    dcerpc:
      enabled: yes
    ftp:
      enabled: yes
    websocket:
    rdp:
    ssh:
      enabled: yes
    doh2:
      enabled: yes
    http2:
      enabled: yes
    smtp:
      enabled: yes
      raw-extraction: no
      mime:
        decode-mime: yes
        decode-base64: yes
        decode-quoted-printable: yes
        header-value-depth: 2000
        extract-urls: yes
        body-md5: no
      inspected-tracker:
        content-limit: 100000
        content-inspect-min-size: 32768
        content-inspect-window: 4096
    imap:
      enabled: detection-only
    pop3:
      enabled: yes
      detection-ports:
        dp: 110
      stream-depth: 0
    smb:
      enabled: yes
      detection-ports:
        dp: 139, 445
    nfs:
      enabled: yes
    tftp:
      enabled: yes
    dns:
      tcp:
        enabled: yes
        detection-ports:
          dp: 53
      udp:
        enabled: yes
        detection-ports:
          dp: 53
    http:
      enabled: yes
      libhtp:
        default-config:
          personality: IDS
          # Body inspection is capped at 100 KiB per request/response; content
          # beyond that is not seen by rules (stock default).
          request-body-limit: 100 KiB
          response-body-limit: 100 KiB
          request-body-minimal-inspect-size: 32 KiB
          request-body-inspect-window: 4 KiB
          response-body-minimal-inspect-size: 40 KiB
          response-body-inspect-window: 16 KiB
          response-body-decompress-layer-limit: 2
          http-body-inline: auto
          swf-decompression:
            enabled: no
            type: both
            compress-depth: 100 KiB
            decompress-depth: 100 KiB
          double-decode-path: no
          double-decode-query: no
        server-config:
    modbus:
      enabled: no
      detection-ports:
        dp: 502
      stream-depth: 0
    dnp3:
      enabled: no
      detection-ports:
        dp: 20000
    enip:
      enabled: no
      detection-ports:
        dp: 44818
        sp: 44818
    ntp:
      enabled: yes
    quic:
      enabled: yes
    dhcp:
      enabled: yes
    sip:
    ldap:
      tcp:
        enabled: yes
        detection-ports:
          dp: 389, 3268
      udp:
        enabled: yes
        detection-ports:
          dp: 389, 3268
    mdns:
      enabled: yes
asn1-max-frames: 256

# Dataset defaults/limits are unset here (children presumably commented out).
datasets:
  defaults:
  limits:
  rules:

# Process hardening.
security:
  # Keeps the engine from spawning child processes (seccomp/prctl based).
  limit-noproc: true
  # Landlock filesystem sandbox is OFF. If enabled, the listed read paths apply;
  # confirm the non-default log directory remains writable under the sandbox.
  landlock:
    enabled: no
    directories:
      read:
        - /usr/
        - /etc/
        - /etc/suricata/
  # NOTE(review): assumed to be the 8.0 `security.lua` node (controls whether
  # Lua rules/scripts are allowed); no child keys are set here — confirm nesting.
  lua:

coredump:
  max-dump: unlimited
host-mode: auto

# Control socket (suricatasc). `auto` enables it only when running as a daemon
# via the default socket path; restrict socket permissions to the operator group.
unix-command:
  enabled: auto

legacy:
  uricontent: enabled

# Global exception policy: `auto` means drop in IPS mode, ignore in IDS mode.
exception-policy: auto

engine-analysis:
  rules-fast-pattern: yes
  rules: yes

# PCRE backtracking limits guard against pathological regex rules.
pcre:
  match-limit: 3500
  match-limit-recursion: 1500
# TCP reassembly policy per destination host. Every host is treated as Windows
# (stock default). For accurate reassembly — and fewer TTL/overlap evasion gaps —
# list the actual Linux/BSD hosts of HOME_NET under their OS.
host-os-policy:
  windows: [0.0.0.0/0]
  bsd: []
  bsd-right: []
  old-linux: []
  linux: []
  old-solaris: []
  solaris: []
  hpux10: []
  hpux11: []
  irix: []
  macos: []
  vista: []
  windows2k3: []
# IP defragmentation limits.
defrag:
  memcap: 32 MiB
  hash-size: 65536
  trackers: 65535  # defragmented flows tracked
  # The stock guidance is to keep max-frags above trackers; here they are equal.
  max-frags: 65535
  prealloc: yes
  timeout: 60
# Flow table sizing; emergency-recovery is the percentage of flows that must be
# freed before leaving emergency mode once memcap is hit.
flow:
  memcap: 128 MiB
  hash-size: 65536
  prealloc: 10000
  emergency-recovery: 30

# VLAN id and capture device are part of the flow key (separate flows per tag/device).
vlan:
  use-for-tracking: true

livedev:
  use-for-tracking: true
# Flow idle timeouts in seconds; the emergency-* values apply once the flow
# memcap is reached.
flow-timeouts:
  default:
    new: 30
    established: 300
    closed: 0
    bypassed: 100
    emergency-new: 10
    emergency-established: 100
    emergency-closed: 0
    emergency-bypassed: 50
  tcp:
    new: 60
    established: 600
    closed: 60
    bypassed: 100
    emergency-new: 5
    emergency-established: 100
    emergency-closed: 10
    emergency-bypassed: 50
  udp:
    new: 30
    established: 300
    bypassed: 100
    emergency-new: 10
    emergency-established: 100
    emergency-bypassed: 50
  icmp:
    new: 30
    established: 300
    bypassed: 100
    emergency-new: 10
    emergency-established: 100
    emergency-bypassed: 50
# TCP stream tracking and reassembly.
stream:
  memcap: 64 MiB
  # Packets with bad TCP checksums are rejected from reassembly. If the capture
  # NIC delivers frames with offloaded (invalid) checksums, those streams become
  # a blind spot — verify checksum validity on the capture interface.
  checksum-validation: yes
  inline: auto  # inline in IPS mode, otherwise not; yes/no forces it
  reassembly:
    urgent:
      policy: oob  # drop, inline, oob (1 byte, RFC 6093 3.1), gap
      oob-limit-policy: drop
    memcap: 256 MiB
    # Only the first 1 MiB per direction is reassembled and inspected.
    depth: 1 MiB
    toserver-chunk-size: 2560
    toclient-chunk-size: 2560
    randomize-chunk-size: yes

# Host table (used by thresholds, tags, iprep).
host:
  hash-size: 4096
  prealloc: 1000
  memcap: 32 MiB
# Tunnel decoders; port lists come from the port-group vars above.
decoder:
  teredo:
    enabled: true
    ports: $TEREDO_PORTS  # '[3544, 1234]', '3533' or 'any'
  vxlan:
    enabled: true
    ports: $VXLAN_PORTS  # '[8472, 4789]' or '4789'
  geneve:
    enabled: true
    ports: $GENEVE_PORTS  # '[6081, 1234]' or '6081'
  recursion-level:
    use-for-tracking: true
# Detection engine tuning.
detect:
  profile: medium
  custom-values:
    toclient-groups: 3
    toserver-groups: 25
  sgh-mpm-context: auto
  # Compiled signature-group MPM state is cached on disk. Keep the cache
  # directory writable by the Suricata user only, as it is loaded back at start.
  sgh-mpm-caching: yes
  sgh-mpm-caching-path: /var/lib/suricata/cache/sgh
  prefilter:
    default: mpm
  grouping:
  thresholds:
    hash-size: 16384
    memcap: 16 MiB
  profiling:
    grouping:
      dump-to-disk: false
      include-rules: false  # very verbose
      include-mpm-stats: false

mpm-algo: auto
spm-algo: auto
# CPU affinity is disabled (set-cpu-affinity: no), so the cpu-affinity map below
# is inert. NOTE(review): the interface-specific set names "enp4s0f0" while the
# capture sections use eth0 — looks like a stock example left in place; confirm
# before enabling affinity.
threading:
  set-cpu-affinity: no
  autopin: no
  cpu-affinity:
    management-cpu-set:
      cpu: [0]  # restrict to these CPUs
    receive-cpu-set:
      cpu: [0]
    worker-cpu-set:
      cpu: ["all"]
      mode: "exclusive"
      prio:
        low: [0]
        medium: ["1-2"]
        high: [3]
        default: "medium"
    interface-specific-cpu-set:
      - interface: "enp4s0f0"  # or a PCIe address / bond / other ifname
        cpu: [1, 3, 5, 7, 9]
        mode: "exclusive"
        prio:
          high: ["all"]
          default: "medium"
  detect-thread-ratio: 1.0
# Rule/keyword/prefilter performance profiling outputs (only active in builds
# compiled with profiling support).
profiling:
  rules:
    enabled: yes
    filename: rule_perf.log
    append: yes
    limit: 10
    json: yes
  keywords:
    enabled: yes
    filename: keyword_perf.log
    append: yes
  prefilter:
    enabled: yes
    filename: prefilter_perf.log
    append: yes
  rulegroups:
    enabled: yes
    filename: rule_group_perf.log
    append: yes
  packets:
    enabled: yes
    filename: packet_stats.log
    append: yes
    csv:
      enabled: no
      filename: packet_stats.csv
  locks:
    enabled: no
    filename: lock_stats.log
    append: yes
  pcap-log:
    enabled: no
    filename: pcaplog_stats.log
    append: yes
# Alternative capture/inline backends; all unused unless selected on the
# command line (-q, --nflog, --netmap, --pfring, --napatech).
nfq:

nflog:
  - group: 2
    buffer-size: 18432
  - group: default
    qthreshold: 1
    qtimeout: 100
    max-size: 20000

capture:

netmap:
  - interface: eth2
  - interface: default

pfring:
  - interface: eth0
    threads: auto
    cluster-id: 99
    cluster-type: cluster_flow
  - interface: default

ipfw:

napatech:
  streams: ["0-3"]
  enable-stream-stats: no
  auto-config: yes
  hardware-bypass: yes
  inline: no
  ports: [0-1, 2-3]
  hashmode: hash5tuplesorted
# Rule set: the single file produced by `suricata-update` under the default rule
# path. The rules directory should be writable only by the account that runs
# suricata-update, since its contents drive detection.
default-rule-path: /var/lib/suricata/rules
rule-files:
  - suricata.rules

classification-file: /etc/suricata/classification.config
reference-config-file: /etc/suricata/reference.config

# Firewall mode section present but with no active children.
firewall:
# Run as root: create the `es` account (presumably for the Kibana/Elastic
# tarball install referenced at the top of the page — confirm).
# -s /bin/false gives the account no interactive shell. NOTE(review): without
# -r/-M this is a regular user and, depending on login.defs, may get a home
# directory — consider a system account if it only runs a service.
useradd -s /bin/false es