This only covers installing Suricata 5.0.7; 6.0 is out of scope.
-
Install the dependency packages
sudo apt update
sudo apt-get install libpcre3-dbg libpcre3-dev autoconf automake libtool libpcap-dev libnet1-dev libyaml-dev libjansson4 libcap-ng-dev libmagic-dev libjansson-dev zlib1g-dev pkg-config rustc cargo
-
sudo apt-get install liblua5.1-dev
sudo apt-get install libnspr4-dev
sudo apt-get install libnss3-dev
-
Download Suricata and unpack it
tar -xvzf suricata-5.0.7.tar.gz
cd suricata-5.0.7
-
Working in IDS mode
./configure --prefix=/usr --sysconfdir=/etc --localstatedir=/var --enable-nfqueue --enable-lua
make
sudo make install
sudo make install-conf
When running it, the following error appears:
suricata: symbol lookup error: suricata: undefined symbol: htp_connp_req_close
Running
ldd /usr/bin/suricata
linux-vdso.so.1 (0x00007ffc76fda000)
libhtp.so.2 => /usr/local/lib/libhtp.so.2 (0x00007f5dd1fcc000)
libdl.so.2 => /lib/x86_64-linux-gnu/libdl.so.2 (0x00007f5dd1dc8000)
Deleting /usr/local/lib/libhtp.so.2 fixes it.
Adding --enable-non-bundled-htp at configure time is not recommended, because the system libhtp library rarely matches the version Suricata expects.
If you want to use LuaJIT, install LuaJIT:
sudo apt-get install libluajit-5.1-dev
and add --enable-luajit when running configure.
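The symbol lookup error above comes from the loader picking a leftover libhtp.so.2 instead of the one the build installed. The following script, an added example that is not part of the original post, parses ldd output and reports which libhtp copy a suricata binary would load. It assumes that with --prefix=/usr the bundled libhtp is installed under /usr/lib and that a stray copy in /usr/local/lib shadows it; the ldd output it ships with is constructed.

```shell
#!/bin/sh
# Added example, not part of the original post: check which libhtp.so.2 the
# suricata binary actually resolves to, so the stale-library cause of
# "undefined symbol: htp_connp_req_close" shows up before Suricata is started.
# Assumption: with ./configure --prefix=/usr the bundled libhtp lands in
# /usr/lib; a leftover copy in /usr/local/lib wins because ld.so searches
# /usr/local/lib (listed in /etc/ld.so.conf.d) before the default /usr/lib.

# Constructed sample of `ldd /usr/bin/suricata` output, mirroring the
# mismatch described above (libhtp taken from /usr/local/lib).
SAMPLE_LDD='linux-vdso.so.1 (0x00007ffc76fda000)
    libhtp.so.2 => /usr/local/lib/libhtp.so.2 (0x00007f5dd1fcc000)
    libdl.so.2 => /lib/x86_64-linux-gnu/libdl.so.2 (0x00007f5dd1dc8000)'

# libhtp_path LDD_OUTPUT: print the path ldd resolved for libhtp.so.2,
# or "missing" when the library is absent or reported as "not found".
libhtp_path() {
    printf '%s\n' "$1" | awk '
        /libhtp\.so/ { found = 1; if ($0 ~ /not found/) print "missing"; else print $3 }
        END          { if (!found) print "missing" }'
}

# check_libhtp LDD_OUTPUT EXPECTED_DIR: "ok" when libhtp comes from the
# directory the build installed it to, "stale:<path>" when another copy
# shadows it (the case in the post), "missing" when the loader finds none.
check_libhtp() {
    path=$(libhtp_path "$1")
    case "$path" in
        missing)   echo "missing" ;;
        "$2"/*)    echo "ok" ;;
        *)         echo "stale:$path" ;;
    esac
}

# Stand-alone use: inspect the real binary when present, else the sample.
if command -v ldd >/dev/null 2>&1 && [ -x /usr/bin/suricata ]; then
    result=$(check_libhtp "$(ldd /usr/bin/suricata)" /usr/lib)
else
    result=$(check_libhtp "$SAMPLE_LDD" /usr/lib)
fi
echo "libhtp check: $result"   # sample gives: stale:/usr/local/lib/libhtp.so.2
```

A "stale:" result names the exact file to remove (or the directory to drop from the loader path) before starting Suricata again.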
Download Cisco's Snort rules
-
wget http://rules.emergingthreats.net/open/suricata/emerging.rules.tar.gz
tar zxvf emerging.rules.tar.gz
sudo mkdir /var/lib/suricata/
sudo mv rules /var/lib/suricata/
Rule and configuration paths
/etc/suricata/ <--- Configuration Files
/etc/suricata/rules/ <--- Rules
/var/log/suricata/ <--- Log Files
/var/log/suricata/fast.log <--- Log file with triggered rules
Run
sudo suricata -c /etc/suricata/suricata.yaml -i eth0