Suricata开源IDS安装与配置

开源IDS Suricata安装

---

Linux下的依赖问题的解决

---

在Debian，Ubuntu或者Linux Mint系列

$ sudo apt-get install wget build-essential libpcre3-dev libpcre3-dbg automake autoconf libtool libpcap-dev libnet1-dev libyaml-dev zlib1g-dev libcap-ng-dev libjansson-dev

在CentOS、Fedora或者RHEL系列

$ sudo yum install wget libpcap-devel libnet-devel pcre-devel gcc-c++ automake autoconf libtool make libyaml-devel zlib-devel file-devel jansson-devel nss-devel

在Mac OS X下

brew install pkg-config libmagic libyaml nss nspr jansson libnet lua pcre

下载安装

---

$ wget http://www.openinfosecfoundation.org/download/suricata-4.0.4.tar.gz
$ tar -xvf suricata-4.0.4.tar.gz
$ cd suricata-4.0.4
$ ./configure --sysconfdir=/etc --localstatedir=/var
/mac ox x下（CC=llvm-gcc ./configure --sysconfdir=/etc --localstatedir=/var
--with-libpcre-includes=/usr/local/include --with-libpcre-libraries=/usr/local/lib
--with-libnss-includes=/usr/local/opt/nss/include/nss --with-libnss-libraries=/usr/local/opt/nss/lib
--with-libnspr-includes=/usr/local/opt/nspr/include/nspr --with-libnspr-libraries=/usr/local/opt/nspr/lib
--enable-ipfw --enable-lua）/
$ make
$ make install
$ make install-conf
$ make install-rules(mac下make install-full)

配置文件

---

路径在/etc/suricata/suricata.yaml
Mac在安装目录下

启用Suricata功能

$ sudo ethtool -K eth0 gro off lro off
$ sudo /usr/local/bin/suricata --list-runmodes
$ sudo /usr/local/bin/suricata -c /etc/suricata/suricata.yaml -i eth0 --init-errors-fatal
$ tail -f /var/log/suricata/fast.log