Suricata + PF_RING Installation Walkthrough

1. Introduction

  1. The Suricata source can be cloned from GitHub or downloaded from the official Suricata website. The tests in this article use the GitHub version.
  2. The test platform for this article is CentOS release 6.7 (Final); other Linux distributions are similar.
  3. To meet a practical requirement, the Suricata build in this article includes the PF_RING zero-copy framework.

2. Suricata Build Info Explained

[root@monster suricata]# suricata --build-info
This is Suricata version 3.0.1 RELEASE
Features: PCAP_SET_BUFF LIBPCAP_VERSION_MAJOR=1 PF_RING AF_PACKET HAVE_PACKET_FANOUT HAVE_HTP_URI_NORMALIZE_HOOK HAVE_NSS TLS 
SIMD support: SSE_4_2 SSE_4_1 SSE_3 
Atomic intrisics: 1 2 4 8 16 byte(s)
64-bits, Little-endian architecture
GCC version 4.4.7 20120313 (Red Hat 4.4.7-16), C version 199901
compiled with _FORTIFY_SOURCE=0
L1 cache line size (CLS)=64
thread local storage method: __thread
compiled with LibHTP v0.5.19, linked against LibHTP v0.5.19

Suricata Configuration:
  AF_PACKET support:                       yes
  PF_RING support:                         yes // PF_RING support compiled in
  NFQueue support:                         no
  NFLOG support:                           no
  IPFW support:                            no
  Netmap support:                          no
  DAG enabled:                             no
  Napatech enabled:                        no

  Unix socket enabled:                     no
  Detection enabled:                       yes

  libnss support:                          yes
  libnspr support:                         yes
  libjansson support:                      no
  hiredis support:                         no
  Prelude support:                         no
  PCRE jit:                                no
  LUA support:                             no
  libluajit:                               no
  libgeoip:                                no
  Non-bundled htp:                         no
  Old barnyard2 support:                   no
  CUDA enabled:                            no
  Hyperscan support:                       no

  Suricatasc install:                      yes

  Unit tests enabled:                      no
  Debug output enabled:                    no
  Debug validation enabled:                no
  Profiling enabled:                       no
  Profiling locks enabled:                 no
  Coccinelle / spatch:                     no

Generic build parameters:
  Installation prefix:                     /usr
  Configuration directory:                 /etc/suricata/
  Log directory:                           /var/log/suricata/

  --prefix                                 /usr
  --sysconfdir                             /etc
  --localstatedir                          /var

  Host:                                    x86_64-unknown-linux-gnu
  Compiler:                                gcc (exec name) / gcc (real)
  GCC Protect enabled:                     no
  GCC march native enabled:                yes
  GCC Profile enabled:                     no
  Position Independent Executable enabled: no
  CFLAGS                                   -g -O2 -march=native
  PCAP_CFLAGS                               -I/usr/local/include
  SECCFLAGS                                

3. Installing Dependencies

$ sudo yum install wget libpcap-devel libnet-devel pcre-devel gcc-c++ automake autoconf libtool make libyaml-devel zlib-devel file-devel jansson-devel nss-devel

If a message like "No package *** available." appears during installation, fetch the corresponding package with wget and install it yourself.
For example, the author was missing libnet-devel and jansson-devel; these can be found on SourceForge or GitHub and installed from there.

4. Checking the Configuration (configure)

git clone https://github.com/inliniac/suricata.git
cd suricata
sh autogen.sh
./configure --sysconfdir=/etc --localstatedir=/var

To add PF_RING support, append

--enable-pfring --with-libpfring-includes=/usr/local/pfring/include --with-libpfring-libraries=/usr/local/pfring/lib

Similarly, to add PCRE JIT support, append

--enable-pcre-jit --with-libpcre-includes=/usr/local/include --with-libpcre-libraries=/usr/local/lib

Putting this together, the configure command the author used:

./configure --sysconfdir=/etc --localstatedir=/var --enable-pfring --with-libpfring-includes=/usr/local/pfring/include --with-libpfring-libraries=/usr/local/pfring/lib

5. Building and Installing

make
sudo make install
sudo ldconfig
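
As an added post-install check (not code from the original guide), the POSIX shell script below parses the output of suricata --build-info and confirms that PF_RING support was compiled in and that the configuration and log directories match the --sysconfdir=/etc --localstatedir=/var values passed to configure above. The embedded sample is a constructed, abridged copy of the build-info output in section 2; the script runs against the installed binary when one is on PATH and against the sample otherwise.

```shell
#!/bin/sh
# Added post-install check (not part of the original guide): parse
# `suricata --build-info` and confirm PF_RING is compiled in and that the
# config/log directories follow from --sysconfdir=/etc --localstatedir=/var.

# Constructed sample, abridged from the build-info output shown in section 2.
SAMPLE_BUILD_INFO='This is Suricata version 3.0.1 RELEASE
Suricata Configuration:
  AF_PACKET support:                       yes
  PF_RING support:                         yes
  NFQueue support:                         no
  Detection enabled:                       yes
Generic build parameters:
  Configuration directory:                 /etc/suricata/
  Log directory:                           /var/log/suricata/'

# Return 0 if build-info text $1 reports feature $2 (label as printed) as "yes".
feature_enabled() {
    printf '%s\n' "$1" | grep -Eq "^[[:space:]]*$2:[[:space:]]+yes[[:space:]]*$"
}

# Print the value of the build-info line labelled $2 (e.g. "Log directory").
build_info_value() {
    printf '%s\n' "$1" | sed -n "s/^[[:space:]]*$2:[[:space:]]*\(.*[^[:space:]]\)[[:space:]]*$/\1/p" | head -n 1
}

# Check everything this guide expects of the build; $1 = build-info text.
# Prints one ok/FAIL line per check and returns 1 if any check failed.
check_build() {
    info="$1"; failed=0
    for feature in "PF_RING support" "AF_PACKET support" "Detection enabled"; do
        feature_enabled "$info" "$feature" && echo "ok   $feature" \
            || { echo "FAIL $feature is 'no' (PF_RING needs --enable-pfring at configure time)"; failed=1; }
    done
    for pair in "Configuration directory=/etc/suricata/" "Log directory=/var/log/suricata/"; do
        got=$(build_info_value "$info" "${pair%%=*}")
        [ "$got" = "${pair#*=}" ] && echo "ok   ${pair%%=*} = $got" \
            || { echo "FAIL ${pair%%=*} = '$got', expected '${pair#*=}' (check --sysconfdir/--localstatedir)"; failed=1; }
    done
    return $failed
}

# Run against the installed binary if present, otherwise against the sample.
command -v suricata >/dev/null 2>&1 && info=$(suricata --build-info) || info=$SAMPLE_BUILD_INFO
check_build "$info"
```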

6. Installing the Configuration and Rule Set

  1. The Suricata source ships with a default configuration file; run sudo make install-conf to install it.

  2. As you know, Suricata is useless without an IDS rule set. Conveniently, the Makefile includes a rule-installation target. To install the IDS rules, run:
    sudo make install-rules
    This command installs the latest snapshot of the community rule set available from EmergingThreats.net (https://www.bro.org) and stores it under /etc/suricata/rules.

    [Figure: the installed rule set]

7. Testing

7.1 Offline Detection

suricata -c /etc/suricata/suricata.yaml -r 0.pcap -l .

[Figure: Suricata offline detection]

7.2 Online Detection
