Suricata installation tutorial

1. Install the required libraries
(1) Check whether jansson is installed; it is the library Suricata needs to write its eve.json log output.
See: Completely solving the Suricata "Eve-log support not compiled in" problem
(2) Install PF_RING
2. Install Suricata
Download the source package from https://suricata-ids.org/download/
(1) Unpack the package
tar -zxf suricata-4.1.0.tar.gz
(2) Configure, build and install (all configure options take a double dash; the PF_RING and jansson paths below are the ones used in this setup, adjust them to where your libraries live)
./configure --enable-pfring --with-libpfring-includes=/opt/pfring/include --with-libpfring-libraries=/opt/pfring/lib --with-libjansson-libraries=/usr/lib64/ --with-libjansson-includes=/usr/include
make
make install
(3) Create the required directories. These paths are already written into the suricata.yaml configuration file, but they are not created automatically, so create them by hand
mkdir /usr/local/etc/suricata/ # configuration file directory
cp suricata-4.1.0/classification.config /usr/local/etc/suricata/
cp suricata-4.1.0/reference.config /usr/local/etc/suricata/
cp suricata-4.1.0/suricata.yaml /usr/local/etc/suricata/
cp suricata-4.1.0/threshold.config /usr/local/etc/suricata/
mkdir /usr/local/var/run/suricata
mkdir /usr/local/var/log/suricata/ # Suricata's default log output location
(4) Install the rules offline
Download emerging.rules.tar.gz from https://rules.emergingthreats.net/open/, then unpack it (it extracts into a rules/ directory) and replace the rules directory that Suricata installed
tar -zxf emerging.rules.tar.gz
rm -rf /usr/local/share/suricata/rules
mv rules /usr/local/share/suricata/
(5) Run Suricata
/usr/local/bin/suricata --pfring-int=em1 --pfring-cluster-id=99 --pfring-cluster-type=cluster_flow -c /usr/local/etc/suricata/suricata.yaml -D
(6) Which log outputs are written, and in what format, is configured in suricata.yaml
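Once Suricata is running with the EVE output enabled, the alerts land in /usr/local/var/log/suricata/eve.json as one JSON object per line. The following script is an added example (not part of the original tutorial and not Suricata's own code) that reads such a file, keeps only the event_type "alert" records, skips truncated or non-JSON lines, and summarizes the alerts by signature, by source IP and by severity. The sample lines embedded in it are constructed for the example; the signature names and signature_id values are made up and do not correspond to any real rule. The field names used (event_type, src_ip, dest_ip, alert.signature, alert.signature_id, alert.severity, alert.category) are the standard EVE alert fields.

```python
import json
from collections import Counter

# Constructed sample eve.json lines. The layout follows Suricata's EVE alert
# schema, but the signature names and IDs are invented for this example.
SAMPLE_EVE_LINES = [
    '{"timestamp":"2024-01-01T10:00:00.000000+0000","event_type":"alert",'
    '"src_ip":"10.0.0.5","src_port":51000,"dest_ip":"10.0.0.9","dest_port":80,"proto":"TCP",'
    '"alert":{"action":"allowed","gid":1,"signature_id":9000001,"rev":1,'
    '"signature":"CONSTRUCTED WEB sample suspicious response","category":"Potentially Bad Traffic","severity":2}}',
    # A non-alert record (flow log); it must be ignored by the alert summary.
    '{"timestamp":"2024-01-01T10:00:01.000000+0000","event_type":"flow",'
    '"src_ip":"10.0.0.5","dest_ip":"10.0.0.9","proto":"TCP"}',
    '{"timestamp":"2024-01-01T10:00:02.000000+0000","event_type":"alert",'
    '"src_ip":"10.0.0.7","src_port":52000,"dest_ip":"10.0.0.9","dest_port":22,"proto":"TCP",'
    '"alert":{"action":"allowed","gid":1,"signature_id":9000002,"rev":1,'
    '"signature":"CONSTRUCTED SCAN sample SSH probe","category":"Attempted Information Leak","severity":2}}',
    '{"timestamp":"2024-01-01T10:00:03.000000+0000","event_type":"alert",'
    '"src_ip":"10.0.0.7","src_port":52001,"dest_ip":"10.0.0.9","dest_port":22,"proto":"TCP",'
    '"alert":{"action":"allowed","gid":1,"signature_id":9000002,"rev":1,'
    '"signature":"CONSTRUCTED SCAN sample SSH probe","category":"Attempted Information Leak","severity":2}}',
    # A truncated line, as happens when Suricata is stopped mid-write; it must be skipped.
    '{"timestamp":"2024-01-01T10:00:03.500000+0000","event_type":"alert","src_ip":"10.0.',
    '{"timestamp":"2024-01-01T10:00:04.000000+0000","event_type":"alert",'
    '"src_ip":"10.0.0.8","src_port":53000,"dest_ip":"10.0.0.9","dest_port":445,"proto":"TCP",'
    '"alert":{"action":"allowed","gid":1,"signature_id":9000003,"rev":1,'
    '"signature":"CONSTRUCTED EXPLOIT sample SMB request","category":"Attempted Administrator Privilege Gain","severity":1}}',
]


def parse_eve_alerts(lines):
    """Return only the event_type == "alert" records from an iterable of eve.json lines.

    Blank, truncated and otherwise non-JSON lines are skipped rather than
    aborting the whole run, since a live eve.json can end in a partial line.
    """
    alerts = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        if event.get("event_type") != "alert" or "alert" not in event:
            continue
        alerts.append(event)
    return alerts


def summarize_alerts(alerts, max_severity=1):
    """Count alerts per signature and per source IP, and collect the high-priority ones.

    In Suricata, severity 1 is the highest priority, so max_severity=1 selects
    only the most urgent alerts.
    """
    by_signature = Counter(a["alert"]["signature"] for a in alerts)
    by_src = Counter(a["src_ip"] for a in alerts)
    high_priority = [a for a in alerts if a["alert"].get("severity", 4) <= max_severity]
    return {"by_signature": by_signature, "by_src": by_src, "high_priority": high_priority}


def load_eve_file(path):
    """Read a real eve.json file (e.g. /usr/local/var/log/suricata/eve.json) and return its alerts."""
    with open(path, encoding="utf-8") as fh:
        return parse_eve_alerts(fh)


if __name__ == "__main__":
    summary = summarize_alerts(parse_eve_alerts(SAMPLE_EVE_LINES))
    for sig, count in summary["by_signature"].most_common():
        print(f"{count:4d}  {sig}")
    for src, count in summary["by_src"].most_common():
        print(f"{count:4d}  from {src}")
    for a in summary["high_priority"]:
        print(f"HIGH  {a['timestamp']}  {a['src_ip']} -> {a['dest_ip']}  {a['alert']['signature']}")
```

To run it against the live log from step (3), replace SAMPLE_EVE_LINES with load_eve_file("/usr/local/var/log/suricata/eve.json"). The per-source count is the quickest way to spot one host repeatedly triggering the same scan rule, and the severity filter keeps the priority-1 alerts from getting buried under noisier categories.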
