Suricata: installing, building and running
2019-07-19 16:17:02
heming
# 0. References

[1] [Git-suricata](https://github.com/OISF/suricata)
[2] [Suricata website](https://suricata-ids.org/)
[3] [Suricata official documentation](https://suricata.readthedocs.io/en/latest/index.html)
[4] [Rust website](https://www.rust-lang.org/tools/install)
[5] [CentOS Installation for suricata](https://redmine.openinfosecfoundation.org/projects/suricata/wiki/CentOS_Installation)
[6] [Git-suricata-update](https://github.com/OISF/suricata-update) (Suricata dependency; rule management)
[7] [Git-libhtp](https://github.com/OISF/libhtp) (Suricata dependency)
[8] [suricata-update: Command not found](https://www.centos.org/forums/viewtopic.php?t=69604)
[9] [Installing Python 2.7 on CentOS 6.x](http://tuxlabs.com/?p=194)
[10] [Upgrading CentOS 6.5 from Python 2.6 to Python 2.7](https://www.jianshu.com/p/98952438748a)
[11] [How to Install Rust Programming Language in Linux](https://www.tecmint.com/install-rust-programming-language-in-linux/)
[12] [Rust toolchain reverse-proxy usage notes](https://cdn.jsdelivr.net/gh/rust-lang-nursery/rustup.rs/rustup-init.sh)

# 1. Preparation

System: CentOS 6.5 (CentOS-6.5-x86_64-bin-DVD1)

---
Tip: CentOS 7.0 is the better choice. suricata-update needs Python 2.7, but CentOS 6.5 ships Python 2.6 and yum itself depends on that interpreter, so upgrading Python there is awkward (see 4.5).
---

## 1.1 Installing dependencies

```
$ sudo yum install epel-release   # adds the EPEL repo (CentOS 6 only)
$ sudo yum -y install libtool     # fixes "error: no libtoolize glibtoolize"
$ sudo yum -y install lz4-devel
$ sudo yum -y install xz-devel
$ sudo yum -y install gcc libpcap-devel pcre-devel libyaml-devel file-devel zlib-devel jansson-devel nss-devel libcap-ng-devel libnet-devel tar make libnetfilter_queue-devel lua-devel
```

Rust is required for `--enable-rust`; reaching rustup.rs may need a proxy from inside China (see [12]):

```
$ sudo yum -y install curl
$ curl https://sh.rustup.rs -sSf | sh   # install Rust via rustup
$ source $HOME/.cargo/env
```

Piping a download straight into `sh` runs whatever the server returns. On a machine that will become a sensor, download the installer script first, read it, and then run it.

# 2. Download and build

```
$ wget https://www.openinfosecfoundation.org/download/suricata-5.0.0-beta1.tar.gz   # the release tarball bundles libhtp; a git checkout needs libhtp cloned separately
$ tar -xvzf suricata-5.0.0-beta1.tar.gz
$ mv suricata-5.0.0-beta1 suricata-5.0.0
$ cd suricata-5.0.0
$ autoreconf -f -i   # optional
$ ./configure --prefix=/usr --sysconfdir=/etc --localstatedir=/var --enable-nfqueue --enable-lua --enable-rust   # note the added --enable-rust
$ make
$ sudo make install
```

The original fetch used plain `http` together with `--no-check-certificate`, so nothing authenticated the source that was then compiled and installed as root. Fetch over `https` without that flag, and check the GPG signature OISF publishes alongside each release tarball before building.

# 3. Installation targets

```
make install-conf    # regular `make install`, then create and set up suricata.yaml
make install-rules   # regular `make install`, then download and set up the latest Emerging Threats ruleset for Suricata
make install-full    # install-conf + install-rules combined
```

Rules: 24940 (as of 2019-07-12; the automatic install did not fetch the complete set)

![make install-full](https://leanote.com/api/file/getImage?fileId=5d282c5aab64417804006320)

> Installed executables and related paths:
>> Executables (/usr/bin): suricata, suricatactl, suricatasc, suricata-update
>> Configuration-related paths:
>> /var/log/suricata: logs
>> /etc/suricata: classification.config, reference.config, suricata.yaml (the rule path is configured here), threshold.config
>> /var/lib/suricata/rules: rules

## 3.1 Installing rules

```
wget http://rules.emergingthreats.net/open/suricata/emerging.rules.tar.gz
tar zxvf emerging.rules.tar.gz
sudo cp -R rules/ /etc/suricata/
```

This places the rules under /etc/suricata/rules, whereas `make install-rules` and suricata-update populate /var/lib/suricata/rules. Whichever directory you use, `default-rule-path` in suricata.yaml must point at it, otherwise Suricata starts with far fewer signatures than you expect.

## 3.2 Running

```
suricata -c /etc/suricata/suricata.yaml -i eth0
```

![start](https://leanote.com/api/file/getImage?fileId=5d284a77ab64417804006966)

# 4. Issues

## 4.1 Granting sudo rights

```
$ su
$ visudo
```

> root ALL=(ALL) ALL
> heming ALL=(ALL) ALL `# allow the user to run any command anywhere`

## 4.2 Cannot retrieve metalink for repository: epel

Edit `/etc/yum.repos.d/epel.repo`: uncomment every `baseurl` line and comment out every `mirrorlist` line.

## 4.3 (rust) no default toolchain configured

rustup installs per user under `$HOME/.cargo`, so a toolchain installed as a normal user is not visible when the build runs as root. Install Rust as root (verify with `rustc --version`):

```
curl https://sh.rustup.rs -sSf | sh
```

## 4.4 (make install-full) /usr/bin/suricata-update: Command not found

suricata-update has to be installed separately:

```
# cd suricata-update
# python setup.py build
# python setup.py install
# yum install PyYAML.x86_64
```

## 4.5 Upgrading Python 2.6 to 2.7 on CentOS 6.5

As root (see [9] and [10]):

```
alias python=/usr/local/bin/python2.7   # add this line to ~/.bashrc
source ~/.bashrc
```

Do not replace /usr/bin/python itself: yum on CentOS 6 depends on Python 2.6. An alias only takes effect in interactive shells, so scripts and `make` targets that invoke `python` still get the system interpreter unless they are run with the explicit 2.7 path.

## 4.6 (suricata-update) error: pyyaml is required

Install pyyaml for the Python 2.7 interpreter from 4.5; this may be a bug ([Bug #2667](https://redmine.openinfosecfoundation.org/issues/2667)):

```
pip27 install pyyaml
```
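The build in section 2 and the rule install in section 3 are easy to get half-right: `--enable-rust` silently ignored because the toolchain was missing, or rules copied into a directory suricata.yaml never reads. The script below is an added post-install check, not code from the original post or from the Suricata project. It assumes that `suricata --build-info` prints `<feature> support: yes|no` lines as Suricata 5.x does, that rule files end in `.rules`, and that a disabled rule is an action line commented out with `#` (the Emerging Threats layout). The build-info excerpt and the rule file in `demo` are constructed sample data, not real output.

```shell
#!/bin/sh
# Post-install sanity check for a Suricata build like the one in sections 2 and 3.
# Added example; not from the original post or the Suricata project.
# Assumptions: `suricata --build-info` prints "<feature> support: yes|no" lines
# (Suricata 5.x format); rule files are *.rules; an active rule starts with an
# action keyword and a disabled rule is that line commented out with '#'.

# build_feature_enabled NAME FILE
# Succeeds when FILE (saved --build-info output) contains "NAME support: yes".
build_feature_enabled() {
    grep -i -q "^[[:space:]]*$1 support:[[:space:]]*yes" "$2"
}

# check_build FILE
# Confirms the three configure options used above (--enable-rust, --enable-nfqueue,
# --enable-lua) made it into the binary. Prints the missing ones and returns 1 if any.
check_build() {
    missing=""
    for feat in Rust NFQueue LUA; do
        build_feature_enabled "$feat" "$1" || missing="$missing $feat"
    done
    if [ -n "$missing" ]; then
        echo "missing:$missing"
        return 1
    fi
    echo "build ok"
}

# count_rules DIR
# Prints "<active> <disabled>" across all *.rules files in DIR. Compare the first
# number with the signature count suricata logs at startup; a mismatch means
# default-rule-path in suricata.yaml points somewhere else.
count_rules() {
    actions='(alert|drop|pass|reject|rejectsrc|rejectdst|rejectboth)'
    active=$(cat "$1"/*.rules 2>/dev/null | grep -E -c "^[[:space:]]*${actions}[[:space:]]" || true)
    disabled=$(cat "$1"/*.rules 2>/dev/null | grep -E -c "^[[:space:]]*#[[:space:]]*${actions}[[:space:]]" || true)
    echo "$active $disabled"
}

# demo: runs both checks against constructed sample data (not real output).
demo() {
    tmp=$(mktemp -d)
    # constructed excerpt in the assumed --build-info format
    cat > "$tmp/build-info.txt" <<'EOF'
  NFQueue support:                         yes
  LUA support:                             yes
  Rust support:                            yes
EOF
    mkdir "$tmp/rules"
    # constructed rule file: two active rules, one disabled rule, one comment
    cat > "$tmp/rules/demo.rules" <<'EOF'
# Demo rules (constructed)
alert tcp any any -> any 80 (msg:"DEMO HTTP"; sid:9000001; rev:1;)
#alert tcp any any -> any 443 (msg:"DEMO TLS disabled"; sid:9000002; rev:1;)
drop ip any any -> any any (msg:"DEMO drop"; sid:9000003; rev:1;)
EOF
    check_build "$tmp/build-info.txt"
    echo "rules (active disabled): $(count_rules "$tmp/rules")"
    rm -rf "$tmp"
}

# On a real install:
#   suricata --build-info > /tmp/build-info.txt && check_build /tmp/build-info.txt
#   count_rules /var/lib/suricata/rules   (or /etc/suricata/rules, see 3.1)
if [ "${1:-}" = "--demo" ]; then
    demo
fi
```

Run it with `--demo` to see the checks against the constructed data, or source it and call `check_build` and `count_rules` on the real paths. Before starting the sensor as in 3.2, `suricata -T -c /etc/suricata/suricata.yaml` validates the configuration and loads the rules without attaching to an interface, which is the cheapest way to confirm the rule count matches what `count_rules` reports.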