선 밖에 선 자유인
Suricata IPS installation (CentOS)
Source: https://redmine.openinfosecfoundation.org/projects/suricata/wiki/CentOS_56_Installation
Pre-installation requirements
Some of the required packages come from the Fedora EPEL repository. Enable that repository with the following command (the package is the same for i386 and x86_64):
sudo rpm -Uvh http://download.fedora.redhat.com/pub/epel/5/x86_64/epel-release-5-4.noarch.rpm
Before you can build Suricata for your system, run the following command to ensure that you have everything you need for the installation.
sudo yum -y install libpcap libpcap-devel libnet libnet-devel pcre \
pcre-devel gcc gcc-c++ automake autoconf libtool make libyaml \
libyaml-devel zlib zlib-devel
Depending on the current status of your system, it may take a while to complete this process.
HTP
HTP is bundled with Suricata and installed automatically. If you need to install HTP manually for other reasons, instructions can be found at HTP library installation.
IPS
If you plan to build Suricata with IPS capabilities via ./configure --enable-nfqueue, note that there are no pre-built packages in the CentOS base or EPEL repositories for libnfnetlink and libnetfilter_queue. If you wish, you may use the rpms in the Emerging Threats CentOS 5 repository:
i386
sudo rpm -Uvh http://rules.emergingthreatspro.com/projects/emergingrepo/i386/libnetfilter_queue-0.0.15-1.i386.rpm \
http://rules.emergingthreatspro.com/projects/emergingrepo/i386/libnetfilter_queue-devel-0.0.15-1.i386.rpm \
http://rules.emergingthreatspro.com/projects/emergingrepo/i386/libnfnetlink-0.0.30-1.i386.rpm \
http://rules.emergingthreatspro.com/projects/emergingrepo/i386/libnfnetlink-devel-0.0.30-1.i386.rpm
x86_64
sudo rpm -Uvh http://rules.emergingthreatspro.com/projects/emergingrepo/x86_64/libnetfilter_queue-0.0.15-1.x86_64.rpm \
http://rules.emergingthreatspro.com/projects/emergingrepo/x86_64/libnetfilter_queue-devel-0.0.15-1.x86_64.rpm \
http://rules.emergingthreatspro.com/projects/emergingrepo/x86_64/libnfnetlink-0.0.30-1.x86_64.rpm \
http://rules.emergingthreatspro.com/projects/emergingrepo/x86_64/libnfnetlink-devel-0.0.30-1.x86_64.rpm
libcap-ng installation
This installation is needed for dropping privileges.
wget http://people.redhat.com/sgrubb/libcap-ng/libcap-ng-0.6.4.tar.gz
tar -xzvf libcap-ng-0.6.4.tar.gz
cd libcap-ng-0.6.4
./configure
make
sudo make install
Suricata
To download and build Suricata, enter the following:
wget http://www.openinfosecfoundation.org/download/suricata-1.0.5.tar.gz
tar -xvzf suricata-1.0.5.tar.gz
cd suricata-1.0.5
If you are building from Git sources, enter all the following commands:
bash autogen.sh
If you are not building from Git sources, enter only:
./configure
make
sudo make install
** When installing Suricata, install libyaml and libyaml-devel from separately downloaded rpms, and build libnet 1.1.x from source as well.
Basic Setup
When using Debian or FreeBSD, make sure you enter all commands as root/super-user because for these operating systems it is not possible to use 'sudo'.
Start with creating a directory for Suricata's log information.
sudo mkdir /var/log/suricata
To prepare the system for using it, enter:
cd /etc
Followed by:
sudo mkdir suricata
In this example the directory created is named 'suricata'. It is possible to choose the name you prefer.
Then enter:
cd ~/suricata/oisf
The next step is to copy classification.config, reference.config and suricata.yaml from the oisf directory to the /etc/suricata directory. Do so by entering the following:
sudo cp classification.config /etc/suricata
sudo cp reference.config /etc/suricata
sudo cp suricata.yaml /etc/suricata
Setting variables
Make sure every variable of the vars, address-groups and port-groups in the yaml file is set correctly for your needs.
You need to set the ip-address(es) of your home network at HOME_NET.
It is recommended to set EXTERNAL_NET to !$HOME_NET. This way, every ip-address except those set at HOME_NET will be treated as external.
It is also possible to set EXTERNAL_NET to 'any', but the recommended setting is more precise and lowers the chance that false positives will be generated.
HTTP_SERVERS, SMTP_SERVERS, SQL_SERVERS, DNS_SERVERS and TELNET_SERVERS are by default set to HOME_NET. AIM_SERVERS is by default set to 'any'. These variables have to be set to match the servers on your network.
All settings have to be set precisely for the rules to have a more accurate effect.
Next, make sure the following ports are set to your needs: HTTP_PORTS, SHELLCODE_PORTS, ORACLE_PORTS and SSH_PORTS.
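The following is an added example and is not part of the original wiki page or the Suricata project: a small POSIX shell helper that writes HOME_NET into a suricata.yaml-style vars fragment, sets EXTERNAL_NET to the recommended !$HOME_NET, and then checks that no server group was left at "any". The fragment SAMPLE_VARS is constructed for the example, and the assumed layout is the quoted `NAME: "..."` form shown in it; on a real system you would run it against /etc/suricata/suricata.yaml and then confirm the result with `suricata -T -c /etc/suricata/suricata.yaml`.

```shell
#!/bin/sh
# Added example, not the Suricata project's own code.
# Fills in the address-group variables of a suricata.yaml-style fragment
# and checks the result against the recommendations above.

# Constructed fragment in the shape of the vars section of suricata.yaml
SAMPLE_VARS='vars:
  address-groups:
    HOME_NET: "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]"
    EXTERNAL_NET: "any"
    HTTP_SERVERS: "$HOME_NET"
    SQL_SERVERS: "$HOME_NET"
    AIM_SERVERS: "any"
  port-groups:
    HTTP_PORTS: "80"
    SSH_PORTS: 22'

# set_home_net FRAGMENT CIDRLIST
# Prints FRAGMENT with HOME_NET replaced by "[CIDRLIST]" and EXTERNAL_NET
# set to the recommended negation "!$HOME_NET".  AIM_SERVERS is pinned to
# HOME_NET as well so that no server group stays at "any".
set_home_net() {
  printf '%s\n' "$1" | sed \
    -e "s|^\(  *HOME_NET:\).*|\1 \"[$2]\"|" \
    -e 's|^\(  *EXTERNAL_NET:\).*|\1 "!$HOME_NET"|' \
    -e 's|^\(  *AIM_SERVERS:\).*|\1 "$HOME_NET"|'
}

# check_vars FRAGMENT
# Returns 0 when HOME_NET is an explicit bracketed list, EXTERNAL_NET is
# "!$HOME_NET" and no *_SERVERS group is still "any"; returns 1 otherwise.
check_vars() {
  printf '%s\n' "$1" | grep -q '^ *HOME_NET: "\[.*\]"' || return 1
  printf '%s\n' "$1" | grep -q '^ *EXTERNAL_NET: "!\$HOME_NET"' || return 1
  ! printf '%s\n' "$1" | grep -q '^ *[A-Z_]*_SERVERS: "any"'
}

# Usage: patch the constructed fragment for a site with two home subnets
# and show the result; check_vars succeeds only on the patched copy.
PATCHED=$(set_home_net "$SAMPLE_VARS" "10.0.0.0/8,192.168.1.0/24")
printf '%s\n' "$PATCHED"
check_vars "$PATCHED" && echo "vars OK" || echo "vars need attention"
```

The sed patterns only touch the three named keys and leave the rest of the fragment untouched, so the same approach works on a full suricata.yaml; the final `suricata -T` run is still the authoritative check, since it parses the whole file rather than just these lines.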
In the near future it will also be possible to set the host-os-policy to your needs:
windows: []
bsd: []
bsd_right: []
old_linux: []
linux: [10.0.0.0/8, 192.168.1.100, "8762:2352:6241:7245:E000:0000:0000:0000"]
old_solaris: []
solaris: ["::1"]
hpux10: []
hpux11: []
irix: []
macos: []
vista: []
windows2k3: []
Interface cards
To check the available interface cards, enter:
ifconfig
Now you can see which one you would like Suricata to use.
To start the engine and include the interface card of your preference, enter:
sudo suricata -c /etc/suricata/suricata.yaml -i wlan0
Instead of wlan0, you can enter the interface card of your preference.
To see if the engine is working correctly and registers traffic, enter:
cd /var/log/suricata
Followed by:
tail http.log
And:
tail -n 33 stats.log
To make sure the information displayed keeps updating, add -f before http.log or stats.log:
tail -f http.log