n1 Armbian OS 24.11.0 noble: installing Suricata
References
Installing Suricata | OISF/suricata - KoalaWiki
Deploying Kibana on an ARM server (kibana arm) - CSDN blog
https://artifacts.elastic.co/downloads/kibana/kibana-7.17.22-linux-aarch64.tar.gz
- Add the OISF PPA:
  sudo add-apt-repository ppa:oisf/suricata-stable
  sudo apt-get update
- Install Suricata:
  sudo apt-get install suricata
Suricata installation guide
Suricata is a high-performance open-source intrusion detection system (IDS), intrusion prevention system (IPS) and network security monitoring engine. The following describes how to install Suricata on different operating systems.
Installing on Ubuntu/Debian
Update the package list so that the latest package versions are available:
sudo apt update
Install Suricata and its dependencies:
sudo apt install suricata
Start the Suricata service and enable it at boot:
sudo systemctl start suricata
sudo systemctl enable suricata
Installing on CentOS/RHEL
Add the EPEL repository, which provides the Suricata package:
sudo yum install epel-release
Install Suricata:
sudo yum install suricata
Start the service and enable it at boot:
sudo systemctl start suricata
sudo systemctl enable suricata
Building from source
Download the latest Suricata source release:
wget https://www.openinfosecfoundation.org/download/suricata-<version>.tar.gz
Extract the archive and enter the source directory:
tar -xzvf suricata-<version>.tar.gz
cd suricata-<version>
Configure, build and install Suricata:
./configure
make
sudo make install
Configuring Suricata
The default configuration file is usually /etc/suricata/suricata.yaml; adjust the rule sets and the network interface settings there as needed. Update the rule set with:
sudo suricata-update
Verifying the installation
Check the Suricata version to confirm the installation succeeded:
suricata -V
Run Suricata on an interface as a test:
sudo suricata -c /etc/suricata/suricata.yaml -i <interface>
The steps above cover the basic installation and configuration of Suricata on the major Linux distributions. Depending on your requirements, you may need to adjust the configuration file or rule sets further.
Effective configuration on the n1, with comment and blank lines stripped:
grep -Ev '^[[:space:]]*#|^$' /etc/suricata/suricata.yaml

%YAML 1.1
---
suricata-version: "8.0"

vars:
  address-groups:
    HOME_NET: "[192.168.1.0/24,10.8.8.0/24,172.16.0.0/12]"
    EXTERNAL_NET: "!$HOME_NET"
    HTTP_SERVERS: "$HOME_NET"
    SMTP_SERVERS: "$HOME_NET"
    SQL_SERVERS: "$HOME_NET"
    DNS_SERVERS: "$HOME_NET"
    TELNET_SERVERS: "$HOME_NET"
    AIM_SERVERS: "$EXTERNAL_NET"
    DC_SERVERS: "$HOME_NET"
    DNP3_SERVER: "$HOME_NET"
    DNP3_CLIENT: "$HOME_NET"
    MODBUS_CLIENT: "$HOME_NET"
    MODBUS_SERVER: "$HOME_NET"
    ENIP_CLIENT: "$HOME_NET"
    ENIP_SERVER: "$HOME_NET"
  port-groups:
    HTTP_PORTS: "80"
    SHELLCODE_PORTS: "!80"
    ORACLE_PORTS: 1521
    SSH_PORTS: 22
    DNP3_PORTS: 20000
    MODBUS_PORTS: 502
    FILE_DATA_PORTS: "[$HTTP_PORTS,110,143]"
    FTP_PORTS: 21
    GENEVE_PORTS: 6081
    VXLAN_PORTS: 4789
    TEREDO_PORTS: 3544
    SIP_PORTS: "[5060, 5061]"

default-log-dir: /sdb1/log/suricata/

stats:
  enabled: yes
  interval: 8

exception-policy:

plugins:

outputs:
  - fast:
      enabled: yes
      filename: fast.log
      append: yes
  - eve-log:
      enabled: yes
      filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
      filename: eve.json
      pcap-file: false
      community-id: false
      community-id-seed: 0
      xff:
        enabled: no
        mode: extra-data
        deployment: reverse
        header: X-Forwarded-For
      types:
        - alert:
            tagged-packets: yes
        - frame:
            enabled: no
        - anomaly:
            enabled: yes
            types:
        - http:
            extended: yes     # enable this for extended logging information
        - dns:
        - mdns:
        - tls:
            extended: yes     # enable this for extended logging information
        - files:
            force-magic: no   # force logging magic on all logged files
        - smtp:
        - websocket
        - ftp
        - rdp
        - nfs
        - smb:
        - tftp
        - ike
        - dcerpc
        - krb5
        - bittorrent-dht
        - snmp
        - rfb
        - sip
        - quic
        - ldap
        - pop3
        - arp:
            enabled: no # Many events can be logged. Disabled by default
        - dhcp:
            enabled: yes
            extended: no
        - ssh
        - mqtt:
        - http2
        - doh2
        - pgsql:
            enabled: no
        - stats:
            totals: yes       # stats for all threads merged together
            threads: no       # per thread stats
            deltas: no        # include delta values
        - flow
  - tls-store:
      enabled: no
  - pcap-log:
      enabled: no
      filename: log.pcap
      limit: 1000 MiB
      max-files: 2000
      compression: none
      mode: normal # normal or multi
      use-stream-depth: no #If set to "yes" packets seen after reaching stream inspection depth are ignored. "no" logs all packets
      honor-pass-rules: no # If set to "yes", flows in which a pass rule matched will stop being logged.
  - alert-debug:
      enabled: no
      filename: alert-debug.log
      append: yes
  - stats:
      enabled: yes
      filename: stats.log
      append: yes       # append to file (yes) or overwrite it (no)
      totals: yes       # stats for all threads merged together
      threads: no       # per thread stats
  - file-store:
      version: 2
      enabled: no
      xff:
        enabled: no
        mode: extra-data
        deployment: reverse
        header: X-Forwarded-For
  - tcp-data:
      enabled: no
      type: file
      filename: tcp-data.log
  - http-body-data:
      enabled: no
      type: file
      filename: http-data.log
  - lua:
      enabled: no
      scripts:

heartbeat:

logging:
  default-log-level: notice
  default-output-filter:
  outputs:
  - console:
      enabled: yes
  - file:
      enabled: yes
      level: info
      filename: suricata.log
  - syslog:
      enabled: no
      facility: local5
      format: "[%i] <%d> -- "

af-packet:
  - interface: eth0
    cluster-id: 99
    cluster-type: cluster_flow
    defrag: yes
  - interface: default

af-xdp:
  - interface: default

dpdk:
  eal-params:
    proc-type: primary
  interfaces:
    - interface: 0000:3b:00.0 # PCIe address of the NIC port
      threads: auto
      promisc: true # promiscuous mode - capture all packets
      multicast: true # enables also detection on multicast packets
      checksum-checks: true # if Suricata should validate checksums
      checksum-checks-offload: true # if possible offload checksum validation to the NIC (saves Suricata resources)
      mtu: 1500 # Set MTU of the device in bytes
      vlan-strip-offload: false # if possible enable hardware vlan stripping
      mempool-size: auto # autocalculated based on Rx/Tx descriptors and threads
      mempool-cache-size: auto # autocalculated from the mempool size
      rx-descriptors: auto # max number of descriptors
      tx-descriptors: auto # max number of descriptors
      copy-mode: none
      copy-iface: none # or PCIe address of the second interface
    - interface: default
      threads: auto
      promisc: true
      multicast: true
      checksum-checks: true
      checksum-checks-offload: true
      mtu: 1500
      vlan-strip-offload: false
      rss-hash-functions: auto
      linkup-timeout: 0
      mempool-size: auto
      mempool-cache-size: auto
      rx-descriptors: auto
      tx-descriptors: auto
      copy-mode: none
      copy-iface: none

pcap:
  - interface: eth0
  - interface: default

pcap-file:
  checksum-checks: auto

app-layer:
  protocols:
    telnet:
      enabled: yes
    rfb:
      enabled: yes
      detection-ports:
        dp: 5900, 5901, 5902, 5903, 5904, 5905, 5906, 5907, 5908, 5909
    mqtt:
      enabled: yes
    krb5:
      enabled: yes
    bittorrent-dht:
      enabled: yes
    snmp:
      enabled: yes
    ike:
      enabled: yes
    tls:
      enabled: yes
      detection-ports:
        dp: 443
    pgsql:
      enabled: no
      stream-depth: 0
    dcerpc:
      enabled: yes
    ftp:
      enabled: yes
    websocket:
    rdp:
    ssh:
      enabled: yes
    doh2:
      enabled: yes
    http2:
      enabled: yes
    smtp:
      enabled: yes
      raw-extraction: no
      mime:
        decode-mime: yes
        decode-base64: yes
        decode-quoted-printable: yes
        header-value-depth: 2000
        extract-urls: yes
        body-md5: no
      inspected-tracker:
        content-limit: 100000
        content-inspect-min-size: 32768
        content-inspect-window: 4096
    imap:
      enabled: detection-only
    pop3:
      enabled: yes
      detection-ports:
        dp: 110
      stream-depth: 0
    smb:
      enabled: yes
      detection-ports:
        dp: 139, 445
    nfs:
      enabled: yes
    tftp:
      enabled: yes
    dns:
      tcp:
        enabled: yes
        detection-ports:
          dp: 53
      udp:
        enabled: yes
        detection-ports:
          dp: 53
    http:
      enabled: yes
      libhtp:
        default-config:
          personality: IDS
          request-body-limit: 100 KiB
          response-body-limit: 100 KiB
          request-body-minimal-inspect-size: 32 KiB
          request-body-inspect-window: 4 KiB
          response-body-minimal-inspect-size: 40 KiB
          response-body-inspect-window: 16 KiB
          response-body-decompress-layer-limit: 2
          http-body-inline: auto
          swf-decompression:
            enabled: no
            type: both
            compress-depth: 100 KiB
            decompress-depth: 100 KiB
          double-decode-path: no
          double-decode-query: no
        server-config:
    modbus:
      enabled: no
      detection-ports:
        dp: 502
      stream-depth: 0
    dnp3:
      enabled: no
      detection-ports:
        dp: 20000
    enip:
      enabled: no
      detection-ports:
        dp: 44818
        sp: 44818
    ntp:
      enabled: yes
    quic:
      enabled: yes
    dhcp:
      enabled: yes
    sip:
    ldap:
      tcp:
        enabled: yes
        detection-ports:
          dp: 389, 3268
      udp:
        enabled: yes
        detection-ports:
          dp: 389, 3268
    mdns:
      enabled: yes

asn1-max-frames: 256

datasets:
  defaults:
  limits:
  rules:

security:
  limit-noproc: true
  landlock:
    enabled: no
    directories:
      read:
        - /usr/
        - /etc/
        - /etc/suricata/
  lua:

coredump:
  max-dump: unlimited

host-mode: auto

unix-command:
  enabled: auto

legacy:
  uricontent: enabled

exception-policy: auto

engine-analysis:
  rules-fast-pattern: yes
  rules: yes

pcre:
  match-limit: 3500
  match-limit-recursion: 1500

host-os-policy:
  windows: [0.0.0.0/0]
  bsd: []
  bsd-right: []
  old-linux: []
  linux: []
  old-solaris: []
  solaris: []
  hpux10: []
  hpux11: []
  irix: []
  macos: []
  vista: []
  windows2k3: []

defrag:
  memcap: 32 MiB
  hash-size: 65536
  trackers: 65535 # number of defragmented flows to follow
  max-frags: 65535 # number of fragments to keep (higher than trackers)
  prealloc: yes
  timeout: 60

flow:
  memcap: 128 MiB
  hash-size: 65536
  prealloc: 10000
  emergency-recovery: 30

vlan:
  use-for-tracking: true

livedev:
  use-for-tracking: true

flow-timeouts:
  default:
    new: 30
    established: 300
    closed: 0
    bypassed: 100
    emergency-new: 10
    emergency-established: 100
    emergency-closed: 0
    emergency-bypassed: 50
  tcp:
    new: 60
    established: 600
    closed: 60
    bypassed: 100
    emergency-new: 5
    emergency-established: 100
    emergency-closed: 10
    emergency-bypassed: 50
  udp:
    new: 30
    established: 300
    bypassed: 100
    emergency-new: 10
    emergency-established: 100
    emergency-bypassed: 50
  icmp:
    new: 30
    established: 300
    bypassed: 100
    emergency-new: 10
    emergency-established: 100
    emergency-bypassed: 50

stream:
  memcap: 64 MiB
  checksum-validation: yes      # reject incorrect csums
  inline: auto                  # auto will use inline mode in IPS mode, yes or no set it statically
  reassembly:
    urgent:
      policy: oob               # drop, inline, oob (1 byte, see RFC 6093, 3.1), gap
      oob-limit-policy: drop
    memcap: 256 MiB
    depth: 1 MiB                # reassemble 1 MiB into a stream
    toserver-chunk-size: 2560
    toclient-chunk-size: 2560
    randomize-chunk-size: yes

host:
  hash-size: 4096
  prealloc: 1000
  memcap: 32 MiB

decoder:
  teredo:
    enabled: true
    ports: $TEREDO_PORTS # syntax: '[3544, 1234]' or '3533' or 'any'.
  vxlan:
    enabled: true
    ports: $VXLAN_PORTS # syntax: '[8472, 4789]' or '4789'.
  geneve:
    enabled: true
    ports: $GENEVE_PORTS # syntax: '[6081, 1234]' or '6081'.
  recursion-level:
    use-for-tracking: true

detect:
  profile: medium
  custom-values:
    toclient-groups: 3
    toserver-groups: 25
  sgh-mpm-context: auto
  sgh-mpm-caching: yes
  sgh-mpm-caching-path: /var/lib/suricata/cache/sgh
  prefilter:
    default: mpm
  grouping:
  thresholds:
    hash-size: 16384
    memcap: 16 MiB
  profiling:
    grouping:
      dump-to-disk: false
      include-rules: false      # very verbose
      include-mpm-stats: false

mpm-algo: auto

spm-algo: auto

threading:
  set-cpu-affinity: no
  autopin: no
  cpu-affinity:
    management-cpu-set:
      cpu: [ 0 ]  # include only these CPUs in affinity settings
    receive-cpu-set:
      cpu: [ 0 ]  # include only these CPUs in affinity settings
    worker-cpu-set:
      cpu: [ "all" ]
      mode: "exclusive"
      prio:
        low: [ 0 ]
        medium: [ "1-2" ]
        high: [ 3 ]
        default: "medium"
    interface-specific-cpu-set:
      - interface: "enp4s0f0" # 0000:3b:00.0 # net_bonding0 # ens1f0
        cpu: [ 1,3,5,7,9 ]
        mode: "exclusive"
        prio:
          high: [ "all" ]
          default: "medium"
  detect-thread-ratio: 1.0

profiling:
  rules:
    enabled: yes
    filename: rule_perf.log
    append: yes
    limit: 10
    json: yes
  keywords:
    enabled: yes
    filename: keyword_perf.log
    append: yes
  prefilter:
    enabled: yes
    filename: prefilter_perf.log
    append: yes
  rulegroups:
    enabled: yes
    filename: rule_group_perf.log
    append: yes
  packets:
    enabled: yes
    filename: packet_stats.log
    append: yes
    csv:
      enabled: no
      filename: packet_stats.csv
  locks:
    enabled: no
    filename: lock_stats.log
    append: yes
  pcap-log:
    enabled: no
    filename: pcaplog_stats.log
    append: yes

nfq:

nflog:
  - group: 2
    buffer-size: 18432
  - group: default
    qthreshold: 1
    qtimeout: 100
    max-size: 20000

capture:

netmap:
  - interface: eth2
  - interface: default

pfring:
  - interface: eth0
    threads: auto
    cluster-id: 99
    cluster-type: cluster_flow
  - interface: default

ipfw:

napatech:
  streams: ["0-3"]
  enable-stream-stats: no
  auto-config: yes
  hardware-bypass: yes
  inline: no
  ports: [0-1,2-3]
  hashmode: hash5tuplesorted

default-rule-path: /var/lib/suricata/rules

rule-files:
  - suricata.rules

classification-file: /etc/suricata/classification.config
reference-config-file: /etc/suricata/reference.config

firewall:
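With the eve-log output above enabled, alerts land as one JSON object per line in eve.json under default-log-dir (/sdb1/log/suricata/). The following is an added example, not code from the page or from the Suricata project: it reads EVE lines, classifies each alert as inbound/outbound/internal against the HOME_NET prefixes configured above, and tolerates the half-written last line a live eve.json usually has. The sample records, signature names and sids are constructed; the EVE field names (event_type, src_ip, dest_ip, alert.signature) are Suricata's own.

```python
import ipaddress
import json
from collections import Counter
# HOME_NET exactly as set in the suricata.yaml dump above (EXTERNAL_NET is its negation).
HOME_NET = [ipaddress.ip_network(n) for n in ("192.168.1.0/24", "10.8.8.0/24", "172.16.0.0/12")]

def in_home_net(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in HOME_NET)

def direction(event: dict) -> str:
    """inbound / outbound / internal / external, judged the way $HOME_NET is in rules."""
    src, dst = in_home_net(event["src_ip"]), in_home_net(event["dest_ip"])
    return {(True, True): "internal", (True, False): "outbound",
            (False, True): "inbound", (False, False): "external"}[(src, dst)]

def summarise(eve_lines) -> dict:
    """Tally alerts by signature and direction. Other event types are counted by type; an
    undecodable line (a half-written tail is normal while Suricata appends) is counted, not raised."""
    stats = {"by_signature": Counter(), "by_direction": Counter(),
             "other_events": Counter(), "unparsable": 0}
    for line in eve_lines:
        if not line.strip():
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            stats["unparsable"] += 1
            continue
        if ev.get("event_type") != "alert":
            stats["other_events"][ev.get("event_type", "?")] += 1
            continue
        stats["by_signature"][ev["alert"]["signature"]] += 1
        stats["by_direction"][direction(ev)] += 1
    return stats

# Constructed sample records in the shape eve-log writes (not from a real sensor); sids are in
# the 1000001+ local range and the last line is deliberately cut off mid-write.
SAMPLE_EVE = [
    '{"event_type":"alert","src_ip":"192.168.1.20","dest_ip":"203.0.113.5","dest_port":80,'
    '"alert":{"signature_id":1000001,"signature":"LOCAL TEST outbound HTTP","severity":2}}',
    '{"event_type":"dns","src_ip":"192.168.1.20","dest_ip":"192.168.1.1","dns":{"type":"query"}}',
    '{"event_type":"alert","src_ip":"198.51.100.7","dest_ip":"10.8.8.10","dest_port":22,'
    '"alert":{"signature_id":1000002,"signature":"LOCAL TEST inbound SSH","severity":2}}',
    '{"event_type":"alert","src_ip":"172.16.5.5","dest_ip":"192.168.1.30","dest_port":445,'
    '"alert":{"signature_id":1000003,"signature":"LOCAL TEST SMB probe","severity":3}}',
    '{"event_type":"alert","src_ip":"10.8.8',
]
if __name__ == "__main__":  # swap SAMPLE_EVE for open("/sdb1/log/suricata/eve.json") on the sensor
    print(json.dumps(summarise(SAMPLE_EVE), indent=2))
```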
# Run as root: create a dedicated service account named es; -s /bin/false denies it an interactive login
useradd -s /bin/false es