Suricata 8 on Alibaba Cloud: Step-by-Step Build and Install from Source

Published: 2025-09-09

1. Installation overview

This article builds and installs Suricata 8.0 from source on an Alibaba Cloud Ubuntu 24.04 instance and runs it as a layer-3 (inline, routed) IPS. The Ubuntu host needs two network interfaces, one facing the internet and one facing the internal network, eth0 and eth1 respectively.

System    Version  Notes
Ubuntu    24.04    internet—-FW—-[eth0—suricata—eth1]——internal
Suricata  8.0.0    Essentially a packet-processing engine; it does not forward packets itself. Forwarding between the interfaces is done by the operating system.

Download page: https://suricata.io/download/

Direct download URL: https://www.openinfosecfoundation.org/download/suricata-8.0.0.tar.gz

2. Deployment

All deployment steps are run as the root user.

2.1 Dependencies and download

# Install build dependencies. libpcap-dev is mandatory; libhiredis-dev and
# libhyperscan-dev provide the libraries behind the --enable-hiredis and
# --enable-hyperscan flags passed to ./configure below; python3-yaml is needed
# by suricata-update, which 'make install-full' runs.
sudo apt install -y build-essential autoconf automake libtool pkg-config libpcre2-dev libyaml-dev zlib1g-dev libcap-ng-dev libnet1-dev libjansson-dev libmagic-dev libnss3-dev libmaxminddb-dev libnfnetlink-dev libnetfilter-queue-dev libpcap-dev libhiredis-dev libhyperscan-dev python3-yaml rustc cargo make cbindgen

# Download the source tarball. Before unpacking, verify the release signature
# (the .sig file is published next to the tarball on the same download page).
wget https://www.openinfosecfoundation.org/download/suricata-8.0.0.tar.gz

# Unpack
tar -zxvf suricata-8.0.0.tar.gz
cd suricata-8.0.0

2.2 Build and install

2.2.1 Run ./configure

# Configure the build (nothing is compiled yet).
# --disable-gccmarch-native keeps the binary portable across cloud instance
# types instead of tuning it to the build host's CPU; --enable-nfqueue is what
# makes the inline layer-3 IPS mode possible; --enable-hiredis, --enable-geoip
# and --enable-hyperscan require the dev packages installed in 2.1.
./configure --disable-gccmarch-native --enable-hiredis --enable-geoip --enable-unix-socket --enable-nfqueue --enable-hyperscan

When configure finishes it prints the default installation paths; keep a copy of them, as below. Note that the same summary reports "GCC Protect enabled: no" and "Position Independent Executable enabled: no". For a box that sits inline at the network edge it is worth re-running configure with --enable-gccprotect --enable-pie added, which turns on the compiler hardening options at no functional cost.

# Key paths printed to the screen during this step
.....
Generic build parameters:
  Installation prefix:                     /usr/local
  Configuration directory:                 /usr/local/etc/suricata/
  Log directory:                           /usr/local/var/log/suricata/

  --prefix                                 /usr/local
  --sysconfdir                             /usr/local/etc
  --localstatedir                          /usr/local/var
  --datarootdir                            /usr/local/share

  Host:                                    x86_64-pc-linux-gnu
  Compiler:                                gcc (exec name) / g++ (real)
  GCC Protect enabled:                     no
  GCC march native enabled:                no
  GCC Profile enabled:                     no
  Position Independent Executable enabled: no
  CFLAGS                                   -g -O2 -fPIC -DOS_LINUX -std=c11 -I${srcdir}/../rust/gen -I${srcdir}/../rust/dist -I../rust/gen
  PCAP_CFLAGS                              -I/usr/include/dbus-1.0 -I/usr/lib/x86_64-linux-gnu/dbus-1.0/include -I/usr/include/libnl3 
  SECCFLAGS                                

To build and install run 'make' and 'make install'.

You can run 'make install-conf' if you want to install initial configuration
files to /usr/local/etc/suricata/. Running 'make install-full' will install configuration
and rules and provide you a ready-to-run suricata.

To install Suricata into /usr/bin/suricata, have the config in
/etc/suricata and use /var/log/suricata as log dir, use:
./configure --prefix=/usr/ --sysconfdir=/etc/ --localstatedir=/var/

2.2.2 Run make

# Build, then install the binary, the default configuration and the rule set.
# 'install-full' runs suricata-update to fetch the ET Open rules, so the
# instance needs outbound HTTPS access at this point.
make -j"$(nproc)" && make install-full

When this step succeeds it reports how many rules were loaded and how to start Suricata:

6/9/2025 -- 15:49:32 - <Info> -- Ignoring file b3a62191660c4b770056372c69bc7439/rules/emerging-deleted.rules
6/9/2025 -- 15:49:34 - <Info> -- Loaded 60820 rules.
6/9/2025 -- 15:49:34 - <Info> -- Disabled 13 rules.
6/9/2025 -- 15:49:34 - <Info> -- Enabled 0 rules.
6/9/2025 -- 15:49:34 - <Info> -- Modified 0 rules.
6/9/2025 -- 15:49:34 - <Info> -- Dropped 0 rules.
6/9/2025 -- 15:49:34 - <Info> -- Enabled 136 rules for flowbit dependencies.
6/9/2025 -- 15:49:34 - <Info> -- Creating directory /usr/local/var/lib/suricata/rules.
6/9/2025 -- 15:49:34 - <Info> -- Backing up current rules.
6/9/2025 -- 15:49:34 - <Info> -- Writing rules to /usr/local/var/lib/suricata/rules/suricata.rules: total: 60820; enabled: 45035; added: 60820; removed 0; modified: 0
6/9/2025 -- 1
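The steps above produce a Suricata built with NFQUEUE support and installed under /usr/local, but on their own they do not make the host an inline IPS: the kernel must be told to route between eth0 and eth1 and to hand forwarded packets to Suricata's queue for a verdict, and Suricata must be started in queue mode. The script below is an added example written for this page, not code from the original post or from the Suricata project. It assumes the interface names eth0/eth1 from section 1, the /usr/local paths from the configure output, queue number 0, and a fail-closed default; the function names (ips_forward_rules, ips_start_cmds, ips_queue_rule_count) and the APPLY/FAIL_MODE variables are this example's own. By default it only prints the commands; APPLY=1 executes them as root.

```shell
#!/bin/sh
# Added example (not from the original post): run the Suricata 8 build above
# as a layer-3 inline IPS between eth0 (internet side) and eth1 (internal
# side) using NFQUEUE. The kernel does the routing; Suricata only returns an
# accept/drop verdict for each packet it receives from the queue.
# Assumptions: interface names, queue 0, the /usr/local prefix from
# ./configure, and the fail mode. Dry run by default; APPLY=1 executes.
set -eu

WAN_IF="${WAN_IF:-eth0}"
LAN_IF="${LAN_IF:-eth1}"
QUEUE="${QUEUE:-0}"
# closed: if nothing is listening on the queue the kernel drops the packets
# (safe default for an IPS); open: --queue-bypass lets them through uninspected.
FAIL_MODE="${FAIL_MODE:-closed}"
SURICATA_BIN="${SURICATA_BIN:-/usr/local/bin/suricata}"
SURICATA_CONF="${SURICATA_CONF:-/usr/local/etc/suricata/suricata.yaml}"

# Commands that enable IPv4 routing and steer forwarded traffic into the queue.
# Only packets crossing between the two interfaces are matched, so the host's
# own management traffic (e.g. SSH to the cloud instance) is never queued.
ips_forward_rules() {
    bypass=""
    [ "$FAIL_MODE" = "open" ] && bypass=" --queue-bypass"
    printf 'sysctl -w net.ipv4.ip_forward=1\n'
    printf 'iptables -I FORWARD -i %s -o %s -j NFQUEUE --queue-num %s%s\n' \
        "$WAN_IF" "$LAN_IF" "$QUEUE" "$bypass"
    printf 'iptables -I FORWARD -i %s -o %s -j NFQUEUE --queue-num %s%s\n' \
        "$LAN_IF" "$WAN_IF" "$QUEUE" "$bypass"
}

# Validate config and rules first (-T parses them and exits non-zero on any
# error), then start Suricata reading from the queue as a daemon (-D).
ips_start_cmds() {
    printf '%s -T -c %s\n' "$SURICATA_BIN" "$SURICATA_CONF"
    printf '%s -c %s -q %s -D\n' "$SURICATA_BIN" "$SURICATA_CONF" "$QUEUE"
}

# Sanity check before applying: one queueing rule per direction, so expect 2.
ips_queue_rule_count() {
    ips_forward_rules | grep -c 'NFQUEUE'
}

if [ "${APPLY:-0}" = "1" ]; then
    # Start Suricata before inserting the rules: with a fail-closed queue,
    # queueing first would blackhole traffic while the 60k rules are loading.
    ips_start_cmds | sh -e
    ips_forward_rules | sh -e
else
    echo "# dry run; set APPLY=1 to execute:"
    ips_start_cmds
    ips_forward_rules
fi
```

The ordering in the APPLY branch is the security-relevant detail: without --queue-bypass the kernel drops every queued packet that has no listener, so the rules must go in only after Suricata is up, and if Suricata later dies the link fails closed rather than silently passing uninspected traffic. Choose FAIL_MODE=open only where availability matters more than inspection, and make that choice deliberately.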
