suricata+elk

<pre><code> suricata+elk</code></pre> <p>一.安装（cetos7） 前期环境准备 sudo yum -y install gcc libpcap-devel pcre-devel libyaml-devel file-devel zlib-devel jansson-devel nss-devel libcap-ng-devel libnet-devel tar make libnetfilter_queue-devel lua-devel PyYAML libmaxminddb-devel rustc cargo lz4-devel 下载Suricata: wget <a href="https://www.openinfosecfoundation.org/download/suricata-6.0.3.tar.gz2">https://www.openinfosecfoundation.org/download/suricata-6.0.3.tar.gz2</a> tar zxvf suricata-6.0.3.tar.gz2 cd suricata-6.0.3 ./configure --prefix=/usr --sysconfdir=/etc --localstatedir=/var --enable-nfqueue --enable-lua make make install make install-conf make install-rules(mac下make install-full)</p> <ol> <li>其他说明 配置文件位于 /etc/suricata/suricata.yaml 执行make install-rules成功后，规则默认位于/var/lib/suricata/rules下面 二，启动 suricata -c /etc/suricata/suricata.yaml -i ens33（网口） 可能会报错，根据错误进行修改 三，联动elk 注意先添加索引 <a href="https://www.cnblogs.com/zheh/p/10240856.html">https://www.cnblogs.com/zheh/p/10240856.html</a> 四，自定义规则 <a href="https://zhuanlan.zhihu.com/p/37173608?from_voters_page=true">https://zhuanlan.zhihu.com/p/37173608?from_voters_page=true</a> 四，更新规则 suricata-update update-sources 五，自定义规则 <img src="https://www.showdoc.com.cn/server/api/attachment/visitfile/sign/e83e0f590f04289388d7b21e3c4db4b8" alt="" /></li> </ol>