suricata+elk
1. Installation (CentOS 7)

Install the build prerequisites first:

    sudo yum -y install gcc libpcap-devel pcre-devel libyaml-devel file-devel zlib-devel jansson-devel nss-devel libcap-ng-devel libnet-devel tar make libnetfilter_queue-devel lua-devel PyYAML libmaxminddb-devel rustc cargo lz4-devel

Download and build Suricata (the release tarball is a plain .tar.gz):

    wget https://www.openinfosecfoundation.org/download/suricata-6.0.3.tar.gz
    tar zxvf suricata-6.0.3.tar.gz
    cd suricata-6.0.3
    ./configure --prefix=/usr --sysconfdir=/etc --localstatedir=/var --enable-nfqueue --enable-lua
    make
    make install
    make install-conf
    make install-rules

(On macOS use make install-full, which runs install, install-conf and install-rules in one step.)
- Other notes
The configuration file is /etc/suricata/suricata.yaml.
After make install-rules succeeds, the rules are installed under /var/lib/suricata/rules by default.
2. Starting

    suricata -c /etc/suricata/suricata.yaml -i ens33

(replace ens33 with the name of the interface to monitor). Startup may fail with errors; read the message and fix the configuration accordingly. To check the configuration and rule files without capturing any traffic, run suricata -T -c /etc/suricata/suricata.yaml first; it exits after reporting any load errors.
3. Linking to ELK

Suricata writes its events to the EVE JSON log (/var/log/suricata/eve.json by default); that is the file the ELK stack ingests. Note: create the index in Elasticsearch before shipping data.
https://www.cnblogs.com/zheh/p/10240856.html
4. Custom rules
https://zhuanlan.zhihu.com/p/37173608?from_voters_page=true
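An added example of the custom-rule step, written for this page and not taken from the original post or the Suricata project. It keeps custom rules in a separate file under the rule directory from step 1, refuses a rule whose sid is missing or already used by any other .rules file (Suricata rejects duplicate signature IDs when it loads rules), and validates the file with suricata -T before the daemon is restarted. Assumptions: the default rule directory /var/lib/suricata/rules, the file name local.rules chosen here, and that local.rules has been added to the rule-files list in suricata.yaml so the running daemon also loads it.

```shell
#!/bin/sh
# Added example (not from the original page or Suricata itself): add a custom
# rule to a local rules file, checking for sid collisions first, then run
# Suricata's config test mode before restarting the daemon.
# Assumed: /var/lib/suricata/rules is the rule directory from "make
# install-rules"; local.rules is our own file name and must be listed under
# rule-files in /etc/suricata/suricata.yaml. Both are overridable via env.

RULE_DIR="${RULE_DIR:-/var/lib/suricata/rules}"
LOCAL_RULES="${LOCAL_RULES:-$RULE_DIR/local.rules}"

# Print the sid of one rule line; prints nothing if the rule has no sid.
rule_sid() {
    printf '%s\n' "$1" | sed -n 's/.*sid:[[:space:]]*\([0-9][0-9]*\).*/\1/p'
}

# Succeed if the sid is already used by any .rules file in RULE_DIR.
sid_in_use() {
    grep -qE "sid:[[:space:]]*$1[[:space:]]*;" "$RULE_DIR"/*.rules 2>/dev/null
}

# Append a rule to LOCAL_RULES unless its sid is missing or already taken.
add_local_rule() {
    rule="$1"
    sid=$(rule_sid "$rule")
    if [ -z "$sid" ]; then
        echo "rule has no sid, refusing: $rule" >&2
        return 1
    fi
    if sid_in_use "$sid"; then
        echo "sid $sid is already used under $RULE_DIR, pick another" >&2
        return 1
    fi
    mkdir -p "$RULE_DIR"
    printf '%s\n' "$rule" >> "$LOCAL_RULES"
}

# Load the config in test mode with only our file as the rule set (-S loads
# that file exclusively), so syntax errors are reported without sniffing
# traffic. Skipped when suricata is not on PATH.
test_config() {
    if command -v suricata >/dev/null 2>&1; then
        suricata -T -c /etc/suricata/suricata.yaml -S "$LOCAL_RULES"
    else
        echo "suricata not on PATH, skipping -T check" >&2
    fi
}

# Usage: sh add_rule.sh 'alert icmp any any -> $HOME_NET any (msg:"LOCAL ICMP echo request"; itype:8; sid:1000001; rev:1;)'
if [ $# -gt 0 ]; then
    add_local_rule "$1" && test_config
fi
```

By convention sids below 1000000 are reserved for distributed rule sets (the ET Open rules pulled in by suricata-update use their own range), so local rules should start at 1000000. After the -T check passes, restart Suricata so the running daemon loads the new rule.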
5. Updating rules

    suricata-update update-sources

This only refreshes the index of available rule sources. To download or update the rules themselves, run suricata-update (it writes the merged rule set to /var/lib/suricata/rules/suricata.rules) and then restart Suricata so the new rules are loaded.