Suricata: Unterschied zwischen den Versionen
Zur Navigation springen
Zur Suche springen
| Zeile 8: | Zeile 8: | ||
*sudo mkdir /var/lib/suricata/ | *sudo mkdir /var/lib/suricata/ | ||
*sudo mv rules /var/lib/suricata/ | *sudo mv rules /var/lib/suricata/ | ||
| − | *sudo cd /var/lib/suricata/ | + | *sudo cd /var/lib/suricata/rules |
*sudo cat *.rules > suricata.rules | *sudo cat *.rules > suricata.rules | ||
| + | =Local Rules= | ||
| + | *cat /var/lib/suricata//rules/local.rules | ||
| + | alert icmp any any -> 8.8.8.8 any (msg:"Snort Test"; sid:1000000002;) | ||
| + | drop icmp any any -> 1.1.1.1 any (msg:"Snort Test"; sid:1000000001;) | ||
| + | alert tcp any any -> any any (flags: S; msg: "SYN packet"; sid:100000003;) | ||
| + | =Suricata config= | ||
| + | ;add to /etc/suricata/suricata.yaml | ||
| + | rule-files: | ||
| + | - suricata.rules | ||
| + | - local.rules | ||
| + | |||
| + | |||
| + | =Links= | ||
*https://www.pro-linux.de/artikel/2/1751/suricata-einbruchserkennung-mit-dem-erdm%C3%A4nnchen.html | *https://www.pro-linux.de/artikel/2/1751/suricata-einbruchserkennung-mit-dem-erdm%C3%A4nnchen.html | ||
Version vom 10. Juni 2020, 14:32 Uhr
Installation
- sudo add-apt-repository ppa:oisf/suricata-stable
- sudo apt-get update
- sudo apt-get install suricata
Install Rules
- wget http://rules.emergingthreats.net/open/suricata/emerging.rules.tar.gz
- tar zxvf emerging.rules.tar.gz
- sudo mkdir /var/lib/suricata/
- sudo mv rules /var/lib/suricata/
- sudo cd /var/lib/suricata/rules
- sudo cat *.rules > suricata.rules
Local Rules
- cat /var/lib/suricata//rules/local.rules
alert icmp any any -> 8.8.8.8 any (msg:"Snort Test"; sid:1000000002;) drop icmp any any -> 1.1.1.1 any (msg:"Snort Test"; sid:1000000001;) alert tcp any any -> any any (flags: S; msg: "SYN packet"; sid:100000003;)
Suricata config
- add to /etc/suricata/suricata.yaml
rule-files:
- suricata.rules - local.rules