suricata-4.1.4(一)编译安装

2021-02-27  本文已影响0人  funOfFan

环境准备

  1. 基于minimal版本的CentOS7镜像安装虚拟机
  2. 安装包:suricata-4.1.4.tar.gz、LuaJIT-2.0.3.tar.gz、lua-cjson-2.1.0.tar.gz

修改yum源
1.进入/etc/yum.repo.d
2.修改CentOS-BASE.repo文件为如下内容

[base]
name=CentOS-$releasever - Base
#mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=os
baseurl=http://mirrors.ustc.edu.cn/centos/$releasever/os/$basearch/
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7

#released updates
[updates]
name=CentOS-$releasever - Updates
# mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=updates
baseurl=http://mirrors.ustc.edu.cn/centos/$releasever/updates/$basearch/
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7

#additional packages that may be useful
[extras]
name=CentOS-$releasever - Extras
# mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=extras
baseurl=http://mirrors.ustc.edu.cn/centos/$releasever/extras/$basearch/
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7

#additional packages that extend functionality of existing packages
[centosplus]
name=CentOS-$releasever - Plus
# mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=centosplus
baseurl=http://mirrors.ustc.edu.cn/centos/$releasever/centosplus/$basearch/
gpgcheck=1
enabled=0
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7
  1. 新建epel.repo文件,内容如下
[epel]
name=Extra Packages for Enterprise Linux 7 - $basearch
baseurl=http://mirrors.ustc.edu.cn/epel/7/$basearch
#mirrorlist=https://mirrors.fedoraproject.org/metalink?repo=epel-7&arch=$basearch
failovermethod=priority
enabled=1
gpgcheck=0
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-7
 
[epel-debuginfo]
name=Extra Packages for Enterprise Linux 7 - $basearch - Debug
baseurl=http://mirrors.ustc.edu.cn/epel/7/$basearch/debug
#mirrorlist=https://mirrors.fedoraproject.org/metalink?repo=epel-debug-7&arch=$basearch
failovermethod=priority
enabled=0
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-7
gpgcheck=0
 
[epel-source]
name=Extra Packages for Enterprise Linux 7 - $basearch - Source
baseurl=http://mirrors.ustc.edu.cn/epel/7/SRPMS
#mirrorlist=https://mirrors.fedoraproject.org/metalink?repo=epel-source-7&arch=$basearch
failovermethod=priority
enabled=0
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-7
gpgcheck=0
  1. 新建epel-testing.repo文件,内容如下
[epel-testing]
name=Extra Packages for Enterprise Linux 7 - Testing - $basearch
baseurl=http://mirrors.ustc.edu.cn/epel/testing/7/$basearch
#mirrorlist=https://mirrors.fedoraproject.org/metalink?repo=testing-epel7&arch=$basearch
failovermethod=priority
enabled=0
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-7
 
[epel-testing-debuginfo]
name=Extra Packages for Enterprise Linux 7 - Testing - $basearch - Debug
baseurl=http://mirrors.ustc.edu.cn/epel/testing/7/$basearch/debug
#mirrorlist=https://mirrors.fedoraproject.org/metalink?repo=testing-debug-epel7&arch=$basearch
failovermethod=priority
enabled=0
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-7
gpgcheck=1
 
[epel-testing-source]
name=Extra Packages for Enterprise Linux 7 - Testing - $basearch - Source
baseurl=http://mirrors.ustc.edu.cn/epel/testing/7/SRPMS
#mirrorlist=https://mirrors.fedoraproject.org/metalink?repo=testing-source-epel7&arch=$basearch
failovermethod=priority
enabled=0
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-7
gpgcheck=1

安装依赖库

sudo yum install wget libpcap-devel libnet-devel pcre-devel gcc-c++ automake autoconf libtool make libyaml-devel zlib-devel file-devel jansson-devel nss-devel libnetfilter_queue-devel lua-devel PyYAML libmaxminddb-devel rustc cargo   lz4-devel libcap-ng-devel openssl-devel openssl;
cargo install cargo-vendor;

配置环境变量

echo "export PATH=$PATH:/root/.cargo/bin" >> /root/.bashrc 
source /root/.bashrc
echo "/usr/local/lib" >> /etc/ld.so.conf 
ldconfig

安装Luajit库、cjson库

wget  http://luajit.org/download/LuaJIT-2.0.3.tar.gz</u>](http://luajit.org/download/LuaJIT-2.0.3.tar.gz)
tar -zxf LuaJIT-2.0.3.tar.gz
cd LuaJIT-2.0.3
make && make install

wget  http://www.kyne.com.au/~mark/software/download/lua-cjson-2.1.0.tar.gz</u>](http://www.kyne.com.au/~mark/software/download/lua-cjson-2.1.0.tar.gz)
tar zxvf lua-cjson-2.1.0.tar.gz
make
make install

编译安装suricata

tar -zxvf suricata-4.1.4.tar.gz
./configure --prefix=/usr/ --sysconfdir=/etc/ --localstatedir=/var/ --enable-luajit --with-libnss-libraries=/usr/lib --with-libnss-includes=/usr/include/nss/ --with-libnspr-libraries=/usr/lib --with-libnspr-includes=/usr/include/nspr --with-libluajit-includes=/usr/local/include/luajit-2.0/ --with-libluajit-libraries=/usr/lib/ --with-libjansson-libraries=/usr/lib64/ --with-libjansson-includes=/usr/include
make
make install  
ldconfig

下载开源规则及配置文件

make install-full
cd  /var/lib/suricata/update/cache/
tar -zxvf *.tar.gz

开启lua支持

image.png 
vi /etc/suricata/suricata.yaml
# 修改enabled处为yes
mkdir /etc/suricata/lua-output

启动suricata显示非法指令

  1. 在设备A中编译的suricata能够正常运行
  2. 将A中的suricata移植到设备B后,运行suricata显示“非法指令”
  3. 执行 make指令编译时,默认使用了-march=native选项
    image.png 该选项会产生专用于local machine的代码,使之能够支持所有的指令集,因此可能导致在不同的机器上不能运行。
  4. 在执行configure指令的时候,增加--disable-gccmarch-native选项,这样make的时候就不会自动添加--march=native选项了。
./configure --prefix=/usr/ --sysconfdir=/etc/ --localstatedir=/var/ --enable-luajit --with-libnss-libraries=/usr/lib --with-libnss-includes=/usr/include/nss/ --with-libnspr-libraries=/usr/lib --with-libnspr-includes=/usr/include/nspr --with-libluajit-includes=/usr/local/include/luajit-2.0/ --with-libluajit-libraries=/usr/lib/ --with-libjansson-libraries=/usr/lib64/ --with-libjansson-includes=/usr/include --enable-gccmarch-native
上一篇下一篇

猜你喜欢

热点阅读