commit 2e624c579245063bf8826220719b1120e2834548 Author: Linar Suleymanov Date: Tue Jun 3 21:31:57 2025 +0500 Add readme.md diff --git a/readme.md b/readme.md new file mode 100644 index 0000000..5c185b8 --- /dev/null +++ b/readme.md 
@@ -0,0 +1,93 @@ +## Suricata IPS Integration for Proxmox + +This document provides a detailed guide for integrating Suricata as an Intrusion Prevention System (IPS) within your Proxmox VE environment. + +### Note +- Packets will be forwarded to the IPS only after the firewall ACCEPTed them. +- Rejected/Dropped firewall packets don’t go to the IPS. + +This try follow [PVE Firewall#_suricata_ips_integration](https://pve.proxmox.com/wiki/Firewall#_suricata_ips_integration) + +**1. Installation and Configuration:** + +```bash +# Install Suricata and necessary tools +apt-get -y install suricata jq + +# Load nfnetlink_queue module +modprobe nfnetlink_queue +echo "nfnetlink_queue" > /etc/modules-load.d/nfnetlink_queue.conf + +# Configure Suricata for NFQUEUE +sed -i 's/NFQUEUE=.*/NFQUEUE=0-3/' /etc/default/suricata +``` + +**2. Suricata Configuration:** + +```bash +# Adjust interface (replace 'vmbr0' with your public interface) +sed -i 's/interface: eth0/interface: vmbr0/g' /etc/suricata/suricata.yaml + +# Enable community-id and rule-reload +sed -i 's/community-id: false/community-id: true/' /etc/suricata/suricata.yaml +echo "detect-engine:" >> /etc/suricata/suricata.yaml +echo " - rule-reload: true" >> /etc/suricata/suricata.yaml +``` + +**3. Rule Updates:** + +```bash +# Update Suricata rules +suricata-update update-sources +suricata-update enable-source et/open +suricata-update -o /etc/suricata/rules + +# Schedule automatic rule updates (every day at 02:00) +crontab -e +0 2 * * * suricata-update -o /etc/suricata/rules +``` + +**4. Testing Suricata:** + +```bash +# Test Suricata configuration +suricata -T -c /etc/suricata/suricata.yaml -v +``` + +**5. 
Setting Suricata as IPS:** + +```bash +# Edit Suricata service to run as IPS +systemctl edit suricata.service + +[Service] +ExecStart= +ExecStart=/usr/bin/suricata -c /etc/suricata/suricata.yaml --pidfile /run/suricata.pid -q 0 -vvv +Type=simple + +# Reload and restart Suricata service +systemctl daemon-reload +systemctl restart suricata +``` + +**6. Configuring VM/CT Firewall for IPS:** + +```bash +# Edit VM/CT firewall configuration (replace '' with your VM/CT ID) +nano /etc/pve/firewall/.fw + +[OPTIONS] +enable: 1 +ips_queues: 0:3 +ips: 1 +``` + +**7. Monitoring Suricata Alerts and Statistics:** + +```bash +# View Suricata alerts +tail -f /var/log/suricata/eve.json | jq 'select(.event_type=="alert")' + +# View Suricata IPS statistics +tail -f /var/log/suricata/stats.log | grep ips +``` \ No newline at end of file
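Review bot: the NFQUEUE queue numbers in this hunk do not agree with each other. Step 1 sets `NFQUEUE=0-3` in /etc/default/suricata and step 6 tells pve-firewall to spread traffic over four queues with `ips_queues: 0:3`, but the ExecStart override in step 5 binds only queue 0 (`-q 0`), so packets the firewall hands to queues 1 to 3 have no consumer. Either start Suricata on every queue (`-q 0 -q 1 -q 2 -q 3`) or set `ips_queues: 0` and `NFQUEUE=0`, so that all three places match. Smaller points: the VMID placeholder has been lost in step 6 (`nano /etc/pve/firewall/.fw` and "replace '' with your VM/CT ID"), restore it as `<VMID>.fw`; in step 3 the cron line sits inside the bash block right after `crontab -e` as if it were typed at the shell, use `(crontab -l 2>/dev/null; echo "0 2 * * * suricata-update -o /etc/suricata/rules") | crontab -` or a file in /etc/cron.d instead; since `-o /etc/suricata/rules` moves the ruleset away from suricata-update's default output location, add a sentence telling the reader to confirm that `default-rule-path` and `rule-files` in suricata.yaml point at that directory, and to reload the ruleset after each update (for example `suricatasc -c ruleset-reload-rules`), because the `rule-reload: true` option only enables live reload and does not trigger one. Finally, the two `echo ... >> /etc/suricata/suricata.yaml` lines in step 2 append a new top-level `detect-engine:` key to the end of the file; if the shipped suricata.yaml already contains that section, edit it in place rather than leaving a duplicate top-level key for the YAML parser to resolve, and run the `suricata -T` check from step 4 again afterwards.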