linartpro/Suricata
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Добавить readme.md

Browse Source
This commit is contained in:
Linar Suleymanov
2025-06-03 21:31:57 +05:00
commit 2e624c5792
1 changed files with 93 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
readme.md
+93
View File
@@ -0,0 +1,93 @@
## Suricata IPS Integration for Proxmox
This document provides a detailed guide for integrating Suricata as an Intrusion Prevention System (IPS) within your Proxmox VE environment.
### Note
- Packets will be forwarded to the IPS only after the firewall ACCEPTed them.
- Rejected/Dropped firewall packets dont go to the IPS.
This try follow [PVE Firewall#_suricata_ips_integration](https://pve.proxmox.com/wiki/Firewall#_suricata_ips_integration)
**1. Installation and Configuration:**
```bash
# Install Suricata and necessary tools
apt-get -y install suricata jq
# Load nfnetlink_queue module
modprobe nfnetlink_queue
echo "nfnetlink_queue" > /etc/modules-load.d/nfnetlink_queue.conf
# Configure Suricata for NFQUEUE
sed -i 's/NFQUEUE=.*/NFQUEUE=0-3/' /etc/default/suricata
```
**2. Suricata Configuration:**
```bash
# Adjust interface (replace 'vmbr0' with your public interface)
sed -i 's/interface: eth0/interface: vmbr0/g' /etc/suricata/suricata.yaml
# Enable community-id and rule-reload
sed -i 's/community-id: false/community-id: true/' /etc/suricata/suricata.yaml
echo "detect-engine:" >> /etc/suricata/suricata.yaml
echo " - rule-reload: true" >> /etc/suricata/suricata.yaml
```
**3. Rule Updates:**
```bash
# Update Suricata rules
suricata-update update-sources
suricata-update enable-source et/open
suricata-update -o /etc/suricata/rules
# Schedule automatic rule updates (every day at 02:00)
crontab -e
0 2 * * * suricata-update -o /etc/suricata/rules
```
**4. Testing Suricata:**
```bash
# Test Suricata configuration
suricata -T -c /etc/suricata/suricata.yaml -v
```
**5. Setting Suricata as IPS:**
```bash
# Edit Suricata service to run as IPS
systemctl edit suricata.service
[Service]
ExecStart=
ExecStart=/usr/bin/suricata -c /etc/suricata/suricata.yaml --pidfile /run/suricata.pid -q 0 -vvv
Type=simple
# Reload and restart Suricata service
systemctl daemon-reload
systemctl restart suricata
```
**6. Configuring VM/CT Firewall for IPS:**
```bash
# Edit VM/CT firewall configuration (replace '<VMID>' with your VM/CT ID)
nano /etc/pve/firewall/<VMID>.fw
[OPTIONS]
enable: 1
ips_queues: 0:3
ips: 1
```
**7. Monitoring Suricata Alerts and Statistics:**
```bash
# View Suricata alerts
tail -f /var/log/suricata/eve.json | jq 'select(.event_type=="alert")'
# View Suricata IPS statistics
tail -f /var/log/suricata/stats.log | grep ips
```