2025-06-03 21:31:57 +05:00
## Suricata IPS Integration for Proxmox
This document provides a detailed guide for integrating Suricata as an Intrusion Prevention System (IPS) within your Proxmox VE environment.
### Note
- Packets are forwarded to the IPS only after the Proxmox firewall has ACCEPTed them.
- Packets rejected or dropped by the firewall never reach the IPS.
This guide follows [PVE Firewall#_suricata_ips_integration](https://pve.proxmox.com/wiki/Firewall#_suricata_ips_integration).
**1. Installation and Configuration:**
```bash
# Install Suricata and jq (used below to filter the EVE JSON log)
apt-get -y install suricata jq
# Load the nfnetlink_queue module now and on every boot
modprobe nfnetlink_queue
echo "nfnetlink_queue" > /etc/modules-load.d/nfnetlink_queue.conf
# Let Suricata use NFQUEUE ids 0-3 (must match ips_queues in step 6)
sed -i 's/NFQUEUE=.*/NFQUEUE=0-3/' /etc/default/suricata
```
**2. Suricata Configuration:**
```bash
# Adjust the interface (replace 'vmbr0' with your public bridge/interface)
sed -i 's/interface: eth0/interface: vmbr0/g' /etc/suricata/suricata.yaml
# Enable community-id in EVE output
sed -i 's/community-id: false/community-id: true/' /etc/suricata/suricata.yaml
# Enable live rule reload. Skip these two lines if suricata.yaml already has a
# detect-engine section and set rule-reload: true there instead, so the key
# is not defined twice.
echo "detect-engine:" >> /etc/suricata/suricata.yaml
echo " - rule-reload: true" >> /etc/suricata/suricata.yaml
```
**3. Rule Updates:**
```bash
# Fetch the rule source index, enable the free ET Open ruleset and write
# the merged rules where suricata.yaml expects them
suricata-update update-sources
suricata-update enable-source et/open
suricata-update -o /etc/suricata/rules
# Schedule automatic rule updates every day at 02:00. Either add the cron
# line with 'crontab -e' or append it non-interactively as shown here.
( crontab -l 2>/dev/null; echo "0 2 * * * suricata-update -o /etc/suricata/rules" ) | crontab -
```
**4. Testing Suricata:**
```bash
# Test Suricata configuration
suricata -T -c /etc/suricata/suricata.yaml -v
```
**5. Setting Suricata as IPS:**
```bash
# Run Suricata as an inline IPS by overriding ExecStart in a systemd drop-in
# (this is the file that 'systemctl edit suricata.service' creates).
# One -q per queue: Suricata must listen on every id in the NFQUEUE range
# from step 1 (0-3), because packets queued to an id without a listener are
# dropped by the kernel.
mkdir -p /etc/systemd/system/suricata.service.d
cat > /etc/systemd/system/suricata.service.d/override.conf <<'EOF'
[Service]
ExecStart=
ExecStart=/usr/bin/suricata -c /etc/suricata/suricata.yaml --pidfile /run/suricata.pid -q 0 -q 1 -q 2 -q 3 -vvv
Type=simple
EOF
# Reload systemd and restart the Suricata service
systemctl daemon-reload
systemctl restart suricata
```
**6. Configuring VM/CT Firewall for IPS:**
```bash
VMID=100   # replace with your VM/CT ID
# Enable IPS for the VM/CT. If /etc/pve/firewall/$VMID.fw already exists,
# merge these keys into its [OPTIONS] section with an editor instead of
# overwriting it. ips_queues must match the queues Suricata is bound to.
cat > "/etc/pve/firewall/$VMID.fw" <<'EOF'
[OPTIONS]
enable: 1
ips_queues: 0:3
ips: 1
EOF
```
**7. Monitoring Suricata Alerts and Statistics:**
```bash
# Follow alerts as they happen; in IPS mode alert.action is "blocked" for
# packets Suricata dropped and "allowed" for alert-only signatures
tail -f /var/log/suricata/eve.json | jq 'select(.event_type=="alert")'
# Follow the IPS verdict counters (ips.accepted, ips.blocked, ...)
tail -f /var/log/suricata/stats.log | grep 'ips\.'
```
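Steps 5 and 6 bind Suricata to queues 0-3 and tell Proxmox to balance traffic across that range, and step 7 watches the counters that prove packets are really passing through the inline path. The following health check, an added example that is not part of the original guide, puts both verifications in one script: it reads `/proc/net/netfilter/nfnetlink_queue` (queue number in column 1, one line per bound queue) to find any id in the range with no listener, and reads `stats.log` in its default `Counter | TM Name | Value` layout for the `ips.accepted` and `ips.blocked` counters. The sample inputs at the bottom are constructed (Suricata bound to queues 0-2 only) so the script also runs off-host; the function names and the file paths are this example's own choices.

```shell
#!/bin/sh
# IPS health check for the Proxmox/Suricata NFQUEUE setup (added example).
# 1. Every queue id Proxmox balances onto (0-3) needs a listener; a queued
#    packet with no listener is dropped by the kernel, so a gap silently
#    blackholes part of the VM traffic.
# 2. The ips.* counters are produced by the NFQ verdict path; if they are
#    absent from stats.log, Suricata is not processing queued packets at all.
# Assumed paths and layouts (example choices, see lead-in):
NFQ_PROC=/proc/net/netfilter/nfnetlink_queue
STATS_LOG=/var/log/suricata/stats.log

# Print the bound queue numbers, sorted and space-separated.
bound_queues() {                       # $1 = nfnetlink_queue-format file
    awk '{ print $1 }' "$1" | sort -n | tr '\n' ' ' | sed 's/ $//'
}

# Print the ids in the range $2..$3 that have no listener (empty if none).
missing_queues() {                     # $1 = file, $2 = first id, $3 = last id
    bound=" $(bound_queues "$1") "
    q=$2
    while [ "$q" -le "$3" ]; do
        case "$bound" in
            *" $q "*) ;;
            *) printf '%s ' "$q" ;;
        esac
        q=$((q + 1))
    done | sed 's/ $//'
}

# Print the most recent value of one counter from a stats.log, or "absent".
ips_counter() {                        # $1 = stats.log path, $2 = counter name
    awk -F'|' -v name="$2" '
        { gsub(/ /, "", $1); gsub(/ /, "", $3) }
        $1 == name { val = $3 }
        END { print (val == "" ? "absent" : val) }' "$1"
}

# Report on a queue file and a stats file.
ips_health() {                         # $1 = nfnetlink_queue file, $2 = stats.log
    miss=$(missing_queues "$1" 0 3)
    if [ -n "$miss" ]; then
        echo "WARNING: no listener on queue(s) $miss; traffic balanced there is dropped"
    else
        echo "OK: queues 0-3 all have a listener ($(bound_queues "$1"))"
    fi
    acc=$(ips_counter "$2" ips.accepted)
    blk=$(ips_counter "$2" ips.blocked)
    if [ "$acc" = absent ]; then
        echo "WARNING: no ips.* counters in $2; Suricata is not running inline"
    else
        echo "OK: ips.accepted=$acc ips.blocked=$blk"
    fi
}

# Constructed sample inputs: Suricata bound to queues 0-2 only (queue 3
# missing), and a stats.log with the IPS counters present.
SAMPLE_NFQ=$(mktemp); SAMPLE_STATS=$(mktemp)
cat > "$SAMPLE_NFQ" <<'EOF'
    0  12345     0 2 65531     0     0       4812 1
    1  12345     0 2 65531     0     0       4799 1
    2  12345     0 2 65531     0     0       4766 1
EOF
cat > "$SAMPLE_STATS" <<'EOF'
Counter                                       | TM Name                   | Value
capture.kernel_packets                        | Total                     | 14377
ips.accepted                                  | Total                     | 14354
ips.blocked                                   | Total                     | 23
EOF

# Use the live files on a Proxmox host, otherwise the constructed samples.
if [ -r "$NFQ_PROC" ] && [ -r "$STATS_LOG" ]; then
    ips_health "$NFQ_PROC" "$STATS_LOG"
else
    ips_health "$SAMPLE_NFQ" "$SAMPLE_STATS"
fi
```

On a host where Suricata was started with `-q 0` only, the first line reports queues 1, 2 and 3 as missing, which is exactly the misconfiguration that makes some VMs lose part of their traffic while others work. The `ips_counter` function keeps the last value seen, so it reports the newest dump when `stats.log` contains several.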