Suricata/readme.md
2025-06-03 21:31:57 +05:00

Suricata IPS Integration for Proxmox

This document provides a detailed guide for integrating Suricata as an Intrusion Prevention System (IPS) within your Proxmox VE environment.

Note

  • Packets are handed to the IPS (Suricata, via NFQUEUE) only after the PVE firewall has ACCEPTed them.
  • Packets the firewall REJECTs or DROPs never reach the IPS. Suricata therefore only inspects traffic you already allow and adds a signature-based verdict on top of the firewall's; it does not replace firewall rules.

This guide follows the Suricata IPS integration section of the Proxmox VE wiki page PVE Firewall (PVE Firewall#_suricata_ips_integration).

1. Installation and Configuration:

# Install Suricata and necessary tools
apt-get -y install suricata jq

# Load nfnetlink_queue module
modprobe nfnetlink_queue
echo "nfnetlink_queue" > /etc/modules-load.d/nfnetlink_queue.conf

# Declare the NFQUEUE range Suricata serves (queues 0 to 3 here). The same range
# must appear as ips_queues in the guest firewall config and as -q options in the
# Suricata service override: packets queued to a queue nobody listens on are
# dropped by the kernel.
sed -i 's/NFQUEUE=.*/NFQUEUE=0-3/' /etc/default/suricata

2. Suricata Configuration:

# Adjust the capture interface (replace 'vmbr0' with your public bridge).
# In NFQUEUE mode Suricata receives packets from the kernel queue, not from this
# interface, so the setting only matters if you also run the af-packet/IDS mode;
# it is kept so the same suricata.yaml works in both modes.
sed -i 's/interface: eth0/interface: vmbr0/g' /etc/suricata/suricata.yaml

# Also set vars.address-groups.HOME_NET in suricata.yaml to the guest networks
# behind the bridge; many rules are written relative to $HOME_NET/$EXTERNAL_NET.

# Enable Community ID flow hashing in eve.json, so alerts can be correlated with
# other tools that compute the same hash
sed -i 's/community-id: false/community-id: true/' /etc/suricata/suricata.yaml

# Live rule reload. The detect-engine block below dates from Suricata 2.x; on
# current releases (6.x and 7.x) rule reload is always available and is triggered
# with "suricatasc -c reload-rules" (or SIGUSR2), so only append these two lines
# on old versions, and never append a second copy of a top-level key that already
# exists in suricata.yaml.
echo "detect-engine:" >> /etc/suricata/suricata.yaml
echo "  - rule-reload: true" >> /etc/suricata/suricata.yaml

3. Rule Updates:

# Update Suricata rules. Check that default-rule-path in suricata.yaml points at
# the directory given to -o (Debian's default is /var/lib/suricata/rules) and that
# rule-files lists suricata.rules, otherwise the updated ruleset is never loaded.
suricata-update update-sources
suricata-update enable-source et/open
suricata-update -o /etc/suricata/rules

# ET Open rules ship with the "alert" action. Suricata only discards traffic for
# rules whose action is drop (or reject), so until you convert the signatures you
# care about to drop (for example through suricata-update's drop.conf) the IPS
# logs but never blocks anything.

# Schedule automatic rule updates (every day at 02:00) and tell the running engine
# to reload them; add the line below to the root crontab opened by crontab -e
crontab -e
0 2 * * * suricata-update -o /etc/suricata/rules && suricatasc -c reload-rules

4. Testing Suricata:

# Test Suricata configuration
suricata -T -c /etc/suricata/suricata.yaml -v

5. Setting Suricata as IPS:

# Edit the Suricata service so it runs inline on the NFQUEUE range instead of in
# af-packet IDS mode. systemctl edit opens an override file; put the block below
# into it. One -q option is needed per queue: with NFQUEUE=0-3 and ips_queues: 0:3
# the firewall balances a guest's packets over queues 0 to 3, and a queue with no
# listener makes the kernel drop whatever is queued to it. Type=simple is needed
# because the override leaves out the -D (daemonize) flag of the packaged unit.
systemctl edit suricata.service

[Service]
ExecStart=
ExecStart=/usr/bin/suricata -c /etc/suricata/suricata.yaml --pidfile /run/suricata.pid -q 0 -q 1 -q 2 -q 3 -vvv
Type=simple

# Reload and restart Suricata service
systemctl daemon-reload
systemctl restart suricata

6. Configuring VM/CT Firewall for IPS:

# Edit the guest firewall configuration (replace '<VMID>' with your VM/CT ID).
# The firewall must be enabled at datacenter level and the guest's NIC must carry
# the firewall flag (firewall=1 on its netX device), otherwise no rules, and so no
# NFQUEUE jump, are generated for it. ips_queues selects which of the queues
# declared in /etc/default/suricata this guest's traffic is balanced over; a
# single queue (ips_queues: 0) pins the guest to one Suricata worker.
nano /etc/pve/firewall/<VMID>.fw

[OPTIONS]
enable: 1
ips_queues: 0:3
ips: 1

7. Monitoring Suricata Alerts and Statistics:

# View Suricata alerts; .alert.action is "blocked" when a drop rule discarded the
# packet and "allowed" when an alert rule only logged it
tail -f /var/log/suricata/eve.json | jq -c 'select(.event_type=="alert") | {timestamp, action: .alert.action, sid: .alert.signature_id, sig: .alert.signature, src: .src_ip, dst: .dest_ip}'

# View Suricata IPS counters (ips.accepted, ips.blocked, ...); if ips.accepted
# stays at 0 the firewall is not queuing anything to Suricata
tail -f /var/log/suricata/stats.log | grep ips
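The checks a practitioner runs after steps 1, 5 and 6, as an added example that is not code from the Proxmox wiki or from this repository: it verifies that NFQUEUE in /etc/default/suricata, ips_queues in the guest's .fw file and the queues Suricata has actually bound (visible in /proc/net/netfilter/nfnetlink_queue) all agree, reports kernel-side queue drops, and, for step 7, summarises eve.json alerts by verdict. The script name ips-queue-check.sh, VMID 100, and the sample queue table and log records are assumptions constructed here.

```sh
#!/bin/sh
# Added example, not part of the Proxmox wiki or of this repository: post-install
# checks for the multi-queue setup above. Needs only POSIX sh, awk, sed and grep.
# Assumptions (hypothetical, adapt to your host): NFQUEUE=0-3 in
# /etc/default/suricata, ips_queues: 0:3 in /etc/pve/firewall/<VMID>.fw, and the
# default compact one-record-per-line eve.json.

# Expand a queue spec ("0-3" Suricata style, "0:3" PVE style, or a single "2")
# into a space-separated list such as "0 1 2 3".
expand_queues() {
    spec=$(printf '%s' "$1" | tr ':' '-')
    case "$spec" in
        *-*) lo=${spec%-*}; hi=${spec#*-} ;;
        *)   lo=$spec;      hi=$spec ;;
    esac
    i=$lo; out=
    while [ "$i" -le "$hi" ]; do
        out="$out${out:+ }$i"; i=$((i + 1))
    done
    printf '%s\n' "$out"
}

# Extract the queue spec for key $2 from file $1, e.g.
#   queue_spec_from /etc/default/suricata NFQUEUE        -> 0-3
#   queue_spec_from /etc/pve/firewall/100.fw ips_queues  -> 0:3
queue_spec_from() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*[=:][[:space:]]*\([0-9:-]*\).*/\1/p" "$1" | tail -n 1
}

# Read the kernel queue table (/proc/net/netfilter/nfnetlink_queue) from stdin and
# print every queue in $1 that has no bound listener. Columns of that file:
#   queue_number peer_portid queue_total copy_mode copy_range queue_dropped user_dropped id_sequence 1
# A queue Suricata has not bound has no row, and packets the firewall sends there
# are dropped by the kernel, so the guest silently loses part of its traffic.
# Returns 1 if any queue is unbound.
unbound_queues() {
    bound=$(awk '{ print $1 }')
    rc=0
    for q in $1; do
        printf '%s\n' "$bound" | grep -qx "$q" || { printf '%s\n' "$q"; rc=1; }
    done
    return $rc
}

# Print queues whose user_dropped counter (column 7) is non-zero: the kernel had
# to discard packets because Suricata was not draining that queue fast enough.
queues_with_drops() {
    awk '$7 > 0 { print $1 }'
}

# Count eve.json alert records on stdin by verdict, printing "blocked N allowed M".
# "blocked": a drop rule matched and the packet was discarded. "allowed": an
# alert-action rule only logged it, which is all an unmodified ET Open rule does.
# Other record types (flow, stats, ...) are ignored.
alert_verdicts() {
    awk '/"event_type":"alert"/ { if ($0 ~ /"action":"blocked"/) b++; else a++ }
         END { printf "blocked %d allowed %d\n", b + 0, a + 0 }'
}

# Constructed sample of /proc/net/netfilter/nfnetlink_queue (not captured from a
# host): queue 3 was never bound and queue 2 has user drops.
SAMPLE_NFQ='    0  4242     0 2 65531     0     0   813  1
    1  4242     0 2 65531     0     0   790  1
    2  4242     3 2 65531     0    12   802  1'

# Constructed eve.json records with hypothetical sids (not real ET signatures).
SAMPLE_EVE='{"timestamp":"2025-06-03T21:31:57+0500","event_type":"flow","src_ip":"203.0.113.5","dest_ip":"10.0.0.10","proto":"TCP"}
{"timestamp":"2025-06-03T21:31:58+0500","event_type":"alert","src_ip":"203.0.113.5","src_port":51000,"dest_ip":"10.0.0.10","dest_port":22,"proto":"TCP","alert":{"action":"blocked","gid":1,"signature_id":1000001,"rev":1,"signature":"LOCAL drop test","severity":2}}
{"timestamp":"2025-06-03T21:31:59+0500","event_type":"alert","src_ip":"203.0.113.7","src_port":51001,"dest_ip":"10.0.0.10","dest_port":80,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":1000002,"rev":1,"signature":"LOCAL alert only","severity":3}}'

# Run every check against the live host: sh ips-queue-check.sh check <VMID>
run_checks() {
    nfq=$(queue_spec_from /etc/default/suricata NFQUEUE)
    pve=$(queue_spec_from "/etc/pve/firewall/$1.fw" ips_queues)
    [ "$(expand_queues "$nfq")" = "$(expand_queues "$pve")" ] \
        || echo "MISMATCH: NFQUEUE=$nfq but ips_queues: $pve"
    unbound=$(unbound_queues "$(expand_queues "$nfq")" < /proc/net/netfilter/nfnetlink_queue) \
        || echo "UNBOUND queues (add -q <n> to the systemd override): $unbound"
    drops=$(queues_with_drops < /proc/net/netfilter/nfnetlink_queue)
    [ -z "$drops" ] || echo "user_dropped > 0 on queues: $drops"
    alert_verdicts < /var/log/suricata/eve.json
}

case "${1:-}" in
    check) run_checks "${2:?VMID required}" ;;
    demo)  printf '%s\n' "$SAMPLE_NFQ" | unbound_queues "$(expand_queues 0-3)"
           printf '%s\n' "$SAMPLE_EVE" | alert_verdicts ;;
esac
```

sh ips-queue-check.sh check 100 runs the checks against the live host; sh ips-queue-check.sh demo runs the same functions over the embedded samples, where queue 3 is reported as unbound and one of the two alerts as blocked. The eve.json parsing is a plain text match that relies on the compact default output; where jq is installed, the jq filter in section 7 is the more robust choice.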