一、部署PF_RING
step1:安装依赖
[root@localhost ~]# yum install -y flex bison kernel-devel kernel-headers gcc gcc-c++ make wget
[root@localhost ~]# git clone https://github.com/ntop/PF_RING.git
[root@localhost ~]# cd PF_RING/
[root@localhost PF_RING]# make
[root@localhost PF_RING]# cd kernel
[root@localhost kernel]# make
[root@localhost kernel]# make install
stpe2:加载模块
[root@localhost kernel]# insmod pf_ring.ko
[root@localhost kernel]# cd ../userland/lib
[root@localhost lib]# ./configure
[root@localhost lib]# make
[root@localhost lib]# make install
[root@localhost lib]# cd ../libpcap
[root@localhost libpcap]# ./configure
[root@localhost libpcap]#
[root@localhost libpcap]# make install
stpe3:验证
[root@localhost libpcap]# cd ../examples
[root@localhost examples]# make
[root@localhost examples]# ./pfcount -i ens33
step4:检查模块
[root@localhost examples]# modinfo pf_ring
二、部署hyperscan
step1:安装LuaJIT
[root@NIDS ~]# wget http://luajit.org/download/LuaJIT-2.0.4.tar.gz
[root@NIDS ~]# tar zxvf LuaJIT-2.0.4.tar.gz
[root@NIDS ~]# cd LuaJIT-2.0.4
[root@NIDS LuaJIT-2.0.4]# make
[root@NIDS LuaJIT-2.0.4]# make install
step2:安装依赖
[root@NIDS]# yum install -y libpcap zlib libyaml libpcap-devel jansson-devel pcre-devel lua-devel libmaxminddb-devel epel-release libnetfilter_queue-devel nss-devel libyaml-devel zlib-devel luajit-devel rustc cargo
[root@NIDS ~]# yum install -y rustc cargo
step3:安装hyperscan
[root@NIDS ~]# yum install cmake ragel libtool python-devel GyeoIP-devel -y
[root@NIDS ~]# yum install boost boost-devel boost-doc -y
[root@NIDS ~]# yum install libquadmath libquadmath-devel bzip2-devel -y
[root@NIDS ~]# wget https://jaist.dl.sourceforge.net/project/boost/boost/1.76.0/boost_1_76_0.tar.gz
[root@NIDS ~]# tar zxvf boost_1_76_0.tar.gz
[root@NIDS ~]# cd boost_1_76_0
[root@NIDS boost_1_76_0]# ./bootstrap.sh --prefix=/tmp/boots-1.76
[root@NIDS boost_1_76_0]# ./b2 install
[root@NIDS ~]# git clone https://github.com/intel/hyperscan.git
[root@NIDS ~]# mkdir build
[root@NIDS ~]# cd build/
[root@NIDS build]# cmake -DBUILD_STATIC_AND_SHARED=1 -DBOOST_ROOT=/tmp/boots-1.76 ../hyperscan
[root@NIDS build]# make
[root@NIDS build]# make install
[root@NIDS build]# vim /etc/ld.so.conf
增加
/usr/local/lib64
[root@NIDS build]# ldconfig
step4:安装suricata
[root@NIDS ~]# wget https://www.openinfosecfoundation.org/download/suricata-6.0.15.tar.gz
[root@NIDS ~]# tar zxvf suricata-6.0.15.tar.gz
[root@NIDS ~]# cd suricata-6.0.15
[root@NIDS suricata-6.0.15]# LIBS="-lrt" ./configure --prefix=/usr --sysconfdir=/etc --localstatedir=/var --enable-pfring --with-libpfring-includes=/usr/local/pfring/include --with-libpfring-libraries=/usr/local/pfring/lib --enable-geoip --enable-luajit --with-libluajit-includes=/usr/local/include/luajit-2.0/ --with-libluajit-libraries=/usr/local/lib/ --with-libhs-includes=/usr/local/include/hs/ --with-libhs-libraries=/usr/local/lib/ --enable-profiling --enable-nfqueue
[root@NIDS suricata-6.0.15]# make
[root@NIDS suricata-6.0.15]# make install
[root@NIDS suricata-6.0.15]# ldconfig
[root@NIDS suricata-6.0.15]# make install-conf
[root@NIDS suricata-6.0.15]# vim /etc/ld.so.conf
增加一行
/usr/local/lib
[root@NIDS suricata-6.0.15]# ldconfig
安装规则文件
[root@NIDS ~]# yum install -y python3-pip
[root@NIDS ~]# python3 -m pip install --upgrade suricata-update
[root@NIDS ~]# suricata-update
[root@NIDS suricata-6.0.15]# make install-rules
[root@NIDS ~]# suricata --build-info
以PF_RING模式运行
[root@NIDS suricata-6.0.15]# suricata --pfring-int=ens33 --pfring-cluster-id=99 --pfring-cluster-type=cluster_flow -c /etc/suricata/suricata.yaml
[root@NIDS ~]# cat /proc/net/pf_ring/info
