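#!/usr/bin/env bash
# Build and install Suricata 6.0.8 from source with Hyperscan + NFQUEUE support.
# The steps below are meant to run in order; fail fast so a broken early step
# (e.g. a failed package install) does not silently continue into the build.
set -euo pipefail

# Refresh package lists and upgrade the base system non-interactively.
sudo apt update -y
sudo apt upgrade -y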
相关依赖下载
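# Build-time dependencies for Suricata 6.x (PCRE, libpcap, libyaml, libcap-ng,
# libmagic, jansson, NSS/NSPR, lz4, Rust toolchain, ...).
build_deps=(
  libpcre3 libpcre3-dbg libpcre3-dev
  build-essential autoconf automake libtool
  libpcap-dev libnet1-dev
  libyaml-0-2 libyaml-dev
  zlib1g zlib1g-dev
  libcap-ng-dev libcap-ng0
  make libmagic-dev
  libjansson-dev libjansson4
  pkg-config
  libnspr4-dev libnss3-dev
  liblz4-dev
  rustc cargo python3-pip
)
# libnetfilter_queue / libnfnetlink are needed for --enable-nfqueue (inline IPS mode).
nfqueue_deps=(
  libnetfilter-queue-dev libnetfilter-queue1
  libnfnetlink-dev libnfnetlink0
)
# -y for consistency with the other apt invocations on this page (unattended run).
sudo apt install -y "${build_deps[@]}"
sudo apt install -y "${nfqueue_deps[@]}"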
suricata安装包下载
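# Fetch and unpack the Suricata 6.0.8 source tarball.
suricata_version=6.0.8
suricata_tarball="suricata-${suricata_version}.tar.gz"
wget -- "https://www.openinfosecfoundation.org/download/${suricata_tarball}"
# NOTE(review): verify the download against the signature/checksum that OISF
# publishes for this release before building, e.g.
#   gpg --verify <downloaded .sig for this tarball> "${suricata_tarball}"
# An unverified tarball is untrusted input to the build.
tar xzf -- "${suricata_tarball}"
# ./configure and make must run inside the extracted source tree.
cd "suricata-${suricata_version}"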
配置，显式启用 hyperscan
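# Configure the build (run from inside the extracted suricata-6.0.8 directory).
# The original listing split this command over two lines without a line
# continuation, which would run "--sysconfdir=..." as a separate (failing)
# command; the backslash keeps it one invocation.
#   --enable-nfqueue   : NFQUEUE packet acquisition (inline IPS)
#   --enable-hyperscan : Hyperscan pattern matcher
#   PKG_CONFIG_PATH    : where a locally built hyperscan.pc is expected
./configure --enable-nfqueue --enable-hyperscan --prefix=/usr \
  --sysconfdir=/etc --localstatedir=/var PKG_CONFIG_PATH=/usr/local/lib/pkgconfig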
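# Compile on all available cores, then install binaries plus default config and
# rule directories (install-full also sets up /etc/suricata and /var/lib/suricata).
make -j"$(nproc)"
sudo make install-full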
检验安装：成功时输出 suricata 的路径
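# Verify the install: prints the path of the suricata binary on success,
# exits non-zero (aborting under set -e) if it is not on PATH.
# `command -v` is the portable replacement for `which`.
command -v suricata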
输出 Hyperscan support: yes 说明编译时已成功启用 hyperscan
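# Confirm the Hyperscan matcher was compiled in: the expected line is
# "Hyperscan support: yes". Matching on "hyperscan support" (rather than any
# occurrence of "hyperscan") keeps the check to that single status line.
suricata --build-info | grep -i 'hyperscan support'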
规则管理包
# Install the rule manager and pull the default ruleset into
# /var/lib/suricata/rules.
sudo apt install --yes suricata-update
sudo suricata-update
手动规则
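# Add hand-written local rules. The interactive form is
#   sudo vim /var/lib/suricata/rules/local.rules
# The original listing showed the two rules as bare lines after that command,
# which a shell would try to execute; the quoted heredoc below appends the same
# rules non-interactively. SIDs from 1000000 upward are the customary local range.
# NOTE(review): confirm local.rules is actually loaded — list it under
# rule-files in suricata.yaml or pass it to suricata-update (--local); the
# default config may only read the generated suricata.rules.
sudo tee -a /var/lib/suricata/rules/local.rules >/dev/null <<'EOF'
alert icmp any any -> any any (msg:"ICMP Ping Detected"; sid:1000001; rev:1;)
alert tcp any any -> any 80 (msg:"Test HTTP Baidu"; content:"Host: www.baidu.com"; sid:1000002; rev:1;)
EOF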