This attempt follows PVE Firewall#_suricata_ips_integration
- install suricata
apt-get -y install suricata jq
modprobe nfnetlink_queue
echo "nfnetlink_queue" > /etc/modules-load.d/nfnetlink_queue.conf
sed -i 's/NFQUEUE=.*/NFQUEUE=0-3/' /etc/default/suricata
- config suricata (in case the public interface is vmbr0)
sed -i 's/interface: eth0/interface: vmbr0/g' /etc/suricata/suricata.yaml
sed -i 's/community-id: false/community-id: true/' /etc/suricata/suricata.yaml
echo "detect-engine:" >> /etc/suricata/suricata.yaml
echo " - rule-reload: true" >> /etc/suricata/suricata.yaml
- update rules
suricata-update update-sources
suricata-update enable-source et/open
suricata-update -o /etc/suricata/rules
- auto update rules at 02:00
crontab -e
0 2 * * * suricata-update -o /etc/suricata/rules
- test suricata
suricata -T -c /etc/suricata/suricata.yaml -v
- set suricata as IPS
systemctl edit suricata.service
[Service]
ExecStart=
# one -q per queue in the guest firewall's ips_queues (0:3 below)
ExecStart=/usr/bin/suricata -c /etc/suricata/suricata.yaml --pidfile /run/suricata.pid -q 0 -q 1 -q 2 -q 3 -vvv
Type=simple
- start suricata
systemctl daemon-reload
systemctl restart suricata
systemctl status suricata
- add VM/CT firewall IPS
nano /etc/pve/firewall/<VMID>.fw
[OPTIONS]
enable: 1
ips_queues: 0:3
ips: 1
- view alert
tail -f /var/log/suricata/eve.json | jq 'select(.event_type=="alert")'
- view IPS stat
tail -f /var/log/suricata/stats.log | grep ips
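The ips_queues range in the .fw file and the -q flags in the Suricata unit live in different files and easily drift apart. The following added check script (not from the post or the PVE wiki) expands every ips_queues range found under /etc/pve/firewall into the -q flags Suricata needs and compares them with the effective ExecStart; treating a missing ips_queues line as queue 0 is an assumption.

```shell
#!/bin/sh
# Added example, not from the post or the PVE wiki: expand the ips_queues ranges
# in PVE .fw files into Suricata -q flags and check that the effective ExecStart
# covers every queue. Paths are the ones used in the post; treating a missing
# ips_queues line as queue 0 is an assumption.

# Expand a PVE ips_queues value ("0:3" or "2") into Suricata -q flags.
queues_to_args() {
    first="${1%%:*}"
    last="${1##*:}"               # same as first when there is no colon
    args=""
    q="$first"
    while [ "$q" -le "$last" ]; do
        args="$args -q $q"
        q=$((q + 1))
    done
    printf '%s' "${args# }"
}

# Print the ips_queues value of every .fw file in $1 that has ips: 1 set.
collect_queue_ranges() {
    for f in "$1"/*.fw; do
        [ -f "$f" ] || continue
        grep -qE '^ips:[[:space:]]*1' "$f" || continue
        range=$(sed -n 's/^ips_queues:[[:space:]]*//p' "$f" | head -n 1)
        printf '%s\n' "${range:-0}"   # assumed default: queue 0
    done | sort -u
}

# Succeed only if every "-q N" in $1 also appears in the ExecStart line $2.
execstart_covers() {
    for tok in $1; do
        [ "$tok" = "-q" ] && continue
        case " $2 " in *" -q $tok "*) ;; *) return 1 ;; esac
    done
    return 0
}

# Live check on the PVE host: sh suricata_queues.sh check
if [ "${1:-}" = "check" ]; then
    lsmod | grep -q '^nfnetlink_queue' || echo "WARN: nfnetlink_queue not loaded"
    exec_line=$(systemctl cat suricata.service | grep '^ExecStart=/' | tail -n 1)
    for range in $(collect_queue_ranges /etc/pve/firewall); do
        need=$(queues_to_args "$range")
        if execstart_covers "$need" "$exec_line"; then
            echo "OK   ips_queues $range covered by: $need"
        else
            echo "FAIL ips_queues $range needs: $need"
        fi
    done
fi
```

A FAIL line means guests whose traffic is balanced onto a queue nobody listens on, so that traffic is never inspected by Suricata.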
I'm new to all these kinds of things. I have already set up Suricata in a Debian LXC. I was wondering whether this will monitor all my VMs and LXCs within my Proxmox host? Also, can I add my main Windows machine to this?