add-apt-repository ppa:oisf/suricata-stable
apt-get install suricata

apt install python3-pip
pip3 install pyyaml
pip3 install https://github.com/OISF/suricata-update/archive/master.zip
pip3 install --pre --upgrade suricata-update

Directory /etc/suricata: read access
Directory /var/lib/suricata/rules: read/write access
Directory /var/lib/suricata/update: read/write access

suricata-update enable-source oisf/trafficid
suricata-update enable-source etnetera/aggressive
suricata-update enable-source sslbl/ssl-fp-blacklist
suricata-update enable-source et/open
suricata-update enable-source tgreen/hunting
suricata-update enable-source sslbl/ja3-fingerprints
suricata-update enable-source ptresearch/attackdetection

suricata-update

حال سرویس آن را استارت میکنیم

systemctl enable suricata
systemctl start suricata

خروجی لاگ های این ابزار در فایل/var/log/suricata/eve.json ذخیره میشود .

echo 'deb http://download.opensuse.org/repositories/security:/zeek/xUbuntu_20.10/ /' | sudo tee /etc/apt/sources.list.d/security:zeek.list
curl -fsSL https://download.opensuse.org/repositories/security:zeek/xUbuntu_20.10/Release.key | gpg --dearmor | sudo tee /etc/apt/trusted.gpg.d/security_zeek.gpg > /dev/null
apt update
apt -y install zeek

### node.cfg
# This is a complete standalone configuration. Most likely you will
# only need to change the interface.
[zeek]
type=standalone
host=localhost
interface=eth0 -- < در اینجا آدرس کارت شبکه مشخص میشود

### networks.cfg
# List of local networks in CIDR notation, optionally followed by a
# descriptive tag.
# For example, "10.0.0.0/8" or "fe80::/64" are valid prefixes.
در این بخش آدرس های داخلی شبکه شما مشخصی مشود
10.0.0.0/8          Private IP space
172.16.0.0/12       Private IP space
192.168.0.0/16      Private IP space

### /opt/zeek/share/zeek/site/local.zeek#add this line
@load policy/tuning/json-logs.zeek

./zeekctl install
./zeekctl deploy

apt-get install apt-transport-httpswget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch | sudo apt-key add -echo "deb https://artifacts.elastic.co/packages/7.x/apt stable main" | sudo tee /etc/apt/sources.list.d/elastic-7.x.list
apt-get update && apt -y install filebeat
 
filebeat modules enable suricata
filebeat modules enable zeek

######## /etc/filebeat/modules.d/zeek.yml
# Module: zeek
# Docs: /guide/en/beats/filebeat/7.6/filebeat-module-zeek.html
 
- module: zeek
  capture_loss:
    enabled: true
    var.paths: ["/opt/zeek/logs/current/capture_loss.log"]
  connection:
    enabled: true
    var.paths: ["/opt/zeek/logs/current/conn.log"]
  dce_rpc:
    enabled: true
    var.paths: ["/opt/zeek/logs/current/dce_rpc.log"]
  dhcp:
    enabled: true
    var.paths: ["/opt/zeek/logs/current/dhcp.log"]
  dnp3:
    enabled: true
    var.paths: ["/opt/zeek/logs/current/dnp3.log"]
  dns:
    enabled: true
    var.paths: ["/opt/zeek/logs/current/dns.log"]
  dpd:
    enabled: true
    var.paths: ["/opt/zeek/logs/current/dpd.log"]
  files:
    enabled: true
    var.paths: ["/opt/zeek/logs/current/files.log"]
  ftp:
    enabled: true
    var.paths: ["/opt/zeek/logs/current/ftp.log"]
  http:
    enabled: true
    var.paths: ["/opt/zeek/logs/current/http.log"]
  intel:
    enabled: true
    var.paths: ["/opt/zeek/logs/current/intel.log"]
  irc:
    enabled: true
    var.paths: ["/opt/zeek/logs/current/irc.log"]
  kerberos:
    enabled: true
    var.paths: ["/opt/zeek/logs/current/kerberos.log"]
  modbus:
    enabled: true
    var.paths: ["/opt/zeek/logs/current/modbus.log"]
  mysql:
    enabled: true
    var.paths: ["/opt/zeek/logs/current/mysql.log"]
  notice:
    enabled: true
    var.paths: ["/opt/zeek/logs/current/notice.log"]
  ntlm:
    enabled: true
    var.paths: ["/opt/zeek/logs/current/ntlm.log"]
  ocsp:
    enabled: true
    var.paths: ["/opt/zeek/logs/current/ocsp.log"]
  pe:
    enabled: true
    var.paths: ["/opt/zeek/logs/current/pe.log"]
  radius:
    enabled: true
    var.paths: ["/opt/zeek/logs/current/radius.log"]
  rdp:
    enabled: true
    var.paths: ["/opt/zeek/logs/current/rdp.log"]
  rfb:
    enabled: true
    var.paths: ["/opt/zeek/logs/current/rfb.log"]
  sip:
    enabled: true
    var.paths: ["/opt/zeek/logs/current/sip.log"]
  smb_cmd:
    enabled: true
    var.paths: ["/opt/zeek/logs/current/smb_cmd.log"]
  smb_files:
    enabled: true
    var.paths: ["/opt/zeek/logs/current/smb_files.log"]
  smb_mapping:
    enabled: true
    var.paths: ["/opt/zeek/logs/current/smb_mapping.log"]
  smtp:
    enabled: true
    var.paths: ["/opt/zeek/logs/current/smtp.log"]
  snmp:
    enabled: true
    var.paths: ["/opt/zeek/logs/current/snmp.log"]
  socks:
    enabled: true
    var.paths: ["/opt/zeek/logs/current/socks.log"]
  ssh:
    enabled: true
    var.paths: ["/opt/zeek/logs/current/ssh.log"]
  ssl:
    enabled: true
    var.paths: ["/opt/zeek/logs/current/ssl.log"]
  stats:
    enabled: true
    var.paths: ["/opt/zeek/logs/current/stats.log"]
  syslog:
    enabled: true
    var.paths: ["/opt/zeek/logs/current/syslog.log"]
  traceroute:
    enabled: true
    var.paths: ["/opt/zeek/logs/current/traceroute.log"]
  tunnel:
    enabled: true
    var.paths: ["/opt/zeek/logs/current/tunnel.log"]
  weird:
    enabled: true
    var.paths: ["/opt/zeek/logs/current/weird.log"]
  x509:
    enabled: true
    var.paths: ["/opt/zeek/logs/current/x509.log"]
 
 
 
 
######## /etc/filebeat/modules.d/suricata.yml 
# Module: suricata
# Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-suricata.html
 
- module: suricata
  # All logs
  eve:
    enabled: true
 
    # Set custom paths for the log files. If left empty,
    # Filebeat will choose the paths depending on your OS.
    var.paths: ["/var/log/suricata/eve.json"]

systemctl enable filebeat
systemctl start filebeat