Suricata/Installation-and-basic-configuration

From aldeid

Installation

Environment

The following has been tested on a Virtual Machine (ESX server) hosting a Debian 5 box with a standard LAMP environment, installed with the following packages:

$ sudo apt-get install apache2 php5 mysql-server php5-mysql

The IP address of the machine is 192.168.100.35.

Prerequisites

Install the following packages:

# apt-get install libpcre3 libpcre3-dbg libpcre3-dev \
build-essential autoconf automake libtool libpcap-dev libnet1-dev \
libyaml-0-2 libyaml-dev zlib1g zlib1g-dev pkg-config

In addition, you will need a Python interpreter:

# apt-get install python

Also install libcap-ng (the capabilities library, not libpcap), which Suricata uses to drop privileges after start-up:

$ cd /data/src/
$ wget http://people.redhat.com/sgrubb/libcap-ng/libcap-ng-0.6.5.tar.gz
$ tar xzvf libcap-ng-0.6.5.tar.gz
$ cd libcap-ng-0.6.5/
$ ./configure
$ make
# make install

If you plan to install Suricata with IPS capabilities instead of IDS, also install:

# apt-get -y install libnetfilter-queue-dev \
libnetfilter-queue1 libnfnetlink-dev libnfnetlink0

Installation from git

This is the recommended method.

First install dependencies:

# apt-get install git-core libtool automake autoconf

Download the latest available version:

$ mkdir -p /data/src/suricata/
$ cd /data/src/suricata/
$ git clone git://phalanx.openinfosecfoundation.org/oisf.git
$ cd oisf/

Create the log directory for Suricata:

# mkdir /var/log/suricata/

Compile and install it by issuing the following commands (if you plan to install IPS features, please refer to the advanced installation):

$ ./autogen.sh
$ ./configure
$ make
# make install

Copy the configuration files:

# mkdir /etc/suricata/
# cp /data/src/suricata/oisf/{*.config,*.yaml} /etc/suricata/

Installation from tar.gz

Basic installation (single-thread) is straightforward:

$ cd /data/src/
$ wget http://www.openinfosecfoundation.org/download/suricata-1.0.2.tar.gz
$ tar xzvf suricata-1.0.2.tar.gz
$ cd suricata-1.0.2/
$ ./configure
$ sudo mkdir /var/log/suricata/
$ make
$ sudo make install

Copy the configuration files (from the extracted tarball directory, not from the git checkout):

# mkdir /etc/suricata/
# cp /data/src/suricata-1.0.2/{*.config,*.yaml} /etc/suricata/

Advanced installation of Suricata & Inline capabilities

NFQueue support

To compile Suricata with Inline capabilities, configure, compile and install Suricata as follows:

$ ./configure --enable-nfqueue --enable-ipfw
$ make
# make install

To use Suricata in inline mode, pass -q <queue id> to the command line:

# suricata -c /etc/suricata/suricata.yaml -i eth0 -q 0

Other compilation options

This section is incomplete and still being written. The following compilation options remain to be documented:
  • IPFW support
  • PF_RING support
  • Prelude support
  • CUDA
  • DAG

Alternate installation of Suricata

Basic configuration and first start

Configuration

Edit suricata.yaml configuration file:

$ vim /etc/suricata/suricata.yaml

Adapt it to your needs. At a minimum, you will need to define your network:

HOME_NET: "[192.168.100.0/24]"
EXTERNAL_NET: !$HOME_NET

For a complete explanation, please refer to this page.

Setting up rules

Please refer to this section.

First start

Start Suricata with the following options (adapt the interface name to your setup):

# suricata -c /etc/suricata/suricata.yaml -i eth0

At this stage, if you get an error such as "suricata: error while loading shared libraries: libhtp-0.2.so.1: cannot open shared object file: No such file or directory", the dynamic loader does not search /usr/local/lib, where make install placed the library. Add that path to your ld.so.conf file and refresh the loader cache:

# echo "/usr/local/lib" >> /etc/ld.so.conf
# ldconfig
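Two small checks for the configuration and first-start steps above, as an added example (not from the aldeid page): the first reads HOME_NET back out of a suricata.yaml and refuses the catch-all "any" (with which EXTERNAL_NET, defined as !$HOME_NET, matches nothing), and the second makes the ld.so.conf edit idempotent, since a plain `>>` appends a duplicate line every time the step is re-run. The YAML and ld.so.conf contents are constructed inline; the function names are the example's own.

```sh
#!/bin/sh
# Added example, not part of the original page or of the Suricata project.

# ensure_ld_path FILE DIR: append DIR to an ld.so.conf-style FILE only if it
# is not already listed, then report which case applied.
ensure_ld_path() {
    file=$1; dir=$2
    if grep -qxF "$dir" "$file" 2>/dev/null; then
        echo "already present"
    else
        printf '%s\n' "$dir" >> "$file"
        echo "added"
    fi
}

# check_home_net FILE: print the HOME_NET value from a suricata.yaml, or
# return 1 if it is missing or still the catch-all "any".
check_home_net() {
    val=$(sed -n 's/^[[:space:]]*HOME_NET:[[:space:]]*//p' "$1" | head -n 1 | tr -d '"')
    case "$val" in
        ""|"any"|"[any]") return 1 ;;
    esac
    printf '%s\n' "$val"
}

# --- constructed sample input so the script runs stand-alone ---
tmp=$(mktemp -d)
cat > "$tmp/suricata.yaml" <<'EOF'
vars:
  address-groups:
    HOME_NET: "[192.168.100.0/24]"
    EXTERNAL_NET: !$HOME_NET
EOF
printf 'include /etc/ld.so.conf.d/*.conf\n' > "$tmp/ld.so.conf"

check_home_net "$tmp/suricata.yaml"             # prints [192.168.100.0/24]
ensure_ld_path "$tmp/ld.so.conf" /usr/local/lib  # added
ensure_ld_path "$tmp/ld.so.conf" /usr/local/lib  # already present (no duplicate)
rm -rf "$tmp"
```

Point the functions at /etc/suricata/suricata.yaml and /etc/ld.so.conf (as root) to check a real installation, and run ldconfig afterwards as the page describes.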