Suricata/Installation-and-basic-configuration
Installation
Environment
The following has been tested on a virtual machine (ESX server) hosting a Debian 5 box with a standard LAMP environment, installed with the following packages:
$ sudo apt-get install apache2 php5 mysql-server php5-mysql
The IP address of the machine is 192.168.100.35.
Prerequisites
Install the following packages:
# apt-get install libpcre3 libpcre3-dbg libpcre3-dev \
    build-essential autoconf automake libtool libpcap-dev libnet1-dev \
    libyaml-0-2 libyaml-dev zlib1g zlib1g-dev pkg-config
In addition, you will need a Python interpreter:
# apt-get install python
Also install libcap-ng:
$ cd /data/src/
$ wget http://people.redhat.com/sgrubb/libcap-ng/libcap-ng-0.6.5.tar.gz
$ tar xzvf libcap-ng-0.6.5.tar.gz
$ cd libcap-ng-0.6.5/
$ ./configure
$ make
# make install
If you plan to install Suricata with IPS capabilities instead of IDS, also install:
# apt-get -y install libnetfilter-queue-dev \
    libnetfilter-queue1 libnfnetlink-dev libnfnetlink0
Installation from git
This is the recommended method.
First install dependencies:
# apt-get install git-core libtool automake autoconf
Download the latest available version:
$ mkdir -p /data/src/suricata/
$ cd /data/src/suricata/
$ git clone git://phalanx.openinfosecfoundation.org/oisf.git
$ cd oisf/
Create the log directory for Suricata:
# mkdir /var/log/suricata/
Compile and install it by issuing the following commands (if you plan to install IPS features, please refer to the advanced installation):
$ ./autogen.sh
$ ./configure
$ make
# make install
Copy the configuration files:
# mkdir /etc/suricata/
# cp /data/src/suricata/oisf/{*.config,*.yaml} /etc/suricata/
Installation from tar.gz
Basic installation (single-thread) is straightforward:
$ cd /data/src/
$ wget http://www.openinfosecfoundation.org/download/suricata-1.0.2.tar.gz
$ tar xzvf suricata-1.0.2.tar.gz
$ cd suricata-1.0.2/
$ ./configure
$ sudo mkdir /var/log/suricata/
$ make
$ sudo make install
Copy the configuration files:
# mkdir /etc/suricata/
# cp /data/src/suricata-1.0.2/{*.config,*.yaml} /etc/suricata/
Advanced installation of Suricata & Inline capabilities
NFQueue support
To compile Suricata with inline capabilities, configure, compile and install Suricata as follows:
$ ./configure --enable-nfqueue --enable-ipfw
$ make
# make install
To use Suricata in inline mode, pass -q <queue id> to the command line:
# suricata -c /etc/suricata/suricata.yaml -i eth0 -q 0
Other compilation options
Thank you for your comprehension.
- IPFW support
- PF_RING support
- Prelude support
- CUDA
- DAG
Alternate installation of Suricata
- SecurityOnion: Please refer to this section.
- smooth-sec: ready to-go IDS/IPS live CD with Suricata and Snorby. More information here: http://bailey.st/blog/smooth-sec/
Basic configuration and first start
Configuration
Edit suricata.yaml configuration file:
$ vim /etc/suricata/suricata.yaml
and adapt it to your needs. At a minimum, you will need to define your network:
HOME_NET: "[192.168.100.0/24]"
EXTERNAL_NET: !$HOME_NET
For a complete explanation, please refer to this page.
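Both variables sit under vars: / address-groups: in the stock suricata.yaml, and HOME_NET is a quoted, bracketed, comma-separated list of networks. The shell functions below are an added example, not code from this wiki or from the Suricata project: they check that each entry is a syntactically valid IPv4 CIDR before anything is written, then rewrite the HOME_NET line of a suricata.yaml copy in place while keeping a .bak copy, so a typo in the address list is caught before Suricata is started. The function names and the assumed single-line layout of HOME_NET are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the Suricata wiki): validate and set HOME_NET in
# suricata.yaml from the shell. Assumes the file carries a line of the form
#     HOME_NET: "[...]"
# under vars/address-groups, as the stock suricata.yaml does.
# Usage: set_home_net /etc/suricata/suricata.yaml 192.168.100.0/24

# Return 0 if $1 looks like a.b.c.d/n with octets 0-255 and prefix 0-32
valid_cidr() {
    case "$1" in
        */*) ;;
        *) return 1 ;;
    esac
    ip=${1%/*}
    prefix=${1#*/}
    case "$prefix" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$prefix" -le 32 ] || return 1
    # Split the address on dots and check each octet
    n=0
    oldifs=$IFS; IFS=.
    for octet in $ip; do
        case "$octet" in
            ''|*[!0-9]*) IFS=$oldifs; return 1 ;;
        esac
        [ "$octet" -le 255 ] || { IFS=$oldifs; return 1; }
        n=$((n + 1))
    done
    IFS=$oldifs
    [ "$n" -eq 4 ]
}

# Build the quoted, bracketed list Suricata expects, e.g. "[10.0.0.0/8,192.168.100.0/24]"
build_home_net() {
    list=""
    for cidr in "$@"; do
        valid_cidr "$cidr" || { echo "invalid CIDR: $cidr" >&2; return 1; }
        list="${list:+$list,}$cidr"
    done
    printf '"[%s]"' "$list"
}

# Rewrite the HOME_NET line in $1 (indentation kept), leaving $1.bak behind
set_home_net() {
    yaml="$1"; shift
    value=$(build_home_net "$@") || return 1
    cp "$yaml" "$yaml.bak"
    # '|' as the sed delimiter so the '/' in CIDRs needs no escaping
    sed "s|^\([[:space:]]*HOME_NET:\).*|\1 $value|" "$yaml" > "$yaml.new" \
        && mv "$yaml.new" "$yaml"
}

# Print the current HOME_NET value from $1 (handy for checking the result)
get_home_net() {
    sed -n 's|^[[:space:]]*HOME_NET:[[:space:]]*||p' "$1"
}
```

Because EXTERNAL_NET is defined as !$HOME_NET, only the HOME_NET line needs editing; the functions leave every other line untouched, and the .bak copy makes a mistaken edit easy to revert.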
Setting up rules
Please refer to this section.
First start
Start Suricata with the following options (adapt the interface to your setup):
# suricata -c /etc/suricata/suricata.yaml -i eth0
At this stage, if you get the following error:
suricata: error while loading shared libraries: libhtp-0.2.so.1: cannot open shared object file: No such file or directory
add the following path to your ld.so.conf file and update the linker cache:
# echo "/usr/local/lib" >> /etc/ld.so.conf
# ldconfig
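Appending to ld.so.conf with echo, as above, adds a duplicate line every time the step is repeated. The POSIX shell function below is an added example, not code from this wiki: it adds the library directory only when it is not already listed, so the fix can be rerun safely as part of an install script. The function names are this example's own; run ldconfig afterwards as in the usage comment.

```shell
#!/bin/sh
# Added example (not from the Suricata wiki): add a library directory to an
# ld.so.conf file only if it is not already listed, so repeated runs of the
# install procedure do not keep appending duplicate lines.
# Usage: ensure_ld_path /etc/ld.so.conf /usr/local/lib && ldconfig

ensure_ld_path() {
    conf="$1"
    dir="$2"
    # Create the file if it does not exist yet
    [ -f "$conf" ] || : > "$conf"
    # -x matches the whole line, -F treats the path literally, -q is silent
    if grep -qxF "$dir" "$conf"; then
        return 0            # already present: nothing to do
    fi
    printf '%s\n' "$dir" >> "$conf"
}

# Count how many times a directory is listed in the file (0 if absent)
count_ld_path() {
    grep -cxF "$2" "$1" || true
}
```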