
CentOS 6.4 Installation (with unix socket, geoip, profiling and MD5 features)

This is a guide for installing Suricata from git (latest master) on CentOS 6.4, 64-bit, with the unix socket, GeoIP, profiling and MD5 (file checksum) features compiled in.

The server OS and kernel level used for this guide is:

[root@localhost PTP]# uname -a
Linux localhost.localdomain 2.6.32-358.2.1.el6.x86_64 #1 SMP Wed Mar 13 00:26:49 UTC 2013 x86_64 x86_64 x86_64 GNU/Linux
[root@localhost PTP]# cat /etc/redhat-release 
CentOS release 6.4 (Final)

General packages needed.

Add a repo for some packages that we need:

rpm -Uvh http://dl.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm

Install the packages:

yum -y install libpcap libpcap-devel libnet libnet-devel pcre pcre-devel gcc gcc-c++ automake autoconf libtool make libyaml libyaml-devel zlib zlib-devel file-devel

To fetch the latest source from git:

yum install wget git-core

We also need libcap-ng (Suricata uses it to drop root privileges after start-up when run with --user/--group):

wget http://people.redhat.com/sgrubb/libcap-ng/libcap-ng-0.7.3.tar.gz
tar -zxf libcap-ng-0.7.3.tar.gz 
cd libcap-ng-0.7.3
./configure && make clean && make && make install

For MD5 functionality (file checksums, provided through libnss):

yum install nss-util nss-util-devel nss-devel nspr-devel nspr

For the GeoIP functionality:

yum install GeoIP-devel GeoIP

For the unix socket functionality (see also the usage guide: Interacting via Unix Socket). The socket needs libjansson for JSON and a few python packages for the suricatasc client:

yum install python-simplejson python-setuptools python-instant python-distutils-extra
wget http://www.digip.org/jansson/releases/jansson-2.4.tar.gz
tar -zxf jansson-2.4.tar.gz
cd jansson-2.4/
./configure --prefix=/usr/ && make clean && make && make install

CentOS 6.4 comes with python 2.6.6:

[root@localhost ~]# rpm -qa python
python-2.6.6-36.el6.x86_64
[root@localhost ~]#

This has the following drawback when you run suricatasc (argparse only became part of the standard library in python 2.7):

[root@localhost ~]# suricatasc 
Traceback (most recent call last):
  File "/usr/bin/suricatasc", line 18, in <module>
    import argparse
ImportError: No module named argparse
[root@localhost ~]#

To solve this, download argparse from https://pypi.python.org/pypi/argparse and install it:

tar -zxf argparse-1.2.1.tar.gz 
cd argparse-1.2.1
python setup.py install
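What suricatasc actually does over that unix socket is a small JSON protocol: the client sends {"version": "0.1"}, Suricata answers {"return": "OK"}, and from then on every {"command": ..., "arguments": {...}} gets a {"return": "OK"|"NOK", "message": ...} reply. The following is an added example, not code from the Suricata project or from this page: a minimal client for that 0.1 protocol, exercised against a constructed in-process stand-in for the Suricata side (the uptime value 42 and the pcap-file reply text are invented by that stand-in) so it can be run without a Suricata instance. The socket path under /var/run/suricata is an assumption; use whatever unix-command.filename is set to in suricata.yaml.

```python
import json
import os
import socket
import tempfile
import threading

PROTOCOL_VERSION = "0.1"
# Assumed default location; check unix-command.filename in suricata.yaml.
DEFAULT_SOCKET = "/var/run/suricata/suricata-command.socket"


class SuricataSocketError(Exception):
    pass


def _recv_json(sock, bufsize=4096):
    """The 0.1 protocol sends bare JSON objects with no length prefix, so
    keep reading until the buffer parses as one complete object."""
    data = b""
    while True:
        chunk = sock.recv(bufsize)
        if not chunk:
            raise SuricataSocketError("connection closed by peer")
        data += chunk
        try:
            return json.loads(data.decode("utf-8"))
        except ValueError:
            continue  # object still incomplete, read more


class SuricataClient(object):
    """Client side of the suricatasc 0.1 handshake and command exchange."""

    def __init__(self, path=DEFAULT_SOCKET):
        self.sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        self.sock.connect(path)
        # Version negotiation must happen before any command is accepted.
        self.sock.sendall(json.dumps({"version": PROTOCOL_VERSION}).encode("utf-8"))
        reply = _recv_json(self.sock)
        if reply.get("return") != "OK":
            raise SuricataSocketError("version handshake rejected: %r" % (reply,))

    def command(self, name, arguments=None):
        msg = {"command": name}
        if arguments:
            msg["arguments"] = arguments
        self.sock.sendall(json.dumps(msg).encode("utf-8"))
        reply = _recv_json(self.sock)
        if reply.get("return") != "OK":
            raise SuricataSocketError("%s failed: %s" % (name, reply.get("message")))
        return reply.get("message")

    def close(self):
        self.sock.close()


def fake_suricata_server(path, ready, handled):
    """Constructed stand-in for Suricata's socket thread (NOT Suricata's code):
    enforces the version handshake and answers two commands."""
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    srv.bind(path)
    srv.listen(1)
    ready.set()
    conn, _ = srv.accept()
    hello = _recv_json(conn)
    if hello.get("version") != PROTOCOL_VERSION:
        conn.sendall(json.dumps({"return": "NOK", "message": "unsupported version"}).encode("utf-8"))
        conn.close()
        srv.close()
        return
    conn.sendall(json.dumps({"return": "OK"}).encode("utf-8"))
    while True:
        try:
            req = _recv_json(conn)
        except SuricataSocketError:
            break  # client hung up
        cmd = req.get("command")
        if cmd == "uptime":
            resp = {"return": "OK", "message": 42}  # invented value
        elif cmd == "pcap-file":
            args = req.get("arguments", {})
            if "filename" in args and "output-dir" in args:
                handled.append(args["filename"])
                resp = {"return": "OK", "message": "pcap " + args["filename"] + " added"}
            else:
                resp = {"return": "NOK", "message": "missing filename or output-dir"}
        else:
            resp = {"return": "NOK", "message": "Unknown command"}
        conn.sendall(json.dumps(resp).encode("utf-8"))
    conn.close()
    srv.close()


def demo():
    """Run the full exchange against the stand-in and return what the client saw."""
    tmpdir = tempfile.mkdtemp()
    path = os.path.join(tmpdir, "suricata-command.socket")
    ready, handled = threading.Event(), []
    t = threading.Thread(target=fake_suricata_server, args=(path, ready, handled))
    t.daemon = True
    t.start()
    ready.wait(5)
    client = SuricataClient(path)
    uptime = client.command("uptime")
    queued = client.command("pcap-file", {"filename": "/tmp/test.pcap", "output-dir": "/tmp/out"})
    try:  # deliberately malformed: no output-dir, so the server answers NOK
        client.command("pcap-file", {"filename": "/tmp/test.pcap"})
        error = None
    except SuricataSocketError as exc:
        error = str(exc)
    client.close()
    t.join(5)
    os.unlink(path)
    os.rmdir(tmpdir)
    return {"uptime": uptime, "queued": queued, "error": error, "handled": handled}


if __name__ == "__main__":
    print(demo())
```

Against a real sensor, SuricataClient(DEFAULT_SOCKET).command("uptime") is the equivalent of running suricatasc and typing uptime; the stand-in exists only so the exchange can be seen end to end without root and without a running Suricata.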

Configure, compile and install.

We get the latest Suricata:

git clone git://phalanx.openinfosecfoundation.org/oisf.git && cd oisf/
git clone https://github.com/OISF/libhtp.git -b 0.5.x

Then we configure, compile and install:

./autogen.sh && \
./configure --prefix=/usr/ --sysconfdir=/etc/ --localstatedir=/var/  \
--enable-unix-socket --enable-profiling --enable-geoip \
--with-libnss-libraries=/usr/lib64 --with-libnss-includes=/usr/include/nss3 \
--with-libnspr-libraries=/usr/lib64 --with-libnspr-includes=/usr/include/nspr4  \
&& make clean && make && make install && ldconfig

NOTE:
If this is your first installation on that particular server, you might want to consider "make install-full" instead of "make install" (it also installs the default suricata.yaml and the Emerging Threats rule set).
Please read Basic Setup.
Keep in mind that --enable-profiling has a performance cost at run time; it is meant for tuning and development, not for a production sensor.

Now you have installed Suricata with the following features enabled: unix socket, GeoIP, MD5 and profiling. Verify this with --build-info, which must show HAVE_NSS, HAVE_LIBJANSSON and PROFILING in the Features line and "yes" for the corresponding entries in the configuration table:

NOTE: version 2.0dev (rev 40a5ce8) - at the moment of this writing

[root@localhost oisf]# suricata --build-info
This is Suricata version 2.0dev (rev 40a5ce8)
Features: PCAP_SET_BUFF LIBPCAP_VERSION_MAJOR=1 AF_PACKET HAVE_PACKET_FANOUT LIBCAP_NG LIBNET1.1 HAVE_HTP_URI_NORMALIZE_HOOK HAVE_HTP_TX_GET_RESPONSE_HEADERS_RAW HAVE_NSS HAVE_LIBJANSSON PROFILING 
64-bits, Little-endian architecture
GCC version 4.4.7 20120313 (Red Hat 4.4.7-3), C version 199901
  __GCC_HAVE_SYNC_COMPARE_AND_SWAP_1
  __GCC_HAVE_SYNC_COMPARE_AND_SWAP_2
  __GCC_HAVE_SYNC_COMPARE_AND_SWAP_4
  __GCC_HAVE_SYNC_COMPARE_AND_SWAP_8
  __GCC_HAVE_SYNC_COMPARE_AND_SWAP_16
compiled with libhtp 0.2.12, linked against 0.2.12
Suricata Configuration:
  AF_PACKET support:                       yes
  PF_RING support:                         no
  NFQueue support:                         no
  IPFW support:                            no
  DAG enabled:                             no
  Napatech enabled:                        no
  Unix socket enabled:                     yes

  libnss support:                          yes
  libnspr support:                         yes
  libjansson support:                      yes
  Prelude support:                         no
  PCRE jit:                                no
  libluajit:                               no
  libgeoip:                                yes
  Non-bundled htp:                         no
  Old barnyard2 support:                   no
  CUDA enabled:                            no

  Suricatasc install:                      yes

  Unit tests enabled:                      no
  Debug output enabled:                    no
  Debug validation enabled:                no
  Profiling enabled:                       yes
  Profiling locks enabled:                 no

Generic build parameters:
  Installation prefix (--prefix):          /usr
  Configuration directory (--sysconfdir):  /etc/suricata/
  Log directory (--localstatedir) :        /var/log/suricata/

  Host:                                    x86_64-unknown-linux-gnu
  GCC binary:                              gcc
  GCC Protect enabled:                     no
  GCC march native enabled:                yes
  GCC Profile enabled:                     no
[root@localhost oisf]#


[root@localhost oisf]# which suricata
/usr/bin/suricata
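Checking that output by eye is error-prone, and a build that silently lost libnss or libjansson (for example because a -devel package was missing at configure time) will only show up later as a missing keyword or a dead socket. The following is an added example, not part of this page or of the Suricata project: a parser for the --build-info format shown above, plus a check of the features this guide is meant to produce. The sample text is a constructed, trimmed copy of the output above; the run_build_info() helper that calls the real binary is an assumption about the command line only (suricata --build-info is the command used on this page).

```python
import subprocess

# Tokens expected in the "Features:" line for this guide's build.
REQUIRED_FEATURE_TOKENS = ("HAVE_NSS", "HAVE_LIBJANSSON", "PROFILING", "LIBCAP_NG")
# Entries expected in the "Suricata Configuration:" table.
REQUIRED_CONFIG = {
    "Unix socket enabled": "yes",
    "libnss support": "yes",
    "libjansson support": "yes",
    "libgeoip": "yes",
    "Profiling enabled": "yes",
    "Suricatasc install": "yes",
}


def parse_build_info(text):
    """Split --build-info output into the Features token set and the
    'key: value' table. Lines such as '__GCC_HAVE_SYNC_...' and headings
    with an empty value ('Suricata Configuration:') are skipped."""
    features = set()
    config = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Features:"):
            features.update(line[len("Features:"):].split())
        elif ":" in line and not line.startswith("__"):
            key, _, value = line.partition(":")
            value = value.strip()
            if value:
                config[key.strip()] = value
    return features, config


def missing_features(text, required_tokens=REQUIRED_FEATURE_TOKENS, required_config=REQUIRED_CONFIG):
    """Return a sorted list describing every requirement the build does not meet;
    an empty list means the build matches this guide."""
    features, config = parse_build_info(text)
    missing = sorted(t for t in required_tokens if t not in features)
    for key in sorted(required_config):
        want, got = required_config[key], config.get(key)
        if got != want:
            missing.append("%s=%s (wanted %s)" % (key, got, want))
    return missing


def run_build_info(binary="suricata"):
    """Run the installed binary and check it (assumes 'suricata --build-info')."""
    out = subprocess.check_output([binary, "--build-info"]).decode("utf-8", "replace")
    return missing_features(out)


# Constructed sample, trimmed from the output on this page.
SAMPLE_OK = """\
This is Suricata version 2.0dev (rev 40a5ce8)
Features: PCAP_SET_BUFF LIBPCAP_VERSION_MAJOR=1 AF_PACKET HAVE_PACKET_FANOUT LIBCAP_NG LIBNET1.1 HAVE_NSS HAVE_LIBJANSSON PROFILING
64-bits, Little-endian architecture
  __GCC_HAVE_SYNC_COMPARE_AND_SWAP_8
Suricata Configuration:
  AF_PACKET support:                       yes
  Unix socket enabled:                     yes
  libnss support:                          yes
  libnspr support:                         yes
  libjansson support:                      yes
  libgeoip:                                yes
  Suricatasc install:                      yes
  Profiling enabled:                       yes
  Log directory (--localstatedir) :        /var/log/suricata/
"""

# Constructed sample of a build configured without --enable-profiling and
# without the nss -devel packages present.
SAMPLE_BAD = SAMPLE_OK.replace(" HAVE_NSS", "").replace(" PROFILING", "") \
    .replace("libnss support:                          yes", "libnss support:                          no") \
    .replace("Profiling enabled:                       yes", "Profiling enabled:                       no")


if __name__ == "__main__":
    print("good build missing:", missing_features(SAMPLE_OK))
    print("bad build missing:", missing_features(SAMPLE_BAD))
```

Run it as a post-install check (run_build_info() on the sensor); any entry in the returned list points at the configure flag or -devel package that needs revisiting before moving on to the Basic Setup.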


Peter Manev