Project

General

Profile

Installation of Suricata stable with PF RING (STABLE) on Ubuntu server 12.04

This guide is based on using Ubuntu Server LTS 12.04 Precise Pangolin

Linux ubuntu64LTS 3.2.0-58-generic x86_64 GNU/Linux


Pre installation requirements

Before you can build Suricata for your system, run the following command to ensure that you have everything you need for the installation.

sudo apt-get -y install libpcre3 libpcre3-dbg libpcre3-dev \
build-essential autoconf automake libtool libpcap-dev libnet1-dev \
libyaml-0-2 libyaml-dev zlib1g zlib1g-dev libcap-ng-dev libcap-ng0 \
make libmagic-dev

If you have pf_ring already installed, you might want to do:

sudo rmmod pf_ring

before continuing with the installation below.

If this is the first time you are installing pf_ring:

apt-get install build-essential bison flex linux-headers-$(uname -r)

Go to your preferred download directory and get the latest stable PF_RING (5.6.2 at the time of this writing)
NOT as root:

wget http://sourceforge.net/projects/ntop/files/PF_RING/PF_RING-5.6.2.tar.gz

Compile and install

Next, enter the following commands for configuration and installation
NOT as root:

tar -zxf PF_RING-5.6.2.tar.gz
cd PF_RING-5.6.2/
make

elevate as root

sudo -i
cd kernel; make install
cd ../userland/lib; make install

then:

sudo modprobe pf_ring

To check if you have everything you need, enter:

modinfo pf_ring && cat /proc/net/pf_ring/info

Suricata

The example below is using suricata-2.0rc1 release.
To download and build Suricata, enter the following:

wget http://www.openinfosecfoundation.org/download/suricata-2.0rc1.tar.gz
tar -xvzf suricata-2.0rc1.tar.gz
cd suricata-2.0rc1

Compile and install the engine

./configure --prefix=/usr --sysconfdir=/etc --localstatedir=/var \
--enable-pfring --with-libpfring-includes=/usr/local/pfring/include \
--with-libpfring-libraries=/usr/local/pfring/lib --with-libpcap-includes=/usr/local/pfring/include \
--with-libpcap-libraries=/usr/local/pfring/lib

In case if you get an error during the configure stage (you might experience that with pfring 5.6.2 and above):

checking for pfring_open in -lpfring... no

   ERROR! --enable-pfring was passed but the library was not found or version is >4, go get it
   from http://www.ntop.org/PF_RING.html

Configure like this instead:

LIBS=-lrt ./configure --prefix=/usr --sysconfdir=/etc --localstatedir=/var \
--enable-pfring --with-libpfring-includes=/usr/local/pfring/include \
--with-libpfring-libraries=/usr/local/pfring/lib --with-libpcap-includes=/usr/local/pfring/include \
--with-libpcap-libraries=/usr/local/pfring/lib

Then:

make
sudo make install
sudo ldconfig

Auto setup

You can also use the available auto setup features of Suricata:

ex:

./configure && make && make install-conf

make install-conf
would do the regular "make install" and then it would automatically create/setup all the necessary directories and suricata.yaml for you.

./configure && make && make install-rules

make install-rules
would do the regular "make install" and then it would automatically download and set up the latest ruleset from Emerging Threats available for Suricata

./configure && make && make install-full

make install-full
would combine everything mentioned above (install-conf and install-rules) - and will present you with a ready to run (configured and set up) Suricata

You can always check if PF_RING is build in properly, by entering:

LD_LIBRARY_PATH=/usr/local/pfring/lib suricata --build-info

To get rid of LD_LIBRARY_PATH you can create a pfring.conf file in /etc/ld.so.conf.d/ containing

/usr/local/pfring/lib

and run

sudo ldconfig

To run Suricata with PF_RING, enter:

suricata --pfring-int=eth0 --pfring-cluster-id=99 --pfring-cluster-type=cluster_flow -c /etc/suricata/suricata.yaml

Continue with the Basic Setup.

Thanks to Peter Manev