Installation of Suricata stable with PF_RING (STABLE) on Ubuntu server 12.04
This guide is based on using Ubuntu Server LTS 12.04 Precise Pangolin
Linux ubuntu64LTS 3.2.0-58-generic x86_64 GNU/Linux
Pre-installation requirements
Before you can build Suricata for your system, run the following command to ensure that you have everything you need for the installation:
sudo apt-get -y install libpcre3 libpcre3-dbg libpcre3-dev \
build-essential autoconf automake libtool libpcap-dev libnet1-dev \
libyaml-0-2 libyaml-dev zlib1g zlib1g-dev libcap-ng-dev libcap-ng0 \
make libmagic-dev
If you have pf_ring already installed, you might want to do:
sudo rmmod pf_ring
before continuing with the installation below.
If this is the first time you are installing pf_ring, install the kernel build dependencies first:
sudo apt-get install build-essential bison flex linux-headers-$(uname -r)
Go to your preferred download directory and get the latest stable PF_RING (5.6.2 at the time of this writing),
NOT as root:
wget http://sourceforge.net/projects/ntop/files/PF_RING/PF_RING-5.6.2.tar.gz
Compile and install
Next, enter the following commands to configure and install PF_RING,
NOT as root:
tar -zxf PF_RING-5.6.2.tar.gz
cd PF_RING-5.6.2/
make
Then elevate to root:
sudo -i
cd kernel; make install
cd ../userland/lib; make install
Then load the kernel module:
sudo modprobe pf_ring
To check that the module is loaded and that you have everything you need, enter:
modinfo pf_ring && cat /proc/net/pf_ring/info
Suricata
The example below uses the suricata-2.0rc1 release.
To download and unpack Suricata, enter the following:
wget http://www.openinfosecfoundation.org/download/suricata-2.0rc1.tar.gz
tar -xvzf suricata-2.0rc1.tar.gz
cd suricata-2.0rc1
Configure the engine with PF_RING support:
./configure --prefix=/usr --sysconfdir=/etc --localstatedir=/var \
--enable-pfring --with-libpfring-includes=/usr/local/pfring/include \
--with-libpfring-libraries=/usr/local/pfring/lib --with-libpcap-includes=/usr/local/pfring/include \
--with-libpcap-libraries=/usr/local/pfring/lib
If you get an error during the configure stage (this can happen with pfring 5.6.2 and above) such as:
checking for pfring_open in -lpfring... no
ERROR! --enable-pfring was passed but the library was not found or version is >4, go get it from http://www.ntop.org/PF_RING.html
configure like this instead, so that the linker picks up librt, which libpfring depends on:
LIBS=-lrt ./configure --prefix=/usr --sysconfdir=/etc --localstatedir=/var \
--enable-pfring --with-libpfring-includes=/usr/local/pfring/include \
--with-libpfring-libraries=/usr/local/pfring/lib --with-libpcap-includes=/usr/local/pfring/include \
--with-libpcap-libraries=/usr/local/pfring/lib
Then compile and install the engine:
make
sudo make install
sudo ldconfig
Auto setup
You can also use the auto setup targets that Suricata's build system provides, for example:
./configure && make && make install-conf
make install-conf
does the regular "make install" and then automatically creates and sets up all the necessary directories and a suricata.yaml for you.
./configure && make && make install-rules
make install-rules
does the regular "make install" and then automatically downloads and sets up the latest Emerging Threats ruleset available for Suricata.
./configure && make && make install-full
make install-full
combines everything mentioned above (install-conf and install-rules) and leaves you with a ready-to-run, configured Suricata.
You can always check whether PF_RING support is built in properly by entering:
LD_LIBRARY_PATH=/usr/local/pfring/lib suricata --build-info
To avoid having to set LD_LIBRARY_PATH every time, you can create a pfring.conf file in /etc/ld.so.conf.d/ containing the line
/usr/local/pfring/lib
and then run
sudo ldconfig
To run Suricata with PF_RING, enter:
suricata --pfring-int=eth0 --pfring-cluster-id=99 --pfring-cluster-type=cluster_flow -c /etc/suricata/suricata.yaml
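The checks above (module loaded, library path registered, PF_RING compiled into the engine) are easy to get partly wrong and only notice when capture silently falls back to libpcap. The script below is an added post-install check, not part of the original guide; the sample `suricata --build-info` and `/proc/net/pf_ring/info` excerpts are constructed, and their exact line formats are an assumption based on the 2.0-era output.

```shell
#!/bin/sh
# Post-install sanity checks for a Suricata build with PF_RING (added example).

# Constructed sample: excerpt of `suricata --build-info` for a PF_RING-enabled build.
SAMPLE_BUILD_INFO='This is Suricata version 2.0rc1 RELEASE
Features: PCAP_SET_BUFF LIBPCAP_VERSION_MAJOR=1 PF_RING AF_PACKET
Suricata Configuration:
  AF_PACKET support:                       yes
  PF_RING support:                         yes'

# Constructed sample: excerpt of /proc/net/pf_ring/info after `modprobe pf_ring`.
SAMPLE_PFRING_INFO='PF_RING Version          : 5.6.2
Total rings              : 0
Ring slots               : 4096'

# Return 0 if the given --build-info text reports PF_RING support as "yes".
build_info_has_pfring() {
    printf '%s\n' "$1" | grep -Eq '^[[:space:]]*PF_RING support:[[:space:]]*yes'
}

# Print the module version from /proc/net/pf_ring/info text; return 1 if absent.
pfring_info_version() {
    printf '%s\n' "$1" | sed -n 's/^PF_RING Version[[:space:]]*: *\([0-9.]*\).*/\1/p' | grep .
}

# Return 0 if a *.conf file in the ld.so.conf.d directory lists the PF_RING
# library path (the pfring.conf step that makes LD_LIBRARY_PATH unnecessary).
ldconf_has_pfring() {
    dir=${1:-/etc/ld.so.conf.d}
    grep -qsxF '/usr/local/pfring/lib' "$dir"/*.conf
}

# Live checks against the running system; run as `sh check_pfring.sh live`.
check_live() {
    ver=$(pfring_info_version "$(cat /proc/net/pf_ring/info 2>/dev/null)") \
        && echo "pf_ring module loaded, version $ver" \
        || echo "pf_ring module NOT loaded (try: sudo modprobe pf_ring)"
    ldconf_has_pfring && echo "ld.so.conf.d lists /usr/local/pfring/lib" \
        || echo "no pfring.conf in ld.so.conf.d; LD_LIBRARY_PATH is still needed"
    info=$(LD_LIBRARY_PATH=/usr/local/pfring/lib suricata --build-info 2>/dev/null) || info=""
    build_info_has_pfring "$info" && echo "suricata built with PF_RING support" \
        || echo "suricata build lacks PF_RING support; re-run ./configure --enable-pfring"
}

if [ "${1:-}" = live ]; then check_live; fi
```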
Continue with the Basic Setup.
Thanks to Peter Manev