Installation from Git with PF_RING on Ubuntu Server LTS

This guide is based on using Ubuntu Server 14.04.2 LTS (Trusty Tahr)

Kernel - Linux LTS-64-1 3.13.0-45-generic


Pre installation requirements

Install the following packages, to make sure you have everything needed for the installation:

sudo apt-get -y install libpcre3 libpcre3-dbg libpcre3-dev \
build-essential autoconf automake libtool libpcap-dev libnet1-dev \
libyaml-0-2 libyaml-dev zlib1g zlib1g-dev libcap-ng-dev libcap-ng0 \
make flex bison git subversion libmagic-dev pkg-config libnuma-dev

If you have pf_ring already installed, you might want to do:

sudo rmmod pf_ring

before continuing with the installation below.

Go to your download directory and get the latest PF_RING:

git clone https://github.com/ntop/PF_RING.git

Compile and install

Next, enter the following commands for configuration and installation (NOT as root):

cd PF_RING/kernel/
make && sudo make install
cd ../userland/lib
./configure --prefix=/usr/local/pfring && make && sudo make install
cd ../libpcap
./configure --prefix=/usr/local/pfring && make && sudo make install
cd ../tcpdump
./configure --prefix=/usr/local/pfring && make && sudo make install
sudo ldconfig

Then:

sudo modprobe pf_ring

To check if you have everything you need, enter:

modinfo pf_ring && cat /proc/net/pf_ring/info

Suricata

Go to your download directory of choice, and enter:

git clone git://phalanx.openinfosecfoundation.org/oisf.git
cd oisf
git clone https://github.com/OISF/libhtp.git -b 0.5.x
./autogen.sh
./configure --enable-pfring --with-libpfring-includes=/usr/local/pfring/include \
--with-libpfring-libraries=/usr/local/pfring/lib

If you get the following error during the configure stage (you might experience that with PF_RING 5.6.2 and above):

checking for pfring_open in -lpfring... no

   ERROR! --enable-pfring was passed but the library was not found or version is >4, go get it
   from http://www.ntop.org/PF_RING.html

Configure like this instead:

LIBS="-lrt -lnuma" ./configure --enable-pfring --with-libpfring-includes=/usr/local/pfring/include \
--with-libpfring-libraries=/usr/local/pfring/lib

Then:

make
sudo make install
sudo ldconfig

You can always check whether PF_RING is built in properly by entering:

LD_LIBRARY_PATH=/usr/local/pfring/lib suricata --build-info

To get rid of LD_LIBRARY_PATH, you can create a pfring.conf file in /etc/ld.so.conf.d/ containing the line

/usr/local/pfring/lib

and run

sudo ldconfig

To run Suricata with PF_RING, enter:

LD_LIBRARY_PATH=/usr/local/pfring/lib suricata --pfring-int=eth0 --pfring-cluster-id=99 --pfring-cluster-type=cluster_flow -c /etc/suricata/suricata.yaml
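The checks used in this guide (module loaded, /proc entry present, PF_RING in the build info, library path known to the linker), gathered into one script. This is an added example, not part of the original guide; the function names are made up for illustration.

```sh
#!/bin/sh
# Added example: post-install checks for the PF_RING and Suricata steps above.
# Helpers read from an argument or stdin so they can be run on saved output.

# True if pf_ring appears in a /proc/modules-style file (default: /proc/modules).
module_loaded() {
    grep -q '^pf_ring ' "${1:-/proc/modules}"
}

# True if `suricata --build-info` text on stdin reports PF_RING support.
build_has_pfring() {
    grep -Eq '^[[:space:]]*PF_RING support:[[:space:]]*yes[[:space:]]*$'
}

# True if a *.conf file in directory $1 lists library path $2 on its own line.
ldconf_has_path() {
    for f in "$1"/*.conf; do
        [ -f "$f" ] || continue
        if sed 's/#.*//; s/[[:space:]]*$//' "$f" | grep -Fxq "$2"; then
            return 0
        fi
    done
    return 1
}

# Runs suricata with the PF_RING library path used in this guide.
suricata_has_pfring() {
    LD_LIBRARY_PATH=/usr/local/pfring/lib suricata --build-info 2>/dev/null |
        build_has_pfring
}

# check DESCRIPTION COMMAND...: prints ok/FAIL and counts failures in $fails.
check() {
    desc=$1; shift
    if "$@"; then echo "ok   $desc"; else echo "FAIL $desc"; fails=$((fails + 1)); fi
}

# Live check on the installed system; returns the number of failed checks.
pfring_postcheck() {
    fails=0
    check "pf_ring kernel module loaded" module_loaded
    check "/proc/net/pf_ring/info readable" test -r /proc/net/pf_ring/info
    check "suricata built with PF_RING support" suricata_has_pfring
    check "/usr/local/pfring/lib in /etc/ld.so.conf.d" \
        ldconf_has_path /etc/ld.so.conf.d /usr/local/pfring/lib
    return "$fails"
}
```

Source the file and run pfring_postcheck. The last check only matters if you want to run Suricata without setting LD_LIBRARY_PATH.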

Continue with the Basic Setup.

Thanks to Peter Manev