Installation of Suricata stable with PF RING (STABLE) on Ubuntu server 12.04

This guide is based on using Ubuntu Server LTS 12.04 Precise Pangolin

Linux ubuntu64LTS 3.2.0-58-generic x86_64 GNU/Linux


Pre installation requirements

Before you can build Suricata for your system, run the following command to ensure that you have everything you need for the installation.

sudo apt-get -y install libpcre3 libpcre3-dbg libpcre3-dev \
build-essential autoconf automake libtool libpcap-dev libnet1-dev \
libyaml-0-2 libyaml-dev zlib1g zlib1g-dev libcap-ng-dev libcap-ng0 \
make libmagic-dev libnuma-dev

If an older pf_ring kernel module is already loaded, unload it first so that the module you build below is the one that gets loaded:

sudo rmmod pf_ring

If this is the first time you are installing pf_ring, install the build tools and the headers for the running kernel. The module is compiled against these headers, so they must match the output of uname -r:

sudo apt-get install build-essential bison flex linux-headers-$(uname -r)

Go to your preferred download directory and get the latest stable PF_RING (6.0.3 at the time of this writing),
NOT as root:

wget http://sourceforge.net/projects/ntop/files/PF_RING/PF_RING-6.0.3.tar.gz

Compile and install

Next, enter the following commands for configuration and installation
NOT as root:

tar -zxf PF_RING-6.0.3.tar.gz
cd PF_RING-6.0.3/
make

Install the kernel module and the userland library as root. Do not use sudo -i followed by a relative cd: a login shell starts in /root, so "cd kernel" would fail there. Run the two installs from the PF_RING-6.0.3 directory instead:

sudo make -C kernel install
sudo make -C userland/lib install

Then load the module:

sudo modprobe pf_ring

To check that the module is installed and registered, and that it was built for the running kernel (the vermagic line must show the same release as uname -r), enter:

modinfo pf_ring && cat /proc/net/pf_ring/info

root@suricata:~# modinfo pf_ring && cat /proc/net/pf_ring/info
filename:       /lib/modules/3.2.0-58-generic/kernel/net/pf_ring/pf_ring.ko
alias:          net-pf-27
description:    Packet capture acceleration and analysis
author:         Luca Deri <deri@ntop.org>
license:        GPL
srcversion:     69FF0F125F449EBD27ED96F
depends:
vermagic:       3.2.0-58-generic SMP mod_unload modversions
parm:           min_num_slots:Min number of ring slots (uint)
parm:           perfect_rules_hash_size:Perfect rules hash size (uint)
parm:           transparent_mode:0=standard Linux, 1=direct2pfring+transparent, 2=direct2pfring+non transparentFor 1 and 2 you need to use a PF_RING aware driver (uint)
parm:           enable_debug:Set to 1 to enable PF_RING debug tracing into the syslog (uint)
parm:           enable_tx_capture:Set to 1 to capture outgoing packets (uint)
parm:           enable_frag_coherence:Set to 1 to handle fragments (flow coherence) in clusters (uint)
parm:           enable_ip_defrag:Set to 1 to enable IP defragmentation(only rx traffic is defragmentead) (uint)
parm:           quick_mode:Set to 1 to run at full speed but with upto one socket per interface (uint)
PF_RING Version          : 6.0.3 ($Revision: exported$)
Total rings              : 16

Standard (non DNA) Options
Ring slots               : 4096
Slot version             : 15
Capture TX               : Yes [RX+TX]
IP Defragment            : No
Socket Mode              : Standard
Transparent mode         : Yes [mode 0]
Total plugins            : 0
Cluster Fragment Queue   : 31537
Cluster Fragment Discard : 2161203
root@suricata:~#

Suricata

The example below uses the suricata-2.0.8 release.
To download and unpack Suricata, enter the following:

wget http://www.openinfosecfoundation.org/download/suricata-2.0.8.tar.gz
tar -xvzf suricata-2.0.8.tar.gz
cd suricata-2.0.8

Compile and install the engine. The two --with-libpfring-* options must point at the directories where the PF_RING userland "make install" placed pfring.h and libpfring; if configure reports that it cannot find them, check which install prefix your PF_RING version used and adjust both paths.

./configure --prefix=/usr --sysconfdir=/etc --localstatedir=/var \
--enable-pfring --with-libpfring-includes=/usr/local/pfring/include \
--with-libpfring-libraries=/usr/local/pfring/lib

If you get an error like the following during the configure stage (you might experience that with pfring 5.6.2 and above):

checking for pfring_open in -lpfring... no

   ERROR! --enable-pfring was passed but the library was not found or version is >4, go get it
   from http://www.ntop.org/PF_RING.html

In that case libpfring needs librt and libnuma on the link line for configure's link test to succeed. Configure like this instead:

LIBS="-lrt -lnuma" ./configure --prefix=/usr --sysconfdir=/etc --localstatedir=/var \
--enable-pfring --with-libpfring-includes=/usr/local/pfring/include \
--with-libpfring-libraries=/usr/local/pfring/lib

Then:

make
sudo make install
sudo ldconfig

Auto setup

You can also use Suricata's auto setup make targets. Pass the same ./configure options as above (including --enable-pfring and the two PF_RING paths), otherwise PF_RING support will not be compiled in, and run the install targets with sudo:

ex:

./configure && make && sudo make install-conf

make install-conf
does the regular "make install" and then creates and sets up all the necessary directories and suricata.yaml for you.

./configure && make && sudo make install-rules

make install-rules
does the regular "make install" and then downloads and sets up the latest Emerging Threats ruleset available for Suricata.

./configure && make && sudo make install-full

make install-full
combines everything mentioned above (install-conf and install-rules) and leaves you with a ready to run (configured and set up) Suricata.

You can always check whether PF_RING support was built in properly by entering:

suricata --build-info

you should see:

...
Suricata Configuration:
  AF_PACKET support:                       yes
  PF_RING support:                         yes
...

To run Suricata with PF_RING on eth0, with PF_RING balancing packets per flow within cluster 99, enter:

suricata --pfring-int=eth0 --pfring-cluster-id=99 --pfring-cluster-type=cluster_flow -c /etc/suricata/suricata.yaml
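As an added example (not code from this page or from the Suricata or PF_RING projects), the following script ties the checks in this guide together before launching Suricata: it confirms that the pf_ring module is loaded and that its vermagic matches the running kernel (the usual cause of a module that builds but does not load after a kernel update), that /proc/net/pf_ring/info exists, that suricata --build-info reports PF_RING support, and that the capture interface exists, then starts Suricata with the command above. The parsers take text as arguments so they can be exercised on the constructed sample output embedded in the script; the file name pfring-start.sh, the "start" subcommand and the sample output are assumptions.

```shell
#!/bin/sh
# Pre-flight checks for Suricata in PF_RING mode, then launch.
# Added example for this page; not part of Suricata or PF_RING.
# Assumptions: pf_ring loaded via modprobe, suricata in $PATH, config at
# /etc/suricata/suricata.yaml, defaults taken from the command on this page.

# Kernel release a module was built for, from the "vermagic:" line of
# `modinfo` output passed in as text. Prints e.g. 3.2.0-58-generic.
vermagic_kernel() {
    printf '%s\n' "$1" | awk '$1 == "vermagic:" { print $2; exit }'
}

# 0 if the module's vermagic kernel equals the running kernel release ($2).
# A mismatch means pf_ring.ko was built against the wrong linux-headers.
module_matches_kernel() {
    built="$(vermagic_kernel "$1")"
    [ -n "$built" ] && [ "$built" = "$2" ]
}

# PF_RING version from /proc/net/pf_ring/info text, e.g. 6.0.3.
pfring_version() {
    printf '%s\n' "$1" | sed -n 's/^PF_RING Version *: *\([^ ]*\).*/\1/p'
}

# 0 if `suricata --build-info` text says PF_RING support was compiled in.
build_info_has_pfring() {
    printf '%s\n' "$1" | grep -Eq '^[[:space:]]*PF_RING support:[[:space:]]+yes[[:space:]]*$'
}

# Constructed sample output (not captured from a real host) for self_check.
SAMPLE_MODINFO='filename:       /lib/modules/3.2.0-58-generic/kernel/net/pf_ring/pf_ring.ko
vermagic:       3.2.0-58-generic SMP mod_unload modversions'
SAMPLE_INFO='PF_RING Version          : 6.0.3 ($Revision: exported$)
Total rings              : 16'
SAMPLE_BUILD_INFO='Suricata Configuration:
  AF_PACKET support:                       yes
  PF_RING support:                         yes'

# Run the parsers against the samples; returns 0 when all behave as expected.
self_check() {
    module_matches_kernel "$SAMPLE_MODINFO" 3.2.0-58-generic &&
    ! module_matches_kernel "$SAMPLE_MODINFO" 3.2.0-60-generic &&
    [ "$(pfring_version "$SAMPLE_INFO")" = 6.0.3 ] &&
    build_info_has_pfring "$SAMPLE_BUILD_INFO" &&
    ! build_info_has_pfring "$(printf '%s\n' "$SAMPLE_BUILD_INFO" | sed 's/yes$/no/')"
}

# Live checks on this host; each failure names the step on this page to redo.
preflight() {
    running="$(uname -r)"
    lsmod | grep -q '^pf_ring ' ||
        { echo "pf_ring not loaded: sudo modprobe pf_ring" >&2; return 1; }
    module_matches_kernel "$(modinfo pf_ring)" "$running" ||
        { echo "pf_ring.ko not built for $running: install linux-headers-$running and rebuild PF_RING" >&2; return 1; }
    [ -r /proc/net/pf_ring/info ] ||
        { echo "/proc/net/pf_ring/info missing: module loaded but did not register" >&2; return 1; }
    echo "PF_RING $(pfring_version "$(cat /proc/net/pf_ring/info)") is loaded"
    build_info_has_pfring "$(suricata --build-info 2>/dev/null)" ||
        { echo "suricata built without PF_RING: re-run ./configure --enable-pfring ..." >&2; return 1; }
    ip link show "$1" >/dev/null 2>&1 ||
        { echo "interface $1 not found" >&2; return 1; }
}

# Usage: sh pfring-start.sh start [iface] [cluster-id] [cluster-type]
main() {
    iface="${1:-eth0}"; cluster_id="${2:-99}"; cluster_type="${3:-cluster_flow}"
    preflight "$iface" || exit 1
    exec suricata --pfring-int="$iface" --pfring-cluster-id="$cluster_id" \
        --pfring-cluster-type="$cluster_type" -c /etc/suricata/suricata.yaml
}

# Only touch the live system when explicitly asked; sourcing the file runs nothing.
if [ "${1:-}" = start ]; then
    shift
    main "$@"
fi
```

Run it as "sh pfring-start.sh start eth0 99 cluster_flow"; the defaults match the command above, so "sh pfring-start.sh start" is equivalent. The three --pfring-* flags override the interface, cluster-id and cluster-type keys under the pfring: section of suricata.yaml, so once the checks pass the same settings can be kept in the config file and the flags dropped.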

Continue with the Basic Setup.

Peter Manev