Installation of Suricata stable with PF RING (STABLE) on Ubuntu server 12.04¶
This guide is based on using Ubuntu Server LTS 12.04 Precise Pangolin
Linux ubuntu64LTS 3.2.0-58-generic x86_64 GNU/Linux
Pre installation requirements¶
Before you can build Suricata for your system, run the following command to ensure that you have everything you need for the installation.
sudo apt-get -y install libpcre3 libpcre3-dbg libpcre3-dev \ build-essential autoconf automake libtool libpcap-dev libnet1-dev \ libyaml-0-2 libyaml-dev zlib1g zlib1g-dev libcap-ng-dev libcap-ng0 \ make libmagic-dev libnuma-dev
If you have pf_ring already installed, you might want to do:
sudo rmmod pf_ring
before continuing with the installation below.
If this is the first time you are installing pf_ring:
apt-get install build-essential bison flex linux-headers-$(uname -r)
Go to your preferred download directory and get the latest stable PF_RING (6.0.3 at the time of this writing)
NOT as root:
wget http://sourceforge.net/projects/ntop/files/PF_RING/PF_RING-6.0.3.tar.gz
Compile and install¶
Next, enter the following commands for configuration and installation
NOT as root:
tar -zxf PF_RING-6.0.3.tar.gz
cd PF_RING-6.0.3/
make
elevate as root
sudo -i
cd kernel; make install
cd ../userland/lib; make install
then:
sudo modprobe pf_ring
To check if you have everything you need, enter:
modinfo pf_ring && cat /proc/net/pf_ring/info
root@suricata:~# modinfo pf_ring && cat /proc/net/pf_ring/info filename: /lib/modules/3.2.0-58-generic/kernel/net/pf_ring/pf_ring.ko alias: net-pf-27 description: Packet capture acceleration and analysis author: Luca Deri <deri@ntop.org> license: GPL srcversion: 69FF0F125F449EBD27ED96F depends: vermagic: 3.2.0-58-generic SMP mod_unload modversions parm: min_num_slots:Min number of ring slots (uint) parm: perfect_rules_hash_size:Perfect rules hash size (uint) parm: transparent_mode:0=standard Linux, 1=direct2pfring+transparent, 2=direct2pfring+non transparentFor 1 and 2 you need to use a PF_RING aware driver (uint) parm: enable_debug:Set to 1 to enable PF_RING debug tracing into the syslog (uint) parm: enable_tx_capture:Set to 1 to capture outgoing packets (uint) parm: enable_frag_coherence:Set to 1 to handle fragments (flow coherence) in clusters (uint) parm: enable_ip_defrag:Set to 1 to enable IP defragmentation(only rx traffic is defragmentead) (uint) parm: quick_mode:Set to 1 to run at full speed but with upto one socket per interface (uint) PF_RING Version : 6.0.3 ($Revision: exported$) Total rings : 16 Standard (non DNA) Options Ring slots : 4096 Slot version : 15 Capture TX : Yes [RX+TX] IP Defragment : No Socket Mode : Standard Transparent mode : Yes [mode 0] Total plugins : 0 Cluster Fragment Queue : 31537 Cluster Fragment Discard : 2161203 root@suricata:~#
Suricata¶
The example below is using suricata-2.0.8 release.
To download and build Suricata, enter the following:
wget http://www.openinfosecfoundation.org/download/suricata-2.0.8.tar.gz tar -xvzf suricata-2.0.8.tar.gz cd suricata-2.0.8
Compile and install the engine
./configure --prefix=/usr --sysconfdir=/etc --localstatedir=/var \
--enable-pfring --with-libpfring-includes=/usr/local/pfring/include \
--with-libpfring-libraries=/usr/local/pfring/lib
In case if you get an error during the configure stage (you might experience that with pfring 5.6.2 and above):
checking for pfring_open in -lpfring... no ERROR! --enable-pfring was passed but the library was not found or version is >4, go get it from http://www.ntop.org/PF_RING.html
Configure like this instead:
LIBS="-lrt -lnuma" ./configure --prefix=/usr --sysconfdir=/etc --localstatedir=/var \
--enable-pfring --with-libpfring-includes=/usr/local/pfring/include \
--with-libpfring-libraries=/usr/local/pfring/lib
Then:
make
sudo make install
sudo ldconfig
Auto setup¶
You can also use the available auto setup features of Suricata:
ex:
./configure && make && make install-conf
make install-conf
would do the regular "make install" and then it would automatically create/setup all the necessary directories and suricata.yaml for you.
./configure && make && make install-rules
make install-rules
would do the regular "make install" and then it would automatically download and set up the latest ruleset from Emerging Threats available for Suricata
./configure && make && make install-full
make install-full
would combine everything mentioned above (install-conf and install-rules) - and will present you with a ready to run (configured and set up) Suricata
You can always check if PF_RING is build in properly, by entering:
suricata --build-info
you should see:
... Suricata Configuration: AF_PACKET support: yes PF_RING support: yes ...
To run Suricata with PF_RING, enter:
suricata --pfring-int=eth0 --pfring-cluster-id=99 --pfring-cluster-type=cluster_flow -c /etc/suricata/suricata.yaml
Continue with the Basic Setup.
Peter Manev