Project

General

Profile

Suricata » Suricata Installation »

Mac OS X (10.6.x, works for 10.5.8 as well)

Pre-installation requirements

These instructions have been tested with Mac OS X (10.5.8 and 10.6.8). To begin, you will need an essential development environment much like gcc/make. You can download Xcode from http://developer.apple.com/technology/xcode.html.

MacPorts is required for you to fetch the depends, so you will also need to install MacPorts, if you have not already done so. The online installation guide is located at http://guide.macports.org/#installing.

Before you can build Suricata for your system, you must run the following command to ensure that you have everything you need for the installation.

port install autoconf automake pkgconfig gcc44 libnet11 libpcap pcre \
libyaml libtool
export AC_PROG_LIBTOOL=$( which libtool )

Depending on the current status of your system, it may take a while to complete this process.

HTP

HTP is bundled with Suricata and installed automatically. If you need to install HTP manually for other reasons, instructions can be found at HTP library installation.

IPS

If you would like to have IPS capabilities with IPFW, then you should run configure like this:

./configure --enable-ipfw --prefix=/usr --sysconfdir=/etc --localstatedir=/var

and execute the rest of the commands the same as above.

Suricata

To download and build Suricata, enter the following:

curl -O http://www.openinfosecfoundation.org/download/suricata-2.0.6.tar.gz
tar -xvzf suricata-2.0.6.tar.gz
cd suricata-2.0.6

You will also need to have an ipfw rule set for the engine to see the packets from ipfw. For example:

ipfw add 100 divert 8000 ip from any to any

The 8000 above should be the same number you pass on the command line of Suricata with the option -d, that is, -d 8000:

suricata -c config_file.yaml -d 8000

You will need a Suricata rule set with IPS options (drop, reject, etc). For this, please refer to the Emerging Threats rule sets.

If you are building from Git sources, enter the following:

bash autogen.sh

If you are not building from Git sources, enter the following:

./configure --prefix=/usr --sysconfdir=/etc --localstatedir=/var
make
sudo make install

Recent versions of OS X use clang which does not support the CFLAG -fno-tree-pre, resulting in the following warnings:

configure: WARNING: pcre.h:     section "Present But Cannot Be Compiled" 
configure: WARNING: pcre.h: proceeding with the compiler's result
configure: WARNING: pcre.h: proceeding with the compiler's result
checking for pcre.h... no

Replace clang with llvm-gcc to fix this problem:
CC=llvm-gcc ./configure ...

Please continue with the Basic Setup.