Compiling suricata from source code and creating a .deb package

From Cryptolife

Suricata is an Open Source Next Generation Intrusion Detection and Prevention Engine. This engine is not intended just to replace or emulate the existing tools in the industry, but brings new ideas and technologies to the field. Suricata supports multi-threading, automatic protocol detection (IP, TCP, UDP, ICMP, HTTP, TLS, FTP and SMB!), gzip decompression, fast IP matching and, coming soon, hardware acceleration on CUDA and OpenCL GPU cards.

In this guide I'll show how to compile Suricata from the source code and install it from a .deb package. This howto is applicable to Ubuntu and Debian. Updated to suricata version 0.9.0.

Install required packages for Suricata compilation

apt-get install libpcre3-dev libpcap-dev libyaml-dev zlib1g-dev libnet1 libnet1-dev libcap-ng-dev \
libhtp1 libnetfilter-queue-dev libnetfilter-queue1 libnfnetlink-dev libnfnetlink0 build-essential checkinstall

Add suricata user

useradd suricata -s /bin/false -c suricata_user

Download suricata source code.

cd /tmp
wget http://www.openinfosecfoundation.org/download/suricata-0.9.1.tar.gz
tar xvfz suricata-0.9.1.tar.gz
cd suricata-0.9.1

Configure, make and create the .deb package with checkinstall.

# --enable-nfq is only needed if building with IPS capabilities
./configure --enable-nfq

make

checkinstall

.deb package created.

**********************************************************************
 Done. The new package has been installed and saved to

/tmp/suricata-0.9.1/suricata_0.9.1-1_i386.deb

 You can remove it from your system anytime using: 

      dpkg -r suricata

**********************************************************************


Install suricata.

dpkg -i suricata_0.9.1-1_i386.deb

Create the necessary links and cache to the most recent shared libraries.

ldconfig

Create the necessary directories to store the log and configuration files.

mkdir /var/log/suricata
chown suricata:suricata /var/log/suricata 
mkdir /etc/suricata/
mkdir /etc/suricata/rules
cp classification.config suricata.yaml /etc/suricata/


Rules Management


Go to http://www.snort.org/login, subscribe and get the oinkcode.


Add the following line to the file /etc/oinkmaster.conf (replace OINKCODE with your oinkcode):

url = http://www.snort.org/pub-bin/oinkmaster.cgi/OINKCODE/snortrules-snapshot-2860.tar.gz

and comment out this line:

#url = http://www.snort.org/dl/rules/snortrules-snapshot-2_2.tar.gz


Download the official snort rules with

/usr/sbin/oinkmaster  -o /etc/suricata/rules -v


Using the open source community emergingthreats rules.


Add the following line to the file /etc/oinkmaster.conf:

url = http://www.emergingthreats.net/rules/emerging.rules.tar.gz 


Download the emergingthreats rules

/usr/sbin/oinkmaster  -o /etc/suricata/rules -v


A cron job is needed to update the rules automatically, in this case every day at 21:30.

Add this line to the root crontab:

30 21 * * * /usr/sbin/oinkmaster -o /etc/suricata/rules -s | mail -s "oinkmaster.update" myname@mydomain.org
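Before relying on the nightly job, it is worth checking that the oinkmaster configuration edited above is actually usable (OINKCODE placeholder replaced, old default url commented out, at least one active url) and that the rules directory the cron job writes to is not empty. This is an added example, not part of the original page; the conf file it checks is a constructed one in a temporary directory, not /etc/oinkmaster.conf.

```shell
#!/bin/sh
# Sanity checks for the oinkmaster setup described above (added example).

# Print the active (uncommented) url values of an oinkmaster.conf.
active_urls() {
    grep -E '^[[:space:]]*url[[:space:]]*=' "$1" \
        | sed 's/^[[:space:]]*url[[:space:]]*=[[:space:]]*//'
}

# Return 0 if the configuration looks usable, 1 otherwise (reason on stderr).
check_oinkmaster_conf() {
    conf="$1"
    [ -r "$conf" ] || { echo "cannot read $conf" >&2; return 1; }
    urls=$(active_urls "$conf")
    if [ -z "$urls" ]; then
        echo "no active url line in $conf" >&2
        return 1
    fi
    # The OINKCODE placeholder from the snippet above must have been replaced.
    if echo "$urls" | grep -q '/OINKCODE/'; then
        echo "placeholder OINKCODE still present in $conf" >&2
        return 1
    fi
    # The old default line should have been commented out.
    if echo "$urls" | grep -q 'snortrules-snapshot-2_2'; then
        echo "obsolete snortrules-snapshot-2_2 url still active in $conf" >&2
        return 1
    fi
    return 0
}

# Number of *.rules files in the directory oinkmaster writes to (-o).
count_rule_files() {
    ls "$1"/*.rules 2>/dev/null | wc -l | tr -d ' '
}

# Demo on a constructed conf file; the oinkcode value is a dummy.
tmp=$(mktemp -d)
cat > "$tmp/oinkmaster.conf" <<'EOF'
#url = http://www.snort.org/dl/rules/snortrules-snapshot-2_2.tar.gz
url = http://www.snort.org/pub-bin/oinkmaster.cgi/0123abcd/snortrules-snapshot-2860.tar.gz
url = http://www.emergingthreats.net/rules/emerging.rules.tar.gz
EOF
check_oinkmaster_conf "$tmp/oinkmaster.conf" && echo "oinkmaster.conf: ok"
echo "rules files in $tmp: $(count_rule_files "$tmp")"
```

Run it against the real file with `check_oinkmaster_conf /etc/oinkmaster.conf` and `count_rule_files /etc/suricata/rules` after the first manual oinkmaster run; a zero count means the update did not produce rules and suricata will start with nothing to match.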


Start Suricata

suricata -D  -c /etc/suricata/suricata.yaml  -i eth0 --user suricata --group suricata

Creative Commons License