docs: remove many outdated and old install docs

pull/3246/head
Andreas Herz 8 years ago committed by Victor Julien
parent 2e8678a5ff
commit bdb886bd68

@ -1,116 +0,0 @@
Autogenerated on 2012-11-29
from - https://redmine.openinfosecfoundation.org/projects/suricata/wiki/CentOS5
CentOS5
Pre-installation requirements
You will have to use the Fedora EPEL repository for some packages to enable
this repository. It is the same for i386 and x86_64:
sudo rpm -Uvh http://download.fedora.redhat.com/pub/epel/5/i386/epel-release-
5-3.noarch.rpm
Before you can build Suricata for your system, run the following command to
ensure that you have everything you need for the installation.
sudo yum -y install libpcap libpcap-devel libnet libnet-devel pcre \
pcre-devel gcc gcc-c++ automake autoconf libtool make libyaml \
libyaml-devel zlib zlib-devel
Depending on the current status of your system, it may take a while to complete
this process.
HTP
HTP is bundled with Suricata and installed automatically. If you need to
install HTP manually for other reasons, instructions can be found at HTP
library_installation.
IPS
If you plan to build Suricata with IPS capabilities via ./configure --enable-
nfqueue, there are no pre-built packages in the CentOS base or EPEL for
libnfnetlink and libnetfilter_queue. If you wish, you may use the rpms in the
Emerging Threats Cent OS 5 repository:
i386
sudo rpm -Uvh http://rules.emergingthreatspro.com/projects/emergingrepo/i386/
libnetfilter_queue-0.0.15-1.i386.rpm \
http://rules.emergingthreatspro.com/projects/emergingrepo/i386/
libnetfilter_queue-devel-0.0.15-1.i386.rpm \
http://rules.emergingthreatspro.com/projects/emergingrepo/i386/libnfnetlink-
0.0.30-1.i386.rpm \
http://rules.emergingthreatspro.com/projects/emergingrepo/i386/libnfnetlink-
devel-0.0.30-1.i386.rpm
x86_64
sudo rpm -Uvh http://rules.emergingthreatspro.com/projects/emergingrepo/
x86_64/libnetfilter_queue-0.0.15-1.x86_64.rpm \
http://rules.emergingthreatspro.com/projects/emergingrepo/x86_64/
libnetfilter_queue-devel-0.0.15-1.x86_64.rpm \
http://rules.emergingthreatspro.com/projects/emergingrepo/x86_64/
libnfnetlink-0.0.30-1.x86_64.rpm \
http://rules.emergingthreatspro.com/projects/emergingrepo/x86_64/
libnfnetlink-devel-0.0.30-1.x86_64.rpm
libcap-ng installation
This installation is needed for dropping privileges.
wget http://people.redhat.com/sgrubb/libcap-ng/libcap-ng-0.6.4.tar.gz
tar -xzvf libcap-ng-0.6.4.tar.gz
cd libcap-ng-0.6.4
./configure
make
sudo make install
Suricata
To download and build Suricata, enter the following:
wget http://www.openinfosecfoundation.org/download/suricata-1.3.3.tar.gz
tar -xvzf suricata-1.3.3.tar.gz
cd suricata-1.3.3
If you are building from Git sources, enter all the following commands:
bash autogen.sh
If you are not building from Git sources, enter only:
./configure --prefix=/usr --sysconfdir=/etc --localstatedir=/var
make
sudo make install
Auto setup
You can also use the available auto setup features of Suricata:
ex:
./configure && make && make install-conf
make install-conf
would do the regular "make install" and then it would automatically create/
setup all the necessary directories and suricata.yaml for you.
./configure && make && make install-rules
make install-rules
would do the regular "make install" and then it would automatically download
and set up the latest ruleset from Emerging Threats available for Suricata
./configure && make && make install-full
make install-full
would combine everything mentioned above (install-conf and install-rules) - and
will present you with a ready to run (configured and set up) Suricata
Please continue with the Basic_Setup.
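Review bot: Before this file goes, check that its "libcap-ng installation" section has a home elsewhere. It is the only CentOS text stating that libcap-ng is "needed for dropping privileges", and the CentOS yum line above it does not list libcap-ng or libcap-ng-devel, so a user following the surviving INSTALL/README on CentOS could end up with a build that cannot drop root unless those docs name the package. The rest should not be revived as-is: every artifact here (epel-release, the emergingthreatspro libnfnetlink/libnetfilter_queue RPMs, the libcap-ng-0.6.4 tarball from people.redhat.com, suricata-1.3.3.tar.gz) is fetched over plain http with rpm -Uvh or wget and no checksum or signature verification step, and the pinned 1.3.3 release and EPEL 5 are the "outdated" part the commit message refers to.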

@ -1,116 +0,0 @@
Autogenerated on 2012-11-29
from - https://redmine.openinfosecfoundation.org/projects/suricata/wiki/CentOS_56_Installation
CentOS 5.6 Installation
Pre-installation requirements
You will have to use the Fedora EPEL repository for some packages to enable
this repository. It is the same for i386 and x86_64:
sudo rpm -Uvh http://dl.fedoraproject.org/pub/epel/5/x86_64/epel-release-5-
4.noarch.rpm
Before you can build Suricata for your system, run the following command to
ensure that you have everything you need for the installation.
sudo yum -y install libpcap libpcap-devel libnet libnet-devel pcre \
pcre-devel gcc gcc-c++ automake autoconf libtool make libyaml \
libyaml-devel zlib zlib-devel
Depending on the current status of your system, it may take a while to complete
this process.
HTP
HTP is bundled with Suricata and installed automatically. If you need to
install HTP manually for other reasons, instructions can be found at HTP
library_installation.
IPS
If you plan to build Suricata with IPS capabilities via ./configure --enable-
nfqueue, there are no pre-built packages in the CentOS base or EPEL for
libnfnetlink and libnetfilter_queue. If you wish, you may use the rpms in the
Emerging Threats Cent OS 5 repository:
i386
sudo rpm -Uvh http://rules.emergingthreatspro.com/projects/emergingrepo/i386/
libnetfilter_queue-0.0.15-1.i386.rpm \
http://rules.emergingthreatspro.com/projects/emergingrepo/i386/
libnetfilter_queue-devel-0.0.15-1.i386.rpm \
http://rules.emergingthreatspro.com/projects/emergingrepo/i386/libnfnetlink-
0.0.30-1.i386.rpm \
http://rules.emergingthreatspro.com/projects/emergingrepo/i386/libnfnetlink-
devel-0.0.30-1.i386.rpm
x86_64
sudo rpm -Uvh http://rules.emergingthreatspro.com/projects/emergingrepo/
x86_64/libnetfilter_queue-0.0.15-1.x86_64.rpm \
http://rules.emergingthreatspro.com/projects/emergingrepo/x86_64/
libnetfilter_queue-devel-0.0.15-1.x86_64.rpm \
http://rules.emergingthreatspro.com/projects/emergingrepo/x86_64/
libnfnetlink-0.0.30-1.x86_64.rpm \
http://rules.emergingthreatspro.com/projects/emergingrepo/x86_64/
libnfnetlink-devel-0.0.30-1.x86_64.rpm
libcap-ng installation
This installation is needed for dropping privileges.
wget http://people.redhat.com/sgrubb/libcap-ng/libcap-ng-0.6.4.tar.gz
tar -xzvf libcap-ng-0.6.4.tar.gz
cd libcap-ng-0.6.4
./configure
make
sudo make install
Suricata
To download and build Suricata, enter the following:
wget http://www.openinfosecfoundation.org/download/suricata-1.3.3.tar.gz
tar -xvzf suricata-1.3.3.tar.gz
cd suricata-1.3.3
If you are building from Git sources, enter all the following commands:
bash autogen.sh
If you are not building from Git sources, enter only:
./configure --prefix=/usr --sysconfdir=/etc --localstatedir=/var
make
sudo make install
Auto setup
You can also use the available auto setup features of Suricata:
ex:
./configure && make && make install-conf
make install-conf
would do the regular "make install" and then it would automatically create/
setup all the necessary directories and suricata.yaml for you.
./configure && make && make install-rules
make install-rules
would do the regular "make install" and then it would automatically download
and set up the latest ruleset from Emerging Threats available for Suricata
./configure && make && make install-full
make install-full
would combine everything mentioned above (install-conf and install-rules) - and
will present you with a ready to run (configured and set up) Suricata
Please continue with the Basic_Setup.
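Review bot: This file is a verbatim copy of CentOS5.txt apart from the epel-release URL (dl.fedoraproject.org epel-release-5-4 here versus download.fedora.redhat.com epel-release-5-3 there), so removing both in the same commit loses no distinct content; the same caveats apply (unverified http downloads, libcap-ng missing from the yum prerequisite line). The two files being identical except for one URL is also a good argument for not reintroducing per-distribution copies later; one RPM-based prerequisites list in the surviving docs is easier to keep current.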

@ -1,90 +0,0 @@
Autogenerated on 2012-11-29
from - https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Debian_Installation
Debian Installation
Pre-installation requirements
Before you can build Suricata for your system, run the following command to
ensure that you have everything you need for the installation.
Make sure you will enter all the following commands as root/super-user,
otherwise it will not work.
apt-get -y install libpcre3 libpcre3-dbg libpcre3-dev \
build-essential autoconf automake libtool libpcap-dev libnet1-dev \
libyaml-0-2 libyaml-dev zlib1g zlib1g-dev libmagic-dev libcap-ng-dev \
pkg-config
Depending on the current status of your system, it may take a while to complete
this process.
HTP
HTP is bundled with Suricata and installed automatically. If you need to
install HTP manually for other reasons, instructions can be found at HTP
library_installation.
IPS
By default, Suricata works as an IDS. If you want to use it as a IDS and IPS
program, enter:
apt-get -y install libnetfilter-queue-dev libnetfilter-queue1 libnfnetlink-
dev libnfnetlink0
Suricata
To download and build Suricata, enter the following:
wget http://www.openinfosecfoundation.org/download/suricata-1.3.3.tar.gz
tar -xvzf suricata-1.3.3.tar.gz
cd suricata-1.3.3
Compile and install the program
If you plan to build Suricata with IPS capabilities, enter:
./configure --enable-nfqueue --prefix=/usr --sysconfdir=/etc --
localstatedir=/var
instead of
./configure --prefix=/usr --sysconfdir=/etc --localstatedir=/var
Continue with the next commands:
./configure --prefix=/usr --sysconfdir=/etc --localstatedir=/var
make
make install
To make sure the existing list with libraries will be updated with the new
library, enter:
ldconfig
Auto setup
You can also use the available auto setup features of Suricata:
ex:
./configure && make && make install-conf
make install-conf
would do the regular "make install" and then it would automatically create/
setup all the necessary directories and suricata.yaml for you.
./configure && make && make install-rules
make install-rules
would do the regular "make install" and then it would automatically download
and set up the latest ruleset from Emerging Threats available for Suricata
./configure && make && make install-full
make install-full
would combine everything mentioned above (install-conf and install-rules) - and
will present you with a ready to run (configured and set up) Suricata
Please continue with the Basic_Setup.
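Review bot: The "Compile and install the program" section of this file contradicts itself: it says to run `./configure --enable-nfqueue ...` "instead of" the plain configure, then under "Continue with the next commands" lists the plain `./configure --prefix=/usr --sysconfdir=/etc --localstatedir=/var` again, so a reader following it literally reconfigures without nfqueue and gets an IDS-only build. If any of this Debian text is carried into the remaining docs, keep a single configure invocation per scenario. Also worth not copying forward: the instruction to "enter all the following commands as root/super-user", which runs autoconf, make and the tarball extraction as root; only `make install` and `ldconfig` need elevated privileges.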

@ -1,76 +0,0 @@
Autogenerated on 2012-11-29
from - https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Fedora_Core
Fedora
pre-installation requirements
Before you can build Suricata for your system, run the following command to
ensure that you have everything you need for the installation.
sudo yum -y install libpcap libpcap-devel libnet libnet-devel pcre \
pcre-devel gcc gcc-c++ automake autoconf libtool make libyaml \
libyaml-devel zlib zlib-devel libcap-ng libcap-ng-devel file-devel file
Depending on the current status of your system, it may take a while to complete
this process.
HTP
HTP is bundled with Suricata and installed automatically. If you need to
install HTP manually for other reasons, instructions can be found at HTP
library_installation.
IPS
If you plan to build Suricata with IPS capabilities via ./configure --enable-
nfqueue, enter the following:
sudo yum -y install libnfnetlink libnfnetlink-devel \
libnetfilter_queue libnetfilter_queue-devel
Suricata
To download and build Suricata, enter the following:
wget http://www.openinfosecfoundation.org/download/suricata-1.3.3.tar.gz
tar -xvzf suricata-1.3.3.tar.gz
cd suricata-1.3.3
If you are building from Git sources, enter all the following commands:
bash autogen.sh
If you are not building from Git sources, enter only the following:
./configure --prefix=/usr --sysconfdir=/etc --localstatedir=/var
make
sudo make install
Auto setup
You can also use the available auto setup features of Suricata:
ex:
./configure && make && make install-conf
make install-conf
would do the regular "make install" and then it would automatically create/
setup all the necessary directories and suricata.yaml for you.
./configure && make && make install-rules
make install-rules
would do the regular "make install" and then it would automatically download
and set up the latest ruleset from Emerging Threats available for Suricata
./configure && make && make install-full
make install-full
would combine everything mentioned above (install-conf and install-rules) - and
will present you with a ready to run (configured and set up) Suricata
Please continue with the Basic_Setup.
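Review bot: Of the three RPM-based guides removed here, this is the only one whose yum line includes `libcap-ng libcap-ng-devel file-devel file` (the CentOS files obtain libcap-ng from a source tarball and never mention libmagic). If a generic RPM prerequisites list is kept anywhere, make sure it carries these over: libcap-ng is what the privilege drop after startup depends on, and file-devel provides the libmagic headers. The IPS section here is also the cleanest of the set (libnfnetlink and libnetfilter_queue straight from the distribution, no third-party RPM repository), so it is the better template if Fedora instructions are ever rewritten.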

@ -1,102 +0,0 @@
Autogenerated on 2012-11-29
from - https://redmine.openinfosecfoundation.org/projects/suricata/wiki/FreeBSD_8
FreeBSD 8 & 9
Pre-installation requirements
Before you can build Suricata for your system, run the following command to
ensure that you have everything you need for the installation.
Make sure you enter all commands as root/super-user, otherwise it will not
work.
For FreeBSD 8:
pkg_add -r autoconf262 automake19 gcc45 libyaml pcre libtool \
libnet11 libpcap gmake
For FreeBSD 9.0:
pkg_add -r autoconf268 automake111 gcc libyaml pcre libtool \
libnet11 libpcap gmake
Depending on the current status of your system, it may take a while to complete
this process.
HTP
HTP is bundled with Suricata and installed automatically. If you need to
install HTP manually for other reasons, instructions can be found at HTP
library_installation.
IPS
If you would like to build suricata on FreeBSD with IPS capabilities with IPFW
via --enable-ipfw, enter the following to enable ipfw and divert socket support
before starting the engine with -d:
Edit /etc/rc.conf and add or modify the following lines:
firewall_enable="YES"
firewall_type="open"
Edit /boot/loader.conf and add or modify the following lines:
ipfw_load="YES"
ipfw_nat_load="YES"
ipdivert_load="YES"
dummynet_load="YES"
libalias_load="YES"
Suricata
To download and build Suricata, enter the following:
wget http://www.openinfosecfoundation.org/download/suricata-1.3.3.tar.gz
tar -xvzf suricata-1.3.3.tar.gz
cd suricata-1.3.3
If you are building from Git sources, enter all the following commands until
the end of this file:
bash autogen.sh
If you are not building from Git sources, do not enter the above mentioned
commands. Continue enter the following:
./configure --prefix=/usr --sysconfdir=/etc --localstatedir=/var
make
make install
zerocopy bpf
mkdir /var/log/suricata/
FreeBSD 8 has support for zerocopy bpf in libpcap. To test this functionality,
issue the following command and then start/restart the engine:
sysctl net.bpf.zerocopy_enable=1
Auto setup
You can also use the available auto setup features of Suricata:
ex:
./configure && make && make install-conf
make install-conf
would do the regular "make install" and then it would automatically create/
setup all the necessary directories and suricata.yaml for you.
./configure && make && make install-rules
make install-rules
would do the regular "make install" and then it would automatically download
and set up the latest ruleset from Emerging Threats available for Suricata
./configure && make && make install-full
make install-full
would combine everything mentioned above (install-conf and install-rules) - and
will present you with a ready to run (configured and set up) Suricata
Please continue with the Basic_Setup.
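Review bot: Two things in this file should not be carried over in their current form if FreeBSD IPFW instructions are ever reinstated. First, the `mkdir /var/log/suricata/` line sits under the "zerocopy bpf" heading but belongs to the install step above it, and `sysctl net.bpf.zerocopy_enable=1` is described as something "to test", not a default. Second, the `/etc/rc.conf` snippet for IPS mode sets `firewall_type="open"`, which is the FreeBSD rc.firewall policy that allows all traffic; it is adequate for getting the divert socket up, but a doc that tells users to enable ipfw for an inline IPS should pair the divert rule with an explicit ruleset rather than an allow-all policy. The rest (pkg_add names for FreeBSD 8 and 9.0, suricata-1.3.3) is the outdated material the commit targets.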

@ -1,18 +0,0 @@
Autogenerated on 2012-11-29
from - https://redmine.openinfosecfoundation.org/projects/suricata/wiki/HTP_library_installation
HTP library installation
The installation of the HTP library is the same for several operating systems,
except you can not use 'sudo' with Debian and FreeBSD. Using Debian or FreeBSD
you have to Make sure you enter all following commands as root/super-user.
To download and build HTP, enter the following:
wget http://www.openinfosecfoundation.org/download/libhtp-0.2.3.tar.gz
tar -xzvf libhtp-0.2.3.tar.gz
cd libhtp-0.2.3
./configure
make
make install
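Review bot: Check for dangling references before deleting this one: every other guide removed in this commit has an "HTP" section that says instructions "can be found at HTP library_installation", and the wiki export kept that phrase as plain text. Grep the surviving doc/*.txt and INSTALL* files for "HTP_library_installation" or "library_installation" so no remaining file points at a page that no longer exists. Content-wise the file pins libhtp-0.2.3 from an http tarball with no verification, while the same guides state that HTP is bundled with Suricata and installed automatically, so nothing here needs preserving.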

@ -1,119 +0,0 @@
Autogenerated on 2012-11-29
from - https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Installation_from_GIT_with_PCRE-JIT
Installation from GIT with PCRE-JIT
In this guide will be explained how to install and use the most recent code of
Suricata on Ubuntu together with PCRE with JIT 8.20-RC1 support. The goal of
PCRE-JIT is to improve the pcre pattern matching performance of the pcre
library.
The easiest way to see performance difference is to create a couple of pcre
only rules or use for example the SSN rules from ET, and compare the
performance statistics for rules.
Installing from GIT on other operating systems is basically the same, except
that some commands are Ubuntu-specific (like sudo and apt-get). In case you are
using another operating system, you should replace those commands by your
operating-specific commands.
Pre-installation requirements
Before you can build Suricata with PCRE-JIT for your system, run the following
command to ensure that you have everything you need for the installation.
sudo apt-get -y install build-essential autoconf automake \
libtool libpcap-dev libnet1-dev libyaml-0-2 libyaml-dev \
zlib1g zlib1g-dev libcap-ng-dev libcap-ng0 \
make g++
sudo apt-get install git-core
Depending on the current status of your system, it may take a while to complete
this process.
PCRE with JIT support
Enter the following commands for PCRE JIT installation:
wget ftp://ftp.csx.cam.ac.uk/pub/software/programming/pcre/Testing/pcre-8.20-
RC1.tar.gz
tar -xzvf pcre-8.20-RC1.tar.gz
cd pcre-8.20-RC1
./configure --enable-jit
Make sure you see that JIT compiling support is enabled, see example:
make
sudo make install
HTP
HTP is bundled with Suricata and installed automatically. If you need to
install HTP manually for other reasons, instructions can be found at HTP
library_installation.
IPS
By default, Suricata works as an IDS. If you want to use it as a IDS and IPS
program, enter:
sudo apt-get -y install libnetfilter-queue-dev libnetfilter-queue1
libnfnetlink-dev libnfnetlink0
Suricata
First, it is convenient to create a directory for Suricata. Name it 'suricata'
for example. Open the terminal and enter:
mkdir suricata
Followed by:
cd suricata
Next, enter the following line in the terminal:
git clone git://phalanx.openinfosecfoundation.org/oisf.git
cd oisf
Followed by:
./autogen.sh
Compile and install
To configure, please enter:
./configure --enable-pcre-jit \
--with-libpcre-includes=/usr/local/include \
--with-libpcre-libraries=/usr/local/lib
After entering the previous, make sure that your screen looks like the
following example and you have PCRE with JIT support:
make
sudo make install
sudo ldconfig
To check the build information you can enter:
suricata --build-info
Please continue with Basic_Setup.
In case you have already made a map for the most recent code, downloaded the
code into that map, and want to download recent code again, please enter:
cd suricata/oisf
next, enter:
git pull
After that, you start again at running autogen.
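Review bot: This file was already broken as a text document, which supports removing it: the lines "Make sure you see that JIT compiling support is enabled, see example:" and "make sure that your screen looks like the following example" refer to example output that did not survive the wiki export, so the reader has nothing to compare against. The procedure also builds a release candidate (pcre-8.20-RC1 fetched over ftp) into /usr/local and then points `--with-libpcre-includes`/`--with-libpcre-libraries` at it, which is not something a current install doc should recommend. One point applies beyond this file: the clone uses `git clone git://phalanx.openinfosecfoundation.org/oisf.git`, and the same `git://` URL appears in the PF_RING and OpenBSD guides removed below. The git protocol has no transport authentication or integrity protection, so any surviving "from GIT" instructions should use an https clone URL.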

@ -1,73 +0,0 @@
Autogenerated on 2012-01-11
from - https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Installation_from_GIT_with_PF_RING_on_Ubuntu_server_1104
Installation from GIT with PF RING on Ubuntu server 11.04
This guide is based on using Ubuntu Server 11.04
Linux ubuntu 2.6.38-8-generic x86_64 GNU/Linux
Pre installation requirements
Install the following packages, to make sure you have everything needed for the
installation:
sudo apt-get -y install libpcre3 libpcre3-dbg libpcre3-dev \
build-essential autoconf automake libtool libpcap-dev libnet1-dev \
libyaml-0-2 libyaml-dev zlib1g zlib1g-dev libcap-ng-dev libcap-ng0 \
make flex bison git subversion
Go to your download directory and get the latest PF_RING:
svn --force export https://svn.ntop.org/svn/ntop/trunk/PF_RING/ PF_RING
Compile and install
Next, enter the following commands for configuration and installation:
cd PF_RING/kernel
make && make install
sudo insmod ./pf_ring.ko
cd ../userland
make && make install
cd /lib
./configure && make && make install
cd ../libpcap
./configure && make && make install
cd /examples
echo "options pf_ring transparent_mode=0 min_num_slots=32768
enable_tx_capture=0" > /etc/modprobe.d/pf_ring.conf
To check if you have everything you need, enter:
lsmod |grep pf_ring
sudo modprobe pf_ring
sudo modinfo pf_ring && cat /proc/net/pf_ring/info
To check if PF_RING is functional, enter the following:
./pfcount -i eth0
Suricata
Go to your download directory of choice, and enter:
git clone git://phalanx.openinfosecfoundation.org/oisf.git
cd oisf
sudo ./autogen.sh
sudo ./configure --enable-pfring && make && make install
You can always check if PF_RING is build in properly, by entering:
suricata --build-info
To run Suricata with PF_RING, enter:
suricata --pfring-int=eth0 --pfring-cluster-id=99 --pfring-cluster-
type=cluster_flow -c /etc/suricata/suricata.yaml
Continue with the Basic_Setup.
Thanks to Peter Manev
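Review bot: The command sequence in "Compile and install" could not have been followed as written, which is reason enough to drop it: after `cd ../userland` the doc says `cd /lib` and later `cd /examples` (absolute paths) where the intent is clearly the relative `lib` and `examples` directories of the PF_RING userland tree, and `make && make install` under kernel/ and userland/ is run without sudo while the next line is `sudo insmod ./pf_ring.ko`. The `echo "options pf_ring ..." > /etc/modprobe.d/pf_ring.conf` line likewise has no privilege handling (the redirection is performed by the unprivileged shell). If PF_RING setup guidance is kept, INSTALL.PF_RING (still listed in doc/Makefile.am) is the place for a corrected sequence rather than this page.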

@ -1,207 +0,0 @@
Autogenerated on 2012-11-29
from - https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Installation_with_PF_RING
Installation with PF RING
This is the installation guide for Suricata with PF_RING support and a guide to
install PF_RING.
To install DKMS, enter:
sudo apt-get install dkms
To get subversion for checking out the PF_RING code, flex and bison for
libpcap, enter:
sudo apt-get install subversion flex bison
To install the debs needed for Suricata, enter the following:
sudo apt-get install libpcre3-dev libpcap-dev libyaml-dev zlib1g-dev libcap-
ng-dev libnet1-dev
In the example you will build from the GIT repository, so you will need some
extra packages:
sudo apt-get install git-core automake autoconf libtool
To build your modules, please go to:
cd /usr/src/
Checkout the PF_RING code:
sudo svn --force export https://svn.ntop.org/svn/ntop/trunk/PF_RING/
PF_RING_CURRENT_SVN
Create the DKMS build directory and copy files over for the main PF_RING module
by entering the following:
sudo mkdir /usr/src/pf_ring-4
sudo cp -Rf /usr/src/PF_RING_CURRENT_SVN/kernel/* /usr/src/pf_ring-4/
cd /usr/src/pf_ring-4/
Create a file called 'dkms.conf'
sudo nano dkms.conf
and place the following into the file:
PACKAGE_NAME="pf_ring"
PACKAGE_VERSION="4"
BUILT_MODULE_NAME[0]="pf_ring"
DEST_MODULE_LOCATION[0]="/kernel/net/pf_ring/"
AUTOINSTALL="yes"
To close the file, do so by pressing Ctrl and X at the same time, followed by y
and enter.
Build and install the kernel -module of PF_RING:
sudo dkms add -m pf_ring -v 4
sudo dkms build -m pf_ring -v 4
sudo dkms install -m pf_ring -v 4
development headers.(zie aantekeningen)
sudo mkdir -p /opt/PF_RING/{bin,lib,include/linux,sbin}
Next, build and install the userland lib.:
sudo cp -f /usr/src/PF_RING_CURRENT_SVN/kernel/linux/pf_ring.h /opt/PF_RING/
include/linux/
cd /usr/src/PF_RING_CURRENT_SVN/userland/lib
sudo ./configure
sudo sed -i -e 's/INSTDIR = \${DESTDIR}\/usr\/local/INSTDIR = \$
{DESTDIR}\/opt\/PF_RING/' Makefile
sudo cp -f pfring_e1000e_dna.h /opt/PF_RING/include
sudo make
sudo make install
Enter the following to pull down the latest version of Suricata from the git
repository and build with PF_RING support:
cd /usr/src/PF_RING_CURRENT_SVN/userland/
sudo git clone git://phalanx.openinfosecfoundation.org/oisf.git oisfnew
cd oisfnew
sudo ./autogen.sh
sudo ./configure --enable-pfring --with-libpfring-libraries=/opt/PF_RING/lib
--with-libpfring-includes=/opt/PF_RING/include --with-libpcap-libraries=/opt/
PF_RING/lib --with-libpcap-includes=/opt/PF_RING/include LD_RUN_PATH="/opt/
PF_RING/lib:/usr/lib:/usr/local/lib" --prefix=/opt/PF_RING/
sudo make install
sudo make
sudo mkdir etc/suricata
To make config and log directories for a more complete getting started, see:
Basic_Setup.
sudo mkdir /etc/suricata
sudo cp suricata.yaml /etc/suricata/
sudo cp classification.config /etc/suricata/
sudo mkdir /var/log/suricata
The information about the setup options for when you initialise the module:
min_num_slots:Number of ring slots (uint)
transparent_mode:0=standard Linux, 1=direct2pfring+transparent,
2=direct2pfring+non transparent.
For 1 and 2 you need to use a PF_RING aware driver (uint) .
enable_tx_capture:Set to 1 to capture outgoing packets (uint)
enable_ip_defrag:Set to 1 to enable IP defragmentation(only rx traffic is
defragmentead) (uint)
Enter the following as super-user:
echo "options pf_ring transparent_mode=0 min_num_slots=32768
enable_tx_capture=0" > /etc/modprobe.d/pf_ring.conf
To check the status of PF_RING :
sudo modprobe pf_ring
sudo modinfo pf_ring && cat /proc/net/pf_ring/info
Start up Suricata with PF_RING support:
sudo /opt/PF_RING/bin/suricata --pfring-int=eth0 --pfring-cluster-id=99 --
pfring-cluster-type=cluster_flow -c /etc/suricata/suricata.yaml
If you need to uninstall PF_RING or rollback your PF_RING aware drivers to
their previous state you can do so with the following commands:
sudo dkms remove -m pf_ring -v 4 --all
Optional
The following part is optional.
sudo dkms remove -m e1000e-pf_ring -v 1.0.15 --all
If you issue the following command, you can see that PF_RING should now be
installed as DKMS module:
dkms status
Now go through the steps to build a PF_RING aware driver:
sudo mkdir /usr/src/e1000e-pf_ring-1.0.15
sudo cp -Rf /usr/src/PF_RING_CURRENT_SVN/drivers/intel/e1000e/old/e1000e-
1.0.15/src/* /usr/src/e1000e-pf_ring-1.0.15/
Enter the following so that DKMS can find it for driver rebuilds:
sudo cp -f /usr/src/PF_RING_CURRENT_SVN/kernel/linux/pf_ring.h /usr/src/
e1000e-pf_ring-1.0.15/
cd /usr/src/e1000e-pf_ring-1.0.15/
After that, fix the path to pf_ring.h:
sed -i -e 's/\.\.\/\.\.\/\.\.\/\.\.\/kernel\/linux\/pf\_ring\.h/pf\_ring\.h/
' netdev.c
Then create a file called 'dkms.conf'.
sudo nano dkms.conf
and place the following into the file:
PACKAGE_NAME="e1000e-pf_ring"
PACKAGE_VERSION="1.0.15"
BUILT_MODULE_NAME[0]="e1000e"
DEST_MODULE_LOCATION[0]="/kernel/drivers/net/e1000e/"
AUTOINSTALL="yes"
Build and install the module of the e1000e-pf_ring network driver:
sudo dkms add -m e1000e-pf_ring -v 1.0.15
sudo dkms build -m e1000e-pf_ring -v 1.0.15
sudo dkms install -m e1000e-pf_ring -v 1.0.15
After that, build and install the PF_RING enabled libpcap:
cd /usr/src/PF_RING_CURRENT_SVN/userland/libpcap-1.0.0-ring
./configure
sed -i -e 's/\.\.\/lib\/libpfring\.a/\/opt\/PF_RING\/lib\/libpfring\.a/
' Makefile
sed -i -e 's/\.\.\/lib\/libpfring\.a/\/opt\/PF_RING\/lib\/libpfring\.a/
' Makefile.in
./configure --prefix=/opt/PF_RING && make && make install
Subsequently, build and install tcpdump using the PF_RING enabled version of
libpcap:
cd /usr/src/PF_RING_CURRENT_SVN/userland/tcpdump-4.0.0
sudo ./configure
sudo sed -i -e 's/\.\.\/lib\/libpfring\.a/\/opt\/PF_RING\/lib\/libpfring\.a/
' Makefile
sudo sed -i -e 's/\.\.\/lib\/libpfring\.a/\/opt\/PF_RING\/lib\/libpfring\.a/
' Makefile.in
sudo sed -i -e 's/-I \.\.\/libpcap-1\.0\.0-ring/-I \/opt\/PF_RING\/include/
' Makefile
sudo sed -i -e 's/-I \.\.\/libpcap-1\.0\.0-ring/-I \/opt\/PF_RING\/include/
' Makefile.in
sudo sed -i -e 's/-L \.\.\/libpcap-1\.0\.0-ring\/-L /\/opt\/PF_RING\/lib\//
' Makefile
sed -i -e 's/-L \.\.\/libpcap-1\.0\.0-ring\/-L /\/opt\/PF_RING\/lib\//
' Makefile.in
sudo ./configure LD_RUN_PATH="/opt/PF_RING/lib:/usr/lib:/usr/local/lib" --
prefix=/opt/PF_RING/ --enable-ipv6 && make && make install
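Review bot: Several defects in this file argue for removal rather than cleanup. The line "development headers.(zie aantekeningen)" is a leftover editorial note ("zie aantekeningen" is Dutch for "see notes") that was never written up. In the Suricata build step `sudo make install` precedes `sudo make`, and `sudo mkdir etc/suricata` (relative path, inside the source tree) is followed a few lines later by the intended `sudo mkdir /etc/suricata`. The "Optional" block also runs `dkms remove` for e1000e-pf_ring before the steps that add it, so the section order is inverted. From a least-privilege standpoint the whole procedure is executed as root under /usr/src, including `sudo git clone`, `sudo ./autogen.sh`, `sudo ./configure` and the sed edits to Makefiles, when only the dkms and `make install` steps require it. The module option table (min_num_slots, transparent_mode, enable_tx_capture, enable_ip_defrag) is the one piece of reference content here; if it is not already in INSTALL.PF_RING, consider moving it there.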

@ -1,72 +0,0 @@
Autogenerated on 2012-11-29
from - https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Mac_OS_X_106x
Mac OS X (10.6.x)
Pre-installation requirements
These instructions have been tested with Mac OS X (10.6.1). To begin, you will
need an essential development environment much like gcc/make. You can download
Xcode from http://developer.apple.com/technology/xcode.html.
MacPorts is required for you to fetch the depends, so you will also need to
install MacPorts, if you have not already done so. The online installation
guide is located at http://guide.macports.org/#installing.
Before you can build Suricata for your system, you must run the following
command to ensure that you have everything you need for the installation.
port install autoconf automake gcc44 make libnet11 libpcap pcre \
libyaml libtool
export AC_PROG_LIBTOOL=$( which libtool )
Depending on the current status of your system, it may take a while to complete
this process.
HTP
HTP is bundled with Suricata and installed automatically. If you need to
install HTP manually for other reasons, instructions can be found at HTP
library_installation.
IPS
If you would like to have IPS capabilities with IPFW, then you should run
configure like this:
./configure --enable-ipfw --prefix=/usr --sysconfdir=/etc --localstatedir=/
var
and execute the rest of the commands the same as above.
Suricata
To download and build Suricata, enter the following:
wget http://www.openinfosecfoundation.org/download/suricata-1.3.3.tar.gz
tar -xvzf suricata-1.3.3.tar.gz
cd suricata-1.3.3
You will also need to have an ipfw rule set for the engine to see the packets
from ipfw. For example:
ipfw add 100 divert 8000 ip from any to any
The 8000 above should be the same number you pass on the command line of
suricata with the option -d, that is, -d 8000:
suricata -c config_file.yaml -d 8000
You will need a Suricata rule set with IPS options (drop, reject, etc). For
this, please refer to the Emerging Threats rule sets.
If you are building from Git sources, enter the following:
bash autogen.sh
If you are not building from Git sources, enter the following:
./configure --prefix=/usr --sysconfdir=/etc --localstatedir=/var
make
sudo make install
Please continue with the Basic_Setup.
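Review bot: The section ordering here would confuse anyone following it: the "IPS" section says to run `./configure --enable-ipfw ...` "and execute the rest of the commands the same as above" although the configure/make/make install commands come after it, and the ipfw divert rule plus `suricata -c config_file.yaml -d 8000` appear between the tarball download and `bash autogen.sh`. If the ipfw material is ever migrated, one caveat the original omits should be added: `ipfw add 100 divert 8000 ip from any to any` sends all IP traffic through the divert port, and packets diverted to a port with no bound socket are dropped, so the rule must only be installed once the engine is running with `-d 8000` (or removed when it stops), or the host loses connectivity. The remaining content (Mac OS X 10.6.1, MacPorts gcc44, suricata-1.3.3) is outdated as the commit message states.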

@ -11,22 +11,8 @@ INSTALL.PF_RING \
INSTALL.WINDOWS \
\
Basic_Setup.txt \
CentOS5.txt \
CentOS_56_Installation.txt \
Debian_Installation.txt \
Fedora_Core.txt \
FreeBSD_8.txt \
HTP_library_installation.txt \
Installation_from_GIT_with_PF_RING_on_Ubuntu_server_1104.txt \
Installation_with_PF_RING.txt \
Installation_from_GIT_with_PCRE-JIT.txt \
Mac_OS_X_106x.txt \
OpenBSD_Installation_from_GIT.txt \
Setting_up_IPSinline_for_Linux.txt \
Third_Party_Installation_Guides.txt \
Ubuntu_Installation.txt \
Ubuntu_Installation_from_GIT.txt \
Windows.txt
Third_Party_Installation_Guides.txt
datarootdir=@datarootdir@
docdir = ${datarootdir}/doc/${PACKAGE}
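Review bot: The entries dropped from this list must match the files deleted in the commit exactly, in both directions: an entry left for a deleted file makes `make dist` fail, while a file left in doc/ without an entry silently disappears from the release tarball. The removed-file hunks visible on this page cover CentOS5, CentOS_56_Installation, Debian_Installation, Fedora_Core, FreeBSD_8, HTP_library_installation, both PF_RING guides, Installation_from_GIT_with_PCRE-JIT, Mac_OS_X_106x, OpenBSD_Installation_from_GIT, Ubuntu_Installation and Ubuntu_Installation_from_GIT, but the list also drops Setting_up_IPSinline_for_Linux.txt and Windows.txt; confirm those two are deleted in the same commit (or keep their entries if they stay). The list itself is well-formed after the edit: Basic_Setup.txt keeps its trailing backslash and Third_Party_Installation_Guides.txt, now the final entry, correctly has none. Basic_Setup.txt staying is consistent, since every removed guide ends by pointing at it.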

@ -1,79 +0,0 @@
Autogenerated on 2012-11-29
from - https://redmine.openinfosecfoundation.org/projects/suricata/wiki/OpenBSD_Installation_from_GIT
OpenBSD Installation from GIT
Pre-installation Requirements
Before you can build Suricata for your system, run the following commands to
ensure that you have everything you need for the installation.
pkg_add gcc
pkg_add pcre
pkg_add libtool
pkg_add libyaml
pkg_add libnet-1.1.2.1p0
If you would like to build from Git sources, you have to install the following
building tools:
pkg_add git
pkg_add autoconf
pkg_add automake
If you use OpenBSD 4.8, enter the following:
pkg_add git autoconf-2.61p3 automake-1.10.3
HTP
HTP is bundled with Suricata and installed automatically. If you need to
install HTP manually for other reasons, instructions can be found at HTP
library_installation.
Suricata
Next, clone the repository and run autogen:
git clone git://phalanx.openinfosecfoundation.org/oisf.git
cd oisf
export AUTOCONF_VERSION=2.61
export AUTOMAKE_VERSION=1.10
./autogen.sh
Enter the following to configure:
CPPFLAGS="-I/usr/local/include" CFLAGS="-L/usr/local/lib" ./configure --
prefix=/opt/suricata
To build and install Suricata, enter the following in your command line:
make
make install
Auto setup
You can also use the available auto setup features of Suricata:
ex:
./configure && make && make install-conf
make install-conf
would do the regular "make install" and then it would automatically create/
setup all the necessary directories and suricata.yaml for you.
./configure && make && make install-rules
make install-rules
would do the regular "make install" and then it would automatically download
and set up the latest ruleset from Emerging Threats available for Suricata
./configure && make && make install-full
make install-full
would combine everything mentioned above (install-conf and install-rules) - and
will present you with a ready to run (configured and set up) Suricata
Next, continue with the Basic_Setup.
Source: http://home.regit.org/?p=478
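Review bot: One detail here is wrong in a way that is easy to copy forward: the configure line passes the library search path as `CFLAGS="-L/usr/local/lib"`. `-L` is a linker flag and belongs in `LDFLAGS`; with CFLAGS it only works because the compiler driver is also used for linking, and it does not survive into build steps that read LDFLAGS separately. The `CPPFLAGS="-I/usr/local/include"` part is correct. The file also pins OpenBSD 4.8 package names (autoconf-2.61p3, automake-1.10.3, libnet-1.1.2.1p0), clones over `git://`, and installs to `--prefix=/opt/suricata`, so the "Auto setup" targets it then describes (`make install-conf`, `make install-rules`) would place suricata.yaml and rules under that prefix, not under /etc/suricata as the other guides assume; that inconsistency is another reason not to keep per-OS copies of the auto-setup section. Removing the file also drops the external attribution line ("Source: http://home.regit.org/?p=478"); that is acceptable since the content is going away with it.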

@ -1,84 +0,0 @@
Autogenerated on 2012-11-29
from - https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Ubuntu_Installation
Ubuntu Installation
Pre-installation requirements
Before you can build Suricata for your system, run the following command to
ensure that you have everything you need for the installation.
sudo apt-get -y install libpcre3 libpcre3-dbg libpcre3-dev \
build-essential autoconf automake libtool libpcap-dev libnet1-dev \
libyaml-0-2 libyaml-dev zlib1g zlib1g-dev libcap-ng-dev libcap-ng0 \
make libmagic-dev
Depending on the current status of your system, it may take a while to complete
this process.
HTP
HTP is bundled with Suricata and installed automatically. If you need to
install HTP manually for other reasons, instructions can be found at HTP
library_installation.
IPS
By default, Suricata works as an IDS. If you want to use it as a IDS and IPS
program, enter:
sudo apt-get -y install libnetfilter-queue-dev libnetfilter-queue1
libnfnetlink-dev libnfnetlink0
Suricata
To download and build Suricata, enter the following:
wget http://www.openinfosecfoundation.org/download/suricata-1.3.3.tar.gz
tar -xvzf suricata-1.3.3.tar.gz
cd suricata-1.3.3
Compile and install the engine
If you plan to build Suricata with IPS capabilities, enter:
./configure --enable-nfqueue --prefix=/usr --sysconfdir=/etc --
localstatedir=/var
instead of
./configure --prefix=/usr --sysconfdir=/etc --localstatedir=/var
Continue with the next commands:
./configure --prefix=/usr --sysconfdir=/etc --localstatedir=/var
make
sudo make install
sudo ldconfig
Auto setup
You can also use the available auto setup features of Suricata:
ex:
./configure && make && make install-conf
make install-conf
would do the regular "make install" and then it would automatically create/
setup all the necessary directories and suricata.yaml for you.
./configure && make && make install-rules
make install-rules
would do the regular "make install" and then it would automatically download
and set up the latest ruleset from Emerging Threats available for Suricata
./configure && make && make install-full
make install-full
would combine everything mentioned above (install-conf and install-rules) - and
will present you with a ready to run (configured and set up) Suricata
Please continue with Basic_Setup.
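Review bot: the removed Ubuntu page pins `suricata-1.3.3.tar.gz` fetched with plain `wget http://...` and no checksum or signature step, and its IPS package line `sudo apt-get -y install libnetfilter-queue-dev libnetfilter-queue1` continues onto `libnfnetlink-dev libnfnetlink0` without a trailing backslash, so a copy-paste runs the second line as a separate command; retiring it is right. Two steps here are worth checking for in the replacement install doc: the `--enable-nfqueue` configure variant with `--prefix=/usr --sysconfdir=/etc --localstatedir=/var`, and the `sudo ldconfig` after `sudo make install`.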

@ -1,115 +0,0 @@
Autogenerated on 2012-11-29
from - https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Ubuntu_Installation_from_GIT
Ubuntu Installation from GIT
In this document will be explained how to install and use the most recent code
of Suricata on Ubuntu. Installing from GIT on other operating systems is
basically the same, except that some commands are Ubuntu-specific (like sudo
and apt-get). In case you are using another operating system, you should
replace those commands by your operating-specific commands.
Pre-installation requirements
Before you can build Suricata for your system, run the following command to
ensure that you have everything you need for the installation.
sudo apt-get -y install libpcre3 libpcre3-dbg libpcre3-dev \
build-essential autoconf automake libtool libpcap-dev libnet1-dev \
libyaml-0-2 libyaml-dev zlib1g zlib1g-dev libcap-ng-dev libcap-ng0 \
make libmagic-dev
sudo apt-get install git-core
Depending on the current status of your system, it may take a while to complete
this process.
HTP
HTP is bundled with Suricata and installed automatically. If you need to
install HTP manually for other reasons, instructions can be found at HTP
library_installation.
IPS
By default, Suricata works as an IDS. If you want to use it as a IDS and IPS
program, enter:
sudo apt-get -y install libnetfilter-queue-dev libnetfilter-queue1
libnfnetlink-dev libnfnetlink0
Suricata
First, it is convenient to create a directory for Suricata. Name it 'suricata'
for example. Open the terminal and enter:
mkdir suricata
Followed by:
cd suricata
Next, enter the following line in the terminal:
git clone git://phalanx.openinfosecfoundation.org/oisf.git
cd oisf
Followed by:
./autogen.sh
To configure, please enter:
./configure
To compile, please enter:
make
To install Suricata, enter:
sudo make install
sudo ldconfig
Auto setup
You can also use the available auto setup features of Suricata:
ex:
./configure && make && make install-conf
make install-conf
would do the regular "make install" and then it would automatically create/
setup all the necessary directories and suricata.yaml for you.
./configure && make && make install-rules
make install-rules
would do the regular "make install" and then it would automatically download
and set up the latest ruleset from Emerging Threats available for Suricata
./configure && make && make install-full
make install-full
would combine everything mentioned above (install-conf and install-rules) - and
will present you with a ready to run (configured and set up) Suricata
Please continue with Basic_Setup.
In case you have already made a map for the most recent code, downloaded the
code into that map, and want to download recent code again, please enter:
cd suricata/oisf
next, enter:
git pull
After that, you start again at running autogen.
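Review bot: this hunk is the only one of the deleted pages that documents updating an existing source checkout (`cd suricata/oisf`, then `git pull`, then rerun `./autogen.sh`); if the remaining userguide has no equivalent "updating from git" section, it should gain one so that deleting this page does not lose the workflow. The rest duplicates the Ubuntu tarball page (same apt-get line without a continuation backslash, same `git://` clone URL), so no other content needs preserving.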

@ -1,189 +0,0 @@
Autogenerated on 2012-11-29
from - https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Windows
Windows
NOTE -
A new instruction set for Suricata installation (and/or compilation from
scratch) can be found here:
https://redmine.openinfosecfoundation.org/projects/suricata/files
also a windows binary - self extracting auto install package is available here:
http://www.openinfosecfoundation.org/index.php/download-suricata
Preparing the build environment
The instructions below should be followed in the order they appear. If your
configuration requires unique actions to compile the package and/or you
significantly modify the configure shell script, please e-mail the details of
your requirements and/or solution to bugreports@openinfosecfoundation.org.
Set up MinGW environment from http://mingw.org/
Do not use the automatic installer, as it is deprecated. Instead, manually
unpack the following packages to c:\mingw (you may use newer versions if you
prefer):
* binutils
o binutils-2.20-1-mingw32-bin.tar.gz
* mingw-runtime (dev and dll)
o mingwrt-3.17-mingw32-dll.tar.gz
o mingwrt-3.17-mingw32-dev.tar.gz
* w32api
o w32api-3.14-mingw32-dev.tar.gz
* Required runtime libraries for GCC (gmp, libiconv, MPFR and pthreads)
o gmp-4.2.4-mingw32-dll.tar.gz
o libiconv-1.13.1-1-mingw32-dll-2.tar.lzma
o mpfr-2.4.1-mingw32-dll.tar.gz
o pthreads-w32-2.8.0-mingw32-dll.tar.gz
* gcc-core (bin and dll)
o gcc-core-4.4.0-mingw32-bin.tar.gz
o gcc-core-4.4.0-mingw32-dll.tar.gz
* make
o make-3.81-20090914-mingw32-bin.tar.gz
* zlib
o libz-1.2.3-1-mingw32-dll-1.tar.gz
+ libz-1.2.3-1-mingw32-dev.tar.gz
Download MSYS
Get MSYS from http://sourceforge.net/projects/mingw/files/ and install
MSYS-1.0.11.exe (MSYS Base System)
msysDTK-1.0.1.exe (MSYS Suplementary Tools)
autoconf-2.63-1-msys-1.0.11-bin.tar.lzma
automake-1.11-1-msys-1.0.11-bin.tar.lzma
libtool-2.2.7a-1-msys-1.0.11-bin.tar.lzma
MSYS will ask the following questions during installation.
Accept Post Install: [y]
MinGW Installed? : [y]
path to MinGW: [c:/MinGW]
Download pkg-config
Install pkg-config taken from http://wiki.videolan.org/Win32CompileMSYSNew#PKG-
CONFIG
Download and extract the following into c:\Msys\1.0
http://ftp.gnome.org/pub/GNOME/binaries/win32/glib/2.18/glib_2.18.2-
1_win32.zip
ftp://ftp.gnome.org/pub/gnome/binaries/win32/dependencies/pkg-config_0.23-
3_win32.zip
ftp://ftp.gnome.org/pub/gnome/binaries/win32/dependencies/pkg-config-
dev_0.23-3_win32.zip
Set PKG_CONFIG_PATH=/win32/lib/pkgconfig
(e.g. by adding the Windows environment variable PKG_CONFIG_PATH in "Control
Panel"->"System"->"Advanced System Settings"->"Environment Variables" and
setting the value to /win32/lib/pkgconfig)
Download Git sources
Get Git sources from http://code.google.com/p/msysgit/
Unpack to /msys/1.0
Remember to edit ~/.gitconfig to set your username
Download libpcre
Get libpcre from http://www.pcre.org/
./configure --enable-utf8 --disable-cpp --prefix=/mingw
make
make install
Download libyaml
Download libyaml from http://pyyaml.org/wiki/LibYAML
Though libyaml does not support mingw compilation, it does work in static mode.
./configure --prefix=/mingw CFLAGS="-DYAML_DECLARE_STATIC"
make
make install
Download libpcap
Download the developer pack from http://www.winpcap.org/devel.htm
To have the driver in the system, download and install a corresponding
installer package from http://www.winpcap.org/install/default.htm
Copy includes to c:/mingw/include and libs (.a) to c:/mingw/lib
Rename libwpcap.a to libpcap.a
Get and compile Suricata
git clone git://phalanx.openinfosecfoundation.org/oisf.git
cd oisf
Because of an autotools port bug, you will need to do the following:
dos2unix.exe libhtp/configure.ac
dos2unix.exe libhtp/htp.pc.in
dos2unix.exe libhtp/Makefile.am
./autogen.sh
./configure CFLAGS="-DYAML_DECLARE_STATIC"
Add --enable-nfqueue as a configurable parameter to enable inline mode.
make
If the full installation is successful, suricata.exe will be located in
src/.lib. To test your build, you will need libpcre-0.dll, libz-1.dll, and
pthreadGC2.dll, all of which should already be installed under c:/mingw or c:/
msys.
preparing the runtime environment.
To prepare the runtime environment, you must copy the executable and DLLs to a
dedicated directory. Get the classification.config and suricata.yaml, and then
edit suricata.yaml to ensure the directories are correctly identified.
pcap mode
If you have not already done so, install winpcap runtime and its driver. Then,
determine your eth device UUID in the registry:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\
suricata.exe -c suricata.yaml -i \device\
In the example above, device should be replaced with your device uuid.
Inline mode
To operate in inline mode, you must download, compile and install
netfilterforwin, which is the netfilter.sys driver and Windows port of the
libnetfilter_queue library.
Download and install the Windows Driver Kit from Microsoft
http://www.microsoft.com/downloads/
details.aspx?displaylang=en&FamilyID=36a2630f-5d56-43b5-b996-7633f2ec14ff
Download netfilterforwin from http://sourceforge.net/projects/netfilterforwin/
Unpack it so the netfilterforwin directory is beside the oisf directory. You
must omit the version from its name.
Compile the driver
Open the correct build environment from your Start menu
Start > All Programs > Windows Driver Kits > WDK xxxx.yyyy.z > Build
Environments > Windows Server 2003 > x86 Free Build Environment
At your command line prompt, enter the following:
cd netfilterforwin/netfilter
nmake
Install the driver
Copy inf/* files and the freshly built netfilter.sys to a separate directory,
and then open the network connections.
Right-click an interface, then select Properties
Click install...
Select Service
Click Add
Click Have disk...
Browse to the directory with the inf files and netfilter.sys, select
netfilter.inf, and then click Ok.
Confirm everything
The driver is now installed.
Run Suricata in inline mode
suricata.exe -c suricata.yaml -q 0
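Review bot: the Windows hunk had readers fetch pkg-config and glib archives over `ftp://`, build and install a third-party `netfilter.sys` kernel driver from sourceforge, and rename `libwpcap.a` to `libpcap.a`, all without any integrity verification, so retiring it is the right call; the one piece worth keeping is the NOTE at the top pointing to the newer instruction set at https://redmine.openinfosecfoundation.org/projects/suricata/files and the Windows binary download, which should be linked from the remaining docs. If any of the build steps are ported, also check two details: `suricata.exe will be located in src/.lib` is most likely libtool's `src/.libs`, and `-i \device\` is a placeholder the text says to replace with the interface UUID found under the `...\Tcpip\Parameters\Interfaces\` registry key, which should be spelled out as such.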