Pre-installation requirements
Before you can build Suricata for your system, run the following command to ensure that you have everything you need for the installation.
If you have pf_ring already installed, you might want to do:
before continuing with the installation below.
If this is the first time you are installing pf_ring:
Go to your preferred download directory and get the latest stable PF_RING (6.0.3 at the time of this writing)
NOT as root:
wget http://sourceforge.net/projects/ntop/files/PF_RING/PF_RING-6.0.3.tar.gz
Compile and install
Next, enter the following commands for configuration and installation
NOT as root:
tar -zxf PF_RING-6.0.3.tar.gz
cd PF_RING-6.0.3/
make
elevate as root
sudo -i
cd kernel; make install
cd ../userland/lib; make install
then:
sudo modprobe pf_ring
To check if you have everything you need, enter:
modinfo pf_ring && cat /proc/net/pf_ring/info
Suricata
The example below uses the suricata-2.0.8 release.
To download and build Suricata, enter the following:
Compile and install the engine
./configure --prefix=/usr --sysconfdir=/etc --localstatedir=/var \
--enable-pfring --with-libpfring-includes=/usr/local/pfring/include \
--with-libpfring-libraries=/usr/local/pfring/lib
If you get an error during the configure stage (this can happen with PF_RING 5.6.2 and above), configure like this instead:
LIBS="-lrt -lnuma" ./configure --prefix=/usr --sysconfdir=/etc --localstatedir=/var \
--enable-pfring --with-libpfring-includes=/usr/local/pfring/include \
--with-libpfring-libraries=/usr/local/pfring/lib
Then:
make
sudo make install
sudo ldconfig
Auto setup
You can also use the available auto setup features of Suricata:
for example:
./configure && make && make install-conf
make install-conf
does the regular "make install" and then automatically creates and sets up all the necessary directories and suricata.yaml for you.
./configure && make && make install-rules
make install-rules
does the regular "make install" and then automatically downloads and sets up the latest Emerging Threats ruleset available for Suricata.
./configure && make && make install-full
make install-full
combines everything mentioned above (install-conf and install-rules) and leaves you with a ready-to-run (configured and set up) Suricata.
You can always check whether PF_RING support was built in properly by entering:
suricata --build-info
you should see:
To run Suricata with PF_RING, enter:
Continue with the Basic Setup.
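As an added example that is not part of the original page or of the Suricata project, the following POSIX shell script automates the configure step above, falling back to the LIBS="-lrt -lnuma" variant only when the plain ./configure fails, and then checks the output of suricata --build-info for PF_RING support before the build is trusted. It assumes the /usr/local/pfring prefix used above and the Suricata 2.0.x --build-info layout (a "PF_RING support:" line in the configuration summary); the two sample build-info texts embedded in it are constructed, and the build_and_verify function only runs when the script is invoked with the argument "build" from inside an unpacked Suricata source tree.

```shell
#!/bin/sh
# Added example (not from the Suricata docs or project): wrap the PF_RING-enabled
# ./configure so the LIBS="-lrt -lnuma" workaround is applied automatically when
# the plain configure fails, then verify PF_RING support from `suricata --build-info`.
# Assumptions: PF_RING installed under /usr/local/pfring (as on the page) and the
# Suricata 2.0.x --build-info format ("PF_RING support: yes" in the summary).
set -e

# configure_suricata PREFIX [CONFIGURE_CMD]
# Runs configure with the PF_RING flags from the page. On failure it retries once
# with LIBS="-lrt -lnuma". CONFIGURE_CMD defaults to ./configure; it can be any
# command or shell function, which is how the stand-alone test below stubs it.
# Sets CONFIGURE_MODE to "plain", "libs" or "failed" and returns 0 on success.
configure_suricata() {
    prefix=${1:-/usr/local/pfring}
    configure=${2:-./configure}
    set -- --prefix=/usr --sysconfdir=/etc --localstatedir=/var \
        --enable-pfring \
        --with-libpfring-includes="$prefix/include" \
        --with-libpfring-libraries="$prefix/lib"
    if "$configure" "$@"; then
        CONFIGURE_MODE=plain
        return 0
    fi
    echo "configure failed; retrying with LIBS=\"-lrt -lnuma\"" >&2
    # Subshell so the extra LIBS applies only to this retry, not to later commands.
    if ( export LIBS="-lrt -lnuma"; "$configure" "$@" ); then
        CONFIGURE_MODE=libs
        return 0
    fi
    CONFIGURE_MODE=failed
    return 1
}

# pfring_built_in
# Reads `suricata --build-info` output on stdin; succeeds only if the
# configuration summary reports PF_RING support (2.0.x layout assumed).
pfring_built_in() {
    grep -Eq '^[[:space:]]*PF_RING support:[[:space:]]*yes([[:space:]]|$)'
}

# Full procedure from the page: configure (with fallback), build, install,
# refresh the linker cache, then refuse to call it done if the installed
# binary was built without PF_RING. Run from the unpacked source tree.
build_and_verify() {
    configure_suricata /usr/local/pfring ./configure
    echo "configured ($CONFIGURE_MODE)"
    make
    sudo make install
    sudo ldconfig
    suricata --build-info | pfring_built_in || {
        echo "installed suricata was built without PF_RING support" >&2
        return 1
    }
    echo "PF_RING support confirmed"
}

# Constructed (abridged) samples of `suricata --build-info` output for a
# stand-alone run; real output is longer.
SAMPLE_BUILD_INFO='This is Suricata version 2.0.8 RELEASE
Features: PCAP_SET_BUFF LIBPCAP_VERSION_MAJOR=1 PF_RING AF_PACKET LIBCAP_NG PCRE_JIT
Suricata Configuration:
  AF_PACKET support:                       yes
  PF_RING support:                         yes
  NFQueue support:                         no'

SAMPLE_NO_PFRING='This is Suricata version 2.0.8 RELEASE
Features: PCAP_SET_BUFF LIBPCAP_VERSION_MAJOR=1 AF_PACKET LIBCAP_NG
Suricata Configuration:
  AF_PACKET support:                       yes
  PF_RING support:                         no'

if [ "${1:-}" = build ]; then
    build_and_verify
else
    # Demo on the constructed samples when run without arguments.
    printf '%s\n' "$SAMPLE_BUILD_INFO" | pfring_built_in && echo "sample 1: PF_RING built in"
    printf '%s\n' "$SAMPLE_NO_PFRING" | pfring_built_in || echo "sample 2: PF_RING missing"
fi
```

Run it with no arguments to exercise the check on the samples, or as "sh build-pfring.sh build" inside the suricata-2.0.8 directory to perform the real build; the build-info check is the same one to run by hand after any later rebuild of the package.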