Suricata ids/ips – dropping privileges


This tutorial is intended for Linux (Debian/Ubuntu).

Install the prerequisite packages needed to compile Suricata. I enable some optional features as well, so in my case I usually install:

apt-get -y install libpcre3 libpcre3-dbg libpcre3-dev \
build-essential autoconf automake libtool libpcap-dev libnet1-dev \
libyaml-0-2 libyaml-dev zlib1g zlib1g-dev make flex bison \
libmagic-dev

For Eve (all JSON output):

apt-get install libjansson-dev libjansson4

For MD5 support (file extraction):

apt-get install libnss3-dev libnspr4-dev

For GeoIP:

apt-get install libgeoip1 libgeoip-dev

For nfqueue (IPS mode):

apt-get install libnetfilter-queue-dev libnetfilter-queue1 libnfnetlink-dev libnfnetlink0

For the dropping privileges part you can simply do:

apt-get install libcap-ng0 libcap-ng-dev

OR get the latest libcap-ng version from here:
http://people.redhat.com/sgrubb/libcap-ng/
like so:

wget http://people.redhat.com/sgrubb/libcap-ng/libcap-ng-0.7.4.tar.gz

tar -zxf libcap-ng-0.7.4.tar.gz
cd libcap-ng-0.7.4
./configure && make && make install
cd ..

Let’s fetch and compile Suricata:

wget http://www.openinfosecfoundation.org/download/suricata-2.0.4.tar.gz
tar -xzf suricata-2.0.4.tar.gz

cd suricata-2.0.4

A one-liner, one of my favorites:

./configure --prefix=/usr/ --sysconfdir=/etc/ --localstatedir=/var/ --disable-gccmarch-native \
--enable-geoip --with-libnss-libraries=/usr/lib --with-libnss-includes=/usr/include/nss/ \
--enable-nfqueue \
--with-libcap_ng-libraries=/usr/local/lib --with-libcap_ng-includes=/usr/local/include \
--with-libnspr-libraries=/usr/lib --with-libnspr-includes=/usr/include/nspr && \
make clean && make && make install-full && ldconfig

Above we also enable some other features (GeoIP, nfqueue, NSS/NSPR for MD5). You can run

root@IDS:~/suricata-2.0.4# ./configure --help

to see what each option is for. But this part:

--with-libcap_ng-libraries=/usr/local/lib --with-libcap_ng-includes=/usr/local/include

is the one you need to compile and enable dropping privileges in Suricata. The paths point at /usr/local because that is where "make install" of the libcap-ng tarball above puts the library; if you installed the Debian/Ubuntu libcap-ng-dev package instead, use /usr/lib and /usr/include.

Then you can run Suri like so:

/usr/bin/suricata -c /etc/suricata/suricata.yaml --pidfile /var/run/suricata.pid --af-packet -D -v --user=logstash

Make sure the log directory has the right permissions to allow the user "logstash" to write to it.
After you start Suricata, you should see something similar:

root@IDS:~# ls -lh /var/log/suricata/
total 77M
drwxr-xr-x 2 logstash logstash 4.0K Oct 15 13:06 certs
drwxr-xr-x 2 logstash logstash 4.0K Oct 15 13:06 core
-rw-r----- 1 logstash logstash  18M Oct 26 10:48 eve.json
-rw-r----- 1 logstash logstash 806K Oct 26 10:48 fast.log
drwxr-xr-x 2 logstash logstash 4.0K Oct 15 13:06 files
drwxr-xr-x 2 logstash logstash 4.0K Oct 26 06:26 StatsByDate
-rw-r--r-- 1 root     root      58M Oct 26 10:48 stats.log
-rw-r--r-- 1 root     root     1.1K Oct 26 09:15 suricata-start.log
root@IDS:~#

Notice the logstash ownership of the output files, and that the process itself is no longer root:

root@IDS:~# ps aux |grep suricata
logstash  2189 11.0 10.6 420448 219972 ?       Ssl  09:15  13:04 /usr/bin/suricata -c /etc/suricata/suricata.yaml --pidfile /var/run/suricata.pid --af-packet -D -v --user=logstash
root@IDS:~#

Now you have Suricata IDS/IPS running as the user logstash (not as root).
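The ls and ps checks above are done by eye; the script below does the same checks in a repeatable way and adds the one that matters most for a privilege drop: what the process can still do. This is an added example and not part of the original post or of Suricata itself. It assumes a Linux /proc, GNU coreutils stat, and the tutorial's paths (/var/run/suricata.pid, /var/log/suricata); the capability bit numbers (CAP_NET_ADMIN=12, CAP_NET_RAW=13) come from linux/capability.h. A capture engine that dropped to an unprivileged user still needs CAP_NET_RAW for AF_PACKET sockets, so the script reads CapEff from /proc/PID/status and decodes it rather than only looking at the user column of ps.

```shell
#!/bin/sh
# Added example (not from the original post): post-start checks that Suricata
# runs as the intended user, keeps only what packet capture needs, and can
# write its log directory. Assumes Linux /proc and GNU coreutils stat.

# Capability bit numbers from linux/capability.h.
CAP_NET_ADMIN=12
CAP_NET_RAW=13

# cap_set HEXMASK BIT -> prints 1 if BIT is set in the hex CapEff mask, else 0.
cap_set() {
    printf '%s\n' "$(( (0x$1 >> $2) & 1 ))"
}

# summarize_caps HEXMASK -> "net_admin=<0|1> net_raw=<0|1>"
summarize_caps() {
    printf 'net_admin=%s net_raw=%s\n' \
        "$(cap_set "$1" "$CAP_NET_ADMIN")" "$(cap_set "$1" "$CAP_NET_RAW")"
}

# proc_user PID -> user name the process runs as (effective uid is the
# third field of the "Uid:" line in /proc/PID/status).
proc_user() {
    euid=$(awk '/^Uid:/ {print $3}' "/proc/$1/status") || return 1
    id -un "$euid"
}

# proc_capeff PID -> effective capability mask (hex) from /proc/PID/status
proc_capeff() {
    awk '/^CapEff:/ {print $2}' "/proc/$1/status"
}

# dir_owned_by DIR USER -> prints "ok" when DIR is owned by USER,
# otherwise "bad:<actual owner>" (or "bad:missing"), and returns 1.
dir_owned_by() {
    owner=$(stat -c '%U' "$1" 2>/dev/null) || { printf 'bad:missing\n'; return 1; }
    if [ "$owner" = "$2" ]; then
        printf 'ok\n'
    else
        printf 'bad:%s\n' "$owner"
        return 1
    fi
}

# check_suricata USER [PIDFILE] [LOGDIR] -> prints findings; returns 0 only
# when the process runs as USER, still has CAP_NET_RAW, and owns LOGDIR.
check_suricata() {
    user=$1
    pidfile=${2:-/var/run/suricata.pid}
    logdir=${3:-/var/log/suricata}
    rc=0
    pid=$(cat "$pidfile" 2>/dev/null) || { echo "no pidfile at $pidfile"; return 1; }
    actual=$(proc_user "$pid") || { echo "pid $pid not found in /proc"; return 1; }
    if [ "$actual" = "$user" ]; then
        echo "pid $pid runs as $actual"
    else
        echo "pid $pid runs as $actual, expected $user"; rc=1
    fi
    caps=$(proc_capeff "$pid")
    echo "CapEff $caps -> $(summarize_caps "$caps")"
    [ "$(cap_set "$caps" "$CAP_NET_RAW")" = 1 ] || { echo "CAP_NET_RAW missing: capture will fail"; rc=1; }
    res=$(dir_owned_by "$logdir" "$user") || rc=1
    echo "$logdir owner check: $res"
    return $rc
}

# Typical invocation on the box from the tutorial (uncomment to run):
# check_suricata logstash
```

A root process shows a CapEff such as 0000003fffffffff (every bit set); after a successful drop you expect a mask with only a few low bits, CAP_NET_RAW among them. A process that shows "logstash" in ps but still carries the full mask has changed uid without actually shedding capabilities, which is exactly the case this check is meant to catch.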

