Tuesday, December 31, 2013

Suricata cocktails (handy one-liners)




Some of my favorite cocktails (one-liners) :)

These cocktails build Suricata from git master (the latest development code). Tested on Ubuntu and Debian; you can copy/paste them as-is.
One caveat before you paste: git:// is an unauthenticated transport. For a build you intend to deploy, clone over https where the project offers it and pin to a commit you have looked at.

Before you start, make sure you have the below packages installed.

General packages needed:
apt-get -y install libpcre3 libpcre3-dbg libpcre3-dev \
build-essential autoconf automake libtool libpcap-dev libnet1-dev \
libyaml-0-2 libyaml-dev zlib1g zlib1g-dev libcap-ng-dev libcap-ng0 \
make flex bison git git-core subversion libmagic-dev


For MD5 support (file extraction; Suricata uses libnss to hash extracted files):
apt-get install libnss3-dev libnspr4-dev


For GeoIP:
apt-get install libgeoip1 libgeoip-dev


For the first three (3) cocktails/recipes you would also need:
  1. PF_RING as explained HERE (the configure lines below assume it lives under /usr/local/pfring)
  2. luajit as explained HERE (headers under /usr/local/include/luajit-2.0/, library in /usr/lib/x86_64-linux-gnu/)
and use Suricata's git master - latest dev edition.


Cocktail 1

Suricata - latest dev edition plus enabled:
  1. pf_ring
  2. Luajit scripting
  3. GeoIP
  4. Filemagic/MD5

In case configure fails with the pfring error:
    checking for pfring_open in -lpfring... no

       ERROR! --enable-pfring was passed but the library was not found
       or version is >4, go get it
       from http://www.ntop.org/PF_RING.html

The "LIBS=-lrt" in front of "./configure" below addresses that problem: configure's link test for pfring_open fails when libpfring's dependency on librt is not on the link line, and pre-seeding LIBS adds it. If configure already passes the check on your system, you can drop it (that is the only difference between Cocktail 1 and Cocktail 3).


git clone git://phalanx.openinfosecfoundation.org/oisf.git && cd oisf/ && \
git clone https://github.com/ironbee/libhtp.git -b 0.5.x && \
./autogen.sh && LIBS=-lrt ./configure  --enable-pfring --enable-luajit --enable-geoip \
--with-libpfring-includes=/usr/local/pfring/include/ \
--with-libpfring-libraries=/usr/local/pfring/lib/ \
--with-libpcap-includes=/usr/local/pfring/include/ \
--with-libpcap-libraries=/usr/local/pfring/lib/ \
--with-libnss-libraries=/usr/lib \
--with-libnss-includes=/usr/include/nss/ \
--with-libnspr-libraries=/usr/lib \
--with-libnspr-includes=/usr/include/nspr \
--with-libluajit-includes=/usr/local/include/luajit-2.0/ \
--with-libluajit-libraries=/usr/lib/x86_64-linux-gnu/ \
&& sudo make clean && sudo make && sudo make install \
&& sudo ldconfig


Cocktail 2

Suricata - latest dev edition plus enabled:
  1. pf_ring
  2. Luajit scripting
  3. GeoIP
  4. Filemagic/MD5
  5. Debugging (CFLAGS="-O0 -ggdb": no optimization, gdb symbols - for debugging sessions, not for a production sensor)

git clone git://phalanx.openinfosecfoundation.org/oisf.git && cd oisf/ && \
git clone https://github.com/ironbee/libhtp.git -b 0.5.x && \
./autogen.sh && CFLAGS="-O0 -ggdb"  \
./configure  \
--enable-pfring --enable-luajit --enable-geoip \
--with-libpfring-includes=/usr/local/pfring/include/ \
--with-libpfring-libraries=/usr/local/pfring/lib/ \
--with-libpcap-includes=/usr/local/pfring/include/ \
--with-libpcap-libraries=/usr/local/pfring/lib/ \
--with-libnss-libraries=/usr/lib \
--with-libnss-includes=/usr/include/nss/ \
--with-libnspr-libraries=/usr/lib \
--with-libnspr-includes=/usr/include/nspr \
--with-libluajit-includes=/usr/local/include/luajit-2.0/ \
--with-libluajit-libraries=/usr/lib/x86_64-linux-gnu/ \
&& sudo make clean && sudo make && sudo make install \
&& sudo ldconfig


Cocktail 3

Suricata - latest dev edition plus enabled (same as Cocktail 1, without the LIBS=-lrt workaround):
  1. pf_ring
  2. Luajit scripting
  3. GeoIP
  4. Filemagic/MD5


git clone git://phalanx.openinfosecfoundation.org/oisf.git && cd oisf/ && \
git clone https://github.com/ironbee/libhtp.git -b 0.5.x && \
./autogen.sh && ./configure  \
--enable-pfring --enable-luajit --enable-geoip \
--with-libpfring-includes=/usr/local/pfring/include/ \
--with-libpfring-libraries=/usr/local/pfring/lib/ \
--with-libpcap-includes=/usr/local/pfring/include/ \
--with-libpcap-libraries=/usr/local/pfring/lib/ \
--with-libnss-libraries=/usr/lib \
--with-libnss-includes=/usr/include/nss/ \
--with-libnspr-libraries=/usr/lib \
--with-libnspr-includes=/usr/include/nspr \
--with-libluajit-includes=/usr/local/include/luajit-2.0/ \
--with-libluajit-libraries=/usr/lib/x86_64-linux-gnu/ \
&& sudo make clean && sudo make && sudo make install \
&& sudo ldconfig

Cocktail 4

Suricata - latest dev edition plus enabled:
  1. GeoIP
  2. Filemagic/MD5

git clone git://phalanx.openinfosecfoundation.org/oisf.git && cd oisf/ && \
git clone https://github.com/ironbee/libhtp.git -b 0.5.x && \
./autogen.sh && ./configure --enable-geoip \
--with-libnss-libraries=/usr/lib \
--with-libnss-includes=/usr/include/nss/ \
--with-libnspr-libraries=/usr/lib \
--with-libnspr-includes=/usr/include/nspr \
&& sudo make clean && sudo make && sudo make install \
&& sudo ldconfig

Cocktail 5

Suricata - latest dev edition plus enabled:
  1. GeoIP

git clone git://phalanx.openinfosecfoundation.org/oisf.git && cd oisf/ && \
git clone https://github.com/ironbee/libhtp.git -b 0.5.x && \
./autogen.sh && ./configure --enable-geoip \
&& sudo make clean && sudo make && sudo make install \
&& sudo ldconfig






Cocktail 6

Suricata - latest dev edition plus enabled:
  1. Filemagic/MD5

git clone git://phalanx.openinfosecfoundation.org/oisf.git && cd oisf/ && \
git clone https://github.com/ironbee/libhtp.git -b 0.5.x && \
./autogen.sh && ./configure \
--with-libnss-libraries=/usr/lib \
--with-libnss-includes=/usr/include/nss/ \
--with-libnspr-libraries=/usr/lib \
--with-libnspr-includes=/usr/include/nspr \
&& sudo make clean && sudo make && sudo make install \
&& sudo ldconfig



Cocktail 7

Suricata - latest dev edition - default

git clone git://phalanx.openinfosecfoundation.org/oisf.git && cd oisf/ && \
git clone https://github.com/ironbee/libhtp.git -b 0.5.x && \
./autogen.sh && ./configure \
&& sudo make clean \
&& sudo make \
&& sudo make install \
&& sudo ldconfig



Issue "suricata --build-info" after compile and installation to verify that the features you asked for actually made it into the binary; configure silently drops an optional feature whose headers it could not find, so check the "Features:" line rather than trusting the configure flags.
You can tweak the cocktails any way you want, depending on your library locations and the features you enable in Suricata. (Only "make install" needs root; the "sudo" on "make clean" and "make" is there for convenience, not necessity.)
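Checking the Features line by eye gets old after the third cocktail, so here is a small POSIX sh helper, added here as an example and not part of the original post or of Suricata, that compares a --build-info dump against the feature tokens a given cocktail was supposed to enable. The build-info text it runs against is a constructed sample, and the token names (PF_RING, HAVE_LUAJIT, HAVE_GEOIP, HAVE_NSS, HAVE_MAGIC) are assumed to match what your Suricata prints on its "Features:" line; adjust them if your build reports different names.

```shell
#!/bin/sh
# Added example, not code from the original post or from Suricata.
# Verifies that a `suricata --build-info` dump lists the feature tokens a
# cocktail was meant to enable. Token names are assumptions; adjust to
# whatever your build prints on its "Features:" line.

# Constructed sample of --build-info output (a stand-in for the real thing).
SAMPLE_BUILD_INFO='This is Suricata version 2.0dev (rev 0000000)
Features: PCAP_SET_BUFF PF_RING AF_PACKET HAVE_PACKET_FANOUT LIBCAP_NG LIBNET1.1 PCRE_JIT HAVE_NSS HAVE_LUAJIT HAVE_LIBJANSSON HAVE_GEOIP HAVE_MAGIC
SIMD support: SSE_4_2 SSE_4_1 SSE_3
64-bits, Little-endian architecture'

# Same sample with PF_RING removed from the Features line, to show a failed
# check (this is what you see when configure silently dropped a feature).
SAMPLE_NO_PFRING=$(printf '%s\n' "$SAMPLE_BUILD_INFO" | sed '/^Features:/ s/ PF_RING / /')

# features_of BUILD_INFO_TEXT -> prints the tokens of the "Features:" line
features_of() {
    printf '%s\n' "$1" | awk -F': ' '/^Features:/ { print $2; exit }'
}

# missing_features BUILD_INFO_TEXT TOKEN... -> prints each required token
# absent from the Features line; exit 0 if nothing is missing, 1 otherwise.
missing_features() {
    info=$1; shift
    have=" $(features_of "$info") "
    rc=0
    for want in "$@"; do
        case "$have" in
            *" $want "*) ;;                      # token present
            *) printf '%s\n' "$want"; rc=1 ;;    # token missing
        esac
    done
    return $rc
}

# check_cocktail NAME BUILD_INFO_TEXT TOKEN... -> one-line verdict, exit
# status mirrors missing_features so it can gate a deployment script.
check_cocktail() {
    name=$1; info=$2; shift 2
    if missing=$(missing_features "$info" "$@"); then
        echo "$name: all required features present"
        return 0
    fi
    echo "$name: MISSING:" $missing
    return 1
}

# Cocktail 1 wants pf_ring + luajit + geoip + filemagic/md5.
check_cocktail "Cocktail 1 (full build)" "$SAMPLE_BUILD_INFO" \
    PF_RING HAVE_LUAJIT HAVE_GEOIP HAVE_NSS HAVE_MAGIC
# Same requirement against the sample without PF_RING: non-zero exit is the
# expected result here, so it is allowed to fail in this demonstration.
check_cocktail "Cocktail 1 (PF_RING dropped)" "$SAMPLE_NO_PFRING" \
    PF_RING HAVE_LUAJIT HAVE_GEOIP HAVE_NSS HAVE_MAGIC || true
# Cocktail 6 only needs filemagic/md5.
check_cocktail "Cocktail 6" "$SAMPLE_BUILD_INFO" HAVE_NSS HAVE_MAGIC

# Against the real installed binary, replace the sample with:
#   check_cocktail "installed" "$(suricata --build-info)" PF_RING HAVE_LUAJIT
```

The token check is done with a `case` glob on a space-padded copy of the Features line, so a token only matches as a whole word (HAVE_LUA does not satisfy a requirement for HAVE_LUAJIT). Because the exit status is meaningful, the same function can sit in a post-install step and refuse to roll out a sensor whose build lost a feature.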



