Some of my favorite cocktails (one-liners) :)
Suricata cocktails with git master. Tested on Ubuntu and Debian.
You can just copy/paste.
Before you start, make sure you have the packages below installed.
General packages needed:
apt-get -y install libpcre3 libpcre3-dbg libpcre3-dev \
build-essential autoconf automake libtool libpcap-dev libnet1-dev \
libyaml-0-2 libyaml-dev zlib1g zlib1g-dev libcap-ng-dev libcap-ng0 \
make flex bison git git-core subversion libmagic-dev
For MD5 support (file extraction):
apt-get install libnss3-dev libnspr4-dev
For GeoIP:
apt-get install libgeoip1 libgeoip-dev
For the first three (3) cocktails/recipes you also need PF_RING and LuaJIT installed (the configure lines below expect PF_RING under /usr/local/pfring and the LuaJIT headers under /usr/local/include/luajit-2.0), and use Suricata's git master - latest dev edition.
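Before pasting a one-liner it is worth knowing which of the packages above are actually missing, so the build does not die half way through ./configure. The script below is an added example, not part of the original post; it assumes a Debian/Ubuntu host where `dpkg-query -W -f='${Package} ${Status}\n'` prints one "name want flag status" line per package, and it demonstrates the check on a constructed status list rather than on a live system.

```shell
#!/bin/sh
# Added example (not part of the original post): list which of the build
# prerequisites above are not installed. Assumes Debian/Ubuntu dpkg-query output.

# All packages from the three apt-get lines above (general + MD5 + GeoIP).
REQUIRED_PKGS="libpcre3 libpcre3-dbg libpcre3-dev build-essential autoconf
automake libtool libpcap-dev libnet1-dev libyaml-0-2 libyaml-dev zlib1g
zlib1g-dev libcap-ng-dev libcap-ng0 make flex bison git git-core subversion
libmagic-dev libnss3-dev libnspr4-dev libgeoip1 libgeoip-dev"

# Reads lines in the format printed by
#   dpkg-query -W -f='${Package} ${Status}\n'
# i.e. "<name> <want> <flag> <status>", and prints only the names whose
# status is "install ok installed" (a removed package with leftover config
# files shows up as "deinstall ok config-files" and is skipped).
installed_from_status() {
    awk '$2 == "install" && $3 == "ok" && $4 == "installed" { print $1 }'
}

# $1 = file holding dpkg-query status lines.
# Prints every required package that is not installed, one per line, in the
# order of REQUIRED_PKGS; returns 1 if anything is missing, 0 otherwise.
missing_packages() {
    installed=$(installed_from_status < "$1")
    rc=0
    for pkg in $REQUIRED_PKGS; do
        # -x: whole-line match, so libpcre3 does not match libpcre3-dev; -F: literal
        if ! printf '%s\n' "$installed" | grep -qxF -- "$pkg"; then
            echo "$pkg"
            rc=1
        fi
    done
    return $rc
}

# Real use on the build host:
#   dpkg-query -W -f='${Package} ${Status}\n' > /tmp/dpkg-status.txt
#   apt-get -y install $(missing_packages /tmp/dpkg-status.txt)

# Constructed sample (not real dpkg output) for an offline demo: everything
# present except libgeoip-dev (never installed) and libnss3-dev (removed,
# config files left behind).
sample_dpkg_status() {
    for pkg in $REQUIRED_PKGS; do
        case $pkg in
            libgeoip-dev) ;;
            libnss3-dev) echo "$pkg deinstall ok config-files" ;;
            *) echo "$pkg install ok installed" ;;
        esac
    done
}

tmp=$(mktemp)
sample_dpkg_status > "$tmp"
if missing_packages "$tmp"; then
    echo "all prerequisites present"
else
    echo "-> apt-get install the packages listed above before running ./configure"
fi
rm -f "$tmp"
```

On the constructed sample the demo prints libnss3-dev and libgeoip-dev: a package that was removed but still has config files counts as missing, which is the case a plain `dpkg -l | grep` check tends to get wrong.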
Cocktail 1
Suricata - latest dev edition plus enabled:
- pf_ring
- Luajit scripting
- GeoIP
- Filemagic/MD5
In case you get this pf_ring error from ./configure:
checking for pfring_open in -lpfring... no
ERROR! --enable-pfring was passed but the library was not found
or version is >4, go get it
from http://www.ntop.org/PF_RING.html
even though PF_RING is installed, the "LIBS=-lrt" in front of "./configure" below addresses that problem: newer PF_RING (5.x) libraries depend on librt, so configure's link test for pfring_open fails unless -lrt is added. If PF_RING really is not installed, get it from the URL in the message first.
git clone git://phalanx.openinfosecfoundation.org/oisf.git && cd oisf/ && \
git clone https://github.com/ironbee/libhtp.git -b 0.5.x && \
./autogen.sh && LIBS=-lrt ./configure --enable-pfring --enable-luajit --enable-geoip \
--with-libpfring-includes=/usr/local/pfring/include/ \
--with-libpfring-libraries=/usr/local/pfring/lib/ \
--with-libpcap-includes=/usr/local/pfring/include/ \
--with-libpcap-libraries=/usr/local/pfring/lib/ \
--with-libnss-libraries=/usr/lib \
--with-libnss-includes=/usr/include/nss/ \
--with-libnspr-libraries=/usr/lib \
--with-libnspr-includes=/usr/include/nspr \
--with-libluajit-includes=/usr/local/include/luajit-2.0/ \
--with-libluajit-libraries=/usr/lib/x86_64-linux-gnu/ \
&& sudo make clean && sudo make && sudo make install \
&& sudo ldconfig
Cocktail 2
Suricata - latest dev edition plus enabled:
- pf_ring
- Luajit scripting
- GeoIP
- Filemagic/MD5
- Debugging (CFLAGS="-O0 -ggdb": no optimisation, full debug symbols)
git clone git://phalanx.openinfosecfoundation.org/oisf.git && cd oisf/ && \
git clone https://github.com/ironbee/libhtp.git -b 0.5.x && \
./autogen.sh && CFLAGS="-O0 -ggdb" \
./configure \
--enable-pfring --enable-luajit --enable-geoip \
--with-libpfring-includes=/usr/local/pfring/include/ \
--with-libpfring-libraries=/usr/local/pfring/lib/ \
--with-libpcap-includes=/usr/local/pfring/include/ \
--with-libpcap-libraries=/usr/local/pfring/lib/ \
--with-libnss-libraries=/usr/lib \
--with-libnss-includes=/usr/include/nss/ \
--with-libnspr-libraries=/usr/lib \
--with-libnspr-includes=/usr/include/nspr \
--with-libluajit-includes=/usr/local/include/luajit-2.0/ \
--with-libluajit-libraries=/usr/lib/x86_64-linux-gnu/ \
&& sudo make clean && sudo make && sudo make install \
&& sudo ldconfig
Cocktail 3
Suricata - latest dev edition plus enabled (same as Cocktail 1 but without the LIBS=-lrt workaround; use it when the pfring_open check already passes):
- pf_ring
- Luajit scripting
- GeoIP
- Filemagic/MD5
git clone git://phalanx.openinfosecfoundation.org/oisf.git && cd oisf/ && \
git clone https://github.com/ironbee/libhtp.git -b 0.5.x && \
./autogen.sh && ./configure \
--enable-pfring --enable-luajit --enable-geoip \
--with-libpfring-includes=/usr/local/pfring/include/ \
--with-libpfring-libraries=/usr/local/pfring/lib/ \
--with-libpcap-includes=/usr/local/pfring/include/ \
--with-libpcap-libraries=/usr/local/pfring/lib/ \
--with-libnss-libraries=/usr/lib \
--with-libnss-includes=/usr/include/nss/ \
--with-libnspr-libraries=/usr/lib \
--with-libnspr-includes=/usr/include/nspr \
--with-libluajit-includes=/usr/local/include/luajit-2.0/ \
--with-libluajit-libraries=/usr/lib/x86_64-linux-gnu/ \
&& sudo make clean && sudo make && sudo make install \
&& sudo ldconfig
Cocktail 4
Suricata - latest dev edition plus enabled (no pf_ring, no Luajit):
- GeoIP
- Filemagic/MD5
git clone git://phalanx.openinfosecfoundation.org/oisf.git && cd oisf/ && \
git clone https://github.com/ironbee/libhtp.git -b 0.5.x && \
./autogen.sh && ./configure --enable-geoip \
--with-libnss-libraries=/usr/lib \
--with-libnss-includes=/usr/include/nss/ \
--with-libnspr-libraries=/usr/lib \
--with-libnspr-includes=/usr/include/nspr \
&& sudo make clean && sudo make && sudo make install \
&& sudo ldconfig
Cocktail 5
Suricata - latest dev edition plus enabled:
- GeoIP
git clone git://phalanx.openinfosecfoundation.org/oisf.git && cd oisf/ && \
git clone https://github.com/ironbee/libhtp.git -b 0.5.x && \
./autogen.sh && ./configure --enable-geoip \
&& sudo make clean && sudo make && sudo make install \
&& sudo ldconfig
Cocktail 6
Suricata - latest dev edition plus enabled:
- Filemagic/MD5
git clone git://phalanx.openinfosecfoundation.org/oisf.git && cd oisf/ && \
git clone https://github.com/ironbee/libhtp.git -b 0.5.x && \
./autogen.sh && ./configure \
--with-libnss-libraries=/usr/lib \
--with-libnss-includes=/usr/include/nss/ \
--with-libnspr-libraries=/usr/lib \
--with-libnspr-includes=/usr/include/nspr \
&& sudo make clean && sudo make && sudo make install \
&& sudo ldconfig
Cocktail 7
Suricata - latest dev edition - default (no extra configure options)
git clone git://phalanx.openinfosecfoundation.org/oisf.git && cd oisf/ && \
git clone https://github.com/ironbee/libhtp.git -b 0.5.x && \
./autogen.sh && ./configure \
&& sudo make clean \
&& sudo make \
&& sudo make install \
&& sudo ldconfig
Run suricata --build-info after compiling and installing to verify which features were built in (pf_ring, LuaJIT, GeoIP, libnss and so on should show as yes for the cocktail you used).
You can twist the configure line any way you want, depending on where your libraries live and which features you want enabled in Suricata.
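A quick way to turn that verification into a pass/fail check is to parse the "Label: value" lines of the build-info output. The script below is an added example, not part of the original post or of Suricata itself; the labels it looks for ("PF_RING support", "libluajit", "libgeoip", "libnss support") are assumed from the 2.0-era --build-info output and may need adjusting for other versions, and the sample it runs on is constructed, not real suricata output.

```shell
#!/bin/sh
# Added example (not part of the original post): check that the features a
# cocktail was meant to enable really made it into the binary, by parsing the
# "Label:   value" lines of `suricata --build-info`. The labels below are
# assumed from the 2.0-era output; if your build prints different labels,
# adjust the list passed to check_build_info.

# $1 = label (text before the colon); build-info text on stdin.
# Prints the value of the first matching line ("yes", "no", ...), or
# "missing" if no line carries that label.
build_info_value() {
    sed 's/^[[:space:]]*//' | awk -F': *' -v label="$1" '
        $1 == label { sub(/ *$/, "", $2); print $2; found = 1; exit }
        END { if (!found) print "missing" }'
}

# $1 = file with build-info text; remaining args = labels that must be "yes".
# Prints one line per label and returns 1 if any of them is not "yes".
check_build_info() {
    file=$1; shift
    rc=0
    for label in "$@"; do
        value=$(build_info_value "$label" < "$file")
        if [ "$value" = "yes" ]; then
            echo "ok       $label"
        else
            echo "MISSING  $label (got: $value)"
            rc=1
        fi
    done
    return $rc
}

# Real use after `make install` for Cocktail 1-3:
#   suricata --build-info > /tmp/build-info.txt
#   check_build_info /tmp/build-info.txt 'PF_RING support' 'libluajit' 'libgeoip' 'libnss support'

# Constructed sample (not real suricata output) for an offline demo: a build
# with pf_ring, luajit, geoip and nss, but without NFQueue.
sample_build_info() {
    cat <<'EOF'
This is Suricata version 2.0dev (constructed sample)
Features: PF_RING AF_PACKET HAVE_NSS HAVE_LUAJIT
Suricata Configuration:
  AF_PACKET support:                       yes
  PF_RING support:                         yes
  NFQueue support:                         no
  libnss support:                          yes
  libnspr support:                         yes
  libluajit:                               yes
  libgeoip:                                yes
  Non-bundled htp:                         no
EOF
}

tmp=$(mktemp)
sample_build_info > "$tmp"
if check_build_info "$tmp" 'PF_RING support' 'libluajit' 'libgeoip' 'libnss support'; then
    echo "build matches the cocktail"
else
    echo "-> rerun ./configure with the missing --enable/--with options"
fi
rm -f "$tmp"
```

Passing a label that is "no" (or absent) makes check_build_info return 1, so the same function can gate a deployment script: a Cocktail 4 binary checked against the Cocktail 1 label list fails on "PF_RING support" and "libluajit" instead of silently running without them.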