This tutorial is intended for Linux (Debian/Ubuntu).
Install the prerequisite packages in order to compile Suricata. I add/enable some optional features, so in my case I usually do:
apt-get -y install libpcre3 libpcre3-dbg libpcre3-dev \
build-essential autoconf automake libtool libpcap-dev libnet1-dev \
libyaml-0-2 libyaml-dev zlib1g zlib1g-dev make flex bison \
libmagic-dev
For Eve (all JSON output):
apt-get install libjansson-dev libjansson4
For MD5 support (file extraction):
apt-get install libnss3-dev libnspr4-dev
For GeoIP:
apt-get install libgeoip1 libgeoip-dev
For nfqueue (IPS mode):
apt-get install libnetfilter-queue-dev libnetfilter-queue1 libnfnetlink-dev libnfnetlink0
For the dropping privileges part you can simply do:
apt-get install libcap-ng0 libcap-ng-dev
OR get the latest libcap-ng version from here:
http://people.redhat.com/sgrubb/libcap-ng/
like so:
wget http://people.redhat.com/sgrubb/libcap-ng/libcap-ng-0.7.4.tar.gz
tar -zxf libcap-ng-0.7.4.tar.gz
cd libcap-ng-0.7.4
./configure && make && make install
cd ..
Let's fetch and compile Suricata:
wget http://www.openinfosecfoundation.org/download/suricata-2.0.4.tar.gz
tar -xzf suricata-2.0.4.tar.gz
cd suricata-2.0.4
One liner... one of my favorite:
./configure --prefix=/usr/ --sysconfdir=/etc/ --localstatedir=/var/ --disable-gccmarch-native \
--enable-geoip --with-libnss-libraries=/usr/lib --with-libnss-includes=/usr/include/nss/ \
--enable-nfqueue \
--with-libcap_ng-libraries=/usr/local/lib --with-libcap_ng-includes=/usr/local/include \
--with-libnspr-libraries=/usr/lib --with-libnspr-includes=/usr/include/nspr && \
make clean && make && make install-full && ldconfig
Above we enable some other features like:
- GeoIP
- MD5 (libnspr/libnss)
- nfqueue
- we also install the necessary config file in /etc/suricata (make install-full)
- download a full ET Open ruleset (make install-full)
You can run
root@IDS:~/suricata-2.0.4# ./configure --help
to see what each option is for, but this line -
--with-libcap_ng-libraries=/usr/local/lib --with-libcap_ng-includes=/usr/local/include
is the one you need to compile and enable dropping privileges with Suricata.
Then you can run Suri like so
/usr/bin/suricata -c /etc/suricata/suricata.yaml --pidfile /var/run/suricata.pid --af-packet -D -v --user=logstash
Make sure the log directory has the right permissions to allow the user "logstash" to write to it.
After you start Suricata you should see something similar:
root@IDS:~# ls -lh /var/log/suricata/
total 77M
drwxr-xr-x 2 logstash logstash 4.0K Oct 15 13:06 certs
drwxr-xr-x 2 logstash logstash 4.0K Oct 15 13:06 core
-rw-r----- 1 logstash logstash 18M Oct 26 10:48 eve.json
-rw-r----- 1 logstash logstash 806K Oct 26 10:48 fast.log
drwxr-xr-x 2 logstash logstash 4.0K Oct 15 13:06 files
drwxr-xr-x 2 logstash logstash 4.0K Oct 26 06:26 StatsByDate
-rw-r--r-- 1 root root 58M Oct 26 10:48 stats.log
-rw-r--r-- 1 root root 1.1K Oct 26 09:15 suricata-start.log
root@IDS:~#
Notice the user logstash ownership.
root@IDS:~# ps aux |grep suricata
logstash 2189 11.0 10.6 420448 219972 ? Ssl 09:15 13:04 /usr/bin/suricata -c /etc/suricata/suricata.yaml --pidfile /var/run/suricata.pid --af-packet -D -v --user=logstash
root@IDS:~#
Now you have the user logstash running (not as root) Suricata IDS/IPS.
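The ls/ps checks above can be scripted so the privilege drop is verified rather than eyeballed. This is an added example, not part of the tutorial or of Suricata itself; it assumes the tutorial's user (logstash), pidfile (/var/run/suricata.pid) and log directory (/var/log/suricata), and the "libcap-ng support: yes" line format of the 2.0.x --build-info output.

```sh
#!/bin/sh
# Post-start checks for a Suricata built with libcap-ng and launched with --user.
# Defaults follow the tutorial (user logstash, /var/run/suricata.pid,
# /var/log/suricata); override them through the environment.
SURI_USER="${SURI_USER:-logstash}"
SURI_LOG_DIR="${SURI_LOG_DIR:-/var/log/suricata}"
SURI_PIDFILE="${SURI_PIDFILE:-/var/run/suricata.pid}"

# Map a user name (or a numeric uid, passed through) to a uid; empty if unknown.
uid_of() { case "$1" in ''|*[!0-9]*) id -u "$1" 2>/dev/null ;; *) echo "$1" ;; esac; }

# Numeric owner of a path; empty when it does not exist.
path_owner_uid() { stat -c '%u' "$1" 2>/dev/null; }

# Real uid a pid runs as, read from /proc so no ps is needed; empty if no such pid.
pid_uid() { awk '/^Uid:/ { print $2 }' "/proc/$1/status" 2>/dev/null; }

# From "ps aux" lines on stdin print the user of the suricata process. Only the
# command column is matched, so the "grep suricata" line itself is ignored.
suricata_user_from_ps() { awk '$11 ~ /(^|\/)suricata$/ { print $1; exit }'; }

# 0 when DIR is owned by USER, i.e. the unprivileged daemon can write eve.json.
check_log_dir_owner() {
    have=$(path_owner_uid "$1"); want=$(uid_of "$2")
    [ -n "$have" ] && [ "$have" = "$want" ]
}

# 0 when the pid recorded in PIDFILE runs as USER, i.e. privileges were dropped.
check_dropped_privs() {
    pid=$(cat "$1" 2>/dev/null) || return 1
    case "$pid" in ''|*[!0-9]*) return 1 ;; esac
    have=$(pid_uid "$pid"); want=$(uid_of "$2")
    [ -n "$have" ] && [ "$have" = "$want" ]
}

# 0 when the binary reports libcap-ng support; the "libcap-ng support: yes"
# line format is assumed from the 2.0.x --build-info output.
has_libcap_ng_support() {
    "${1:-suricata}" --build-info 2>/dev/null |
        grep -Eq '^[[:space:]]*libcap-ng support:[[:space:]]+yes'
}

# Run every check and report what is wrong; exit status 1 on any failure.
main() {
    rc=0
    has_libcap_ng_support || { echo "suricata built without libcap-ng: cannot run as an unprivileged user" >&2; rc=1; }
    check_log_dir_owner "$SURI_LOG_DIR" "$SURI_USER" || { echo "$SURI_LOG_DIR is not owned by $SURI_USER" >&2; rc=1; }
    check_dropped_privs "$SURI_PIDFILE" "$SURI_USER" || { echo "suricata is not running as $SURI_USER" >&2; rc=1; }
    return $rc
}
```

Source the file and call main once Suricata is up; each check also works on its own, e.g. check_dropped_privs /var/run/suricata.pid logstash.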