Last active
September 23, 2018 21:31
install/test Suricata on a virtualbox with Ubuntu 14.04 installed
Suricata
Nov 2, 2014:
... don't waste time installing it on osx :(
instead, try it on ubuntu 14.04 using virtualbox, much better, and more like a real server:
sudo apt-get install build-essential automake libtool bison subversion pkg-config
sudo apt-get install libxml2-dev libxslt-dev autoconf libc6-dev ncurses-dev libpcre3 libpcre3-dev
sudo apt-get install openssl libreadline6 libreadline6-dev curl git-core zlib1g zlib1g-dev libssl-dev libyaml-dev libsqlite3-dev sqlite3
sudo apt-get install libnet1 libnet1-dev
sudo apt-get install libpcap-dev libpcap0.8 libpcap0.8-dev
sudo apt-get install libcap-ng-dev
sudo apt-get install coccinelle
sudo apt-get install magic libmagic-dev
sudo apt-get install file
sudo apt-get install libjansson4 libjansson-dev python-simplejson
... is there anything left to install? :)
... download from http://suricata-ids.org/download/ click: suricata-2.0.4.tar.gz
tar zxvf suricata-2.0.4.tar.gz
cd suricata-2.0.4
./configure --prefix=/opt/suricata --sysconfdir=/opt/suricata/etc --localstatedir=/var
make -j4 <<-- 4 cores, change to your number of cores
sudo make install-full <<-- includes config/rules
outputs:
You can now start suricata by running as root something like:
/opt/suricata/bin/suricata -c /opt/suricata/etc/suricata//suricata.yaml -i eth0
If a library like libhtp.so is not found, you can run suricata with:
'LD_LIBRARY_PATH=/opt/suricata/lib /opt/suricata/bin/suricata -c /opt/suricata/etc/suricata//suricata.yaml -i eth0'.
While rules are installed now, it's highly recommended to use a rule manager for maintaining rules.
The two most common are Oinkmaster and Pulledpork. For a guide see:
https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Rule_Management_with_Oinkmaster
... start it up:
sudo /opt/suricata/bin/suricata -c /opt/suricata/etc/suricata/suricata.yaml --af-packet=eth0
... oops, this shows a warning about offloading features being enabled on the network card, and here's how to fix that:
sudo ethtool -k eth0 ... lists settings
sudo ethtool -K eth0 tx off rx off sg off gso off gro off
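Added example, not part of the gist: a small sh script that reads `ethtool -k` output and reports which of the offload features the gist turns off are still on, so you can check an interface before (or after) running the `ethtool -K` line. The short flags the gist passes to `ethtool -K` (tx, rx, sg, gso, gro) correspond to the top-level `tx-checksumming`, `rx-checksumming`, `scatter-gather`, `generic-segmentation-offload` and `generic-receive-offload` lines that `ethtool -k` prints. The function names and the sample `ethtool -k` output are constructed for this example, not Suricata's or ethtool's.

```shell
#!/bin/sh
# Added example (not from the gist): list capture-relevant NIC offloads that are
# still enabled, by reading `ethtool -k <iface>` output on stdin.

# Constructed sample of `ethtool -k eth0` output, as it might look before the fix.
# Sub-features are indented; only the top-level lines are checked.
SAMPLE_ETHTOOL='Features for eth0:
rx-checksumming: on
tx-checksumming: on
    tx-checksum-ipv4: off
    tx-checksum-ip-generic: on
scatter-gather: on
    tx-scatter-gather: on
tcp-segmentation-offload: on
    tx-tcp-segmentation: on
generic-segmentation-offload: on
generic-receive-offload: off
large-receive-offload: off [fixed]'

# check_offloads: prints the capture-relevant features that are still on,
# space separated on one line (nothing if none). Returns 1 if any is on, else 0.
check_offloads() {
    awk '
        # top-level lines only; indented sub-features never match the ^ anchor
        /^(rx-checksumming|tx-checksumming|scatter-gather|generic-segmentation-offload|generic-receive-offload):/ {
            name = $1; sub(/:$/, "", name)
            if ($2 == "on") { out = out sep name; sep = " " }
        }
        END {
            if (out != "") { print out; exit 1 }
            exit 0
        }'
}

# disable_offloads <iface>: the fix from the gist, wrapped as a function (needs root).
disable_offloads() {
    ethtool -K "$1" tx off rx off sg off gso off gro off
}

# Demo on the constructed sample. On a real box: sudo ethtool -k eth0 | check_offloads
if printf '%s\n' "$SAMPLE_ETHTOOL" | check_offloads; then
    echo "capture-relevant offloads are off"
else
    echo "offloads still on (fix with: disable_offloads eth0)"
fi
```

The check returns non-zero when anything is still on, so it can gate a startup script: run `check_offloads` first and only start suricata when it passes.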
... now open 3 terminal windows, or 2 since you have 1 open already ;)
1. start suricata:
sudo /opt/suricata/bin/suricata -c /opt/suricata/etc/suricata/suricata.yaml --af-packet=eth0
2. cd /var/log/suricata
tail -f fast.log http.log
3. wget www.testmyids.com
... in terminal window 2 you should see:
==> http.log <==
11/03/2014-04:36:12.075516 www.testmyids.com [**] / [**] Wget/1.15 (linux-gnu) [**] 192.168.0.4:33803 -> 82.165.177.154:80
==> fast.log <==
11/03/2014-04:36:12.206152 [**] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 82.165.177.154:80 -> 192.168.0.4:33803
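Added example, not part of the gist: a sh script that splits fast.log lines like the one above into fields and counts alerts per signature id, which is what you want once the log carries more than a couple of lines. The sample input is constructed from the two alert lines shown in this gist (with the PING alert repeated); the function names are this example's own and the field layout is taken from the fast.log lines as printed here.

```shell
#!/bin/sh
# Added example (not from the gist): parse Suricata fast.log lines and count
# alerts per gid:sid:rev so the window-2 output can be triaged instead of eyeballed.

# Constructed sample: the alert lines shown in the gist, with the PING alert twice.
SAMPLE_FAST='11/03/2014-04:36:12.206152 [**] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 82.165.177.154:80 -> 192.168.0.4:33803
11/03/2014-04:14:38.192906 [**] [1:2:1] PING detected [**] [Classification: (null)] [Priority: 3] {ICMP} 192.168.0.2:8 -> 192.168.0.4:0
11/03/2014-04:14:39.193001 [**] [1:2:1] PING detected [**] [Classification: (null)] [Priority: 3] {ICMP} 192.168.0.2:8 -> 192.168.0.4:0'

# fast_log_fields: stdin = fast.log lines, stdout = one record per alert:
#   timestamp|gid:sid:rev|msg|classification|priority|proto|src|dst
# Lines that do not match the fast.log layout are dropped (sed -n with s///p).
fast_log_fields() {
    sed -E -n 's/^([^ ]+) \[\*\*\] \[([0-9]+:[0-9]+:[0-9]+)\] (.*) \[\*\*\] \[Classification: ([^]]*)\] \[Priority: ([0-9]+)\] [{]([A-Za-z0-9-]+)[}] ([^ ]+) -> ([^ ]+)$/\1|\2|\3|\4|\5|\6|\7|\8/p'
}

# top_sids: alert count per gid:sid:rev, most frequent first (ties broken by id).
top_sids() {
    fast_log_fields | awk -F'|' '{ n[$2]++ } END { for (k in n) print n[k], k }' | sort -k1,1rn -k2,2
}

# Demo on the sample. On the box: tail -f /var/log/suricata/fast.log | fast_log_fields
printf '%s\n' "$SAMPLE_FAST" | top_sids
```

With the real log, `fast_log_fields < /var/log/suricata/fast.log | cut -d'|' -f7 | sort | uniq -c` gives the same per-source view for the src column.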
One Step Beyond:
cd /opt/suricata/etc/suricata/rules
sudo nano local.rules <<-- probably a new file
alert icmp any any -> any any (msg:"PING detected"; sid:2; rev:1;)
... ctrl+o, ctrl+x ... i.e. save it
sudo nano /opt/suricata/etc/suricata/suricata.yaml
... ctrl+w, type rule-files: to find where to add new rule files, then add:
- local.rules (indent like the other rule files listed)
... ctrl+o, ctrl+x ... i.e. save it
... stop suricata, somehow; if you're still testing in a terminal window then do a ctrl+c
... start it up again to use the new rules
... ping the suricata server from another server:
ping 192.168.x.x <<-- suricata server IP
... in the "tail -f fast.log http.log" i.e. terminal window 2 you should see lines like this:
==> fast.log <==
11/03/2014-04:14:38.192906 [**] [1:2:1] PING detected [**] [Classification: (null)] [Priority: 3] {ICMP} 192.168.0.2:8 -> 192.168.0.4:0
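Added example, not part of the gist: the "add local.rules under rule-files:" edit above done from a script instead of nano, matching the indentation of the entries already in the list and skipping the edit when the file is already listed, so it is safe to re-run from a provisioning script. The yaml fragment it runs against is constructed for the example (paths as in the gist); the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the gist): add a rule file to the rule-files: list in
# suricata.yaml, keeping the existing indentation and staying idempotent.

# Constructed fragment of a Suricata 2.0 suricata.yaml, written to the given path.
make_sample_yaml() {
    cat > "$1" <<'EOF'
default-rule-path: /opt/suricata/etc/suricata/rules
rule-files:
 - botcc.rules
 - ciarmy.rules
#  - emerging-dos.rules

classification-file: /opt/suricata/etc/suricata/classification.config
EOF
}

# enable_rule_file <suricata.yaml> <name.rules>
enable_rule_file() {
    yaml=$1; name=$2
    if grep -Eq "^[[:space:]]*-[[:space:]]*$name[[:space:]]*$" "$yaml"; then
        return 0   # already listed, nothing to do
    fi
    tmp=$(mktemp) || return 1
    awk -v name="$name" '
        /^rule-files:/ { in_list = 1; print; next }
        # existing entries: remember their indentation
        in_list && /^[[:space:]]*-[[:space:]]/ {
            match($0, /^[[:space:]]*/); indent = substr($0, 1, RLENGTH); seen = 1
            print; next
        }
        # comments and blank lines inside the list are held back so the new
        # entry lands right after the last real entry
        in_list && /^[[:space:]]*(#|$)/ { pending = pending $0 "\n"; next }
        # first line that is not part of the list: emit the new entry before it
        in_list { if (!seen) indent = "  "; print indent "- " name; printf "%s", pending; in_list = 0 }
        { print }
        END { if (in_list) { if (!seen) indent = "  "; print indent "- " name; printf "%s", pending } }
    ' "$yaml" > "$tmp" && mv "$tmp" "$yaml"
}

# Demo on the constructed file; the second call is a no-op.
f=$(mktemp)
make_sample_yaml "$f"
enable_rule_file "$f" local.rules
enable_rule_file "$f" local.rules
cat "$f"
rm -f "$f"
```

After editing the real file, `sudo /opt/suricata/bin/suricata -T -c /opt/suricata/etc/suricata/suricata.yaml` (the test-configuration flag) catches a bad indent or a missing rules file before you restart.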
... can't run suricata in a terminal window all the time, so let's use an Upstart script:
sudo nano /etc/init/suricata.conf
... add this:
# suricata
description "Intruder Detection System Daemon"
start on runlevel [2345]
stop on runlevel [!2345]
expect fork
exec /opt/suricata/bin/suricata -D --pidfile /var/run/suricata.pid -c /opt/suricata/etc/suricata/suricata.yaml --af-packet=eth0
... ctrl+o, ctrl+x ... i.e. save it
... start it up again, be sure that terminal window 1 has been stopped:
sudo service suricata start
... retest like above
enjoy!
error
Thank you so much :)
Warning! spatch not found, you will not be
able to run code checking with coccinelle
get it from http://coccinelle.lip6.fr
or install from your distribution
checking for Mpipe... no
checking pcre.h usability... no
checking pcre.h presence... no
checking for pcre.h... no
configure: error: pcre.h not found ...
krishna@ubuntu:~/Downloads/suricata-2.0.4$ make -j4
make: *** No targets specified and no makefile found. Stop.
krishna@ubuntu:~/Downloads/suricata-2.0.4$ sudo make install-full
make: *** No rule to make target `install-full'. Stop.
krishna@ubuntu:~/Downloads/suricata-2.0.4$