@cleesmith
Last active September 23, 2018 21:31
install/test Suricata on a virtualbox with Ubuntu 14.04 installed
Suricata
Nov 2, 2014:
... don't waste time installing it on osx :(
instead, try it on ubuntu 14.04 using virtualbox, much better, and more like a real server:
sudo apt-get install build-essential automake libtool bison subversion pkg-config
sudo apt-get install libxml2-dev libxslt-dev autoconf libc6-dev ncurses-dev libpcre3 libpcre3-dev
sudo apt-get install openssl libreadline6 libreadline6-dev curl git-core zlib1g zlib1g-dev libssl-dev libyaml-dev libsqlite3-dev sqlite3
sudo apt-get install libnet1 libnet1-dev
sudo apt-get install libpcap-dev libpcap0.8 libpcap0.8-dev
sudo apt-get install libcap-ng-dev
sudo apt-get install coccinelle
sudo apt-get install magic libmagic-dev
sudo apt-get install file
sudo apt-get install libjansson4 libjansson-dev python-simplejson
... is there anything left to install ? :)
... download from http://suricata-ids.org/download/ click: suricata-2.0.4.tar.gz
tar zxvf suricata-2.0.4.tar.gz
cd suricata-2.0.4
./configure --prefix=/opt/suricata --sysconfdir=/opt/suricata/etc --localstatedir=/var
make -j4 <<-- 4 cores, change to your number of cores
sudo make install-full <<-- includes config/rules
outputs:
You can now start suricata by running as root something like:
/opt/suricata/bin/suricata -c /opt/suricata/etc/suricata//suricata.yaml -i eth0
If a library like libhtp.so is not found, you can run suricata with:
'LD_LIBRARY_PATH=/opt/suricata/lib /opt/suricata/bin/suricata -c /opt/suricata/etc/suricata//suricata.yaml -i eth0'.
While rules are installed now, it's highly recommended to use a rule manager for maintaining rules.
The two most common are Oinkmaster and Pulledpork. For a guide see:
https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Rule_Management_with_Oinkmaster
... start it up:
sudo /opt/suricata/bin/suricata -c /opt/suricata/etc/suricata/suricata.yaml --af-packet=eth0
... oops, this shows a warning about enabled network card features, and here's how to fix that:
sudo ethtool -k eth0 ... lists settings
sudo ethtool -K eth0 tx off rx off sg off gso off gro off
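Before trusting what the sensor reports, it is worth checking that the offloads are really off: with them on, the NIC and kernel merge or split segments, so Suricata inspects packets that never existed on the wire. The following is an added example, not part of the gist: a small sh check that reads `ethtool -k` output and lists the offload features still enabled. The `ethtool -k` output embedded below is constructed, not captured from a real interface, and the feature list goes a little beyond the gist's `-K` line (it also covers tso and lro, which the Suricata docs likewise recommend disabling).

```shell
#!/bin/sh
# Constructed sample of "ethtool -k eth0" output (made up for this example);
# the real command prints many more lines in the same "name: on|off [fixed]" form.
SAMPLE_ETHTOOL='Features for eth0:
rx-checksumming: on
tx-checksumming: on
scatter-gather: on
tcp-segmentation-offload: on
generic-segmentation-offload: off
generic-receive-offload: on
large-receive-offload: off [fixed]'

# Offload features an IDS sensor wants off. These are ethtool's long names for
# the short ones used with -K: rx, tx, sg, tso, gso, gro, lro.
WANT_OFF='rx-checksumming tx-checksumming scatter-gather tcp-segmentation-offload generic-segmentation-offload generic-receive-offload large-receive-offload'

# offloads_still_on: read "ethtool -k" output on stdin and print each wanted-off
# feature that is still "on", one per line; prints nothing when all are off.
# A feature shown as "on [fixed]" is reported too, but cannot be changed with -K.
offloads_still_on() {
  awk -v want="$WANT_OFF" '
    BEGIN { n = split(want, w, " "); for (i = 1; i <= n; i++) wanted[w[i]] = 1 }
    /^[^ ]+: (on|off)/ {
      name = $1; sub(/:$/, "", name)
      if ((name in wanted) && $2 == "on") print name
    }'
}

# check_offloads: exit status 0 when nothing is left on, 1 otherwise, so it can
# gate a start script; the offending feature names go to stdout.
check_offloads() {
  left=$(offloads_still_on)
  [ -z "$left" ] && return 0
  printf '%s\n' "$left"
  return 1
}

# Stand-alone demo on the constructed sample. On a real sensor, pipe the live
# output instead:  sudo ethtool -k eth0 | check_offloads
printf '%s\n' "$SAMPLE_ETHTOOL" | check_offloads ||
  echo "turn the features listed above off with: sudo ethtool -K eth0 <feature> off"
```

The check is deliberately read-only: it tells you what to turn off rather than running `ethtool -K` itself, so it is safe to run from an unprivileged shell and from the Upstart job before starting the daemon.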
... now open 3 terminal windows, or 2 since you have 1 open already ;)
1. start suricata:
sudo /opt/suricata/bin/suricata -c /opt/suricata/etc/suricata/suricata.yaml --af-packet=eth0
2. cd /var/log/suricata
tail -f fast.log http.log
3. wget www.testmyids.com
... in terminal window 2 you should see:
==> http.log <==
11/03/2014-04:36:12.075516 www.testmyids.com [**] / [**] Wget/1.15 (linux-gnu) [**] 192.168.0.4:33803 -> 82.165.177.154:80
==> fast.log <===
11/03/2014-04:36:12.206152 [**] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 82.165.177.154:80 -> 192.168.0.4:33803
One Step Beyond:
cd /opt/suricata/etc/suricata/rules
sudo nano local.rules <<-- probably a new file
alert icmp any any -> any any (msg:"PING detected"; sid:2; rev:1;)
... ctrl+o, ctrl+x ... i.e. save it
sudo nano /opt/suricata/etc/suricata/suricata.yaml
... ctrl+w, type rule-files: to find where to add new rule files, then add:
- local.rules (indent like the other rule files listed)
... ctrl+o, ctrl+x ... i.e. save it
... stop suricata, somehow; if you're still testing in a terminal window then do a ctrl+c
... start it up again to use the new rules
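The two edits above (append a rule to local.rules, list local.rules under rule-files: in suricata.yaml) are easy to get wrong when repeated: a second `- local.rules` entry loads the file twice, and two rules sharing a sid make Suricata refuse to load the ruleset. The sh functions below are an added example, not part of the gist, that make both edits idempotent. They assume the YAML layout the gist describes (a `rule-files:` key followed by an indented `-` list) and run here against a constructed minimal config in a temporary directory, not the real /opt/suricata files.

```shell
#!/bin/sh
# add_rule_file YAML RULEFILE
# Adds "- RULEFILE" to the rule-files: list in a Suricata config, using the same
# indentation as the existing entries, unless it is already listed.
add_rule_file() {
  yaml=$1; rule=$2
  # already present (plain regex check, good enough for names like local.rules)
  if grep -q "^[[:space:]]*- $rule[[:space:]]*\$" "$yaml"; then
    return 0
  fi
  tmp=$(mktemp)
  awk -v rule="$rule" '
    /^[[:space:]]*rule-files:/ { inlist = 1; print; next }
    inlist && /^[[:space:]]*-[[:space:]]/ {
      # remember the indentation of the existing entries
      match($0, /^[[:space:]]*/); indent = substr($0, 1, RLENGTH)
      print; next
    }
    inlist && /^[[:space:]]*#/ { print; next }   # commented-out entries stay in the list
    inlist {
      # first line that is neither an entry nor a comment closes the list:
      # insert the new entry just before it
      if (indent == "") indent = "  "
      print indent "- " rule
      inlist = 0; inserted = 1
    }
    { print }
    END { if (inlist && !inserted) { if (indent == "") indent = "  "; print indent "- " rule } }
  ' "$yaml" > "$tmp"
  # write back through the existing file so its owner and mode are kept
  cat "$tmp" > "$yaml" && rm -f "$tmp"
}

# add_local_rule RULESFILE RULE
# Appends one rule line unless a rule with the same sid is already there
# (Suricata rejects two signatures that share a sid in the same gid).
add_local_rule() {
  rules=$1; rule=$2
  sid=$(printf '%s\n' "$rule" | sed -n 's/.*sid:[[:space:]]*\([0-9]*\);.*/\1/p')
  [ -n "$sid" ] || { echo "rule has no sid: $rule" >&2; return 1; }
  if [ -f "$rules" ] && grep -q "sid:[[:space:]]*$sid;" "$rules"; then
    echo "sid $sid already present in $rules, skipping" >&2
    return 0
  fi
  printf '%s\n' "$rule" >> "$rules"
}

# Stand-alone demo on a throwaway copy (constructed minimal config, not the real one).
demo=$(mktemp -d)
printf 'rule-files:\n - botcc.rules\n - emerging-attack_response.rules\n\nclassification-file: classification.config\n' > "$demo/suricata.yaml"
add_rule_file "$demo/suricata.yaml" local.rules
add_rule_file "$demo/suricata.yaml" local.rules   # second call is a no-op
add_local_rule "$demo/local.rules" 'alert icmp any any -> any any (msg:"PING detected"; sid:2; rev:1;)'
add_local_rule "$demo/local.rules" 'alert icmp any any -> any any (msg:"PING detected"; sid:2; rev:1;)'
cat "$demo/suricata.yaml" "$demo/local.rules"
rm -r "$demo"
```

To apply it to the real install, point the functions at /opt/suricata/etc/suricata/suricata.yaml and /opt/suricata/etc/suricata/rules/local.rules (as root) and then restart Suricata as the gist describes. One caveat on the rule itself: sid:2 works, but low sids sit in the range used by the downloaded rulesets, so local rules are conventionally numbered from 1000000 upwards to avoid a future collision.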
... ping the suricata server from another server:
ping 192.168.x.x <<-- suricata server IP
... in the "tail -f fast.log http.log" i.e. terminal window 2 you should see lines like this:
==> fast.log <==
11/03/2014-04:14:38.192906 [**] [1:2:1] PING detected [**] [Classification: (null)] [Priority: 3] {ICMP} 192.168.0.2:8 -> 192.168.0.4:0
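Watching fast.log with tail is fine for a test, but once real traffic flows you want the fields out of those lines. The sh/awk parser below is an added example, not part of the gist: it turns fast.log lines into tab-separated records (timestamp, gid, sid, rev, priority, protocol, source, destination, message, classification) and counts how often each signature fired. The sample input is constructed from the two alert lines shown in this gist plus one extra PING alert made up so the count has something to add up.

```shell
#!/bin/sh
# Constructed sample: the two fast.log alerts shown in the gist plus one more
# PING alert (made up here) so the per-sid count has something to add up.
SAMPLE_FASTLOG='11/03/2014-04:36:12.206152 [**] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 82.165.177.154:80 -> 192.168.0.4:33803
11/03/2014-04:14:38.192906 [**] [1:2:1] PING detected [**] [Classification: (null)] [Priority: 3] {ICMP} 192.168.0.2:8 -> 192.168.0.4:0
11/03/2014-04:14:39.193011 [**] [1:2:1] PING detected [**] [Classification: (null)] [Priority: 3] {ICMP} 192.168.0.2:8 -> 192.168.0.4:0'

# parse_fastlog: read fast.log lines on stdin and print one tab-separated
# record per alert:
#   ts  gid  sid  rev  priority  proto  src  dst  msg  classification
# Lines that do not carry a [gid:sid:rev] block are skipped.
parse_fastlog() {
  awk '
  {
    line = $0
    ts = $1
    # the [gid:sid:rev] block identifies the signature that fired
    if (!match(line, /\[[0-9]+:[0-9]+:[0-9]+]/)) next
    split(substr(line, RSTART + 1, RLENGTH - 2), id, ":")
    # the message runs from just after that block up to the next " [**] "
    rest = substr(line, RSTART + RLENGTH + 1)
    p = index(rest, " [**] ")
    if (p == 0) next
    msg = substr(rest, 1, p - 1)
    rest = substr(rest, p + 6)
    # what is left: [Classification: ...] [Priority: N] {PROTO} src -> dst
    cls = ""; c = index(rest, "[Classification: ")
    if (c) { t = substr(rest, c + 17); cls = substr(t, 1, index(t, "]") - 1) }
    pri = ""; c = index(rest, "[Priority: ")
    if (c) { t = substr(rest, c + 11); pri = substr(t, 1, index(t, "]") - 1) }
    proto = ""; c = index(rest, "{")
    if (c) { t = substr(rest, c + 1); proto = substr(t, 1, index(t, "}") - 1) }
    # src and dst are the last and third-to-last whitespace-separated tokens
    n = split(rest, f, " ")
    src = f[n - 2]; dst = f[n]
    printf "%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\n", ts, id[1], id[2], id[3], pri, proto, src, dst, msg, cls
  }'
}

# fastlog_count_by_sid: how often each signature fired, busiest first
# (output is uniq -c style: "<count> <sid>\t<msg>")
fastlog_count_by_sid() {
  parse_fastlog | cut -f3,9 | sort | uniq -c | sort -rn
}

# Stand-alone demo on the constructed sample; on the sensor use e.g.
#   parse_fastlog < /var/log/suricata/fast.log
printf '%s\n' "$SAMPLE_FASTLOG" | parse_fastlog
printf '%s\n' "$SAMPLE_FASTLOG" | fastlog_count_by_sid
```

The parser anchors on the `[gid:sid:rev]` block and the `[**]` separators rather than on column positions, so messages containing spaces or brackets survive; the `(null)` classification on the PING line is exactly what Suricata writes when a local rule has no classtype, which is why adding `classtype:` to local rules is worth the extra keyword.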
... can't run suricata in a terminal window all the time, so let's use an Upstart script:
sudo nano /etc/init/suricata.conf
... add this:
# suricata
description "Intruder Detection System Daemon"
start on runlevel [2345]
stop on runlevel [!2345]
expect fork
exec /opt/suricata/bin/suricata -D --pidfile /var/run/suricata.pid -c /opt/suricata/etc/suricata/suricata.yaml --af-packet=eth0
... ctrl+o, ctrl+x ... i.e. save it
... start it up again, be sure that terminal window 1 has been stopped:
sudo service suricata start
... retest like above
enjoy!
@bahruzjabiyev
Thank you so much :)