Sunday, February 16, 2014

Suricata IDPS installation on OpenSUSE


This is a quick tutorial on how to install Suricata IDPS (latest dev edition from git) on OpenSUSE with MD5 checksumming/file extraction and GeoIP support enabled.

For this tutorial we use OpenSUSE 13.1 (Bottle) x86_64 (64-bit) with kernel 3.11.6:

uname -a
Linux linux-560z.site 3.11.6-4-desktop #1 SMP PREEMPT Wed Oct 30 18:04:56 UTC 2013 (e6d4a27) x86_64 x86_64 x86_64 GNU/Linux 

Step 1

Install the needed packages:
zypper install gcc zlib-devel libtool make libpcre1 autoconf automake gcc-c++ pcre-devel libz1 file-devel libnet1 libpcap1 libpcap-devel libnet-devel libyaml-devel libyaml-0-2 git-core wget libcap-ng0 libcap-ng-devel libmagic1 file-magic

Step 2

For MD5 functionality and file extraction capability:
zypper install mozilla-nss mozilla-nss-devel mozilla-nspr mozilla-nspr-devel mozilla-nss-tools

Step 3 

For the GeoIP functionality:
zypper install GeoIP libGeoIP-devel

Step 4

Git clone the latest dev branch, compile and configure (one-liner, copy-paste ready):

git clone git://phalanx.openinfosecfoundation.org/oisf.git \
&& cd oisf/ \
&& git clone https://github.com/ironbee/libhtp.git -b 0.5.x \
&& ./autogen.sh \
&& ./configure --prefix=/usr/ --sysconfdir=/etc/ --localstatedir=/var/ \
--disable-gccmarch-native --enable-gccprotect \
--enable-geoip \
--with-libnss-libraries=/usr/lib64 \
--with-libnss-includes=/usr/include/nss3 \
&& make clean && make && make install \
&& ldconfig

NOTE:
You can change make install (above) to make install-full for an automated full set-up: directory creation, rule download and the rule directory set-up in suricata.yaml, so everything is ready to run.


Step 5

Some commands to confirm everything is in place (the build-info output should list NSS, libmagic and GeoIP support as enabled, and ldd should resolve every shared library without "not found"):
which suricata
suricata --build-info
ldd $(which suricata)


Step 6 

Continue with the basic set-up of your networks, which rules to enable and the other suricata.yaml config options, as described in the Basic Setup guide.


After you are done with all the config options, you can start it like so:
suricata -c /etc/suricata/suricata.yaml -i enp0s3
Change the interface name accordingly!

NOTE:
If you get the following error at start-up:
(util-magic.c:65) <Warning> (MagicInit) -- [ERRCODE: SC_ERR_FOPEN(44)] - Error opening file: "/usr/share/file/magic": No such file or directory

the libmagic database is not where the default suricata.yaml expects it (OpenSUSE installs it under /usr/share/misc). Change the following line in your suricata.yaml from:
magic-file: /usr/share/file/magic
to
magic-file: /usr/share/misc/magic
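The checks from Step 5 and the magic-file fix from the NOTE above, put together as a small post-install script. This is an added example, not code from the original post or from the Suricata project; it assumes that `suricata --build-info` prints its feature list as "  <feature> support:  yes|no" lines (the labels libnss support, libmagic support and GeoIP support in the constructed sample are an assumption about that format) and that magic-file: is a top-level key in suricata.yaml.

```sh
#!/bin/sh
# Post-install sanity check for the Suricata build from this tutorial.
# Added example (not from the original post): verifies that a build-info dump
# reports the features the guide builds in, and corrects the magic-file path
# in a copy of suricata.yaml the way the NOTE above describes.

# Constructed sample of the feature section of `suricata --build-info`, in the
# layout assumed here ("  <feature> support:   yes|no"). Real output is longer.
SAMPLE_BUILD_INFO='Suricata Configuration:
  AF_PACKET support:                       yes
  libnss support:                          yes
  libmagic support:                        yes
  GeoIP support:                           yes'

# required_features_present BUILD_INFO_TEXT
# Returns 0 when libnss (MD5/file extraction), libmagic (file typing) and
# GeoIP all report "yes"; names each missing feature on stderr and returns 1.
required_features_present() {
    _info=$1
    _rc=0
    for _feat in 'libnss support' 'libmagic support' 'GeoIP support'; do
        if ! printf '%s\n' "$_info" | grep -q "^  $_feat: *yes"; then
            echo "missing: $_feat" >&2
            _rc=1
        fi
    done
    return $_rc
}

# find_magic_file
# Prints the first readable libmagic database out of Suricata's default path
# and the OpenSUSE path; returns 1 when neither exists on this host.
find_magic_file() {
    for _p in /usr/share/file/magic /usr/share/misc/magic; do
        if [ -r "$_p" ]; then
            echo "$_p"
            return 0
        fi
    done
    return 1
}

# magic_file_setting YAML_PATH
# Prints the value of the top-level magic-file: key of a suricata.yaml.
magic_file_setting() {
    sed -n 's/^magic-file: *//p' "$1"
}

# rewrite_magic_file YAML_PATH NEW_PATH
# Replaces the top-level magic-file: line (no GNU-only sed -i, for portability).
rewrite_magic_file() {
    sed "s|^magic-file: .*|magic-file: $2|" "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Stand-alone usage: check the constructed sample, then point a throwaway
# copy of suricata.yaml at whichever magic database this host actually has.
if required_features_present "$SAMPLE_BUILD_INFO"; then
    echo "build-info: all required features enabled"
fi
YAML_COPY=$(mktemp)
printf 'magic-file: /usr/share/file/magic\n' > "$YAML_COPY"
if MAGIC=$(find_magic_file); then
    rewrite_magic_file "$YAML_COPY" "$MAGIC"
    echo "magic-file now: $(magic_file_setting "$YAML_COPY")"
else
    echo "no libmagic database found; install the file-magic package" >&2
fi
rm -f "$YAML_COPY"
```

To run it against the real binary instead of the sample, pass `"$(suricata --build-info)"` to required_features_present and /etc/suricata/suricata.yaml (after taking a backup) to rewrite_magic_file.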



That's all.

