Installing Suricata
This section explains how to install Suricata with Prelude support.
Dependencies (CentOS)
On CentOS, first enable the EPEL repository, which provides the libprelude packages:
# yum install epel-release
Then install the build dependencies (libprelude-devel supplies the headers and the libprelude-config script that the --enable-prelude build needs):
# yum -y install libpcap-devel libcap-ng-devel libnet-devel pcre-devel gcc gcc-c++ automake autoconf libtool make libyaml-devel zlib-devel libprelude-devel libtool-ltdl-devel file-devel
Get the sources
Download Suricata from http://suricata-ids.org/download/
Unpack it and enter the source directory:
$ tar -zxvf suricata-*.tar.gz
$ cd suricata-*
Comment out the following lines in the configure script:
# Prelude doesn't work with -Werror
STORECFLAGS="${CFLAGS}"
CFLAGS="${CFLAGS} -Wno-error=unused-result"
Then compile and install Suricata. The value of --with-libprelude-prefix must be the prefix under which libprelude is installed (its bin/ directory holds libprelude-config): /usr/local for a libprelude built from source, /usr if you installed the EPEL package above.
$ ./configure --enable-prelude --with-libprelude-prefix=/usr/local/ CC="gcc -std=gnu99"
$ make
# make install-full
Configuration
Edit the /etc/suricata/suricata.yaml file to enable Prelude alerting. The profile name must be the same one you register with prelude-admin in the next section, otherwise the sensor cannot find its profile and never connects. With log-packet-content: yes the payload of the triggering packet is copied into every IDMEF alert sent to the manager; set it to no if you do not want packet data stored on the manager side.
# alert output to prelude (http://www.prelude-technologies.com/) only
# available if Suricata has been compiled with --enable-prelude
- alert-prelude:
    enabled: yes
    profile: suricata
    log-packet-content: yes
    log-packet-header: yes
Registering Suricata profile
Note: each module of your Prelude installation must be registered with the manager, which handles communication between the modules. Registration generates an RSA key for the sensor; gathering the entropy for it can take a long time on an idle machine, so generating activity (for example disk reads such as ls -l /, keyboard input or network traffic) speeds it up.
Now create the suricata profile on the Suricata host. Replace X with the UID and GID Suricata will run as (the profile files are created with that owner, so the process must be able to read them); "idmef:w" grants the sensor the permission to write IDMEF alerts to the manager:
# prelude-admin register suricata "idmef:w" <manager address> --uid X --gid X
And, on the Prelude-Manager host:
# prelude-admin registration-server prelude-manager
Once the RSA key has been created, the registration-server side prints a one-time password. Type it at the prompt on the Suricata host (the first terminal), then approve the registration on the Prelude-Manager host (the second terminal):
Approve registration? [y/n]: y
127.0.0.1:45761 successfully registered.
Please check the Agents Registration Page for more details about sensors registration.
Running Suricata
To launch Suricata on the interface to monitor, type:
# LD_LIBRARY_PATH=/usr/lib /usr/bin/suricata -c /etc/suricata/suricata.yaml -i eth0
The binary and configuration paths depend on the --prefix given to ./configure (the autotools default is /usr/local, in which case make install-full puts them under /usr/local/bin and /usr/local/etc/suricata); adjust the command accordingly, and make sure the process can read the profile registered with --uid X --gid X above.
You can now see a new agent named Suricata on Prewikka.
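Two mistakes in the procedure above show up only as an agent that never appears in Prewikka: a Suricata binary built without --enable-prelude (the alert-prelude output is then simply unavailable) and a profile: value in suricata.yaml that differs from the name given to prelude-admin register. The following POSIX shell script is an added example, not part of the Prelude or Suricata documentation; it checks both before the sensor is started. It assumes that suricata --build-info prints a "Prelude support: yes|no" line (as current releases do) and that the alert-prelude block is laid out as in the fragment above; the sample suricata.yaml and build-info texts it writes are constructed for the demonstration, not captured from a real host.

```shell
#!/bin/sh
# Added example (not from the Prelude or Suricata documentation): pre-flight
# checks for the Suricata + Prelude setup described above.
#
# Assumptions: `suricata --build-info` prints a line "Prelude support: yes|no"
# and the alert-prelude block in suricata.yaml is written as in the fragment
# above (a "- alert-prelude:" list item with an indented "profile:" key).

# prelude_support_from_build_info <file>
# Prints "yes" or "no" from the "Prelude support:" line of saved
# `suricata --build-info` output; prints nothing if the line is absent.
prelude_support_from_build_info() {
    awk '/^[ \t]*Prelude support:/ { print $NF; exit }' "$1"
}

# prelude_profile_from_yaml <suricata.yaml>
# Prints the "profile:" value inside the "- alert-prelude:" output block.
# The block ends at the next "- " list item; a trailing "# comment" is dropped.
prelude_profile_from_yaml() {
    awk '
        /^[ \t]*-[ \t]*alert-prelude:/ { inblock = 1; next }
        inblock && /^[ \t]*-[ \t]/      { inblock = 0 }
        inblock && /^[ \t]*profile:/ {
            sub(/^[ \t]*profile:[ \t]*/, "")
            sub(/[ \t]*(#.*)?$/, "")
            print; exit
        }
    ' "$1"
}

# check_prelude_setup <suricata.yaml> <registered profile> <build-info file>
# Returns 0 when Suricata has Prelude support and the yaml profile matches the
# name given to `prelude-admin register`; otherwise prints the reason on
# stderr and returns 1.
check_prelude_setup() {
    yaml=$1; registered=$2; buildinfo=$3
    support=$(prelude_support_from_build_info "$buildinfo")
    if [ "$support" != "yes" ]; then
        echo "Suricata was not built with --enable-prelude (Prelude support: ${support:-line missing})" >&2
        return 1
    fi
    profile=$(prelude_profile_from_yaml "$yaml")
    if [ -z "$profile" ]; then
        echo "no alert-prelude block with a profile: entry in $yaml" >&2
        return 1
    fi
    if [ "$profile" != "$registered" ]; then
        echo "profile mismatch: suricata.yaml says '$profile', registered '$registered'" >&2
        return 1
    fi
    return 0
}

# make_samples: writes constructed (not captured) sample inputs to a temporary
# directory and prints its path, so the checks can be exercised offline.
make_samples() {
    dir=$(mktemp -d)
    cat > "$dir/suricata.yaml" <<'EOF'
outputs:
  - fast:
      enabled: yes
      filename: fast.log
  # alert output to prelude (http://www.prelude-technologies.com/) only
  # available if Suricata has been compiled with --enable-prelude
  - alert-prelude:
      enabled: yes
      profile: suricata   # must match the prelude-admin register name
      log-packet-content: yes
      log-packet-header: yes
  - stats:
      enabled: yes
EOF
    printf 'Suricata Configuration:\n  Prelude support:                         yes\n' > "$dir/build-info.ok"
    printf 'Suricata Configuration:\n  Prelude support:                         no\n'  > "$dir/build-info.bad"
    echo "$dir"
}

# Stand-alone demonstration on the constructed samples.
samples=$(make_samples)
check_prelude_setup "$samples/suricata.yaml" suricata "$samples/build-info.ok" && echo "check 1: setup is consistent"
check_prelude_setup "$samples/suricata.yaml" suricata "$samples/build-info.bad" || echo "check 2: refused, as expected"
check_prelude_setup "$samples/suricata.yaml" sensor01 "$samples/build-info.ok" || echo "check 3: refused, as expected"
rm -rf "$samples"
```

On a real host, save the build information with suricata --build-info > /tmp/build-info and run check_prelude_setup /etc/suricata/suricata.yaml suricata /tmp/build-info (using the profile name you passed to prelude-admin register); a non-zero exit with the reason on stderr means the sensor will not show up in Prewikka until that is fixed.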