
Installing Suricata

This section explains how to install Suricata with Prelude support.

Dependencies (CentOS)

On CentOS you have to add EPEL repositories:

   # yum install epel-release

Then,

   # yum -y install libpcap-devel libcap-ng-devel libnet-devel pcre-devel gcc gcc-c++ automake autoconf libtool make libyaml-devel zlib-devel libprelude-devel libtool-ltdl-devel file-devel

Get the sources

Download Suricata from http://suricata-ids.org/download/

Unpack it:

   $ tar -zxvf suricata-*.tar.gz
   $ cd suricata-*

Comment out the following lines in the configure script (they add -Wno-error=unused-result, and Prelude does not build with -Werror):

    # Prelude doesn't work with -Werror
    STORECFLAGS="${CFLAGS}"
    CFLAGS="${CFLAGS} -Wno-error=unused-result"

Then, compile and install Suricata using the following:

   $ ./configure --enable-prelude --with-libprelude-prefix=/usr/local/ CC="gcc -std=gnu99"
   $ make
   # make install-full

Configuration

Edit the /etc/suricata/suricata.yaml file to enable Prelude alerting:

  # alert output to prelude (http://www.prelude-technologies.com/) only
  # available if Suricata has been compiled with --enable-prelude
  - alert-prelude:
      enabled: yes
      profile: suricata
      log-packet-content: yes
      log-packet-header: yes
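As an added example (not part of the original page or of the Suricata or Prelude projects), the following POSIX shell snippet checks that a suricata.yaml really has the alert-prelude output switched on and names a profile before you go on to register that profile and start the sensor. It assumes the block layout shown above (a "- alert-prelude:" list item with "enabled:" and "profile:" keys indented beneath it) and exercises the check on two constructed sample files, not on a real configuration.

```shell
#!/bin/sh
# Added example, not from the Prelude wiki: sanity-check the alert-prelude
# output block of a suricata.yaml before registering the profile.

# Print "enabled=<value> profile=<value>" for the alert-prelude block of the
# given file; a key that is not present is reported as "unset".
prelude_output_status() {
    awk '
        # entering the alert-prelude list item
        /^[[:space:]]*-[[:space:]]*alert-prelude:/ { inblk = 1; next }
        # any other list item at the outputs level ends the block
        inblk && /^[[:space:]]*-[[:space:]]*[a-z-]+:/ { inblk = 0 }
        inblk && /^[[:space:]]*enabled:/ { en = $2 }
        inblk && /^[[:space:]]*profile:/ { pr = $2 }
        END { printf "enabled=%s profile=%s\n", (en == "" ? "unset" : en), (pr == "" ? "unset" : pr) }
    ' "$1"
}

# Return 0 only when the block is enabled and names a profile, so the
# function can gate a deployment script.
prelude_output_ok() {
    case "$(prelude_output_status "$1")" in
        "enabled=yes profile=unset") return 1 ;;
        "enabled=yes profile="*)     return 0 ;;
        *)                           return 1 ;;
    esac
}

# Constructed sample configs (not real suricata.yaml files) used to
# exercise the check; the output list has other items around the block.
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/enabled.yaml" <<'EOF'
outputs:
  - fast:
      enabled: yes
  # alert output to prelude only available if compiled with --enable-prelude
  - alert-prelude:
      enabled: yes
      profile: suricata
      log-packet-content: yes
      log-packet-header: yes
  - eve-log:
      enabled: no
EOF
cat > "$SAMPLE_DIR/disabled.yaml" <<'EOF'
outputs:
  - alert-prelude:
      enabled: no
      profile: suricata
  - fast:
      enabled: yes
EOF

prelude_output_status "$SAMPLE_DIR/enabled.yaml"    # enabled=yes profile=suricata
prelude_output_status "$SAMPLE_DIR/disabled.yaml"   # enabled=no profile=suricata
```

The awk scan stops at the next "- name:" list item, so keys of other output modules (fast, eve-log) are never mistaken for the Prelude block's own settings; run prelude_output_ok against the real /etc/suricata/suricata.yaml from a deployment script and abort if it fails.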

Registering Suricata profile

Note: each module of your Prelude installation must be registered with the manager, which is in charge of communications between the modules. Registration can take a long time because an RSA key has to be generated. Generating activity on your machine (e.g. ls -l /) feeds the entropy pool and reduces the time needed to create the key.

Now create the suricata profile on the Suricata host (X being the uid and gid of the user Suricata will run as):

   # prelude-admin register suricata "idmef:w" <manager address> --uid X --gid X

And, on the Prelude-Manager host:

   # prelude-admin registration-server prelude-manager

Once the RSA key has been created, a one-time password is generated on the manager side. Paste it from the second terminal into the first terminal, then confirm the registration on the second terminal:

   Approve registration? [y/n]: y
   127.0.0.1:45761 successfully registered.

Please check the Agents Registration page for more details about sensor registration.

Running Suricata

To launch Suricata, type:

   # LD_LIBRARY_PATH=/usr/lib /usr/bin/suricata -c /etc/suricata/suricata.yaml -i eth0

You can now see a new agent named Suricata in Prewikka.