introduction

Suricata is a multi-threaded intrusion detection/prevention engine. Multi-threaded means that on a machine with multiple CPUs (or cores) it uses threads to spread the workload across them, so that many packets and streams are processed at the same time.

In order to compile Suricata on your system, you must have gcc, make and g++ already installed. Without these tools, you will not be able to continue. Additionally, if you are building from the git repository, you will also need to install automake, autoconf and libtool.

As well as the tools listed above, there are six libraries that must be installed on your system before building Suricata. libpcre provides the regular expression matching used by the pcre rule keyword. libnet is a packet-injection library. libyaml parses the configuration file. libpcap provides user-level packet capture and is used for low-level network monitoring. libz (zlib) is a lossless data compression library. libpthread provides the POSIX threads that give Suricata its multi-threading ability.

There are four optional libraries that can be installed to enhance Suricata's functionality: libnetfilter_queue, libnfnetlink, libpfring and libcap-ng. If you plan to install libnetfilter_queue, you must install libnfnetlink as well; combined, they allow you to build Suricata with inline (IPS) support via ./configure --enable-nfqueue. libpfring improves packet capture performance and is enabled via ./configure --enable-pfring. Linux users may also choose to install libcap-ng, which Suricata uses to drop privileges after it has opened its capture interfaces.

Suricata uses rulesets to identify problems and attacks in the traffic it inspects; rulesets are the intelligence behind the engine. Although there are rulesets available for Suricata, you can write your own rules to customize your build according to your needs. Suricata uses the Snort rule syntax, but with some additions to allow access to new features not available in Snort.

Suricata and the HTP library are licensed under the GPLv2. A copy of this license is included in the Suricata tarball, or you can read it online at http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt.

general compile information

The following is general information on compiling Suricata. Links to platform-specific installation and compilation instructions are provided in the section below.

  1. Go to the directory containing the Suricata package source code, and then enter ./configure at the command prompt to configure the package for your system. If you are using csh on an old version of System V, you might need to enter sh ./configure instead, to prevent csh from trying to execute configure automatically. Running configure takes some time; while it runs, messages detailing the configuration progress (e.g., which features and libraries it is checking for) are displayed on the screen. Optional features such as NFQueue or PF_RING support must be requested here with the corresponding --enable flag; they cannot be added after make has run.
  2. Type make to compile the package.
  3. Type make install to install the programs and any data files and documentation. Because the default prefix is /usr/local, this step usually has to be run as root (or via sudo).
  4. The program binaries and object files can be removed from the source code directory by typing make clean.
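The script below ties together the prerequisites from the introduction and the four compile steps above. It is an added example, not a script shipped by the Suricata project: it checks that the build tools (plus the autotools when building from a git checkout) are on PATH, confirms that each mandatory library can actually be linked, assembles the ./configure command line for the optional features, and then runs configure, make and make install. The link names (-lpcre, -lnet, -lyaml, -lpcap, -lz, -lpthread, -lnetfilter_queue, -lnfnetlink, -lpfring), the SURICATA_SRC / SURICATA_FEATURES / RUN_SURICATA_BUILD variable names and the use of gcc for the link test are assumptions made for this example.

```shell
#!/bin/sh
# Added example: preflight and build helper for Suricata from source.
# Not part of the Suricata project. Assumes a Unix-like host with gcc on PATH;
# the library link names and variable names below are assumptions.

REQUIRED_TOOLS="gcc g++ make"            # needed for any build
GIT_TOOLS="automake autoconf libtool"    # additionally needed for a git checkout
REQUIRED_LIBS="pcre net yaml pcap z pthread"   # -l names, assumed

# Print the names from the list $1 that are not found on PATH (empty if none).
missing_tools() {
    missing=""
    for t in $1; do
        command -v "$t" >/dev/null 2>&1 || missing="$missing $t"
    done
    printf '%s' "${missing# }"
}

# Try to link an empty program against -l$1; succeeds only if the library
# and its development files are installed.
have_lib() {
    printf 'int main(void){return 0;}\n' | gcc -x c - -o /dev/null "-l$1" 2>/dev/null
}

# Extra libraries each optional feature needs (assumed link names).
feature_libs() {
    case "$1" in
        nfqueue) printf 'netfilter_queue nfnetlink' ;;   # inline/IPS support
        pfring)  printf 'pfring' ;;                      # faster capture
        *)       return 1 ;;
    esac
}

# Build the ./configure command line from the requested feature names.
configure_args() {
    args="./configure"
    for feat in "$@"; do
        case "$feat" in
            nfqueue) args="$args --enable-nfqueue" ;;
            pfring)  args="$args --enable-pfring" ;;
            *) printf 'unknown feature: %s\n' "$feat" >&2; return 1 ;;
        esac
    done
    printf '%s' "$args"
}

# Verify tools and libraries for a source tree $1 and features $2...; fail early
# with a useful message instead of letting configure stop halfway through.
preflight() {
    src="$1"; shift
    tools="$REQUIRED_TOOLS"
    [ -d "$src/.git" ] && tools="$tools $GIT_TOOLS"
    m=$(missing_tools "$tools")
    [ -z "$m" ] || { printf 'missing build tools: %s\n' "$m" >&2; return 1; }
    libs="$REQUIRED_LIBS"
    for feat in "$@"; do
        extra=$(feature_libs "$feat") || { printf 'unknown feature: %s\n' "$feat" >&2; return 1; }
        libs="$libs $extra"
    done
    for lib in $libs; do
        have_lib "$lib" || { printf 'cannot link against -l%s; install its dev package\n' "$lib" >&2; return 1; }
    done
}

# The four steps from the text: configure (with feature flags), make,
# make install (normally needs root for the default /usr/local prefix).
build_suricata() {
    src="$1"; shift
    preflight "$src" "$@" || return 1
    cmd=$(configure_args "$@") || return 1
    (cd "$src" && sh -c "$cmd" && make && make install)
}

# Only build when explicitly asked, e.g.
#   RUN_SURICATA_BUILD=1 SURICATA_SRC=./suricata SURICATA_FEATURES="nfqueue" sh build.sh
if [ "${RUN_SURICATA_BUILD:-0}" = "1" ]; then
    build_suricata "${SURICATA_SRC:-.}" ${SURICATA_FEATURES:-}   # unquoted: split on spaces
fi
```

The link test is deliberately used instead of pkg-config because several of these libraries (libpcap and libnet in particular) have not always shipped .pc files, while failing to link is exactly the condition configure will trip over.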

platform-specific installation instructions

Each platform has its own set of instructions for installing the tools and libraries listed above. The page for your platform below gives specific instructions on how to download and build them, as well as how to download and build Suricata.

CentOS5
Debian/Ubuntu
Fedora Core
FreeBSD 8
Mac OS X (10.6.x)
Windows

next step

See Requirements for additional information before installing Suricata.