Installing Suricata 6.0.1-dev with pf_ring on Ubuntu 18.04

Get ntop package management:

sudo apt-get install software-properties-common wget
sudo add-apt-repository universe
wget http://apt-stable.ntop.org/18.04/all/apt-ntop-stable.deb
sudo apt install ./apt-ntop-stable.deb

Install PFRing-DKMS:

sudo apt-get install pfring-dkms

Note the GIT version and/or release shown for the package; we will need to build the matching userland libraries from that same tag.

Install dependencies:

sudo apt-get install build-essential bison flex linux-headers-$(uname -r)
sudo apt-get install libtool automake autoconf

Setup pf_ring libs:

mkdir git && cd git/
git clone https://github.com/ntop/PF_RING.git

Remember the part earlier where I said we would need to note the git/RELEASE version? Enter that version after “git checkout”; currently it is “7.6.0-stable”.

cd PF_RING && git checkout 7.6.0-stable
cd userland/lib
./configure && make && sudo make install
cd ~/git/

You can also find the git branch using this command:

sudo apt-cache search pfring-dkms
pfring-dkms - PF_RING driver in DKMS format. GIT info: 7.6.0-stable:b5d63335790c2277a23719fcfc2e4f0a56be730f
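The PF_RING kernel module (from pfring-dkms) and the userland libpfring that Suricata links against need to come from the same release, otherwise capture fails in confusing ways. As an added example, not part of the original post, here is a small POSIX shell helper that pulls the tag out of the apt-cache line shown above and checks out that tag in the PF_RING clone. The sample line is the one from the post; the repository path ~/git/PF_RING matches the layout used in the post and is an assumption.

```shell
#!/bin/sh
# Added example (not from the original post): pick the PF_RING userland tag
# that matches the installed pfring-dkms package, so the kernel module and
# libpfring are built from the same release.

# Sample input, copied from the apt-cache output in the post (constructed test data).
SAMPLE_LINE='pfring-dkms - PF_RING driver in DKMS format. GIT info: 7.6.0-stable:b5d63335790c2277a23719fcfc2e4f0a56be730f'

# Extract the tag ("7.6.0-stable") from a line of the form "... GIT info: <tag>:<commit>".
pfring_tag_from_apt_line() {
    printf '%s\n' "$1" | sed -n 's/.*GIT info: \([^:]*\):.*/\1/p'
}

# Extract the commit hash from the same line.
pfring_commit_from_apt_line() {
    printf '%s\n' "$1" | sed -n 's/.*GIT info: [^:]*:\([0-9a-f]*\).*/\1/p'
}

# Ask apt for the real line (needs the ntop repository configured, as in the post).
installed_pfring_apt_line() {
    apt-cache search pfring-dkms 2>/dev/null | grep '^pfring-dkms ' | head -n 1
}

# Check out the tag in the PF_RING clone; fails loudly if the tag is unknown
# to the repository instead of silently staying on the default branch.
checkout_pfring_tag() {
    tag="$1"
    repo="${2:-$HOME/git/PF_RING}"   # assumed clone location, as used in the post
    [ -n "$tag" ] || { echo "no PF_RING tag found in apt output" >&2; return 1; }
    git -C "$repo" fetch --tags >/dev/null 2>&1 || true
    git -C "$repo" rev-parse --verify --quiet "refs/tags/$tag" >/dev/null \
        || { echo "tag $tag not present in $repo" >&2; return 1; }
    git -C "$repo" checkout "$tag"
}

# Usage on a real box (commented out so the file can be sourced for testing):
# tag="$(pfring_tag_from_apt_line "$(installed_pfring_apt_line)")"
# checkout_pfring_tag "$tag"
```

Run the two commented lines after cloning PF_RING; if the tag is missing from the clone, re-run `git fetch --tags` or check that the pfring-dkms package and the clone are from the same ntop repository.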

Install dependencies:

sudo apt-get install libpcre3 libpcre3-dbg libpcre3-dev build-essential libpcap-dev libnet1-dev libyaml-0-2 libyaml-dev pkg-config zlib1g zlib1g-dev libcap-ng-dev libcap-ng0 make libmagic-dev libjansson-dev libnss3-dev libgeoip-dev liblua5.1-dev libhiredis-dev libevent-dev python-yaml rustc cargo autoconf
sudo apt-get install python3-distutils
sudo apt-get install liblz4-dev
sudo apt-get install libmaxminddb-dev
cargo install cbindgen

Add “~/.cargo/bin” to $PATH:

export PATH="/home/$(whoami)/.cargo/bin:$PATH"

Get luajit installed:

git clone https://luajit.org/git/luajit-2.0.git
cd luajit-2.0/
make && sudo make install

Ensure Redis Support:

sudo apt-get install libhiredis-dev libevent-dev libevent-pthreads-2.1-6

Get BPF

sudo apt install clang libelf-dev
sudo apt install libc6-dev-i386 --no-install-recommends
cd ~/git/
git clone https://github.com/libbpf/libbpf.git
cd libbpf/src/
./configure
make && sudo make install
sudo make install_headers
sudo ldconfig

Adding extra details about manually building libhtp (this may not be necessary; I’ll update in the future if not). The Suricata configure line further down uses --enable-non-bundled-htp, so libhtp has to be built and installed for that flag to work:

sudo apt-get install doxygen
sudo apt-get install lcov
git clone https://github.com/OISF/libhtp.git
cd libhtp/
./autogen.sh
./configure
make && sudo make install
cd ~/git/

Get suricata-update installed:

sudo apt-get install python3-pip
sudo python3 -m pip install suricata-update
sudo ln -s /usr/local/bin/suricata-update /usr/bin/suricata-update

You may have to:

sudo ldconfig

or

export LD_LIBRARY_PATH=/usr/local/lib:$LD_LIBRARY_PATH

Continue with Suricata:

git clone https://github.com/OISF/suricata
cd suricata/
./autogen.sh
LIBS="-lrt" ./configure --prefix=/usr --sysconfdir=/etc --localstatedir=/var --enable-hiredis --enable-non-bundled-htp --enable-luajit --enable-geoip --enable-ebpf --enable-ebpf-build --enable-rust --with-clang=/usr/bin/clang --enable-pfring --with-libpfring-includes=/usr/local/include --with-libpfring-libraries=/usr/local/lib --with-libluajit-includes=/usr/local/include/luajit-2.0/ --with-libluajit-libraries=/usr/lib/
make && sudo make install
sudo suricata-update
sudo make install-conf

Create Service File:

sudo cp ~/git/suricata/etc/suricata.service /etc/systemd/system/
sudo chown root: /etc/systemd/system/suricata.service

Edit the service file to uncomment the platform-specific defaults location:

sudo vim /etc/systemd/system/suricata.service

Now we use some of the features we’ve built into our binary. In the future I will hopefully write something about redis.

Edit as such (for Ubuntu/Debian; on other platforms uncomment the other “EnvironmentFile” line). Mind the options and the binary path on the ExecStart line, since some environments will have put things in different places:

[Service]
...
EnvironmentFile=-/etc/default/suricata
...
ExecStart=/usr/bin/suricata --pfring-int=eth1 --pfring-cluster-id=99 --pfring-cluster-type=cluster_flow -c /etc/suricata/suricata.yaml --pidfile /var/run/suricata.pid $OPTIONS

Note: To use PF_RING, you will need to edit the interface of the PF_RING element in /etc/suricata/suricata.yaml to the proper interface name, here I’ve used “eth1”.

Create Suricata Defaults File:

sudo touch /etc/default/suricata
sudo vim /etc/default/suricata

Edit as such:

# Configuration file for the suricata service.
#from /etc/sysconfig
LD_PRELOAD="/usr/lib/x86_64-linux-gnu/libtcmalloc_minimal.so.4"
OPTIONS="-S /var/lib/suricata/rules/suricata.rules --init-errors-fatal"

You may need to fix the rules location (it doesn’t seem $OPTIONS gets passed at init). Either:

sudo vim /etc/suricata/suricata.yaml

Edit as such (approx line number 1865):

default-rule-path: /var/lib/suricata/rules/

-or-

sudo ln -s /var/lib/suricata/rules/suricata.rules /etc/suricata/rules/suricata.rules
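Whichever fix you choose, the thing to verify is that the rule path Suricata will read from suricata.yaml actually contains the suricata.rules file that suricata-update writes. As an added example, not part of the original post, here is a POSIX shell check that reads default-rule-path from a suricata.yaml and confirms the file is there; it builds a throwaway yaml and rules directory in a temp dir so it can be exercised without touching /etc. The file names are the ones from the post; the temp layout is constructed.

```shell
#!/bin/sh
# Added example (not from the original post): verify that default-rule-path in
# suricata.yaml points at a directory holding suricata.rules, which is the
# mismatch the post works around when $OPTIONS is not honoured at init.

# Print the value of the top-level default-rule-path key (ignores trailing comments).
rule_path_from_yaml() {
    sed -n 's/^default-rule-path:[[:space:]]*\([^[:space:]#]*\).*/\1/p' "$1" | head -n 1
}

# Return 0 if <default-rule-path>/suricata.rules exists, 1 otherwise.
rules_file_present() {
    path="$(rule_path_from_yaml "$1")"
    [ -n "$path" ] || { echo "default-rule-path not set in $1" >&2; return 1; }
    if [ -f "${path%/}/suricata.rules" ]; then
        return 0
    fi
    echo "no suricata.rules under $path (run suricata-update or fix default-rule-path)" >&2
    return 1
}

# Constructed sample: a throwaway yaml plus empty rules directory under a temp dir.
make_sample_layout() {
    dir="$(mktemp -d)"
    mkdir -p "$dir/rules"
    printf 'default-rule-path: %s/rules/\nrule-files:\n  - suricata.rules\n' "$dir" > "$dir/suricata.yaml"
    printf '%s\n' "$dir"
}

# Usage against the real config (commented out so the file can be sourced for testing):
# rules_file_present /etc/suricata/suricata.yaml && echo "rules path OK"
```

On a real install, run `rules_file_present /etc/suricata/suricata.yaml` after `sudo suricata-update`; a non-zero exit with the message above tells you which of the two fixes in the post you still need.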

PF_RING – Create slots:

sudo vim /etc/pf_ring/pf_ring.conf

Enter as such:

min_num_slots=65536

PF_RING – Set interfaces:

sudo vim /etc/pf_ring/interfaces.conf

Enter as such:

MANAGEMENT_INTERFACES="eth0"
CAPTURE_INTERFACES="eth1"
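The capture interface is now named in three places: the --pfring-int option on ExecStart in the unit file, CAPTURE_INTERFACES in /etc/pf_ring/interfaces.conf, and the pfring section of suricata.yaml (see the note above about editing it to "eth1"). As an added example, not part of the original post, here is a POSIX shell check that reads all three and reports a mismatch. File paths are parameters so it can run against copies; the sample files it builds in a temp dir are constructed from the snippets in the post.

```shell
#!/bin/sh
# Added example (not from the original post): confirm that the capture interface
# in the systemd unit, in pf_ring's interfaces.conf and in the pfring section of
# suricata.yaml all agree, since each is edited by hand in the post.

# Interface from "--pfring-int=<name>" on the ExecStart line of the unit file.
unit_pfring_int() {
    sed -n 's/^ExecStart=.*--pfring-int=\([^[:space:]]*\).*/\1/p' "$1" | head -n 1
}

# First name listed in CAPTURE_INTERFACES="..." of interfaces.conf.
pfring_capture_int() {
    sed -n 's/^CAPTURE_INTERFACES="\([^" ]*\).*/\1/p' "$1" | head -n 1
}

# First "- interface:" entry under the top-level pfring: section of suricata.yaml.
yaml_pfring_int() {
    awk '
        /^pfring:/              { inblock = 1; next }
        inblock && /^[^ ]/      { inblock = 0 }
        inblock && /interface:/ { sub(/.*interface:[ \t]*/, ""); print; exit }
    ' "$1"
}

# Print the interface and return 0 when all three agree; otherwise list them and return 1.
check_capture_interface() {
    unit_if="$(unit_pfring_int "$1")"
    conf_if="$(pfring_capture_int "$2")"
    yaml_if="$(yaml_pfring_int "$3")"
    if [ -n "$unit_if" ] && [ "$unit_if" = "$conf_if" ] && [ "$unit_if" = "$yaml_if" ]; then
        printf '%s\n' "$unit_if"
        return 0
    fi
    printf 'mismatch: unit=%s interfaces.conf=%s suricata.yaml=%s\n' \
        "$unit_if" "$conf_if" "$yaml_if" >&2
    return 1
}

# Constructed sample files in a temp dir (the real ones live under /etc).
make_sample_configs() {
    iface="$1"
    dir="$(mktemp -d)"
    cat > "$dir/suricata.service" <<EOF
[Service]
EnvironmentFile=-/etc/default/suricata
ExecStart=/usr/bin/suricata --pfring-int=$iface --pfring-cluster-id=99 --pfring-cluster-type=cluster_flow -c /etc/suricata/suricata.yaml \$OPTIONS
EOF
    printf 'MANAGEMENT_INTERFACES="eth0"\nCAPTURE_INTERFACES="%s"\n' "$iface" > "$dir/interfaces.conf"
    printf 'pfring:\n  - interface: %s\n    threads: auto\n    cluster-id: 99\n    cluster-type: cluster_flow\n\nvlan:\n  use-for-tracking: false\n' \
        "$iface" > "$dir/suricata.yaml"
    printf '%s\n' "$dir"
}

# Usage on a real box (commented out so the file can be sourced for testing):
# check_capture_interface /etc/systemd/system/suricata.service /etc/pf_ring/interfaces.conf /etc/suricata/suricata.yaml
```

Run the commented usage line before `systemctl start suricata`; the most common failure on a fresh build is the yaml still naming the default interface while the unit file and pf_ring say eth1.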

You should be able to test your config now:

sudo suricata -v -T -c /etc/suricata/suricata.yaml

sudo /usr/bin/suricata --pfring-int=eth1 --pfring-cluster-id=99 --pfring-cluster-type=cluster_flow -c /etc/suricata/suricata.yaml --dump-config

sudo /usr/bin/suricata --pfring-int=eth1 --pfring-cluster-id=99 --pfring-cluster-type=cluster_flow -c /etc/suricata/suricata.yaml --dump-features

sudo suricata --list-runmodes

sudo suricata --build-info

If you are running this in ESXi and/or you’re doing this via a port mirror on your switch, then you might have some VLAN oddities. In ESXi 6.7 there’s a little-known trick: set the VLAN for your sniff switch/ports to 4095. This, plus not making the VLAN a significant flow feature in Suricata (it is a suricata.yaml option…), is vital:

vlan:
  use-for-tracking: false

One of the only things I’m not detailing here is the actual suricata.yaml file and that is because I’m still learning it and there are other blog posts specifically about that, even one I saw about going from snort -> suricata.

Thanks!

Hope this helps someone, and be well.
