diff options
Diffstat (limited to '')
-rw-r--r-- | doc/userguide/install.rst | 416 |
1 files changed, 416 insertions, 0 deletions
diff --git a/doc/userguide/install.rst b/doc/userguide/install.rst new file mode 100644 index 0000000..b3d39d2 --- /dev/null +++ b/doc/userguide/install.rst @@ -0,0 +1,416 @@ +.. _installation: + +Installation +============ + +Before Suricata can be used it has to be installed. Suricata can be installed +on various distributions using binary packages: :ref:`install-binary-packages`. + +For people familiar with compiling their own software, the `Source method` is +recommended. + +Advanced users can check the advanced guides, see :ref:`install-advanced`. + +Source +------ + +Installing from the source distribution files gives the most control over the Suricata installation. + +Basic steps:: + + tar xzvf suricata-6.0.0.tar.gz + cd suricata-6.0.0 + ./configure + make + make install + +This will install Suricata into ``/usr/local/bin/``, use the default +configuration in ``/usr/local/etc/suricata/`` and will output to +``/usr/local/var/log/suricata`` + + +Common configure options +^^^^^^^^^^^^^^^^^^^^^^^^ + +.. option:: --disable-gccmarch-native + + Do not optimize the binary for the hardware it is built on. Add this + flag if the binary is meant to be portable or if Suricata is to be used in a VM. + +.. option:: --prefix=/usr/ + + Installs the Suricata binary into /usr/bin/. Default ``/usr/local/`` + +.. option:: --sysconfdir=/etc + + Installs the Suricata configuration files into /etc/suricata/. Default ``/usr/local/etc/`` + +.. option:: --localstatedir=/var + + Setups Suricata for logging into /var/log/suricata/. Default ``/usr/local/var/log/suricata`` + +.. option:: --enable-lua + + Enables Lua support for detection and output. + +.. option:: --enable-geoip + + Enables GeoIP support for detection. + +.. option:: --enable-dpdk + + Enables `DPDK <https://www.dpdk.org/>`_ packet capture method. + +Dependencies +^^^^^^^^^^^^ + +For Suricata's compilation you'll need the following libraries and their development headers installed:: + + libjansson, libpcap, libpcre2, libyaml, zlib + +The following tools are required:: + + make gcc (or clang) pkg-config rustc cargo + +Rust support:: + + rustc, cargo + + Some distros don't provide or provide outdated Rust packages. + Rust can also be installed directly from the Rust project itself:: + + 1) Install Rust https://www.rust-lang.org/en-US/install.html + 2) Install cbindgen - if the cbindgen is not found in the repository + or the cbindgen version is lower than required, it can be + alternatively installed as: cargo install --force cbindgen + 3) Make sure the cargo path is within your PATH environment + e.g. echo 'export PATH=”${PATH}:~/.cargo/bin”' >> ~/.bashrc + e.g. export PATH="${PATH}:/root/.cargo/bin" + +Ubuntu/Debian +""""""""""""" + +.. note:: The following instructions require ``sudo`` to be installed. + +Minimal:: + + # Installed Rust and cargo as indicated above + sudo apt-get install build-essential git libjansson-dev libpcap-dev \ + libpcre2-dev libtool libyaml-dev make pkg-config zlib1g-dev + # On most distros installing cbindgen with package manager should be enough + sudo apt-get install cbindgen # alternative: cargo install --force cbindgen + +Recommended:: + + # Installed Rust and cargo as indicated above + sudo apt-get install autoconf automake build-essential ccache clang curl git \ + gosu jq libbpf-dev libcap-ng0 libcap-ng-dev libelf-dev \ + libevent-dev libgeoip-dev libhiredis-dev libjansson-dev \ + liblua5.1-dev libmagic-dev libnet1-dev libpcap-dev \ + libpcre2-dev libtool libyaml-0-2 libyaml-dev m4 make \ + pkg-config python3 python3-dev python3-yaml sudo zlib1g \ + zlib1g-dev + cargo install --force cbindgen + +Extra for iptables/nftables IPS integration:: + + sudo apt-get install libnetfilter-queue-dev libnetfilter-queue1 \ + libnetfilter-log-dev libnetfilter-log1 \ + libnfnetlink-dev libnfnetlink0 + +CentOS, AlmaLinux, RockyLinux, Fedora, etc +"""""""""""""""""""""""""""""""""""""""""" + +.. note:: The following instructions require ``sudo`` to be installed. + +To install all minimal dependencies, it is required to enable extra package +repository in most distros. You can enable it possibly by +one of the following ways:: + + sudo dnf -y update + sudo dnf -y install dnf-plugins-core + # AlmaLinux 8 + sudo dnf config-manager --set-enabled powertools + # AlmaLinux 9 + sudo dnf config-manager --set-enable crb + # Oracle Linux 8 + sudo dnf config-manager --set-enable ol8_codeready_builder + # Oracle Linux 9 + sudo dnf config-manager --set-enable ol9_codeready_builder + +Minimal:: + + # Installed Rust and cargo as indicated above + sudo dnf install -y gcc gcc-c++ git jansson-devel libpcap-devel libtool \ + libyaml-devel make pcre2-devel which zlib-devel + cargo install --force cbindgen + +Recommended:: + + # Installed Rust and cargo as indicated above + sudo dnf install -y autoconf automake diffutils file-devel gcc gcc-c++ git \ + jansson-devel jq libcap-ng-devel libevent-devel \ + libmaxminddb-devel libnet-devel libnetfilter_queue-devel \ + libnfnetlink-devel libpcap-devel libtool libyaml-devel \ + lua-devel lz4-devel make nss-devel pcre2-devel pkgconfig \ + python3-devel python3-sphinx python3-yaml sudo which \ + zlib-devel + cargo install --force cbindgen + +Compilation +^^^^^^^^^^^ + +Follow these steps from your Suricata directory:: + + ./scripts/bundle.sh + ./autogen.sh + ./configure # you may want to add additional parameters here + # ./configure --help to get all available parameters + make -j8 # j is for paralleling, you may de/increase depending on your CPU + make install # to install your Suricata compiled binary + +Auto-Setup +^^^^^^^^^^ + +You can also use the available auto-setup features of Suricata: + +:: + + ./configure && make && sudo make install-conf + +*make install-conf* would do the regular "make install" and then it would automatically +create/setup all the necessary directories and ``suricata.yaml`` for you. + +:: + + ./configure && make && sudo make install-rules + +*make install-rules* would do the regular "make install" and then it would automatically +download and set up the latest ruleset from Emerging Threats available for Suricata. + +:: + + ./configure && make && sudo make install-full + +*make install-full* would combine everything mentioned above (install-conf and install-rules) +and will present you with a ready-to-run (configured and set-up) Suricata. + +.. _install-binary-packages: + +Binary packages +--------------- + +Ubuntu from Personal Package Archives (PPA) +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +For Ubuntu, OISF maintains a PPA ``suricata-stable`` that always contains the +latest stable release. + +.. note:: The following instructions require ``sudo`` to be installed. + +Setup to install the latest stable Suricata:: + + sudo apt-get install software-properties-common + sudo add-apt-repository ppa:oisf/suricata-stable + sudo apt-get update + +Then, you can install the latest stable with:: + + sudo apt-get install suricata + +After installing you can proceed to the :ref:`Basic setup`. + +`OISF launchpad: suricata-stable <https://launchpad.net/~oisf/+archive/suricata-stable>`_. + +Upgrading +""""""""" + +To upgrade:: + + sudo apt-get update + sudo apt-get upgrade suricata + +Remove +"""""" + +To remove Suricata from your system:: + + sudo apt-get remove suricata + + + +Getting Debug or Pre-release Versions +""""""""""""""""""""""""""""""""""""" + +.. note:: The following instructions require ``sudo`` to be installed. + +If you want Suricata with built-in (enabled) debugging, you can install the +debug package:: + + sudo apt-get install suricata-dbg + +If you would like to help test the Release Candidate (RC) packages, the same procedures +apply, just using another PPA: ``suricata-beta``:: + + sudo add-apt-repository ppa:oisf/suricata-beta + sudo apt-get update + sudo apt-get upgrade + +You can use both the suricata-stable and suricata-beta repositories together. +Suricata will then always be the latest release, stable or beta. + +`OISF launchpad: suricata-beta <https://launchpad.net/~oisf/+archive/suricata-beta>`_. + +Daily Releases +"""""""""""""" + +.. note:: The following instructions require ``sudo`` to be installed. + +If you would like to help test the daily build packages from our latest git(dev) +repository, the same procedures as above apply, just using another PPA, +``suricata-daily``:: + + sudo add-apt-repository ppa:oisf/suricata-daily-allarch + sudo apt-get update + sudo apt-get upgrade + +.. note:: + + Please have in mind that this is packaged from our latest development git master + and is therefore potentially unstable. + + We do our best to make others aware of continuing development and items + within the engine that are not yet complete or optimal. With this in mind, + please refer to `Suricata's issue tracker on Redmine + <http://redmine.openinfosecfoundation.org/projects/suricata/issues>`_ + for an up-to-date list of what we are working on, planned roadmap, + and to report issues. + +`OISF launchpad: suricata-daily <https://launchpad.net/~oisf/+archive/suricata-daily>`_. + +Debian +^^^^^^ + +.. note:: The following instructions require ``sudo`` to be installed. + +In Debian 9 (stretch) and later do:: + + sudo apt-get install suricata + +In the "stable" version of Debian, Suricata is usually not available in the +latest version. A more recent version is often available from Debian backports, +if it can be built there. + +To use backports, the backports repository for the current stable +distribution needs to be added to the system-wide sources list. +For Debian 10 (buster), for instance, run the following as ``root``:: + + echo "deb http://http.debian.net/debian buster-backports main" > \ + /etc/apt/sources.list.d/backports.list + apt-get update + apt-get install suricata -t buster-backports + +.. _RPM packages: + +CentOS, AlmaLinux, RockyLinux, Fedora, etc +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +RPMs are provided for the latest release of *Enterprise Linux*. This +includes CentOS Linux and rebuilds such as AlmaLinux and RockyLinux. +Additionally, RPMs are provided for the latest supported versions of Fedora. + +RPMs specifically for CentOS Stream are not provided, however the RPMs for their +related version may work fine. + +Installing From Package Repositories +"""""""""""""""""""""""""""""""""""" + +CentOS, RHEL, AlmaLinux, RockyLinux, etc Version 8+ +''''''''''''''''''''''''''''''''''''''''''''''''''' + +.. note:: The following instructions require ``sudo`` to be installed. + +.. code-block:: none + + sudo dnf install epel-release dnf-plugins-core + sudo dnf copr enable @oisf/suricata-7.0 + sudo dnf install suricata + +CentOS 7 +'''''''' + +.. code-block:: none + + sudo yum install epel-release yum-plugin-copr + sudo yum copr enable @oisf/suricata-7.0 + sudo yum install suricata + +Fedora +'''''' + +.. code-block:: none + + sudo dnf install dnf-plugins-core + sudo dnf copr enable @oisf/suricata-7.0 + sudo dnf install suricata + +Additional Notes for RPM Installations +"""""""""""""""""""""""""""""""""""""" + +- Suricata is pre-configured to run as the ``suricata`` user. +- Command line parameters such as providing the interface names can be + configured in ``/etc/sysconfig/suricata``. +- Users can run ``suricata-update`` without being root provided they + are added to the ``suricata`` group. +- Directories: + + - ``/etc/suricata``: Configuration directory + - ``/var/log/suricata``: Log directory + - ``/var/lib/suricata``: State directory rules, datasets. + +Starting Suricata On-Boot +''''''''''''''''''''''''' + +The Suricata RPMs are configured to run from Systemd. + +.. note:: The following instructions require ``sudo`` to be installed. + +To start Suricata:: + + sudo systemctl start suricata + +To stop Suricata:: + + sudo systemctl stop suricata + +To have Suricata start on-boot:: + + sudo systemctl enable suricata + +To reload rules:: + + sudo systemctl reload suricata + +.. _install-advanced: + +Arch Based +^^^^^^^^^^ + +The ArchLinux AUR contains Suricata and suricata-nfqueue packages, with commonly +used configurations for compilation (may also be edited to your liking). You may +use makepkg, yay (sample below), or other AUR helpers to compile and build +Suricata packages. + +:: + + yay -S suricata + +Advanced Installation +--------------------- + +If you are using Ubuntu, you can follow +:doc:`devguide/codebase/installation-from-git`. + +For other various installation guides for installing from GIT and for other operating +systems, please check (bear in mind that those may be somewhat outdated): +https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Suricata_Installation |