1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
|
.. _installation:
Installation
============
Before Suricata can be used it has to be installed. Suricata can be installed
on various distributions using binary packages: :ref:`install-binary-packages`.
For people familiar with compiling their own software, the `Source method` is
recommended.
Advanced users can check the advanced guides, see :ref:`install-advanced`.
Source
------
Installing from the source distribution files gives the most control over the Suricata installation.
Basic steps::
tar xzvf suricata-6.0.0.tar.gz
cd suricata-6.0.0
./configure
make
make install
This will install Suricata into ``/usr/local/bin/``, use the default
configuration in ``/usr/local/etc/suricata/`` and will output to
``/usr/local/var/log/suricata``
Common configure options
^^^^^^^^^^^^^^^^^^^^^^^^
.. option:: --disable-gccmarch-native
Do not optimize the binary for the hardware it is built on. Add this
flag if the binary is meant to be portable or if Suricata is to be used in a VM.
.. option:: --prefix=/usr/
Installs the Suricata binary into /usr/bin/. Default ``/usr/local/``
.. option:: --sysconfdir=/etc
Installs the Suricata configuration files into /etc/suricata/. Default ``/usr/local/etc/``
.. option:: --localstatedir=/var
Setups Suricata for logging into /var/log/suricata/. Default ``/usr/local/var/log/suricata``
.. option:: --enable-lua
Enables Lua support for detection and output.
.. option:: --enable-geoip
Enables GeoIP support for detection.
.. option:: --enable-dpdk
Enables `DPDK <https://www.dpdk.org/>`_ packet capture method.
Dependencies
^^^^^^^^^^^^
For Suricata's compilation you'll need the following libraries and their development headers installed::
libjansson, libpcap, libpcre2, libyaml, zlib
The following tools are required::
make gcc (or clang) pkg-config rustc cargo
Rust support::
rustc, cargo
Some distros don't provide or provide outdated Rust packages.
Rust can also be installed directly from the Rust project itself::
1) Install Rust https://www.rust-lang.org/en-US/install.html
2) Install cbindgen - if the cbindgen is not found in the repository
or the cbindgen version is lower than required, it can be
alternatively installed as: cargo install --force cbindgen
3) Make sure the cargo path is within your PATH environment
e.g. echo 'export PATH=”${PATH}:~/.cargo/bin”' >> ~/.bashrc
e.g. export PATH="${PATH}:/root/.cargo/bin"
Ubuntu/Debian
"""""""""""""
.. note:: The following instructions require ``sudo`` to be installed.
Minimal::
# Installed Rust and cargo as indicated above
sudo apt-get install build-essential git libjansson-dev libpcap-dev \
libpcre2-dev libtool libyaml-dev make pkg-config zlib1g-dev
# On most distros installing cbindgen with package manager should be enough
sudo apt-get install cbindgen # alternative: cargo install --force cbindgen
Recommended::
# Installed Rust and cargo as indicated above
sudo apt-get install autoconf automake build-essential ccache clang curl git \
gosu jq libbpf-dev libcap-ng0 libcap-ng-dev libelf-dev \
libevent-dev libgeoip-dev libhiredis-dev libjansson-dev \
liblua5.1-dev libmagic-dev libnet1-dev libpcap-dev \
libpcre2-dev libtool libyaml-0-2 libyaml-dev m4 make \
pkg-config python3 python3-dev python3-yaml sudo zlib1g \
zlib1g-dev
cargo install --force cbindgen
Extra for iptables/nftables IPS integration::
sudo apt-get install libnetfilter-queue-dev libnetfilter-queue1 \
libnetfilter-log-dev libnetfilter-log1 \
libnfnetlink-dev libnfnetlink0
CentOS, AlmaLinux, RockyLinux, Fedora, etc
""""""""""""""""""""""""""""""""""""""""""
.. note:: The following instructions require ``sudo`` to be installed.
To install all minimal dependencies, it is required to enable extra package
repository in most distros. You can enable it possibly by
one of the following ways::
sudo dnf -y update
sudo dnf -y install dnf-plugins-core
# AlmaLinux 8
sudo dnf config-manager --set-enabled powertools
# AlmaLinux 9
sudo dnf config-manager --set-enable crb
# Oracle Linux 8
sudo dnf config-manager --set-enable ol8_codeready_builder
# Oracle Linux 9
sudo dnf config-manager --set-enable ol9_codeready_builder
Minimal::
# Installed Rust and cargo as indicated above
sudo dnf install -y gcc gcc-c++ git jansson-devel libpcap-devel libtool \
libyaml-devel make pcre2-devel which zlib-devel
cargo install --force cbindgen
Recommended::
# Installed Rust and cargo as indicated above
sudo dnf install -y autoconf automake diffutils file-devel gcc gcc-c++ git \
jansson-devel jq libcap-ng-devel libevent-devel \
libmaxminddb-devel libnet-devel libnetfilter_queue-devel \
libnfnetlink-devel libpcap-devel libtool libyaml-devel \
lua-devel lz4-devel make nss-devel pcre2-devel pkgconfig \
python3-devel python3-sphinx python3-yaml sudo which \
zlib-devel
cargo install --force cbindgen
Compilation
^^^^^^^^^^^
Follow these steps from your Suricata directory::
./scripts/bundle.sh
./autogen.sh
./configure # you may want to add additional parameters here
# ./configure --help to get all available parameters
make -j8 # j is for paralleling, you may de/increase depending on your CPU
make install # to install your Suricata compiled binary
Auto-Setup
^^^^^^^^^^
You can also use the available auto-setup features of Suricata:
::
./configure && make && sudo make install-conf
*make install-conf* would do the regular "make install" and then it would automatically
create/setup all the necessary directories and ``suricata.yaml`` for you.
::
./configure && make && sudo make install-rules
*make install-rules* would do the regular "make install" and then it would automatically
download and set up the latest ruleset from Emerging Threats available for Suricata.
::
./configure && make && sudo make install-full
*make install-full* would combine everything mentioned above (install-conf and install-rules)
and will present you with a ready-to-run (configured and set-up) Suricata.
.. _install-binary-packages:
Binary packages
---------------
Ubuntu from Personal Package Archives (PPA)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
For Ubuntu, OISF maintains a PPA ``suricata-stable`` that always contains the
latest stable release.
.. note:: The following instructions require ``sudo`` to be installed.
Setup to install the latest stable Suricata::
sudo apt-get install software-properties-common
sudo add-apt-repository ppa:oisf/suricata-stable
sudo apt-get update
Then, you can install the latest stable with::
sudo apt-get install suricata
After installing you can proceed to the :ref:`Basic setup`.
`OISF launchpad: suricata-stable <https://launchpad.net/~oisf/+archive/suricata-stable>`_.
Upgrading
"""""""""
To upgrade::
sudo apt-get update
sudo apt-get upgrade suricata
Remove
""""""
To remove Suricata from your system::
sudo apt-get remove suricata
Getting Debug or Pre-release Versions
"""""""""""""""""""""""""""""""""""""
.. note:: The following instructions require ``sudo`` to be installed.
If you want Suricata with built-in (enabled) debugging, you can install the
debug package::
sudo apt-get install suricata-dbg
If you would like to help test the Release Candidate (RC) packages, the same procedures
apply, just using another PPA: ``suricata-beta``::
sudo add-apt-repository ppa:oisf/suricata-beta
sudo apt-get update
sudo apt-get upgrade
You can use both the suricata-stable and suricata-beta repositories together.
Suricata will then always be the latest release, stable or beta.
`OISF launchpad: suricata-beta <https://launchpad.net/~oisf/+archive/suricata-beta>`_.
Daily Releases
""""""""""""""
.. note:: The following instructions require ``sudo`` to be installed.
If you would like to help test the daily build packages from our latest git(dev)
repository, the same procedures as above apply, just using another PPA,
``suricata-daily``::
sudo add-apt-repository ppa:oisf/suricata-daily-allarch
sudo apt-get update
sudo apt-get upgrade
.. note::
Please have in mind that this is packaged from our latest development git master
and is therefore potentially unstable.
We do our best to make others aware of continuing development and items
within the engine that are not yet complete or optimal. With this in mind,
please refer to `Suricata's issue tracker on Redmine
<http://redmine.openinfosecfoundation.org/projects/suricata/issues>`_
for an up-to-date list of what we are working on, planned roadmap,
and to report issues.
`OISF launchpad: suricata-daily <https://launchpad.net/~oisf/+archive/suricata-daily>`_.
Debian
^^^^^^
.. note:: The following instructions require ``sudo`` to be installed.
In Debian 9 (stretch) and later do::
sudo apt-get install suricata
In the "stable" version of Debian, Suricata is usually not available in the
latest version. A more recent version is often available from Debian backports,
if it can be built there.
To use backports, the backports repository for the current stable
distribution needs to be added to the system-wide sources list.
For Debian 10 (buster), for instance, run the following as ``root``::
echo "deb http://http.debian.net/debian buster-backports main" > \
/etc/apt/sources.list.d/backports.list
apt-get update
apt-get install suricata -t buster-backports
.. _RPM packages:
CentOS, AlmaLinux, RockyLinux, Fedora, etc
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
RPMs are provided for the latest release of *Enterprise Linux*. This
includes CentOS Linux and rebuilds such as AlmaLinux and RockyLinux.
Additionally, RPMs are provided for the latest supported versions of Fedora.
RPMs specifically for CentOS Stream are not provided, however the RPMs for their
related version may work fine.
Installing From Package Repositories
""""""""""""""""""""""""""""""""""""
CentOS, RHEL, AlmaLinux, RockyLinux, etc Version 8+
'''''''''''''''''''''''''''''''''''''''''''''''''''
.. note:: The following instructions require ``sudo`` to be installed.
.. code-block:: none
sudo dnf install epel-release dnf-plugins-core
sudo dnf copr enable @oisf/suricata-7.0
sudo dnf install suricata
CentOS 7
''''''''
.. code-block:: none
sudo yum install epel-release yum-plugin-copr
sudo yum copr enable @oisf/suricata-7.0
sudo yum install suricata
Fedora
''''''
.. code-block:: none
sudo dnf install dnf-plugins-core
sudo dnf copr enable @oisf/suricata-7.0
sudo dnf install suricata
Additional Notes for RPM Installations
""""""""""""""""""""""""""""""""""""""
- Suricata is pre-configured to run as the ``suricata`` user.
- Command line parameters such as providing the interface names can be
configured in ``/etc/sysconfig/suricata``.
- Users can run ``suricata-update`` without being root provided they
are added to the ``suricata`` group.
- Directories:
- ``/etc/suricata``: Configuration directory
- ``/var/log/suricata``: Log directory
- ``/var/lib/suricata``: State directory rules, datasets.
Starting Suricata On-Boot
'''''''''''''''''''''''''
The Suricata RPMs are configured to run from Systemd.
.. note:: The following instructions require ``sudo`` to be installed.
To start Suricata::
sudo systemctl start suricata
To stop Suricata::
sudo systemctl stop suricata
To have Suricata start on-boot::
sudo systemctl enable suricata
To reload rules::
sudo systemctl reload suricata
.. _install-advanced:
Arch Based
^^^^^^^^^^
The ArchLinux AUR contains Suricata and suricata-nfqueue packages, with commonly
used configurations for compilation (may also be edited to your liking). You may
use makepkg, yay (sample below), or other AUR helpers to compile and build
Suricata packages.
::
yay -S suricata
Advanced Installation
---------------------
If you are using Ubuntu, you can follow
:doc:`devguide/codebase/installation-from-git`.
For other various installation guides for installing from GIT and for other operating
systems, please check (bear in mind that those may be somewhat outdated):
https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Suricata_Installation
|
