Note: the only difference from the 0.8.2 post is the addition of libcap-ng-dev. Building against libcap-ng allows Suricata to drop privileges and run as an unprivileged user.
Here is how to compile Suricata 0.9.0 in inline mode on Ubuntu Lucid 10.04.
First, make sure you have the “universe” repository enabled. Go to the System menu, Administration, Software Sources. There enable “Community-maintained Open Source Software (universe)”. If you’re not running a GUI, edit /etc/apt/sources.list and enable the universe repository there. Don’t forget to run “apt-get update” afterwards.
Install the following packages needed to build Suricata: libpcre3-dev libpcap-dev libyaml-dev zlib1g-dev libnfnetlink-dev libnetfilter-queue-dev libnet1-dev libcap-ng-dev.
apt-get install libpcre3-dev libpcap-dev libyaml-dev zlib1g-dev libnfnetlink-dev libnetfilter-queue-dev libnet1-dev libcap-ng-dev
Download Suricata 0.9.0 here
Extract the suricata-0.9.0.tar.gz file as follows:
tar xzvf suricata-0.9.0.tar.gz
Enter the extracted directory suricata-0.9.0.
Run “./configure --enable-nfqueue”
If “./configure --enable-nfqueue” was successful, run “make”
If “make” was successful, run “sudo make install”
Besides Suricata itself, the build process installs the “libhtp” shared library. For the dynamic linker to find it, run “ldconfig”.
Run “suricata -V” and it should report version 0.9.0.
To use Suricata in inline mode, pass -q <queue id> on the command line, where <queue id> is the NFQUEUE number your iptables rules send packets to. Example:
suricata -c /etc/suricata/suricata.yaml -q 0
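The build and inline setup described above, scripted as an added example (not code from the original post or the Suricata project). It assumes the suricata-0.9.0.tar.gz tarball is in the current directory and that the NFQUEUE rules go in the iptables filter table; the post itself only shows the -q option.

```shell
#!/bin/sh
# Added example: script the inline build of Suricata 0.9.0 and the NFQUEUE
# setup. Assumes suricata-0.9.0.tar.gz is in the current directory and that
# the iptables filter table is used for the NFQUEUE rules.
set -e

SURICATA_VERSION="0.9.0"

# Print the iptables commands that divert traffic to NFQUEUE queue $1.
# Queue ids are 16-bit unsigned; reject anything else before touching iptables.
nfqueue_rules() {
    q="$1"
    case "$q" in
        ''|*[!0-9]*) echo "bad queue id: $q" >&2; return 1 ;;
    esac
    [ "$q" -le 65535 ] || { echo "queue id out of range: $q" >&2; return 1; }
    for chain in INPUT OUTPUT FORWARD; do
        echo "iptables -A $chain -j NFQUEUE --queue-num $q"
    done
}

# Extract the version from "suricata -V" output and fail unless it is the
# version we just built (catches a stale binary earlier in $PATH).
check_version() {
    got=$(printf '%s\n' "$1" | sed -n 's/.*Suricata version \([0-9.]*\).*/\1/p')
    [ "$got" = "$SURICATA_VERSION" ]
}

build_and_install() {
    tar xzf "suricata-${SURICATA_VERSION}.tar.gz"
    cd "suricata-${SURICATA_VERSION}"
    ./configure --enable-nfqueue
    make
    sudo make install
    sudo ldconfig          # so the freshly installed libhtp is found
    cd ..
}

# Only do the real work when invoked as "./build-inline.sh run [queue]";
# otherwise the functions above can be sourced and exercised without root.
if [ "${1:-}" = "run" ]; then
    queue="${2:-0}"
    build_and_install
    check_version "$(suricata -V 2>&1)" || { echo "unexpected version" >&2; exit 1; }
    nfqueue_rules "$queue" | sudo sh
    sudo suricata -c /etc/suricata/suricata.yaml -q "$queue"
fi
```

Run Suricata in the foreground (without -D) the first time so that any NFQUEUE binding error is visible on the terminal.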
Look, I try this,
/usr/bin/suricata -c /etc/suricata/suricata.yaml -D -q 0
with this
iptables -t raw -A PREROUTING -j NFQUEUE --queue-num 0
iptables -t raw -A OUTPUT -j NFQUEUE --queue-num 0
and it won't work, but Snort works well.
For example, this rule doesn't work:
local.rules:
drop tcp any any -> any any (msg:"DROP ALL"; content:"google.com"; sid:3000010;)
Suricata 0.9.2rc3, compiled like this:
CFLAGS="-O3 -march=i486 -mtune=i686"
./configure --prefix=/usr --enable-unified-native-timeval --enable-nfqueue --build=i486-Slackware-linux "$@"
make
make install DESTDIR=$TMP
I tried to configure iptables this way:
iptables -t mangle -A PREROUTING -j NFQUEUE --queue-num 0
iptables -t mangle -A FORWARD -j NFQUEUE --queue-num 0
iptables -t mangle -A OUTPUT -j NFQUEUE --queue-num 0
It does not work 😦
Hey, bro, where is my comment?
Does Suricata report an error? Start without the -D option to see what it reports.
# /usr/bin/suricata -c /etc/suricata/suricata.yaml -D -q 0
[6660] 22/6/2010 -- 18:44:16 - (suricata.c:354) (main) -- This is Suricata version 0.9.1
[6660] 22/6/2010 -- 18:44:16 - (util-cpu.c:167) (UtilCpuPrintSummary) -- CPUs Summary:
[6660] 22/6/2010 -- 18:44:16 - (util-cpu.c:169) (UtilCpuPrintSummary) -- CPUs online: 2
[6660] 22/6/2010 -- 18:44:16 - (util-cpu.c:171) (UtilCpuPrintSummary) -- CPUs configured 2