Diffstat (limited to 'framework/src/suricata/doc')
31 files changed, 2855 insertions, 0 deletions
diff --git a/framework/src/suricata/doc/AUTHORS b/framework/src/suricata/doc/AUTHORS new file mode 100644 index 00000000..5d50fad2 --- /dev/null +++ b/framework/src/suricata/doc/AUTHORS @@ -0,0 +1,6 @@ +Team: +http://suricata-ids.org/about/team/ + +All contributors: +https://www.ohloh.net/p/suricata-engine/contributors/summary + diff --git a/framework/src/suricata/doc/Basic_Setup.txt b/framework/src/suricata/doc/Basic_Setup.txt new file mode 100644 index 00000000..1769e1d4 --- /dev/null +++ b/framework/src/suricata/doc/Basic_Setup.txt 
@@ -0,0 +1,116 @@ +Autogenerated on 2012-11-29 +from - https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Basic_Setup + + +Basic Setup + +When using Debian or FreeBSD, make sure you enter all commands as root/super- +user because for these operating systems it is not possible to use 'sudo'. +Start with creating a directory for Suricata's log information. + + sudo mkdir /var/log/suricata + + +To prepare the system for using it, enter: + + sudo mkdir /etc/suricata + +The next step is to copy classification.config, reference.config and +suricata.yaml from the base build/installation directory (ex. from git it will +be the oisf directory) to the /etc/suricata directory. Do so by entering the +following: + + sudo cp classification.config /etc/suricata + sudo cp reference.config /etc/suricata + sudo cp suricata.yaml /etc/suricata + + +Auto setup + +You can also use the available auto setup features of Suricata: +ex: + + ./configure && make && make install-conf + +make install-conf +would do the regular "make install" and then it would automatically create/ +setup all the necessary directories and suricata.yaml for you. + + ./configure && make && make install-rules + +make install-rules +would do the regular "make install" and then it would automatically download +and set up the latest ruleset from Emerging Threats available for Suricata + + ./configure && make && make install-full + +make install-full +would combine everything mentioned above (install-conf and install-rules) - and +will present you with a ready to run (configured and set up) Suricata + +Setting variables + +Make sure every variable of the vars, address-groups and port-groups in the +yaml file is set correctly for your needs. A full explanation is available in +the Rule_vars_section_of_the_yaml. You need to set the ip-address(es) of your +local network at HOME_NET. It is recommended to set EXTERNAL_NET to !$HOME_NET. 
+This way, every ip-address but the one set at HOME_NET will be treated as +external. It is also possible to set EXTERNAL_NET to 'any', only the +recommended setting is more precise and lowers the change that false positives +will be generated. HTTP_SERVERS, SMTP_SERVERS , SQL_SERVERS , DNS_SERVERS and +TELNET_SERVERS are by default set to HOME_NET. AIM_SERVERS is by default set at +'any'. These variables have to be set for servers on your network. All settings +have to be set to let it have a more accurate effect. +Next, make sure the following ports are set to your needs: HTTP_PORTS, +SHELLCODE_PORTS, ORACLE_PORTS and SSH_PORTS. +Finally, set the host-os-policy to your needs. See Host_OS_Policy_in_the_yaml +for a full explanation. + + windows:[] + bsd: [] + bsd-right: [] + old-linux: [] + linux: [10.0.0.0/8, 192.168.1.100, "8762:2352:6241:7245:E000:0000:0000: + 0000"] + old-solaris: [] + solaris: ["::1"] + hpux10: [] + hpux11: [] + irix: [] + macos: [] + vista: [] + windows2k3: [] + +Note that bug #499 may prevent you from setting old-linux, bsd-right and old- +solaris right now. + +Interface cards + +To check the available interface cards, enter: + + ifconfig + +Now you can see which one you would like Suricata to use. +To start the engine and include the interface card of your preference, enter: + + sudo suricata -c /etc/suricata/suricata.yaml -i wlan0 + +Instead of wlan0, you can enter the interface card of your preference. +To see if the engine is working correctly and receives and inspects traffic, +enter: + + cd /var/log/suricata + +Followed by: + + tail http.log + +And: + + tail -n 50 stats.log + +To make sure the information displayed is up-dated in real time, use the - +f option before http.log and stats.log: + + tail -f http.log stats.log + diff --git a/framework/src/suricata/doc/CentOS5.txt b/framework/src/suricata/doc/CentOS5.txt new file mode 100644 index 00000000..bce84459 --- /dev/null +++ b/framework/src/suricata/doc/CentOS5.txt 
@@ -0,0 +1,116 @@ +Autogenerated on 2012-11-29 +from - https://redmine.openinfosecfoundation.org/projects/suricata/wiki/CentOS5 + + +CentOS5 + + +Pre-installation requirements + +You will have to use the Fedora EPEL repository for some packages to enable +this repository. It is the same for i386 and x86_64: + + sudo rpm -Uvh http://download.fedora.redhat.com/pub/epel/5/i386/epel-release- + 5-3.noarch.rpm + +Before you can build Suricata for your system, run the following command to +ensure that you have everything you need for the installation. + + sudo yum -y install libpcap libpcap-devel libnet libnet-devel pcre \ + pcre-devel gcc gcc-c++ automake autoconf libtool make libyaml \ + libyaml-devel zlib zlib-devel + +Depending on the current status of your system, it may take a while to complete +this process. + +HTP + +HTP is bundled with Suricata and installed automatically. If you need to +install HTP manually for other reasons, instructions can be found at HTP +library_installation. + + +IPS + + +If you plan to build Suricata with IPS capabilities via ./configure --enable- +nfqueue, there are no pre-built packages in the CentOS base or EPEL for +libnfnetlink and libnetfilter_queue. 
If you wish, you may use the rpms in the +Emerging Threats Cent OS 5 repository: +i386 + + sudo rpm -Uvh http://rules.emergingthreatspro.com/projects/emergingrepo/i386/ + libnetfilter_queue-0.0.15-1.i386.rpm \ + http://rules.emergingthreatspro.com/projects/emergingrepo/i386/ + libnetfilter_queue-devel-0.0.15-1.i386.rpm \ + http://rules.emergingthreatspro.com/projects/emergingrepo/i386/libnfnetlink- + 0.0.30-1.i386.rpm \ + http://rules.emergingthreatspro.com/projects/emergingrepo/i386/libnfnetlink- + devel-0.0.30-1.i386.rpm + +x86_64 + + sudo rpm -Uvh http://rules.emergingthreatspro.com/projects/emergingrepo/ + x86_64/libnetfilter_queue-0.0.15-1.x86_64.rpm \ + http://rules.emergingthreatspro.com/projects/emergingrepo/x86_64/ + libnetfilter_queue-devel-0.0.15-1.x86_64.rpm \ + http://rules.emergingthreatspro.com/projects/emergingrepo/x86_64/ + libnfnetlink-0.0.30-1.x86_64.rpm \ + http://rules.emergingthreatspro.com/projects/emergingrepo/x86_64/ + libnfnetlink-devel-0.0.30-1.x86_64.rpm + + +libcap-ng installation + +This installation is needed for dropping privileges. + + wget http://people.redhat.com/sgrubb/libcap-ng/libcap-ng-0.6.4.tar.gz + tar -xzvf libcap-ng-0.6.4.tar.gz + cd libcap-ng-0.6.4 + ./configure + make + sudo make install + + +Suricata + +To download and build Suricata, enter the following: + + wget http://www.openinfosecfoundation.org/download/suricata-1.3.3.tar.gz + tar -xvzf suricata-1.3.3.tar.gz + cd suricata-1.3.3 + +If you are building from Git sources, enter all the following commands: + + bash autogen.sh + +If you are not building from Git sources, enter only: + + ./configure --prefix=/usr --sysconfdir=/etc --localstatedir=/var + make + sudo make install + + +Auto setup + +You can also use the available auto setup features of Suricata: +ex: + + ./configure && make && make install-conf + +make install-conf +would do the regular "make install" and then it would automatically create/ +setup all the necessary directories and suricata.yaml for you. 
+ + ./configure && make && make install-rules + +make install-rules +would do the regular "make install" and then it would automatically download +and set up the latest ruleset from Emerging Threats available for Suricata + + ./configure && make && make install-full + +make install-full +would combine everything mentioned above (install-conf and install-rules) - and +will present you with a ready to run (configured and set up) Suricata +Please continue with the Basic_Setup. diff --git a/framework/src/suricata/doc/CentOS_56_Installation.txt b/framework/src/suricata/doc/CentOS_56_Installation.txt new file mode 100644 index 00000000..8bb835f1 --- /dev/null +++ b/framework/src/suricata/doc/CentOS_56_Installation.txt 
@@ -0,0 +1,116 @@ +Autogenerated on 2012-11-29 +from - https://redmine.openinfosecfoundation.org/projects/suricata/wiki/CentOS_56_Installation + + +CentOS 5.6 Installation + + +Pre-installation requirements + +You will have to use the Fedora EPEL repository for some packages to enable +this repository. It is the same for i386 and x86_64: + + sudo rpm -Uvh http://dl.fedoraproject.org/pub/epel/5/x86_64/epel-release-5- + 4.noarch.rpm + +Before you can build Suricata for your system, run the following command to +ensure that you have everything you need for the installation. + + sudo yum -y install libpcap libpcap-devel libnet libnet-devel pcre \ + pcre-devel gcc gcc-c++ automake autoconf libtool make libyaml \ + libyaml-devel zlib zlib-devel + +Depending on the current status of your system, it may take a while to complete +this process. + +HTP + +HTP is bundled with Suricata and installed automatically. If you need to +install HTP manually for other reasons, instructions can be found at HTP +library_installation. + + +IPS + + +If you plan to build Suricata with IPS capabilities via ./configure --enable- +nfqueue, there are no pre-built packages in the CentOS base or EPEL for +libnfnetlink and libnetfilter_queue. 
If you wish, you may use the rpms in the +Emerging Threats Cent OS 5 repository: +i386 + + sudo rpm -Uvh http://rules.emergingthreatspro.com/projects/emergingrepo/i386/ + libnetfilter_queue-0.0.15-1.i386.rpm \ + http://rules.emergingthreatspro.com/projects/emergingrepo/i386/ + libnetfilter_queue-devel-0.0.15-1.i386.rpm \ + http://rules.emergingthreatspro.com/projects/emergingrepo/i386/libnfnetlink- + 0.0.30-1.i386.rpm \ + http://rules.emergingthreatspro.com/projects/emergingrepo/i386/libnfnetlink- + devel-0.0.30-1.i386.rpm + +x86_64 + + sudo rpm -Uvh http://rules.emergingthreatspro.com/projects/emergingrepo/ + x86_64/libnetfilter_queue-0.0.15-1.x86_64.rpm \ + http://rules.emergingthreatspro.com/projects/emergingrepo/x86_64/ + libnetfilter_queue-devel-0.0.15-1.x86_64.rpm \ + http://rules.emergingthreatspro.com/projects/emergingrepo/x86_64/ + libnfnetlink-0.0.30-1.x86_64.rpm \ + http://rules.emergingthreatspro.com/projects/emergingrepo/x86_64/ + libnfnetlink-devel-0.0.30-1.x86_64.rpm + + +libcap-ng installation + +This installation is needed for dropping privileges. + + wget http://people.redhat.com/sgrubb/libcap-ng/libcap-ng-0.6.4.tar.gz + tar -xzvf libcap-ng-0.6.4.tar.gz + cd libcap-ng-0.6.4 + ./configure + make + sudo make install + + +Suricata + +To download and build Suricata, enter the following: + + wget http://www.openinfosecfoundation.org/download/suricata-1.3.3.tar.gz + tar -xvzf suricata-1.3.3.tar.gz + cd suricata-1.3.3 + +If you are building from Git sources, enter all the following commands: + + bash autogen.sh + +If you are not building from Git sources, enter only: + + ./configure --prefix=/usr --sysconfdir=/etc --localstatedir=/var + make + sudo make install + + +Auto setup + +You can also use the available auto setup features of Suricata: +ex: + + ./configure && make && make install-conf + +make install-conf +would do the regular "make install" and then it would automatically create/ +setup all the necessary directories and suricata.yaml for you. 
+ + ./configure && make && make install-rules + +make install-rules +would do the regular "make install" and then it would automatically download +and set up the latest ruleset from Emerging Threats available for Suricata + + ./configure && make && make install-full + +make install-full +would combine everything mentioned above (install-conf and install-rules) - and +will present you with a ready to run (configured and set up) Suricata +Please continue with the Basic_Setup. diff --git a/framework/src/suricata/doc/Debian_Installation.txt b/framework/src/suricata/doc/Debian_Installation.txt new file mode 100644 index 00000000..878e0dd6 --- /dev/null +++ b/framework/src/suricata/doc/Debian_Installation.txt 
@@ -0,0 +1,90 @@ +Autogenerated on 2012-11-29 +from - https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Debian_Installation + + +Debian Installation + + +Pre-installation requirements + +Before you can build Suricata for your system, run the following command to +ensure that you have everything you need for the installation. +Make sure you will enter all the following commands as root/super-user, +otherwise it will not work. + + apt-get -y install libpcre3 libpcre3-dbg libpcre3-dev \ + build-essential autoconf automake libtool libpcap-dev libnet1-dev \ + libyaml-0-2 libyaml-dev zlib1g zlib1g-dev libmagic-dev libcap-ng-dev \ + pkg-config + +Depending on the current status of your system, it may take a while to complete +this process. + +HTP + +HTP is bundled with Suricata and installed automatically. If you need to +install HTP manually for other reasons, instructions can be found at HTP +library_installation. + +IPS + +By default, Suricata works as an IDS. If you want to use it as a IDS and IPS +program, enter: + + apt-get -y install libnetfilter-queue-dev libnetfilter-queue1 libnfnetlink- + dev libnfnetlink0 + + +Suricata + +To download and build Suricata, enter the following: + + wget http://www.openinfosecfoundation.org/download/suricata-1.3.3.tar.gz + tar -xvzf suricata-1.3.3.tar.gz + cd suricata-1.3.3 + +Compile and install the program +If you plan to build Suricata with IPS capabilities, enter: + + ./configure --enable-nfqueue --prefix=/usr --sysconfdir=/etc -- + localstatedir=/var + +instead of + + ./configure --prefix=/usr --sysconfdir=/etc --localstatedir=/var + +Continue with the next commands: + + ./configure --prefix=/usr --sysconfdir=/etc --localstatedir=/var + make + make install + +To make sure the existing list with libraries will be updated with the new +library, enter: + + ldconfig + + +Auto setup + +You can also use the available auto setup features of Suricata: +ex: + + ./configure && make && make install-conf + +make install-conf 
+would do the regular "make install" and then it would automatically create/ +setup all the necessary directories and suricata.yaml for you. + + ./configure && make && make install-rules + +make install-rules +would do the regular "make install" and then it would automatically download +and set up the latest ruleset from Emerging Threats available for Suricata + + ./configure && make && make install-full + +make install-full +would combine everything mentioned above (install-conf and install-rules) - and +will present you with a ready to run (configured and set up) Suricata +Please continue with the Basic_Setup. diff --git a/framework/src/suricata/doc/Fedora_Core.txt b/framework/src/suricata/doc/Fedora_Core.txt new file mode 100644 index 00000000..4eecb343 --- /dev/null +++ b/framework/src/suricata/doc/Fedora_Core.txt 
@@ -0,0 +1,76 @@ +Autogenerated on 2012-11-29 +from - https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Fedora_Core + + +Fedora + + +pre-installation requirements + +Before you can build Suricata for your system, run the following command to +ensure that you have everything you need for the installation. + + sudo yum -y install libpcap libpcap-devel libnet libnet-devel pcre \ + pcre-devel gcc gcc-c++ automake autoconf libtool make libyaml \ + libyaml-devel zlib zlib-devel libcap-ng libcap-ng-devel file-devel file + +Depending on the current status of your system, it may take a while to complete +this process. + +HTP + +HTP is bundled with Suricata and installed automatically. If you need to +install HTP manually for other reasons, instructions can be found at HTP +library_installation. + +IPS + +If you plan to build Suricata with IPS capabilities via ./configure --enable- +nfqueue, enter the following: + + sudo yum -y install libnfnetlink libnfnetlink-devel \ + libnetfilter_queue libnetfilter_queue-devel + + +Suricata + +To download and build Suricata, enter the following: + + wget http://www.openinfosecfoundation.org/download/suricata-1.3.3.tar.gz + tar -xvzf suricata-1.3.3.tar.gz + cd suricata-1.3.3 + +If you are building from Git sources, enter all the following commands: + + bash autogen.sh + +If you are not building from Git sources, enter only the following: + + ./configure --prefix=/usr --sysconfdir=/etc --localstatedir=/var + make + sudo make install + + +Auto setup + +You can also use the available auto setup features of Suricata: +ex: + + ./configure && make && make install-conf + +make install-conf +would do the regular "make install" and then it would automatically create/ +setup all the necessary directories and suricata.yaml for you. 
+ + ./configure && make && make install-rules + +make install-rules +would do the regular "make install" and then it would automatically download +and set up the latest ruleset from Emerging Threats available for Suricata + + ./configure && make && make install-full + +make install-full +would combine everything mentioned above (install-conf and install-rules) - and +will present you with a ready to run (configured and set up) Suricata +Please continue with the Basic_Setup. diff --git a/framework/src/suricata/doc/FreeBSD_8.txt b/framework/src/suricata/doc/FreeBSD_8.txt new file mode 100644 index 00000000..d3709c58 --- /dev/null +++ b/framework/src/suricata/doc/FreeBSD_8.txt 
@@ -0,0 +1,102 @@ +Autogenerated on 2012-11-29 +from - https://redmine.openinfosecfoundation.org/projects/suricata/wiki/FreeBSD_8 + + +FreeBSD 8 & 9 + + +Pre-installation requirements + +Before you can build Suricata for your system, run the following command to +ensure that you have everything you need for the installation. +Make sure you enter all commands as root/super-user, otherwise it will not +work. +For FreeBSD 8: + + pkg_add -r autoconf262 automake19 gcc45 libyaml pcre libtool \ + libnet11 libpcap gmake + +For FreeBSD 9.0: + + pkg_add -r autoconf268 automake111 gcc libyaml pcre libtool \ + libnet11 libpcap gmake + +Depending on the current status of your system, it may take a while to complete +this process. + +HTP + +HTP is bundled with Suricata and installed automatically. If you need to +install HTP manually for other reasons, instructions can be found at HTP +library_installation. + +IPS + +If you would like to build suricata on FreeBSD with IPS capabilities with IPFW +via --enable-ipfw, enter the following to enable ipfw and divert socket support +before starting the engine with -d: +Edit /etc/rc.conf and add or modify the following lines: + + firewall_enable="YES" + firewall_type="open" + +Edit /boot/loader.conf and add or modify the following lines: + + ipfw_load="YES" + ipfw_nat_load="YES" + ipdivert_load="YES" + dummynet_load="YES" + libalias_load="YES" + + +Suricata + +To download and build Suricata, enter the following: + + wget http://www.openinfosecfoundation.org/download/suricata-1.3.3.tar.gz + tar -xvzf suricata-1.3.3.tar.gz + cd suricata-1.3.3 + +If you are building from Git sources, enter all the following commands until +the end of this file: + + bash autogen.sh + +If you are not building from Git sources, do not enter the above mentioned +commands. 
Continue enter the following: + + ./configure --prefix=/usr --sysconfdir=/etc --localstatedir=/var + make + make install + zerocopy bpf + mkdir /var/log/suricata/ + +FreeBSD 8 has support for zerocopy bpf in libpcap. To test this functionality, +issue the following command and then start/restart the engine: + + sysctl net.bpf.zerocopy_enable=1 + + +Auto setup + +You can also use the available auto setup features of Suricata: +ex: + + ./configure && make && make install-conf + +make install-conf +would do the regular "make install" and then it would automatically create/ +setup all the necessary directories and suricata.yaml for you. + + ./configure && make && make install-rules + +make install-rules +would do the regular "make install" and then it would automatically download +and set up the latest ruleset from Emerging Threats available for Suricata + + ./configure && make && make install-full + +make install-full +would combine everything mentioned above (install-conf and install-rules) - and +will present you with a ready to run (configured and set up) Suricata +Please continue with the Basic_Setup. diff --git a/framework/src/suricata/doc/GITGUIDE b/framework/src/suricata/doc/GITGUIDE new file mode 100644 index 00000000..41b4059a --- /dev/null +++ b/framework/src/suricata/doc/GITGUIDE 
@@ -0,0 +1,90 @@ +Guide for using GIT + +Working with Git is significantly different that working with SVN. In particular, although similar, git pull is not svn update, git push is not svn commit, and git add is not svn add. If you are a SVN user, be sure to read the man pages for the different git commands. + +The following workflow is recommended by Evan and is the guideline for contributing code to Rubinius. + + 1. + + Create a local working copy of the source code (we did this earlier.) + + # See above for the exact invocation + + 2. + + Change to the newly created directory that contains the local working copy. (Substitute the directory if you created it with a different name, obviously.) + + cd code + + 3. + + Create a branch for your work. This will make a copy of the current branch (master) and name it "new_feature". Now you can work in this new branch without breaking the main one. + + git checkout -b new_feature + + 4. + + Edit the code and test your changes. Then commit to your local working copy + + git commit -a + + 5. + + When you are ready to send your local changes back to the Rubinius repository, you first need to ensure that your local copy is up-to-date. First, ensure you have committed your local changes. Then switch from your topic branch to the master branch. + + git checkout master + + 6. + + Update your local copy with changes from the Rubinius repository + + git pull + + 7. + + Switch back to your topic branch and integrate any new changes. The git rebase command will save your changes away, update the topic branch, and then reapply them. + + git checkout new_feature + git rebase master + + Warning! If you are sharing a branch, you must use: + + git merge master + + Rebase causes the commit layout to change and will confuse anyone you've shared this branch with. + + 8. + + If there are conflicts applying your changes during the git rebase command, fix them and use the following to finish applying them + + git rebase --continue + + 9. 
+ + Now, switch back to the master branch and merge your changes from the topic branch + + git checkout master + git merge new_feature + + 10. + + You might want to check that your commits ended up as you intended. To do so, you can have a look at the log + + git log + + 11. + + Get your changes in the main repository. If you have commit rights, you can just use the git push command. Otherwise, see the section below for information on creating a set of patches to send. + + git push + + 12. + + At this point, you can delete the branch if you like. + + git branch -d new_feature + +When you're familiar with the workflow, you can use the rake tasks to help you out. For example, rake git will fetch the latest code from remote repo, rebase the current branch to master, fast-forward the changes to master and push the commits to the remote. This saves a lot of typing. Check rake -T git for all the git related tasks. + +Taken from: http://rubinius.lighthouseapp.com/projects/5089/using-git + diff --git a/framework/src/suricata/doc/HTP_library_installation.txt b/framework/src/suricata/doc/HTP_library_installation.txt new file mode 100644 index 00000000..827262ff --- /dev/null +++ b/framework/src/suricata/doc/HTP_library_installation.txt @@ -0,0 +1,18 @@ +Autogenerated on 2012-11-29 +from - https://redmine.openinfosecfoundation.org/projects/suricata/wiki/HTP_library_installation + + +HTP library installation + +The installation of the HTP library is the same for several operating systems, +except you can not use 'sudo' with Debian and FreeBSD. Using Debian or FreeBSD +you have to Make sure you enter all following commands as root/super-user. +To download and build HTP, enter the following: + + wget http://www.openinfosecfoundation.org/download/libhtp-0.2.3.tar.gz + tar -xzvf libhtp-0.2.3.tar.gz + cd libhtp-0.2.3 + ./configure + make + make install + 
diff --git a/framework/src/suricata/doc/INSTALL b/framework/src/suricata/doc/INSTALL new file mode 100644 index 00000000..cb7f513c --- /dev/null +++ b/framework/src/suricata/doc/INSTALL @@ -0,0 +1,14 @@ +About +===== +Suricata is a multi-threaded intrusion detection/prevention engine. +engine available from the Open Information Security Foundation +(http://www.openinfosecfoundation.org). + +Suricata and the HTP library are licensed under the GPLv2. A copy of this +license is available in this tarball, or at: +http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt + +Up to date installation guides are available online, at: +https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Suricata_Installation + + diff --git a/framework/src/suricata/doc/INSTALL.PF_RING b/framework/src/suricata/doc/INSTALL.PF_RING new file mode 100644 index 00000000..3c7fe732 --- /dev/null +++ b/framework/src/suricata/doc/INSTALL.PF_RING 
@@ -0,0 +1,149 @@ +An up to date version of this document is available online at: +https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Installation_with_PF_RING + +#Install DKMS +apt-get install dkms + +#We need subversion for checking out the PF_RING code we need flex and bisonfor libpcap +apt-get install subversion flex bison + +#Install the debs needed for suricata. +apt-get install libpcre3-dev libpcap-dev libyaml-dev zlib1g-dev libcap-ng-dev libnet1-dev + +#In the exmple we will build from the GIT repo so we will need some extra packages +apt-get install git-core automake autoconf libtool + + +#Go to /usr/src/ we will need to be here to build our modules +cd /usr/src/ + +#Checkout the PF_RING code +svn --force export https://svn.ntop.org/svn/ntop/trunk/PF_RING/ PF_RING_CURRENT_SVN + +#Create the DKMS build directory and copy files over for the main PF_RING module +mkdir /usr/src/pf_ring-4 +cp -Rf /usr/src/PF_RING_CURRENT_SVN/kernel/* /usr/src/pf_ring-4/ +cd /usr/src/pf_ring-4/ + +#Create a file called dkms.conf and place the following into the file. +nano dkms.conf + +PACKAGE_NAME="pf_ring" +PACKAGE_VERSION="4" +BUILT_MODULE_NAME[0]="pf_ring" +DEST_MODULE_LOCATION[0]="/kernel/net/pf_ring/" +AUTOINSTALL="yes" + +#Build and install the module we don't build a deb as currently this appears to be broken in Ubuntu-10.04 +dkms add -m pf_ring -v 4 +dkms build -m pf_ring -v 4 +dkms install -m pf_ring -v 4 + +#if you issue the following command you can see that pf_ring should now be installed as DKMS module +dkms status + +#Now lets go through the steps to build a e1000e PF_RING aware driver. 
+mkdir /usr/src/e1000e-pf_ring-1.3.10a +cd /usr/src/PF_RING_CURRENT_SVN/drivers/intel/e1000e/e1000e-1.3.10a/src/ + +#We copy this over so that DKMS can find it for driver rebuilds +cp -Rf /usr/src/PF_RING_CURRENT_SVN/drivers/intel/e1000e/e1000e-1.3.10a/src/* /usr/src/e1000e-pf_ring-1.3.10a/ +cp -f /usr/src/PF_RING_CURRENT_SVN/kernel/linux/pf_ring.h /usr/src/e1000e-pf_ring-1.3.10a/ + +#Fix the path to pf_ring.h +cd /usr/src/e1000e-pf_ring-1.3.10a/ +sed -i -e 's/\.\.\/\.\.\/\.\.\/\.\.\/\.\.\/kernel\/linux\/pf\_ring\.h/pf\_ring\.h/' netdev.c + +#Create a file called dkms.conf and place the following into the file. +nano dkms.conf + +PACKAGE_NAME="e1000e-pf_ring" +PACKAGE_VERSION="1.3.10a" +BUILT_MODULE_NAME[0]="e1000e" +DEST_MODULE_LOCATION[0]="/kernel/drivers/net/e1000e/" +AUTOINSTALL="yes" + +#Build and install the module we don't build a deb as currently this appears to be broken in Ubuntu-10.04 +dkms add -m e1000e-pf_ring -v 1.3.10a +dkms build -m e1000e-pf_ring -v 1.3.10a +dkms install -m e1000e-pf_ring -v 1.3.10a + +#Now lets go through the steps to build a e1000 PF_RING aware driver. +mkdir /usr/src/e1000-pf_ring-8.0.30 +cd /usr/src/PF_RING_CURRENT_SVN/drivers/intel/e1000/e1000-8.0.30/src/ + +#We copy this over so that DKMS can find it for driver rebuilds +cp -Rf /usr/src/PF_RING_CURRENT_SVN/drivers/intel/e1000/e1000-8.0.30/src/* /usr/src/e1000-pf_ring-8.0.30 +cp -f /usr/src/PF_RING_CURRENT_SVN/kernel/linux/pf_ring.h /usr/src/e1000-pf_ring-8.0.30 + +#Fix the path to pf_ring.h +cd /usr/src/e1000-pf_ring-8.0.30 +sed -i -e 's/\.\.\/\.\.\/\.\.\/\.\.\/\.\.\/kernel\/linux\/pf\_ring\.h/pf\_ring\.h/' e1000_main.c + +#Create a file called dkms.conf and place the following into the file. 
+nano dkms.conf + +PACKAGE_NAME="e1000-pf_ring" +PACKAGE_VERSION="8.0.30" +BUILT_MODULE_NAME[0]="e1000" +DEST_MODULE_LOCATION[0]="/kernel/drivers/net/e1000/" +AUTOINSTALL="yes" + +dkms add -m e1000-pf_ring -v 8.0.30 +dkms build -m e1000-pf_ring -v 8.0.30 +dkms install -m e1000-pf_ring -v 8.0.30 + +#Make the dir structure to hold are PF_RING enabled userland Apps. +mkdir -p /opt/PF_RING/{bin,lib,include/linux,sbin} + +#Build and install the userland lib. +cp -f /usr/src/PF_RING_CURRENT_SVN/kernel/linux/pf_ring.h /opt/PF_RING/include/linux/ +cd /usr/src/PF_RING_CURRENT_SVN/userland/lib +./configure +sed -i -e 's/INSTDIR = \${DESTDIR}\/usr\/local/INSTDIR = \${DESTDIR}\/opt\/PF_RING/' Makefile +cp -f pfring_e1000e_dna.h /opt/PF_RING/include +make && make install + +#Build and install the PF_RING enabled libpcap +#PF_RING enabled libpcap +cd /usr/src/PF_RING_CURRENT_SVN/userland/libpcap-1.1.1-ring +./configure +sed -i -e 's/\.\.\/lib\/libpfring\.a/\/opt\/PF_RING\/lib\/libpfring\.a/' Makefile +sed -i -e 's/\.\.\/lib\/libpfring\.a/\/opt\/PF_RING\/lib\/libpfring\.a/' Makefile.in +./configure --prefix=/opt/PF_RING && make && make install + +#Build and install tcpdump using the PF_RING enabled version of libpcap +cd /usr/src/PF_RING_CURRENT_SVN/userland/tcpdump-4.1.1 +./configure LD_RUN_PATH="/opt/PF_RING/lib:/usr/lib:/usr/local/lib" --prefix=/opt/PF_RING/ --enable-ipv6 && make && make install + +#Pull down the latest version of suricata from the git repo and build with PF_RING support. 
+cd /usr/src/PF_RING_CURRENT_SVN/userland/ +git clone git://phalanx.openinfosecfoundation.org/oisf.git oisfnew +cd oisfnew +./autogen.sh +./configure --enable-pfring --with-libpfring-libraries=/opt/PF_RING/lib --with-libpfring-includes=/opt/PF_RING/include --with-libpcap-libraries=/opt/PF_RING/lib --with-libpcap-includes=/opt/PF_RING/include LD_RUN_PATH="/opt/PF_RING/lib:/usr/lib:/usr/local/lib" --prefix=/opt/PF_RING/ +make && make install + +#Make config and log directories for a more complete getting started see http://www.inliniac.net/blog/2010/05/10/setting-up-suricata-0-9-0-for-initial-use-on-ubuntu-lucid-10-04.html +mkdir /etc/suricata +cp suricata.yaml /etc/suricata/ +cp classification.config /etc/suricata/ +mkdir /var/log/suricata + +#Setup options for when we intialize the module (here is the output from modinfo) +#parm: num_slots:Number of ring slots (uint) +#parm: transparent_mode:0=standard Linux, 1=direct2pfring+transparent, 2=direct2pfring+non transparentFor 1 and 2 you need to use a PF_RING aware driver (uint) +#parm: enable_tx_capture:Set to 1 to capture outgoing packets (uint) +#parm: enable_ip_defrag:Set to 1 to enable IP defragmentation(only rx traffic is defragmentead) (uint) +echo "options pf_ring transparent_mode=0 num_slots=32768 enable_tx_capture=0" > /etc/modprobe.d/pf_ring.conf + +#start up suricata with PF_RING support currently these options don't have very much effect with the AutoMode but see src/runmodes.c for more more options. +/opt/PF_RING/bin/suricata --pfring-int=eth0 --pfring-cluster-id=99 --pfring-cluster-type=cluster_flow -c /etc/suricata/suricata.yaml + +#To check the status of PF_RING +modinfo pf_ring && cat /proc/net/pf_ring/info + +#If you need to uninstall PF_RING or rollback your PF_RING aware drivers to their previous state you can do so with the following commands. +dkms remove -m e1000e-pf_ring -v 1.3.10a --all +dkms remove -m e1000 -v 8.0.30 --all +dkms remove -m pf_ring -v 4 --all 
diff --git a/framework/src/suricata/doc/INSTALL.WINDOWS b/framework/src/suricata/doc/INSTALL.WINDOWS new file mode 100644 index 00000000..f03bd37b --- /dev/null +++ b/framework/src/suricata/doc/INSTALL.WINDOWS 
@@ -0,0 +1,181 @@ +Before you start +================ + +An up to date version of this document can be found online: +https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Windows + +Alternatively, an installation document for using CYGWIN instead of MinGW can +be found here: +https://redmine.openinfosecfoundation.org/attachments/download/676/SurWinInstallGuide.pdf + +This file describes how to build and run Suricata on Windows. Currently +Windows XP and above are supported. + + +Preparing the build environment +=============================== + +1. Setup MinGW environment from http://mingw.org + +Do not use the automatic installer as it is deprecated. Manually unpack +the following packages to c:\mingw (use newer versions if you like): + + * binutils + o binutils-2.20–1-mingw32-bin.tar.gz + * mingw-runtime (dev and dll): + o mingwrt-3.17-mingw32-dll.tar.gz + o mingwrt-3.17-mingw32-dev.tar.gz + * w32api + o w32api-3.14-mingw32-dev.tar.gz + * required runtime libraries for GCC (gmp, libiconv, MPFR and pthreads): + o gmp-4.2.4-mingw32-dll.tar.gz + o libiconv-1.13.1–1-mingw32-dll-2.tar.lzma + o mpfr-2.4.1-mingw32-dll.tar.gz + o pthreads-w32–2.8.0-mingw32-dll.tar.gz + * gcc-core (bin and dll): + o gcc-core-4.4.0-mingw32-bin.tar.gz + o gcc-core-4.4.0-mingw32-dll.tar.gz + * make + o make-3.81–20090914-mingw32-bin.tar.gz + * zlib + o libz-1.2.3-1-mingw32-dll-1.tar.gz + o libz-1.2.3-1-mingw32-dev.tar.gz + +2. Install MSYS + + http://sourceforge.net/projects/mingw/files/ + + MSYS-1.0.11.exe (MSYS Base System) + msysDTK-1.0.1.exe (MSYS Suplementary Tools) + autoconf-2.63–1-msys-1.0.11-bin.tar.lzma + automake-1.11–1-msys-1.0.11-bin.tar.lzma + libtool-2.2.7a-1-msys-1.0.11-bin.tar.lzma + + MSYS will ask questions during the installation: + Accept Post Install: [y] + MinGW Installed? : [y] + path to MinGW: [c:/MinGW] + +3. 
Install pkg-config taken from http://wiki.videolan.org/Win32CompileMSYSNew#PKG-CONFIG + Download and extract the following into c:\Msys\1.0 + http://ftp.gnome.org/pub/GNOME/binaries/win32/glib/2.18/glib_2.18.2-1_win32.zip + ftp://ftp.gnome.org/pub/gnome/binaries/win32/dependencies/pkg-config_0.23-3_win32.zip + ftp://ftp.gnome.org/pub/gnome/binaries/win32/dependencies/pkg-config-dev_0.23-3_win32.zip + + Set PKG_CONFIG_PATH=/win32/lib/pkgconfig + + (e.g. by adding the Windows enviroment variable PKG_CONFIG_PATH in "Control Panel"->"System"->"Advanced System Settings"->"Environment Variables" and setting the value to /win32/lib/pkgconfig) + + +4. Get git + + Download portable GIT from this URL: + http://code.google.com/p/msysgit/ + + - unpack to /msys/1.0 + - don't forget to edit your ~/.gitconfig to at least give youreself a name :-) + +5. Get libpcre + + http://www.pcre.org/ + + ./configure --enable-utf8 --disable-cpp --prefix=/mingw + make + make install + +6. Get libyaml + + http://pyyaml.org/wiki/LibYAML + + It does not support mingw compilation. However it works in static mode: + + ./configure --prefix=/mingw CFLAGS="-DYAML_DECLARE_STATIC" + make + make install + +7. Get libpcap + + Guide can be found here: + - Download Devlopers pack http://www.winpcap.org/devel.htm + - Download and install a coresponding installer package http://www.winpcap.org/install/default.htm (to have the driver in the system) + - Copy includes to c:/mingw/include and libs (.a) to c:/mingw/lib + - Rename libwpcap to libpcap + +8. 
Get and compile Suricata + + git clone git://phalanx.openinfosecfoundation.org/oisf.git + cd oisf + + Because of some weird autools port bug we do the following: + dos2unix.exe libhtp/configure.ac + dos2unix.exe libhtp/htp.pc.in + dos2unix.exe libhtp/Makefile.am + + ./autogen.sh + ./configure CFLAGS="-DYAML_DECLARE_STATIC" + # add --enable-nfqueue as parameter to configure to enable inline mode + make + +If everything goes well, you'll end up with suricata.exe in src/.lib. To test it +you will need libpcre-0.dll, libz-1.dll, and pthreadGC2.dll which you already have somewhere +under c:/mingw or c:/msys. To prepare the runtime environment: + + - copy the executable and the DLLs to a dedicated directory + - get there classification.config and suricata.yaml + - edit suricata.yaml (at least set the directories correctly) + +PCAP Mode +========= + +Make sure you have winpcap runtime and driver installed and then: + + - determine your eth device UUID in the registry: + HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\ + - now cross your fingers and do: + suricata.exe -c suricata.yaml -i \DEVICE\{your device uuid} + + +Inline Mode +=========== + +You need to downoad, compile and install netfilterforwin (the netfilter.sys +driver and Windows port of the libnetfilter_queue library): + +1. Download and install Windows Driver Kit from Microsoft + + http://www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=36a2630f-5d56-43b5-b996-7633f2ec14ff + +2. Download netfilterforwin + + http://sourceforge.net/projects/netfilterforwin/ + + Unpack it so the netfilterforwin directory (omit the version from its name) + is beside the oisf directory. + +3. 
Compile the driver + + - Open the build environment from you Start menu: + Start->All Programs->windows Driver Kits->WDK xxxx.yyyy.z->Build Environments + ->Windows Server 2003->x86 Free Build Environment + (or the one which is proper for your system) + - cd to netfilterforwin/netfilter + - enter command: + nmake + +4. Install the driver + + - copy inf/* files and the freshly built netfilter.sys to a separate directory + - open network connecions + - right-click an interface, select properties + - click install... + - select service + - click add + - click 'have disk...' + - browse to the directory with the inf files and netfilter.sys, select netfilter.inf anc click ok + - confirm everything + + You should have the driver installed now. + +5. Run Suricata in inline mode: + + suricata.exe -c suricata.yaml -q 0 diff --git a/framework/src/suricata/doc/Installation_from_GIT_with_PCRE-JIT.txt b/framework/src/suricata/doc/Installation_from_GIT_with_PCRE-JIT.txt new file mode 100644 index 00000000..93aecb0b --- /dev/null +++ b/framework/src/suricata/doc/Installation_from_GIT_with_PCRE-JIT.txt 
@@ -0,0 +1,119 @@ +Autogenerated on 2012-11-29 +from - https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Installation_from_GIT_with_PCRE-JIT + + +Installation from GIT with PCRE-JIT + +In this guide will be explained how to install and use the most recent code of +Suricata on Ubuntu together with PCRE with JIT 8.20-RC1 support. The goal of +PCRE-JIT is to improve the pcre pattern matching performance of the pcre +library. +The easiest way to see performance difference is to create a couple of pcre +only rules or use for example the SSN rules from ET, and compare the +performance statistics for rules. +Installing from GIT on other operating systems is basically the same, except +that some commands are Ubuntu-specific (like sudo and apt-get). In case you are +using another operating system, you should replace those commands by your +operating-specific commands. + +Pre-installation requirements + +Before you can build Suricata with PCRE-JIT for your system, run the following +command to ensure that you have everything you need for the installation. + + sudo apt-get -y install build-essential autoconf automake \ + libtool libpcap-dev libnet1-dev libyaml-0-2 libyaml-dev \ + zlib1g zlib1g-dev libcap-ng-dev libcap-ng0 \ + make g++ + sudo apt-get install git-core + +Depending on the current status of your system, it may take a while to complete +this process. + +PCRE with JIT support + +Enter the following commands for PCRE JIT installation: + + wget ftp://ftp.csx.cam.ac.uk/pub/software/programming/pcre/Testing/pcre-8.20- + RC1.tar.gz + tar -xzvf pcre-8.20-RC1.tar.gz + cd pcre-8.20-RC1 + ./configure --enable-jit + +Make sure you see that JIT compiling support is enabled, see example: + + make + sudo make install + + + +HTP + + +HTP is bundled with Suricata and installed automatically. If you need to +install HTP manually for other reasons, instructions can be found at HTP +library_installation. + + +IPS + + +By default, Suricata works as an IDS. 
If you want to use it as a IDS and IPS +program, enter: + + sudo apt-get -y install libnetfilter-queue-dev libnetfilter-queue1 + libnfnetlink-dev libnfnetlink0 + + +Suricata + +First, it is convenient to create a directory for Suricata. Name it 'suricata' +for example. Open the terminal and enter: + + mkdir suricata + +Followed by: + + cd suricata + +Next, enter the following line in the terminal: + + git clone git://phalanx.openinfosecfoundation.org/oisf.git + cd oisf + +Followed by: + + ./autogen.sh + + +Compile and install + +To configure, please enter: + + ./configure --enable-pcre-jit \ + --with-libpcre-includes=/usr/local/include \ + --with-libpcre-libraries=/usr/local/lib + +After entering the previous, make sure that your screen looks like the +following example and you have PCRE with JIT support: + + make + sudo make install + + sudo ldconfig + +To check the build information you can enter: + + suricata --build-info + +Please continue with Basic_Setup. +In case you have already made a map for the most recent code, downloaded the +code into that map, and want to download recent code again, please enter: + + cd suricata/oisf + +next, enter: + + git pull + +After that, you start again at running autogen. diff --git a/framework/src/suricata/doc/Installation_from_GIT_with_PF_RING_on_Ubuntu_server_1104.txt b/framework/src/suricata/doc/Installation_from_GIT_with_PF_RING_on_Ubuntu_server_1104.txt new file mode 100644 index 00000000..64012df9 --- /dev/null +++ b/framework/src/suricata/doc/Installation_from_GIT_with_PF_RING_on_Ubuntu_server_1104.txt 
@@ -0,0 +1,73 @@ +Autogenerated on 2012-01-11 +from - https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Installation_from_GIT_with_PF_RING_on_Ubuntu_server_1104 + + +Installation from GIT with PF RING on Ubuntu server 11.04 + +This guide is based on using Ubuntu Server 11.04 +Linux ubuntu 2.6.38-8-generic x86_64 GNU/Linux + + +Pre installation requirements + +Install the following packages, to make sure you have everything needed for the +installation: + + sudo apt-get -y install libpcre3 libpcre3-dbg libpcre3-dev \ + build-essential autoconf automake libtool libpcap-dev libnet1-dev \ + libyaml-0-2 libyaml-dev zlib1g zlib1g-dev libcap-ng-dev libcap-ng0 \ + make flex bison git subversion + +Go to your download directory and get the latest PF_RING: + + svn --force export https://svn.ntop.org/svn/ntop/trunk/PF_RING/ PF_RING + + +Compile and install + +Next, enter the following commands for configuration and installation: + + cd PF_RING/kernel + make && make install + sudo insmod ./pf_ring.ko + cd ../userland + make && make install + cd /lib + ./configure && make && make install + cd ../libpcap + ./configure && make && make install + cd /examples + echo "options pf_ring transparent_mode=0 min_num_slots=32768 + enable_tx_capture=0" > /etc/modprobe.d/pf_ring.conf + +To check if you have everything you need, enter: + + lsmod |grep pf_ring + sudo modprobe pf_ring + sudo modinfo pf_ring && cat /proc/net/pf_ring/info + +To check if PF_RING is functional, enter the following: + + ./pfcount -i eth0 + + +Suricata + +Go to your download directory of choice, and enter: + + git clone git://phalanx.openinfosecfoundation.org/oisf.git + cd oisf + sudo ./autogen.sh + sudo ./configure --enable-pfring && make && make install + +You can always check if PF_RING is build in properly, by entering: + + suricata --build-info + +To run Suricata with PF_RING, enter: + + suricata --pfring-int=eth0 --pfring-cluster-id=99 --pfring-cluster- + type=cluster_flow -c 
/etc/suricata/suricata.yaml + +Continue with the Basic_Setup. +Thanks to Peter Manev diff --git a/framework/src/suricata/doc/Installation_with_CUDA_and_PFRING_on_Scientific_Linux_6.txt b/framework/src/suricata/doc/Installation_with_CUDA_and_PFRING_on_Scientific_Linux_6.txt new file mode 100644 index 00000000..18ea5d10 --- /dev/null +++ b/framework/src/suricata/doc/Installation_with_CUDA_and_PFRING_on_Scientific_Linux_6.txt 
@@ -0,0 +1,149 @@ +Autogenerated on 2012-11-29 +from - https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Installation_with_CUDA_and_PFRING_on_Scientific_Linux_6 + + +Installation with CUDA and PFRING on Scientific Linux 6 + +For setup and install you need to be root: +mkdir /root/src +cd /root/src + +Pre installation requirements + +Install the following packages, to make sure you have everything needed for the +installation: + + yum install mpfr-2.4.1-6.el6.x86_64 cpp-4.4.4-13.el6.x86_64 ppl-0.10.2- + 11.el6.x86_64 \ + cloog-ppl-0.15.7-1.2.el6.x86_64 gcc-4.4.4-13.el6.x86_64 kernel-devel-2.6.32- + 131.2.1.el6.x86_64 \ + pcre-devel-7.8-3.1.el6.x86_64 libpcap-devel-1.0.0- + 6.20091201git117cb5.el6.x86_64 \ + yum-plugin-priorities-1.1.26-11.el6.noarch yum-conf-sl6x-1-1.noarch libyaml- + 0.1.3-1.el6.rf.x86_64 \ + libyaml-devel-0.1.3-1.el6.rf.x86_64 libnet-1.1.2.1-2.2.el6.rf.x86_64 flex- + 2.5.35-8.el6.x86_64 \ + bison-2.4.1-5.el6.x86_64 gcc-c++-4.4.4-13.el6.x86_64 + + +CUDA + +Download and install NVIDIA CUDA drivers: + + wget http://us.download.nvidia.com/XFree86/Linux-x86_64/270.41.19/NVIDIA- + Linux-x86_64-270.41.19.run + chmod +x NVIDIA-Linux-x86_64-270.41.19.run + ./NVIDIA-Linux-x86_64-270.41.19.run + +You also need to download and install the CUDA toolkit for RHEL6 : + + wget http://developer.download.nvidia.com/compute/cuda/4_0/toolkit/ + cudatoolkit_4.0.17_linux_64_rhel6.0.run + chmod +x cudatoolkit_4.0.17_linux_64_rhel6.0.run + ./cudatoolkit_4.0.17_linux_64_rhel6.0.run + +Make sure the kernel modules are loaded: + + /sbin/modprobe -r nouveau && /sbin/modprobe nvidia + +To ensure the proper NVIDIA CUDA modules get loaded on reboot, add the above +line to your /etc/rc.local file. 
+ +PF_RING + +Go to your download directory and get the latest PF_RING: + + svn export https://svn.ntop.org/svn/ntop/trunk/PF_RING/ pfring-svn- + latest + +Compile and install +Next, enter the following commands for configuration and installation: + + cd pfring-svn-latest/kernel + make && sudo make install + cd ../userland/lib + ./configure --prefix=/usr/local/pfring && make && sudo make install + cd ../libpcap-1.1.1-ring + ./configure --prefix=/usr/local/pfring && make && sudo make install + cd ../tcpdump-4.1.1 + ./configure --prefix=/usr/local/pfring && make && sudo make install + +Load the pf_ring kernel module: + + /sbin/modprobe pf_ring + +To ensure the pf_ring module gets loaded on reboot, add the above line to your +/etc/rc.local file. + +Suricata + +Download and install Suricata: + + wget http://www.openinfosecfoundation.org/download/suricata-1.1beta2.tar.gz + +And unpack it: + + tar -xvzf suricata-1.1beta2.tar.gz + +Change to the unpacked directory: + + cd suricata-1.1beta2 + +Now compile and install Suricata with PF_RING and CUDA support: + + ./configure --enable-gccprotect --enable-profiling --enable-cuda --with-cuda- + includes=/usr/local/cuda/include \ + --with-cuda-libraries=/usr/local/cuda/lib64 --enable-pfring --with-libpfring- + libraries=/usr/local/lib \ + --with-libpfring-includes=/usr/local/include --with-libpcap-libraries=/usr/ + local/lib --with-libpcap-includes=/usr/local/include + make + make install + +Continue with the Basic_Setup +Next, you need to edit max-pending-packets in your /etc/suricata/suricata.yaml. +If you don't have one, download a generic one to get started: + + cd /etc/suricata + wget https://rules.emergingthreatspro.com/open-nogpl/suricata/suricata- + open.yaml + +Edit your suricata-open.yaml file accordingly. +The number of packets allowed to be processed simultaneously can be whatever +you want but it is recommended that it be 4000 or more. 
+For example: + + max-pending-packets: 12288 + +Next make sure the following line is present in the multi pattern algorithm +section: + + mpm-algo: b2g_cuda + + +Rules + +Read the information in Rule_Management_with_Oinkmaster +Add rules to suricata: + + cd /etc/suricata + wget https://rules.emergingthreatspro.com/open-nogpl/suricata/ + emerging.rules.tar.gz + tar -xvzf emerging.rules.tar.gz + +Make sure your .yaml file includes the /etc/suricata/rules/emerging-*.rules +files (they may need to be uncommented). +Run Suricata as followed: + + cd /etc/suricata + /usr/local/bin/suricata -c /etc/suricata/suricata.yaml\ + --pfring-int=eth0 --pfring-cluster-id=99 --pfring-cluster-type=cluster_flow + + + touch /var/lock/subsys/local + + +References + +PF_RING +http://www.ntop.org/products/pf_ring/ diff --git a/framework/src/suricata/doc/Installation_with_CUDA_and_PF_RING_on_Ubuntu_server_1104.txt b/framework/src/suricata/doc/Installation_with_CUDA_and_PF_RING_on_Ubuntu_server_1104.txt new file mode 100644 index 00000000..1d1cd220 --- /dev/null +++ b/framework/src/suricata/doc/Installation_with_CUDA_and_PF_RING_on_Ubuntu_server_1104.txt 
@@ -0,0 +1,280 @@ +Autogenerated on 2012-01-11 +from - https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Installation_with_CUDA_and_PF_RING_on_Ubuntu_server_1104 + + +Installation with CUDA and PF RING on Ubuntu server 11.04 + +THIS WOULD NOT WORK ON A VIRTUAL MACHINE! +This guide is written using: +Ubuntu Server 11.04 +Linux ubuntu 2.6.38-8-generic x86_64 GNU/Linux + +Pre installation requirements + + + apt-get update + apt-get upgrade + +To get the CUDA toolkit, enter: + + http://developer.nvidia.com/cuda-toolkit-40 + +Pick up the correct NVIDIA drivers for your card and system + + http://www.nvidia.com/Download/index.aspx?lang=en-us + +Go to your download directory +chmod the 2 *.run files that you just downloaded. +For example: + + chmod 655 cudatoolkit_4.0.17_linux_64_ubuntu10.10.run + chmod 655 NVIDIA-Linux-x86_64-280.13.run + + + sudo apt-get -y install libpcre3 libpcre3-dbg libpcre3-dev \ + build-essential autoconf automake libtool libpcap-dev libnet1-dev \ + libyaml-0-2 libyaml-dev zlib1g zlib1g-dev libcap-ng-dev libcap-ng0 \ + make flex bison git + +Run the cuda toolkit installation package: + + sudo ./cudatoolkit_4.0.17_linux_64_ubuntu10.10.run + +Close all windows and as you are logged in press: + + Ctr+Alt+F1 + +Log in with your credentials + + sudo -i + +And enter your password +Stop the x server: + + /etc/init.d/gdm stop + +Uninstall xserver video drivers: + + apt-get remove --purge xserver-xorg-video-nouveau + +Go to the directory where you downloaded nvidia/cuda drivers. +Run the NVIDIA*******.run: + + ./NVIDIA********.run + +Ok and yes your way out. +At some point it will ask you to make a special configuration file to disable a +"nouveau" +driver that the system is currently using - say yes! +Reboot: + + shutdown -r now + +After reboot log in as you would normally do through the GUI +Log in as you would normally. 
+Go to shell: + + Ctrl+Alt+F1 + +Type in your credentials and pass + + sudo -i + +Stop the xserver again: + + /etc/init.d/gdm stop + +Run the NVIDIA driver again. +This time it would finish and be successful.... +Reboot: + + shutdown -r now + +After start you would notice that the display has much better resolution - it +is a good thing. +Log in as you would normally. +Because the 11.04 Ubuntu comes with gcc version 4.5 by default, you need to +install gcc 4.4 since you must use 4.4 for the cuda compilation: + + apt-get install gcc-4.4 gcc-4.4-base g++-4.4 + +Then we switch and make ubuntu use the gcc 4.4 by default: + + sudo update-alternatives --install /usr/bin/gcc gcc /usr/bin/gcc-4.5 40 -- + slave /usr/bin/g++ g++ /usr/bin/g++-4.5 + sudo update-alternatives --install /usr/bin/gcc gcc /usr/bin/gcc-4.4 60 -- + slave /usr/bin/g++ g++ /usr/bin/g++-4.4 + +Make sure that this is the case: + + sudo update-alternatives --config gcc + +"" + + update-alternatives --config gcc (as root) + +There are 2 choices for the alternative gcc (providing /usr/bin/gcc). + + + Selection Path Priority Status + ------------------------------------------------------------ + * 0 /usr/bin/gcc-4.4 60 auto mode + 1 /usr/bin/gcc-4.4 60 manual mode + 2 /usr/bin/gcc-4.5 40 manual mode + + Press enter to keep the current choice[*], or type selection number (as + root) + "" + + +PF_RING installation. 
+ +Install pre-requisites: + + cd /opt + apt-get install subversion gobjc++-4.4-multilib gobjc++-4.4 + +Get the latest PF_RING: + + svn --force export https://svn.ntop.org/svn/ntop/trunk/PF_RING/ PF_RING + +Install PF_RING: + + cd /kernel + make && make install + sudo insmod ./pf_ring.ko + cd ../userland + make && make install + cd /lib + ./configure && make && make install + cd ../libpcap + ./configure && make && make install + cd ../examples + echo "options pf_ring transparent_mode=0 min_num_slots=32768 + enable_tx_capture=0" > /etc/modprobe.d/pf_ring.conf + +Check info: + + cat /proc/net/pf_ring/info + "" + cd ../kernel + cat /proc/net/pf_ring/info + PF_RING Version : 4.7.3 ($Revision: exported$) + Ring slots : 4096 + Slot version : 13 + Capture TX : Yes [RX+TX] + IP Defragment : No + Socket Mode : Standard + Transparent mode : Yes (mode 0) + Total rings : 0 + Total plugins : 0 + + "" + +Check functionality: + + ./pfcount -i eth0 + +You should see something even if you have no traffic at the moment: +"" +cd /opt/PF_RING/userland/examples +./pfcount -i eth0 +Using PF_RING v.4.7.3 +Capturing from eth0 [88:AE:1D:56:90:FA] + + 1. Device RX channels: 1 + 2. Polling threads: 1 ========================= + Absolute Stats: [0 pkts rcvd][0 pkts dropped] + Total Pkts=0/Dropped=0.0 % + 0 pkts - 0 bytes ========================= + +========================= +Absolute Stats: [0 pkts rcvd][0 pkts dropped] +Total Pkts=0/Dropped=0.0 % +0 pkts - 0 bytes [0.00 pkt/sec - 0.00 Mbit/sec] ========================= +Actual Stats: 0 pkts [1'000.32 ms][0.00 pkt/sec] ========================= +^CLeaving... 
========================= +Absolute Stats: [0 pkts rcvd][0 pkts dropped] +Total Pkts=0/Dropped=0.0 % +0 pkts - 0 bytes [0.00 pkt/sec - 0.00 Mbit/sec] ========================= +Actual Stats: 0 pkts [629.37 ms][0.00 pkt/sec] ========================= + + cd /opt/PF_RING/userland/examples + +"" + +Suricata + +Go to directory of your choice and get Suricata: + + git clone git://phalanx.openinfosecfoundation.org/oisf.git + cd oisf/ + +Configure: + + ./autogen.sh + ./configure --enable-gccprotect --enable-profiling --enable-cuda --with-cuda- + includes=/usr/local/cuda/include \ + --with-cuda-libraries=/usr/local/cuda/lib64 --enable-pfring + +You should get at the end: +"" + + Suricata Configuration: + NFQueue support: no + IPFW support: no + PF_RING support: yes + Prelude support: no + Unit tests enabled: no + Debug output enabled: no + Debug validation enabled: no + CUDA enabled: yes + DAG enabled: no + Profiling enabled: yes + GCC Protect enabled: yes + GCC march native enabled: yes + GCC Profile enabled: no + Unified native time: no + Non-bundled htp: no + PCRE sljit: no + + +"" +Install: + + make && make install + ldconfig + +Verify: + + suricata --build-info + + [1840] 13/8/2011 -- 14:26:39 - (suricata.c:622) <Info> (main) -- This is + Suricata version 1.1beta2 (rev b3f7e6a) + [1840] 13/8/2011 -- 14:26:39 - (suricata.c:507) <Info> (SCPrintBuildInfo) - + - Features: PCAP_SET_BUFF LIBPCAP_VERSION_MAJOR=1 CUDA PF_RING LIBCAP_NG + LIBNET1.1 HAVE_HTP_URI_NORMALIZE_HOOK + [1840] 13/8/2011 -- 14:26:39 - (suricata.c:521) <Info> (SCPrintBuildInfo) - + - 64-bits, Little-endian architecture + [1840] 13/8/2011 -- 14:26:39 - (suricata.c:523) <Info> (SCPrintBuildInfo) - + - GCC version 4.4.5, C version 199901 + [1840] 13/8/2011 -- 14:26:39 - (suricata.c:529) <Info> (SCPrintBuildInfo) - + - __GCC_HAVE_SYNC_COMPARE_AND_SWAP_1 + [1840] 13/8/2011 -- 14:26:39 - (suricata.c:532) <Info> (SCPrintBuildInfo) - + - __GCC_HAVE_SYNC_COMPARE_AND_SWAP_2 + [1840] 13/8/2011 -- 14:26:39 - 
(suricata.c:535) <Info> (SCPrintBuildInfo) - + - __GCC_HAVE_SYNC_COMPARE_AND_SWAP_4 + [1840] 13/8/2011 -- 14:26:39 - (suricata.c:538) <Info> (SCPrintBuildInfo) - + - __GCC_HAVE_SYNC_COMPARE_AND_SWAP_8 + [1840] 13/8/2011 -- 14:26:39 - (suricata.c:541) <Info> (SCPrintBuildInfo) - + - __GCC_HAVE_SYNC_COMPARE_AND_SWAP_16 + [1840] 13/8/2011 -- 14:26:39 - (suricata.c:545) <Info> (SCPrintBuildInfo) - + - compiled with -fstack-protector + [1840] 13/8/2011 -- 14:26:39 - (suricata.c:551) <Info> (SCPrintBuildInfo) - + - compiled with _FORTIFY_SOURCE=2 + +Run Suricata: + + suricata -c /etc/suricata/suricata.yaml\ + --pfring-int=eth0 --pfring-cluster-id=99 --pfring-cluster-type=cluster_flow + diff --git a/framework/src/suricata/doc/Installation_with_CUDA_on_Scientific_Linux_6.txt b/framework/src/suricata/doc/Installation_with_CUDA_on_Scientific_Linux_6.txt new file mode 100644 index 00000000..604ee8bc --- /dev/null +++ b/framework/src/suricata/doc/Installation_with_CUDA_on_Scientific_Linux_6.txt 
@@ -0,0 +1,95 @@ +Autogenerated on 2012-11-29 +from - https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Installation_with_CUDA_on_Scientific_Linux_6 + + +Installation with CUDA on Scientific Linux 6 + +Hardware used: HP Proliant G7, 16 cores, 30 GB RAM, NVIDIA CUDA Quadro 4000 +graphics card +For setup you need to be root. Enter the following: + + mkdir /root/src + cd /root/src + + +Pre installation requirements + +Run the following command to ensure that you have everything you need for the +installation: + + yum install mpfr-2.4.1-6.el6.x86_64 cpp-4.4.4-13.el6.x86_64 ppl-0.10.2- + 11.el6.x86_64 \ + cloog-ppl-0.15.7-1.2.el6.x86_64 gcc-4.4.4-13.el6.x86_64 kernel-devel-2.6.32- + 131.2.1.el6.x86_64 \ + pcre-devel-7.8-3.1.el6.x86_64 libpcap-devel-1.0.0- + 6.20091201git117cb5.el6.x86_64 \ + yum-plugin-priorities-1.1.26-11.el6.noarch yum-conf-sl6x-1-1.noarch libyaml- + 0.1.3-1.el6.rf.x86_64 \ + libyaml-devel-0.1.3-1.el6.rf.x86_64 libnet-1.1.2.1-2.2.el6.rf.x86_64 flex- + 2.5.35-8.el6.x86_64 \ + bison-2.4.1-5.el6.x86_64 gcc-c++-4.4.4-13.el6.x86_64 + + +CUDA + +Download and install NVIDIA CUDA drivers: + + wget http://us.download.nvidia.com/XFree86/Linux-x86_64/270.41.19/NVIDIA- + Linux-x86_64-270.41.19.run + chmod +x NVIDIA-Linux-x86_64-270.41.19.run + ./NVIDIA-Linux-x86_64-270.41.19.run + +You also need to download and install the CUDA toolkit for RHEL6 : + + wget http://developer.download.nvidia.com/compute/cuda/4_0/toolkit/ + cudatoolkit_4.0.17_linux_64_rhel6.0.run + chmod +x cudatoolkit_4.0.17_linux_64_rhel6.0.run + ./cudatoolkit_4.0.17_linux_64_rhel6.0.run + +Make sure the kernel modules are loaded: + + /sbin/modprobe -r nouveau && /sbin/modprobe nvidia + +To ensure the proper NVIDIA CUDA modules get loaded on reboot, add the above +line to your /etc/rc.local file. 
+ +Suricata + +Download and install Suricata: + + wget http://www.openinfosecfoundation.org/download/suricata-1.1beta2.tar.gz + +And unpack it: + + tar -xvzf suricata-1.1beta2.tar.gz + +Change to the unpacked directory: + + cd suricata-1.1beta2 + +Compile and install the engine with CUDA support: + + ./configure --enable-gccprotect --enable-profiling --enable-cuda \ + --with-cuda-includes=/usr/local/cuda/include --with-cuda-libraries=/usr/ + local/cuda/lib64/ + make + make install + + +Rules + +Read the information in Rule_Management_with_Oinkmaster +Add rules to suricata: + + cd /etc/suricata + wget https://rules.emergingthreatspro.com/open-nogpl/suricata/ + emerging.rules.tar.gz + tar -xvzf emerging.rules.tar.gz + +Make sure your .yaml file includes the /etc/suricata/rules/emerging-*.rules +files (they may need to be uncommented). +Run Suricata as followed: + + cd /etc/suricata + /usr/local/bin/suricata -c /etc/suricata/suricata.yaml -i eth0 + diff --git a/framework/src/suricata/doc/Installation_with_CUDA_on_Ubuntu_server_1104.txt b/framework/src/suricata/doc/Installation_with_CUDA_on_Ubuntu_server_1104.txt new file mode 100644 index 00000000..9c6c82fa --- /dev/null +++ b/framework/src/suricata/doc/Installation_with_CUDA_on_Ubuntu_server_1104.txt 
@@ -0,0 +1,183 @@ +Autogenerated on 2012-11-29 +from - https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Installation_with_CUDA_on_Ubuntu_server_1104 + + +Installation with CUDA on Ubuntu server 11.04 + +THIS WOULD NOT WORK ON A VIRTUAL MACHINE! +This guide is written using: +Ubuntu Server 11.04 +Linux ubuntu 2.6.38-8-generic x86_64 GNU/Linux + +Pre installation requirements + + + apt-get update + apt-get upgrade + +Get the CUDA toolkit + + http://developer.nvidia.com/cuda-toolkit-40 + +Pick up the correct NVIDIA drivers for your card and system + + http://www.nvidia.com/Download/index.aspx?lang=en-us + +Go to your download directory +and chmod the 2 *.run files that you just downloaded. +Example: + + chmod 655 cudatoolkit_4.0.17_linux_64_ubuntu10.10.run + chmod 655 NVIDIA-Linux-x86_64-280.13.run + + + sudo apt-get -y install libpcre3 libpcre3-dbg libpcre3-dev \ + build-essential autoconf automake libtool libpcap-dev libnet1-dev \ + libyaml-0-2 libyaml-dev zlib1g zlib1g-dev libcap-ng-dev libcap-ng0 \ + make flex bison git + +Run the cuda toolkit installation package: + + sudo ./cudatoolkit_4.0.17_linux_64_ubuntu10.10.run + +Close all windows and as you are logged in press: + + Ctr+Alt+F1 + +Log in with your credentials + + sudo -i + +And enter your password +Stop the x server: + + /etc/init.d/gdm stop + +Uninstall xserver video drivers: + + apt-get remove --purge xserver-xorg-video-nouveau + +Go to the directory where you downloaded nvidia/cuda drivers. + + Run the NVIDIA*******.run: + ./NVIDIA********.run + +Ok and yes your way out. +At some point it will ask you to make a special configuration file to disable a +"nouveau" +driver that the system is currently using and prevents the NVIDIA drivers to be +installed - say yes! +Reboot: + + shutdown -r now + +After reboot log in as you would normally through the GUI +Log in as you would normally. 
+Go to shell: + + Ctrl+Alt+F1 + +Type in your credentials and pass + + sudo -i + +Stop the xserver again: + + /etc/init.d/gdm stop + +Run the NVIDIA driver again. +This time it would finish and be successful.... +Reboot: + + shutdown -r now + +After start you would notice that the display has much better resolution - it +is a good thing. +Log in as you would normally. +Because the 11.04 Ubuntu comes with gcc version 4.5 by default we need to +install gcc 4.4 since we must use 4.4 for the cuda compilation: + + apt-get install gcc-4.4 gcc-4.4-base g++-4.4 + +Then we switch and make ubuntu use the gcc 4.4 by default: + + sudo update-alternatives --install /usr/bin/gcc gcc /usr/bin/gcc-4.5 40 -- + slave /usr/bin/g++ g++ /usr/bin/g++-4.5 + udo update-alternatives --install /usr/bin/gcc gcc /usr/bin/gcc-4.4 60 -- + slave /usr/bin/g++ g++ /usr/bin/g++-4.4 + +We make sure that this is the case: + + sudo update-alternatives --config gcc + +"" + + update-alternatives --config gcc (as root) + + +There are 2 choices for the alternative gcc (providing /usr/bin/gcc). 
+ +* 0 /usr/bin/gcc-4.4 60 auto mode + 1 /usr/bin/gcc-4.4 60 manual mode + 2 /usr/bin/gcc-4.5 40 manual mode + + + Selection Path Priority Status + ------------------------------------------------------------ + +Press enter to keep the current choice[*], or type selection number: +"" + +Suricata + +Enter the following in your download directory: + + git clone git://phalanx.openinfosecfoundation.org/oisf.git + cd oisf/ + ./autogen.sh + ./configure --enable-gccprotect --enable-profiling --enable-cuda \ + --with-cuda-includes=/usr/local/cuda/include --with-cuda-libraries=/usr/ + local/cuda/lib64/ + +After that you should get the following result: +"" + + Suricata Configuration: + NFQueue support: no + IPFW support: no + PF_RING support: no + Prelude support: no + Unit tests enabled: no + Debug output enabled: no + Debug validation enabled: no + CUDA enabled: yes + DAG enabled: no + Profiling enabled: yes + GCC Protect enabled: yes + GCC march native enabled: yes + GCC Profile enabled: no + Unified native time: no + Non-bundled htp: no + PCRE sljit: no + "" + + + make && make install + ldconfig + +Proceed with Basic_Setup +After you start suricata , you should see cuda + + example : + "" + suricata -c suricata.yaml -i eth0 + [12406] 13/8/2011 -- 10:14:39 - (suricata.c:622) <Info> (main) -- This is + Suricata version 1.1beta2 (rev b3f7e6a) + [12406] 13/8/2011 -- 10:14:39 - (util-cpu.c:171) <Info> (UtilCpuPrintSummary) + -- CPUs/cores online: 8 + [12406] 13/8/2011 -- 10:14:39 - (util-cuda.c:4504) <Info> + (SCCudaPrintBasicDeviceInfo) -- GPU Device 1: GeForce 310M, 2 + Multiprocessors, 1468MHz, CUDA Compute Capability 1.2................... + ........................ + "" + diff --git a/framework/src/suricata/doc/Installation_with_PF_RING.txt b/framework/src/suricata/doc/Installation_with_PF_RING.txt new file mode 100644 index 00000000..ea4f4172 --- /dev/null +++ b/framework/src/suricata/doc/Installation_with_PF_RING.txt 
@@ -0,0 +1,207 @@ +Autogenerated on 2012-11-29 +from - https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Installation_with_PF_RING + + +Installation with PF RING + +This is the installation guide for Suricata with PF_RING support and a guide to +install PF_RING. +To install DKMS, enter: + + sudo apt-get install dkms + +To get subversion for checking out the PF_RING code, flex and bison for +libpcap, enter: + + sudo apt-get install subversion flex bison + +To install the debs needed for Suricata, enter the following: + + sudo apt-get install libpcre3-dev libpcap-dev libyaml-dev zlib1g-dev libcap- + ng-dev libnet1-dev + +In the example you will build from the GIT repository, so you will need some +extra packages: + + sudo apt-get install git-core automake autoconf libtool + +To build your modules, please go to: + + cd /usr/src/ + +Checkout the PF_RING code: + + sudo svn --force export https://svn.ntop.org/svn/ntop/trunk/PF_RING/ + PF_RING_CURRENT_SVN + +Create the DKMS build directory and copy files over for the main PF_RING module +by entering the following: + + sudo mkdir /usr/src/pf_ring-4 + sudo cp -Rf /usr/src/PF_RING_CURRENT_SVN/kernel/* /usr/src/pf_ring-4/ + cd /usr/src/pf_ring-4/ + +Create a file called 'dkms.conf' + + sudo nano dkms.conf + +and place the following into the file: + + PACKAGE_NAME="pf_ring" + PACKAGE_VERSION="4" + BUILT_MODULE_NAME[0]="pf_ring" + DEST_MODULE_LOCATION[0]="/kernel/net/pf_ring/" + AUTOINSTALL="yes" + +To close the file, do so by pressing Ctrl and X at the same time, followed by y +and enter. 
+Build and install the kernel -module of PF_RING: + + sudo dkms add -m pf_ring -v 4 + sudo dkms build -m pf_ring -v 4 + sudo dkms install -m pf_ring -v 4 + +development headers.(zie aantekeningen) + + sudo mkdir -p /opt/PF_RING/{bin,lib,include/linux,sbin} + +Next, build and install the userland lib.: + + sudo cp -f /usr/src/PF_RING_CURRENT_SVN/kernel/linux/pf_ring.h /opt/PF_RING/ + include/linux/ + cd /usr/src/PF_RING_CURRENT_SVN/userland/lib + sudo ./configure + sudo sed -i -e 's/INSTDIR = \${DESTDIR}\/usr\/local/INSTDIR = \$ + {DESTDIR}\/opt\/PF_RING/' Makefile + sudo cp -f pfring_e1000e_dna.h /opt/PF_RING/include + sudo make + sudo make install + +Enter the following to pull down the latest version of Suricata from the git +repository and build with PF_RING support: + + cd /usr/src/PF_RING_CURRENT_SVN/userland/ + sudo git clone git://phalanx.openinfosecfoundation.org/oisf.git oisfnew + cd oisfnew + sudo ./autogen.sh + sudo ./configure --enable-pfring --with-libpfring-libraries=/opt/PF_RING/lib + --with-libpfring-includes=/opt/PF_RING/include --with-libpcap-libraries=/opt/ + PF_RING/lib --with-libpcap-includes=/opt/PF_RING/include LD_RUN_PATH="/opt/ + PF_RING/lib:/usr/lib:/usr/local/lib" --prefix=/opt/PF_RING/ + sudo make install + sudo make + sudo mkdir etc/suricata + +To make config and log directories for a more complete getting started, see: +Basic_Setup. + + sudo mkdir /etc/suricata + sudo cp suricata.yaml /etc/suricata/ + sudo cp classification.config /etc/suricata/ + sudo mkdir /var/log/suricata + +The information about the setup options for when you initialise the module: +min_num_slots:Number of ring slots (uint) +transparent_mode:0=standard Linux, 1=direct2pfring+transparent, +2=direct2pfring+non transparent. +For 1 and 2 you need to use a PF_RING aware driver (uint) . 
+enable_tx_capture:Set to 1 to capture outgoing packets (uint) +enable_ip_defrag:Set to 1 to enable IP defragmentation(only rx traffic is +defragmentead) (uint) +Enter the following as super-user: + + echo "options pf_ring transparent_mode=0 min_num_slots=32768 + enable_tx_capture=0" > /etc/modprobe.d/pf_ring.conf + +To check the status of PF_RING : + + sudo modprobe pf_ring + sudo modinfo pf_ring && cat /proc/net/pf_ring/info + +Start up Suricata with PF_RING support: + + sudo /opt/PF_RING/bin/suricata --pfring-int=eth0 --pfring-cluster-id=99 -- + pfring-cluster-type=cluster_flow -c /etc/suricata/suricata.yaml + +If you need to uninstall PF_RING or rollback your PF_RING aware drivers to +their previous state you can do so with the following commands: + + sudo dkms remove -m pf_ring -v 4 --all + + +Optional + +The following part is optional. + + sudo dkms remove -m e1000e-pf_ring -v 1.0.15 --all + +If you issue the following command, you can see that PF_RING should now be +installed as DKMS module: + + dkms status + +Now go through the steps to build a PF_RING aware driver: + + sudo mkdir /usr/src/e1000e-pf_ring-1.0.15 + sudo cp -Rf /usr/src/PF_RING_CURRENT_SVN/drivers/intel/e1000e/old/e1000e- + 1.0.15/src/* /usr/src/e1000e-pf_ring-1.0.15/ + +Enter the following so that DKMS can find it for driver rebuilds: + + sudo cp -f /usr/src/PF_RING_CURRENT_SVN/kernel/linux/pf_ring.h /usr/src/ + e1000e-pf_ring-1.0.15/ + cd /usr/src/e1000e-pf_ring-1.0.15/ + +After that, fix the path to pf_ring.h: + + sed -i -e 's/\.\.\/\.\.\/\.\.\/\.\.\/kernel\/linux\/pf\_ring\.h/pf\_ring\.h/ + ' netdev.c + +Then create a file called 'dkms.conf'. 
+ + sudo nano dkms.conf + +and place the following into the file: + + PACKAGE_NAME="e1000e-pf_ring" + PACKAGE_VERSION="1.0.15" + BUILT_MODULE_NAME[0]="e1000e" + DEST_MODULE_LOCATION[0]="/kernel/drivers/net/e1000e/" + AUTOINSTALL="yes" + +Build and install the module of the e1000e-pf_ring network driver: + + sudo dkms add -m e1000e-pf_ring -v 1.0.15 + sudo dkms build -m e1000e-pf_ring -v 1.0.15 + sudo dkms install -m e1000e-pf_ring -v 1.0.15 + +After that, build and install the PF_RING enabled libpcap: + + cd /usr/src/PF_RING_CURRENT_SVN/userland/libpcap-1.0.0-ring + ./configure + sed -i -e 's/\.\.\/lib\/libpfring\.a/\/opt\/PF_RING\/lib\/libpfring\.a/ + ' Makefile + sed -i -e 's/\.\.\/lib\/libpfring\.a/\/opt\/PF_RING\/lib\/libpfring\.a/ + ' Makefile.in + ./configure --prefix=/opt/PF_RING && make && make install + +Subsequently, build and install tcpdump using the PF_RING enabled version of +libpcap: + + cd /usr/src/PF_RING_CURRENT_SVN/userland/tcpdump-4.0.0 + sudo ./configure + sudo sed -i -e 's/\.\.\/lib\/libpfring\.a/\/opt\/PF_RING\/lib\/libpfring\.a/ + ' Makefile + sudo sed -i -e 's/\.\.\/lib\/libpfring\.a/\/opt\/PF_RING\/lib\/libpfring\.a/ + ' Makefile.in + sudo sed -i -e 's/-I \.\.\/libpcap-1\.0\.0-ring/-I \/opt\/PF_RING\/include/ + ' Makefile + sudo sed -i -e 's/-I \.\.\/libpcap-1\.0\.0-ring/-I \/opt\/PF_RING\/include/ + ' Makefile.in + sudo sed -i -e 's/-L \.\.\/libpcap-1\.0\.0-ring\/-L /\/opt\/PF_RING\/lib\// + ' Makefile + sed -i -e 's/-L \.\.\/libpcap-1\.0\.0-ring\/-L /\/opt\/PF_RING\/lib\// + ' Makefile.in + sudo ./configure LD_RUN_PATH="/opt/PF_RING/lib:/usr/lib:/usr/local/lib" -- + prefix=/opt/PF_RING/ --enable-ipv6 && make && make install + diff --git a/framework/src/suricata/doc/Mac_OS_X_106x.txt b/framework/src/suricata/doc/Mac_OS_X_106x.txt new file mode 100644 index 00000000..0f76a047 --- /dev/null +++ b/framework/src/suricata/doc/Mac_OS_X_106x.txt 
@@ -0,0 +1,72 @@ +Autogenerated on 2012-11-29 +from - https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Mac_OS_X_106x + + +Mac OS X (10.6.x) + + +Pre-installation requirements + +These instructions have been tested with Mac OS X (10.6.1). To begin, you will +need an essential development environment much like gcc/make. You can download +Xcode from http://developer.apple.com/technology/xcode.html. +MacPorts is required for you to fetch the depends, so you will also need to +install MacPorts, if you have not already done so. The online installation +guide is located at http://guide.macports.org/#installing. +Before you can build Suricata for your system, you must run the following +command to ensure that you have everything you need for the installation. + + port install autoconf automake gcc44 make libnet11 libpcap pcre \ + libyaml libtool + export AC_PROG_LIBTOOL=$( which libtool ) + +Depending on the current status of your system, it may take a while to complete +this process. + +HTP + +HTP is bundled with Suricata and installed automatically. If you need to +install HTP manually for other reasons, instructions can be found at HTP +library_installation. + +IPS + +If you would like to have IPS capabilities with IPFW, then you should run +configure like this: + + ./configure --enable-ipfw --prefix=/usr --sysconfdir=/etc --localstatedir=/ + var + +and execute the rest of the commands the same as above. + +Suricata + +To download and build Suricata, enter the following: + + wget http://www.openinfosecfoundation.org/download/suricata-1.3.3.tar.gz + tar -xvzf suricata-1.3.3.tar.gz + cd suricata-1.3.3 + +You will also need to have an ipfw rule set for the engine to see the packets +from ipfw. 
For example: + + ipfw add 100 divert 8000 ip from any to any + +The 8000 above should be the same number you pass on the command line of +suricata with the option -d, that is, -d 8000: + + suricata -c config_file.yaml -d 8000 + +You will need a Suricata rule set with IPS options (drop, reject, etc). For +this, please refer to the Emerging Threats rule sets. +If you are building from Git sources, enter the following: + + bash autogen.sh + +If you are not building from Git sources, enter the following: + + ./configure --prefix=/usr --sysconfdir=/etc --localstatedir=/var + make + sudo make install + +Please continue with the Basic_Setup. diff --git a/framework/src/suricata/doc/Makefile.am b/framework/src/suricata/doc/Makefile.am new file mode 100644 index 00000000..386debc8 --- /dev/null +++ b/framework/src/suricata/doc/Makefile.am @@ -0,0 +1,35 @@ +EXTRA_DIST = \ +AUTHORS \ +GITGUIDE \ +INSTALL \ +NEWS \ +README \ +TODO \ +INSTALL.PF_RING \ +INSTALL.WINDOWS \ +\ +Basic_Setup.txt \ +CentOS5.txt \ +CentOS_56_Installation.txt \ +Debian_Installation.txt \ +Fedora_Core.txt \ +FreeBSD_8.txt \ +HTP_library_installation.txt \ +Installation_from_GIT_with_PF_RING_on_Ubuntu_server_1104.txt \ +Installation_with_CUDA_on_Ubuntu_server_1104.txt \ +Installation_with_CUDA_and_PFRING_on_Scientific_Linux_6.txt \ +Installation_with_PF_RING.txt \ +Installation_with_CUDA_and_PF_RING_on_Ubuntu_server_1104.txt \ +Installation_from_GIT_with_PCRE-JIT.txt \ +Installation_with_CUDA_on_Scientific_Linux_6.txt \ +Mac_OS_X_106x.txt \ +OpenBSD_Installation_from_GIT.txt \ +Setting_up_IPSinline_for_Linux.txt \ +Third_Party_Installation_Guides.txt \ +Ubuntu_Installation.txt \ +Ubuntu_Installation_from_GIT.txt \ +Windows.txt + +datarootdir=@datarootdir@ +docdir = ${datarootdir}/doc/${PACKAGE} +dist_doc_DATA = ${EXTRA_DIST} diff --git a/framework/src/suricata/doc/NEWS b/framework/src/suricata/doc/NEWS new file mode 100644 index 00000000..e0de71b4 --- /dev/null +++ b/framework/src/suricata/doc/NEWS 
@@ -0,0 +1,2 @@ +http://suricata-ids.org/news/ + diff --git a/framework/src/suricata/doc/OpenBSD_Installation_from_GIT.txt b/framework/src/suricata/doc/OpenBSD_Installation_from_GIT.txt new file mode 100644 index 00000000..b5f27000 --- /dev/null +++ b/framework/src/suricata/doc/OpenBSD_Installation_from_GIT.txt 
@@ -0,0 +1,79 @@ +Autogenerated on 2012-11-29 +from - https://redmine.openinfosecfoundation.org/projects/suricata/wiki/OpenBSD_Installation_from_GIT + + +OpenBSD Installation from GIT + + +Pre-installation Requirements + +Before you can build Suricata for your system, run the following commands to +ensure that you have everything you need for the installation. + + pkg_add gcc + pkg_add pcre + pkg_add libtool + pkg_add libyaml + pkg_add libnet-1.1.2.1p0 + +If you would like to build from Git sources, you have to install the following +building tools: + + pkg_add git + pkg_add autoconf + pkg_add automake + If you use OpenBSD 4.8, enter the following: + pkg_add git autoconf-2.61p3 automake-1.10.3 + + +HTP + +HTP is bundled with Suricata and installed automatically. If you need to +install HTP manually for other reasons, instructions can be found at HTP +library_installation. + +Suricata + +Next, clone the repository and run autogen: + + git clone git://phalanx.openinfosecfoundation.org/oisf.git + cd oisf + export AUTOCONF_VERSION=2.61 + export AUTOMAKE_VERSION=1.10 + ./autogen.sh + +Enter the following to configure: + + CPPFLAGS="-I/usr/local/include" CFLAGS="-L/usr/local/lib" ./configure -- + prefix=/opt/suricata + +To build and install Suricata, enter the following in your command line: + + make + make install + + +Auto setup + +You can also use the available auto setup features of Suricata: +ex: + + ./configure && make && make install-conf + +make install-conf +would do the regular "make install" and then it would automatically create/ +setup all the necessary directories and suricata.yaml for you. 
+ + ./configure && make && make install-rules + +make install-rules +would do the regular "make install" and then it would automatically download +and set up the latest ruleset from Emerging Threats available for Suricata + + ./configure && make && make install-full + +make install-full +would combine everything mentioned above (install-conf and install-rules) - and +will present you with a ready to run (configured and set up) Suricata +Next, continue with the Basic_Setup. +Source: http://home.regit.org/?p=478 diff --git a/framework/src/suricata/doc/README b/framework/src/suricata/doc/README new file mode 100644 index 00000000..e69de29b --- /dev/null +++ b/framework/src/suricata/doc/README diff --git a/framework/src/suricata/doc/Setting_up_IPSinline_for_Linux.txt b/framework/src/suricata/doc/Setting_up_IPSinline_for_Linux.txt new file mode 100644 index 00000000..68eaceac --- /dev/null +++ b/framework/src/suricata/doc/Setting_up_IPSinline_for_Linux.txt 
@@ -0,0 +1,83 @@ +Autogenerated on 2012-11-29 +from - https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Setting_up_IPSinline_for_Linux + + +Setting up IPS/inline for Linux + +In this guide will be explained how to work with Suricata in inline mode and +how to set iptables for that purpose. +First start with compiling Suricata with NFQ support. For instructions see +Ubuntu_Installation. +For more information about NFQ and iptables, see suricata.yaml. +To check if you have NFQ enabled in your Suricata, enter the following command: + + suricata --build-info + +and examine if you have NFQ between the features. +To run suricata with the NFQ mode, you have to make use of the -q option. This +option tells Suricata which of the queue numbers it should use. + + sudo suricata -c /etc/suricata/suricata.yaml -q 0 + + +Iptables configuration + +First of all it is important to know which traffic you would like to send to +Suricata. Traffic that passes your computer or traffic that is generated by +your computer. + +If Suricata is running on a gateway and is meant to protect the computers +behind that gateway you are dealing with the first scenario: forward_ing . +If Suricata has to protect the computer it is running on, you are dealing with +the second scenario: host (see drawing 2). +These two ways of using Suricata can also be combined. +The easiest rule in case of the gateway-scenario to send traffic to Suricata +is: + + sudo iptables -I FORWARD -j NFQUEUE + +In this case, all forwarded traffic goes to Suricata. +In case of the host situation, these are the two most simple iptable rules; + + sudo iptables -I INPUT -j NFQUEUE + sudo iptables -I OUTPUT -j NFQUEUE + +It is possible to set a queue number. If you do not, the queue number will be 0 +by default. 
+Imagine you want Suricata to check for example just TCP-traffic, or all +incoming traffic on port 80, or all traffic on destination-port 80, you can do +so like this: + + sudo iptables -I INPUT -p tcp -j NFQUEUE + sudo iptables -I OUTPUT -p tcp -j NFQUEUE + +In this case, Suricata checks just TCP traffic. + + sudo iptables -I INPUT -p tcp --sport 80 -j NFQUEUE + sudo iptables -I OUTPUT -p tcp --dport 80 -j NFQUEUE + +In this example, Suricata checks all input and output on port 80. + +To see if you have set your iptables rules correct make sure Suricata is +running and enter: + + sudo iptables -vnL + +In the example you can see if packets are being logged. +This description of the use of iptables is the way to use it with IPv4. To use +it with IPv6 all previous mentioned commands have to start with 'ip6tables'. It +is also possible to let Suricata check both kinds of traffic. +There is also a way to use iptables with multiple networks (and interface +cards). Example: + + sudo iptables -I FORWARD -i eth0 -o eth1 -j NFQUEUE + sudo iptables -I FORWARD -i eth1 -o eth0 -j NFQUEUE + +The options -i (input) -o (output) can be combined with all previous mentioned +options +If you would stop Suricata and use internet, the traffic will not come through. +To make internet work correctly, you have to erase all iptable rules. +To erase all iptable rules, enter: + + sudo iptables -F + diff --git a/framework/src/suricata/doc/TODO b/framework/src/suricata/doc/TODO new file mode 100644 index 00000000..1b198e77 --- /dev/null +++ b/framework/src/suricata/doc/TODO @@ -0,0 +1,4 @@ +Plenty, and you're welcome to help! + +http://suricata-ids.org/participate/ + diff --git a/framework/src/suricata/doc/Third_Party_Installation_Guides.txt b/framework/src/suricata/doc/Third_Party_Installation_Guides.txt new file mode 100644 index 00000000..4028d292 --- /dev/null +++ b/framework/src/suricata/doc/Third_Party_Installation_Guides.txt 
@@ -0,0 +1,10 @@ +Autogenerated on 2012-11-29 +from - https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Third_Party_Installation_Guides + + +Third Party Installation Guides + +On this page you can find links to third party installation guides for +Suricata. Beware that none of these guides is reviewed by us. Feel free to add +a link to your Suricata installation guide. +http://aldeid.com/index.php/Suricata/Installation-and-basic-configuration diff --git a/framework/src/suricata/doc/Ubuntu_Installation.txt b/framework/src/suricata/doc/Ubuntu_Installation.txt new file mode 100644 index 00000000..7bf90846 --- /dev/null +++ b/framework/src/suricata/doc/Ubuntu_Installation.txt 
@@ -0,0 +1,84 @@ +Autogenerated on 2012-11-29 +from - https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Ubuntu_Installation + + +Ubuntu Installation + + +Pre-installation requirements + +Before you can build Suricata for your system, run the following command to +ensure that you have everything you need for the installation. + + sudo apt-get -y install libpcre3 libpcre3-dbg libpcre3-dev \ + build-essential autoconf automake libtool libpcap-dev libnet1-dev \ + libyaml-0-2 libyaml-dev zlib1g zlib1g-dev libcap-ng-dev libcap-ng0 \ + make libmagic-dev + +Depending on the current status of your system, it may take a while to complete +this process. + +HTP + +HTP is bundled with Suricata and installed automatically. If you need to +install HTP manually for other reasons, instructions can be found at HTP +library_installation. + +IPS + +By default, Suricata works as an IDS. If you want to use it as a IDS and IPS +program, enter: + + sudo apt-get -y install libnetfilter-queue-dev libnetfilter-queue1 + libnfnetlink-dev libnfnetlink0 + + +Suricata + +To download and build Suricata, enter the following: + + wget http://www.openinfosecfoundation.org/download/suricata-1.3.3.tar.gz + tar -xvzf suricata-1.3.3.tar.gz + cd suricata-1.3.3 + +Compile and install the engine +If you plan to build Suricata with IPS capabilities, enter: + + ./configure --enable-nfqueue --prefix=/usr --sysconfdir=/etc -- + localstatedir=/var + +instead of + + ./configure --prefix=/usr --sysconfdir=/etc --localstatedir=/var + +Continue with the next commands: + + ./configure --prefix=/usr --sysconfdir=/etc --localstatedir=/var + make + sudo make install + sudo ldconfig + + +Auto setup + +You can also use the available auto setup features of Suricata: +ex: + + ./configure && make && make install-conf + +make install-conf +would do the regular "make install" and then it would automatically create/ +setup all the necessary directories and suricata.yaml for you. 
+ + ./configure && make && make install-rules + +make install-rules +would do the regular "make install" and then it would automatically download +and set up the latest ruleset from Emerging Threats available for Suricata + + ./configure && make && make install-full + +make install-full +would combine everything mentioned above (install-conf and install-rules) - and +will present you with a ready to run (configured and set up) Suricata +Please continue with Basic_Setup. diff --git a/framework/src/suricata/doc/Ubuntu_Installation_from_GIT.txt b/framework/src/suricata/doc/Ubuntu_Installation_from_GIT.txt new file mode 100644 index 00000000..086f8431 --- /dev/null +++ b/framework/src/suricata/doc/Ubuntu_Installation_from_GIT.txt 
@@ -0,0 +1,115 @@ +Autogenerated on 2012-11-29 +from - https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Ubuntu_Installation_from_GIT + + +Ubuntu Installation from GIT + +In this document will be explained how to install and use the most recent code +of Suricata on Ubuntu. Installing from GIT on other operating systems is +basically the same, except that some commands are Ubuntu-specific (like sudo +and apt-get). In case you are using another operating system, you should +replace those commands by your operating-specific commands. + +Pre-installation requirements + +Before you can build Suricata for your system, run the following command to +ensure that you have everything you need for the installation. + + sudo apt-get -y install libpcre3 libpcre3-dbg libpcre3-dev \ + build-essential autoconf automake libtool libpcap-dev libnet1-dev \ + libyaml-0-2 libyaml-dev zlib1g zlib1g-dev libcap-ng-dev libcap-ng0 \ + make libmagic-dev + + + sudo apt-get install git-core + +Depending on the current status of your system, it may take a while to complete +this process. + +HTP + +HTP is bundled with Suricata and installed automatically. If you need to +install HTP manually for other reasons, instructions can be found at HTP +library_installation. + +IPS + +By default, Suricata works as an IDS. If you want to use it as a IDS and IPS +program, enter: + + sudo apt-get -y install libnetfilter-queue-dev libnetfilter-queue1 + libnfnetlink-dev libnfnetlink0 + + +Suricata + +First, it is convenient to create a directory for Suricata. Name it 'suricata' +for example. 
Open the terminal and enter: + + mkdir suricata + +Followed by: + + cd suricata + +Next, enter the following line in the terminal: + + git clone git://phalanx.openinfosecfoundation.org/oisf.git + + + cd oisf + +Followed by: + + ./autogen.sh + +To configure, please enter: + + ./configure + +To compile, please enter: + + make + +To install Suricata, enter: + + sudo make install + sudo ldconfig + + +Auto setup + +You can also use the available auto setup features of Suricata: +ex: + + ./configure && make && make install-conf + + +make install-conf +would do the regular "make install" and then it would automatically create/ +setup all the necessary directories and suricata.yaml for you. + + ./configure && make && make install-rules + + +make install-rules +would do the regular "make install" and then it would automatically download +and set up the latest ruleset from Emerging Threats available for Suricata + + ./configure && make && make install-full + + +make install-full +would combine everything mentioned above (install-conf and install-rules) - and +will present you with a ready to run (configured and set up) Suricata +Please continue with Basic_Setup. +In case you have already made a map for the most recent code, downloaded the +code into that map, and want to download recent code again, please enter: + + cd suricata/oisf + +next, enter: + + git pull + +After that, you start again at running autogen. diff --git a/framework/src/suricata/doc/Windows.txt b/framework/src/suricata/doc/Windows.txt new file mode 100644 index 00000000..ce94b1fe --- /dev/null +++ b/framework/src/suricata/doc/Windows.txt 
@@ -0,0 +1,189 @@ +Autogenerated on 2012-11-29 +from - https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Windows + + +Windows + +NOTE - +A new instruction set for Suricata installation (and/or compilation from +scratch) can be found here: +https://redmine.openinfosecfoundation.org/projects/suricata/files +also a windows binary - self extracting auto install package is available here: +http://www.openinfosecfoundation.org/index.php/download-suricata + +Preparing the build environment + +The instructions below should be followed in the order they appear. If your +configuration requires unique actions to compile the package and/or you +significantly modify the configure shell script, please e-mail the details of +your requirements and/or solution to bugreports@openinfosecfoundation.org. +Set up MinGW environment from http://mingw.org/ +Do not use the automatic installer, as it is deprecated. Instead, manually +unpack the following packages to c:\mingw (you may use newer versions if you +prefer): + + + * binutils + o binutils-2.20-1-mingw32-bin.tar.gz + * mingw-runtime (dev and dll) + o mingwrt-3.17-mingw32-dll.tar.gz + o mingwrt-3.17-mingw32-dev.tar.gz + * w32api + o w32api-3.14-mingw32-dev.tar.gz + * Required runtime libraries for GCC (gmp, libiconv, MPFR and pthreads) + o gmp-4.2.4-mingw32-dll.tar.gz + o libiconv-1.13.1-1-mingw32-dll-2.tar.lzma + o mpfr-2.4.1-mingw32-dll.tar.gz + o pthreads-w32-2.8.0-mingw32-dll.tar.gz + * gcc-core (bin and dll) + o gcc-core-4.4.0-mingw32-bin.tar.gz + o gcc-core-4.4.0-mingw32-dll.tar.gz + * make + o make-3.81-20090914-mingw32-bin.tar.gz + * zlib + o libz-1.2.3-1-mingw32-dll-1.tar.gz + + libz-1.2.3-1-mingw32-dev.tar.gz + + +Download MSYS + +Get MSYS from http://sourceforge.net/projects/mingw/files/ and install + + MSYS-1.0.11.exe (MSYS Base System) + msysDTK-1.0.1.exe (MSYS Suplementary Tools) + autoconf-2.63-1-msys-1.0.11-bin.tar.lzma + automake-1.11-1-msys-1.0.11-bin.tar.lzma + 
libtool-2.2.7a-1-msys-1.0.11-bin.tar.lzma + +MSYS will ask the following questions during installation. + + Accept Post Install: [y] + MinGW Installed? : [y] + path to MinGW: [c:/MinGW] + + +Download pkg-config + +Install pkg-config taken from http://wiki.videolan.org/Win32CompileMSYSNew#PKG- +CONFIG +Download and extract the following into c:\Msys\1.0 + + http://ftp.gnome.org/pub/GNOME/binaries/win32/glib/2.18/glib_2.18.2- + 1_win32.zip + ftp://ftp.gnome.org/pub/gnome/binaries/win32/dependencies/pkg-config_0.23- + 3_win32.zip + ftp://ftp.gnome.org/pub/gnome/binaries/win32/dependencies/pkg-config- + dev_0.23-3_win32.zip + + + Set PKG_CONFIG_PATH=/win32/lib/pkgconfig + +(e.g. by adding the Windows environment variable PKG_CONFIG_PATH in "Control +Panel"->"System"->"Advanced System Settings"->"Environment Variables" and +setting the value to /win32/lib/pkgconfig) + +Download Git sources + +Get Git sources from http://code.google.com/p/msysgit/ +Unpack to /msys/1.0 +Remember to edit ~/.gitconfig to set your username + +Download libpcre + +Get libpcre from http://www.pcre.org/ + + ./configure --enable-utf8 --disable-cpp --prefix=/mingw + make + make install + + +Download libyaml + +Download libyaml from http://pyyaml.org/wiki/LibYAML +Though libyaml does not support mingw compilation, it does work in static mode. 
+ + ./configure --prefix=/mingw CFLAGS="-DYAML_DECLARE_STATIC" + make + make install + + +Download libpcap + +Download the developer pack from http://www.winpcap.org/devel.htm +To have the driver in the system, download and install a corresponding +installer package from http://www.winpcap.org/install/default.htm +Copy includes to c:/mingw/include and libs (.a) to c:/mingw/lib +Rename libwpcap.a to libpcap.a + +Get and compile Suricata + + + git clone git://phalanx.openinfosecfoundation.org/oisf.git + cd oisf + +Because of an autotools port bug, you will need to do the following: + + dos2unix.exe libhtp/configure.ac + dos2unix.exe libhtp/htp.pc.in + dos2unix.exe libhtp/Makefile.am + + ./autogen.sh + ./configure CFLAGS="-DYAML_DECLARE_STATIC" + +Add --enable-nfqueue as a configurable parameter to enable inline mode. + + make + +If the full installation is successful, suricata.exe will be located in +src/.lib. To test your build, you will need libpcre-0.dll, libz-1.dll, and +pthreadGC2.dll, all of which should already be installed under c:/mingw or c:/ +msys. +preparing the runtime environment. +To prepare the runtime environment, you must copy the executable and DLLs to a +dedicated directory. Get the classification.config and suricata.yaml, and then +edit suricata.yaml to ensure the directories are correctly identified. +pcap mode +If you have not already done so, install winpcap runtime and its driver. Then, +determine your eth device UUID in the registry: + + HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\ + suricata.exe -c suricata.yaml -i \device\ + +In the example above, device should be replaced with your device uuid. + +Inline mode + +To operate in inline mode, you must download, compile and install +netfilterforwin, which is the netfilter.sys driver and Windows port of the +libnetfilter_queue library. 
+Download and install the Windows Driver Kit from Microsoft +http://www.microsoft.com/downloads/ +details.aspx?displaylang=en&FamilyID=36a2630f-5d56-43b5-b996-7633f2ec14ff +Download netfilterforwin from http://sourceforge.net/projects/netfilterforwin/ +Unpack it so the netfilterforwin directory is beside the oisf directory. You +must omit the version from its name. +Compile the driver +Open the correct build environment from your Start menu +Start > All Programs > Windows Driver Kits > WDK xxxx.yyyy.z > Build +Environments > Windows Server 2003 > x86 Free Build Environment +At your command line prompt, enter the following: + + cd netfilterforwin/netfilter + nmake + +Install the driver +Copy inf/* files and the freshly built netfilter.sys to a separate directory, +and then open the network connections. +Right-click an interface, then select Properties +Click install... +Select Service +Click Add +Click Have disk... +Browse to the directory with the inf files and netfilter.sys, select +netfilter.inf, and then click Ok. +Confirm everything +The driver is now installed. +Run Suricata in inline mode + + suricata.exe -c suricata.yaml -q 0 + diff --git a/framework/src/suricata/doc/doxygen/.gitignore b/framework/src/suricata/doc/doxygen/.gitignore new file mode 100644 index 00000000..d6b7ef32 --- /dev/null +++ b/framework/src/suricata/doc/doxygen/.gitignore @@ -0,0 +1,2 @@ +* +!.gitignore |
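Review bot: In Installation_with_CUDA_on_Ubuntu_server_1104.txt the second alternatives command is `udo update-alternatives --install /usr/bin/gcc gcc /usr/bin/gcc-4.4 60 ...` (leading `s` missing), so a reader who pastes the block never registers gcc-4.4 and the `--config gcc` check that follows cannot offer it; the pasted `--config gcc` output also prints the `Selection Path Priority Status` header after the rows instead of before them. Several commands in this file are hard-wrapped inside a token, e.g. `--with-cuda-libraries=/usr/ local/cuda/lib64/` and `-- slave /usr/bin/g++`, which fail as written; suggest re-joining those lines or using a trailing backslash as the `./configure` line already does. "Type in your credentials and pass" should read "password".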
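Review bot: In Installation_with_PF_RING.txt the Suricata build block runs `sudo make install` before `sudo make`, and `sudo mkdir etc/suricata` is a relative path that creates `oisfnew/etc/suricata` inside the source tree while the very next block creates `/etc/suricata` anyway; suggest swapping the two make lines and dropping the relative mkdir. The sentence `development headers.(zie aantekeningen)` is an untranslated Dutch editor's note ("see notes") left in front of the `mkdir -p /opt/PF_RING/{bin,lib,include/linux,sbin}` line and should become a real sentence such as "Create the PF_RING library and header directories:". The wrapped sed expression `INSTDIR = \$ {DESTDIR}` gains a space inside `${DESTDIR}` and will not match the Makefile. Everything from `svn export` through `./configure` and `make` is run with `sudo`; only `make install`, the `dkms` and `modprobe` steps need root, so suggest building as an unprivileged user and reserving `sudo` for those.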
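Review bot: In the "Optional" part of Installation_with_PF_RING.txt, `sudo dkms remove -m e1000e-pf_ring -v 1.0.15 --all` appears before the e1000e-pf_ring module is ever added, built or installed (those `dkms add/build/install` commands come later in the same file), with `dkms status` wedged between; suggest moving the remove command next to the `dkms remove -m pf_ring -v 4 --all` rollback step after the driver install block. The `echo "options pf_ring ..." > /etc/modprobe.d/pf_ring.conf` line is correctly marked "as super-user", but since every other command uses `sudo` it is worth stating that the redirection will not work with `sudo` prepended.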
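Review bot: In Mac_OS_X_106x.txt the IPS section says to run `./configure --enable-ipfw ...` "and execute the rest of the commands the same as above", but the download, configure and make commands only appear further down; and the closing "If you are not building from Git sources, enter: ./configure ..." wording implies Git builds skip configure, when both paths need it after `autogen.sh`. The rule `ipfw add 100 divert 8000 ip from any to any` sends every IP packet to divert port 8000; with ipfw, packets matching a divert rule whose port has no bound socket are dropped, so the host loses all connectivity whenever Suricata is not running. Suggest documenting that failure mode and how to back the rule out (`ipfw delete 100`) next to the rule.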
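Review bot: In OpenBSD_Installation_from_GIT.txt the configure line passes the library search path as `CFLAGS="-L/usr/local/lib"`; `-L` is a linker option and belongs in `LDFLAGS`, otherwise the link step may still miss libnet/libyaml under /usr/local/lib. The line `If you use OpenBSD 4.8, enter the following:` is indented as if it were a command inside the `pkg_add` block and should be dedented to prose.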
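Review bot: The doc/README added here is an empty file (blob `e69de29b`), yet Makefile.am lists `README` in `EXTRA_DIST` and installs the whole list through `dist_doc_DATA`, so an empty README lands in `${docdir}`; suggest either dropping it from the list or giving it the same one-line pointer the NEWS and TODO files carry. Since a missing `EXTRA_DIST` entry breaks `make dist`, also worth confirming that every name in the list (GITGUIDE, INSTALL, INSTALL.PF_RING, INSTALL.WINDOWS, CentOS5.txt and the others) is actually present in this commit.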
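Review bot: In Setting_up_IPSinline_for_Linux.txt the clean-up instruction `sudo iptables -F` flushes every rule in the filter table, not only the NFQUEUE ones, so any existing host firewall policy disappears with them; suggest removing the specific rules instead (`iptables -D INPUT -j NFQUEUE`, and likewise for OUTPUT/FORWARD) or at least saying what `-F` does. The preceding sentence about traffic not coming through when Suricata is stopped could also mention that NFQUEUE supports `--queue-bypass` on kernels that provide it, which lets packets pass when no queue listener is attached. The text fragments `forward_ing` and `(see drawing 2)` are wiki link and image residue that did not survive the export and should be plain words or removed.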
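Review bot: In Ubuntu_Installation.txt the IPS variant `./configure --enable-nfqueue --prefix=/usr ...` is immediately followed by "Continue with the next commands:" and a plain `./configure --prefix=/usr --sysconfdir=/etc --localstatedir=/var`, which re-runs configure without the flag and silently produces an IDS-only build; suggest showing configure once with the NFQ flag as the variant and then only `make`, `sudo make install`, `sudo ldconfig`. The IPS configure line is also wrapped inside the option (`-- localstatedir=/var`) and fails if pasted. In Ubuntu_Installation_from_GIT.txt, "made a map for the most recent code" uses the Dutch word for folder; "directory" is meant.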
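Review bot: In Windows.txt the pcap-mode example `suricata.exe -c suricata.yaml -i \device\` is truncated (the interface argument the `-i` option expects is not shown, only the registry path where the interface GUIDs are listed), so the example cannot be run as written and should be restored to a complete form; and "suricata.exe will be located in src/.lib" should be `src/.libs`, the directory libtool uses. More generally, across this file and the Ubuntu/OpenBSD/PF_RING guides every fetch is over an unauthenticated transport (`git clone git://phalanx...`, `wget http://.../suricata-1.3.3.tar.gz`, the `http://` MinGW, MSYS and pkg-config archives) with no checksum or signature step; suggest adding a verification step wherever the upstream project publishes one, since these guides end with the binary running as root on a network tap.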