<p>Hi, I need your help!!</p>
<p>I have x64 Fedora 14 for Suricata IPS.</p>
<p>I prepared the following:<br>sudo yum -y install libpcap libpcap-devel libnet libnet-devel pcre \<br>pcre-devel gcc gcc-c++ automake autoconf libtool make libyaml \<br>libyaml-devel zlib zlib-devel libcap-ng libcap-ng-devel</p>
<p>and manually installed HTP: ~~</p>
<p>and installed the netfilter libraries for IPS:<br>sudo yum -y install libnfnetlink libnfnetlink-devel \<br>libnetfilter_queue libnetfilter_queue-devel</p>
<p>and to download and build Suricata, entered the following:<br>git clone git://<a href="http://phalanx.openinfosecfoundation.org/oisf.git">phalanx.openinfosecfoundation.org/oisf.git</a><br>cd oisf; ./autogen.sh; ./configure --enable-nfqueue; make; sudo make install</p>
<p>and set up the environment as follows:</p>
<p>mkdir /etc/suricata/<br>cp ./{*.config,*.yaml} /etc/suricata/<br>sudo mkdir /var/log/suricata</p>
<div>and downloaded rules using oinkmaster<br>and edited suricata.yaml for rules, HOME_NET etc.</div>
<div>suricata --build-info</div>
<div>[4998] 14/4/2011 -- 18:00:50 - (suricata.c:551) <Info> (main) -- This is Suricata version 1.1beta2 (rev d9e5413)<br>[4998] 14/4/2011 -- 18:00:50 - (suricata.c:436) <Info> (SCPrintBuildInfo) -- Features: <strong>NFQ</strong> IPFW PCAP_SET_BUFF LIBPCAP_VERSION_MAJOR=1 LIBCAP_NG LIBNET1.1 <br>
[4998] 14/4/2011 -- 18:00:50 - (suricata.c:450) <Info> (SCPrintBuildInfo) -- 64-bits, Little-endian architecture<br>[4998] 14/4/2011 -- 18:00:50 - (suricata.c:452) <Info> (SCPrintBuildInfo) -- GCC version 4.5.1 20100924 (Red Hat 4.5.1-4), C version 199901<br>
[4998] 14/4/2011 -- 18:00:50 - (suricata.c:458) <Info> (SCPrintBuildInfo) -- __GCC_HAVE_SYNC_COMPARE_AND_SWAP_1<br>[4998] 14/4/2011 -- 18:00:50 - (suricata.c:461) <Info> (SCPrintBuildInfo) -- __GCC_HAVE_SYNC_COMPARE_AND_SWAP_2<br>
[4998] 14/4/2011 -- 18:00:50 - (suricata.c:464) <Info> (SCPrintBuildInfo) -- __GCC_HAVE_SYNC_COMPARE_AND_SWAP_4<br>[4998] 14/4/2011 -- 18:00:50 - (suricata.c:467) <Info> (SCPrintBuildInfo) -- __GCC_HAVE_SYNC_COMPARE_AND_SWAP_8<br>
[4998] 14/4/2011 -- 18:00:50 - (suricata.c:470) <Info> (SCPrintBuildInfo) -- __GCC_HAVE_SYNC_COMPARE_AND_SWAP_16</div>
<p>OK, now!!</p>
<p>I run the following:<br>suricata -c /etc/suricata/suricata.yaml -i eth0 -q 0</p>
<p>But I get the following error:<br>----------------------------------------------------------------------------------------------------------------------------<br>[4997] 14/4/2011 -- 17:48:58 - (suricata.c:551) <Info> (main) -- This is Suricata version 1.1beta2 (rev d9e5413)<br>
[4997] 14/4/2011 -- 17:48:58 - (suricata.c:816) <Error> (main) -- [ERRCODE: SC_ERR_MULTIPLE_RUN_MODE(124)] - more than one run mode has been specified<br> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^<br>
Suricata 1.1beta2 (rev d9e5413)<br>USAGE: suricata</p>
<p> -c <path> : path to configuration file<br> -i <dev or ip> : run in pcap live mode<br> -r <path> : run in pcap file/offline mode<br>
-q <qid> : run in inline nfqueue mode<br> -d <divert port> : run in inline ipfw divert mode<br> -s <path> : path to signature file (optional)<br>
-l <dir> : default log directory<br> -D : run as daemon<br> --list-runmodes : list supported runmodes<br> --runmode <runmode_id> : specific runmode modification the engine should run. The argument<br>
supplied should be the id for the runmode obtained by running<br> --list-runmodes<br> --engine-analysis : print reports on analysis of different sections in the engine and exit.<br>
Please have a look at the conf parameter engine-analysis on what reports<br> can be printed<br> --pidfile <file> : write pid to this file (only for daemon mode)<br>
--init-errors-fatal : enable fatal failure on signature init error<br> --dump-config : show the running configuration<br> --pcap-buffer-size : size of the pcap buffer value from 0 - 2147483647<br>
--user <user> : run suricata as this user after init<br> --group <group> : run suricata as this group after init<br> --erf-in <path> : process an ERF file</p>
<p><br>To run the engine with default configuration on interface eth0 with signature file "signatures.rules", run the command as:</p>
<p>suricata -c suricata.yaml -s signatures.rules -i eth0 <br>----------------------------------------------------------------------------------------------------------------------------</p>
<p>But without the -q option it's OK (inline disabled):<br>suricata -c /etc/suricata/suricata.yaml -i eth0</p>
<p>What's wrong?<br>Please let me know!!</p>
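<p>The error SC_ERR_MULTIPLE_RUN_MODE comes from combining two run-mode flags (-i for pcap live mode and -q for inline nfqueue mode) on one command line; the usage text Suricata printed lists -i, -r, -q and -d as the alternative run modes. The shell script below is an added example, not code from the original post or from the Suricata project: it counts the run-mode flags in a planned command line and rejects it when more than one is present, and builds a separate IDS or IPS command line. The configuration path /etc/suricata/suricata.yaml is assumed from the post; the function names are hypothetical.</p>

```shell
#!/bin/sh
# Added example, not part of the original post or of Suricata itself.
# Checks a planned Suricata command line for the mistake behind
# SC_ERR_MULTIPLE_RUN_MODE: more than one run-mode flag in one invocation.
# The run-mode flags (-i, -r, -q, -d) are the ones listed in the usage text
# Suricata printed; every other option is ignored by the check.

# Print how many run-mode flags appear among the given arguments.
count_run_modes() {
    n=0
    while [ $# -gt 0 ]; do
        case "$1" in
            -i|-r|-q|-d)
                n=$((n + 1))
                [ $# -gt 1 ] && shift   # skip the flag's value (eth0, 0, ...)
                ;;
        esac
        shift
    done
    echo "$n"
}

# Return 0 when exactly one run mode is selected, 1 otherwise (with a reason).
check_run_mode() {
    n=$(count_run_modes "$@")
    if [ "$n" -eq 0 ]; then
        echo "no run mode given: use one of -i, -r, -q or -d" >&2
        return 1
    elif [ "$n" -gt 1 ]; then
        echo "$n run modes given; Suricata accepts exactly one of -i/-r/-q/-d" >&2
        return 1
    fi
    return 0
}

# Emit the command line for IDS (pcap live, -i) or IPS (nfqueue, -q) mode.
# The configuration path is assumed to be the one used in the post.
suricata_cmd() {
    case "$1" in
        ids) echo "suricata -c /etc/suricata/suricata.yaml -i $2" ;;
        ips) echo "suricata -c /etc/suricata/suricata.yaml -q $2" ;;
        *)   echo "usage: suricata_cmd ids <iface> | ips <queue-id>" >&2; return 1 ;;
    esac
}

# Demonstration: the failing line from the post, then a valid IPS line.
check_run_mode -c /etc/suricata/suricata.yaml -i eth0 -q 0 || echo "rejected: this is the line from the post"
check_run_mode $(suricata_cmd ips 0) && echo "ok: $(suricata_cmd ips 0)"
```

<p>Run the script directly to see the post's command line rejected and the single-mode IPS line accepted; in inline mode the queue id given to -q must match the NFQUEUE target that the firewall sends packets to, which is outside the scope of this check.</p>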