[Oisf-users] suricata 1.3 installation observations
Chris Sheats
chris at sagawa.io
Sun Jul 8 18:03:47 EDT 2012
Hi,
With the release of 1.3 (thank you!) I wanted to install/configure
from scratch. Below are my steps and the issues I had using Ubuntu
12.04 server x64:
# sudo apt-get -y install libpcre3 libpcre3-dbg libpcre3-dev
build-essential autoconf automake libtool libpcap-dev libnet1-dev
libyaml-0-2 libyaml-dev zlib1g zlib1g-dev libcap-ng-dev libcap-ng0
make libmagic-dev libnetfilter-queue-dev libnetfilter-queue1
libnfnetlink-dev libnfnetlink0 libhtp1
# wget http://www.openinfosecfoundation.org/download/suricata-1.3.tar.gz
# tar -xvzf suricata-1.3.tar.gz
# cd suricata-1.3/
# ./configure --enable-nfqueue
# make
# sudo make install
# sudo make install-full
# sudo ldconfig
# sudo apt-get install -y oinkmaster
# sudo vim /etc/oinkmaster.conf
Adding "url = http://rules.emergingthreats.net/open/suricata/emerging.rules.tar.gz"
under the commented-out Emerging Threats lines.
# sudo mkdir /etc/suricata
# sudo cp classification.config /etc/suricata
# sudo cp reference.config /etc/suricata
# sudo cp suricata.yaml /etc/suricata
# sudo mkdir /etc/suricata/rules
# sudo oinkmaster -C /etc/oinkmaster.conf -o /etc/suricata/rules
# sudo suricata -c /etc/suricata/suricata.yaml -i eth1
------------------
Issue #1
------------------
suricata: error while loading shared libraries: libhtp-0.2.so.1:
cannot open shared object file: No such file or directory
When making Suricata, it did say:
If a library like libhtp.so is not found, you can run suricata with:
'LD_LIBRARY_PATH=/usr/local/lib /usr/local/bin/suricata -c
/usr/local/etc/suricata//suricata.yaml -i eth0'.
That's too complicated; installing the libhtp1 package resolved this.
------------------
Issue #2
------------------
<Warning> - [ERRCODE: SC_ERR_FOPEN(44)] - Error opening file:
"/usr/local/etc/suricata//threshold.config": No such file or directory
I get this one warning when running Suricata even though this is
commented out in suricata.yaml.
------------------
Issue #3
------------------
Are "sudo make install" and "sudo make install-full" both necessary?
The documentation says to "sudo make install", while the script says
during installation:
Run 'make install-conf' if you want to install initial configuration
files. Or 'make install-full' to install configuration and rules
------------------
Issue #4
------------------
The documentation pages are usable but not up to date (for 1.3). For
"juniors" like me, I'd like things to be more straightforward.
https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Ubuntu_Installation
- Tar package not current
- sudo make install or install-full (explain differences like pros/cons)
https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Basic_Setup
- Log file necessary? Looks like it's automatically created in 1.3 elsewhere
- What is this for? "cd ~/suricata/oisf"
--
Chris Sheats
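A preflight script for the from-source install described in the post, added here as an example (it is not part of the post or of the Suricata project). It checks the two things behind Issue #1 and Issue #2: whether libhtp is reachable on the library search path, and whether every file Suricata opens at startup (including threshold.config) exists under the config directory. The file names and the /etc/suricata and /usr/local/lib paths are taken from the post; the rules/ subdirectory check and the search-directory list are assumptions.

```shell
#!/bin/sh
# Preflight check for a from-source Suricata 1.3 install (added example,
# not code from the post). Assumption: the config directory layout is the
# one built up in the post (suricata.yaml, classification.config,
# reference.config, threshold.config, rules/).
REQUIRED_FILES="suricata.yaml classification.config reference.config threshold.config"

# missing_conf_files DIR -> prints each missing file, one per line.
# Returns 0 when nothing is missing, 1 otherwise (Issue #2 is the
# threshold.config case: Suricata warns with SC_ERR_FOPEN if it is absent).
missing_conf_files() {
    dir="$1"
    rc=0
    for f in $REQUIRED_FILES; do
        if [ ! -f "$dir/$f" ]; then
            echo "$f"
            rc=1
        fi
    done
    [ -d "$dir/rules" ] || { echo "rules/"; rc=1; }
    return $rc
}

# lib_in_dirs NAME DIR... -> 0 if a shared object whose name starts with
# NAME (e.g. libhtp) exists in any listed directory, 1 otherwise (Issue #1).
lib_in_dirs() {
    name="$1"; shift
    for d in "$@"; do
        for so in "$d"/"$name"*.so*; do
            [ -e "$so" ] && return 0
        done
    done
    return 1
}

# preflight [CONFDIR] -> runs both checks, prints what is wrong, exits 0 iff OK.
# Call as: preflight /etc/suricata
preflight() {
    conf="${1:-/etc/suricata}"
    ok=0
    missing=$(missing_conf_files "$conf") || {
        ok=1
        echo "missing in $conf:"; echo "$missing" | sed 's/^/  /'
        echo "  hint: an empty threshold.config silences the SC_ERR_FOPEN warning"
    }
    # /usr/local/lib is where 'make install' put libhtp in the post; also honour LD_LIBRARY_PATH
    libdirs="/usr/local/lib /usr/lib /lib"
    [ -n "${LD_LIBRARY_PATH:-}" ] && libdirs="$(printf '%s' "$LD_LIBRARY_PATH" | tr ':' ' ') $libdirs"
    lib_in_dirs libhtp $libdirs || {
        ok=1
        echo "libhtp not found in: $libdirs (install libhtp1, or run ldconfig after make install)"
    }
    return $ok
}
```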