[Oisf-users] suricata 1.3 installation observations

corenor corenor at gmail.com
Mon Jul 9 13:54:45 UTC 2012


My build craps out here:

source-af-packet.c:76:23: error: pcap/pcap.h: No such file or directory
source-af-packet.c:77:22: error: pcap/bpf.h: No such file or directory
source-af-packet.c: In function ‘AFPSetBPFFilter’:
source-af-packet.c:903: error: storage size of ‘filter’ isn’t known
source-af-packet.c:915: warning: implicit declaration of function ‘pcap_compile_nopcap’
source-af-packet.c:903: warning: unused variable ‘filter’
make[3]: *** [source-af-packet.o] Error 1
make[3]: Leaving directory `/data/infosec/suricata-1.3/src'
make[2]: *** [all] Error 2
make[2]: Leaving directory `/data/infosec/suricata-1.3/src'
make[1]: *** [all-recursive] Error 1
make[1]: Leaving directory `/data/infosec/suricata-1.3'
make: *** [all] Error 2

I was able to compile 1.2.1 with no major issues. The OS is Fedora 9. Perhaps time to upgrade.


On Sun, Jul 8, 2012 at 6:03 PM, Chris Sheats <chris at sagawa.io> wrote:
> Hi,
>
> With the release of 1.3 (thank you!) I wanted to install/configure
> from scratch. Below are my steps and the issues I had using Ubuntu
> 12.04 server x64:
>
> # sudo apt-get -y install libpcre3 libpcre3-dbg libpcre3-dev
> build-essential autoconf automake libtool libpcap-dev libnet1-dev
> libyaml-0-2 libyaml-dev zlib1g zlib1g-dev libcap-ng-dev libcap-ng0
> make libmagic-dev libnetfilter-queue-dev libnetfilter-queue1
> libnfnetlink-dev libnfnetlink0 libhtp1
>
> # wget http://www.openinfosecfoundation.org/download/suricata-1.3.tar.gz
>
> # tar -xvzf suricata-1.3.tar.gz
>
> # cd suricata-1.3/
>
> # ./configure --enable-nfqueue
>
> # make
>
> # sudo make install
>
> # sudo make install-full
>
> # sudo ldconfig
>
> # sudo apt-get install -y oinkmaster
>
> # sudo vim /etc/oinkmaster.conf
>
> Adding "url = http://rules.emergingthreats.net/open/suricata/emerging.rules.tar.gz"
> under the commented-out Emerging Threats lines.
>
> # sudo mkdir /etc/suricata
>
> # sudo cp classification.config /etc/suricata
>
> # sudo cp reference.config /etc/suricata
>
> # sudo cp suricata.yaml /etc/suricata
>
> # sudo mkdir /etc/suricata/rules
>
> # sudo oinkmaster -C /etc/oinkmaster.conf -o /etc/suricata/rules
>
> # sudo suricata -c /etc/suricata/suricata.yaml -i eth1
>
> ------------------
> Issue #1
> ------------------
> suricata: error while loading shared libraries: libhtp-0.2.so.1:
> cannot open shared object file: No such file or directory
>
> When making Suricata, it did say:
>
> If a library like libhtp.so is not found, you can run suricata with:
> 'LD_LIBRARY_PATH=/usr/local/lib /usr/local/bin/suricata -c
> /usr/local/etc/suricata//suricata.yaml -i eth0'.
>
> That's too complicated; installing the libhtp1 package resolved this.
>
> ------------------
> Issue #2
> ------------------
> <Warning> - [ERRCODE: SC_ERR_FOPEN(44)] - Error opening file:
> "/usr/local/etc/suricata//threshold.config": No such file or directory
>
> I get this one warning when running Suricata even though this is
> commented out in suricata.yaml.
>
> ------------------
> Issue #3
> ------------------
> Is "sudo make install" and "sudo make install-full" necessary?
>
> The documentation says to "sudo make install", while the install script
> says:
>
> Run 'make install-conf' if you want to install initial configuration
> files. Or 'make install-full' to install configuration and rules
>
> ------------------
> Issue #4
> ------------------
> The documentation pages are usable but not up to date (for 1.3). For
> "juniors" like me, I'd like things to be more straightforward.
>
> https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Ubuntu_Installation
> - Tar package not current
> - sudo make install or install-full (explain differences like pros/cons)
>
> https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Basic_Setup
> - Log file necessary? Looks like it's automatically created in 1.3 elsewhere
> - What is this for? "cd ~/suricata/oisf"
>
>
> --
> Chris Sheats
> _______________________________________________
> Oisf-users mailing list
> Oisf-users at openinfosecfoundation.org
> http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
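An added preflight script (not from either message in this thread) that checks the two things that failed above before anyone runs configure: whether the C compiler can find pcap/pcap.h and pcap/bpf.h, and whether libhtp-0.2.so.1 is already known to the dynamic linker, installed but not in its cache (the LD_LIBRARY_PATH / ldconfig case from make's hint), or absent altogether. The directory list and the helper names are assumptions.

```sh
#!/bin/sh
# Added example, not from the thread: preflight checks for a Suricata 1.3 build,
# covering the two failures reported above (pcap headers missing at compile
# time, libhtp-0.2.so.1 missing at run time). Directories are assumptions.

# header_available HEADER: return 0 if the C compiler can find HEADER
# (e.g. pcap/pcap.h), non-zero otherwise. Only the preprocessor runs.
header_available() {
    printf '#include <%s>\n' "$1" | "${CC:-cc}" -E -x c - >/dev/null 2>&1
}

# lib_in_dirs SONAME DIR...: print the first directory containing SONAME and
# return 0, or return 1 if none of them has it.
lib_in_dirs() {
    soname=$1; shift
    for d in "$@"; do
        if [ -e "$d/$soname" ]; then
            printf '%s\n' "$d"
            return 0
        fi
    done
    return 1
}

# lib_status SONAME DIR...: classify the run-time library the way Issue #1 and
# the make message distinguish it:
#   cached   - already in the dynamic linker cache (ldconfig -p); nothing to do
#   uncached - present in DIR... (e.g. /usr/local/lib) but not cached: run
#              ldconfig, or use LD_LIBRARY_PATH as make suggests
#   missing  - not found at all: install the distribution package (libhtp1)
lib_status() {
    soname=$1; shift
    if ldconfig -p 2>/dev/null | grep -qF "$soname"; then
        echo cached
    elif lib_in_dirs "$soname" "$@" >/dev/null; then
        echo uncached
    else
        echo missing
    fi
}

# Stand-alone run: the headers source-af-packet.c failed on, then libhtp.
preflight() {
    for h in pcap/pcap.h pcap/bpf.h; do
        if header_available "$h"; then echo "found $h"
        else echo "MISSING $h: install the libpcap development package"; fi
    done
    echo "libhtp-0.2.so.1: $(lib_status libhtp-0.2.so.1 /usr/local/lib /usr/lib /usr/lib64)"
}
preflight
```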


