Suricata 2.0 for Debian

Finally Suricata 2.0 is out!
There are a lot of new features and changes that you can read about in the release notes.
My job here is to provide a simple way to let you use Suricata on Debian, so I’ve built new packages for the Debian 7 stable release (wheezy).
Since Debian oldstable version 6 (squeeze) is approaching its end of life (unless the community adds long-term support), and given the many new features of Suricata 2, there will be no new releases for Debian oldstable.
Please keep in mind that with this new release, along with the updated libhtp packages, you’ll also have to install the luajit libraries. I’ve managed to backport them from testing to stable.
There are other installation dependencies (libnetfilter-queue1, libprelude2 and libjansson4), but they are part of the default Debian stable release, so they are easy to install.
You can install Suricata 2.0 easily using my Debian repositories without worrying about its dependencies, but you can also download individual packages, or the source code, and rebuild your own packages.
Suricata has many features that can be enabled at configuration time before building. To make clear what is and is not supported in my packages, here is the summary printed at configure time:

Suricata Configuration:
  AF_PACKET support:                       yes
  PF_RING support:                         no
  NFQueue support:                         yes
  IPFW support:                            no
  DAG enabled:                             no
  Napatech enabled:                        no
  Unix socket enabled:                     yes
  Detection enabled:                       yes

  libnss support:                          yes
  libnspr support:                         yes
  libjansson support:                      yes
  Prelude support:                         yes
  PCRE jit:                                yes
  libluajit:                               yes
  libgeoip:                                yes
  Non-bundled htp:                         yes
  Old barnyard2 support:                   yes
  CUDA enabled:                            no

  Suricatasc install:                      yes

  Unit tests enabled:                      no
  Debug output enabled:                    no
  Debug validation enabled:                no
  Profiling enabled:                       no
  Profiling locks enabled:                 no
  Coccinelle / spatch:                     yes

Generic build parameters:
  Installation prefix (--prefix):          /usr
  Configuration directory (--sysconfdir):  /etc/suricata/
  Log directory (--localstatedir) :        /var/log/suricata/

  Host:                                    x86_64-pc-linux-gnu
  GCC binary:                              gcc
  GCC Protect enabled:                     yes
  GCC march native enabled:                no
  GCC Profile enabled:                     no

With this release you can deal with Suricata output in two main ways: unified2 and JSON parsing. I’ve left unified2 (barnyard2 support) in to let you test the new way of collecting and parsing Suricata output data while maintaining the old method that you have in place.
I suggest you give the Kibana, Logstash and ElasticSearch combo a try: read this wiki to get started (and then also use these Kibana/Logstash templates).
I’ve been using this setup myself for a few days now and it looks pretty stable. Let me know if you encounter any issues. Happy sniffing!
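To give an idea of what the JSON route looks like before Logstash and Kibana enter the picture, here is an added example (mine, not part of the original post or of the Suricata project) that reads Suricata's EVE JSON log line by line, keeps only alert events, and counts them per signature and per source address. The field names (event_type, src_ip, alert.gid, alert.signature_id, alert.rev, alert.signature, alert.severity) are the ones Suricata's eve-log emits; the sample lines are constructed and the function names are my own. It also handles the one thing every eve.json consumer hits sooner or later: a partially written last line when the file is read while Suricata is still appending to it.

```python
"""Summarise alerts from Suricata 2.0 EVE JSON output (eve.json).

Added example, not code from the original post or from Suricata itself.
The sample lines below are constructed to look like eve.json records;
they are not real captured traffic.
"""
import json
from collections import Counter
from typing import Dict, Iterable, Iterator, List, Tuple

# Constructed eve.json sample: three alerts, one non-alert (http) event, and
# a truncated line such as you get when the file is read mid-write.
SAMPLE_EVE_LINES: List[str] = [
    '{"timestamp":"2014-04-02T08:17:01.000001","event_type":"alert",'
    '"src_ip":"192.0.2.10","src_port":51234,"dest_ip":"198.51.100.5",'
    '"dest_port":80,"proto":"TCP","alert":{"action":"allowed","gid":1,'
    '"signature_id":2100498,"rev":7,"signature":"GPL ATTACK_RESPONSE id '
    'check returned root","category":"Potentially Bad Traffic","severity":2}}',
    '{"timestamp":"2014-04-02T08:17:02.000002","event_type":"http",'
    '"src_ip":"192.0.2.10","src_port":51234,"dest_ip":"198.51.100.5",'
    '"dest_port":80,"proto":"TCP","http":{"hostname":"example.test",'
    '"url":"/","http_method":"GET"}}',
    '{"timestamp":"2014-04-02T08:17:03.000003","event_type":"alert",'
    '"src_ip":"192.0.2.11","src_port":40000,"dest_ip":"198.51.100.5",'
    '"dest_port":22,"proto":"TCP","alert":{"action":"allowed","gid":1,'
    '"signature_id":2001219,"rev":20,"signature":"ET SCAN Potential SSH '
    'Scan","category":"Attempted Information Leak","severity":2}}',
    '{"timestamp":"2014-04-02T08:17:04.000004","event_type":"alert",'
    '"src_ip":"192.0.2.11","src_port":40001,"dest_ip":"198.51.100.5",'
    '"dest_port":22,"proto":"TCP","alert":{"action":"allowed","gid":1,'
    '"signature_id":2001219,"rev":20,"signature":"ET SCAN Potential SSH '
    'Scan","category":"Attempted Information Leak","severity":2}}',
    # Truncated record: Suricata had not finished writing it yet.
    '{"timestamp":"2014-04-02T08:17:05.000005","event_type":"alert","src_ip":"192.0.2.12",',
]

# (gid, signature_id, rev): the same triple barnyard2 users see as [gid:sid:rev].
SigKey = Tuple[int, int, int]


def iter_events(lines: Iterable[str]) -> Iterator[dict]:
    """Yield one parsed event per line; skip blank or incomplete lines."""
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        try:
            yield json.loads(line)
        except ValueError:
            # Incomplete JSON (file read while Suricata is appending) or junk.
            continue


def alerts(lines: Iterable[str]) -> List[dict]:
    """Keep only alert events that carry the nested 'alert' object."""
    return [ev for ev in iter_events(lines)
            if ev.get("event_type") == "alert" and isinstance(ev.get("alert"), dict)]


def count_by_signature(lines: Iterable[str]) -> Dict[SigKey, int]:
    """Alerts per rule, keyed by (gid, sid, rev)."""
    counts: Counter = Counter()
    for ev in alerts(lines):
        a = ev["alert"]
        counts[(a["gid"], a["signature_id"], a["rev"])] += 1
    return dict(counts)


def count_by_source(lines: Iterable[str]) -> Dict[str, int]:
    """Alerts per source IP, the first pivot most analysts want."""
    return dict(Counter(ev["src_ip"] for ev in alerts(lines)))


def signature_names(lines: Iterable[str]) -> Dict[SigKey, str]:
    """Map (gid, sid, rev) back to the human-readable rule message."""
    return {(ev["alert"]["gid"], ev["alert"]["signature_id"], ev["alert"]["rev"]):
            ev["alert"]["signature"] for ev in alerts(lines)}


if __name__ == "__main__":
    # Run on the constructed sample; on a real box, open /var/log/suricata/eve.json.
    names = signature_names(SAMPLE_EVE_LINES)
    for key, n in sorted(count_by_signature(SAMPLE_EVE_LINES).items(),
                         key=lambda kv: -kv[1]):
        print("[%d:%d:%d] x%d  %s" % (key + (n, names[key])))
    for ip, n in count_by_source(SAMPLE_EVE_LINES).items():
        print("%s -> %d alerts" % (ip, n))
```

The per-signature key uses the same gid:sid:rev triple that barnyard2 reports from unified2, so the JSON output can be compared directly against the old pipeline while both are running side by side.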


This entry was posted on Wednesday, April 2nd, 2014 at 8:17 AM and is filed under stuff.
