Suricata 2.0 for Debian
Finally Suricata 2.0 is out!
There are a lot of new features and changes that you can read in the release notes.
My job here is to provide a simple way to use Suricata on Debian, so I've built new packages for the Debian 7 stable release (wheezy).
Since Debian oldstable (version 6, squeeze) is approaching its end of life (unless the community adds long-term support), and given the many new features of Suricata 2, there will be no new packages for oldstable.
Please keep in mind that this new release, along with the updated libhtp packages, also requires the luajit libraries, which I have backported from testing to stable.
The other dependencies (libnetfilter-queue1, libprelude2 and libjansson4) are part of the Debian stable release, so they are easy to install.
You can install Suricata 2.0 easily from my Debian repositories without worrying about its dependencies, or you can download the individual packages, or the source code, and rebuild your own packages.
Suricata has many features that are enabled or disabled at configure time, before building. To show what is and is not supported in my packages, here is the configuration summary printed at configure time:
Suricata Configuration:
  AF_PACKET support:          yes
  PF_RING support:            no
  NFQueue support:            yes
  IPFW support:               no
  DAG enabled:                no
  Napatech enabled:           no
  Unix socket enabled:        yes
  Detection enabled:          yes
  libnss support:             yes
  libnspr support:            yes
  libjansson support:         yes
  Prelude support:            yes
  PCRE jit:                   yes
  libluajit:                  yes
  libgeoip:                   yes
  Non-bundled htp:            yes
  Old barnyard2 support:      yes
  CUDA enabled:               no
  Suricatasc install:         yes
  Unit tests enabled:         no
  Debug output enabled:       no
  Debug validation enabled:   no
  Profiling enabled:          no
  Profiling locks enabled:    no
  Coccinelle / spatch:        yes

Generic build parameters:
  Installation prefix (--prefix):          /usr
  Configuration directory (--sysconfdir):  /etc/suricata/
  Log directory (--localstatedir):         /var/log/suricata/
  Host:                                    x86_64-pc-linux-gnu
  GCC binary:                              gcc
  GCC Protect enabled:                     yes
  GCC march native enabled:                no
  GCC Profile enabled:                     no
With this release you can handle Suricata output in two main ways: unified2 and JSON. I've kept unified2 (barnyard2 support) so you can test the new way of collecting and parsing Suricata output data while keeping the old method you already have in place.
I suggest you give the Kibana, Logstash and ElasticSearch combo a try: read this wiki to get started (and use these Kibana/Logstash templates too).
I've been using this setup myself for a few days now and it looks pretty stable. Let me know if you encounter any issues. Happy sniffing!