Monday, November 4, 2013

Suricata on CentOS 6

This post will cover building and installing the Suricata IDS on CentOS 6.4.  This procedure is adapted from the following documentation from openinfosecfoundation.org:

https://redmine.openinfosecfoundation.org/projects/suricata/wiki/CentOS_56_Installation
https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Basic_Setup

The following procedure assumes at least a minimal CentOS 6.4 installation with the base package group installed.

Not all of the prerequisite packages for building suricata are included in the CentOS repositories, so the EPEL package repository will fill in the gaps.

Add the EPEL repo to your system if you haven't already:

# rpm -Uvh http://dl.fedoraproject.org/pub/epel/6/i386/epel-release-6-8.noarch.rpm
Start by installing the prerequisite packages (this may take some time depending on your system and internet connection):

# yum install gcc gcc-c++ make automake autoconf libtool pcre pcre-devel libyaml libyaml-devel libpcap libpcap-devel file-libs file-devel zlib zlib-devel libnet libnet-devel libcap-ng libcap-ng-devel
I've chosen to install gcc and autotools individually rather than install the Development Tools package group.  I think it's good practice to limit unnecessary software on internet-accessible systems or systems with security-related roles, so I don't want a lot of the packages that come in the Development Tools group.  In fact, if you're really serious about security you would probably want to compile suricata on a development machine and leave gcc and autotools off your production systems altogether.

Download and extract the suricata source tarball from openinfosecfoundation.org:

# wget http://www.openinfosecfoundation.org/download/suricata-1.4.6.tar.gz
# tar -xzf suricata-1.4.6.tar.gz
Now build and install suricata:
# cd suricata-1.4.6
# ./configure --prefix=/usr --sysconfdir=/etc --localstatedir=/var
# make
# make install-full
I've chosen the install-full target for installation, because this will create directories and install some rules and configuration files for us.

Now that suricata is built and installed we can go about configuring it and installing some support scripts.  I'm using oinkmaster set up to take care of updating the rules on my system.  Download the oinkmaster tarball from http://oinkmaster.sourceforge.net/download.shtml.  (I don't want to post a direct link because I'd have to choose a mirror for you, and I'd rather not)

Extract the files and install oinkmaster.conf and oinkmaster.pl on your system.
# tar -xzf oinkmaster-2.0.tar.gz
# cd oinkmaster-2.0
# cp oinkmaster.pl /usr/bin
# cp oinkmaster.conf /etc
Edit /etc/oinkmaster.conf and correct the url:
url = http://rules.emergingthreats.net/open/suricata/emerging.rules.tar.gz
We can now test oinkmaster:
# oinkmaster.pl -C /etc/oinkmaster.conf -o /etc/suricata/rules
If all went well you should have a whole bunch of *.rules files in /etc/suricata/rules.  You probably want oinkmaster to update your IDS rules automatically, so something like the following in your crontab will do the trick.  For more information see: http://oinkmaster.sourceforge.net/readme.shtml.

30 2 * * * oinkmaster.pl -C /etc/oinkmaster.conf -o /etc/suricata/rules 2>&1 | logger -t oinkmaster
In order to make suricata process these rules we'll have to update its configuration.  First get a list of all the rules in /etc/suricata/rules with something like:
# ls /etc/suricata/rules/*.rules
We need to make sure all these rule files are listed in the suricata configuration, so open up /etc/suricata/suricata.yaml and check the rule-files section against the list of rule files.

The rule-files section in my suricata.yaml looks like this:

rule-files:
 - botcc.rules
 - ciarmy.rules
 - compromised.rules
 - decoder-events.rules
 - drop.rules
 - dshield.rules
 - emerging-activex.rules
 - emerging-attack_response.rules
 - emerging-chat.rules
 - emerging-current_events.rules
 - emerging-deleted.rules
 - emerging-dns.rules
 - emerging-dos.rules
 - emerging-exploit.rules
 - emerging-ftp.rules
 - emerging-games.rules
 - emerging-icmp_info.rules
 - emerging-icmp.rules
 - emerging-imap.rules
 - emerging-inappropriate.rules
 - emerging-info.rules
 - emerging-malware.rules
 - emerging-misc.rules
 - emerging-mobile_malware.rules
 - emerging-netbios.rules
 - emerging-p2p.rules
 - emerging-policy.rules
 - emerging-pop3.rules
 - emerging-rpc.rules
 - emerging-scada.rules
 - emerging-scan.rules
 - emerging-shellcode.rules
 - emerging-smtp.rules
 - emerging-snmp.rules
 - emerging-sql.rules
 - emerging-telnet.rules
 - emerging-tftp.rules
 - emerging-trojan.rules
 - emerging-user_agents.rules
 - emerging-voip.rules
 - emerging-web_client.rules
 - emerging-web_server.rules
 - emerging-web_specific_apps.rules
 - emerging-worm.rules
 - files.rules
 - http-events.rules
 - rbn-malvertisers.rules
 - rbn.rules
 - smtp-events.rules
 - stream-events.rules
 - tls-events.rules
 - tor.rules

While we're editing suricata.yaml, the classification-file and reference-config-file fields also need to be updated:

classification-file: /etc/suricata/rules/classification.config
reference-config-file: /etc/suricata/rules/reference.config
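Checking the rule-files list against the directory by eye gets tedious once oinkmaster starts adding and dropping files, and a rule file that is on disk but not listed is silently never loaded. The script below is an added example, not from the original post or the Suricata project: it lists the *.rules files in a rules directory, extracts the rule-files entries from a suricata.yaml, and reports the differences in both directions. It assumes the list is written the way it appears above (a top-level "rule-files:" line followed by " - name.rules" entries, ending at the next top-level key); the script name check-rules.sh is hypothetical.

```shell
#!/bin/sh
# check-rules.sh (hypothetical name): compare the *.rules files present in a
# rules directory with the rule-files list in suricata.yaml.
# Usage: sh check-rules.sh /etc/suricata/rules /etc/suricata/suricata.yaml

# Print the basenames of the *.rules files in a directory, sorted, one per line.
rules_on_disk() {
    dir="$1"
    for f in "$dir"/*.rules; do
        [ -f "$f" ] && basename "$f"
    done | sort
}

# Print the entries of the top-level rule-files: list in a suricata.yaml, sorted.
# Assumes the " - name.rules" layout shown in the post; the list ends at the next
# line that starts in column 0 and is not a comment.  Trailing "# comments" are dropped.
rules_in_config() {
    yaml="$1"
    awk '
        /^rule-files:/ { inlist = 1; next }
        inlist && /^[[:space:]]*-[[:space:]]*/ {
            sub(/^[[:space:]]*-[[:space:]]*/, "")
            sub(/[[:space:]]*(#.*)?$/, "")
            print
            next
        }
        inlist && /^[^[:space:]#]/ { inlist = 0 }
    ' "$yaml" | sort
}

# Rule files that exist on disk but are not referenced in rule-files
# (suricata will never load them).
unconfigured_rules() {
    d=$(mktemp); c=$(mktemp)
    rules_on_disk "$1" > "$d"
    rules_in_config "$2" > "$c"
    comm -23 "$d" "$c"
    rm -f "$d" "$c"
}

# Rule files referenced in rule-files that do not exist on disk
# (suricata complains about these at startup).
missing_rules() {
    d=$(mktemp); c=$(mktemp)
    rules_on_disk "$1" > "$d"
    rules_in_config "$2" > "$c"
    comm -13 "$d" "$c"
    rm -f "$d" "$c"
}

# Human-readable report of both lists.
report_rules() {
    echo "On disk but not in rule-files (will not be loaded):"
    unconfigured_rules "$1" "$2" | sed 's/^/  /'
    echo "In rule-files but not on disk (check the oinkmaster download):"
    missing_rules "$1" "$2" | sed 's/^/  /'
}

if [ "$#" -eq 2 ]; then
    report_rules "$1" "$2"
fi
```

Running it after each oinkmaster update (or from the same cron job, piped to logger alongside the oinkmaster output) turns a manual comparison into a one-line check that either list is non-empty.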

At this point, suricata is configured and can be tested with the following command:

# suricata -c /etc/suricata/suricata.yaml -i eth0

For a real IDS setup, we also need an init script for suricata, but I'm going to cover that in a follow-up post.

Hope this has been helpful, thanks for reading!