Compiling Suricata 6.0.1-dev with PF_RING on Ubuntu 18.04 | Nova-Labs

Hello All,

Pretty sure this is my second post, but I wanted to run Suricata with PF_RING support to inspect a port mirror on a smart switch as a VM in VMware ESXi, and I accomplished my goal! As I did it I took notes, and while there have been some edits, I believe I have the whole detail to get a running binary documented.

I’ve got quite a few options enabled, nothing really IPS; this is my home and, technically, I’d need more UPSes. A future project!

There are surely quite a few people here who have built this quite a few times; this was my first, and it is currently the latest available version (looking for that HTTP2 decoding). If you find this and have any questions, please ask!

To note, I see some very well-maintained posts and guides on here; I may port this guide over to this site if there’s interest. This post does link you to my blog, and the instructions involve quite a lot of git and apt-get install work from developers who literally make the drivers/libraries/binaries that enable this product. There will be some conf/yaml/service files to edit, and, as always on the internet, work safe.

suricata --build-info
This is Suricata version 6.0.1-dev (95729e923 2020-10-09)
Features: PCAP_SET_BUFF PF_RING AF_PACKET HAVE_PACKET_FANOUT LIBCAP_NG LIBNET1.1 HAVE_HTP_URI_NORMALIZE_HOOK PCRE_JIT HAVE_NSS HAVE_LUA HAVE_LUAJIT HAVE_LIBJANSSON TLS TLS_C11 MAGIC RUST

Suricata Configuration:
AF_PACKET support: yes
eBPF support: yes
XDP support: yes
PF_RING support: yes

Unix socket enabled: yes
Detection enabled: yes

Libmagic support: yes
libnss support: yes
libnspr support: yes
libjansson support: yes
hiredis support: yes
hiredis async with libevent: yes
PCRE jit: yes
LUA support: yes, through luajit
libluajit: yes
GeoIP2 support: yes
Non-bundled htp: yes
Libnet support: yes
liblz4 support: yes

Rust support: yes
Rust strict mode: no
Rust compiler path: /usr/bin/rustc
Rust compiler version: rustc 1.43.0
Cargo path: /usr/bin/cargo
Cargo version: cargo 1.43.0
Cargo vendor: yes

Python support: yes
Python path: /usr/bin/python3
Python distutils yes
Python yaml yes
Install suricatactl: yes
Install suricatasc: yes
Install suricata-update: not bundled

Plugin support (experimental): yes

Thank you for your time in reading this and possibly visiting my site, be well!

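A check worth running after a build like the one above, before the binary is pointed at the mirror port: confirm that the capture and parsing features you intend to rely on were actually compiled in. The POSIX shell script below is an added example, not part of the original post or of the Suricata project; it parses `suricata --build-info` style text, and the `REQUIRED_SUPPORT` list, function names and the sample text (trimmed from the output quoted in the post, with a constructed negative variant) are my own.

```shell
#!/bin/sh
# Added example, not from the forum post: verify a Suricata build advertises the
# features we depend on before deploying it. Function names and the
# REQUIRED_SUPPORT list are this example's own choices, not Suricata's.

# "<label>: yes" lines expected in the "Suricata Configuration" block.
# PF_RING/AF_PACKET for capture, Rust because Suricata's HTTP/2 parser is
# written in Rust, unix socket so suricatasc can talk to the running process.
REQUIRED_SUPPORT="PF_RING support
AF_PACKET support
Rust support
Unix socket enabled"

# has_feature LABEL TEXT: 0 if TEXT has a line "LABEL: yes" (leading blanks ok).
has_feature() {
    printf '%s\n' "$2" | grep -qx "[[:space:]]*$1: yes"
}

# has_feature_flag FLAG TEXT: 0 if FLAG appears as a whole word on the
# "Features:" line (the compile-time flag list near the top of the output).
has_feature_flag() {
    printf '%s\n' "$2" | grep -Eq "^Features:.* $1( |\$)"
}

# check_build_info TEXT: 0 when every REQUIRED_SUPPORT entry reads "yes";
# otherwise reports each missing feature on stderr and returns 1.
check_build_info() {
    text=$1
    missing=0
    old_ifs=$IFS
    IFS='
'
    for label in $REQUIRED_SUPPORT; do
        if ! has_feature "$label" "$text"; then
            echo "missing: $label" >&2
            missing=$((missing + 1))
        fi
    done
    IFS=$old_ifs
    [ "$missing" -eq 0 ]
}

# Constructed sample, trimmed from the build-info output quoted in the post.
SAMPLE_BUILD_INFO='This is Suricata version 6.0.1-dev (95729e923 2020-10-09)
Features: PCAP_SET_BUFF PF_RING AF_PACKET HAVE_PACKET_FANOUT LIBCAP_NG LIBNET1.1 HAVE_HTP_URI_NORMALIZE_HOOK PCRE_JIT HAVE_NSS HAVE_LUA HAVE_LUAJIT HAVE_LIBJANSSON TLS TLS_C11 MAGIC RUST

Suricata Configuration:
  AF_PACKET support: yes
  eBPF support: yes
  XDP support: yes
  PF_RING support: yes

  Unix socket enabled: yes
  Detection enabled: yes

  Rust support: yes
  Rust compiler version: rustc 1.43.0'

# Constructed negative sample: the same build configured without PF_RING.
SAMPLE_NO_PFRING=$(printf '%s\n' "$SAMPLE_BUILD_INFO" | sed 's/^  PF_RING support: yes/  PF_RING support: no/')

# On a real host: check_build_info "$(suricata --build-info)" && echo "build ok"
check_build_info "$SAMPLE_BUILD_INFO" && echo "sample build: all required features present"
```

The "Features:" line and the "Suricata Configuration" block overlap (PF_RING appears in both), but checking the labelled block is the more readable test; the flag check is there for features that only show up on the first line, such as RUST.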

Hi,

Very grateful, thank you very much.
