
Installing Suricata

This section explains how to install Suricata with Prelude support.

Dependencies (CentOS)

On CentOS you have to add EPEL repositories:

   # yum install epel-release


   # yum -y install libpcap-devel libcap-ng-devel libnet-devel pcre-devel gcc gcc-c++ automake autoconf libtool make libyaml-devel zlib-devel libprelude-devel libtool-ltdl-devel file-devel

Get the sources

Download Suricata from

Unpack it:

   $ tar -zxvf suricata-*.tar.gz
   $ cd suricata-*

Comment the following lines in the configure file:

    # Prelude doesn't work with -Werror
    CFLAGS="${CFLAGS} -Wno-error=unused-result" 

Then, compile and install Suricata using the following:

   $ ./configure --enable-prelude --with-libprelude-prefix=/usr/local/ CC="gcc -std=gnu99"
   $ make
   # make install-full
Edit the /etc/suricata/suricata.yaml file to enable Prelude alerting:

  # alert output to prelude (only
  # available if Suricata has been compiled with --enable-prelude)
  - alert-prelude:
      enabled: yes
      profile: suricata
      log-packet-content: yes
      log-packet-header: yes

Registering Suricata profile

Note: Each module of your Prelude installation must be registered with the manager, which is in charge of communication between the modules. This can take a long time because an RSA key is created. Generating activity on your machine (e.g. running ls -l /) reduces the time needed to create the key.

Now create the suricata profile on the Suricata host:

   # prelude-admin register suricata "idmef:w" <manager address> --uid X --gid X

And, on the Prelude-Manager host:

   # prelude-admin registration-server prelude-manager

Once the RSA key has been created, a password is displayed in the second terminal (the registration server). Paste it into the first terminal, then confirm the registration in the second terminal:

   Approve registration? [y/n]: y
   successfully registered.

Please check the Agents Registration Page for more details about sensor registration.

Running Suricata

To launch Suricata, type:

   # LD_LIBRARY_PATH=/usr/lib /usr/bin/suricata -c /etc/suricata/suricata.yaml -i eth0

You can now see a new agent named Suricata on Prewikka.
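A post-install check for the build and configuration steps above, as an added example that is not part of the Suricata or Prelude documentation. It assumes the binary and configuration paths used on this page and that "suricata --build-info" reports a "Prelude support:" line (an assumption about the build-info format).

```shell
#!/bin/sh
# Post-install sanity checks for a Suricata built with Prelude support.
# Added example, not from the Suricata or Prelude documentation. Assumes the
# paths used on this page and that "suricata --build-info" prints a
# "Prelude support: yes/no" line (assumption about the build-info format).
SURICATA_BIN="${SURICATA_BIN:-/usr/bin/suricata}"
SURICATA_CONF="${SURICATA_CONF:-/etc/suricata/suricata.yaml}"

# build_has_prelude: reads build-info text on stdin, succeeds when Prelude
# support is compiled in (i.e. ./configure --enable-prelude took effect).
build_has_prelude() {
    grep -Eiq '^[[:space:]]*Prelude support:[[:space:]]*yes'
}

# conf_prelude_enabled: reads suricata.yaml on stdin, succeeds when the
# "- alert-prelude:" output block contains "enabled: yes". Comment lines
# are skipped, and the block ends at the next "- <output>:" or top-level key.
conf_prelude_enabled() {
    awk '
        /^[ \t]*#/                            { next }
        /^[ \t]*-[ \t]*alert-prelude:/        { inblock = 1; next }
        /^[ \t]*-[ \t]*[a-z-]+:/ || /^[a-z]/  { inblock = 0 }
        inblock && /^[ \t]*enabled:[ \t]*yes/ { found = 1 }
        END { exit found ? 0 : 1 }
    '
}

# check_install: runs both checks against the live system, then lets Suricata
# validate the full configuration without capturing traffic (-T = test mode).
check_install() {
    if "$SURICATA_BIN" --build-info 2>/dev/null | build_has_prelude; then
        echo "OK: $SURICATA_BIN was built with Prelude support"
    else
        echo "FAIL: $SURICATA_BIN lacks Prelude support; rebuild with --enable-prelude"
        return 1
    fi
    if conf_prelude_enabled < "$SURICATA_CONF"; then
        echo "OK: alert-prelude is enabled in $SURICATA_CONF"
    else
        echo "FAIL: alert-prelude is not enabled in $SURICATA_CONF"
        return 1
    fi
    "$SURICATA_BIN" -T -c "$SURICATA_CONF" >/dev/null 2>&1 \
        && echo "OK: configuration test passed" \
        || { echo "FAIL: suricata -T rejected $SURICATA_CONF"; return 1; }
}

# Uncomment to run on the host: check_install
```

Run check_install before registering the profile; a failing build check means the --enable-prelude configure step above did not take effect.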
