How to Install Suricata on an AWS Instance of RedHat Enterprise Linux Server

Updated 11/29/17

These directions will allow you to install Suricata.  The script in step 2 was designed to install Suricata 4.0.1 on an AWS instance of RHEL 7.4.  This script requires that your AWS RedHat Enterprise Linux server is in a security group that has access to the internet.  You do not need a subscription to RedHat packages. 

Step #1  Log into the Red Hat Enterprise Linux server. 
Step #2  Create /tmp/installer.sh with the following content:

#!/bin/bash
# Stop at the first failed command, so a failed download or build is not
# followed by a "make install" of nothing.
set -e
# The RHUI extras/optional repositories carry the -devel packages below.
yum-config-manager --enable rhui-REGION-rhel-server-extras rhui-REGION-rhel-server-optional
yum -y install wget libpcap-devel libnet-devel pcre-devel gcc-c++ automake autoconf libtool make libyaml-devel zlib-devel file-devel jansson-devel nss-devel
# Fetch, unpack and build Suricata 4.0.1 in the current directory.
wget https://www.openinfosecfoundation.org/download/suricata-4.0.1.tar.gz
tar -xvzf suricata-4.0.1.tar.gz
cd suricata-4.0.1
./configure
make
make install

Step #3  Run the script with this command: sudo bash /tmp/installer.sh

Step #4  Run this command to confirm Suricata is installed:

suricata -V

Step #5  You are done.
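The Step 2 script unpacks whatever wget returned. As an added example (not part of the original directions), here is the check a practitioner would put in front of tar: compare the tarball's SHA-256 with a value obtained from the project's release announcement, and refuse to extract on mismatch. EXPECTED_SHA256 is a placeholder because this page does not give the value, and /tmp is assumed as the work directory.

```shell
#!/bin/bash
# Added example: verify a downloaded source tarball before unpacking it,
# so a tampered or truncated download never reaches ./configure.
# EXPECTED_SHA256 is a placeholder; take the real value from the project's
# release announcement, not from the same server that serves the tarball.

# extract_verified TARBALL EXPECTED_SHA256 DESTDIR
# Compares the SHA-256 first. On mismatch nothing is extracted and 1 is
# returned; on success the archive is unpacked into DESTDIR and the name
# of its top-level directory (the build directory) is printed.
extract_verified() {
    tarball="$1"; expected="$2"; dest="$3"
    actual=$(sha256sum "$tarball" | cut -d' ' -f1)
    if [ "$actual" != "$expected" ]; then
        echo "refusing to extract $tarball: sha256 $actual does not match $expected" >&2
        return 1
    fi
    tar -xzf "$tarball" -C "$dest" || return 1
    tar -tzf "$tarball" | sed -n '1{s#/.*##;p;}'
}

# fetch_verify_build URL EXPECTED_SHA256 WORKDIR
# Replacement for the wget/tar/cd/configure/make lines of the Step 2 script.
fetch_verify_build() {
    url="$1"; expected="$2"; work="$3"
    tarball="$work/$(basename "$url")"
    wget -q -O "$tarball" "$url" || return 1
    srcdir=$(extract_verified "$tarball" "$expected" "$work") || return 1
    (cd "$work/$srcdir" && ./configure && make && make install)
}

# Usage in the Step 2 script (fill in EXPECTED_SHA256 first):
# fetch_verify_build https://www.openinfosecfoundation.org/download/suricata-4.0.1.tar.gz \
#     "$EXPECTED_SHA256" /tmp
```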

FFR
The following 85-line script used to work to install Suricata 3.1 on an AWS instance of RHEL 7.2.  It is here for reference (in case you are working on a legacy project).

The script below was based on the directions linked here.  Instead of Red Hat packages, it uses Fedora packages.  Some shared objects and files are backed up before the Fedora rpms are installed, and the script restores them afterwards.  The script takes approximately five minutes to run, but bandwidth and resources on your instance may vary.

# Then input this script starting with the "#!/bin/bash" line below.  The final line is "make install-full"

#!/bin/bash
# Legacy installer: Suricata 3.1 on RHEL 7.2 using Fedora 24 packages.
# Abort on the first failed command so that a failed download is never
# followed by a forced rpm install of a file that does not exist.
set -e

mkdir -p /bin/suricata/
mkdir -p /tmp/contint
cd /bin/suricata

sudo yum -y install gcc libpcap-devel pcre-devel libyaml-devel file-devel \
  zlib-devel jansson-devel nss-devel libcap-ng-devel libnet-devel tar make \
  libnetfilter_queue-devel lua-devel

yum -y install wget
yum -y install bzip2

# libyaml: back up the RHEL shared object, force-install the Fedora rpms,
# then put the RHEL shared object back.
cp /usr/lib64/libyaml-0.so.2.0.4 /tmp/libyaml-0.so.2.0.4

wget ftp://rpmfind.net/linux/fedora/linux/releases/24/Everything/x86_64/os/Packages/l/libyaml-0.1.6-8.fc24.x86_64.rpm

rpm -ivh --force libyaml-0.1.6-8.fc24.x86_64.rpm

wget ftp://rpmfind.net/linux/fedora/linux/releases/24/Everything/x86_64/os/Packages/l/libyaml-devel-0.1.6-8.fc24.x86_64.rpm

rpm -ivh --force libyaml-devel-0.1.6-8.fc24.x86_64.rpm

cp /tmp/libyaml-0.so.2.0.4 /usr/lib64/libyaml-0.so.2.0.4

# libpcap: same pattern.  Back up the RHEL shared object and man pages first.
cp /usr/lib64/libpcap.so.1 /tmp/contint
cp /usr/share/man/man7/pcap-filter.7.gz /tmp/contint
cp /usr/share/man/man7/pcap-linktype.7.gz /tmp/contint
cp /usr/share/man/man7/pcap-tstamp.7.gz /tmp/contint

wget ftp://rpmfind.net/linux/fedora/linux/releases/24/Everything/x86_64/os/Packages/l/libpcap-1.7.4-2.fc24.x86_64.rpm

rpm -ivh --force libpcap-1.7.4-2.fc24.x86_64.rpm

wget ftp://rpmfind.net/linux/fedora/linux/releases/24/Everything/x86_64/os/Packages/l/libpcap-devel-1.7.4-2.fc24.x86_64.rpm

rpm -ivh libpcap-devel-1.7.4-2.fc24.x86_64.rpm
rpm -ivh --force libpcap-1.7.4-2.fc24.x86_64.rpm

# Restore the RHEL copies from /tmp/contint.
cp /tmp/contint/libpcap.so.1 /usr/lib64/libpcap.so.1
cp /tmp/contint/pcap-filter.7.gz /usr/share/man/man7/pcap-filter.7.gz
cp /tmp/contint/pcap-linktype.7.gz /usr/share/man/man7/pcap-linktype.7.gz
cp /tmp/contint/pcap-tstamp.7.gz /usr/share/man/man7/pcap-tstamp.7.gz

# file/libmagic: back up the RHEL files that are restored further down.
cp /usr/lib64/libmagic.so.1.0.0 /tmp/contint/libmagic.so.1.0.0
cp /usr/share/misc/magic /tmp/contint/magic
cp /usr/share/man/man5/magic.5.gz /tmp/contint/magic.5.gz
cp /usr/share/misc/magic.mgc /tmp/contint/magic.mgc

wget ftp://rpmfind.net/linux/fedora/linux/releases/24/Everything/x86_64/os/Packages/f/file-libs-5.25-6.fc24.x86_64.rpm

rpm -ivh --force file-libs-5.25-6.fc24.x86_64.rpm

cp /usr/bin/file /tmp/contint/file
cp /usr/share/man/man1/file.1.gz /tmp/contint/file.1.gz

wget ftp://rpmfind.net/linux/fedora/linux/releases/24/Everything/x86_64/os/Packages/f/file-5.25-6.fc24.x86_64.rpm

rpm -ivh --force file-5.25-6.fc24.x86_64.rpm

cp /tmp/contint/libmagic.so.1.0.0 /usr/lib64/libmagic.so.1.0.0
cp /tmp/contint/magic /usr/share/misc/magic
cp /tmp/contint/magic.5.gz /usr/share/man/man5/magic.5.gz
cp /tmp/contint/magic.mgc /usr/share/misc/magic.mgc

cp /tmp/contint/file /usr/bin/file
cp /tmp/contint/file.1.gz /usr/share/man/man1/file.1.gz

wget ftp://rpmfind.net/linux/fedora/linux/releases/24/Everything/x86_64/os/Packages/f/file-devel-5.25-6.fc24.x86_64.rpm

rpm -ivh file-devel-5.25-6.fc24.x86_64.rpm

# libnfnetlink from source: extract (tar x; tar t only lists the archive),
# build inside the unpacked directory, then return to the work directory.
wget ftp://ftp.netfilter.org/pub/libnfnetlink/libnfnetlink-1.0.1.tar.bz2

tar -xvjf libnfnetlink-1.0.1.tar.bz2
cd libnfnetlink-1.0.1
./configure
make
make install
cd /bin/suricata

wget http://www.openinfosecfoundation.org/download/suricata-3.1.tar.gz

tar -xvzf suricata-3.1.tar.gz

cd suricata-3.1

# Configure once, with the feature flags; a second bare ./configure would
# discard them.
./configure --prefix=/usr --sysconfdir=/etc --localstatedir=/var --enable-nfqueue --enable-lua
make
make install-full
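The legacy script protects system files by hand, with one cp per file before each forced rpm install and a matching cp afterwards, so every extra file means two more lines to keep in sync. As an added example that is not part of the original page, here is the same idea generalised to any set of absolute paths: stage each file under a directory that mirrors its path, restore from that staging tree, and confirm byte for byte that the live files match what was saved. The staging directory name is the caller's choice (the script above uses /tmp/contint).

```shell
#!/bin/bash
# Added example: generalised backup/restore for files that forced rpm
# installs will overwrite.  Each file is staged at STAGE/<absolute path>,
# so restore_files needs no hand-written destination list.

# backup_files STAGE FILE... : copy each absolute FILE to STAGE/<FILE>
backup_files() {
    stage="${1%/}"; shift
    for f in "$@"; do
        case "$f" in
            /*) ;;
            *) echo "backup_files: $f is not an absolute path" >&2; return 1 ;;
        esac
        if [ ! -f "$f" ]; then
            echo "backup_files: $f does not exist, nothing to protect" >&2
            return 1
        fi
        mkdir -p "$stage$(dirname "$f")"
        cp -p "$f" "$stage$f"
    done
}

# restore_files STAGE : copy every staged file back to its original path;
# fails if nothing was staged, so a typo in STAGE cannot pass silently.
restore_files() {
    stage="${1%/}"
    [ "$(find "$stage" -type f 2>/dev/null | wc -l)" -gt 0 ] || {
        echo "restore_files: nothing staged under $stage" >&2; return 1; }
    find "$stage" -type f | while read -r saved; do
        cp -p "$saved" "${saved#"$stage"}" || exit 1
    done
}

# restored_ok STAGE : 0 only if every staged file is identical to its live copy
restored_ok() {
    stage="${1%/}"
    find "$stage" -type f | while read -r saved; do
        cmp -s "$saved" "${saved#"$stage"}" || exit 1
    done
}
```

Run backup_files before each rpm -ivh --force and restore_files after it, and treat a failing restored_ok as a reason to stop; note that rpm -V will still flag the restored files, because the rpm database now records the Fedora package's checksums for them.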

How To Install PsExec on Windows Server

Not all directions are clear.  Here is an example where Microsoft's directions are less than perfect:

"Installation

Just copy PsExec onto your executable path. Typing "psexec" displays its usage syntax."

First off, psexec won't display its usage syntax until after the installation.  If you are like me, you are asking: what is the executable path?

The answer can be found by opening PowerShell and typing this:

Get-ChildItem Env:Path | ft -wrap -AutoSize

Any of those semicolon-delimited directories can be the destination of the files inside PsTools.zip.  The files must not be in a subdirectory of a directory shown by the above PowerShell command; they must be directly in one of those folders.

It is an easy install because no services need to be recycled, and no reboot is needed either.  PsExec is useful because the other Windows servers on the network need no special configuration if you have a common administrator account.  The other Windows servers do not need to be part of a domain.  The network logon will appear as Type 3 (network logon) in the Event Viewer.  This is considered safe by SANS.

How Do Build and Release Engineers Target Specific Servers With Jenkins Builds?

Problem scenario:  With a configuration management tool, you can choose which servers a configuration applies to and exclude specific servers.  With Puppet Master you can create classes of nodes (that exclude various Puppet Agent servers) and have manifests apply to the class.  In Puppet you can also write manifests that specify individual servers.  Chef recipes can target certain Chef clients and exclude others.  SaltStack allows the Salt Master server to "call a highstate" (or run an action) on specific Salt Minion servers to push down files or execute commands while ignoring other Salt Minions.  Ansible playbooks can be run with an --extra-vars flag to limit the target servers that receive the configuration changes.

How do you do this in Jenkins?

Solution:  The first part of the solution is to configure nodes so the Jenkins master can communicate with the servers you want to target.  (There used to be an external page that was helpful here: https://wiki.jenkins-ci.org/display/JENKINS/Step+by+step+guide+to+set+up+master+and+slave+machines .)

Contrary to what that page says, you may need to install Jenkins on the Windows servers if your Jenkins master runs on Linux.  Homogeneous operating systems, or running Jenkins itself on Windows, remove the need to install Jenkins on the slave machines.  There are other ways, but installing Jenkins on the Windows servers can help you deploy securely from a Jenkins server running on Linux.

The second part of the solution happens when you are creating a new build.  When you create a job in Jenkins (e.g., New Item -> Freestyle Project -> ...), check "Restrict where this project can be run."  In the field that appears below it, enter the label of the node (it may be an IP address, but it depends on what you entered when you configured Jenkins to manage the node).

Create the build as you normally would, and it will only run on the servers that you restricted it to run on.

Troubleshooting Jenkins (Two Different Problems)

Problem scenario:  You are in the Jenkins master web UI and are trying to configure a Jenkins node (previously known as a slave) instance.  You entered the correct hostname, username and password.  You get this error:

"ERROR: Unexpected error in launching a slave. This is probably a bug in Jenkins.
java.lang.IllegalStateException: Connection is not established!"

Solution:  Instead of using the hostname of the Jenkins node (previously known as a slave) server, use its IP address.

================

Problem scenario:  You installed a new Jenkins instance.  When you go to the IP address over port 8080 in a web browser, you get a blank white screen.

Solution:  Go to Internet Explorer's tools (click the gear symbol if that is the version you have) and go to Options.  Go to the Security tab.  At the top, click the "Trusted Sites" icon.  Click "Sites."  Enter http://x.x.x.x (with no quotes), replacing x.x.x.x with the IP address of Jenkins.  Click Add, click Close, then click OK.  Now refresh your web browser; you should be able to reach the Jenkins UI.

How Do You Install libyaml on a Red Hat Derivative of Linux?

Problem scenario
You are using a RedHat derivative of Linux.  You get an error about libyaml not being installed (e.g., when a dependency of Suricata is unmet).  You tried to install libyaml-devel, but it did not work.  What should you do?

Solution for RHEL
If you are using Red Hat, run these two commands:

sudo yum-config-manager --enable rhui-REGION-rhel-server-extras rhui-REGION-rhel-server-optional
sudo yum -y install libyaml-devel

Solution for CentOS/Fedora

If you are using CentOS or Fedora, go here to get the package you need.

Troubleshooting and an FYI Regarding OpenSSH

Problem scenario #1
You try to SSH to a Windows server with OpenSSH.  You get "Permission Denied."
Solution
Go to the Windows server.  Go to Server Manager -> Tools -> Computer Management -> Users and Groups.  Double-click the user you are trying to log in with.  Uncheck "User must change password at next log on."  While that box is checked, an SSH connection for that user will not be allowed.

Problem scenario #2
The ssh-agent service is running on a Windows server with OpenSSH.  From a Linux server you use this command: nmap -p 22 x.x.x.x #where x.x.x.x is the IP address of the Windows server.  You find that the port is closed (but not filtered).  You cannot SSH to the Windows server.  What is wrong?
Solution
From a PowerShell prompt, run this: start-service sshd
If you run the nmap command again, port 22 will now show as open, and you should be able to SSH to the Windows server.

FYI
The directions linked here present a variation of the "start-service sshd" step as optional.  It is not an optional step.

How Do You Create an RSA Private/Public Key Pair with OpenSSH in Windows?

Problem scenario
You have OpenSSH installed on a Windows machine.  You are in a PowerShell prompt as Administrator in the directory where the ssh-keygen.exe file is.  You run this:  .\ssh-keygen.exe -t rsa
You get "Generating public/private rsa key pair."  No new prompt appears.  It hangs (or stalls) for a long time.  You wait, and find that it is essentially frozen.  You press Ctrl-C to interrupt it and move on.

Still in a PowerShell prompt as Administrator in the directory where the ssh-keygen.exe file is, you run this:  .\ssh-keygen.exe -t rsa -f C:\\Program Files\\OpenSSH\\Openssh-Win64\\newfile
Again no new prompt appears.  It hangs (or stalls) for a long time.  You wait, and find that it is essentially frozen.  You press Ctrl-C to interrupt it and move on.

How do you generate a public/private rsa key pair?

Possible Solution #1
Open a cmd prompt.  You do not need to do it as Administrator.  cd to the directory where ssh-keygen.exe is.  Use this command: ssh-keygen -t rsa (with no .exe).  This creates a private/public key pair.

Possible Solution #2
Open a PowerShell prompt, but not as Administrator.  Run this command: ssh-keygen -t rsa

Two Error Messages when Installing Gems On Linux

Problem scenario:  You are trying to use gem install, but you get an error like this:
"usr/bin/ruby extconf.rb
mkmf.rb can't find header files for ruby at /usr/lib/ruby/ruby.h"

Solution:  Install ruby-devel.  For Red Hat derivatives, you can find the rpm here.

=====================================================================================

Problem scenario:  You are running gem install *.gem, and you get 'ERROR: While executing gem ...
(Net::HTTPServerException) 407 "Proxy Authentication Required"'

Potential Solutions:  The server's Internet connection seems to be partially working (not fully working, but not completely broken either).  Your proxy seems to be causing the issue, so change your proxy settings.  Disabling the proxy, which removes Internet access, could potentially help.  It may also help to reboot the server on which you ran the gem install command.

Using a rubyntlm script (http.rb), you get “connection refused.”

Problem scenario:  You modify this script to have a hostname, username, and password of a Windows server with IIS installed.  You add a "puts line" stanza on line 32 for debugging.  You try to run the script with ruby http.rb, but you get "connection refused."  

Possible solutions:  If you changed the port stanza in the http.rb file from 80, make sure no firewall in the path to the Windows server is blocking that port.  Some port numbers are not accessible by default on Windows servers.  If you leave the port set to 80, make sure nothing is blocking it on the network or on the target Windows server.

Rubyntlm: Communication from a Linux Server to a Windows Server

Problem scenario:  You modify this script to have a hostname, username, and password of a Windows server on your network.  You add a "puts line" stanza on line 32.

You run the script, but you get a message like this: "HTTP/1.1 404 Not Found"

Solution:  Make sure that the Windows server has IIS installed, make sure the server name you entered was correct, and make sure the Windows server is turned on.