I personally have not tried it, but I think passing "--enable-prelude" to configure should be enough.
This is how Suricata is configured on SELKS - https://github.com/StamusNetworks/SELKS/wiki/Config-files#suricata - then the suricata.yaml is located here - /etc/suricata/suricata.yaml

from selks.

Thx for this answer;

But I must re-complied with --enable-prelude right ? I didn't find the configure.sh. Or i just must write "yes" instead "no" in suricata.yaml ? Because on the section "prelude" in suricata.yaml it's write :

alert output to prelude (http://www.prelude-technologies.com/) only

available if Suricata has been compiled with --enable-prelude

Sorry for this stupid questions, i'm student and i'm newbie with IDS and monitoring ^^

Thx to you

from selks.

You could use those two guides as a reference:
https://github.com/StamusNetworks/SELKS/wiki/How-to-compile-latest-Suricata-on-SELKS
https://www.prelude-siem.org/projects/prelude/wiki/InstallingAgentThirdpartySuricata

from selks.

Thx you, but after did :
git clone git://phalanx.openinfosecfoundation.org/oisf.git
&& cd oisf && git clone https://github.com/OISF/libhtp.git -b 0.5.x

./autogen.sh
./configure --prefix=/usr/ --sysconfdir=/etc/ --localstatedir=/var/
--enable-nfqueue --enable-non-bundled-htp --disable-gccmarch-native
--enable-geoip --enable-gccprotect
--with-libnss-libraries=/usr/lib --with-libnss-includes=/usr/include/nss/
--with-libnspr-libraries=/usr/lib --with-libnspr-includes=/usr/include/nspr
--enable-luajit --enable-prelude

service suricata restart

When I got on Scirius panel page "Suricata" :
Unable to get data from Elasticsearch

Why all my service restart ? I also updated, builded and pushed rulset suricata but always this error ...

What did I do wrong ?

Thx for the answers :)

from selks.

Ho and on system status, suricata is red and elasticsearch is yellow

from selks.

Did you check if Suricata is running?

from selks.

yes I think :

/etc/init.d/suricata status
● suricata.service - LSB: Next Generation IDS/IPS
Loaded: loaded (/etc/init.d/suricata)
Active: active (exited) since ven. 2015-06-05 11:43:20 CEST; 3min 24s ago
Process: 845 ExecStart=/etc/init.d/suricata start (code=exited, status=0/SUCCESS)

juin 05 11:43:16 SELKS suricata[845]: Starting suricata in IDS (af-packet) ...e.

from selks.

I think you need to is stop suricata, delete /var/run/suricata.pid (if any existing), start suricata.

from selks.

It works, I re-installed SELKS iso, because I think the issue was when I touched the surcata.yaml and configuration prelude before re-compiling. And Now I compiled with --enable-prelude and I touched the surcicata.yaml and it works. Now I must install Prelude and OSSEC.

Thx to you, have a nice day !

from selks.