Suricata and pf_ring on RHEL 5.5

I wanted to evaluate Suricata in its recommended configuration, using libpcap linked against the pf_ring library.  But there are a lot of READMEs out there, a lot of them referring to older versions of pf_ring, and the pf_ring documentation itself isn’t very clear.

It took me some digging around and experimenting, but this blog post has a comment by Wil Metcalf that made it all much easier for me.

Succinctly: check out pf_ring revision 4079, then build the kernel modules, then the userland/lib stuff.  You may need to add /usr/local/lib to /etc/ld.so.conf.  I had troubles with the latest version of pf_ring on my RHEL 5.5 installation.  YMMV by this point, of course.

You may also find this post to be useful, although it still talks about patching kernel sources.

Tangentially, if you’re relatively new to RHEL and kernel sources, you might also find this post helpful – I did, but there’s probably nothing new there for experienced RedHat admins.

Once you have pf_ring going, you’ll want to rebuild libpcap to link against pf_ring.  I used vanilla source for this, and it was no problem with a straight ./configure && make.  And now suricata:

./configure --enable-pfring --with-libpfring-libraries=/usr/local/lib --with-libpfring-includes=/usr/local/include
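Once the three builds are done, the thing that actually bit me was the loader path: if /usr/local/lib isn't registered, libpcap and suricata silently fall back to a libpfring that can't be found. The helper below is an added example, not code from the post or from the Suricata/pf_ring projects; it assumes the pf_ring userland lib landed in /usr/local/lib, the module exposes /proc/net/pf_ring, and the suricata binary path given in main() (adjust as needed).

```shell
#!/bin/sh
# Added helper (not from the original post): registers /usr/local/lib with the
# dynamic loader idempotently and checks that the freshly built binaries really
# resolve libpfring at run time. Paths below are assumptions, edit to taste.

# Append a library directory to an ld.so.conf-style file only if it is absent.
# $1 = conf file, $2 = directory. Succeeds once the file contains the directory.
ensure_ld_path() {
    conf="$1"; dir="$2"
    [ -f "$conf" ] || : > "$conf"
    if ! grep -qxF "$dir" "$conf"; then
        printf '%s\n' "$dir" >> "$conf"
    fi
    grep -qxF "$dir" "$conf"
}

# Reads `ldd` output on stdin; succeeds only if libpfring resolves to a real
# path. An "=> not found" entry means the loader cannot locate the library.
pfring_resolved() {
    grep 'libpfring' | grep -qv 'not found'
}

# Verifies one binary is linked against libpfring and the loader can find it.
check_binary() {
    bin="$1"
    [ -x "$bin" ] || { echo "missing: $bin"; return 1; }
    if ldd "$bin" | pfring_resolved; then
        echo "ok: $bin resolves libpfring"
    else
        echo "FAIL: $bin does not resolve libpfring (check ld.so.conf, run ldconfig)"
        return 1
    fi
}

# Kernel side: the pf_ring module publishes /proc/net/pf_ring once loaded.
pfring_module_loaded() {
    [ -d /proc/net/pf_ring ]
}

main() {
    ensure_ld_path /etc/ld.so.conf /usr/local/lib && ldconfig
    pfring_module_loaded || echo "pf_ring module not loaded (try: modprobe pf_ring)"
    check_binary /usr/local/bin/suricata   # assumed install prefix
}

# Run the checks only when executed as a script, not when sourced.
if [ "${0##*/}" = "pfring_check.sh" ]; then main "$@"; fi
```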

And that was pretty much it for me.