Suricata IDS is published in different formats, among the standard ones are the pre-compiled binaries as RPM or DEB packages.
Those packages offer an easy way to install/upgrade Suricata and are configured for the most common use-cases, for that, some of the features that you might want to use are disabled in these packages, and you will need to compile Suricata your self to have them available.
Recently, one of IDSTower users needed to use Napatech NICs with Suricata but faced several hurdles since this features is understandably not enabled by default in the default RPM/DEB packages and manually compiling Suricata IDS on each cluster host is a bit too much.
The customer needed a way to compile Suricata once and deploy it to the IDS Cluster using the Custom Packages Repository feature in IDSTower.
In this post, we will go thru the steps to create a custom Suricata DEB package that have the features that we wants enabled (eBPF support in this example) while maintaining the standard features enabled as well.
The build setup
We did everything in this tutorial using:
– Ubuntu 22.04.2 LTS (Jammy Jellyfish)
– Suricata 6.0.11
Building the Suricata IDS .deb package, howto
a ded package is a simple Unix archive that contains both the application binaries and other utility files, to create the .deb package, we need to obtain Suricata source code, configure it to enable the features/options we want to use, compile it and finally package it as a DEB file that can be used on Ubuntu/Debian.
Compiling the source code
First, we need to download the all of the libraries and tools needed to build Suricata IDS from the source
sudo apt update sudo apt -y install jq curl checkinstall build-essential pkg-config make rustc cargo sudo apt -y install libpcre3 libpcre3-dbg libpcre3-dev libpcap-dev \ libnet1-dev libyaml-0-2 libyaml-dev zlib1g zlib1g-dev \ libcap-ng-dev libcap-ng0 libmagic-dev \ libnss3-dev libgeoip-dev liblua5.1-dev libhiredis-dev libevent-dev \ python3-yaml libjansson-dev libluajit-5.1-dev libhyperscan-dev libmaxminddb-dev liblz4-dev \ libnetfilter-queue-dev libnetfilter-queue1 \ libnetfilter-log-dev libnetfilter-log1 \ libnfnetlink-dev libnfnetlink0 \ libelf-dev libbpf-dev
Then, lets create a directory to host our build and download and extract source code in it.
mkdir suricata_build cd suricata_build/ wget https://www.openinfosecfoundation.org/download/suricata-6.0.11.tar.gz tar xzvf suricata-6.0.11.tar.gz cd suricata-6.0.11/
Once Suricata source code is extracted, proceed to “configure” the build to enable all of the standard features that are normally enabled in the “official” Suricata DEB package, plus eBPF support (notice the option in bold)
./configure --build=x86_64-linux-gnu --prefix=/usr/ --sysconfdir=/etc/ --localstatedir=/var/ --disable-silent-rules --disable-maintainer-mode --disable-dependency-tracking --enable-nfqueue --disable-gccmarch-native --enable-hiredis --enable-geoip --enable-gccprotect --enable-pie --enable-luajit --enable-ebpf
Now we are ready to compile Suricata
make clean make
Compilation will take a while depending on system resources, once it is done successfully, we will proceed to bundle Suricata as a DEB package that can be used to deploy Suricata to Ubuntu/Debian systems
Creating the DEB package
To create the Suricata IDS .deb package, we will use the checkinstall tool, which is among the easies ways to bundle compiled source code into .deb and .rpm packages.
We will start by creating a list of configuration files we want checkinstall to bundle inside our suricata .deb package
echo "/etc/suricata" > suricata_conf_files echo "/var/log/suricata" >> suricata_conf_files
We will need to tell checkinstall about all of the dependencies that Suricata requires to be installed so that they get automatically installed by apt when we install the Suricata package.
sudo checkinstall -y -D -A amd64 --install=no --fstrans=no --backup=no --exclude=/home,/root --include=./suricata_conf_files --requires "libevent-2.1-7,libevent-pthreads-2.1-7,libhiredis0.14,libhtp2,libhyperscan5,libluajit-5.1-2,libnet1,libnetfilter-log1,libnetfilter-queue1,python3-simplejson" make install install-conf
Once the checkinstall tool finishes creating the deb package, we can find it written in our source directory and we can proceed to install it and verify that eBPF support is now enabled
sudo apt install ./suricata_6.0.11-1_amd64.deb -y user@suricathost:~/suricata_build/suricata-6.0.11$ suricata --build-info This is Suricata version 6.0.11 RELEASE Features: NFQ PCAP_SET_BUFF AF_PACKET HAVE_PACKET_FANOUT LIBCAP_NG LIBNET1.1 HAVE_HTP_URI_NORMALIZE_HOOK PCRE_JIT HAVE_NSS HAVE_LUA HAVE_LUAJIT HAVE_LIBJANSSON TLS TLS_C11 MAGIC RUST SIMD support: none Atomic intrinsics: 1 2 4 8 byte(s) 64-bits, Little-endian architecture GCC version 11.3.0, C version 201112 compiled with -fstack-protector compiled with _FORTIFY_SOURCE=2 L1 cache line size (CLS)=64 thread local storage method: _Thread_local compiled with LibHTP v0.5.42, linked against LibHTP v0.5.39 Suricata Configuration: AF_PACKET support: yes eBPF support: yes XDP support: yes PF_RING support: no NFQueue support: yes NFLOG support: no IPFW support: no
Using the Suricata DEB package
Now that you have the Suricata deb package ready, you can use it to install Suricata IDS on other hosts Ubuntu/Debian hosts.
The same steps that we followed above, can be used to enable other features that are not enabled by default in official Suricata binaries, including Napatech & PF_RING support.
How IDSTower can help?
IDSTower helps you provision and deploy you custom Suicata packages to 10’s of hosts using the Custom Packages Repository feature. It also offer an easy to use GUI for Suricata hosts configuration management, health monitoring and rules life-cycle management.