Suricata 5.0.3?

Anyone have any interest in a Suricata 5.0.3 package for OpenWrt?

I've got it working, although I took some serious shortcuts (details further down), so I doubt it would end up as a real OpenWrt package in this form. I haven't checked performance, because I've never used Suricata before, so I'm still figuring things out :slight_smile:

So.. anyone interested?

root@Shield:/etc# suricata -V
This is Suricata version 5.0.3 RELEASE
root@Shield:/etc# suricata --list-runmodes
------------------------------------- Runmodes ------------------------------------------
| RunMode Type      | Custom Mode       | Description 
|----------------------------------------------------------------------------------------
| PCAP_DEV          | single            | Single threaded pcap live mode 
|                   ---------------------------------------------------------------------
|                   | autofp            | Multi threaded pcap live mode.  Packets from each flow are assigned to a single detect thread, unlike "pcap_live_auto" where packets from th 
|                   ---------------------------------------------------------------------
|                   | workers           | Workers pcap live mode, each thread does all tasks from acquisition to logging 
|----------------------------------------------------------------------------------------
| PCAP_FILE         | single            | Single threaded pcap file mode 
|                   ---------------------------------------------------------------------
|                   | autofp            | Multi threaded pcap file mode.  Packets from each flow are assigned to a single detect thread, unlike "pcap-file-auto" where packets from th 
|----------------------------------------------------------------------------------------
| PFRING(DISABLED)  | autofp            | Multi threaded pfring mode.  Packets from each flow are assigned to a single detect thread, unlike "pfring_auto" where packets from the same 
|                   ---------------------------------------------------------------------
|                   | single            | Single threaded pfring mode 
|                   ---------------------------------------------------------------------
|                   | workers           | Workers pfring mode, each thread does all tasks from acquisition to logging 
|----------------------------------------------------------------------------------------
| NFQ               | autofp            | Multi threaded NFQ IPS mode with respect to flow 
|                   ---------------------------------------------------------------------
|                   | workers           | Multi queue NFQ IPS mode with one thread per queue 
|----------------------------------------------------------------------------------------
| NFLOG             | autofp            | Multi threaded nflog mode   
|                   ---------------------------------------------------------------------
|                   | single            | Single threaded nflog mode  
|                   ---------------------------------------------------------------------
|                   | workers           | Workers nflog mode          
|----------------------------------------------------------------------------------------
| IPFW              | autofp            | Multi threaded IPFW IPS mode with respect to flow 
|                   ---------------------------------------------------------------------
|                   | workers           | Multi queue IPFW IPS mode with one thread per queue 
|----------------------------------------------------------------------------------------
| ERF_FILE          | single            | Single threaded ERF file mode 
|                   ---------------------------------------------------------------------
|                   | autofp            | Multi threaded ERF file mode.  Packets from each flow are assigned to a single detect thread 
|----------------------------------------------------------------------------------------
| ERF_DAG           | autofp            | Multi threaded DAG mode.  Packets from each flow are assigned to a single detect thread, unlike "dag_auto" where packets from the same flow  
|                   ---------------------------------------------------------------------
|                   | single            | Singled threaded DAG mode   
|                   ---------------------------------------------------------------------
|                   | workers           | Workers DAG mode, each thread does all  tasks from acquisition to logging 
|----------------------------------------------------------------------------------------
| AF_PACKET_DEV     | single            | Single threaded af-packet mode 
|                   ---------------------------------------------------------------------
|                   | workers           | Workers af-packet mode, each thread does all tasks from acquisition to logging 
|                   ---------------------------------------------------------------------
|                   | autofp            | Multi socket AF_PACKET mode.  Packets from each flow are assigned to a single detect thread. 
|----------------------------------------------------------------------------------------
| NETMAP(DISABLED)  | single            | Single threaded netmap mode 
|                   ---------------------------------------------------------------------
|                   | workers           | Workers netmap mode, each thread does all tasks from acquisition to logging 
|                   ---------------------------------------------------------------------
|                   | autofp            | Multi threaded netmap mode.  Packets from each flow are assigned to a single detect thread. 
|----------------------------------------------------------------------------------------
| UNIX_SOCKET       | single            | Unix socket mode            
|                   ---------------------------------------------------------------------
|                   | autofp            | Unix socket mode            
|----------------------------------------------------------------------------------------
| WINDIVERT(DISABLED) | autofp            | Multi-threaded WinDivert IPS mode load-balanced by flow 
|----------------------------------------------------------------------------------------
root@Shield:/etc# suricata --dump-config
vars = (null)
vars.address-groups = (null)
vars.address-groups.HOME_NET = [192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]
vars.address-groups.EXTERNAL_NET = !$HOME_NET
vars.address-groups.HTTP_SERVERS = $HOME_NET
vars.address-groups.SMTP_SERVERS = $HOME_NET
vars.address-groups.SQL_SERVERS = $HOME_NET
vars.address-groups.DNS_SERVERS = $HOME_NET
vars.address-groups.TELNET_SERVERS = $HOME_NET
vars.address-groups.AIM_SERVERS = $EXTERNAL_NET
vars.address-groups.DC_SERVERS = $HOME_NET
vars.address-groups.DNP3_SERVER = $HOME_NET
vars.address-groups.DNP3_CLIENT = $HOME_NET
vars.address-groups.MODBUS_CLIENT = $HOME_NET
vars.address-groups.MODBUS_SERVER = $HOME_NET
vars.address-groups.ENIP_CLIENT = $HOME_NET
vars.address-groups.ENIP_SERVER = $HOME_NET
vars.port-groups = (null)
vars.port-groups.HTTP_PORTS = 80
vars.port-groups.SHELLCODE_PORTS = !80
vars.port-groups.ORACLE_PORTS = 1521
vars.port-groups.SSH_PORTS = 22
vars.port-groups.DNP3_PORTS = 20000
vars.port-groups.MODBUS_PORTS = 502
vars.port-groups.FILE_DATA_PORTS = [$HTTP_PORTS,110,143]
vars.port-groups.FTP_PORTS = 21
vars.port-groups.VXLAN_PORTS = 4789
vars.port-groups.TEREDO_PORTS = 3544
default-log-dir = /var/log/suricata/
stats = (null)
stats.enabled = yes
stats.interval = 8
outputs = (null)
outputs.0 = fast
outputs.0.fast = (null)
outputs.0.fast.enabled = yes
outputs.0.fast.filename = fast.log
outputs.0.fast.append = yes
outputs.1 = eve-log
outputs.1.eve-log = (null)
outputs.1.eve-log.enabled = yes
outputs.1.eve-log.filetype = regular
outputs.1.eve-log.filename = eve.json
outputs.1.eve-log.pcap-file = false
outputs.1.eve-log.community-id = false
outputs.1.eve-log.community-id-seed = 0
outputs.1.eve-log.xff = (null)
outputs.1.eve-log.xff.enabled = no
outputs.1.eve-log.xff.mode = extra-data
outputs.1.eve-log.xff.deployment = reverse
outputs.1.eve-log.xff.header = X-Forwarded-For
outputs.1.eve-log.types = (null)
outputs.1.eve-log.types.0 = alert
outputs.1.eve-log.types.0.alert = (null)
outputs.1.eve-log.types.0.alert.tagged-packets = yes
outputs.1.eve-log.types.1 = anomaly
outputs.1.eve-log.types.1.anomaly = (null)
outputs.1.eve-log.types.1.anomaly.enabled = yes
outputs.1.eve-log.types.1.anomaly.types = 
outputs.1.eve-log.types.2 = http
outputs.1.eve-log.types.2.http = (null)
outputs.1.eve-log.types.2.http.extended = yes
outputs.1.eve-log.types.3 = dns
outputs.1.eve-log.types.3.dns = 
outputs.1.eve-log.types.4 = tls
outputs.1.eve-log.types.4.tls = (null)
outputs.1.eve-log.types.4.tls.extended = yes
outputs.1.eve-log.types.5 = files
outputs.1.eve-log.types.5.files = (null)
outputs.1.eve-log.types.5.files.force-magic = no
outputs.1.eve-log.types.6 = smtp
outputs.1.eve-log.types.6.smtp = 
outputs.1.eve-log.types.7 = ftp
outputs.1.eve-log.types.8 = nfs
outputs.1.eve-log.types.9 = smb
outputs.1.eve-log.types.10 = tftp
outputs.1.eve-log.types.11 = ikev2
outputs.1.eve-log.types.12 = krb5
outputs.1.eve-log.types.13 = snmp
outputs.1.eve-log.types.14 = dhcp
outputs.1.eve-log.types.14.dhcp = (null)
outputs.1.eve-log.types.14.dhcp.enabled = yes
outputs.1.eve-log.types.14.dhcp.extended = no
outputs.1.eve-log.types.15 = ssh
outputs.1.eve-log.types.16 = stats
outputs.1.eve-log.types.16.stats = (null)
outputs.1.eve-log.types.16.stats.totals = yes
outputs.1.eve-log.types.16.stats.threads = no
outputs.1.eve-log.types.16.stats.deltas = no
outputs.1.eve-log.types.17 = flow
outputs.2 = unified2-alert
outputs.2.unified2-alert = (null)
outputs.2.unified2-alert.enabled = no
outputs.3 = http-log
outputs.3.http-log = (null)
outputs.3.http-log.enabled = no
outputs.3.http-log.filename = http.log
outputs.3.http-log.append = yes
outputs.4 = tls-log
outputs.4.tls-log = (null)
outputs.4.tls-log.enabled = no
outputs.4.tls-log.filename = tls.log
outputs.4.tls-log.append = yes
outputs.5 = tls-store
outputs.5.tls-store = (null)
outputs.5.tls-store.enabled = no
outputs.6 = pcap-log
outputs.6.pcap-log = (null)
outputs.6.pcap-log.enabled = no
outputs.6.pcap-log.filename = log.pcap
outputs.6.pcap-log.limit = 1000mb
outputs.6.pcap-log.max-files = 2000
outputs.6.pcap-log.compression = none
outputs.6.pcap-log.mode = normal
outputs.6.pcap-log.use-stream-depth = no
outputs.6.pcap-log.honor-pass-rules = no
outputs.7 = alert-debug
outputs.7.alert-debug = (null)
outputs.7.alert-debug.enabled = no
outputs.7.alert-debug.filename = alert-debug.log
outputs.7.alert-debug.append = yes
outputs.8 = alert-prelude
outputs.8.alert-prelude = (null)
outputs.8.alert-prelude.enabled = no
outputs.8.alert-prelude.profile = suricata
outputs.8.alert-prelude.log-packet-content = no
outputs.8.alert-prelude.log-packet-header = yes
outputs.9 = stats
outputs.9.stats = (null)
outputs.9.stats.enabled = yes
outputs.9.stats.filename = stats.log
outputs.9.stats.append = yes
outputs.9.stats.totals = yes
outputs.9.stats.threads = no
outputs.10 = syslog
outputs.10.syslog = (null)
outputs.10.syslog.enabled = no
outputs.10.syslog.facility = local5
outputs.11 = drop
outputs.11.drop = (null)
outputs.11.drop.enabled = no
outputs.12 = file-store
outputs.12.file-store = (null)
outputs.12.file-store.version = 2
outputs.12.file-store.enabled = no
outputs.12.file-store.xff = (null)
outputs.12.file-store.xff.enabled = no
outputs.12.file-store.xff.mode = extra-data
outputs.12.file-store.xff.deployment = reverse
outputs.12.file-store.xff.header = X-Forwarded-For
outputs.13 = file-store
outputs.13.file-store = (null)
outputs.13.file-store.enabled = no
outputs.14 = tcp-data
outputs.14.tcp-data = (null)
outputs.14.tcp-data.enabled = no
outputs.14.tcp-data.type = file
outputs.14.tcp-data.filename = tcp-data.log
outputs.15 = http-body-data
outputs.15.http-body-data = (null)
outputs.15.http-body-data.enabled = no
outputs.15.http-body-data.type = file
outputs.15.http-body-data.filename = http-data.log
outputs.16 = lua
outputs.16.lua = (null)
outputs.16.lua.enabled = no
outputs.16.lua.scripts = 
logging = (null)
logging.default-log-level = notice
logging.default-output-filter = 
logging.outputs = (null)
logging.outputs.0 = console
logging.outputs.0.console = (null)
logging.outputs.0.console.enabled = yes
logging.outputs.1 = file
logging.outputs.1.file = (null)
logging.outputs.1.file.enabled = yes
logging.outputs.1.file.level = info
logging.outputs.1.file.filename = suricata.log
logging.outputs.2 = syslog
logging.outputs.2.syslog = (null)
logging.outputs.2.syslog.enabled = no
logging.outputs.2.syslog.facility = local5
logging.outputs.2.syslog.format = [%i] <%d> -- 
af-packet = (null)
af-packet.0 = interface
af-packet.0.interface = eth0
af-packet.0.cluster-id = 99
af-packet.0.cluster-type = cluster_flow
af-packet.0.defrag = yes
af-packet.1 = interface
af-packet.1.interface = default
pcap = (null)
pcap.0 = interface
pcap.0.interface = eth0
pcap.1 = interface
pcap.1.interface = default
pcap-file = (null)
pcap-file.checksum-checks = auto
app-layer = (null)
app-layer.protocols = (null)
app-layer.protocols.krb5 = (null)
app-layer.protocols.krb5.enabled = yes
app-layer.protocols.snmp = (null)
app-layer.protocols.snmp.enabled = yes
app-layer.protocols.ikev2 = (null)
app-layer.protocols.ikev2.enabled = yes
app-layer.protocols.tls = (null)
app-layer.protocols.tls.enabled = yes
app-layer.protocols.tls.detection-ports = (null)
app-layer.protocols.tls.detection-ports.dp = 443
app-layer.protocols.dcerpc = (null)
app-layer.protocols.dcerpc.enabled = yes
app-layer.protocols.ftp = (null)
app-layer.protocols.ftp.enabled = yes
app-layer.protocols.rdp = 
app-layer.protocols.ssh = (null)
app-layer.protocols.ssh.enabled = yes
app-layer.protocols.smtp = (null)
app-layer.protocols.smtp.enabled = yes
app-layer.protocols.smtp.raw-extraction = no
app-layer.protocols.smtp.mime = (null)
app-layer.protocols.smtp.mime.decode-mime = yes
app-layer.protocols.smtp.mime.decode-base64 = yes
app-layer.protocols.smtp.mime.decode-quoted-printable = yes
app-layer.protocols.smtp.mime.header-value-depth = 2000
app-layer.protocols.smtp.mime.extract-urls = yes
app-layer.protocols.smtp.mime.body-md5 = no
app-layer.protocols.smtp.inspected-tracker = (null)
app-layer.protocols.smtp.inspected-tracker.content-limit = 100000
app-layer.protocols.smtp.inspected-tracker.content-inspect-min-size = 32768
app-layer.protocols.smtp.inspected-tracker.content-inspect-window = 4096
app-layer.protocols.imap = (null)
app-layer.protocols.imap.enabled = detection-only
app-layer.protocols.smb = (null)
app-layer.protocols.smb.enabled = yes
app-layer.protocols.smb.detection-ports = (null)
app-layer.protocols.smb.detection-ports.dp = 139, 445
app-layer.protocols.nfs = (null)
app-layer.protocols.nfs.enabled = yes
app-layer.protocols.tftp = (null)
app-layer.protocols.tftp.enabled = yes
app-layer.protocols.dns = (null)
app-layer.protocols.dns.tcp = (null)
app-layer.protocols.dns.tcp.enabled = yes
app-layer.protocols.dns.tcp.detection-ports = (null)
app-layer.protocols.dns.tcp.detection-ports.dp = 53
app-layer.protocols.dns.udp = (null)
app-layer.protocols.dns.udp.enabled = yes
app-layer.protocols.dns.udp.detection-ports = (null)
app-layer.protocols.dns.udp.detection-ports.dp = 53
app-layer.protocols.http = (null)
app-layer.protocols.http.enabled = yes
app-layer.protocols.http.libhtp = (null)
app-layer.protocols.http.libhtp.default-config = (null)
app-layer.protocols.http.libhtp.default-config.personality = IDS
app-layer.protocols.http.libhtp.default-config.request-body-limit = 100kb
app-layer.protocols.http.libhtp.default-config.response-body-limit = 100kb
app-layer.protocols.http.libhtp.default-config.request-body-minimal-inspect-size = 32kb
app-layer.protocols.http.libhtp.default-config.request-body-inspect-window = 4kb
app-layer.protocols.http.libhtp.default-config.response-body-minimal-inspect-size = 40kb
app-layer.protocols.http.libhtp.default-config.response-body-inspect-window = 16kb
app-layer.protocols.http.libhtp.default-config.response-body-decompress-layer-limit = 2
app-layer.protocols.http.libhtp.default-config.http-body-inline = auto
app-layer.protocols.http.libhtp.default-config.swf-decompression = (null)
app-layer.protocols.http.libhtp.default-config.swf-decompression.enabled = yes
app-layer.protocols.http.libhtp.default-config.swf-decompression.type = both
app-layer.protocols.http.libhtp.default-config.swf-decompression.compress-depth = 0
app-layer.protocols.http.libhtp.default-config.swf-decompression.decompress-depth = 0
app-layer.protocols.http.libhtp.default-config.double-decode-path = no
app-layer.protocols.http.libhtp.default-config.double-decode-query = no
app-layer.protocols.http.libhtp.server-config = 
app-layer.protocols.modbus = (null)
app-layer.protocols.modbus.enabled = no
app-layer.protocols.modbus.detection-ports = (null)
app-layer.protocols.modbus.detection-ports.dp = 502
app-layer.protocols.modbus.stream-depth = 0
app-layer.protocols.dnp3 = (null)
app-layer.protocols.dnp3.enabled = no
app-layer.protocols.dnp3.detection-ports = (null)
app-layer.protocols.dnp3.detection-ports.dp = 20000
app-layer.protocols.enip = (null)
app-layer.protocols.enip.enabled = no
app-layer.protocols.enip.detection-ports = (null)
app-layer.protocols.enip.detection-ports.dp = 44818
app-layer.protocols.enip.detection-ports.sp = 44818
app-layer.protocols.ntp = (null)
app-layer.protocols.ntp.enabled = yes
app-layer.protocols.dhcp = (null)
app-layer.protocols.dhcp.enabled = yes
app-layer.protocols.sip = 
asn1-max-frames = 256
coredump = (null)
coredump.max-dump = unlimited
host-mode = auto
unix-command = (null)
unix-command.enabled = auto
legacy = (null)
legacy.uricontent = enabled
engine-analysis = (null)
engine-analysis.rules-fast-pattern = yes
engine-analysis.rules = yes
pcre = (null)
pcre.match-limit = 3500
pcre.match-limit-recursion = 1500
host-os-policy = (null)
host-os-policy.windows = (null)
host-os-policy.windows.0 = 0.0.0.0/0
host-os-policy.bsd = (null)
host-os-policy.bsd-right = (null)
host-os-policy.old-linux = (null)
host-os-policy.linux = (null)
host-os-policy.old-solaris = (null)
host-os-policy.solaris = (null)
host-os-policy.hpux10 = (null)
host-os-policy.hpux11 = (null)
host-os-policy.irix = (null)
host-os-policy.macos = (null)
host-os-policy.vista = (null)
host-os-policy.windows2k3 = (null)
defrag = (null)
defrag.memcap = 32mb
defrag.hash-size = 65536
defrag.trackers = 65535
defrag.max-frags = 65535
defrag.prealloc = yes
defrag.timeout = 60
flow = (null)
flow.memcap = 256mb
flow.hash-size = 65536
flow.prealloc = 10000
flow.emergency-recovery = 30
vlan = (null)
vlan.use-for-tracking = true
flow-timeouts = (null)
flow-timeouts.default = (null)
flow-timeouts.default.new = 30
flow-timeouts.default.established = 300
flow-timeouts.default.closed = 0
flow-timeouts.default.bypassed = 100
flow-timeouts.default.emergency-new = 10
flow-timeouts.default.emergency-established = 100
flow-timeouts.default.emergency-closed = 0
flow-timeouts.default.emergency-bypassed = 50
flow-timeouts.tcp = (null)
flow-timeouts.tcp.new = 60
flow-timeouts.tcp.established = 600
flow-timeouts.tcp.closed = 60
flow-timeouts.tcp.bypassed = 100
flow-timeouts.tcp.emergency-new = 5
flow-timeouts.tcp.emergency-established = 100
flow-timeouts.tcp.emergency-closed = 10
flow-timeouts.tcp.emergency-bypassed = 50
flow-timeouts.udp = (null)
flow-timeouts.udp.new = 30
flow-timeouts.udp.established = 300
flow-timeouts.udp.bypassed = 100
flow-timeouts.udp.emergency-new = 10
flow-timeouts.udp.emergency-established = 100
flow-timeouts.udp.emergency-bypassed = 50
flow-timeouts.icmp = (null)
flow-timeouts.icmp.new = 30
flow-timeouts.icmp.established = 300
flow-timeouts.icmp.bypassed = 100
flow-timeouts.icmp.emergency-new = 10
flow-timeouts.icmp.emergency-established = 100
flow-timeouts.icmp.emergency-bypassed = 50
stream = (null)
stream.memcap = 64mb
stream.checksum-validation = yes
stream.inline = auto
stream.reassembly = (null)
stream.reassembly.memcap = 256mb
stream.reassembly.depth = 1mb
stream.reassembly.toserver-chunk-size = 2560
stream.reassembly.toclient-chunk-size = 2560
stream.reassembly.randomize-chunk-size = yes
host = (null)
host.hash-size = 4096
host.prealloc = 1000
host.memcap = 64mb
decoder = (null)
decoder.teredo = (null)
decoder.teredo.enabled = true
decoder.teredo.ports = $TEREDO_PORTS
decoder.vxlan = (null)
decoder.vxlan.enabled = true
decoder.vxlan.ports = $VXLAN_PORTS
decoder.erspan = (null)
decoder.erspan.typeI = (null)
decoder.erspan.typeI.enabled = false
detect = (null)
detect.profile = medium
detect.custom-values = (null)
detect.custom-values.toclient-groups = 3
detect.custom-values.toserver-groups = 25
detect.sgh-mpm-context = auto
detect.inspection-recursion-limit = 3000
detect.prefilter = (null)
detect.prefilter.default = mpm
detect.grouping = 
detect.profiling = (null)
detect.profiling.grouping = (null)
detect.profiling.grouping.dump-to-disk = false
detect.profiling.grouping.include-rules = false
detect.profiling.grouping.include-mpm-stats = false
mpm-algo = auto
spm-algo = auto
threading = (null)
threading.set-cpu-affinity = no
threading.cpu-affinity = (null)
threading.cpu-affinity.0 = management-cpu-set
threading.cpu-affinity.0.management-cpu-set = (null)
threading.cpu-affinity.0.management-cpu-set.cpu = (null)
threading.cpu-affinity.0.management-cpu-set.cpu.0 = 0
threading.cpu-affinity.1 = receive-cpu-set
threading.cpu-affinity.1.receive-cpu-set = (null)
threading.cpu-affinity.1.receive-cpu-set.cpu = (null)
threading.cpu-affinity.1.receive-cpu-set.cpu.0 = 0
threading.cpu-affinity.2 = worker-cpu-set
threading.cpu-affinity.2.worker-cpu-set = (null)
threading.cpu-affinity.2.worker-cpu-set.cpu = (null)
threading.cpu-affinity.2.worker-cpu-set.cpu.0 = all
threading.cpu-affinity.2.worker-cpu-set.mode = exclusive
threading.cpu-affinity.2.worker-cpu-set.prio = (null)
threading.cpu-affinity.2.worker-cpu-set.prio.low = (null)
threading.cpu-affinity.2.worker-cpu-set.prio.low.0 = 0
threading.cpu-affinity.2.worker-cpu-set.prio.medium = (null)
threading.cpu-affinity.2.worker-cpu-set.prio.medium.0 = 1-2
threading.cpu-affinity.2.worker-cpu-set.prio.high = (null)
threading.cpu-affinity.2.worker-cpu-set.prio.high.0 = 3
threading.cpu-affinity.2.worker-cpu-set.prio.default = medium
threading.detect-thread-ratio = 1.0
luajit = (null)
luajit.states = 128
profiling = (null)
profiling.rules = (null)
profiling.rules.enabled = yes
profiling.rules.filename = rule_perf.log
profiling.rules.append = yes
profiling.rules.limit = 10
profiling.rules.json = yes
profiling.keywords = (null)
profiling.keywords.enabled = yes
profiling.keywords.filename = keyword_perf.log
profiling.keywords.append = yes
profiling.prefilter = (null)
profiling.prefilter.enabled = yes
profiling.prefilter.filename = prefilter_perf.log
profiling.prefilter.append = yes
profiling.rulegroups = (null)
profiling.rulegroups.enabled = yes
profiling.rulegroups.filename = rule_group_perf.log
profiling.rulegroups.append = yes
profiling.packets = (null)
profiling.packets.enabled = yes
profiling.packets.filename = packet_stats.log
profiling.packets.append = yes
profiling.packets.csv = (null)
profiling.packets.csv.enabled = no
profiling.packets.csv.filename = packet_stats.csv
profiling.locks = (null)
profiling.locks.enabled = no
profiling.locks.filename = lock_stats.log
profiling.locks.append = yes
profiling.pcap-log = (null)
profiling.pcap-log.enabled = no
profiling.pcap-log.filename = pcaplog_stats.log
profiling.pcap-log.append = yes
nfq = 
nflog = (null)
nflog.0 = group
nflog.0.group = 2
nflog.0.buffer-size = 18432
nflog.1 = group
nflog.1.group = default
nflog.1.qthreshold = 1
nflog.1.qtimeout = 100
nflog.1.max-size = 20000
capture = 
netmap = (null)
netmap.0 = interface
netmap.0.interface = eth2
netmap.1 = interface
netmap.1.interface = default
pfring = (null)
pfring.0 = interface
pfring.0.interface = eth0
pfring.0.threads = auto
pfring.0.cluster-id = 99
pfring.0.cluster-type = cluster_flow
pfring.1 = interface
pfring.1.interface = default
ipfw = 
napatech = (null)
napatech.streams = (null)
napatech.streams.0 = 0-3
napatech.auto-config = yes
napatech.ports = (null)
napatech.ports.0 = all
napatech.hashmode = hash5tuplesorted
default-rule-path = /etc/suricata/rules
rule-files = (null)
rule-files.0 = suricata.rules
classification-file = /etc/suricata/classification.config
reference-config-file = /etc/suricata/reference.config
root@Shield:/etc# suricata --build-info
This is Suricata version 5.0.3 RELEASE
Features: DEBUG NFQ PCAP_SET_BUFF AF_PACKET HAVE_PACKET_FANOUT LIBCAP_NG LIBNET1.1 HAVE_HTP_URI_NORMALIZE_HOOK PCRE_JIT HAVE_NSS HAVE_LIBJANSSON TLS MAGIC RUST 
SIMD support: none
Atomic intrinsics: 1 2 4 8 byte(s)
64-bits, Big-endian architecture
GCC version 10.1.0, C version 199901
compiled with -fstack-protector
compiled with _FORTIFY_SOURCE=1
L1 cache line size (CLS)=64
thread local storage method: __thread
compiled with LibHTP v0.5.33, linked against LibHTP v0.5.33

Suricata Configuration:
  AF_PACKET support:                       yes
  eBPF support:                            no
  XDP support:                             no
  PF_RING support:                         no
  NFQueue support:                         yes
  NFLOG support:                           no
  IPFW support:                            no
  Netmap support:                          no 
  DAG enabled:                             no
  Napatech enabled:                        no
  WinDivert enabled:                       no

  Unix socket enabled:                     yes
  Detection enabled:                       yes

  Libmagic support:                        yes
  libnss support:                          yes
  libnspr support:                         yes
  libjansson support:                      yes
  hiredis support:                         no
  hiredis async with libevent:             no
  Prelude support:                         no
  PCRE jit:                                yes
  LUA support:                             no
  libluajit:                               no
  GeoIP2 support:                          no
  Non-bundled htp:                         no
  Old barnyard2 support:                   no
  Hyperscan support:                       no
  Libnet support:                          yes
  liblz4 support:                          yes

  Rust support:                            yes
  Rust strict mode:                        no
  Rust compiler path:                      /home/grommish/.cargo/bin/rustc
  Rust compiler version:                   rustc 1.45.0 (5c1f21c3b 2020-07-13)
  Cargo path:                              /home/grommish/.cargo/bin/cargo
  Cargo version:                           cargo 1.45.0 (744bd1fbb 2020-06-15)
  Cargo vendor:                            yes

  Python support:                          yes
  Python path:                             /home/grommish/openwrt/staging_dir/hostpkg/bin/python3
  Python distutils                         yes
  Python yaml                              no
  Install suricatactl:                     yes
  Install suricatasc:                      yes
  Install suricata-update:                 no, requires pyyaml

  Profiling enabled:                       no
  Profiling locks enabled:                 no

Development settings:
  Coccinelle / spatch:                     no
  Unit tests enabled:                      no
  Debug output enabled:                    yes
  Debug validation enabled:                no

Generic build parameters:
  Installation prefix:                     /usr
  Configuration directory:                 /etc/suricata/
  Log directory:                           /var/log/suricata/

  --prefix                                 /usr
  --sysconfdir                             /etc
  --localstatedir                          /var
  --datarootdir                            /usr/share

  Host:                                    mips64-unknown-linux-muslabi64
  Compiler:                                ccache_cc (exec name) / gcc (real)
  GCC Protect enabled:                     yes
  GCC march native enabled:                no
  GCC Profile enabled:                     no
  Position Independent Executable enabled: yes
  CFLAGS                                   -Os -pipe -mno-branch-likely -march=octeon3 -mabi=64 -fno-caller-saves -fno-plt -fhonour-copts -Wno-error=unused-but-set-variable -Wno-erros
  PCAP_CFLAGS                              -I/home/grommish/openwrt/staging_dir/target-mips64_octeon3_64_musl/usr/include 
  SECCFLAGS                                -fstack-protector -D_FORTIFY_SOURCE=2 -Wformat -Wformat-security
root@Shield:/etc# uname -a
Linux Shield 5.4.52 #0 SMP Tue Jul 28 03:51:24 2020 mips64 GNU/Linux

I'm interested in suricata on OpenWrt...
You could probably submit it to the official packages repo as a PR, and we can improve the support over time even if it isn't perfect now.


Oh, that might happen, but the biggest reason (and issue) behind why I built Suricata the way I did is that it requires rustc and cargo to compile.

I wanted to be sure I could get rustc/cargo to work with the OpenWrt build system, and it does. The big hurdle is that in order to get Suricata accepted as an official package, every piece has to be in place inside the build system itself - including Rust.

I cheated in order to do this by installing rustup on the host machine and using that to compile with the appropriate toolchain. None of it was baked into a rustup package, although I'm working on one.

For those who are interested in playing, here is my feeds/packages/net/suricata/Makefile

#
# Copyright (C) 2006-2015 OpenWrt.org
#
# This is free software, licensed under the GNU General Public License v2.
# See /LICENSE for more information.
#
include $(TOPDIR)/rules.mk

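PKG_NAME:=suricata
PKG_VERSION:=5.0.3
PKG_RELEASE:=1

PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
PKG_SOURCE_URL:=https://www.openinfosecfoundation.org/download/
# Pins the exact upstream tarball: the build aborts if the download does not
# match, so update this together with PKG_VERSION on every bump.
PKG_HASH:=34413ecdad2ff2452526dbcd22f1279afd0935151916c0ff9cface4b0b5665db

PKG_LICENSE:=GPL-2.0-only
PKG_LICENSE_FILES:=LICENSE
# Lets OpenWrt's advisory tooling match this package against published CVEs.
PKG_CPE_ID:=cpe:/a:oisf:suricata

# PKG_FIXUP is a space-separated list. The earlier version assigned it three
# times with ':=', so each line overwrote the previous one and only
# gettext-version was ever applied. autoreconf is the fixup that matters for a
# cross build (it regenerates configure/libtool for the OpenWrt toolchain);
# Suricata is not a gettext package, so gettext-version is not needed.
PKG_FIXUP:=autoreconf
PKG_INSTALL:=1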

include $(INCLUDE_DIR)/package.mk
include $(INCLUDE_DIR)/nls.mk

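# Package metadata and runtime dependencies.
#
# DEPENDS lists only libraries the shipped binary actually links: the posted
# --build-info reports "LUA support: no" / "libluajit: no", and Suricata 5.x
# links the original libpcre (pcre2 support does not exist in this version),
# so +lua, +luajit and +libpcre2 from the test build are dropped.
# +python3-yaml is only consumed by suricata-update; it is kept for the day
# that script builds, but can go if suricata-update is never packaged.
define Package/suricata
    SUBMENU:=Firewall
    SECTION:=net
    CATEGORY:=Network
    TITLE:=OISF Suricata IDS
    URL:=https://www.openinfosecfoundation.org/
    DEPENDS:=+libpcre +libpcap +libnet-1.2.x +libyaml +zlib +libmagic \
       +jansson +libnetfilter-queue +libnfnetlink +libnss +liblz4 \
       +python3-yaml +libcap-ng $(ICONV_DEPENDS)
endef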

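# Append to the stock OpenWrt configure arguments instead of replacing them:
# package.mk already passes --prefix=/usr, --sysconfdir=/etc,
# --localstatedir=/var and the toolchain's --build/--host/--target triple,
# so those three options are not repeated here.
#
# --host is still overridden on purpose: it carries the *rustc* target
# triple, evidently because Suricata's rust build hands the configure host
# triple to cargo and OpenWrt's own GNU triple is not a rustc target (this is
# the "cheat" described in the post). It hard-codes one board; a proper
# package needs a Rust host toolchain inside the build system so the triple
# can be derived from the selected target instead.
#
# --enable-debug is no longer passed. It compiles debug tracing into the
# binary (visible as the "DEBUG" feature and "Debug output enabled: yes" in
# the posted --build-info), which belongs in a local test build rather than
# in a shipped IDS. Note also that --build-info reports _FORTIFY_SOURCE=1 in
# effect although SECCFLAGS asks for =2; presumably the global OpenWrt
# fortify-source setting lands later on the command line and wins, so that
# level is chosen in menuconfig, not in this Makefile.
CONFIGURE_ARGS += \
   --enable-nfqueue \
   --enable-gccprotect \
   --enable-pie \
   --host=mips64-unknown-linux-muslabi64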

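# Runtime install: the daemon binary, the bundled libhtp shared object (the
# only shared library this build installs; the .la/.a files, pkgconfig
# metadata and the Python site-packages for the not-yet-packaged
# suricatasc/suricatactl stay out instead of copying all of /usr/lib), the
# upstream configuration files, the bundled rules and the init script.
#
# Configuration and rules go in with INSTALL_DATA so they land with a fixed
# 0644 mode rather than whatever the build tree happened to have, and the
# conffiles list below makes opkg preserve local edits across upgrades.
#
# NOTE(review): the init script (files/suricata.init, not shown) must create
# /var/log/suricata on every boot, since /var is tmpfs on OpenWrt and that is
# Suricata's default-log-dir, and should pass --user/--group so the daemon
# does not keep running as root (--build-info lists LIBCAP_NG, which is what
# that privilege drop relies on).
define Package/suricata/install
	$(INSTALL_DIR) $(1)/usr/bin
	$(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/bin/suricata $(1)/usr/bin/suricata

	$(INSTALL_DIR) $(1)/usr/lib
	$(CP) $(PKG_INSTALL_DIR)/usr/lib/libhtp.so* $(1)/usr/lib/

	$(INSTALL_DIR) $(1)/etc/suricata
	$(INSTALL_DATA) $(PKG_BUILD_DIR)/suricata.yaml $(1)/etc/suricata/
	$(INSTALL_DATA) $(PKG_BUILD_DIR)/etc/classification.config $(1)/etc/suricata/
	$(INSTALL_DATA) $(PKG_BUILD_DIR)/threshold.config $(1)/etc/suricata/
	$(INSTALL_DATA) $(PKG_BUILD_DIR)/etc/reference.config $(1)/etc/suricata/

	$(INSTALL_DIR) $(1)/etc/suricata/rules
	$(INSTALL_DATA) $(PKG_BUILD_DIR)/rules/*.rules $(1)/etc/suricata/rules/

	$(INSTALL_DIR) $(1)/etc/init.d
	$(INSTALL_BIN) ./files/suricata.init $(1)/etc/init.d/suricata
endef

# Files opkg must keep on upgrade: they become site-specific once edited.
define Package/suricata/conffiles
/etc/suricata/suricata.yaml
/etc/suricata/classification.config
/etc/suricata/threshold.config
/etc/suricata/reference.config
endef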

# Register the package with the OpenWrt build system; this consumes the
# Package/suricata and Package/suricata/install definitions above.
$(eval $(call BuildPackage,suricata))

Normally Package/suricata/install would install a packaged suricata.yaml from files/etc/suricata/ into $(1)/etc/suricata, but I don't do that yet for testing: the stock upstream suricata.yaml is copied straight from the build directory, which is why the --dump-config output above shows upstream defaults such as af-packet on eth0 and HOME_NET set to the RFC 1918 ranges.

There is still an issue where configure doesn't recognise that PyYAML is installed and therefore skips suricata-update ("Install suricata-update: no, requires pyyaml" in the build info). Going by that output, configure probes the build-host interpreter at /home/grommish/openwrt/staging_dir/hostpkg/bin/python3 for the yaml module, so a target-side +python3-yaml dependency cannot satisfy the check; it is the host Python that needs PyYAML. I'm also fairly sure some of the DEPENDS I added for testing can be removed.