Suricata 6 for OpenWrt

Anyone want to test for me? Must build from source. This will, at some point, error. I'll promise it now (Rust will do it until I get more testers). I would suggest building outside of your main buildroot.

This requires a decent piece of kit. Running the Emerging-Threats Open and built-in rules, it has a massive RAM footprint on my device.

21556 root 486m S {Suricata-Main} suricata -c /etc/suricata/suricata.yaml -i eth0 -v -D

I do not have an init.d script for it yet - there is no LuCI app for Suricata. Just testing to see if it'll work and, when it doesn't, why. Any help anyone can give would be gratefully appreciated!

Using gh pr or git cherry-pick


Suricata6 will be under Network/Firewall and Language/Rust will give you compiler options that I'm still working on :slight_smile:


Thank you for starting on this project. I look forward to seeing the results down the road.

It's done, but isn't going to go anywhere until I get Rust-lang tested by the community. Until Rust-lang is tested and incorporated into OpenWrt, you can't compile Suricata6


For anyone who is willing, or wanting, to test Rust and/or Suricata6 AND is building from SOURCE main branch (not ImageBuilder): testing will PROBABLY AND MOST LIKELY fail, because I need people to test in order to add support for the various toolchains Rust knows how to build. Until I get tests and failures, it's difficult to build in support for various targets.

Currently the targets I've set up: MIPS MUSL, MIPS64 MUSL, X86/64 MUSL, PowerPC MUSL, and ARM MUSLGNUEABI

Still interested in playing? Continue on...

Install git-pr to make it easier to pull the Pull Requests (sudo apt-get install git-extras):

cd ./feeds/packages
git-pr 13916 origin

This assumes you've not renamed the origin branch for the upstream repo.

cd ~/openwrt
./scripts/feeds update -i && ./scripts/feeds install -a

This will force the build system to re-index the feeds and then install them (including anything new it finds, like rust).

Special Note: If you are building for a MIPS64 target, you must also modify libunwind so it recognizes that it actually works under MIPS64. Edit ./package/libs/libunwind/Makefile and change the following line from:

DEPENDS:=@((mips||mipsel||x86_64||arm||aarch64)||(USE_GLIBC&&(powerpc||i386))) +zlib

to

DEPENDS:=@((mips||mipsel||x86_64||arm||aarch64||mips64)||(USE_GLIBC&&(powerpc||i386))) +zlib

And you're done. You should now be able to run make menuconfig and select Rust under Languages.

You can select various options under Compiler Options, but the defaults should be fine.

The initial compile will take a WHILE. Don't panic, let it run. The Rust-lang host toolchains are large, have to be compiled from the relative ground up, then packaged for re-use and install. Future compiles will find the installation binaries YOU create during the first compile and use them instead of recompiling on future builds. These installation binaries will survive even a make clean, as the installation binary archive is kept in ./dl/, so the only time the toolchain is recompiled would be when the version of Rust itself changes.
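The steps above (pull the PR into the packages feed, re-index, and for MIPS64 hand-edit the libunwind DEPENDS line) are easy to get subtly wrong when done by hand, so here is an added helper script. It is not from the thread or the PRs; it scripts the procedure the post describes and makes the libunwind edit idempotent, refusing to touch a Makefile whose DEPENDS line no longer looks like the one quoted above (a sign the upstream file has changed and the edit needs re-checking). The PR number and paths are the ones given in the post; running the feed steps needs a network connection, so they are only executed when the script is invoked with `--run`.

```shell
#!/bin/sh
# Added example (not part of the original post or PR): scripted version of the
# "pull the rust PR and patch libunwind for MIPS64" procedure.
set -e

PR_NUMBER=13916                                   # rust PR from the post
LIBUNWIND_MK=./package/libs/libunwind/Makefile    # path given in the post

# The DEPENDS line exactly as the post quotes it, before and after the edit.
ORIG_DEPENDS='^DEPENDS:=@((mips||mipsel||x86_64||arm||aarch64)'
NEW_DEPENDS='DEPENDS:=@((mips||mipsel||x86_64||arm||aarch64||mips64)'

# libunwind_has_mips64 MAKEFILE -> 0 if mips64 is already in the first arch group
libunwind_has_mips64() {
    grep -q "^$NEW_DEPENDS" "$1"
}

# patch_libunwind_mips64 MAKEFILE
# Adds "||mips64" to the first architecture group of the DEPENDS line.
# Returns 0 if patched or already patched, 1 if the expected line is absent
# (do not guess in that case; look at the Makefile by hand).
patch_libunwind_mips64() {
    mk=$1
    if libunwind_has_mips64 "$mk"; then
        return 0
    fi
    grep -q "$ORIG_DEPENDS" "$mk" || return 1
    tmp=$(mktemp)
    # BRE: '(', '|' and '@' are literal, so the pattern matches verbatim.
    sed "s/$ORIG_DEPENDS/$NEW_DEPENDS/" "$mk" > "$tmp"
    mv "$tmp" "$mk"
}

# pull_rust_pr: the feed steps from the post. Assumes the cwd is the OpenWrt
# buildroot and the packages feed has a remote called "origin", as the post does.
pull_rust_pr() {
    ( cd ./feeds/packages && git-pr "$PR_NUMBER" origin )
    ./scripts/feeds update -i
    ./scripts/feeds install -a
}

if [ "${1:-}" = "--run" ]; then
    pull_rust_pr
    if [ "${2:-}" = "mips64" ]; then
        patch_libunwind_mips64 "$LIBUNWIND_MK" ||
            { echo "libunwind Makefile has no recognised DEPENDS line; edit it by hand" >&2; exit 1; }
    fi
    echo "feeds updated; run 'make menuconfig' and select Rust under Languages"
fi
```

Usage: `sh add-rust-feed.sh --run` for the feed steps alone, `sh add-rust-feed.sh --run mips64` to also apply the libunwind change. Running the patch function twice leaves a single `mips64` in the line, which matters if you re-run the script after a failed build.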

The PR for Suricata6 has been updated. Corrected issues with typedef errors and missing libatomics. Created some engine options.

This is running on my Edgerouter 10x running Linux OpenWrt 5.10.23 #0 SMP Wed Mar 17 17:28:49 2021 mips GNU/Linux (mipsel_24kc)

The rust PR will be updated as well to handle mipsel.

This is still a WIP. The init.d/suricata script doesn't work worth a damn and I'm still missing the /etc/config/suricata from the PR (I'm editing them on device and haven't moved them yet), but suricata itself works :slight_smile:

Hi, I wish to help! I have an RPi4; do you think it's compatible, or that I can be useful in any way?

What chipset is the RPi4?

edit: Found it.. aarch64_cortex-a72

I need to see if Rust is setup for it or not. If not I'll update rust and let you know. Are you building from source?

I'll likely test a bit as well on the RPi4 if ipks are available/installable (not building from source).

Snort was right on the limit, if not a little over, hardware-wise @ 50/15, so it would be interesting to compare resource consumption figures...

Suricata requires kernel-tied libraries, so a pre-compiled ipk isn't an option :frowning:

Also, would be helpful for source builders to help finalize rust-lang so I can actually get Suricata accepted into the package repo.


I could build in a main branch RPi4 build with Suricata built in if you want to test the whole image


I can do it... was just a little lazy (to switch SD cards, due to the community build process) :wink: ... let us know when you think aarch64/aarch64_cortex-a72 is worth a whack / if you think it may work...

Will do. I will test the update for rust-lang to support aarch64 and test build. When I get that working, I'll let you know so you can pull the rust and suricata PRs


Ok @wulfy23, here are some PRs to play with.

I would recommend pulling both, but do me a favor and build out your rust toolchain first.

Once you pull and reindex, go into make menuconfig, Language, and check-mark Rust. Save, exit.

make -jx package/feeds/packages/rust/host/compile

I'm still working on some weird bugs where, if it isn't selected in the package, it won't build. Besides, this will take an incredible amount of time and I don't want you thinking the build hung :D. All the first run does is make the toolchain; any future call for it will take no time at all, even from a clean state.

Both rust and suricata have menu options to play with. If you have suggestions on changes, I'm always open to them.

I fixed the init.d script for suricata, so when you get it, it should just work once you turn it on :slight_smile:


oops, I mistakenly forgot they were 'packages' patches...

what happens when you try to apply packages patches to the buildroot
git pull
ln -s ../cache/dl/ dl
wget https://github.com/openwrt/packages/pull/13916.patch
git apply 13916.patch 
wget https://github.com/openwrt/packages/pull/13924.patch
git apply 13924.patch 
./scripts/feeds update -a
./scripts/feeds install -a
make menuconfig #select bcm2711

No rust is visible under Languages... (nor suricata under Network > Firewall or Network... where I'd expect to find it)

Selecting x86_64/ipq806x makes no difference; it still results in no selectable options in menuconfig.

patch-stdout

###################$ git am ../RUST/13916.patch 
Applying: rust: Initial commit for Rust lang 1.50.0 toolchain
.git/rebase-apply/patch:348: trailing whitespace.
.git/rebase-apply/patch:379: trailing whitespace.
.git/rebase-apply/patch:383: trailing whitespace.
.git/rebase-apply/patch:394: trailing whitespace.
.git/rebase-apply/patch:399: trailing whitespace.
warning: squelched 3 whitespace errors
warning: 8 lines add whitespace errors.
############$ git am ../RUST/13924.patch 
Applying: suricata6: Initial commit Suricata 6 IDS/IPS/NSM engine
.git/rebase-apply/patch:36: trailing whitespace.
	endchoice 
.git/rebase-apply/patch:123: space before tab in indent.
  	+libmagic +libpcap +libpcre +libmaxminddb +libnet-1.2.x \
.git/rebase-apply/patch:124: space before tab in indent.
  	+libnetfilter-log +libnetfilter-queue +libnfnetlink +libnss \
.git/rebase-apply/patch:125: space before tab in indent.
  	+libopenssl +luajit +python3 +python3-pip +python3-yaml \
.git/rebase-apply/patch:126: space before tab in indent.
  	+python3-yaml-src +zlib +libatomic +file
warning: squelched 2 whitespace errors
warning: 7 lines add whitespace errors.

I'm guessing this is something local to your build. When you ran the patch, were you in ./feeds/packages? Is there a ./feeds/packages/lang/rust or ./feeds/packages/net/suricata6 in your tree?

If they are there, try running: ./scripts/feeds update -i and ./scripts/feeds install rust suricata6

The only other thing could be a dep issue, but since I built out the aarch64 toolchain and suricata for the RPi4, I don't know what I would have that you wouldn't.


yes... identical to fresh git clone...

the root directory of the buildroot... oh! your patches are in the packages repo, right (slaps forehead)... totally forgot they were for packages...

apologies for the noise...

There is every possibility something I did causes issues ;p I've come to expect it :smiley:

But, hopefully it works because I can't move Suricata forward without rust and it's going to be a bear trying to get accepted as it is hehhe

yeah, rust is compiling away... apart from my stuff-up, everything smooth so far...

edit: required host > ccache
edit: compiled ok
edit: potential issue (probably just me not knowing these apps... but there was a knob for [ ] with python that I thought was default non-selected... yet the build pulled in carploads of python ipks -> I'll double check this next time I build; could be imagining things)
edit: boot/run test seems problematic at the moment due to (non-related?) logread issue...

results-v1
root@(none):~# logread | grep sur
Failed to find log object: Not found
Failed to find log object: Not found
^CFailed to find log object: Not found
Failed to find log object: Not found
^X^X^Z
[3]+  Stopped                    logread | grep sur
root@(none):~# ps w | grep suricata

root@(none):~# /etc/init.d/suricata enable
root@(none):~# /etc/init.d/suricata restart
BusyBox v1.33.0 () multi-call binary.

Usage: mkdir [-m MODE] [-p] DIRECTORY...

Create DIRECTORY

	-m MODE	Mode
	-p	No error if exists; make parent directories as needed
validation failed
root@(none):~# 
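The `BusyBox ... Usage: mkdir` text followed by `validation failed` in the output above is what BusyBox prints when `mkdir` is invoked with no DIRECTORY operand at all, which is the signature of an unquoted, unset shell variable (`mkdir -p $dir` expands to a bare `mkdir -p`; the quoted form `mkdir -p "$dir"` would instead fail with "can't create directory ''"). Here is an added, stand-alone helper of the kind an init script can use to make that failure loud and explicit instead of printing a usage banner; it is not the init script from the PR, and the function and variable names are illustrative.

```shell
#!/bin/sh
# Added example (not from the PR's init.d script): guard directory creation in
# an init script so an unset path is reported instead of surfacing as a
# BusyBox "Usage: mkdir" banner.
set -e

# ensure_dir PATH
# Creates PATH (and parents) if it is set and non-empty. Returns 1 with a clear
# message when PATH is empty, which is the failure mode seen in the thread.
ensure_dir() {
    dir=${1:-}
    if [ -z "$dir" ]; then
        echo "ensure_dir: directory path is empty (check the config option that should set it)" >&2
        return 1
    fi
    # Always quote: an empty "$dir" is still one argument, so mkdir reports a
    # useful error rather than printing its usage text.
    mkdir -p "$dir"
}

# validate_run_env RUN_DIR LOG_DIR
# Illustrative "validation" step of the kind a start handler would call before
# launching the engine: every required directory must be creatable, else fail.
validate_run_env() {
    ensure_dir "${1:-}" || return 1
    ensure_dir "${2:-}" || return 1
    return 0
}
```

With this in place, a missing `/etc/config` value produces a one-line `ensure_dir: directory path is empty ...` in the log instead of the mkdir usage text, which makes the `validation failed` line actionable.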

Ok, then you should be good for Suricata.. Your rust toolchain is in dl/rust-1.50.0-x86_64-unknown-linux-gnu_aarch64-openwrt-linux-musl-install.tar.xz :slight_smile: and installs to ./staging_dir for use


yup both were ok...
