Suricata 6 for OpenWrt

echelon · October 17, 2023, 8:16pm

It seems your build host has libnet-dev version 1.1.x installed, because the one from OpenWrt Snapshot is version 1.2.x.

From your config.log :

configure:20994: checking for libnet.h version 1.1.x
configure:21003: result: yes
configure:21011: checking for libnet_write in -lnet
configure:21034: x86_64-openwrt-linux-musl-gcc -o conftest -Os -pipe -fno-caller-saves -fno-plt -fhonour-copts -fmacro-prefix-map=/home/user/Desktop/openwrt/build_dir/target-x86_64_musl/suricata-7.0.2=suricata-7.0.2 -Wformat -Werror=format-security -fstack-protector -D_FORTIFY_SOURCE=1 -Wl,-z,now -Wl,-z,relro -I/home/user/Desktop/openwrt/staging_dir/target-x86_64_musl/usr/lib/libiconv-full/include -I/home/user/Desktop/openwrt/staging_dir/target-x86_64_musl/usr/lib/libintl-full/include -I/home/user/Desktop/openwrt/staging_dir/target-x86_64_musl/usr/include -I/home/user/Desktop/openwrt/staging_dir/host/include -I/home/user/Desktop/openwrt/staging_dir/target-x86_64_musl/usr/lib/libintl-full/include -I/home/user/Desktop/openwrt/staging_dir/target-x86_64_musl/usr/include/hs  -fPIC -std=c11 -I/home/user/Desktop/openwrt/staging_dir/toolchain-x86_64_gcc-12.3.0_musl/usr/include -I/home/user/Desktop/openwrt/staging_dir/toolchain-x86_64_gcc-12.3.0_musl/include/fortify -I/home/user/Desktop/openwrt/staging_dir/toolchain-x86_64_gcc-12.3.0_musl/include -I/home/user/Desktop/openwrt/staging_dir/target-x86_64_musl/usr/lib/libiconv-full/include -I/home/user/Desktop/openwrt/staging_dir/target-x86_64_musl/usr/lib/libintl-full/include  -I/usr/include/hs -L/home/user/Desktop/openwrt/staging_dir/toolchain-x86_64_gcc-12.3.0_musl/usr/lib -L/home/user/Desktop/openwrt/staging_dir/toolchain-x86_64_gcc-12.3.0_musl/lib -fuse-ld=bfd -znow -zrelro -L/home/user/Desktop/openwrt/staging_dir/target-x86_64_musl/usr/lib/libiconv-full/lib -Wl,-rpath-link=/home/user/Desktop/openwrt/staging_dir/target-x86_64_musl/usr/lib/libiconv-full/lib -L/home/user/Desktop/openwrt/staging_dir/target-x86_64_musl/usr/lib/libintl-full/lib -Wl,-rpath-link=/home/user/Desktop/openwrt/staging_dir/target-x86_64_musl/usr/lib/libintl-full/lib -L/home/user/Desktop/openwrt/staging_dir/target-x86_64_musl/usr/lib -lnet -L/home/user/Desktop/openwrt/staging_dir/target-x86_64_musl/usr/lib/libintl-full/lib -lintl -L/home/user/Desktop/openwrt/staging_dir/host/lib -lelf  -rdynamic conftest.c -lnet  -ljansson -lpthread -lyaml -lhs -lpcre2-8  -lz -L/usr/lib -lhs >&5
configure:21034: $? = 0
configure:21044: result: yes
configure:21086: checking for libnet_build_icmpv6_unreach in -lnet
configure:21109: x86_64-openwrt-linux-musl-gcc -o conftest -Os -pipe -fno-caller-saves -fno-plt -fhonour-copts -fmacro-prefix-map=/home/user/Desktop/openwrt/build_dir/target-x86_64_musl/suricata-7.0.2=suricata-7.0.2 -Wformat -Werror=format-security -fstack-protector -D_FORTIFY_SOURCE=1 -Wl,-z,now -Wl,-z,relro -I/home/user/Desktop/openwrt/staging_dir/target-x86_64_musl/usr/lib/libiconv-full/include -I/home/user/Desktop/openwrt/staging_dir/target-x86_64_musl/usr/lib/libintl-full/include -I/home/user/Desktop/openwrt/staging_dir/target-x86_64_musl/usr/include -I/home/user/Desktop/openwrt/staging_dir/host/include -I/home/user/Desktop/openwrt/staging_dir/target-x86_64_musl/usr/lib/libintl-full/include -I/home/user/Desktop/openwrt/staging_dir/target-x86_64_musl/usr/include/hs  -fPIC -std=c11 -I/home/user/Desktop/openwrt/staging_dir/toolchain-x86_64_gcc-12.3.0_musl/usr/include -I/home/user/Desktop/openwrt/staging_dir/toolchain-x86_64_gcc-12.3.0_musl/include/fortify -I/home/user/Desktop/openwrt/staging_dir/toolchain-x86_64_gcc-12.3.0_musl/include -I/home/user/Desktop/openwrt/staging_dir/target-x86_64_musl/usr/lib/libiconv-full/include -I/home/user/Desktop/openwrt/staging_dir/target-x86_64_musl/usr/lib/libintl-full/include  -I/usr/include/hs -L/home/user/Desktop/openwrt/staging_dir/toolchain-x86_64_gcc-12.3.0_musl/usr/lib -L/home/user/Desktop/openwrt/staging_dir/toolchain-x86_64_gcc-12.3.0_musl/lib -fuse-ld=bfd -znow -zrelro -L/home/user/Desktop/openwrt/staging_dir/target-x86_64_musl/usr/lib/libiconv-full/lib -Wl,-rpath-link=/home/user/Desktop/openwrt/staging_dir/target-x86_64_musl/usr/lib/libiconv-full/lib -L/home/user/Desktop/openwrt/staging_dir/target-x86_64_musl/usr/lib/libintl-full/lib -Wl,-rpath-link=/home/user/Desktop/openwrt/staging_dir/target-x86_64_musl/usr/lib/libintl-full/lib -L/home/user/Desktop/openwrt/staging_dir/target-x86_64_musl/usr/lib -lnet -L/home/user/Desktop/openwrt/staging_dir/target-x86_64_musl/usr/lib/libintl-full/lib -lintl -L/home/user/Desktop/openwrt/staging_dir/host/lib -lelf  -rdynamic conftest.c -lnet  -lnet -ljansson -lpthread -lyaml -lhs -lpcre2-8  -lz -L/usr/lib -lhs >&5
configure:21109: $? = 0
configure:21119: result: yes
configure:21159: checking libnet_init dev type
configure:21185: x86_64-openwrt-linux-musl-gcc -c -Os -pipe -fno-caller-saves -fno-plt -fhonour-copts -fmacro-prefix-map=/home/user/Desktop/openwrt/build_dir/target-x86_64_musl/suricata-7.0.2=suricata-7.0.2 -Wformat -Werror=format-security -fstack-protector -D_FORTIFY_SOURCE=1 -Wl,-z,now -Wl,-z,relro -I/home/user/Desktop/openwrt/staging_dir/target-x86_64_musl/usr/lib/libiconv-full/include -I/home/user/Desktop/openwrt/staging_dir/target-x86_64_musl/usr/lib/libintl-full/include -I/home/user/Desktop/openwrt/staging_dir/target-x86_64_musl/usr/include -I/home/user/Desktop/openwrt/staging_dir/host/include -I/home/user/Desktop/openwrt/staging_dir/target-x86_64_musl/usr/lib/libintl-full/include -I/home/user/Desktop/openwrt/staging_dir/target-x86_64_musl/usr/include/hs  -fPIC -std=c11 -Werror -I/home/user/Desktop/openwrt/staging_dir/toolchain-x86_64_gcc-12.3.0_musl/usr/include -I/home/user/Desktop/openwrt/staging_dir/toolchain-x86_64_gcc-12.3.0_musl/include/fortify -I/home/user/Desktop/openwrt/staging_dir/toolchain-x86_64_gcc-12.3.0_musl/include -I/home/user/Desktop/openwrt/staging_dir/target-x86_64_musl/usr/lib/libiconv-full/include -I/home/user/Desktop/openwrt/staging_dir/target-x86_64_musl/usr/lib/libintl-full/include  -I/usr/include/hs conftest.c >&5
configure:21185: $? = 0
configure:21192: result: yes

As we don't use libnet 1.2.x, so delete it from dependencies list.

Suricata 7 buildsystem error out because it looking for libnet lib binary version 1.1.x.

LunarLobster · October 18, 2023, 4:46pm

I was able to get it built and seems like Suricata is running properly.

You were right, it did seem to be confused with the build host having libnet-dev 1.1.x installed while it tried to use 1.2.x from OpenWrt.

echelon · October 18, 2023, 7:20pm

Congratulations ! , finally we are able to finished the line the probable edge cases for the Suricata 7 Makefile which were @Grommish meant to do. Don't know much about OpenWrt Build system on why it picking up outside the OpenWrt Buildroot as I am a also a Junior open OpenWrt user.

Pepe · October 22, 2023, 9:27pm

Guys, are you planning to send Suricata 7 to OpenWrt packages feed?

echelon · October 22, 2023, 9:30pm

@Pepe
Still thinking about it.

Odyssey · November 23, 2023, 1:42am

Hello, I'm tring to build the suricata6.0.4 by following the working branch(https://github.com/Itus-Shield/packages/tree/working) you mentioned. I can build the rust-1.59 successfully, however, I encounted an issue when building the suricata6.

error: failed to compile `cbindgen v0.26.0`, intermediate artifacts can be found at `/mnt/openwrt/tmp/cargo-installI                                                                          CZnJc`

Caused by:
  package `cbindgen v0.26.0` cannot be built because it requires rustc 1.64 or newer, while the currently active rus                                                                          tc version is 1.59.0-nightly
make[2]: *** [Makefile:180: /mnt/openwrt/build_dir/target-x86_64_musl/suricata-6.0.4/.prepared_aa11930e39e8413fb0fe8                                                                          61ce0b4b4d2_6664517399ebbbc92a37c5bb081b5c53] Error 101
make[2]: Leaving directory '/mnt/openwrt/feeds/packages/net/suricata6'

Any suggestions? Or which branch should I try?

Thanks.

supersebbo · January 21, 2024, 6:20pm

Hi folks, I'm interested to help out here. Just one question, I understand the main thrust of this thread is getting suricata to compile, but after that has anyone actually got it running and proven it can do IDS/IPS on OpenWRT and not break anything on the networking/firewall stack?

buggz · January 21, 2024, 7:19pm

This sounds interesting.
I'd like to help.
Is the original post the source to get started, it is updated instructions, etc?

Grommish · January 25, 2024, 8:30am

This potentially might not be a dead duck yet.. I'll look into things as I get more and more back up and running.

echelon · March 28, 2024, 5:25pm

@Grommish
Welcome back, I have put together based on your previous works and still using it Suricata 8 OpenWrt Package files :

https://uploadnow.io/f/Lrz8rpx

Might be useful.

dingo · March 29, 2024, 8:23am

nice, please confirm with me this works on OpenWRT 23.05

echelon · March 29, 2024, 9:53am

I don't know, you should try it, afaik all development mostly goes in SNAPSHOT. I think should not much of differences. As suricata is really memory consuming, I suggest to run it on x86_64.

dingo · March 29, 2024, 11:32am

mmm nope, options show in make menuconfig, but not the suricata itself to select... so somethings off.

buggz · March 29, 2024, 11:34am

How can I download this to test?
Need to be on latest SNAPSHOT to run?
All I currently have open for testing is a GL.iNet GL-MT6000, probrably underpowered for this package?

dingo · March 29, 2024, 12:09pm

need it to build properly first... ive put it in the tree but make menuconfig only shows the config options for suricata, not suricata itself.

echelon · March 29, 2024, 1:38pm

@buggz
I don't have more powerful mobile device to test on as such your GL-MT6000, probably it can run but problematic as needs more memory in more than one gigabyte of ram (if I am not mistaken).
You need to compile yourself to test it out, there are no specific compilation for your device.

@dingo
Did you compile for x86_64?, I haven't test for other platform. because it has :

@!SMALL_FLASH @!LOW_MEMORY_FOOTPRINT

You can remove it if you wanted to test it for other platform, I haven't test this!.

Please put the whole suricata folder inside ./feeds/packages/net and runs :

./scripts/feeds update -a
./scripts/feeds install -a

and retry make menuconfig, it's located in Network-->Firewall-->Suricata

dingo · March 29, 2024, 2:08pm

Ive removed that for ARM64, i did get a proper Makefile done, and its goes to build however it does fail with

openwrt/staging_dir/target-aarch64_cortex-a53+neon-vfpv4_musl/usr/include -fPIC -D__SCFILENAME__=\"app-layer-parser\"  -Wextra -Werror-implicit-function-declaration   -I/home/dingo/wlan-ap/openwrt/staging_dir/target-aarch64_cortex-a53+neon-vfpv4_musl/usr/include -DLOCAL_STATE_DIR=\"/var\" -Wall -Wno-unused-parameter -Wmissing-prototypes -Wmissing-declarations -Wstrict-prototypes -Wwrite-strings -Wbad-function-cast -Wformat-security -Wno-format-nonliteral -Wmissing-format-attribute -funsigned-char  -Os -pipe -mcpu=cortex-a53 -fno-caller-saves -fno-plt -fhonour-copts -Wformat -Werror=format-security -fstack-protector -D_FORTIFY_SOURCE=1 -Wl,-z,now -Wl,-z,relro    -fPIC -std=c11 -I./../rust/gen -I./../rust/dist -c -o app-layer-parser.o app-layer-parser.c
app-layer-parser.c: In function 'AppLayerParserRegisterProtocolParsers':
app-layer-parser.c:1770:5: error: implicit declaration of function 'SCMqttRegisterParser'; did you mean 'rs_mqtt_register_parser'? [-Werror=implicit-function-declaration]
 1770 |     SCMqttRegisterParser();
      |     ^~~~~~~~~~~~~~~~~~~~
      |     rs_mqtt_register_parser
cc1: some warnings being treated as errors
make[6]: *** [Makefile:3550: app-layer-parser.o] Error 1
make[6]: Leaving directory '/home/dingo/wlan-ap/openwrt/build_dir/target-aarch64_cortex-a53+neon-vfpv4_musl/suricata-8.0.0/src'
make[5]: *** [Makefile:2731: all] Error 2
make[5]: Leaving directory '/home/dingo/wlan-ap/openwrt/build_dir/target-aarch64_cortex-a53+neon-vfpv4_musl/suricata-8.0.0/src'
make[4]: *** [Makefile:502: all-recursive] Error 1
make[4]: Leaving directory '/home/dingo/wlan-ap/openwrt/build_dir/target-aarch64_cortex-a53+neon-vfpv4_musl/suricata-8.0.0'
make[3]: *** [Makefile:184: /home/dingo/wlan-ap/openwrt/build_dir/target-aarch64_cortex-a53+neon-vfpv4_musl/suricata-8.0.0/.built] Error 2
make[3]: Leaving directory '/home/dingo/wlan-ap/feeds/optim/net/suricata8'
time: package/feeds/optim/suricata8/compile#422.08#22.60#147.86
    ERROR: package/feeds/optim/suricata8 failed to build.
make[2]: *** [package/Makefile:124: package/feeds/optim/suricata8/compile] Error 1
make[2]: Leaving directory '/home/dingo/wlan-ap/openwrt'
make[1]: *** [package/Makefile:118: /home/dingo/wlan-ap/openwrt/staging_dir/target-aarch64_cortex-a53+neon-vfpv4_musl/stamp/.package_compile] Error 2
make[1]: Leaving directory '/home/dingo/wlan-ap/openwrt'
make: *** [/home/dingo/wlan-ap/openwrt/include/toplevel.mk:232: world] Error 2

echelon · March 29, 2024, 3:01pm

Add "-Wno-error" into at the end of TARGET_CFLAGS in the Makefile.

Or Download new one :

https://uploadnow.io/s/d0b85181-11fd-4648-8016-5d9e5e1e3ead

dingo · March 29, 2024, 3:40pm

this is what i mean by there is no menu item for suricata

echelon · March 29, 2024, 5:32pm

It was hyperscan-runtime dependency, replace "hyperscan-runtime" with "+(TARGET_x86||TARGET_x86_64):hyperscan-runtime", in the DEPENDS:= variable inside the Makefile.