Suricata 6 for OpenWrt

Some rust packages are indeed arch dependent, usually x86-64. There is a crypto crate that I can't remember the name of that is like this, for example. Hyperscan is another.

Also, for those who are trying to run Suricata, please be aware that it is resource intensive compared to most residential router hardware. Using the public threat list, I was using 600Mb of RAM on device when I had it running and it will require the SoC cycles to inspect the packets, which will reduce your throughput on the device. I was using AFPacket round-robin to spread the load, if I recall correctly (it's been a while). There is a reason security network appliances usually mention both line speed throughput and inspection throughput. Keep this in mind when playing with Suricata (or Snort, for that matter).

By default, rust/host and things like Suricata should have a !@LOW_MEM Dependency which will keep it from showing on menuconfig. If it isn't a supported rust/host Arch, it won't show either.

I've been toying with an OpenWrt implementation of rustup in my spare time, but I've not gotten overly far in it due to time constraints.

1 Like

like "warning: dropping unsupported crate type cdylib for target aarch64-unknown-linux-musl
"

Hello @echelon ,

this link is not working anymore.

Could you please share it a new one? I would like to try compiling suricata 6.x.

Thanks in advance!

Here is it :

https://www.mediafire.com/file/fbesq125tsjcedr/suricata.zip/file

Thank you!

After few hours of work, I'm now stuck here:

Making all in rust
make[4]: Entering directory '/home/build/openwrt/build_dir/target-x86_64_musl/suricata-8.0.0/rust'
cd /home/build/openwrt/build_dir/target-x86_64_musl/suricata-8.0.0/rust && \
	 CARGO_HOME="/home/build/.cargo" \
	CARGO_TARGET_DIR="/home/build/openwrt/build_dir/target-x86_64_musl/suricata-8.0.0/rust/target" \
	/home/build/openwrt/staging_dir/target-x86_64_musl/host/bin/cargo build --release  \
		--features " ja3 ja4  " --target x86_64-unknown-linux-musl
   Compiling proc-macro2 v1.0.69
   Compiling unicode-ident v1.0.12
   Compiling autocfg v1.1.0
   Compiling typenum v1.17.0
   Compiling version_check v0.9.4
   Compiling memchr v2.4.1
   Compiling thiserror v1.0.50
   Compiling syn v1.0.109
   Compiling minimal-lexical v0.2.1
   Compiling libc v0.2.150
   Compiling serde v1.0.192
   Compiling subtle v2.4.1
error[E0463]: can't find crate for `core`
  |
  = note: the `x86_64-unknown-linux-musl` target may not be installed
  = help: consider downloading the target with `rustup target add x86_64-unknown-linux-musl`

error[E0463]: can't find crate for `compiler_builtins`

I'm building using 23.05.3 branch. Do I need to change to main?

For x86_64 I recommended glibc instead of musl, yes I am using main branch.

I haven't encountered such an error like yours, normally I am also compiling OpenWrt toolchain by my own from beginning.

1 Like

FYI..

Suricata 7.0.6..

grommish@DESKTOP-AW:~/openwrt/build_dir/target-mips64_octeonplus_64_musl/suricata-7.0.6/src$ file .libs/suricata
.libs/suricata: ELF 64-bit MSB executable, MIPS, MIPS64 rel2 version 1 (SYSV), dynamically linked, interpreter /lib/ld-musl-mips64-sf.so.1, with debug_info, not stripped

This is using my rustup package rather than rust-lang that is already integrated into OpenWrt.

And no, I've not tested it on Hardware yet, as I've got to figure out what needs to be packaged and where.

2 Likes

Hei man, I really have appreciated your work. I'm trying to get my own version of suricata (based on 8.0.0) compiled for x86-musl openwrt, do you still have the package's files for suricatav7? the link does not work anymore. thanks

You can find my Suricata 7 package https://github.com/Grommish/grom_feeds/tree/main/suricata

Somethings to bear in mind:
You will need to revert it back to using rust-lang rather than my rustup package. While my rustup package works, it isn't finished and only works for mips64 primarily at the moment.

My package isn't finished. While I compile everything, including the rust code, I've stalled on gathering the installation files.

It might not be overly helpful, but it's something. Though, if 8 is out, I may just look at that.

2 Likes

Haven't tried much with musl or other architectures, only targeting x86_64 glibc. I have tried compiling for musl before but if I've remembered it right, it needs some patches on various OpenWrt packages.

https://www.mediafire.com/file/2m5blj43xkgqon8/suricata-04-11-2024.zip/file

Credit goes to @Grommish . Thanks man.

Thanks for the fast reply, i was using the sdk for 23.05.5 that was using musl but after some attempts i decided to build the image with glibc.
Doing some research i saw that @Grommish was the "founder" XD.
You have all my respect for such a thing.

@echelon @Grommish Hello, I really hope you can help me.
I'm trying to cross compile Openwrt with Suricata from x86_64 (Ubuntu specifically) to aarch64(for a raspberry pi 3). Right now I'm using the same settings explained by Echelon (so "Compile with full language support", "xdp sockets enabled", etc.), the compilation goes until the rust part of Suricata where I get:
"error: linking with cc failed: exit status: 1"
While compiling sawp.
I tried searching on Google and I found that I should add, in the cargo home of the Openwrt environment, config.toml with:

[target.aarch64-unknown-linux-gnu]
linker = "aarch64-openwrt-linux-gnu-gcc"

Doing this the compilation blocks here:

Compiling suricata v8.0.0-dev (/home/gianiadi/suricata/openwrt/build_dir/target-aarch64_cortex-a53_glibc/suricata-8.0.0/rust)

error: linking with `aarch64-openwrt-linux-gnu-gcc` failed: exit status: 1
  = note: /home/gianiadi/suricata/openwrt/staging_dir/toolchain-aarch64_cortex-a53_gcc-12.3.0_glibc/lib/gcc/aarch64-openwrt-linux-gnu/12.3.0/../../../../aarch64-openwrt-linux-gnu/bin/ld: /home/gianiadi/suricata/openwrt/build_dir/target-aarch64_cortex-a53_glibc/suricata-8.0.0/rust/target/aarch64-unknown-linux-gnu/release/deps/libsuricata_lua_sys-f181d4cf3290b5d9.rlib(lapi.o): Relocations in generic ELF (EM: 62) 
          /home/gianiadi/suricata/openwrt/staging_dir/toolchain-aarch64_cortex-a53_gcc-12.3.0_glibc/lib/gcc/aarch64-openwrt-linux-gnu/12.3.0/../../../../aarch64-openwrt-linux-gnu/bin/ld: /home/gianiadi/suricata/openwrt/build_dir/target-aarch64_cortex-a53_glibc/suricata-8.0.0/rust/target/aarch64-unknown-linux-gnu/release/deps/libsuricata_lua_sys-f181d4cf3290b5d9.rlib(lapi.o): Relocations in generic ELF (EM: 62)
          /home/gianiadi/suricata/openwrt/staging_dir/toolchain-aarch64_cortex-a53_gcc-12.3.0_glibc/lib/gcc/aarch64-openwrt-linux-gnu/12.3.0/../../../../aarch64-openwrt-linux-gnu/bin/ld: /home/gianiadi/suricata/openwrt/build_dir/target-aarch64_cortex-a53_glibc/suricata-8.0.0/rust/target/aarch64-unknown-linux-gnu/release/deps/libsuricata_lua_sys-f181d4cf3290b5d9.rlib(lapi.o): Relocations in generic ELF (EM: 62)
          /home/gianiadi/suricata/openwrt/staging_dir/toolchain-aarch64_cortex-a53_gcc-12.3.0_glibc/lib/gcc/aarch64-openwrt-linux-gnu/12.3.0/../../../../aarch64-openwrt-linux-gnu/bin/ld: /home/gianiadi/suricata/openwrt/build_dir/target-aarch64_cortex-a53_glibc/suricata-8.0.0/rust/target/aarch64-unknown-linux-gnu/release/deps/libsuricata_lua_sys-f181d4cf3290b5d9.rlib: error adding symbols: file in wrong format
          collect2: error: ld returned 1 exit status

The problem seems to be that some libraries are compiled in a wrong way.
Online I found nothing so I hope that you can give some hint to find the root of the problem. Thank you very much.

Rust-lang isn't going to know what to do with aarch64-openwrt-linux-musl, as Rust-lang doesn't know anything about the OpenWrt toolchain defines, except for mips64-openwrt-linux-musl, which I upstreamed.

I'm trying to balance several open-ended projects along with work and holidays. I'm still working on using rustup and locally defined toolchains; I'm working on Suricata6 (which compiles fully, including the rust side of things, but I need to dig through the artifacts to see what and where things need to be packaged, etc), and the like.

Those EM: 62 errors are your system trying to use the host x86_64 compiler to cross-compile to aarch64 and failing.

@guca11
Managed to compile for aarch64 but not run-tested

https://www.mediafire.com/file/dhdk0xm10wvyiof/suricata-8.0-aarch64.zip/file
  1. Extract "suricata-lua-sys" into a directory outside of OpenWrt build root, it's not an OpenWrt Package!, it's a rust package. Remember the path.

  2. Extract suricata OpenWrt Package into a folder (e.g: openwrt/feeds/packages/net/suricata)

  3. Edit suricata/patches/005-fixes-lua.patch :

+suricata-lua-sys = { path = "/home/user/works/suricata-lua-sys", version = "0.1.0-alpha.5" }

Edit /home/user/works/suricata-lua-sys into the patch in which suricata-lua-sys above (steps #1) is located.
4. Try to do compilation.

make package/suricata/{clean,compile} -j9 V=s 2>&1 | tee build.log

Thanks for the reply, I managed to make it work too.
It's really strange that the Suricata-lua-sys library is configured to use host's gcc.
I've also tested it on a raspberry pi 3 and it seems to work just fine.
What about submit the suricata package to the Openwrt 's official repo?
I'm about to publish a GitHub repo with a complete guide about "how to build an Openwrt image with Suricata" where suricata could be the original 8.0.0 or a custom version (you can enable/disable protocols during the configure fase) so I'm documenting all the steps necessary.

@guca11
Glad that you can make it work too, From the author of Suricata-lua-sys, it seems that it's not intended for cross compilation.

Suricata is quite huge package, not to mention need to supports musl also. Also my changes for Suricata-lua-sys is not yet committed upstream.

Great, have you tried compiling for musl?.

1 Like

Not yet, right now I'm testing on glibc and see if it works and adding some features for my custom Suricata.
I've tried some time ago and I got problems on functions like "fopen64" or "fstats64" but It was like 2 months ago.
After that I will try again.
I will let you know if it actually works.

Compiled fine on musl, please test it once you have the chances.