
Build your own Suricata package - deb,rpm.

This is a step by step guide on how to build your own Debian and rpm package for Ubuntu/Fedora distros.
The guide has the following sections:

Manual Build
Script it
Quick and Dirty with checkinstall
RPM

For this particular example we are using Suricata 1.3beta1.

The Manual Build, Script it, Quick and Dirty with checkinstall and RPM approaches all build a deb/rpm package that is architecture dependent.
In other words, if the system you build it on is 32 bit, it will create a 32 bit deb/rpm package.

Manual Build

This might not be the cleanest, by-the-book guide, but it works and has been tested on a number of 32/64 bit Ubuntu installations.
The guide is meant to help you build your own Suricata package and to make it easier to build and distribute/upgrade multiple Suricata sensors in one go.

First you need the following packages:

apt-get install wget build-essential autoconf automake autotools-dev dh-make debhelper devscripts fakeroot xutils lintian pbuilder

Then you need to download the source:

wget http://www.openinfosecfoundation.org/download/suricata-1.3beta1.tar.gz
tar -zxf suricata-1.3beta1.tar.gz && cd suricata-1.3beta1

echo "" | dh_make -s -c gpl2 -n -e you@example.com -f ../suricata-1.3beta1.tar.gz

The e-mail given to -e (you@example.com above is a placeholder) is important if you would like to sign the package: use the same e-mail that was used to create your PGP key.
If you do not intend to sign it, you still need to provide some e-mail.

dpkg-depcheck -d ./configure

This lists all the packages that configuring Suricata depends on.
Besides what dpkg-depcheck reports, make sure the packages listed further below are present as well (they go into the control file, explained below).

cd debian

echo "override_dh_auto_configure:" >> rules
printf '\tdh_auto_configure -- --enable-non-bundled-htp --disable-gccmarch-native\n' >> rules

The two lines above are how you pass special configure options at package build time.
In other words, this is where you add the options you would otherwise give to ./configure before the package is built,
e.g. ./configure --enable-something_awesome. Note that debian/rules is a Makefile, so the dh_auto_configure line must start with a tab, not spaces.

In this particular case we are building the package with non-bundled-htp - so make sure you have the libhtp1 and libhtp-dev pkgs on the system.
If you would like to use the bundled htp (comes by default) just remove "--enable-non-bundled-htp" .

This is how it is done - period! If you need more info about the Debian control and rules files, you can find it here:

http://www.debian.org/doc/manuals/maint-guide/dreq.en.html#rules

sed -i '/suricata (1.3beta1) unstable/c suricata (1.3beta1-4ubuntu4) precise; urgency=low' changelog

Notice "4ubuntu4": this number should be incremented every time you plan to update over a previously installed package of the same release. For example,
if you made a package for 1.3beta1 but would like to try/add other ./configure options on top of the already installed package, use
"5ubuntu5".

sed -i "/Build-Depends:/s/$/, add pkg dependencies here/" control

Here (in place of "add pkg dependencies here") you need to add all the packages that "dpkg-depcheck" says it needs, plus make sure you have these as well:
libpcre3-dbg, libpcre3-dev, libpcap-dev, libnet1-dev, libyaml-0-2, libyaml-dev, zlib1g, zlib1g-dev, libcap-ng-dev, libcap-ng0, libhtp1, libhtp-dev

sed -i '/Section: unknown/c Section: devel' control
sed -i '/Maintainer:/c Maintainer: First Last <>' control

Make sure you have a proper e-mail in your debian control file (and if you decide to sign the package, it must be the same e-mail used to create your PGP key).

sed -i '/Homepage:/c Homepage: http://www.openinfosecfoundation.org/' control

Add the website address: replace "Homepage:" with "Homepage: http://www.openinfosecfoundation.org/".

sed -i '/Description:/c Description: Suricata open source multi-thread IDS/IPS.' control

Add description.

sed -i -n -e '1,/Description: Suricata open source multi-thread IDS\/IPS/p' control

This deletes all lines after the Description line (the Description line itself is kept), so that the long description appended next starts right below it.

echo " The Suricata Engine is an Open Source Next Generation Intrusion Detection and Prevention Engine.
 This engine is not intended to just replace or emulate the existing tools in the industry, but will bring
 new ideas and technologies to the field. OISF is part of and funded by the Department of
 Homeland Security's Directorate for Science and Technology HOST program (Homeland Open Security
 Technology), by the Navy's Space and Naval Warfare Systems Command (SPAWAR), as well as through the
 very generous support of the members of the OISF Consortium. More information about the Consortium is
 available, as well as a list of our current Consortium Members. The Suricata Engine and the HTP Library
 are available to use under the GPLv2." >> control

(Every line of the long description must start with a space, otherwise dpkg will treat it as a new field and refuse the control file.)

cd ..

dpkg-buildpackage -rfakeroot -kA2G34589

The command above builds the deb package and signs it with your PGP key (replace A2G34589 with your own key ID).
To get your key ID:

gpg --list-keys

will display a list of all key IDs on your PC/server.

When the above command is done you will have a deb package of Suricata configured the way you prefer!
Install it with

dpkg -i package_name.deb
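
The two edits above that are easiest to get wrong are the Build-Depends line (turning the dpkg-depcheck list into a comma-separated list and merging it with the mandatory packages) and the "4ubuntu4" revision bump in the changelog. The following helper functions are an added example, not part of the original page: the function names are mine, and the dpkg-depcheck output and control file used in demo() are constructed samples, so the whole thing runs offline and you can check the resulting lines before touching a real debian/ directory.

```shell
#!/bin/sh
# Added example, not from the original guide: text helpers for the
# Build-Depends and changelog edits of the manual build. The function
# names and the sample dpkg-depcheck output in demo() are constructed.

# The same mandatory list as in the guide above.
EXTRA_DEPS="libpcre3-dbg, libpcre3-dev, libpcap-dev, libnet1-dev, libyaml-0-2, libyaml-dev, zlib1g, zlib1g-dev, libcap-ng-dev, libcap-ng0, libhtp1, libhtp-dev"

# Read "dpkg-depcheck -d ./configure" output on stdin and print the packages
# listed after "Packages needed:" as one sorted, comma-separated line.
depcheck_to_builddeps() {
    sed -n '/Packages needed:/,$p' \
    | sed '1s/^Packages needed://' \
    | tr -s ' \t\n' '\n' \
    | sed '/^$/d' \
    | LC_ALL=C sort -u \
    | paste -s -d ',' - \
    | sed 's/,/, /g'
}

# Merge two "a, b, c" lists into one, dropping duplicates (libpcre3-dev,
# for instance, is usually reported by dpkg-depcheck and is in EXTRA_DEPS too).
merge_builddeps() {
    printf '%s, %s\n' "$1" "$2" \
    | tr ',' '\n' \
    | sed 's/^ *//; s/ *$//; /^$/d' \
    | LC_ALL=C sort -u \
    | paste -s -d ',' - \
    | sed 's/,/, /g'
}

# Append a dependency list to the Build-Depends line of a control file:
# the same edit the guide does with "sed -i", done via a temporary file.
add_builddeps() {
    # $1: path to debian/control, $2: "a, b, c" list to append
    sed "/^Build-Depends:/s/\$/, $2/" "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Increment both numbers of a "-4ubuntu4)" style revision in a changelog
# header line, so "suricata (1.3beta1-4ubuntu4) precise; urgency=low"
# becomes "suricata (1.3beta1-5ubuntu5) precise; urgency=low".
# Lines without such a revision are printed unchanged.
bump_revision() {
    printf '%s\n' "$1" | awk '{
        if (match($0, /-[0-9]+ubuntu[0-9]+\)/)) {
            rev = substr($0, RSTART + 1, RLENGTH - 2)
            split(rev, p, "ubuntu")
            $0 = substr($0, 1, RSTART) (p[1] + 1) "ubuntu" (p[2] + 1) substr($0, RSTART + RLENGTH - 1)
        }
        print
    }'
}

# Stand-alone demo on constructed input: a list like the one dpkg-depcheck
# prints, and a minimal control file with the field the guide edits.
demo() {
    sample_depcheck='Packages needed:
  gcc
  libc6-dev
  libpcre3-dev
  libpcap-dev'
    deps=$(printf '%s\n' "$sample_depcheck" | depcheck_to_builddeps)
    merged=$(merge_builddeps "$deps" "$EXTRA_DEPS")
    control=$(mktemp)
    printf 'Source: suricata\nBuild-Depends: debhelper (>= 8.0.0), autotools-dev\n' > "$control"
    add_builddeps "$control" "$merged"
    grep '^Build-Depends:' "$control"
    rm -f "$control"
    bump_revision 'suricata (1.3beta1-4ubuntu4) precise; urgency=low'
}

if [ "${1:-}" = "demo" ]; then
    demo
fi
```

Run it as "sh helpers.sh demo" to see the merged Build-Depends line and the bumped changelog header; in a real build you would feed the actual dpkg-depcheck output into depcheck_to_builddeps and point add_builddeps at debian/control. Deduplicating matters because a package listed twice in Build-Depends is harmless to dpkg but makes lintian complain, and sorting keeps the line reviewable between rebuilds.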

Script it

For the people who would like to script it and do it with the push of a button, below is a shell script that you can just execute:
it will fetch the 1.3beta1 sources and create a regular Suricata package (just a simple "configure" with no extra special options).
Please do not forget that you need these installed before running the script:

apt-get install wget build-essential autoconf automake autotools-dev dh-make debhelper devscripts fakeroot xutils lintian pbuilder

BEFORE you copy/paste and execute the script you need to change your e-mail address and key ID (the EMAIL and KEYID variables at the top).
ALSO you need to change all occurrences of "1.3beta1" to the proper version (if different), for example "1.2.1" if you are building a package other than 1.3beta1.

Here is the script:
(after you run it, give it a minute, do not interrupt it until finished)

#!/bin/bash
#make sure we have the following pkgs installed
#apt-get install wget dput build-essential autoconf automake autotools-dev dh-make debhelper devscripts fakeroot xutils lintian pbuilder

#CHANGE THESE: the e-mail used to create your PGP key, and your key ID (see "gpg --list-keys")
EMAIL="you@example.com"
KEYID="XXXXXXXX"

#stop at the first failing command instead of building a half-edited package
set -e

if wget http://www.openinfosecfoundation.org/download/suricata-1.3beta1.tar.gz ; then
echo "Downloaded Suricata."
else
echo "Could not download! Aborting. Check your connection and try again." 1>&2
exit 1
fi

tar -zxf suricata-1.3beta1.tar.gz
cd suricata-1.3beta1

echo "" | dh_make -s -c gpl2 -n -e "$EMAIL" -f ../suricata-1.3beta1.tar.gz
#the echo above simulates the "Enter" key press that dh_make waits for, so that it can continue

#get all the packages we need to add to the control file
dpkg-depcheck -d ./configure > pkgstoadd.txt
to_add="$(sed -n '/Packages needed:/,$p' pkgstoadd.txt)"
rm pkgstoadd.txt

#print all the needed packages without the "Packages needed:" heading and make the list comma separated
pkgs_to_add="$(echo $to_add |awk '{$1=$2=""; print $0}' |awk '{for(i=1;i<=NF;i++){$i=$i","} }1')"
addme="libpcre3-dbg, libpcre3-dev, libpcap-dev, libnet1-dev, libyaml-0-2, libyaml-dev, zlib1g, zlib1g-dev, libcap-ng-dev, libcap-ng0, libhtp1, libhtp-dev"
pkgs_to_add_more="$pkgs_to_add $addme"

cd debian

#add specific ./configure options before the package is built
#(debian/rules is a Makefile, so the recipe line must start with a tab)
echo "override_dh_auto_configure:" >> rules
printf '\tdh_auto_configure -- --enable-non-bundled-htp --disable-gccmarch-native\n' >> rules
#http://www.debian.org/doc/manuals/maint-guide/dreq.en.html#rules
#In this particular case we are building the package with non-bundled-htp - so make sure you have the libhtp1 and libhtp-dev pkgs on the system.
#If you would like to use the bundled htp (comes by default) just remove "--enable-non-bundled-htp" .

#add the proper distro name in changelog
sed -i '/suricata (1.3beta1) unstable/c suricata (1.3beta1-4ubuntu4) precise; urgency=low' changelog
#notice "4ubuntu4", this number should be incremented so that we can upload
#multiple pkg updates of ver 1.3beta1 for example

#add the pkgs to the Build-Depends line in the control file
sed -i "/Build-Depends:/s/$/, $pkgs_to_add_more/" control

#changing the repo section to "devel" for ubuntu, must be "devel" for PPA, does not accept anything else
sed -i '/Section: unknown/c Section: devel' control

#add the proper Maintainer of the pkg so that it can be signed with the pgp key!! The e-mail must match the key's UID - run " gpg --list-secret-keys " to check it
sed -i "/Maintainer:/c Maintainer: Peter Manev <$EMAIL>" control

#add website address - replace "Homepage:" with "Homepage: http://www.openinfosecfoundation.org/"
sed -i '/Homepage:/c Homepage: http://www.openinfosecfoundation.org/' control

#the same for "Description:"
sed -i '/Description:/c Description: Suricata open source multi-thread IDS/IPS.' control

#delete all lines after the Description line, keeping the Description line itself
sed -i -n -e '1,/Description: Suricata open source multi-thread IDS\/IPS/p' control

#append the long description (every continuation line must start with a space)
echo " The Suricata Engine is an Open Source Next Generation Intrusion Detection and Prevention Engine.
 This engine is not intended to just replace or emulate the existing tools in the industry, but will bring
 new ideas and technologies to the field. OISF is part of and funded by the Department of
 Homeland Security's Directorate for Science and Technology HOST program (Homeland Open Security
 Technology), by the Navy's Space and Naval Warfare Systems Command (SPAWAR), as well as through the
 very generous support of the members of the OISF Consortium. More information about the Consortium is
 available, as well as a list of our current Consortium Members. The Suricata Engine and the HTP Library
 are available to use under the GPLv2." >> control

cd ..

#Do not forget to put in your key ID (KEYID at the top of the script) !!!
dpkg-buildpackage -rfakeroot -k"$KEYID"

Quick and Dirty with checkinstall

For this we need the checkinstall utility (on Ubuntu):

apt-get install checkinstall

man checkinstall
...DESCRIPTION
checkinstall is a program that monitors an installation procedure (such as make install, install.sh ), and creates a standard package for your distribution
(currently deb, rpm and tgz packages are supported) that you can install through your distribution's package management system (dpkg, rpm or inst
...

So we download the sources:

wget http://www.openinfosecfoundation.org/download/suricata-1.3beta1.tar.gz
tar -zxf suricata-1.3beta1.tar.gz && cd suricata-1.3beta1

In this particular case we will enable MD5 support (via libnss), debug and profiling:

./configure --enable-debug --enable-profiling --enable-profiling-locks --with-libnss-libraries=/usr/lib --with-libnss-includes=/usr/include/nss/ --with-libnspr-libraries=/usr/lib --with-libnspr-includes=/usr/include/nspr && make clean

When that is done, a simple:

sudo checkinstall

NOTE: "sudo checkinstall" will create and install the package; if you would like to just create it (without installing it) run "sudo checkinstall --install=no" instead.

Just follow and answer/edit the questions presented:

Preparing package documentation...OK

Please write a description for the package.
End your description with an empty line or EOF.

Suri beta IDS checkinstall test


**** Debian package creation selected ***
*****************************************

This package will be built according to these values:

0 - Maintainer: [ root@ubuntu32 ]
1 - Summary: [ Suri beta ids checkinstall test ]
2 - Name: [ suricata ]
3 - Version: [ 1.3beta1 ]
4 - Release: [ 1 ]
5 - License: [ GPL ]
6 - Group: [ checkinstall ]
7 - Architecture: [ i386 ]
8 - Source location: [ suricata-1.3beta1 ]
9 - Alternate source location: [ ]
10 - Requires: [ ]
11 - Provides: [ suricata ]
12 - Conflicts: [ ]
13 - Replaces: [ ]

Enter a number to change any of them or press ENTER to continue:

root@ubuntu32:~/Downloads/suricata-1.3beta1# suricata --build-info
29/5/2012 -- 22:14:06 - <Info> - This is Suricata version 1.3beta1 RELEASE
29/5/2012 -- 22:14:06 - <Info> - Features: DEBUG UNITTESTS PCAP_SET_BUFF LIBPCAP_VERSION_MAJOR=1 AF_PACKET HAVE_PACKET_FANOUT LIBCAP_NG LIBNET1.1 HAVE_HTP_URI_NORMALIZE_HOOK HAVE_HTP_TX_GET_RESPONSE_HEADERS_RAW HAVE_NSS PROFILING PROFILE_LOCKING
29/5/2012 -- 22:14:06 - <Info> - 32-bits, Little-endian architecture
29/5/2012 -- 22:14:06 - <Info> - GCC version 4.4.5, C version 199901
29/5/2012 -- 22:14:06 - <Info> - __GCC_HAVE_SYNC_COMPARE_AND_SWAP_1
29/5/2012 -- 22:14:06 - <Info> - __GCC_HAVE_SYNC_COMPARE_AND_SWAP_2
29/5/2012 -- 22:14:06 - <Info> - __GCC_HAVE_SYNC_COMPARE_AND_SWAP_4
29/5/2012 -- 22:14:06 - <Info> - __GCC_HAVE_SYNC_COMPARE_AND_SWAP_8
29/5/2012 -- 22:14:06 - <Info> - compiled with fstack-protector
29/5/2012 -- 22:14:06 - <Info> - compiled with _FORTIFY_SOURCE=2

and you will end up with a Suricata deb package (with debug, MD5s and profiling enabled) ready to install!

RPM

For this particular rpm build example we are using Fedora 16 32 bit, Suricata 1.3beta1 and fpm, a package builder that is able to create deb/rpm/solaris packages.

Also, for this particular tutorial you need to set up/add your config files (yaml, rulesets etc.) yourself on the server/machine where you install the package, if it is a clean/fresh distro where Suricata has never been run before.

If this is a clean/fresh distro you need the following installed (depending on how you would like to configure Suricata):

sudo yum -y install libpcap libpcap-devel libnet libnet-devel pcre pcre-devel gcc gcc-c++ automake autoconf libtool make libyaml libyaml-devel zlib zlib-devel libcap-ng libcap-ng-devel file-devel file

The above are needed for Suricata itself.

These below are needed for the rpm packaging part.

sudo yum -y install gcc make git ruby ruby-devel ruby-libs ruby-mode ruby-rdoc ruby-irb ruby-ri ruby-docs rubygems
sudo gem install fpm

Here we installed the "fpm" package builder.

pwd
/home/user/Downloads
wget http://www.openinfosecfoundation.org/download/suricata-1.3beta1.tar.gz && tar -zxf suricata-1.3beta1.tar.gz && cd suricata-1.3beta1

Get Suricata.

sudo ./configure && sudo make && sudo make install DESTDIR=/home/user/Downloads/testrpm

This way Suricata is installed into the /home/user/Downloads/testrpm directory, from which we are going to build the rpm package.

Then we actually make the rpm package, which is very easy with "fpm":

sudo fpm -s dir -t rpm -n suricata-beta -v 1.3 -C /home/user/Downloads/testrpm/ -p suricata-1.3Beta1_32.rpm usr/

So we end up with suricata-1.3Beta1_32.rpm. Note that the package name and version recorded inside the rpm come from the -n and -v options (suricata-beta, 1.3), not from the file name, which is why it shows up as suricata-beta 1.3-1 in the yum output below.

Then we just install it:

Fedora16-32 Downloads]$ sudo rpm -ivh suricata-1.3Beta1_32.rpm && sudo ldconfig
Preparing... ########################################### [100%]
1:suricata-beta ########################################### [100%]

And let's check it:

@Fedora16-32 Downloads]$ sudo yum list all suricata-beta
Loaded plugins: langpacks, presto, refresh-packagekit
Installed Packages
suricata-beta.i686 1.3-1 installed

@Fedora16-32 Downloads]$ suricata --build-info
3/6/2012 -- 12:12:21 - <Info> - This is Suricata version 1.3beta1 RELEASE
3/6/2012 -- 12:12:21 - <Info> - Features: UNITTESTS PCAP_SET_BUFF LIBPCAP_VERSION_MAJOR=1 AF_PACKET HAVE_PACKET_FANOUT LIBCAP_NG LIBNET1.1 HAVE_HTP_URI_NORMALIZE_HOOK HAVE_HTP_TX_GET_RESPONSE_HEADERS_RAW
3/6/2012 -- 12:12:21 - <Info> - 32-bits, Little-endian architecture
3/6/2012 -- 12:12:21 - <Info> - GCC version 4.6.3 20120306 (Red Hat 4.6.3-2), C version 199901
3/6/2012 -- 12:12:21 - <Info> - __GCC_HAVE_SYNC_COMPARE_AND_SWAP_1
3/6/2012 -- 12:12:21 - <Info> - __GCC_HAVE_SYNC_COMPARE_AND_SWAP_2
3/6/2012 -- 12:12:21 - <Info> - __GCC_HAVE_SYNC_COMPARE_AND_SWAP_4
3/6/2012 -- 12:12:21 - <Info> - __GCC_HAVE_SYNC_COMPARE_AND_SWAP_8

NOTE: Custom build - you can pass any configure options at configure time if you would like, for example:

sudo ./configure --enable-debug --enable-profiling --enable-profiling-locks && sudo make && sudo make install DESTDIR=/home/user/Downloads/testrpm

Then build the rpm:

@Fedora16-32 Downloads]$ sudo fpm -s dir -t rpm -n suricata-beta-profile-debug -v 1.3 -C /home/user/Downloads/testrpm/ -p suricata-profile-debug-1.3Beta1_32.rpm usr/

That way you will end up with an rpm package that has debugging and profiling enabled, ready for installation and/or distribution!
Well... let's see:

@Fedora16-32 Downloads]$ sudo rpm -ivh suricata-profile-debug-1.3Beta1_32.rpm && sudo ldconfig
Preparing... ########################################### [100%]
1:suricata-beta-profile-d########################################### [100%]

@Fedora16-32 Downloads]$ suricata --build-info
3/6/2012 -- 12:38:09 - <Info> - This is Suricata version 1.3beta1 RELEASE
3/6/2012 -- 12:38:09 - <Info> - Features: DEBUG UNITTESTS PCAP_SET_BUFF LIBPCAP_VERSION_MAJOR=1 AF_PACKET HAVE_PACKET_FANOUT LIBCAP_NG LIBNET1.1 HAVE_HTP_URI_NORMALIZE_HOOK HAVE_HTP_TX_GET_RESPONSE_HEADERS_RAW PROFILING PROFILE_LOCKING
3/6/2012 -- 12:38:09 - <Info> - 32-bits, Little-endian architecture
3/6/2012 -- 12:38:09 - <Info> - GCC version 4.6.3 20120306 (Red Hat 4.6.3-2), C version 199901
3/6/2012 -- 12:38:09 - <Info> - __GCC_HAVE_SYNC_COMPARE_AND_SWAP_1
3/6/2012 -- 12:38:09 - <Info> - __GCC_HAVE_SYNC_COMPARE_AND_SWAP_2
3/6/2012 -- 12:38:09 - <Info> - __GCC_HAVE_SYNC_COMPARE_AND_SWAP_4
3/6/2012 -- 12:38:09 - <Info> - __GCC_HAVE_SYNC_COMPARE_AND_SWAP_8

[pevma@Fedora16-32 Downloads]$ sudo yum list all "suricata*"
Loaded plugins: langpacks, presto, refresh-packagekit
Installed Packages
suricata-beta-profile-debug.i686 1.3-1 installed
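
The fpm step above packages whatever is under usr/ in the DESTDIR staging tree, so two things are worth checking before running it: that the tree actually contains the suricata binary (with the default ./configure prefix it lands in usr/local/bin), and that nothing was installed outside usr/ (such as /etc or /var), because "fpm ... usr/" would silently leave it out of the rpm, which is exactly why the guide tells you to add your yaml/rules yourself. The script below is an added example, not part of the original page or of fpm: the function names are mine, and the staging tree built in demo() is constructed, so it runs without fpm, rpm or a real Suricata build.

```shell
#!/bin/sh
# Added example, not from the original guide: sanity checks on the DESTDIR
# staging tree before handing it to fpm. Function names are constructed;
# demo() builds a fake tree so this runs without fpm or Suricata installed.

# Everything that "fpm ... usr/" will package, relative to the staging root.
staged_files() {
    # $1: the DESTDIR given to "make install"
    (cd "$1" && find usr -type f | LC_ALL=C sort)
}

# Top-level directories other than usr/. The fpm call in the guide only
# packages usr/, so anything staged here (e.g. etc/ or var/) is left out.
unpackaged_dirs() {
    (cd "$1" && for d in *; do
        if [ -d "$d" ] && [ "$d" != usr ]; then
            echo "$d"
        fi
    done)
}

# Fail unless the tree holds an executable suricata (the default ./configure
# prefix is /usr/local) and warn about absolute symlinks, which would point
# at build-host paths once the package is installed on another machine,
# and about directories the fpm call will not package.
check_staging() {
    root=$1
    if [ ! -x "$root/usr/local/bin/suricata" ]; then
        echo "check_staging: no executable usr/local/bin/suricata under $root" >&2
        return 1
    fi
    find "$root" -type l | while read -r link; do
        target=$(readlink "$link")
        case "$target" in
            /*) echo "check_staging: warning: absolute symlink $link -> $target" >&2 ;;
        esac
    done
    for d in $(unpackaged_dirs "$root"); do
        echo "check_staging: warning: $d/ is staged but 'fpm ... usr/' will not package it" >&2
    done
    return 0
}

# The fpm invocation from the guide with name, version, root and output
# file as arguments. Passing "-v 1.3beta1" instead of the guide's "-v 1.3"
# makes the rpm version match what "suricata --build-info" reports.
fpm_command() {
    # $1: package name, $2: version, $3: staging root, $4: output rpm file
    printf 'fpm -s dir -t rpm -n %s -v %s -C %s/ -p %s usr/\n' "$1" "$2" "$3" "$4"
}

# Stand-alone demo on a constructed tree: a fake binary under usr/local/bin
# and a config file under etc/ that the fpm call would miss.
demo() {
    root=$(mktemp -d)
    mkdir -p "$root/usr/local/bin" "$root/etc/suricata"
    printf '#!/bin/sh\necho fake suricata\n' > "$root/usr/local/bin/suricata"
    chmod +x "$root/usr/local/bin/suricata"
    : > "$root/etc/suricata/suricata.yaml"
    echo "staged files:"
    staged_files "$root"
    check_staging "$root"
    echo "would run:"
    fpm_command suricata-beta 1.3beta1 "$root" suricata-1.3beta1_32.rpm
    rm -rf "$root"
}

if [ "${1:-}" = "demo" ]; then
    demo
fi
```

Run it as "sh stagecheck.sh demo"; in a real build call check_staging on /home/user/Downloads/testrpm right after "make install DESTDIR=..." and only then run the printed fpm command. If check_staging warns about etc/, either add that directory to the fpm argument list next to usr/ or ship the configuration separately, as the guide does.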

That's it.

Please let us know if you run into any trouble.
Feedback/Suggestions are always welcome!

Peter Manev