
Build your own Suricata package - deb,rpm.

NOTE:
When making a package, if portability across hardware is needed, ALWAYS make sure you compile with:

./configure --disable-gccmarch-native ......

This ensures the package is usable on hardware other than the build machine itself; without it the compiler may emit instructions that the target CPU does not support.

This is a step by step guide of how to build your own Debian and rpm package for Ubuntu/Fedora distros.
The guide has the following sections:

Manual Build
Quick and Dirty with checkinstall
RPM
RPM Fedora guide

For this particular example we are using Suricata 3.0RC3.

The Manual Build approach, the Script it, the Quick and Dirty with checkinstall and the RPM approach all build a deb/rpm package that is architecture dependent.
In other words, if the system you build it on is 32 bit, it will create a 32 bit deb/rpm package.

Manual Build

This might not be the cleanest, by-the-book guide, but it works and has been tested on a number of 32/64 bit Ubuntu installations.
The guide is meant to help you with your own Suricata package building and to make it easier to build and distribute/upgrade multiple Suricata sensors in one shot.

First you need the following packages:

apt-get install wget build-essential autoconf automake autotools-dev dh-make debhelper devscripts fakeroot xutils lintian pbuilder

Then you need to download the source:

wget http://www.openinfosecfoundation.org/download/suricata-3.0RC3.tar.gz
tar -zxf suricata-3.0RC3.tar.gz && cd suricata-3.0RC3

echo "" | dh_make -s -c gpl2 -n -e first.last@somemail.com -f ../suricata-3.0RC3.tar.gz

The e-mail is important if you would like to sign the package: use the same e-mail that was used to create your PGP key.
If you do not plan to sign, you still need to provide some e-mail.

dpkg-depcheck -d ./configure

This will list all the packages that configuring Suricata depends on.
Besides what dpkg-depcheck reports, make sure the packages listed further below are present as well (they go into the control file, explained below).
cd debian
printf 'override_dh_auto_configure:\n\tdh_auto_configure -- --enable-non-bundled-htp --disable-gccmarch-native\n' >> rules

The above is how you pass special configure options at the time of building the package (debian/rules is a Makefile, so the dh_auto_configure line must be indented with a tab, not spaces).
In other words, this is where you add specific ./configure options before the package is built,
e.g. ./configure --enable-something_awesome

In this particular case we are building the package with non-bundled htp, so make sure the libhtp1 and libhtp-dev packages are on the system.
If you would like to use the bundled htp (the default), just remove --enable-non-bundled-htp.
That is all there is to it. If you need more info about the Debian control and rules files, you can find it here:

http://www.debian.org/doc/manuals/maint-guide/dreq.en.html#rules

sed -i '/suricata (3.0RC3) unstable/c suricata (3.0RC3-4ubuntu4) precise; urgency=low' changelog

Notice "4ubuntu4": this revision number should be incremented every time you plan to upgrade over a previously installed package of the same release. For example,
if you made a package for 3.0RC3 but would like to try/add other ./configure options on top of an already installed package, use
5ubuntu5

sed -i "/Build-Depends:/s/$/, add pkg dependencies /" control

Here you need to add all the packages that "dpkg-depcheck" says it needs (in place of "add pkg dependencies"), plus make sure you have these as well:
libpcre3-dbg, libpcre3-dev, libpcap-dev, libnet1-dev, libyaml-0-2, libyaml-dev, zlib1g, zlib1g-dev, libcap-ng-dev, libcap-ng0, libhtp1, libhtp-dev

sed -i '/Section: unknown/c Section: devel' control
sed -i '/Maintainer:/c Maintainer: First Last <first.last@somemail.com>' control

Make sure you have a proper e-mail in your Debian control file (and if you decide to sign the package, it must be the same e-mail used to create your PGP key).
sed -i '/Homepage:/c Homepage: http://www.openinfosecfoundation.org/' control

Add the website address: replace "Homepage:" with "Homepage: http://www.openinfosecfoundation.org/".
sed -i '/Description:/c Description: Suricata open source multi-thread IDS/IPS.' control

Add the description.
sed -i -n -e '1,/Description: Suricata open source multi-thread IDS\/IPS/p' control

Delete all lines after the Description line, keeping the Description itself. Then append the long description; every continuation line of a control field must start with a single space:
echo " The Suricata Engine is an Open Source Next Generation Intrusion Detection and Prevention Engine.
 This engine is not intended to just replace or emulate the existing tools in the industry, but will bring
 new ideas and technologies to the field. OISF is part of and funded by the Department of
 Homeland Security's Directorate for Science and Technology HOST program (Homeland Open Security
 Technology), by the Navy's Space and Naval Warfare Systems Command (SPAWAR), as well as through the
 very generous support of the members of the OISF Consortium. More information about the Consortium is
 available, as well as a list of our current Consortium Members. The Suricata Engine and the HTP Library
 are available to use under the GPLv2." >> control

Then

cd ..
dpkg-buildpackage -rfakeroot -kA2G34589

The above will build the deb package and sign it with your PGP key (the -k argument is your key ID).
To get your key ID:
gpg --list-keys

will display a list with all key IDs on your PC/server.

After the above command is done you will have a deb package of Suricata configured the way you prefer!
Install it with

dpkg -i package_name.deb
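The edits the Manual Build section makes to debian/rules, debian/changelog and debian/control by hand, collected into one reusable shell function. This is an added example, not code from the original wiki page or the Suricata project; it assumes DIR already holds the three files as generated by dh_make, and the changelog/control skeleton in make_sample_debian_dir is constructed so the function can be exercised offline.

```shell
#!/bin/sh
# Added example, not from the original page: automate the debian/ edits done by hand above.
# Assumptions: DIR/debian/{control,changelog,rules} exist as produced by dh_make;
# VERSION, REVISION, MAINTAINER and EXTRA_DEPS come from the caller.

sed_file() {  # sed_file FILE SED-EXPR...: rewrite FILE in place (no GNU "sed -i" needed)
    f="$1"; shift
    sed "$@" "$f" > "$f.tmp" && mv "$f.tmp" "$f"
}

prepare_debian_dir() {  # prepare_debian_dir DIR VERSION REVISION MAINTAINER EXTRA_DEPS
    dir="$1"; version="$2"; revision="$3"; maintainer="$4"; extra_deps="$5"
    deb="$dir/debian"
    [ -f "$deb/control" ] && [ -f "$deb/changelog" ] && [ -f "$deb/rules" ] || return 2

    # debian/rules is a Makefile: the recipe line must start with a tab.
    # This hands the configure options (portable build, non-bundled htp) to dpkg-buildpackage.
    if ! grep -q '^override_dh_auto_configure:' "$deb/rules"; then
        printf 'override_dh_auto_configure:\n\tdh_auto_configure -- --enable-non-bundled-htp --disable-gccmarch-native\n' >> "$deb/rules"
    fi

    # changelog: the first line is "name (version) distribution; urgency".
    # Bump REVISION (4ubuntu4 -> 5ubuntu5 ...) for every rebuild of the same upstream release.
    sed_file "$deb/changelog" "1s/^suricata (.*) [a-z]*;/suricata (${version}-${revision}) precise;/"

    # control: append the extra Build-Depends once, then set section, maintainer and homepage.
    grep -qF "$extra_deps" "$deb/control" || \
        sed_file "$deb/control" "/^Build-Depends:/s/\$/, ${extra_deps}/"
    sed_file "$deb/control" 's/^Section:.*/Section: devel/'
    sed_file "$deb/control" "s|^Maintainer:.*|Maintainer: ${maintainer}|"  # must match the PGP key e-mail when signing
    sed_file "$deb/control" 's|^Homepage:.*|Homepage: http://www.openinfosecfoundation.org/|'

    # Replace dh_make's placeholder description. Continuation lines of a control
    # field must begin with one space, otherwise the control file does not parse.
    sed_file "$deb/control" '/^Description:/,$d'
    {
        echo 'Description: Suricata open source multi-thread IDS/IPS.'
        echo ' The Suricata Engine is an Open Source Next Generation Intrusion Detection'
        echo ' and Prevention Engine, available under the GPLv2.'
    } >> "$deb/control"
}

# Constructed dh_make-style skeleton (not real dh_make output) for offline use.
make_sample_debian_dir() {
    d=$(mktemp -d); mkdir "$d/debian"
    printf 'suricata (3.0RC3) unstable; urgency=low\n\n  * Initial release\n\n -- First Last <first.last@somemail.com>  Fri, 15 Jan 2016 22:00:00 +0000\n' > "$d/debian/changelog"
    printf 'Source: suricata\nSection: unknown\nPriority: optional\nMaintainer: unknown <unknown@unknown>\nBuild-Depends: debhelper (>= 9), autotools-dev\nHomepage: <insert the upstream URL, if relevant>\n\nPackage: suricata\nArchitecture: any\nDescription: <insert up to 60 chars description>\n <insert long description, indented with spaces>\n' > "$d/debian/control"
    printf '#!/usr/bin/make -f\n%%:\n\tdh $@\n' > "$d/debian/rules"
    echo "$d"
}
```

Running prepare_debian_dir a second time on the same tree leaves the files unchanged, so it is safe to re-run after tweaking the configure options and bumping the revision.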

Quick and Dirty with checkinstall

For this we need the checkinstall utility (on Ubuntu):

apt-get install checkinstall

From man checkinstall:

DESCRIPTION
checkinstall is a program that monitors an installation procedure (such as make install, install.sh), and creates a standard package for your distribution
(currently deb, rpm and tgz packages are supported) that you can install through your distribution's package management system (dpkg, rpm or inst
 ...

So we download the sources:

wget http://www.openinfosecfoundation.org/download/suricata-3.0RC3.tar.gz
tar -zxf suricata-3.0RC3.tar.gz && cd suricata-3.0RC3

In this particular case we configure with MD5 support (via libnss), debug and profiling enabled:

/home/pevma/Tests/checkinstall/suricata-3.0RC3# ./configure --disable-gccmarch-native --enable-debug --enable-profiling --enable-profiling-locks --with-libnss-libraries=/usr/lib --with-libnss-includes=/usr/include/nss/ --with-libnspr-libraries=/usr/lib --with-libnspr-includes=/usr/include/nspr && make clean
...
...

When that is done:

/home/pevma/Tests/checkinstall/suricata-3.0RC3# checkinstall 

checkinstall 1.6.2, Copyright 2009 Felipe Eduardo Sanchez Diaz Duran
           This software is released under the GNU GPL.

*****************************************
**** Debian package creation selected ***
*****************************************

This package will be built according to these values: 

0 -  Maintainer: [ root@DONPEDRO ]
1 -  Summary: [ Suri IDPS ]
2 -  Name:    [ suricata ]
3 -  Version: [ 3.0RC3 ]
4 -  Release: [ 1 ]
5 -  License: [ GPL ]
6 -  Group:   [ checkinstall ]
7 -  Architecture: [ amd64 ]
8 -  Source location: [ suricata-3.0RC3 ]
9 -  Alternate source location: [  ]
10 - Requires: [  ]
11 - Provides: [ suricata ]
12 - Conflicts: [  ]
13 - Replaces: [  ]

Enter a number to change any of them or press ENTER to continue: 10
Enter the additional requirements: 
>> libpcre3-dev, libpcre3, libpcre3-dbg, libtool, libpcap-dev, libyaml-0-2, zlib1g, libmagic-dev, pkg-config, wget, python, libluajit-5.1-common, libluajit-5.1-dev, libjansson4        

This package will be built according to these values: 

0 -  Maintainer: [ root@DONPEDRO ]
1 -  Summary: [ Suri IDPS ]
2 -  Name:    [ suricata ]
3 -  Version: [ 3.0RC3 ]
4 -  Release: [ 1 ]
5 -  License: [ GPL ]
6 -  Group:   [ checkinstall ]
7 -  Architecture: [ amd64 ]
8 -  Source location: [ suricata-3.0RC3 ]
9 -  Alternate source location: [  ]
10 - Requires: [ libpcre3-dev, libpcre3, libpcre3-dbg, libtool, libpcap-dev, libyaml-0-2, zlib1g, libmagic-dev, pkg-config, wget, python, libluajit-5.1-common, libluajit-5.1-dev, libjansson4 ]
11 - Provides: [ suricata ]
12 - Conflicts: [  ]
13 - Replaces: [  ]

Enter a number to change any of them or press ENTER to continue:

and you will end up with a Suricata deb package (with debug, MD5s and profiling enabled) ready to install!


/home/pevma/Tests/checkinstall/suricata-3.0RC3# ll
total 5436
-rw-r--r-- 1 root root   56660 Dec 21 14:12 aclocal.m4
-rw-r--r-- 1 root root 1963056 Jan 15 22:59 backup-011520162259-pre-suricata.tgz
-rw-r--r-- 1 root root   42444 Dec 21 14:12 ChangeLog
-rw-r--r-- 1 root root    3533 Dec 21 14:12 classification.config
-rwxr-xr-x 1 root root    7333 Dec 21 14:12 compile
-rwxr-xr-x 1 root root   45297 Dec 21 14:12 config.guess
-rw-r--r-- 1 root root   14492 Jan 15 22:38 config.h
-rw-r--r-- 1 root root   13657 Dec 21 14:12 config.h.in
-rw-r--r-- 1 root root  104181 Jan 15 22:42 config.log
-rw-r--r-- 1 root root       0 Dec 21 14:12 config.rpath
-rwxr-xr-x 1 root root   68690 Jan 15 22:38 config.status
-rwxr-xr-x 1 root root   35564 Dec 21 14:12 config.sub
-rwxr-xr-x 1 root root  724834 Dec 21 14:12 configure
-rw-r--r-- 1 root root   75382 Dec 21 14:12 configure.ac
drwxr-xr-x 4 root root    4096 Jan 15 22:38 contrib
-rw-r--r-- 1 root root   18092 Dec 21 14:12 COPYING
-rwxr-xr-x 1 root root   23566 Dec 21 14:12 depcomp
-rw-r--r-- 1 root root      10 Jan 15 22:40 description-pak
drwxr-xr-x 2 root root    4096 Jan 15 22:38 doc
drwxr-xr-x 3 root root    4096 Jan 15 22:40 doc-pak
-rwxr-xr-x 1 root root   13997 Dec 21 14:12 install-sh
drwxr-xr-x 6 root root    4096 Jan 15 22:38 libhtp
-rwxr-xr-x 1 root root  293324 Jan 15 22:38 libtool
-rw-r--r-- 1 root root   18092 Dec 21 14:12 LICENSE
-rw-r--r-- 1 root root  283684 Dec 21 14:12 ltmain.sh
drwxr-xr-x 2 root root    4096 Dec 21 14:13 m4
-rw-r--r-- 1 root root   31011 Jan 15 22:38 Makefile
-rw-r--r-- 1 root root    3442 Dec 21 14:12 Makefile.am
-rw-r--r-- 1 root root   30780 Dec 21 14:12 Makefile.in
-rwxr-xr-x 1 root root    6872 Dec 21 14:12 missing
drwxr-xr-x 3 root root    4096 Jan 15 22:38 qa
-rw-r--r-- 1 root root    1375 Dec 21 14:12 reference.config
drwxr-xr-x 2 root root    4096 Jan 15 22:38 rules
drwxr-xr-x 3 root root    4096 Jan 15 22:38 scripts
drwxr-xr-x 4 root root   45056 Jan 15 22:42 src
-rw-r--r-- 1 root root      23 Jan 15 22:42 stamp-h1
-rw-r--r-- 1 root root 1422934 Jan 15 22:59 suricata_3.0RC3-1_amd64.deb
-rw-r--r-- 1 root root   61469 Jan 15 22:38 suricata.yaml
-rw-r--r-- 1 root root   61367 Dec 21 14:12 suricata.yaml.in
-rw-r--r-- 1 root root    1651 Dec 21 14:12 threshold.config

RPM

For this particular rpm build example we are using Fedora 23 64 bit, Suricata 3.0RC3 and the FPM package manager, which is able to create deb/rpm/solaris packages.

NOTE: FPM can be used to create deb and rpm packages, among many others.

If this is a clean/fresh distro you need the following installed (depending how you would like to configure Suricata):

sudo yum -y install libpcap libpcap-devel libnet libnet-devel pcre pcre-devel gcc gcc-c++ automake autoconf libtool make libyaml libyaml-devel zlib zlib-devel libcap-ng libcap-ng-devel file-devel file

The above are needed for Suricata itself.

The ones below are needed for the rpm packaging part:

sudo yum -y install gcc make git ruby ruby-devel ruby-libs ruby-irb rubygems auto-buildrequires
sudo gem install fpm

Here we installed the "fpm" package manager.

Get Suricata:

wget http://www.openinfosecfoundation.org/download/suricata-3.0RC3.tar.gz && tar -zxf suricata-3.0RC3.tar.gz && cd suricata-3.0RC3

sudo ./configure --disable-gccmarch-native --prefix=/usr --sysconfdir=/etc --localstatedir=/var  && sudo make && sudo make install-full DESTDIR=/home/usera/rpm/

That way Suricata is installed into the /home/usera/rpm/ directory, from where we are going to build the rpm package.

Then we actually make the rpm package, which is easy with "fpm":

fpm -s dir -t rpm -n suricata-RC -v 3.0RC3 -C /home/usera/rpm/ -p suricata-3.0RC3_64-1.rpm usr/

So we end up with suricata-3.0RC3_64-1.rpm:


[root@localhost suricata-3.0RC3]# ll
total 8632
-rw-r--r--. 1 root root   56660 Dec 21 14:12 aclocal.m4
-rw-r--r--. 1 root root   42444 Dec 21 14:12 ChangeLog
-rw-r--r--. 1 root root    3533 Dec 21 14:12 classification.config
-rwxr-xr-x. 1 root root    7333 Dec 21 14:12 compile
-rwxr-xr-x. 1 root root   45297 Dec 21 14:12 config.guess
-rw-r--r--. 1 root root   14506 Jan 16 19:04 config.h
-rw-r--r--. 1 root root   13657 Dec 21 14:12 config.h.in
-rw-r--r--. 1 root root  114333 Jan 16 19:04 config.log
-rw-r--r--. 1 root root       0 Dec 21 14:12 config.rpath
-rwxr-xr-x. 1 root root   67285 Jan 16 19:04 config.status
-rwxr-xr-x. 1 root root   35564 Dec 21 14:12 config.sub
-rwxr-xr-x. 1 root root  724834 Dec 21 14:12 configure
-rw-r--r--. 1 root root   75382 Dec 21 14:12 configure.ac
drwxr-xr-x. 4 root root    4096 Jan 16 19:04 contrib
-rw-r--r--. 1 root root   18092 Dec 21 14:12 COPYING
-rwxr-xr-x. 1 root root   23566 Dec 21 14:12 depcomp
drwxr-xr-x. 2 root root    4096 Jan 16 19:04 doc
-rwxr-xr-x. 1 root root   13997 Dec 21 14:12 install-sh
drwxr-xr-x. 6 root root    4096 Jan 16 19:04 libhtp
-rwxr-xr-x. 1 root root  293200 Jan 16 19:04 libtool
-rw-r--r--. 1 root root   18092 Dec 21 14:12 LICENSE
-rw-r--r--. 1 root root  283684 Dec 21 14:12 ltmain.sh
drwxr-xr-x. 2 root root    4096 Dec 21 14:13 m4
-rw-r--r--. 1 root root   30246 Jan 16 19:04 Makefile
-rw-r--r--. 1 root root    3442 Dec 21 14:12 Makefile.am
-rw-r--r--. 1 root root   30780 Dec 21 14:12 Makefile.in
-rwxr-xr-x. 1 root root    6872 Dec 21 14:12 missing
drwxr-xr-x. 3 root root    4096 Jan 16 19:04 qa
-rw-r--r--. 1 root root    1375 Dec 21 14:12 reference.config
drwxr-xr-x. 2 root root    4096 Jan 16 19:04 rules
drwxr-xr-x. 3 root root    4096 Jan 16 19:04 scripts
drwxr-xr-x. 4 root root   49152 Jan 16 19:06 src
-rw-r--r--. 1 root root      23 Jan 16 19:04 stamp-h1
-rw-r--r--. 1 root root 6664192 Jan 16 19:32 suricata-3.0RC3_64-1.rpm
-rw-r--r--. 1 root root   61389 Jan 16 19:04 suricata.yaml
-rw-r--r--. 1 root root   61367 Dec 21 14:12 suricata.yaml.in
-rw-r--r--. 1 root root    1651 Dec 21 14:12 threshold.config
[root@localhost suricata-3.0RC3]#

Then we just install it:

[root@localhost suricata-3.0RC3]# dnf install suricata-3.0RC3_64-1.rpm
Last metadata expiration check performed 1:44:49 ago on Sat Jan 16 17:49:22 2016.
Dependencies resolved.
=========================================================================================================================================================================================
 Package                                       Arch                                     Version                                     Repository                                      Size
=========================================================================================================================================================================================
Installing:
 suricata-RC                                   x86_64                                   3.0RC3-1                                    @commandline                                   6.4 M

Transaction Summary
=========================================================================================================================================================================================
Install  1 Package

Total size: 6.4 M
Installed size: 18 M
Is this ok [y/N]: y
Downloading Packages:
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
  Installing  : suricata-RC-3.0RC3-1.x86_64                                                                                                                                          1/1 
  Verifying   : suricata-RC-3.0RC3-1.x86_64                                                                                                                                          1/1 

Installed:
  suricata-RC.x86_64 3.0RC3-1                                                                                                                                                            

Complete!

And let's check it:

[root@localhost suricata-3.0RC3]# dnf list installed |grep suricata
suricata-RC.x86_64                     3.0RC3-1                 @@commandline   
[root@localhost suricata-3.0RC3]# uname -a
Linux localhost.localdomain 4.2.7-300.fc23.x86_64 #1 SMP Wed Dec 9 22:28:30 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux
[root@localhost suricata-3.0RC3]# 
[root@localhost suricata-3.0RC3]# ldd /usr/bin/suricata
    linux-vdso.so.1 (0x00007ffd4e156000)
    libhtp-0.5.18.so.1 => /usr/lib64/libhtp-0.5.18.so.1 (0x00007fedb1b0f000)
    libmagic.so.1 => /usr/lib64/libmagic.so.1 (0x00007fedb18ed000)
    libcap-ng.so.0 => /usr/lib64/libcap-ng.so.0 (0x00007fedb16e7000)
    libpcap.so.1 => /usr/lib64/libpcap.so.1 (0x00007fedb14a4000)
    libnet.so.1 => /usr/lib64/libnet.so.1 (0x00007fedb1288000)
    libpthread.so.0 => /usr/lib64/libpthread.so.0 (0x00007fedb106b000)
    libyaml-0.so.2 => /usr/lib64/libyaml-0.so.2 (0x00007fedb0e4c000)
    libpcre.so.1 => /usr/lib64/libpcre.so.1 (0x00007fedb0bdb000)
    libc.so.6 => /usr/lib64/libc.so.6 (0x00007fedb081a000)
    libz.so.1 => /usr/lib64/libz.so.1 (0x00007fedb0604000)
    /lib64/ld-linux-x86-64.so.2 (0x0000559685a53000)
[root@localhost suricata-3.0RC3]# 
[root@localhost suricata-3.0RC3]# suricata --build-info
This is Suricata version 3.0RC3 RELEASE
Features: PCAP_SET_BUFF LIBPCAP_VERSION_MAJOR=1 AF_PACKET HAVE_PACKET_FANOUT LIBCAP_NG LIBNET1.1 HAVE_HTP_URI_NORMALIZE_HOOK PCRE_JIT TLS 
SIMD support: SSE_3 
Atomic intrisics: 1 2 4 8 byte(s)
64-bits, Little-endian architecture
GCC version 5.3.1 20151207 (Red Hat 5.3.1-2), C version 199901
L1 cache line size (CLS)=64
thread local storage method: __thread
compiled with LibHTP v0.5.18, linked against LibHTP v0.5.18

Suricata Configuration:
  AF_PACKET support:                       yes
  PF_RING support:                         no
  NFQueue support:                         no
  NFLOG support:                           no
  IPFW support:                            no
  Netmap support:                          no
  DAG enabled:                             no
  Napatech enabled:                        no

  Unix socket enabled:                     no
  Detection enabled:                       yes

  libnss support:                          no
  libnspr support:                         no
  libjansson support:                      no
  hiredis support:                         no
  Prelude support:                         no
  PCRE jit:                                yes
  LUA support:                             no
  libluajit:                               no
  libgeoip:                                no
  Non-bundled htp:                         no
  Old barnyard2 support:                   no
  CUDA enabled:                            no

  Suricatasc install:                      yes

  Unit tests enabled:                      no
  Debug output enabled:                    no
  Debug validation enabled:                no
  Profiling enabled:                       no
  Profiling locks enabled:                 no
  Coccinelle / spatch:                     no

Generic build parameters:
  Installation prefix:                     /usr
  Configuration directory:                 /etc/suricata/
  Log directory:                           /var/log/suricata/

  --prefix                                 /usr
  --sysconfdir                             /etc
  --localstatedir                          /var

  Host:                                    x86_64-unknown-linux-gnu
  Compiler:                                gcc (exec name) / gcc (real)
  GCC Protect enabled:                     no
  GCC march native enabled:                yes
  GCC Profile enabled:                     no
  Position Independent Executable enabled: no
  CFLAGS                                   -g -O2 -march=native
  PCAP_CFLAGS                               
  SECCFLAGS                               

NOTE: Custom builds - you can pass any configure options at configure time if you would like, for example:

sudo ./configure --disable-gccmarch-native --enable-debug --enable-profiling --enable-profiling-locks && sudo make && sudo make install DESTDIR=/home/usera/rpm/

Then build the rpm:

sudo fpm -s dir -t rpm -n suricata-beta-profile-debug -v 3.0RC3 -C /home/usera/rpm/ -p suricata-profile-debug-3.0RC3_64-2.rpm usr/

That way you will end up with an rpm package that has debugging and profiling enabled, ready for installation and/or distribution!
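A pre-flight check for the fpm step above, added here as an example (not code from the page or from fpm): it verifies that the DESTDIR staging tree holds the essentials and derives the list of top-level directories to package from what was actually staged. It assumes the tree was filled by "make install-full DESTDIR=<stage>" with --prefix=/usr --sysconfdir=/etc --localstatedir=/var, so the configuration lands under etc/ rather than usr/ (the fpm commands above package usr/ only); the staging tree built by make_sample_stage is constructed.

```shell
#!/bin/sh
# Added example, not from the original page: check a DESTDIR staging tree and
# compose the fpm command line from it. Assumes make install-full was run with
# --prefix=/usr --sysconfdir=/etc --localstatedir=/var into the staging tree.

stage_check() {  # stage_check STAGE -> 0 when the essentials are present
    s="$1"
    [ -x "$s/usr/bin/suricata" ] || { echo "missing usr/bin/suricata" >&2; return 1; }
    [ -f "$s/etc/suricata/suricata.yaml" ] || { echo "missing etc/suricata/suricata.yaml" >&2; return 1; }
    return 0
}

stage_paths() {  # stage_paths STAGE -> top-level dirs to hand to fpm, space separated
    s="$1"; out=""
    for d in usr etc var; do
        [ -d "$s/$d" ] && out="$out $d/"
    done
    echo "${out# }"
}

fpm_cmdline() {  # fpm_cmdline STAGE NAME VERSION -> the fpm command (printed, not run)
    s="$1"; name="$2"; ver="$3"
    stage_check "$s" || return 1
    # Package name/version follow the page's "-n suricata-RC -v 3.0RC3" convention.
    echo "fpm -s dir -t rpm -n $name -v $ver -C $s -p ${name}-${ver}_64-1.rpm $(stage_paths "$s")"
}

# Constructed staging tree standing in for a real "make install-full DESTDIR=..." run.
make_sample_stage() {
    s=$(mktemp -d)
    mkdir -p "$s/usr/bin" "$s/etc/suricata/rules" "$s/var/log/suricata"
    printf '#!/bin/sh\necho fake suricata\n' > "$s/usr/bin/suricata"; chmod +x "$s/usr/bin/suricata"
    echo "%YAML 1.1" > "$s/etc/suricata/suricata.yaml"
    echo "$s"
}
```

Packaging etc/ and var/ alongside usr/ means the installed rpm carries suricata.yaml and the log directory, so the sensor is usable right after "dnf install" without copying configuration by hand.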

RPM Fedora guide

https://fedoraproject.org/wiki/How_to_create_a_GNU_Hello_RPM_package
https://fedoraproject.org/wiki/How_to_create_an_RPM_package

That's it.

Please let us know if you run into any trouble.
Feedback/suggestions are always welcome!

Peter Manev