Homebrew / legacy-homebrew

💀 The former home of Homebrew/homebrew (deprecated)
https://brew.sh

formula 'suricata' isn't able to be configured as IPS (--enable-nfqueue and --enable-ipfw) #39504

Closed drew1kun closed 9 years ago

drew1kun commented 9 years ago

Hi, I'm trying to modify the suricata.rb formula to be able to configure suricata as an IPS -- that's the main point of using suricata (by default it's configured as IDS only):

...
    # --enable-ipfw and --enable-nfqueue added myself; the rest is the stock formula.
    # (Comments must stay outside the %W[] literal: a "#" inside it is passed to
    # configure as a literal argument, not treated as a comment.)
    args = %W[
      --enable-ipfw
      --enable-nfqueue
      --disable-debug
      --disable-dependency-tracking
      --disable-silent-rules
      --prefix=#{prefix}
      --sysconfdir=#{etc}
      --localstatedir=#{var}
      --with-libnet-includes=#{libnet.opt_include}
      --with-libnet-libs=#{libnet.opt_lib}
      --with-libmagic-includes=#{libmagic.opt_include}
      --with-libmagic-libraries=#{libmagic.opt_lib}
    ]
...

but after installing suricata and running suricata --build-info I get:

This is Suricata version 2.0.7 RELEASE
Features: PCAP_SET_BUFF LIBPCAP_VERSION_MAJOR=1 HAVE_PACKET_FANOUT LIBNET1.1 HAVE_HTP_URI_NORMALIZE_HOOK PCRE_JIT 
SIMD support: SSE_3 
Atomic intrisics: 1 2 4 8 16 byte(s)
64-bits, Little-endian architecture
GCC version 4.2.1 Compatible Apple LLVM 6.1.0 (clang-602.0.49), C version 199901
compiled with -fstack-protector
compiled with _FORTIFY_SOURCE=2
L1 cache line size (CLS)=64
compiled with LibHTP v0.5.17, linked against LibHTP v0.5.17
Suricata Configuration:
  AF_PACKET support:                       no
  PF_RING support:                         no
  NFQueue support:                         no
  NFLOG support:                           no
  IPFW support:                            no
  DAG enabled:                             no
  Napatech enabled:                        no
  Unix socket enabled:                     no
  Detection enabled:                       yes

  libnss support:                          no
  libnspr support:                         no
  libjansson support:                      no
  Prelude support:                         no
  PCRE jit:                                yes
  LUA support:                             no
  libluajit:                               no
  libgeoip:                                no
  Non-bundled htp:                         no
  Old barnyard2 support:                   no
  CUDA enabled:                            no

  Suricatasc install:                      yes

  Unit tests enabled:                      no
  Debug output enabled:                    no
  Debug validation enabled:                no
  Profiling enabled:                       no
  Profiling locks enabled:                 no
  Coccinelle / spatch:                     no

Generic build parameters:
  Installation prefix (--prefix):          /usr/local/Cellar/suricata/2.0.7
  Configuration directory (--sysconfdir):  /usr/local/etc/suricata/
  Log directory (--localstatedir) :        /usr/local/var/log/suricata/

  Host:                                    x86_64-apple-darwin14.3.0
  GCC binary:                              clang
  GCC Protect enabled:                     no
  GCC march native enabled:                yes
  GCC Profile enabled:                     no

IPFW support: no and NFQueue support: no show that it doesn't work. Can anyone help me modify the suricata formula to configure it with all the possible options (--enable-ipfw, --enable-nfqueue, --enable-dag, --enable-af-packet)... Also, my research led me to the understanding that --enable-nfqueue needs some dependencies that are not available in homebrew. When trying to configure the source code like this:

    CC=llvm-gcc ./configure --enable-nfqueue

I get:

...
checking for json_dump_callback in -ljansson... yes
checking for nfnl_fd in -lnfnetlink... no

   ERROR!  nfnetlink library not found, go get it
   from www.netfilter.org.
   we automatically append libnetfilter_queue/ when searching
   for headers etc. when the --with-libnfnetlink-inlcudes directive
   is used

checking libnetfilter_queue/libnetfilter_queue.h usability... no
checking libnetfilter_queue/libnetfilter_queue.h presence... no
checking for libnetfilter_queue/libnetfilter_queue.h... no
configure: error: libnetfilter_queue/libnetfilter_queue.h not found ...

I don't have enough experience to fix it myself, so I'm asking for your help. I just want to make homebrew more usable for those who use suricata as an IPS. Any help appreciated. Thank you!

jacknagel commented 9 years ago

Some cursory googling suggests that nfnetlink, nfqueue, etc. are only available on Linux.

jacknagel commented 9 years ago

When I add the arguments you suggest (--enable-nfqueue --enable-ipfw) to the formula, the configure script errors out and the build fails due to the missing netfilter stuff. If I just add --enable-ipfw then it succeeds and enables ipfw support.

Please remove the --enable-nfqueue (since it's not going to work), leaving only --enable-ipfw, and then try to install it. If it fails then please run brew gist-logs suricata and post the link.

drew1kun commented 9 years ago

Thanx! But how do I make it correct? Should I do it like in my example above? Or am I missing anything? Because I've done it only with --enable-ipfw and then checked the result with suricata --build-info and I'm still getting IPFW support: no. Seems like it just ignores this argument (((( What am I doing wrong?

drew1kun commented 9 years ago

    brew gist-logs suricata
    couldn't understand kern.osversion `14.3.0'

https://gist.github.com/f18806a5133c8874ba67

drew1kun commented 9 years ago

and btw there is a 2.0.8 version of suricata available...

drew1kun commented 9 years ago

Well, now I've changed the version number from 2.0.7 to 2.0.8 and the hash, and got:

    $ brew install suricata
    ==> Downloading https://homebrew.bintray.com/bottles/suricata-2.0.8.yosemite.bottle.tar.gz

    curl: (22) The requested URL returned error: 404 Not Found
    Error: Failed to download resource "suricata"
    Download failed: https://homebrew.bintray.com/bottles/suricata-2.0.8.yosemite.bottle.tar.gz
    Warning: Bottle installation failed: building from source.

Now everything works and I get IPFW support: yes! So I assume it didn't work before because homebrew used the "bottle" installation instead of building from source. Now the question: what is a bottle and how do I make one? In suricata.rb I see bottle hashes for different versions of OS X:

  bottle do
    sha256 "f67922f17fd54ad460fac601c489324a3fc9649332c235b19188db673ac1dd37" => :yosemite
    sha256 "5da62c060b67d37acccef04a3e94da3c6a12a2d33140ece6d83259144bbf4dfb" => :mavericks
    sha256 "4e84abe9e22b63d8ab7161d704da16202bfd8320c50b70a87c5da42ee095efbb" => :mountain_lion
  end

What are the advantages of 'bottle installation' and how can I create them if needed?

jacknagel commented 9 years ago

Bottles are pre-compiled packages that we create.

If you make local changes, you need to use --build-from-source to have them reflected in the build.

If you would like the addition of the --enable-ipfw flag to find its way into the main formula, then the next step is to submit a pull request: https://github.com/Homebrew/homebrew/blob/master/share/doc/homebrew/How-To-Open-a-Homebrew-Pull-Request-(and-get-it-merged).md

Thanks!
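Added example, not part of the thread: a small POSIX shell check that parses the output of `suricata --build-info` and fails if the capture modes you asked for were not compiled in, which is the check the reporter was doing by eye above (and which would have flagged the bottle build right away). The sample build-info texts are constructed and abbreviated from the output in this issue; the function names `build_info_value` and `check_build_info` are chosen here, not Suricata's or Homebrew's.

```shell
#!/bin/sh
# Verify that an installed Suricata binary has the expected capture/IPS modes
# by parsing `suricata --build-info`. Added example, not from the issue.
# Usage: check_build_info "$(suricata --build-info)" "IPFW support" "NFQueue support"
# Exit status 0 when every named feature line reads "yes", 1 otherwise.

# Print the value ("yes"/"no"/...) of one "Label: value" line from build-info.
# $1 = build-info text, $2 = label exactly as Suricata prints it.
build_info_value() {
  printf '%s\n' "$1" | awk -v label="$2" -F':' '
    $1 ~ ("^[[:space:]]*" label "[[:space:]]*$") {
      v = $2; gsub(/[[:space:]]/, "", v); print v; exit
    }'
}

# Check every requested feature; report missing ones on stderr.
check_build_info() {
  info="$1"; shift
  rc=0
  for feature in "$@"; do
    case "$(build_info_value "$info" "$feature")" in
      yes) ;;
      *) echo "missing or disabled: $feature" >&2; rc=1 ;;
    esac
  done
  return $rc
}

# Constructed sample (abbreviated) matching the bottle build from the issue,
# where no IPS capture mode is compiled in.
SAMPLE_BOTTLE='This is Suricata version 2.0.7 RELEASE
Suricata Configuration:
  AF_PACKET support:                       no
  NFQueue support:                         no
  IPFW support:                            no
  Detection enabled:                       yes'

# Constructed sample matching a source build done with --enable-ipfw.
SAMPLE_SOURCE='This is Suricata version 2.0.8 RELEASE
Suricata Configuration:
  AF_PACKET support:                       no
  NFQueue support:                         no
  IPFW support:                            yes
  Detection enabled:                       yes'

# Run against the real binary when present, otherwise demonstrate on the samples.
if command -v suricata >/dev/null 2>&1; then
  check_build_info "$(suricata --build-info)" "IPFW support" && echo "ipfw support present"
else
  check_build_info "$SAMPLE_SOURCE" "IPFW support" && echo "sample source build: ipfw ok"
fi
```

Run it after `brew install --build-from-source suricata` to confirm the locally edited formula actually produced the binary you wanted; a surprising "no" means the bottle, not your modified formula, was installed.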

drew1kun commented 9 years ago

Thanx!