Suricata 6.0.6 fails to compile with pf_ring 8

storm_zy · September 15, 2022, 6:07am

I have the same problem.
env:
os: rhel 8.2
suricata: 6.0.6
pfring: 8.2.0

When run ./configure with enable-pfring, it say “–enable-pfring was passed but the library version is < 6”, please take a look thanks.

vjulien · September 15, 2022, 6:57am

Can someone open a ticket for this?

Jeff_Lucovsky · September 17, 2022, 2:43pm

Hi,
Can you post the config.log file?

greg · September 19, 2022, 6:07pm

This is interesting, Suricata 6.0.6 compiles fine with PF_RING 8.2.0 on
RHEL7

LIBS=“-lrt” ./configure --prefix=/opt/suricata --enable-pfring=yes --with-libpfring-includes=/usr/include --with-libpfring-libraries=/usr/lib --with-libhs-includes=/usr/local/include/hs --with-libhs-libraries=/usr/local/lib64 --enable-af-packet=no

Greg

storm_zy · September 20, 2022, 8:24am

yes, I try ok on rhel7 with suricata6.0.4 too.

storm_zy · September 21, 2022, 2:41pm

config.log (184.1 KB)
Please take a look, thanks.

Jeff_Lucovsky · September 29, 2022, 1:55pm

Hi,

Could you try patching configure.ac and then re-running configure?

Your config.log file shows that types defined in <sys/types.h> aren’t being found – these are basic typedefs available on your system (they were checked earlier in the configure process): u_char, u_int, ...

Here’s the patch:

diff --git a/configure.ac b/configure.ac
index 34b2b811c..4b2e8ecfc 100644
--- a/configure.ac
+++ b/configure.ac
@@ -1409,6 +1409,7 @@
             AC_COMPILE_IFELSE(
                 [AC_LANG_PROGRAM(
                     [
+                    #include <sys/types.h>
                     #include <pfring.h>
                     ],
                     [

storm_zy · October 11, 2022, 1:17am

Thanks a lot, I have switched to af_packet.

vjulien · October 14, 2022, 1:32pm

FYI PF_RING 8.2 builds fine. It’s also the only version of PF_RING that is supported by ntop:

github.com/ntop/PF_RING

Unable to compile suricata with latest pf_ring installation

opened 04:34PM - 28 Feb 22 UTC

closed 03:43PM - 01 Apr 22 UTC

a-czyrny

# Summary The suricata configuration script does not find the installed pf_ri…ng libraries due to an "error" during the check: ``` > LIBS="-lrt" ./configure --prefix=/usr --sysconfdir=/etc --localstatedir=/var --enable-geoip --enable-pfring --with-libpfring-includes=/usr/local/include --with-libpfring-libraries=/usr/local/lib [...] checking for pfring_open in -lpfring... no ERROR! --enable-pfring was passed but the library was not found, go get it from http://www.ntop.org/products/pf_ring/ [...] ``` ``` > cat config.log [...] configure:17469: checking for pfring_open in -lpfring configure:17494: gcc -o conftest -g -O2 -std=c11 -march=native -I/usr/local/include -rdynamic -L/usr/local/lib conftest.c -lpfring -lpcap -lpcap -lnet -ljansson -lpthread -lyaml -lpcre -lrt -lnuma -lz -lpcap >&5 /usr/bin/ld: /usr/lib/gcc/x86_64-linux-gnu/9/../../../../lib/libpfring.so: undefined reference to `utils_ethtoa' /usr/bin/ld: /usr/lib/gcc/x86_64-linux-gnu/9/../../../../lib/libpfring.so: undefined reference to `utils_read_version' /usr/bin/ld: /usr/lib/gcc/x86_64-linux-gnu/9/../../../../lib/libpfring.so: undefined reference to `utils_time_msec' collect2: error: ld returned 1 exit status [...] ``` This is the first time this error has occurred with this version of suricata. The version has already been successfully compiled. pf_ring was installed from packages. # Additional information ``` > cat /proc/net/pf_ring/info PF_RING Version : 8.0.0 (8.0.0-stable:58e764f619bb4711a66b021f7a475401d99ba371) Total rings : 0 Standard (non ZC) Options Ring slots : 65536 Slot version : 18 Capture TX : Yes [RX+TX] IP Defragment : No Socket Mode : Standard Cluster Fragment Queue : 0 Cluster Fragment Discard : 0 ``` ``` > modinfo pf_ring filename: /lib/modules/5.4.0-100-generic/updates/dkms/pf_ring.ko alias: net-pf-27 version: 8.0.0 description: Packet capture acceleration and analysis author: ntop.org license: GPL srcversion: 39A03DB35F34BABB24A42CB depends: retpoline: Y name: pf_ring vermagic: 5.4.0-100-generic SMP mod_unload modversions parm: min_num_slots:Min number of ring slots (uint) parm: perfect_rules_hash_size:Perfect rules hash size (uint) parm: enable_tx_capture:Set to 1 to capture outgoing packets (uint) parm: enable_frag_coherence:Set to 1 to handle fragments (flow coherence) in clusters (uint) parm: enable_ip_defrag:Set to 1 to enable IP defragmentation(only rx traffic is defragmentead) (uint) parm: quick_mode:Set to 1 to run at full speed but with upto one socket per interface (uint) parm: force_ring_lock:Set to 1 to force ring locking (automatically enable with rss) (uint) parm: enable_debug:Set to 1 to enable PF_RING debug tracing into the syslog, 2 for more verbosity (uint) parm: transparent_mode:(deprecated) (uint) ``` ``` > uname -a Linux [private] 5.4.0-100-generic #113-Ubuntu SMP Thu Feb 3 18:43:29 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux ```

8.0 and older versions are EOL.

storm_zy · November 7, 2022, 8:34am

But my environment is:
os: rhel 8.2
suricata: 6.0.6
pfring: 8.2.0

It didn’t work out.
It say “–enable-pfring was passed but the library version is < 6”, please take a look thanks.

storm_zy · November 7, 2022, 9:38am

And is there a tutorial on using dpdk on version 6?
Thanks.

vjulien · November 7, 2022, 12:12pm

DPDK is introduced in Suricata 7. You could try 7.0.0-beta1.

vjulien · November 7, 2022, 12:14pm

Can you attach the config.log?

greg · November 7, 2022, 5:30pm

Suricata 6.0.8 builds just fine with most recent PF_RING - update your
Suricata version…

Greg

storm_zy · November 8, 2022, 1:15am

OK，I will try Suricata 7
the log file: Suricata 6.0.6 fails to compile with pf_ring 8 - #8 by storm_zy

storm_zy · November 8, 2022, 1:15am

OK, I will try 6.0.8, thanks.

storm_zy · November 8, 2022, 3:17am

Today I tried Suricata6.0.8 with pfring 8.2.0.
It still wrong with: ERROR! --enable-pfring was passed but the library version is < 6

OS: rhel 8.2
uname -r: 4.18.0-193.el8.x86_64
Suricata: 6.0.8
pfring: 8.2.0
The config.log file:
config.log (184.3 KB)

I’m so depressed T_T.
Please take a look. Thank you.

greg · November 8, 2022, 4:05am

Hello,

Yes this can be confusing, here is how to do it

Use only the Linux package manager available from NTOP to install pf_ring,
don’t bother trying to compile it and install it yourself, it just
causes headaches.

Once pf_ring is installed with the package manager, configure and compile
Suricata as follows

cd suricata-6.0.8

LIBS=“-lrt” ./configure --prefix=/opt/suricata --enable-pfring=yes --with-libpfring-includes=/usr/include --with-libpfring-libraries=/usr/lib --with-libhs-includes=/usr/local/include/hs --with-libhs-libraries=/usr/local/lib64 --enable-af-packet=no

make
make install

You may or may not need the libhs includes depending on your install and
you may need to update the prefix path to suit your environment.

Greg

storm_zy · November 8, 2022, 5:45am

Thank you very much.
But I am in an Intranet environment and it is difficult for me to use the package manager.

greg · November 8, 2022, 1:23pm

Well you are obviously able to get external sources to your system, NTOP
provides RPMs you can download as well, then install locally instead of
using the system package manager.

That said, how exactly do you perform security updates to this system if
you don’t have external access? It is a hugely bad idea to run Suricata
or any other IDS on systems that are not regularly patched.