Hi Suricata Developers!
Firstly, i have not contributed to Suricata as of yet but i intend to! i have a few things going on regarding Suricata and one thing i have realized i do recently is that i re/build Suricata a lot depending on the deployment or CTF challenge i wish to use Suricata in etc.
What id like to know is what tooling or workflow other developers out there use for testing out dev features that may need a new flag being configured and additional dev libraries installed to test a feature against pcap data to verify the results?
Is a set of docker images best with different versions of Suricata all having access to pcaps?
or Suricata installed as .deb from the ppa on a vm do other people then compile Suricata in a different directory and have multiple instances of Suricata on the same machine?
a snippet of my build options are below. I was going to script this to do either pull latest from suricata master or development branch to build against but just looking to more experienced people than i to ask for specifics around their setup
Pip install pyaml or pip3 install pyaml
needs to be installed as the command “suricata-update” requires it and suricata update is used to manage the rulebase within Suricata 4+ versions
apt install libhtp-dev libcap-ng-dev libmagic-dev libluajit-5.1-dev libhiredis-dev liblz4-dev libjansson-dev lua-zlib-dev libgeoip-dev zlib1g-dev pkg-config python-yaml libyaml-dev cargo pfring nprobe ntopng ntopng-data cento nbox libnet1-dev libevent1-dev ragel cmake libboost-dev libpcap-dev libnspr4-dev nss-devel libmaxminddb-dev && export CFLAGS="-g -O2 -fPIE -fstack-protector-strong -Wformat -Werror=format-security" && export SECCFLAGS="-fstack-protector -D_FORTIFY_SOURCE=2 -Wformat -Wformat-security" && export PCAP_CFLAGS="-I/usr/include" libmaxminddb-dev libnspr4-dev libfl-dev libnetfilter-log-dev
Hyperscan is a high-performance multiple regex matching library. It follows the regular expression syntax of the commonly-used libpcre library, yet functions as a standalone library with its own API written in C. Hyperscan uses hybrid automata techniques to allow simultaneous matching of large numbers (up to tens of thousands) of regular expressions, as well as matching of regular expressions across streams of data.
#download hyperscan source onto the system
apt install libpcre2-dev libpcre2 libpcre2-32-0
cmake -DBUILD_STATIC_AND_SHARED=1 …/ && make && make install
echo “/usr/local/lib” |tee --append /etc/ld.so.conf.d/usrlocal.conf
Now lets download latest source file from APT for Suricata Apt source suricata
apt source suricata
./configure --prefix=/usr --sysconfdir=/etc --localstatedir=/var --datarootdir=/usr/share --enable-gccprotect --enable-gccmarch-native --enable-python --enable-afl --enable-nfqueue --enable-pfring --enable-non-bundled-htp --enable-luajit --enable-geoip --enable-pie --enable-hiredis --enable-rust --with-libpfring-includes=/usr/local/include --with-libpfring-libraries=/usr/local/lib
#build a deb
fpm -s dir -t deb -n dev-suricata-5.0.1 /home/user/suricata-5.0.1/
#compile from source
do make install-rules to install binaries and download latest rules
do make install-full if you want configuration files as well as rules
Also, Is it common for researchers or students to use ET Pro rulesets for personal use of signature development? I have used them previously professionally and think it would be a great addition for an individual to use them for their own research? if the cost was different from an enterprise to an individual?