Bumping this thread.
I think it will most likely not work with the Ubuntu package that way as the environment is Debian.
Debian buster backports for ARM has Suricata 5.0.3. Indeed the stable buster only has 4.1.2 because that was the latest version when buster was released, but backports can have newer versions.
I am using that myself on a Raspberry Pi 3.
Just add
deb http://httpredir.debian.org/debian buster-backports main contrib
to your /etc/apt/sources.list, do apt update and reinstall suricata. That should give you 5.0.3 and its dependencies.
Hi @satta,
Is this backport usable on Raspbian? I have PRETTY_NAME="Raspbian GNU/Linux 10 (buster)". It appears that libbpf4.19, which is required by Suricata, is not available on Raspbian.
Thanks
Just got myself a Raspberry Pi so this post is rather timely.
Uh, possible. It is in buster, so you can get the .deb for armhf (http://security.debian.org/debian-security/pool/updates/main/l/linux/libbpf4.19_4.19.118-2+deb10u1_armhf.deb) and use that. Here’s what I have altogether:
[pi@tiptap:~] $ apt show suricata libbpf4.19 libhtp2
Package: suricata
Version: 1:5.0.3-1~bpo10+1
Priority: optional
Section: net
Maintainer: Pierre Chifflier <pollux@debian.org>
Installed-Size: 4,607 kB
Pre-Depends: dpkg (>= 1.15.7.2), init-system-helpers (>= 1.54~)
Depends: python3 (>= 3.2), python3-simplejson, python3:any, libbpf4.19, libc6 (>= 2.28), libcap-ng0 (>= 0.7.9), libelf1 (>= 0.131), libevent-2.1-6 (>= 2.1.8-stable), libevent-pthreads-2.1-6 (>= 2.1.8-stable), libgcc1 (>= 1:4.3), libgnutls30 (>= 3.6.5), libhiredis0.14 (>= 0.14.0), libhtp2 (>= 1:0.5.33-1~bpo10+1~), libjansson4 (>= 2.3), libltdl7 (>= 2.4.6), libluajit-5.1-2 (>= 2.0.4+dfsg), liblz4-1 (>= 0.0~r127), libmagic1 (>= 5.12), libmaxminddb0 (>= 1.0.2), libnet1 (>= 1.1.5), libnetfilter-log1, libnetfilter-queue1, libnfnetlink0, libnspr4 (>= 2:4.9-2~), libnss3 (>= 2:3.13.4-2~), libpcap0.8 (>= 1.0.0), libpcre3, libprelude23 (>= 4.1), libyaml-0-2, zlib1g (>= 1:1.1.4), lsb-base (>= 3.0-6)
Recommends: snort-rules-default, suricata-update
Suggests: libtcmalloc-minimal4
Conflicts: libhtp1 (<< 0.5.16), suricata-hyperscan (<< 3.2)
Replaces: libhtp1 (<< 0.5.16), suricata-hyperscan (<< 3.2)
Homepage: https://www.suricata-ids.org/
Download-Size: 1,664 kB
APT-Manual-Installed: yes
APT-Sources: http://httpredir.debian.org/debian buster-backports/main armhf Packages
Description: Next Generation Intrusion Detection and Prevention Tool
Suricata is a network Intrusion Detection System (IDS). It is based on
rules (and is fully compatible with snort rules) to detect a variety of
attacks / probes by searching packet content.
.
It can also be used as Intrusion Prevention System (IPS), and as higher layer
firewall.
.
This new Engine supports Multi-Threading, Automatic Protocol Detection
(IP, TCP, UDP, ICMP, HTTP, TLS, FTP and SMB), Gzip Decompression, Fast
IP Matching and coming soon hardware acceleration on CUDA and OpenCL GPU
cards.
.
This version has inline (NFQUEUE) support enabled.
Package: libbpf4.19
Version: 4.19.118-2
Status: install ok installed
Priority: optional
Section: libs
Source: linux
Maintainer: Debian Kernel Team <debian-kernel@lists.debian.org>
Installed-Size: 499 kB
Depends: libc6 (>= 2.26), libelf1 (>= 0.131)
Homepage: https://www.kernel.org/
Download-Size: unknown
APT-Manual-Installed: yes
APT-Sources: /var/lib/dpkg/status
Description: eBPF helper library (shared library)
libbpf is a library for loading eBPF programs and reading and manipulating
eBPF objects from user-space.
Package: libhtp2
Version: 1:0.5.33-1~bpo10+1
Priority: optional
Section: libs
Source: libhtp
Maintainer: Arturo Borrero Gonzalez <arturo@debian.org>
Installed-Size: 133 kB
Depends: libc6 (>= 2.4), zlib1g (>= 1:1.1.4)
Homepage: http://openinfosecfoundation.org/
Download-Size: 59.5 kB
APT-Manual-Installed: no
APT-Sources: http://httpredir.debian.org/debian buster-backports/main armhf Packages
Description: HTTP normalizer and parser library
The HTP Library is an HTTP normalizer and parser. This integrates and
provides very advanced processing of HTTP streams for Suricata. The HTP
library is required by the engine, but may also be used independently in a
range of applications and tools.
.
This package provides the runtime files for libhtp.
Indeed it looks like I installed that manually, yes. No idea why it’s not in Raspbian proper.
Thanks. I got 5.0.3 installed. For completeness, here is what I did:
Added:
deb http://httpredir.debian.org/debian buster-backports main contrib
to /etc/apt/sources.list.
I then had to do:
gpg --recv-keys 04EE7237B7D453EC
gpg --recv-keys 648ACFD622F3D138
gpg --export 04EE7237B7D453EC | sudo apt-key add -
gpg --export 648ACFD622F3D138 | sudo apt-key add -
Then manually download and install libbpf:
curl -OL http://security.debian.org/debian-security/pool/updates/main/l/linux/libbpf4.19_4.19.118-2+deb10u1_armhf.deb
dpkg -i libbpf4.19_4.19.118-2+deb10u1_armhf.deb
Now Suricata successfully installed:
apt -t buster-backports suricata
Cool
One more hint: if you have a Pi with less than 2GB of RAM, you might also want to use the suricata-update version from backports, as that one has lots of memory usage improvements.
Sorry, I am confused. Why do we need two gpg keys, and how do you create the specific ones shown in your solution? When I try to run dpkg -i libbpf4.19_4.19.118-2+deb10u1_armhf.deb I get an error:
sudo dpkg -i libbpf4.19_4.19.118-2+deb10u1_armhf.de
dpkg-deb: error: 'libbpf4.19_4.19.118-2+deb10u1_armhf.de' is not a Debian format archive
The extension of this file is de, not deb. You omitted the trailing b.
Here are the commands that Jason gave to download and install libbpf:
curl -OL http://security.debian.org/debian-security/pool/updates/main/l/linux/libbpf4.19_4.19.118-2+deb10u1_armhf.deb
dpkg -i libbpf4.19_4.19.118-2+deb10u1_armhf.deb
Weird, I get this error E: Invalid operation suricata on this line apt -t buster-backports suricata. Should suricata already be installed before following those steps? If so, by doing the sudo apt-get method?
The command should probably be: apt install -t buster-backports suricata
I received this error when executing that command.
E: The value 'buster-backports' is invalid for APT::Default-Release as such a release is not available in the sources
Bumping this thread.
Do you really have
deb http://httpredir.debian.org/debian buster-backports main contrib
in your /etc/apt/sources.list, as mentioned in Jason’s post above (#40)? And did you run sudo apt update afterwards? Your package manager does not seem to know that you added this extra repository.
Right, I don’t think I have done the key generation correctly, can you walk me through it? The sources.list is correct:
sudo apt update
Get:1 http://raspbian.raspberrypi.org/raspbian buster InRelease [15.0 kB]
Get:2 http://archive.raspberrypi.org/debian buster InRelease [32.6 kB]
Get:3 http://httpredir.debian.org/debian buster-backports InRelease [46.7 kB]
Get:4 http://archive.raspberrypi.org/debian buster/main armhf Packages [330 kB]
Err:3 http://httpredir.debian.org/debian buster-backports InRelease
The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 04EE7237B7D453EC NO_PUBKEY 648ACFD622F3D138
Reading package lists... Done
W: GPG error: http://httpredir.debian.org/debian buster-backports InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 04EE7237B7D453EC NO_PUBKEY 648ACFD622F3D138
E: The repository 'http://httpredir.debian.org/debian buster-backports InRelease' is not signed.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.
The package manager needs to have the PGP keys to verify package sets from the new repository.
You first have to fetch the keys from a keyserver, e.g. the SKS one:
$ gpg --recv-keys --keyserver ipv4.pool.sks-keyservers.net 04EE7237B7D453EC
gpg: key E0B11894F66AEC98: public key "Debian Archive Automatic Signing Key (9/stretch) <ftpmaster@debian.org>" imported
gpg: Total number processed: 1
gpg: imported: 1
$ gpg --recv-keys --keyserver ipv4.pool.sks-keyservers.net 648ACFD622F3D138
gpg: key DC30D7C23CBBABEE: public key "Debian Archive Automatic Signing Key (10/buster) <ftpmaster@debian.org>" imported
gpg: Total number processed: 1
gpg: imported: 1
then import them into your local APT key store:
$ gpg --export 04EE7237B7D453EC | sudo apt-key add -
OK
$ gpg --export 648ACFD622F3D138 | sudo apt-key add -
OK
Then your apt update should work.
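As an added illustration (not part of the post above or of any Debian tooling): the ids in the NO_PUBKEY error are signing subkeys, and gpg resolved them to the primary keys shown in the output above. Checking the primary key's full fingerprint against a pinned value before handing it to apt-key is the step that makes the keyserver fetch trustworthy. Assumed here: the gpg --with-colons output is a constructed sample in the real record layout, and the PINNED fingerprints are placeholders to be replaced with the values Debian publishes.

```python
# Added example, not from the thread. The NO_PUBKEY ids in the apt error are
# signing subkeys: gpg resolved 04EE7237B7D453EC to primary E0B11894F66AEC98
# and 648ACFD622F3D138 to DC30D7C23CBBABEE. A 64-bit id is not proof of
# identity, so pin the primary key's full fingerprint. PINNED is a PLACEHOLDER
# (24 zeros + key id); use the 40-hex values from https://ftp-master.debian.org/keys.html.
PINNED = {
    "04EE7237B7D453EC": "000000000000000000000000E0B11894F66AEC98",  # 9/stretch
    "648ACFD622F3D138": "000000000000000000000000DC30D7C23CBBABEE",  # 10/buster
}
# Constructed `gpg --with-colons --fingerprint` output in the real layout: field 5
# of pub/sub is the long key id; the fpr record right after it has the fingerprint in field 10.
SAMPLE = """\
pub:-:4096:1:E0B11894F66AEC98:0:0::-:::scSC:
fpr:::::::::000000000000000000000000E0B11894F66AEC98:
uid:-::::0::X::Debian Archive Automatic Signing Key (9/stretch) <ftpmaster@debian.org>:
sub:-:4096:1:04EE7237B7D453EC:0:0:::::s:
fpr:::::::::00000000000000000000000004EE7237B7D453EC:
pub:-:4096:1:DC30D7C23CBBABEE:0:0::-:::scSC:
fpr:::::::::000000000000000000000000DC30D7C23CBBABEE:
uid:-::::0::X::Debian Archive Automatic Signing Key (10/buster) <ftpmaster@debian.org>:
sub:-:4096:1:648ACFD622F3D138:0:0:::::s:
fpr:::::::::000000000000000000000000648ACFD622F3D138:
"""
# Constructed rogue keyring: same subkey id 648ACFD622F3D138, but the primary
# it hangs off has a different fingerprint, so it must be flagged.
ROGUE = SAMPLE.replace("000000000000000000000000DC30D7C23CBBABEE",
                       "FFFFFFFFFFFFFFFFFFFFFFFFDC30D7C23CBBABEE")

def primary_fingerprints(colons):
    """Map every pub/sub key id to the fingerprint of its primary key."""
    out, kind, keyid, primary = {}, None, None, None
    for line in colons.splitlines():
        f = line.split(":")
        if f[0] in ("pub", "sub"):
            kind, keyid = f[0], f[4].upper()
        elif f[0] == "fpr" and keyid is not None:
            if kind == "pub":
                primary = f[9].upper()
            out[keyid] = primary
            keyid = None
    return out

def check_pinned(colons, pinned=PINNED):
    """Return {pinned id: 'ok' | 'mismatch' | 'missing'}; only 'ok' keys
    should be handed to apt-key add (or dropped into /etc/apt/trusted.gpg.d)."""
    fprs = primary_fingerprints(colons)
    verdict = {}
    for keyid, expected in pinned.items():
        got = fprs.get(keyid.upper())
        want = expected.replace(" ", "").upper()
        verdict[keyid] = "missing" if got is None else ("ok" if got == want else "mismatch")
    return verdict
```

On a real system, feed `check_pinned` the output of `gpg --with-colons --fingerprint <id>` after the `--recv-keys` step and only export keys that come back "ok".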
That all worked, but when I do apt -t buster-backports suricata I get an error saying E: Invalid operation suricata. Should I install suricata at this point using sudo apt-get install suricata?
I have already done:
curl -OL http://security.debian.org/debian-security/pool/updates/main/l/linux/libbpf4.19_4.19.118-2+deb10u1_armhf.deb
dpkg -i libbpf4.19_4.19.118-2+deb10u1_armhf.deb
It should be
sudo apt install -t buster-backports suricata
where install is the operation, -t buster-backports is the target distribution, and suricata is the package to install via apt.
With libbpf already present, that should pull in the rest of the dependencies from backports.
Great, I now have it installed. I will now re-run my tests and see what happens.
Okay, so I have suricata 5 and I can now pick up the ICMP packets. The issue now is I can’t seem to install the emerging rules I was using previously. Here is the install script I was using. Are the emerging rules still compatible with suricata v5?
#!/usr/bin/python
import os
import urllib2

suricatadirectory='/etc/suricata/'
md5file=suricatadirectory+'lastmd5'
rulesdirectory=suricatadirectory+'rules.tar.gz'
rulesurl='https://rules.emergingthreats.net/open-nogpl/suricata-2.0/emerging.rules.tar.gz'

# Rule update
def deploynewrules():
    os.system("wget " + rulesurl + " -o /tmp/wget.output -O" + rulesdirectory)
    os.system("tar -xzf " + rulesdirectory + " -C " + suricatadirectory)

# Check whether the md5 has changed
def md5change():
    re = urllib2.urlopen(rulesurl+".md5")
    newmd5 = re.read()
    oldmd5file = open(md5file,"r")
    oldmd5 = oldmd5file.read()
    oldmd5file.close()
    if newmd5!=oldmd5 :
        md5 = open (md5file,"w")
        md5.write(newmd5)
        md5.close()
        return 1
    else:
        return 0

def main():
    if os.path.exists(md5file):
        if md5change():
            deploynewrules()
    else:
        re = urllib2.urlopen(rulesurl+".md5")
        newmd5 = re.read()
        md5 = open (md5file,"w")
        md5.write(newmd5)
        md5.close()
        deploynewrules()

if __name__ == '__main__':
    main()
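An added example (not the poster's script, and not how the emergingthreats.net feed is documented): the script above only uses the .md5 file to decide whether the rules changed, and then extracts whatever wget fetched straight into /etc/suricata/. These helpers verify the archive bytes against that digest before extracting and refuse tar members that would land outside the target directory. The archive and digest in `demo` are constructed in memory so it runs offline; `parse_md5_file` assumes the .md5 body is the hex digest, optionally followed by a file name.

```python
# Added example, not the poster's script: the script above extracts whatever wget
# fetched into /etc/suricata/ and only uses the .md5 file to decide whether the
# rules changed. Here the digest gates extraction and unsafe paths are refused.
import hashlib, io, tarfile, tempfile
from pathlib import Path, PurePosixPath

def parse_md5_file(text):
    """Return the 32-hex digest from a .md5 body ('HEX' or 'HEX  name')."""
    tokens = text.split()
    token = tokens[0].lower() if tokens else ""
    if len(token) != 32 or any(c not in "0123456789abcdef" for c in token):
        raise ValueError("malformed .md5 file: %r" % text[:40])
    return token

def archive_matches(data, md5_text):
    return hashlib.md5(data).hexdigest() == parse_md5_file(md5_text)

def safe_members(tar):
    """Only regular files/dirs with relative, traversal-free paths."""
    for m in tar.getmembers():
        p = PurePosixPath(m.name)
        if p.is_absolute() or ".." in p.parts or not (m.isfile() or m.isdir()):
            raise ValueError("refusing unsafe tar member: %s" % m.name)
        yield m

def deploy_rules(data, md5_text, dest):
    """Verify, then extract; returns the .rules files that landed in dest."""
    if not archive_matches(data, md5_text):
        raise ValueError("archive does not match .md5; not extracting")
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:gz") as tar:
        tar.extractall(dest, members=list(safe_members(tar)))
    return sorted(p.name for p in Path(dest).rglob("*.rules"))

def build_tar(entries):
    buf = io.BytesIO()  # constructed in-memory .tar.gz from {member name: bytes}
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, body in entries.items():
            info = tarfile.TarInfo(name)
            info.size = len(body)
            tar.addfile(info, io.BytesIO(body))
    return buf.getvalue()

def demo():
    # Constructed inputs: one good archive with its digest, one with a '../' member.
    good = build_tar({"rules/emerging-icmp.rules": b"# constructed rule file\n"})
    md5 = hashlib.md5(good).hexdigest() + "\n"
    evil = build_tar({"../evil.rules": b"x"})
    out = {"tampered_rejected": not archive_matches(good + b"\0", md5)}
    with tempfile.TemporaryDirectory() as d:
        out["deployed"] = deploy_rules(good, md5, d)
        try:
            deploy_rules(evil, hashlib.md5(evil).hexdigest(), d)
            out["traversal_rejected"] = False
        except ValueError:
            out["traversal_rejected"] = True
    return out
```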