Suricata not recognising packets, but tshark does

Then it seems like Ubuntu provides very old packages for Suricata. I think what syoc was trying to say was to use PPAs as your method of installation and re-install the entire thing if you want to be able to upgrade to more recent versions. We (OISF) maintain the PPA so that ensures that your package is always up-to-date after you perform an upgrade. Follow the steps here for that: https://suricata.readthedocs.io/en/suricata-5.0.3/install.html#ubuntu-debian
You could also try installing it manually if that’s what suits you better. (Download the package -> Run configure -> make -> sudo make install)
Follow the steps here for that: https://suricata.readthedocs.io/en/suricata-5.0.3/install.html#source

So I should delete/remove suricata and then reinstall it by running

sudo apt-get install libpcre3 libpcre3-dbg libpcre3-dev build-essential libpcap-dev libnet1-dev libyaml-0-2 libyaml-dev pkg-config zlib1g zlib1g-dev libcap-ng-dev libcap-ng0 make libmagic-dev libjansson-dev libnss3-dev libgeoip-dev liblua5.1-dev libhiredis-dev libevent-dev python-yaml rustc cargo

Instead of sudo apt-get install suricata

Maybe there is a way to keep all the configuration intact and add PPA. Ubuntu is not my primary OS but maybe @pevma can help. He maintains our PPAs and Ubuntu specific queries. :wink:

I have the config files saved.

Why don’t I install via the Source, as https://suricata.readthedocs.io/en/suricata-5.0.3/install.html#ubuntu-debian claims it “gives the most control over the Suricata installation.” I would need the suricata-5.0.0.tar.gz file however.

Typing your error into google indicates to me that there is a problem parsing /etc/lsb_release.
This seems to be a common issue with raspbian (I assume you are using raspbian and not ubuntu).
An easier solution could be just downloading the deb package from the ppa directly and installing it with dpkg -i
https://launchpad.net/~oisf/+archive/ubuntu/suricata-stable/+files/suricata_5.0.3-0ubuntu3_armhf.deb
You will probably need libhtp as well which can also be downloaded from:
https://launchpad.net/~oisf/+archive/ubuntu/suricata-stable/+packages

You need to click on “view package details” to get download links.
You need armhf packages if you are using raspbian.

@The_Radiant - can you try

sudo add-apt-repository ppa:oisf/suricata-stable
sudo apt-get update
sudo apt-get install suricata 

?
I would not need to uninstall anything.

Typing sudo add-apt-repository ppa:oisf/suricata-stable

Gives me this error:

Traceback (most recent call last):
  File "/usr/bin/add-apt-repository", line 95, in <module>
    sp = SoftwareProperties(options=options)
  File "/usr/lib/python3/dist-packages/softwareproperties/SoftwareProperties.py", line 109, in __init__
    self.reload_sourceslist()
  File "/usr/lib/python3/dist-packages/softwareproperties/SoftwareProperties.py", line 599, in reload_sourceslist
    self.distro.get_sources(self.sourceslist)
  File "/usr/lib/python3/dist-packages/aptsources/distro.py", line 93, in get_sources
    (self.id, self.codename))
aptsources.distro.NoDistroTemplateException: Error: could not find a distribution template for Raspbian/buster

Remember that I am using a Raspberry Pi 4 and so the Raspbian image must be buster.

I missed that - apologies. Those are only Ubuntu/PPA repos, they would not be possible to install on Raspberry at the moment I think.

Maybe building from source is your best option - unless there is latest Rasp Buster package available.

I get these errors, after installing the libhtp without issue.

sudo dpkg -i suricata_5.0.3-0ubuntu3_armhf.deb
(Reading database ... 69411 files and directories currently installed.)
Preparing to unpack suricata_5.0.3-0ubuntu3_armhf.deb ...
Unpacking suricata (5.0.3-0ubuntu3) over (5.0.3-0ubuntu3) ...
dpkg: dependency problems prevent configuration of suricata:
 suricata depends on libc6 (>= 2.29); however:
  Version of libc6:armhf on system is 2.28-10+rpi1.
 suricata depends on python3-yaml; however:
  Package python3-yaml is not installed.
 suricata depends on liblzma-dev; however:
  Package liblzma-dev is not installed.

dpkg: error processing package suricata (--install):
 dependency problems - leaving unconfigured
Processing triggers for systemd (241-7~deb10u4+rpi1) ...
Processing triggers for man-db (2.8.5-2) ...
Errors were encountered while processing:
 suricata

Can you please try to install

liblzma-dev python3-yaml

and try installing the suri pkg once again and see if those two errors disappear?

Btw - where is that package from - “suricata_5.0.3-0ubuntu3_armhf.deb”? Seems it is Ubuntu? If that is so - it is not advisable to try it out on Raspbian (Debian)

It was built under arm https://launchpad.net/~oisf/+archive/ubuntu/suricata-ids-ips/+build/19228232/+files/suricata_5.0.3-0ubuntu3_armhf.deb

I don’t understand why sudo apt-get install suricata does not get you the most updated version.

Bumping this thread.

I think it will most likely not work with the Ubuntu package that way as the environment is Debian.
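As an added illustration (not code from this thread, from Suricata or from dpkg itself), the dependency failure dpkg reported above can be predicted before a foreign .deb is unpacked: the script below reimplements dpkg's version ordering in Python and checks a Depends field against a map of installed package versions. The DEPENDS and INSTALLED values are constructed from the dpkg error output in this thread and are assumptions, not a real package database.

```python
import re
from itertools import zip_longest
def _order(c):
    # dpkg order within a non-digit run: '~' < end of string (0) < letters < other chars
    return -1 if c == "~" else (ord(c) if c.isalpha() else ord(c) + 256)

def _cmp_fragment(a, b):
    for oa, ob in zip_longest(map(_order, a), map(_order, b), fillvalue=0):
        if oa != ob:
            return -1 if oa < ob else 1
    return 0

def _cmp_part(a, b):
    # alternate non-digit and digit runs, as dpkg's verrevcmp does
    runs = r"([^0-9]*)([0-9]*)"
    for (sa, na), (sb, nb) in zip_longest(re.findall(runs, a), re.findall(runs, b), fillvalue=("", "")):
        na, nb = int(na or 0), int(nb or 0)
        r = _cmp_fragment(sa, sb) or (na > nb) - (na < nb)
        if r:
            return r
    return 0

def compare_versions(v1, v2):
    """-1, 0 or 1, ordering [epoch:]upstream[-revision] as dpkg --compare-versions does."""
    def split(v):
        epoch, _, rest = v.partition(":") if ":" in v else ("0", "", v)
        up, _, rev = rest.rpartition("-") if "-" in rest else (rest, "", "")
        return int(epoch), up, rev
    (e1, u1, r1), (e2, u2, r2) = split(v1), split(v2)
    return (e1 > e2) - (e1 < e2) or _cmp_part(u1, u2) or _cmp_part(r1, r2)

_OPS = {"<<": lambda c: c < 0, "<=": lambda c: c <= 0, "=": lambda c: c == 0,
        ">=": lambda c: c >= 0, ">>": lambda c: c > 0}
def unmet_depends(depends, installed):
    """Clauses of a Depends: field that no alternative in `installed` satisfies."""
    dep = re.compile(r"\s*([^\s(:]+)(?::\w+)?\s*(?:\(\s*(<<|<=|=|>=|>>)\s*([^)\s]+)\s*\))?")
    unmet = []
    for clause in depends.split(","):
        for alt in clause.split("|"):
            name, op, ver = dep.match(alt).groups()
            have = installed.get(name)
            if have is not None and (op is None or _OPS[op](compare_versions(have, ver))):
                break
        else:
            unmet.append(clause.strip())
    return unmet

# Constructed sample: the Ubuntu armhf package's Depends against a Raspbian buster host.
DEPENDS = "libc6 (>= 2.29), python3-yaml, liblzma-dev, libhtp2 (>= 1:0.5.33-1~bpo10+1~), zlib1g (>= 1:1.1.4)"
INSTALLED = {"libc6": "2.28-10+rpi1", "libhtp2": "1:0.5.33-1~bpo10+1", "zlib1g": "1:1.2.11.dfsg-1"}
```

Running unmet_depends(DEPENDS, INSTALLED) reproduces the three unmet clauses dpkg printed; the libc6 one cannot be fixed by installing packages, which is why an Ubuntu build does not belong on Raspbian.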

Debian buster backports for ARM has Suricata 5.0.3. Indeed the stable buster only has 4.1.2 because that was the latest version when buster was released, but backports can have newer versions.
I am using that myself on a Raspberry Pi 3.

Just add

deb http://httpredir.debian.org/debian buster-backports main contrib

to your /etc/apt/sources.list, do apt update and reinstall suricata. That should give you 5.0.3 and its dependencies.

Hi @satta,

Is this backport usable on Raspbian? I have PRETTY_NAME="Raspbian GNU/Linux 10 (buster)". It appears that libbpf4.19 is not available on Raspbian which is required by Suricata.

Thanks

Just got myself a Raspberry Pi so this post is rather timely.

Uh possible. It is in buster, so you can get the .deb for armhf (http://security.debian.org/debian-security/pool/updates/main/l/linux/libbpf4.19_4.19.118-2+deb10u1_armhf.deb) and use that. Here’s what I have altogether:

[pi@tiptap:~] $ apt show suricata libbpf4.19 libhtp2
Package: suricata
Version: 1:5.0.3-1~bpo10+1
Priority: optional
Section: net
Maintainer: Pierre Chifflier <pollux@debian.org>
Installed-Size: 4,607 kB
Pre-Depends: dpkg (>= 1.15.7.2), init-system-helpers (>= 1.54~)
Depends: python3 (>= 3.2), python3-simplejson, python3:any, libbpf4.19, libc6 (>= 2.28), libcap-ng0 (>= 0.7.9), libelf1 (>= 0.131), libevent-2.1-6 (>= 2.1.8-stable), libevent-pthreads-2.1-6 (>= 2.1.8-stable), libgcc1 (>= 1:4.3), libgnutls30 (>= 3.6.5), libhiredis0.14 (>= 0.14.0), libhtp2 (>= 1:0.5.33-1~bpo10+1~), libjansson4 (>= 2.3), libltdl7 (>= 2.4.6), libluajit-5.1-2 (>= 2.0.4+dfsg), liblz4-1 (>= 0.0~r127), libmagic1 (>= 5.12), libmaxminddb0 (>= 1.0.2), libnet1 (>= 1.1.5), libnetfilter-log1, libnetfilter-queue1, libnfnetlink0, libnspr4 (>= 2:4.9-2~), libnss3 (>= 2:3.13.4-2~), libpcap0.8 (>= 1.0.0), libpcre3, libprelude23 (>= 4.1), libyaml-0-2, zlib1g (>= 1:1.1.4), lsb-base (>= 3.0-6)
Recommends: snort-rules-default, suricata-update
Suggests: libtcmalloc-minimal4
Conflicts: libhtp1 (<< 0.5.16), suricata-hyperscan (<< 3.2)
Replaces: libhtp1 (<< 0.5.16), suricata-hyperscan (<< 3.2)
Homepage: https://www.suricata-ids.org/
Download-Size: 1,664 kB
APT-Manual-Installed: yes
APT-Sources: http://httpredir.debian.org/debian buster-backports/main armhf Packages
Description: Next Generation Intrusion Detection and Prevention Tool
 Suricata is a network Intrusion Detection System (IDS). It is based on
 rules (and is fully compatible with snort rules) to detect a variety of
 attacks / probes by searching packet content.
 .
 It can also be used as Intrusion Prevention System (IPS), and as higher layer
 firewall.
 .
 This new Engine supports Multi-Threading, Automatic Protocol Detection
 (IP, TCP, UDP, ICMP, HTTP, TLS, FTP and SMB), Gzip Decompression, Fast
 IP Matching and coming soon hardware acceleration on CUDA and OpenCL GPU
 cards.
 .
 This version has inline (NFQUEUE) support enabled.

Package: libbpf4.19
Version: 4.19.118-2
Status: install ok installed
Priority: optional
Section: libs
Source: linux
Maintainer: Debian Kernel Team <debian-kernel@lists.debian.org>
Installed-Size: 499 kB
Depends: libc6 (>= 2.26), libelf1 (>= 0.131)
Homepage: https://www.kernel.org/
Download-Size: unknown
APT-Manual-Installed: yes
APT-Sources: /var/lib/dpkg/status
Description: eBPF helper library (shared library)
 libbpf is a library for loading eBPF programs and reading and manipulating
 eBPF objects from user-space.

Package: libhtp2
Version: 1:0.5.33-1~bpo10+1
Priority: optional
Section: libs
Source: libhtp
Maintainer: Arturo Borrero Gonzalez <arturo@debian.org>
Installed-Size: 133 kB
Depends: libc6 (>= 2.4), zlib1g (>= 1:1.1.4)
Homepage: http://openinfosecfoundation.org/
Download-Size: 59.5 kB
APT-Manual-Installed: no
APT-Sources: http://httpredir.debian.org/debian buster-backports/main armhf Packages
Description: HTTP normalizer and parser library
 The HTP Library is an HTTP normalizer and parser.  This integrates and
 provides very advanced processing of HTTP streams for Suricata. The HTP
 library is required by the engine, but may also be used independently in a
 range of applications and tools.
 .
 This package provides the runtime files for libhtp.

Indeed it looks like I installed that manually, yes. No idea why it’s not in Raspbian proper.

Thanks. I got 5.0.3 installed. For completeness, here is what I did:

Added:

deb http://httpredir.debian.org/debian buster-backports main contrib

to /etc/apt/sources.list.

I then had to do:

gpg --recv-keys 04EE7237B7D453EC
gpg --recv-keys 648ACFD622F3D138

gpg --export 04EE7237B7D453EC | sudo apt-key add -
gpg --export 648ACFD622F3D138 | sudo apt-key add -

Then manually download and install libbpf:

curl -OL http://security.debian.org/debian-security/pool/updates/main/l/linux/libbpf4.19_4.19.118-2+deb10u1_armhf.deb
dpkg -i libbpf4.19_4.19.118-2+deb10u1_armhf.deb

Now Suricata successfully installed:

apt -t buster-backports install suricata

Cool :slightly_smiling_face:
One more hint: if you have a Pi with less than 2GB of RAM, you might also want to use the suricata-update version from backports, as that one has lots of memory usage improvements.