bløgg.no

I’ve recently revamped my home network security monitoring. Currently I’m capturing and streaming all network traffic on my MikroTik router’s outside interface to a remote sensor, namely a Raspberry Pi 4 with 4 GB RAM running Suricata IDS. Suricata’s log is read by Elastic’s Filebeat and shipped to an Elasticsearch instance, making the data available for further analysis with Kibana and its SIEM/security capabilities. This blog post is one of a series detailing the various components in this setup.

Other posts:

• Traffic capturing and streaming with MikroTik – revisited
• Filebeat on a Raspberry Pi

Compiling Suricata IDS on an RPi4

If you want a recent version of Suricata, the Raspberry Pi OS repos will not suffice. At the time of writing, precompiled Suricata packages for the ARM architecture exist only up to version 4.1, while the current version is 6.0. Debian’s Backports repositories currently provide some 5.x versions for ARM, which may be used after installing some additional dependencies. Peter Manev of the OISF team, however, maintains a Ubuntu PPA providing the most recent versions. While the PPA does not provide ARM packages, the source code with Debian build instructions is included so we can roll our own!

Start by adding the PPA. On Ubuntu distributions one can use the apt-add-repository tool, on Debian not so much so we’ll just do it manually. The Raspberry Pi OS version in use, Raspbian GNU/Linux 10 (buster), maps pretty well to Ubuntu’s 20.04 LTS “Focal” release so we’ll use that:
# cat > /etc/apt/sources.list.d/suricata.list
deb http://ppa.launchpad.net/oisf/suricata-stable/ubuntu focal main
deb-src http://ppa.launchpad.net/oisf/suricata-stable/ubuntu focal main

Add the PPA’s public key:
# gpg --keyserver pgpkeys.mit.edu --recv-key D7F87B2966EB736F
# gpg --export --armor D7F87B2966EB736F | apt-key add -

Update the OS, make sure the standard Suricata package is not installed from the repos, add some required build tools, download the Suricata source from the PPA, and finally install the libraries and tools required to compile Suricata:
# apt -y update
# apt-mark hold suricata
# apt -y install devscripts
# apt -y source suricata
# apt -y build-dep suricata

When the above set of commands have run, the apt source command will have created a new directory named suricata-$version, in the current case suricata-6.0.0. In this directory we find a new directory named debian, with a rules file telling how Debian based distributions should build the software. For building on Raspbian we need to make one small change to this file, namely add LDFLAGS="-latomic" to the configure stanza. By default it looks like this:
CONFIGURE_ARGS = --prefix=/usr/ --sysconfdir=/etc/ --localstatedir=/var/ --enable-nfqueue \
--disable-gccmarch-native --enable-hiredis --enable-geoip \
--enable-gccprotect --enable-pie \
--enable-non-bundled-htp \
$(ENABLE_LUAJIT) \
$(ENABLE_LUA)

After making the required change it should look like this, modification in bold:
CONFIGURE_ARGS = --prefix=/usr/ --sysconfdir=/etc/ --localstatedir=/var/ --enable-nfqueue \
--disable-gccmarch-native --enable-hiredis --enable-geoip \
--enable-gccprotect --enable-pie \
--enable-non-bundled-htp \
LDFLAGS="-latomic" \
$(ENABLE_LUAJIT) \
$(ENABLE_LUA)

After saving the file, make sure you’re back in the source code directory (suricata-$version) and then start building the package with Debian’s tools:
~/suricata-6.0.0# debuild -b -uc -us

The build process will run for some time – on my Raspberry Pi the build took 15-20 minutes or so – and when it’s done you will find the completed product in the parent directory – a .deb file to install. Actually there will be two .deb files, one of which is a debug version that can be safely ignored. Install the regular package using dpkg:
# dpkg -i suricata_6.0.0-0ubuntu2_armhf.deb
Selecting previously unselected package suricata.
(Reading database ... 49265 files and directories currently installed.)
Preparing to unpack suricata_6.0.0-0ubuntu2_armhf.deb ...
Unpacking suricata (6.0.0-0ubuntu2) ...
Setting up suricata (6.0.0-0ubuntu2) ...
Processing triggers for systemd (241-7~deb10u4+rpi1) ...

After having installed Suricata, configure it to listen on the correct interface. Additional configuration and rule activation/deactivation should be performed as usual – that’s out of scope for this blog post but I’ll note that the included tool suricata-update works perfectly fine for managing rules and updates on this platform as well.

Important note: When building from source, you will not receive regular updates from the PPA. You should keep an eye on release notes and security notes for the project, and build new versions when required.

The next article in this series is Filebeat on a Raspberry Pi, explaining how I’m using Filebeat to ship Suricata logs to an external Elasticsearch log server.