Install suricata 3 on Gentoo via Portage with an external libhtp

Tags: quick-tip, open-source, intrusion-detection, config_management, linux


It’s possible that you run into compilation errors with LibHTP and Suricata 3 on a modern Gentoo Linux.
This blog post is about how to fix this quickly.

The symptom

 emerge -av suricata
These are the packages that would be merged, in order:

Calculating dependencies... done!
[ebuild  N     ] dev-libs/nspr-4.13.1::gentoo  USE="-debug" ABI_X86="(64) -32 (-x32)" 1,111 KiB
[ebuild  N    ~] net-libs/libhtp-0.5.22::gentoo  USE="-debug -static-libs" ABI_X86="(64) -32 (-x32)" 5,638 KiB
[ebuild  N     ] dev-libs/jansson-2.9::gentoo  USE="-doc -static-libs" ABI_X86="(64) -32 (-x32)" 474 KiB
[ebuild  N     ] dev-db/sqlite-3.13.0:3::gentoo  USE="readline -debug -doc -icu -secure-delete -static-libs -tcl {-test} -tools" ABI_X86="(64) -32 (-x32)" 2,403 KiB
[ebuild  N     ] dev-libs/nss-3.28.1::gentoo  USE="nss-pem -cacert -utils" ABI_X86="(64) -32 (-x32)" 7,304 KiB
[ebuild  N     ] net-libs/libnetfilter_queue-1.0.2::gentoo  USE="-static-libs" 346 KiB
[ebuild  N    ~] net-analyzer/suricata-3.2-r1::gentoo  USE="af-packet detection nfqueue rules -control-socket -cuda -debug -geoip -hardened -logrotate -lua -luajit -nflog -redis {-test}" 11,458 KiB

Ok, looks good. Time to set some USE flags… and fire up the build chain.

Whooops:

app-layer-htp.c: In function "HTPConfigParseParameters"
app-layer-htp.c:2380:13: error: implicit declaration of function 
htp_config_set_response_decompression_layer_limit [-Werror=implicit-function-declaration]
             htp_config_set_response_decompression_layer_limit(cfg_prec->cfg, value);
             ^

You are not alone with this problem

There are some posts on bug trackers about it: [1], [2]

The gist of this is that some Linux distributions prefer to handle the LibHTP dependency themselves instead of leaving it to the Suricata package.

Why is this so important?

LibHTP is a security-aware parser for the HTTP protocol and the related bits and pieces.

Essentially this is the dissection component for HTTP. OISF Suricata 3 bundles its own LibHTP, or you can build it against an external one. If you use an external one, make sure its version matches your Suricata release; otherwise you will get build errors like the one above.

Fix: install LibHtp and then Suricata

If you are interested in my Portage USE flags for suricata:

cat /etc/portage/package.use  | grep suricata
net-analyzer/suricata af-packet detection geoip logrotate luajit redis control-socket -nfqueue

Here is what that means:

equery uses suricata

[ Legend : U - final flag setting for installation]
[        : I - package is installed with flag     ]
[ Colors : set, unset                             ]
 * Found these USE flags for net-analyzer/suricata-3.2-r1:
 U I
 + + af-packet      : Enable AF_PACKET support
 + + control-socket : Enable unix socket
 - - cuda           : Enable NVIDIA Cuda computations support
 - - debug          : Enable extra debug codepaths, like asserts and extra output. If you want to get meaningful backtraces see
                      https://wiki.gentoo.org/wiki/Project:Quality_Assurance/Backtraces
 + + detection      : Enable detection modules
 + + geoip          : Add geoip support for country and city lookup based on IPs
 - - hardened       : Activate default security enhancements for toolchain (gcc, glibc, binutils)
 + + logrotate      : Install logrotate rule
 - - lua            : Enable Lua scripting support
 + + luajit         : Enable Luajit support
 - - nflog          : Enable libnetfilter_log support
 - - nfqueue        : Enable NFQUEUE support for inline IDP
 + + redis          : Enable Redis support
 + + rules          : Install default ruleset
 - - test           : Workaround to pull in packages needed to run with FEATURES=test. Portage-2.1.2 handles this internally, so don't set it in make.conf/package.use anymore

Easy.

Let’s install all the dependencies:

emerge -oaq net-analyzer/suricata

We can see that this would set us up with a LibHTP which does not fit. Bummer. LibHTP version 0.5.21 is not in Portage.

emerge -C net-libs/libhtp

For more info you can go here.

My fix also involves building LibHTP with the correct library path:

./configure  --libdir=/usr/lib
make -j 6
make install

This is important because once the library compiles, Suricata's build scripts still need to find it in the library path they search.

Last but not least:

emerge -Oav net-analyzer/suricata
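Because -O (--nodeps) tells Portage to skip dependency resolution, nothing verifies the hand-built LibHTP before Suricata compiles against it. The following pre-flight script is an added example, not code from the original post: it checks the installed library's version and that it actually exports the function named in the error above. It assumes LibHTP installs an htp.pc file for pkg-config, that the library landed in /usr/lib as configured above, and that the caller passes the minimum version required by their Suricata release.

```shell
#!/bin/sh
# Pre-flight check to run before `emerge -Oav net-analyzer/suricata`.
# Added example for this post; not part of Suricata or LibHTP.

# version_ge HAVE MIN: succeed when dotted version HAVE is >= MIN.
version_ge() {
    have=$1
    min=$2
    lowest=$(printf '%s\n%s\n' "$min" "$have" | sort -V | head -n 1)
    [ "$lowest" = "$min" ]
}

# libhtp_has_symbol LIB SYMBOL: succeed when the shared object defines
# SYMBOL as an exported function (type "T" in `nm -D` output).
libhtp_has_symbol() {
    lib=$1
    sym=$2
    [ -r "$lib" ] || return 1
    nm -D "$lib" 2>/dev/null |
        awk -v s="$sym" '$2 == "T" && $3 == s { found = 1 } END { exit !found }'
}

# check_libhtp MIN_VERSION: run the whole check against the live system.
# MIN_VERSION is supplied by the caller (take it from the libhtp/ directory
# of your Suricata release); the library path matches --libdir=/usr/lib.
check_libhtp() {
    min=$1
    lib=/usr/lib/libhtp.so
    sym=htp_config_set_response_decompression_layer_limit
    [ -n "$min" ] || { echo "usage: check_libhtp MIN_VERSION" >&2; return 2; }
    have=$(pkg-config --modversion htp 2>/dev/null) ||
        { echo "pkg-config cannot find htp; is htp.pc installed?" >&2; return 1; }
    version_ge "$have" "$min" ||
        { echo "libhtp $have is older than required $min" >&2; return 1; }
    libhtp_has_symbol "$lib" "$sym" ||
        { echo "$lib does not export $sym; Suricata will fail to build" >&2; return 1; }
    echo "libhtp $have at $lib looks usable, safe to emerge -Oav suricata"
}
```

Run it as `check_libhtp 0.5.x` with the version your Suricata tarball bundles; a non-zero exit means the emerge above would fail in the same way as the error shown earlier.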

Summary

This might end up as one of your dirtier Ansible playbooks, but it will work. It’s a workaround, which appears to be necessary if you want Portage to handle Suricata, something I would recommend.
