Suricata + Myricom


Michal Purzynski

Mar 11, 2014, 9:33:49 AM
to securit...@googlegroups.com

Hey.

Testing Suricata with Myricom support and I need to rebuild the former
with a specific version of libpcap (unfortunately the Myricom license
forbids distributing its code). I want to create a proper .deb package
so that's how I approached it.

mpurzynski@nsmbuild1:~/src/suricata$ cat securityonion-suricata-1.4.7/debian/rules

#!/usr/bin/make -f
# -*- makefile -*-
# Sample debian/rules that uses debhelper.
# This file was originally written by Joey Hess and Craig Small.
# As a special exception, when this file is copied by dh-make into a
# dh-make output file, you may use that output file without restriction.
# This special exception was added by Craig Small in version 0.37 of dh-make.

# Uncomment this to turn on verbose mode.
#export DH_VERBOSE=1

export LD_LIBRARY_PATH := $(LD_LIBRARY_PATH):/opt/myri-snf/lib

%:
	dh $@

override_dh_auto_configure:
	dh_auto_configure -- --disable-gccmarch-native --enable-luajit \
		--with-libpcap-includes=/opt/myri-snf/include \
		--with-libpcap-libraries=/opt/myri-snf/lib \
		--with-libnss-libraries=/usr/lib \
		--with-libnss-includes=/usr/include/nss/ \
		--with-libnspr-libraries=/usr/lib \
		--with-libnspr-includes=/usr/include/nspr --enable-gccprotect

As you can see, there's no sign of pf_ring at all, yet the resulting
binary is linked with... pf_ring specific libpcap. How's that even
possible and how come suricata knows where the pfring-libpcap is hiding?
It's a pure mystery to me ;)

ldd securityonion-suricata-1.4.7/debian/securityonion-suricata/usr/bin/suricata | grep -i pcap
libpcap.so.1 => /opt/pfring/lib/libpcap.so.1 (0x00007f3d5de3e000)

Yes, I can clearly see (while building) the include + lib paths to the
Myricom being used, so the result surprises me. So I've installed the
resulting package.

ii securityonion-suricata 1.4.7-0ubuntu0securityonion3ubuntu1moz Suricata open source multi-thread IDS/IPS.

(see the little 'moz' there? It's me ;)

ldd `which suricata` | grep -i pcap
libpcap.so.1 => /opt/pfring/lib/libpcap.so.1 (0x00007f2ff6d9c000)

No, I'm not Debian packaging fluent ;)

I'm clearly missing something obvious and looking for help here. Happy
to write documentation on how to provide Myricom support in SO, or even
help to include the necessary packages (modified Bro and Suricata).



Keith Butler

Mar 11, 2014, 10:06:43 AM
to securit...@googlegroups.com
It probably has to do with dynamic linking, and /etc/ld.so.conf.d/pfring.conf.
$ cat /etc/ld.so.conf.d/pfring.conf
/opt/pfring/lib

What happens if you run either:
LD_PRELOAD=/opt/myri-snf/lib/libpcap.so suricata ...
OR
LD_LIBRARY_PATH=/opt/myri-snf/lib suricata ...

Keith Butler

Mar 11, 2014, 10:13:13 AM
to securit...@googlegroups.com
I've had success in the past setting the runtime path of an executable (for the linker) at compile time using Xlinker and rpath. Maybe try something similar to this, or however it needs to be incorporated for the package build:

CPPFLAGS="-I/opt/myri-snf/include" LDFLAGS="-L/opt/myri-snf/lib -Xlinker -rpath -Xlinker /opt/myri-snf/lib" LIBS="-lpcap" ./configure --prefix=$DSTDIR/suricata...

Keith Butler

Mar 11, 2014, 10:14:45 AM
to securit...@googlegroups.com
p.s. definitely interested in the Myricom experience, I have a few on the way.

Keith Butler

Mar 11, 2014, 10:28:34 AM
to securit...@googlegroups.com
I'm no packaging expert either, but maybe the simplest test is to switch this line:

export LD_LIBRARY_PATH := $(LD_LIBRARY_PATH):/opt/myri-snf/lib

with this one and see what happens:
export LD_LIBRARY_PATH := /opt/myri-snf/lib:$(LD_LIBRARY_PATH)

OR remove the pfring.conf from the ld.so... if you don't need pfring at all, and run ldconfig before building.

Michal Purzynski

Mar 11, 2014, 10:50:51 AM
to securit...@googlegroups.com
This has helped indeed. I have removed the pfring file and rebuilt the
package. The resulting suricata binary can't find the pcap but if I
export LD_LIBRARY_PATH - it can.

Still it's a mystery to me why the same steps worked for Bro and did not
here.

Keith Butler

Mar 11, 2014, 11:00:28 AM
to securit...@googlegroups.com
You might need to add:
$ cat /etc/ld.so.conf.d/myricom.conf
/opt/myri-snf/lib

$ ldconfig

Then build and see if suricata binary can find the pcap lib

Michal Purzynski

Mar 11, 2014, 11:30:04 AM
to securit...@googlegroups.com
Thanks, worked like magic. It makes sense, actually, but sometimes /me
forgetting obvious things :)

As for the Myricom - the first experience with Bro was good, so good
we've decided to buy Myricom for all 11 sensors. I'll have more
performance data in about a week and will share them here, along with
(maybe) some Suricata info :)

Seth Hall

Mar 11, 2014, 12:30:47 PM
to securit...@googlegroups.com

On Mar 11, 2014, at 10:50 AM, Michal Purzynski <mic...@rsbac.org> wrote:

> Still it's a mystery to me why the same steps worked for Bro and did not here.

We set an RPATH when installing Bro so that Bro can find libraries outside of your system configured library directories if needed. It was specifically to improve the experience of using alternate libpcap's, so I guess it worked. :)

.Seth

--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro.org/


Victor Julien

Mar 11, 2014, 1:43:22 PM
to securit...@googlegroups.com
On 03/11/2014 05:30 PM, Seth Hall wrote:
>
> On Mar 11, 2014, at 10:50 AM, Michal Purzynski <mic...@rsbac.org>
> wrote:
>
>> Still it's a mystery to me why the same steps worked for Bro and
>> did not here.
>
> We set an RPATH when installing Bro so that Bro can find libraries
> outside of your system configured library directories if needed.
> It was specifically to improve the experience of using alternate
> libpcap's, so I guess it worked. :)

Great idea Seth, we'll consider it in suri as well:
https://redmine.openinfosecfoundation.org/issues/1132

--
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
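
An added example, not part of the original thread: a post-build check for the problem discussed above, parsing `ldd` and `readelf -d` output to confirm which libpcap a sensor binary resolves at run time and whether it carries an RPATH/RUNPATH. The function names and every sample line except the first `ldd` line are constructed here.

```shell
#!/bin/sh
# Added example: verify which libpcap a sensor binary resolves at run time.
# Real use (paths from the thread):
#   ldd "$(command -v suricata)" | check_pcap /opt/myri-snf/lib
#   readelf -d "$(command -v suricata)" | elf_runpath

# resolved_lib NAME: read ldd output on stdin, print the path NAME maps to,
# or "not found" when the loader could not resolve it.
resolved_lib() {
    awk -v lib="$1" '$1 ~ ("^" lib) && $2 == "=>" {
        print ($3 == "not" ? "not found" : $3); exit }'
}

# elf_runpath: read readelf -d output on stdin, print embedded search paths.
elf_runpath() {
    sed -n -e 's/.*(RPATH).*\[\(.*\)]/RPATH=\1/p' \
           -e 's/.*(RUNPATH).*\[\(.*\)]/RUNPATH=\1/p'
}

# check_pcap DIR: verdict on the ldd output on stdin; libpcap must be under DIR.
check_pcap() {
    lib_path=$(resolved_lib libpcap.so)
    case "$lib_path" in
        "$1"/*)      echo "OK $lib_path" ;;
        "not found") echo "UNRESOLVED libpcap" ;;
        "")          echo "NOT-LINKED libpcap" ;;
        *)           echo "MISMATCH $lib_path (expected under $1)" ;;
    esac
}

# Samples: LDD_BEFORE is the line quoted in the thread; the rest are constructed.
LDD_BEFORE='  libpcap.so.1 => /opt/pfring/lib/libpcap.so.1 (0x00007f3d5de3e000)'
LDD_NOCACHE='  libpcap.so.1 => not found'
LDD_AFTER='  libpcap.so.1 => /opt/myri-snf/lib/libpcap.so.1 (0x00007f0000000000)'
READELF_RPATH=' 0x000000000000000f (RPATH)  Library rpath: [/opt/myri-snf/lib]'

demo() {
    for s in "$LDD_BEFORE" "$LDD_NOCACHE" "$LDD_AFTER"; do
        printf '%s\n' "$s" | check_pcap /opt/myri-snf/lib
    done
    printf '%s\n' "$READELF_RPATH" | elf_runpath
}
demo
```

The three `ldd` samples correspond to the three states in the thread: pfring's entry in `/etc/ld.so.conf.d` winning, no entry at all, and the Myricom directory registered (or embedded as an RPATH, as Bro does).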
