I'm trying to build Suricata following the [Rapid7][1] tutorial. I did it before, but on the new machine I'm stuck at this problem...

My steps:

    # suricata static build
    apt-get install libpcre3-dbg libpcre3-dev autoconf automake libtool libpcap-dev libnet1-dev libyaml-dev libjansson4 libcap-ng-dev libmagic-dev libjansson-dev zlib1g-dev llvm
    # more dependencies:
    sudo apt install python3-pip libnspr4-dev libnss3-dev liblz4-dev rustc cargo
    pip3 install PyYAML

    # IPS dependencies:
    apt-get install libnetfilter-queue-dev libnetfilter-queue1 libnfnetlink-dev

    # install suricata:
    wget https://www.openinfosecfoundation.org/download/suricata-6.0.1.tar.gz
    tar -xzvf suricata-6.0.1.tar.gz
    cd suricata-6.0.1
    ./configure --enable-nfqueue --prefix=/usr --sysconfdir=/etc --localstatedir=/var
    make

Result:

       Compiling der-oid-macro v0.2.0
       Compiling x509-parser v0.6.5
       Compiling der-parser v4.1.0
    error: /home/juan/suricata-6.0.1/rust/target/release/deps/libder_oid_macro-6303e17a207c2efa.so: undefined symbol: llvm.x86.subborrow.64
       --> /home/juan/suricata-6.0.1/rust/vendor/der-parser/src/lib.rs:171:9
        |
    171 | pub use der_oid_macro::oid;
        |         ^^^^^^^^^^^^^

    error: aborting due to previous error

    error: could not compile `der-parser`.
    warning: build failed, waiting for other jobs to finish...
    error: build failed
    make[1]: *** [Makefile:544: all-local] Error 101
    make[1]: Leaving directory '/home/juan/suricata-6.0.1/rust'
    make: *** [Makefile:492: all-recursive] Error 1

Same problem when configuring with Rust enabled:

    ./configure --enable-nfqueue --prefix=/usr --sysconfdir=/etc --localstatedir=/var --enable-rust

Thanks for your attention

#########

Solved:

It seems to be a problem with the Rust environment variables or installation. Installing Rust using rustup:

    sudo apt remove --purge rustc
    curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh
    source $HOME/.cargo/env
    ./configure --enable-nfqueue --prefix=/usr --sysconfdir=/etc --localstatedir=/var --enable-rust
    make
    sudo make install
    sudo make install-full
    sudo ldconfig

Successful!

Note: Purging rustc and doing ldconfig after installation solves this error message:

    # /usr/bin/suricata -c /etc/suricata/suricata.yaml -i enp35s0
    /usr/bin/suricata: symbol lookup error: /usr/bin/suricata: undefined symbol: htp_config_set_lzma_layers

  [1]: https://blog.rapid7.com/2017/02/14/how-to-install-suricata-nids-on-ubuntu-linux/
Ecofintech
  • The Rust included with Debian 10 (I think) seems to be broken, but you moved onto a Rustup. Anyways, did you do an ldconfig after installation? – Jason Dec 16 '20 at 20:49
  • I will purge rust and reinstall everything again to check. Do you mean just the command #ldconfig after installing? I will try – Ecofintech Dec 16 '20 at 20:52
  • Nice! Solved. I needed to purge rustc. Then install again with rustup, compile suricata, install-full and finally sudo ldconfig. I will check what ldconfig does, I didn't know that command. Thanks for the support! – Ecofintech Dec 16 '20 at 21:08
  • Please do not edit solution announcements into the question. Especially if the end of your question seems like you do not in fact have a solution. If you have one create yourself an answer instead or accept one of the existing answers. And please remove the answering parts from your question. Explaining failed solution attempts and how exactly they failed is fine, even appreciated. Just do not confuse things with "solved". – Yunnosch Dec 16 '20 at 21:17
  • I agree with @Yunnosch, please create a separate answer for this, the rule is, a question must have an answer below it. – MaXi32 Jan 17 '21 at 09:50
  • What do you mean 'after' installation fixed the problem because that error occurred before installation. – MaXi32 Jan 17 '21 at 19:32

0 Answers