suricata: 4.1.5 -> 5.0.0

Additional Changes:
 - Disabled AFL build configuration
 - Enabled eBPF support
Tobias Mayer 2019-10-16 23:39:24 +02:00 committed by Lassulus
parent cbdff8bf01
commit d46de73253
3 changed files with 62 additions and 10 deletions


@ -0,0 +1,19 @@
*** suricata-5.0.0/ebpf/Makefile.in 2019-10-16 22:39:13.174649416 +0200
--- suricata-5.0.0/ebpf/Makefile.in.fixed 2019-10-16 22:38:41.822201802 +0200
***************
*** 527,533 ****
@BUILD_EBPF_TRUE@$(BPF_TARGETS): %.bpf: %.c
# From C-code to LLVM-IR format suffix .ll (clang -S -emit-llvm)
@BUILD_EBPF_TRUE@ ${CLANG} -Wall $(BPF_CFLAGS) -O2 \
! @BUILD_EBPF_TRUE@ -I/usr/include/$(build_cpu)-$(build_os)/ \
@BUILD_EBPF_TRUE@ -D__KERNEL__ -D__ASM_SYSREG_H \
@BUILD_EBPF_TRUE@ -target bpf -S -emit-llvm $< -o ${@:.bpf=.ll}
# From LLVM-IR to BPF-bytecode in ELF-obj file
--- 527,533 ----
@BUILD_EBPF_TRUE@$(BPF_TARGETS): %.bpf: %.c
# From C-code to LLVM-IR format suffix .ll (clang -S -emit-llvm)
@BUILD_EBPF_TRUE@ ${CLANG} -Wall $(BPF_CFLAGS) -O2 \
! @BUILD_EBPF_TRUE@ -idirafter ../bpf_stubs_workaround \
@BUILD_EBPF_TRUE@ -D__KERNEL__ -D__ASM_SYSREG_H \
@BUILD_EBPF_TRUE@ -target bpf -S -emit-llvm $< -o ${@:.bpf=.ll}
# From LLVM-IR to BPF-bytecode in ELF-obj file


@ -1,14 +1,18 @@
{ stdenv { stdenv
, lib , lib
, fetchurl , fetchurl
, clang
, llvm
, pkgconfig , pkgconfig
, makeWrapper , makeWrapper
, file , file
, geoip
, hyperscan , hyperscan
, jansson , jansson
, libbpf
, libcap_ng , libcap_ng
, libelf
, libevent , libevent
, libmaxminddb
, libnet , libnet
, libnetfilter_log , libnetfilter_log
, libnetfilter_queue , libnetfilter_queue
@ -30,24 +34,30 @@
in in
stdenv.mkDerivation rec { stdenv.mkDerivation rec {
pname = "suricata"; pname = "suricata";
version = "4.1.5"; version = "5.0.0";
src = fetchurl { src = fetchurl {
url = "https://www.openinfosecfoundation.org/download/${pname}-${version}.tar.gz"; url = "https://www.openinfosecfoundation.org/download/${pname}-${version}.tar.gz";
sha256 = "0jy738rs3ds1gbn8hv26ck23z9k6pjrjxdpavkyn7znpbi9zdrff"; sha256 = "0qwav4qpvx3i5khkyvdvx42n8b9mza8c4cpxvrf7m4lnf51cqgba";
}; };
nativeBuildInputs = [ nativeBuildInputs = [
clang
llvm
makeWrapper makeWrapper
pkgconfig pkgconfig
]; ]
++ lib.optionals rustSupport [ rustc cargo ]
;
buildInputs = [ buildInputs = [
geoip
jansson jansson
libbpf
libcap_ng libcap_ng
libelf
libevent libevent
libmagic libmagic
libmaxminddb
libnet libnet
libnetfilter_log libnetfilter_log
libnetfilter_queue libnetfilter_queue
@ -62,17 +72,29 @@ stdenv.mkDerivation rec {
python python
zlib zlib
] ]
++ lib.optional hyperscanSupport [ hyperscan ] ++ lib.optional hyperscanSupport hyperscan
++ lib.optional redisSupport [ redis hiredis ] ++ lib.optionals redisSupport [ redis hiredis ]
++ lib.optional rustSupport [ rustc cargo ]
; ;
enableParallelBuilding = true; enableParallelBuilding = true;
patches = lib.optional stdenv.is64bit ./bpf_stubs_workaround.patch;
postPatch = ''
substituteInPlace ./configure \
--replace "/usr/bin/file" "${file}/bin/file"
substituteInPlace ./libhtp/configure \
--replace "/usr/bin/file" "${file}/bin/file"
mkdir -p bpf_stubs_workaround/gnu
touch bpf_stubs_workaround/gnu/stubs-32.h
'';
configureFlags = [ configureFlags = [
"--disable-gccmarch-native" "--disable-gccmarch-native"
"--enable-afl"
"--enable-af-packet" "--enable-af-packet"
"--enable-ebpf"
"--enable-ebpf-build"
"--enable-gccprotect" "--enable-gccprotect"
"--enable-geoip" "--enable-geoip"
"--enable-luajit" "--enable-luajit"
@ -97,6 +119,13 @@ stdenv.mkDerivation rec {
"--enable-rust-experimental" "--enable-rust-experimental"
]; ];
postConfigure = ''
# Avoid unintended clousure growth.
sed -i 's|/nix/store/\(.\{8\}\)[^-]*-|/nix/store/\1...-|g' ./src/build-info.h
'';
hardeningDisable = [ "stackprotector" ];
installFlags = [ installFlags = [
"e_localstatedir=\${TMPDIR}" "e_localstatedir=\${TMPDIR}"
"e_logdir=\${TMPDIR}" "e_logdir=\${TMPDIR}"
@ -115,6 +144,8 @@ stdenv.mkDerivation rec {
postInstall = '' postInstall = ''
wrapProgram "$out/bin/suricatasc" \ wrapProgram "$out/bin/suricatasc" \
--prefix PYTHONPATH : $PYTHONPATH:$(toPythonPath "$out") --prefix PYTHONPATH : $PYTHONPATH:$(toPythonPath "$out")
substituteInPlace "$out/etc/suricata/suricata.yaml" \
--replace "/etc/suricata" "$out/etc/suricata"
''; '';
meta = with stdenv.lib; { meta = with stdenv.lib; {
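Review bot: `hardeningDisable = [ "stackprotector" ];` is added without a comment saying why, and it applies to the whole derivation, so the compiler wrapper stops adding stack-protector flags for the main suricata binary too, which parses untrusted network traffic. Presumably it is needed because the new `--enable-ebpf-build` step compiles with `clang -target bpf`, where those flags cannot be used. If so, record that next to the setting, e.g. `# clang -target bpf fails with the wrapper's stack-protector flags; needed for --enable-ebpf-build`. `--enable-gccprotect` is still in configureFlags and may re-enable stack protection for the C sources through Suricata's own configure, but that should be confirmed on the built binary rather than assumed. The derivation body continues outside this section.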


@ -6252,7 +6252,9 @@ in
sshguard = callPackage ../tools/security/sshguard {}; sshguard = callPackage ../tools/security/sshguard {};
suricata = callPackage ../applications/networking/ids/suricata { }; suricata = callPackage ../applications/networking/ids/suricata {
python = python3;
};
softhsm = callPackage ../tools/security/softhsm { softhsm = callPackage ../tools/security/softhsm {
inherit (darwin) libobjc; inherit (darwin) libobjc;