author | Alyssa Ross <hi@alyssa.is> | 2020-01-11 23:37:02 +0000 |
---|---|---|
committer | Alyssa Ross <hi@alyssa.is> | 2020-01-11 23:41:30 +0000 |
commit | 6c557e3f1c28cf87e9fba232811d6875dd1399c1 (patch) | |
tree | 035a071d5d8980df6de0fa42e2ef8fc0cce7055e /nixpkgs/pkgs/applications/networking/ids | |
parent | da7500bc026e937ac7fce7b50f67a0e1765737a7 (diff) | |
parent | e4134747f5666bcab8680aff67fa3b63384f9a0f (diff) | |
Merge commit 'e4134747f5666bcab8680aff67fa3b63384f9a0f'
Diffstat (limited to 'nixpkgs/pkgs/applications/networking/ids')
4 files changed, 97 insertions, 38 deletions
diff --git a/nixpkgs/pkgs/applications/networking/ids/bro/default.nix b/nixpkgs/pkgs/applications/networking/ids/bro/default.nix
deleted file mode 100644
index f90457ba9379..000000000000
--- a/nixpkgs/pkgs/applications/networking/ids/bro/default.nix
+++ /dev/null
@@ -1,24 +0,0 @@
-{stdenv, fetchurl, cmake, flex, bison, openssl, libpcap, perl, zlib, file, curl
-, geoip, gperftools, python, swig }:
-
-stdenv.mkDerivation rec {
- name = "bro-2.5.5";
-
- src = fetchurl {
- url = "https://www.bro.org/downloads/${name}.tar.gz";
- sha256 = "1kvkiq8jjsqryry9jd4vw45pbfb46jly988mq62mv4sd1fqsxwhq";
- };
-
- nativeBuildInputs = [ cmake flex bison file ];
- buildInputs = [ openssl libpcap perl zlib curl geoip gperftools python swig ];
-
- enableParallelBuilding = true;
-
- meta = with stdenv.lib; {
- description = "Powerful network analysis framework much different from a typical IDS";
- homepage = https://www.bro.org/;
- license = licenses.bsd3;
- maintainers = with maintainers; [ pSub ];
- platforms = with platforms; linux;
- };
-}
diff --git a/nixpkgs/pkgs/applications/networking/ids/suricata/bpf_stubs_workaround.patch b/nixpkgs/pkgs/applications/networking/ids/suricata/bpf_stubs_workaround.patch
new file mode 100644
index 000000000000..d4e8c95fea22
--- /dev/null
+++ b/nixpkgs/pkgs/applications/networking/ids/suricata/bpf_stubs_workaround.patch
@@ -0,0 +1,19 @@
+*** suricata-5.0.0/ebpf/Makefile.in 2019-10-16 22:39:13.174649416 +0200
+--- suricata-5.0.0/ebpf/Makefile.in.fixed 2019-10-16 22:38:41.822201802 +0200
+***************
+*** 527,533 ****
+ @BUILD_EBPF_TRUE@$(BPF_TARGETS): %.bpf: %.c
+ # From C-code to LLVM-IR format suffix .ll (clang -S -emit-llvm)
+ @BUILD_EBPF_TRUE@ ${CLANG} -Wall $(BPF_CFLAGS) -O2 \
+! @BUILD_EBPF_TRUE@ -I/usr/include/$(build_cpu)-$(build_os)/ \
+ @BUILD_EBPF_TRUE@ -D__KERNEL__ -D__ASM_SYSREG_H \
+ @BUILD_EBPF_TRUE@ -target bpf -S -emit-llvm $< -o ${@:.bpf=.ll}
+ # From LLVM-IR to BPF-bytecode in ELF-obj file
+--- 527,533 ----
+ @BUILD_EBPF_TRUE@$(BPF_TARGETS): %.bpf: %.c
+ # From C-code to LLVM-IR format suffix .ll (clang -S -emit-llvm)
+ @BUILD_EBPF_TRUE@ ${CLANG} -Wall $(BPF_CFLAGS) -O2 \
+! @BUILD_EBPF_TRUE@ -idirafter ../bpf_stubs_workaround \
+ @BUILD_EBPF_TRUE@ -D__KERNEL__ -D__ASM_SYSREG_H \
+ @BUILD_EBPF_TRUE@ -target bpf -S -emit-llvm $< -o ${@:.bpf=.ll}
+ # From LLVM-IR to BPF-bytecode in ELF-obj file
diff --git a/nixpkgs/pkgs/applications/networking/ids/suricata/default.nix b/nixpkgs/pkgs/applications/networking/ids/suricata/default.nix
index 3cd5fe4b8ea5..d0829fd73a99 100644
--- a/nixpkgs/pkgs/applications/networking/ids/suricata/default.nix
+++ b/nixpkgs/pkgs/applications/networking/ids/suricata/default.nix
@@ -1,14 +1,18 @@
 { stdenv
 , lib
 , fetchurl
+, clang
+, llvm
 , pkgconfig
 , makeWrapper
 , file
-, geoip
 , hyperscan
 , jansson
+, libbpf
 , libcap_ng
+, libelf
 , libevent
+, libmaxminddb
 , libnet
 , libnetfilter_log
 , libnetfilter_queue
@@ -16,6 +20,7 @@
 , libpcap
 , libyaml
 , luajit
+, lz4
 , nspr
 , nss
 , pcre
@@ -29,24 +34,30 @@ in stdenv.mkDerivation rec { pname = "suricata"; - version = "4.1.4"; + version = "5.0.1"; src = fetchurl { url = "https://www.openinfosecfoundation.org/download/${pname}-${version}.tar.gz"; - sha256 = "02901wjf90171rhkymcgp0h48hkn3wv8iwrhz4d8ppraz68hv99d"; + sha256 = "034b0nl0hkh0v26gwbawi2wdv7mb9p54cfg8gc9b8hsw49k3c1wh"; }; nativeBuildInputs = [ + clang + llvm makeWrapper pkgconfig - ]; + ] + ++ lib.optionals rustSupport [ rustc cargo ] + ; buildInputs = [ - geoip jansson + libbpf libcap_ng + libelf libevent libmagic + libmaxminddb libnet libnetfilter_log libnetfilter_queue @@ -54,23 +65,36 @@ stdenv.mkDerivation rec { libpcap libyaml luajit + lz4 nspr nss pcre python zlib ] - ++ lib.optional hyperscanSupport [ hyperscan ] - ++ lib.optional redisSupport [ redis hiredis ] - ++ lib.optional rustSupport [ rustc cargo ] + ++ lib.optional hyperscanSupport hyperscan + ++ lib.optionals redisSupport [ redis hiredis ] ; enableParallelBuilding = true; + patches = lib.optional stdenv.is64bit ./bpf_stubs_workaround.patch; + + postPatch = '' + substituteInPlace ./configure \ + --replace "/usr/bin/file" "${file}/bin/file" + substituteInPlace ./libhtp/configure \ + --replace "/usr/bin/file" "${file}/bin/file" + + mkdir -p bpf_stubs_workaround/gnu + touch bpf_stubs_workaround/gnu/stubs-32.h + ''; + configureFlags = [ "--disable-gccmarch-native" - "--enable-afl" "--enable-af-packet" + "--enable-ebpf" + "--enable-ebpf-build" "--enable-gccprotect" "--enable-geoip" "--enable-luajit" 
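Review bot: In the `@@ -54,23 +65,36 @@` hunk, `patches` applies `bpf_stubs_workaround.patch` only when `stdenv.is64bit`, while `postPatch` creates `bpf_stubs_workaround/gnu/stubs-32.h` and `configureFlags` adds `--enable-ebpf` and `--enable-ebpf-build` unconditionally. On a non-64-bit build the eBPF rule would, as far as the patch itself shows, keep its original `-I/usr/include/$(build_cpu)-$(build_os)/` include path, which refers to a location outside the build sandbox. Either apply the patch on every platform or gate the two eBPF flags and the stub creation on the same condition as `patches`. A short comment above the `mkdir`/`touch` lines saying why an empty `gnu/stubs-32.h` is needed would also help, since neither the patch file nor this hunk states it. The derivation body starts and ends outside this hunk.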
@@ -85,16 +109,23 @@ stdenv.mkDerivation rec { "--with-libnet-includes=${libnet}/include" "--with-libnet-libraries=${libnet}/lib" ] - ++ lib.optional hyperscanSupport [ - "--with-libhs-includes=${hyperscan}/include" + ++ lib.optionals hyperscanSupport [ + "--with-libhs-includes=${hyperscan.dev}/include/hs" "--with-libhs-libraries=${hyperscan}/lib" ] - ++ lib.optional redisSupport [ "--enable-hiredis" ] - ++ lib.optional rustSupport [ + ++ lib.optional redisSupport "--enable-hiredis" + ++ lib.optionals rustSupport [ "--enable-rust" "--enable-rust-experimental" ]; + postConfigure = '' + # Avoid unintended clousure growth. + sed -i 's|/nix/store/\(.\{8\}\)[^-]*-|/nix/store/\1...-|g' ./src/build-info.h + ''; + + hardeningDisable = [ "stackprotector" ]; + installFlags = [ "e_localstatedir=\${TMPDIR}" "e_logdir=\${TMPDIR}" @@ -108,11 +139,13 @@ stdenv.mkDerivation rec { "sysconfdir=\${out}/etc" ]; - installTargets = "install install-conf"; + installTargets = [ "install" "install-conf" ]; postInstall = '' wrapProgram "$out/bin/suricatasc" \ --prefix PYTHONPATH : $PYTHONPATH:$(toPythonPath "$out") + substituteInPlace "$out/etc/suricata/suricata.yaml" \ + --replace "/etc/suricata" "$out/etc/suricata" ''; meta = with stdenv.lib; { diff --git a/nixpkgs/pkgs/applications/networking/ids/zeek/default.nix b/nixpkgs/pkgs/applications/networking/ids/zeek/default.nix new file mode 100644 index 000000000000..947abc39c21a --- /dev/null +++ b/nixpkgs/pkgs/applications/networking/ids/zeek/default.nix 
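Review bot: `hardeningDisable = [ "stackprotector" ];` in the `@@ -85,16 +109,23 @@` hunk switches off the stack protector for the whole package without giving a reason, and suricata parses untrusted network traffic. If it is only needed because the eBPF objects enabled in this commit are compiled with `clang -target bpf` (an inference, the commit does not say so), record that next to the attribute, e.g. `# the stackprotector hardening flag breaks the clang -target bpf build of ebpf/*.c`. `--enable-gccprotect` is still listed in `configureFlags` in the previous hunk, so it is worth confirming on the built `suricata` binary which of the two settings takes effect. The comment in `postConfigure` also misspells `closure` as `clousure`.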
@@ -0,0 +1,31 @@
+{stdenv, fetchurl, cmake, flex, bison, openssl, libpcap, zlib, file, curl
+, libmaxminddb, gperftools, python, swig, rocksdb }:
+
+stdenv.mkDerivation rec {
+ pname = "zeek";
+ version = "3.0.1";
+
+ src = fetchurl {
+ url = "https://www.zeek.org/downloads/zeek-${version}.tar.gz";
+ sha256 = "1lhik212wrbi092qizc08f3i0b9pj318sxwm0abc5jc3v3pz7x3r";
+ };
+
+ nativeBuildInputs = [ cmake flex bison file ];
+ buildInputs = [ openssl libpcap zlib curl libmaxminddb gperftools python swig rocksdb ];
+
+ enableParallelBuilding = true;
+
+ cmakeFlags = [
+ "-DPY_MOD_INSTALL_DIR=${placeholder "out"}/${python.sitePackages}"
+ "-DENABLE_PERFTOOLS=true"
+ "-DINSTALL_AUX_TOOLS=true"
+ ];
+
+ meta = with stdenv.lib; {
+ description = "Powerful network analysis framework much different from a typical IDS";
+ homepage = "https://www.zeek.org";
+ license = licenses.bsd3;
+ maintainers = with maintainers; [ pSub marsam tobim ];
+ platforms = platforms.unix;
+ };
+}
|