Diffstat (limited to 'nixpkgs/pkgs/applications/networking/ids/suricata/default.nix')
-rw-r--r-- | nixpkgs/pkgs/applications/networking/ids/suricata/default.nix | 61 |
1 files changed, 47 insertions, 14 deletions
diff --git a/nixpkgs/pkgs/applications/networking/ids/suricata/default.nix b/nixpkgs/pkgs/applications/networking/ids/suricata/default.nix index 3cd5fe4b8ea5..d0829fd73a99 100644 --- a/nixpkgs/pkgs/applications/networking/ids/suricata/default.nix +++ b/nixpkgs/pkgs/applications/networking/ids/suricata/default.nix @@ -1,14 +1,18 @@ { stdenv , lib , fetchurl +, clang +, llvm , pkgconfig , makeWrapper , file -, geoip , hyperscan , jansson +, libbpf , libcap_ng +, libelf , libevent +, libmaxminddb , libnet , libnetfilter_log , libnetfilter_queue @@ -16,6 +20,7 @@ , libpcap , libyaml , luajit +, lz4 , nspr , nss , pcre @@ -29,24 +34,30 @@ in stdenv.mkDerivation rec { pname = "suricata"; - version = "4.1.4"; + version = "5.0.1"; src = fetchurl { url = "https://www.openinfosecfoundation.org/download/${pname}-${version}.tar.gz"; - sha256 = "02901wjf90171rhkymcgp0h48hkn3wv8iwrhz4d8ppraz68hv99d"; + sha256 = "034b0nl0hkh0v26gwbawi2wdv7mb9p54cfg8gc9b8hsw49k3c1wh"; }; nativeBuildInputs = [ + clang + llvm makeWrapper pkgconfig - ]; + ] + ++ lib.optionals rustSupport [ rustc cargo ] + ; buildInputs = [ - geoip jansson + libbpf libcap_ng + libelf libevent libmagic + libmaxminddb libnet libnetfilter_log libnetfilter_queue 
@@ -54,23 +65,36 @@ stdenv.mkDerivation rec { libpcap libyaml luajit + lz4 nspr nss pcre python zlib ] - ++ lib.optional hyperscanSupport [ hyperscan ] - ++ lib.optional redisSupport [ redis hiredis ] - ++ lib.optional rustSupport [ rustc cargo ] + ++ lib.optional hyperscanSupport hyperscan + ++ lib.optionals redisSupport [ redis hiredis ] ; enableParallelBuilding = true; + patches = lib.optional stdenv.is64bit ./bpf_stubs_workaround.patch; + + postPatch = '' + substituteInPlace ./configure \ + --replace "/usr/bin/file" "${file}/bin/file" + substituteInPlace ./libhtp/configure \ + --replace "/usr/bin/file" "${file}/bin/file" + + mkdir -p bpf_stubs_workaround/gnu + touch bpf_stubs_workaround/gnu/stubs-32.h + ''; + configureFlags = [ "--disable-gccmarch-native" - "--enable-afl" "--enable-af-packet" + "--enable-ebpf" + "--enable-ebpf-build" "--enable-gccprotect" "--enable-geoip" "--enable-luajit" @@ -85,16 +109,23 @@ stdenv.mkDerivation rec { "--with-libnet-includes=${libnet}/include" "--with-libnet-libraries=${libnet}/lib" ] - ++ lib.optional hyperscanSupport [ - "--with-libhs-includes=${hyperscan}/include" + ++ lib.optionals hyperscanSupport [ + "--with-libhs-includes=${hyperscan.dev}/include/hs" "--with-libhs-libraries=${hyperscan}/lib" ] - ++ lib.optional redisSupport [ "--enable-hiredis" ] - ++ lib.optional rustSupport [ + ++ lib.optional redisSupport "--enable-hiredis" + ++ lib.optionals rustSupport [ "--enable-rust" "--enable-rust-experimental" ]; + postConfigure = '' + # Avoid unintended clousure growth. + sed -i 's|/nix/store/\(.\{8\}\)[^-]*-|/nix/store/\1...-|g' ./src/build-info.h + ''; + + hardeningDisable = [ "stackprotector" ]; + installFlags = [ "e_localstatedir=\${TMPDIR}" "e_logdir=\${TMPDIR}" 
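Review bot: The `postPatch` lines that create an empty `bpf_stubs_workaround/gnu/stubs-32.h` have no comment, and they run on every platform although `patches` applies `./bpf_stubs_workaround.patch` only when `stdenv.is64bit`. An empty stub header hides a missing-header error, so the reason it is safe should be written down, for example `# clang -target bpf includes gnu/stubs-32.h, which 64-bit glibc does not ship; an empty stub suffices for the eBPF objects`. That wording is inferred, since the patch itself is not visible here, so confirm it against the patch. The `mkdir`/`touch` pair would also be clearer wrapped in the same `stdenv.is64bit` condition as the patch. The derivation body starts and ends outside this hunk.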
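Review bot: `hardeningDisable = [ "stackprotector" ];` switches off a memory-safety mitigation for the whole derivation without a stated reason, in a package whose job is to parse untrusted network traffic. If the cause is the eBPF build enabled by this commit (clang's BPF target rejecting the stack-protector flags, which is inferred and not shown here), record it next to the setting, e.g. `# stackprotector flags break the clang -target bpf objects built by --enable-ebpf-build`. It is also worth checking the installed `suricata` binary to confirm that `--enable-gccprotect`, still in `configureFlags`, keeps stack canaries in the userspace code. Separately, the new comment in `postConfigure` misspells `closure` as `clousure`.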
@@ -108,11 +139,13 @@ stdenv.mkDerivation rec { "sysconfdir=\${out}/etc" ]; - installTargets = "install install-conf"; + installTargets = [ "install" "install-conf" ]; postInstall = '' wrapProgram "$out/bin/suricatasc" \ --prefix PYTHONPATH : $PYTHONPATH:$(toPythonPath "$out") + substituteInPlace "$out/etc/suricata/suricata.yaml" \ + --replace "/etc/suricata" "$out/etc/suricata" ''; meta = with stdenv.lib; { |
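Review bot: The added `substituteInPlace "$out/etc/suricata/suricata.yaml" --replace "/etc/suricata" "$out/etc/suricata"` is a plain substring replacement on every occurrence, so the shipped config then points all of those paths into the read-only store. Which settings in the YAML are affected is not visible here. If they include files an operator is expected to tune, edits made under `/etc/suricata` would be ignored whenever this packaged config is used. A comment would make the intent explicit, e.g. `# sample config only: paths point at the packaged files in the store; deployments should pass their own config with -c`. The `meta` block that follows continues outside the hunk.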