1 files changed, 47 insertions, 14 deletions
diff --git a/nixpkgs/pkgs/applications/networking/ids/suricata/default.nix b/nixpkgs/pkgs/applications/networking/ids/suricata/default.nix
index 3cd5fe4b8ea5..d0829fd73a99 100644
--- a/nixpkgs/pkgs/applications/networking/ids/suricata/default.nix
+++ b/nixpkgs/pkgs/applications/networking/ids/suricata/default.nix
@@ -1,14 +1,18 @@
 { stdenv
 , lib
 , fetchurl
+, clang
+, llvm
 , pkgconfig
 , makeWrapper
 , file
-, geoip
 , hyperscan
 , jansson
+, libbpf
 , libcap_ng
+, libelf
 , libevent
+, libmaxminddb
 , libnet
 , libnetfilter_log
 , libnetfilter_queue
@@ -16,6 +20,7 @@
 , libpcap
 , libyaml
 , luajit
+, lz4
 , nspr
 , nss
 , pcre
@@ -29,24 +34,30 @@
 in
 stdenv.mkDerivation rec {
   pname = "suricata";
-  version = "4.1.4";
+  version = "5.0.1";
 
   src = fetchurl {
     url = "https://www.openinfosecfoundation.org/download/${pname}-${version}.tar.gz";
-    sha256 = "02901wjf90171rhkymcgp0h48hkn3wv8iwrhz4d8ppraz68hv99d";
+    sha256 = "034b0nl0hkh0v26gwbawi2wdv7mb9p54cfg8gc9b8hsw49k3c1wh";
   };
 
   nativeBuildInputs = [
+    clang
+    llvm
     makeWrapper
     pkgconfig
-  ];
+  ]
+  ++ lib.optionals rustSupport [ rustc cargo ]
+  ;
 
   buildInputs = [
-    geoip
     jansson
+    libbpf
     libcap_ng
+    libelf
     libevent
     libmagic
+    libmaxminddb
     libnet
     libnetfilter_log
     libnetfilter_queue
@@ -54,23 +65,36 @@ stdenv.mkDerivation rec {
     libpcap
     libyaml
     luajit
+    lz4
     nspr
     nss
     pcre
     python
     zlib
   ]
-  ++ lib.optional hyperscanSupport [ hyperscan ]
-  ++ lib.optional redisSupport [ redis hiredis ]
-  ++ lib.optional rustSupport [ rustc cargo ]
+  ++ lib.optional hyperscanSupport hyperscan
+  ++ lib.optionals redisSupport [ redis hiredis ]
   ;
 
   enableParallelBuilding = true;
 
+  patches = lib.optional stdenv.is64bit ./bpf_stubs_workaround.patch;
+
+  postPatch = ''
+    substituteInPlace ./configure \
+      --replace "/usr/bin/file" "${file}/bin/file"
+    substituteInPlace ./libhtp/configure \
+      --replace "/usr/bin/file" "${file}/bin/file"
+
+    mkdir -p bpf_stubs_workaround/gnu
+    touch bpf_stubs_workaround/gnu/stubs-32.h
+  '';
+
   configureFlags = [
     "--disable-gccmarch-native"
-    "--enable-afl"
     "--enable-af-packet"
+    "--enable-ebpf"
+    "--enable-ebpf-build"
     "--enable-gccprotect"
     "--enable-geoip"
     "--enable-luajit"
@@ -85,16 +109,23 @@ stdenv.mkDerivation rec {
     "--with-libnet-includes=${libnet}/include"
     "--with-libnet-libraries=${libnet}/lib"
   ]
-  ++ lib.optional hyperscanSupport [
-    "--with-libhs-includes=${hyperscan}/include"
+  ++ lib.optionals hyperscanSupport [
+    "--with-libhs-includes=${hyperscan.dev}/include/hs"
     "--with-libhs-libraries=${hyperscan}/lib"
   ]
-  ++ lib.optional redisSupport [ "--enable-hiredis" ]
-  ++ lib.optional rustSupport [
+  ++ lib.optional redisSupport "--enable-hiredis"
+  ++ lib.optionals rustSupport [
     "--enable-rust"
     "--enable-rust-experimental"
   ];
 
+  postConfigure = ''
+    # Avoid unintended clousure growth.
+    sed -i 's|/nix/store/\(.\{8\}\)[^-]*-|/nix/store/\1...-|g' ./src/build-info.h
+  '';
+
+  hardeningDisable = [ "stackprotector" ];
+
   installFlags = [
     "e_localstatedir=\${TMPDIR}"
     "e_logdir=\${TMPDIR}"
@@ -108,11 +139,13 @@ stdenv.mkDerivation rec {
     "sysconfdir=\${out}/etc"
   ];
 
-  installTargets = "install install-conf";
+  installTargets = [ "install" "install-conf" ];
 
   postInstall = ''
     wrapProgram "$out/bin/suricatasc" \
       --prefix PYTHONPATH : $PYTHONPATH:$(toPythonPath "$out")
+    substituteInPlace "$out/etc/suricata/suricata.yaml" \
+      --replace "/etc/suricata" "$out/etc/suricata"
   '';
 
   meta = with stdenv.lib; {