Notes on migrating a Suricata source build from CentOS to Debian
Installing dependencies
Install the dependencies with apt install:
apt install libpcap-dev
apt install libhiredis-dev
apt install zlib-dev
apt install zlib1g-dev
apt install libmysql-dev
apt install mysql-dev
apt install libmysqlclient-dev
apt install libmariadb-dev
apt install uuid-dev
apt install librdkafka-dev
configure
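Run autogen.sh. During this step the following appeared
This is in fact a "PKG_CHECK_MODULES undefined" error; refer to "PKG_CHECK_MODULES undefined" to resolve it.
Then run configure to complete the configuration. If it reports libraries that are not installed, install them with apt install.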
Compiling
After running make, the first error was:
./../rust/gen/rust-bindings.h:1136:27: error: field 'probe_ts' has incomplete type
1136 | struct Option_ProbeFn probe_ts;
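This looks like a problem in the bindings generated from the Rust code, but the same code had compiled without problems on CentOS. Comparing the two environments showed that cbindgen on CentOS is version 0.26.0, while cbindgen on Debian is version 0.27.0, so I downgraded the Debian version with these commands: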
cargo uninstall cbindgen
cargo install cbindgen@0.26.0
Continuing the build then produced the following errors:
···
/usr/include/pcap/bpf.h:97:9: error: unknown type name 'u_int'
97 | typedef u_int bpf_u_int32;
| ^~~~~
CC conf-yaml-loader.o
/usr/include/pcap/bpf.h:117:9: error: unknown type name 'u_int'
117 | u_int bf_len;
| ^~~~~
/usr/include/pcap/bpf.h:245:9: error: unknown type name 'u_short'
245 | u_short code;
| ^~~~~~~
/usr/include/pcap/bpf.h:246:9: error: unknown type name 'u_char'
246 | u_char jt;
| ^~~~~~
/usr/include/pcap/bpf.h:247:9: error: unknown type name 'u_char'
247 | u_char jf;
| ^~~~~~
/usr/include/pcap/bpf.h:271:10: error: unknown type name 'u_int'
271 | PCAP_API u_int bpf_filter(const struct bpf_insn *, const u_char *, u_int, u_int);
| ^~~~~
/usr/include/pcap/bpf.h:271:59: error: unknown type name 'u_char'
271 | PCAP_API u_int bpf_filter(const struct bpf_insn *, const u_char *, u_int, u_int);
| ^~~~~~
/usr/include/pcap/bpf.h:271:69: error: unknown type name 'u_int'; did you mean 'int'?
271 | PCAP_API u_int bpf_filter(const struct bpf_insn *, const u_char *, u_int, u_int);
| ^~~~~
| int
/usr/include/pcap/bpf.h:271:76: error: unknown type name 'u_int'; did you mean 'int'?
271 | PCAP_API u_int bpf_filter(const struct bpf_insn *, const u_char *, u_int, u_int);
| ^~~~~
| int
/usr/include/pcap/pcap.h:209:9: error: unknown type name 'u_short'
209 | u_short version_major;
| ^~~~~~~
/usr/include/pcap/pcap.h:210:9: error: unknown type name 'u_short'
210 | u_short version_minor;
| ^~~~~~~
/usr/include/pcap/pcap.h:255:9: error: unknown type name 'u_int'
255 | u_int ps_recv; /* number of packets received */
| ^~~~~
/usr/include/pcap/pcap.h:256:9: error: unknown type name 'u_int'
256 | u_int ps_drop; /* number of packets dropped */
| ^~~~~
/usr/include/pcap/pcap.h:257:9: error: unknown type name 'u_int'
257 | u_int ps_ifdrop; /* drops by interface -- only supported on some platforms */
| ^~~~~
/usr/include/pcap/pcap.h:330:30: error: unknown type name 'u_char'; did you mean 'char'?
330 | typedef void (*pcap_handler)(u_char *, const struct pcap_pkthdr *,
| ^~~~~~
| char
/usr/include/pcap/pcap.h:331:36: error: unknown type name 'u_char'
331 | const u_char *);
| ^~~~~~
/usr/include/pcap/pcap.h:521:65: error: unknown type name 'u_int'; did you mean 'int'?
521 | PCAP_API pcap_t *pcap_open_dead_with_tstamp_precision(int, int, u_int);
| ^~~~~
| int
/usr/include/pcap/pcap.h:524:72: error: unknown type name 'u_int'; did you mean 'int'?
524 | PCAP_API pcap_t *pcap_open_offline_with_tstamp_precision(const char *, u_int, char *);
| ^~~~~
| int
/usr/include/pcap/pcap.h:555:75: error: unknown type name 'u_int'; did you mean 'int'?
555 | PCAP_API pcap_t *pcap_fopen_offline_with_tstamp_precision(FILE *, u_int, char *);
| ^~~~~
| int
/usr/include/pcap/pcap.h:565:42: error: unknown type name 'pcap_handler'
565 | PCAP_API int pcap_loop(pcap_t *, int, pcap_handler, u_char *);
| ^~~~~~~~~~~~
/usr/include/pcap/pcap.h:565:56: error: unknown type name 'u_char'; did you mean 'char'?
565 | PCAP_API int pcap_loop(pcap_t *, int, pcap_handler, u_char *);
| ^~~~~~
| char
/usr/include/pcap/pcap.h:568:46: error: unknown type name 'pcap_handler'
568 | PCAP_API int pcap_dispatch(pcap_t *, int, pcap_handler, u_char *);
| ^~~~~~~~~~~~
/usr/include/pcap/pcap.h:568:60: error: unknown type name 'u_char'; did you mean 'char'?
568 | PCAP_API int pcap_dispatch(pcap_t *, int, pcap_handler, u_char *);
| ^~~~~~
| char
/usr/include/pcap/pcap.h:571:16: error: unknown type name 'u_char'
571 | PCAP_API const u_char *pcap_next(pcap_t *, struct pcap_pkthdr *);
| ^~~~~~
/usr/include/pcap/pcap.h:574:69: error: unknown type name 'u_char'
574 | PCAP_API int pcap_next_ex(pcap_t *, struct pcap_pkthdr **, const u_char **);
| ^~~~~~
/usr/include/pcap/pcap.h:598:49: error: unknown type name 'u_char'
598 | PCAP_API int pcap_sendpacket(pcap_t *, const u_char *, int);
| ^~~~~~
/usr/include/pcap/pcap.h:627:47: error: unknown type name 'u_char'
627 | const struct pcap_pkthdr *, const u_char *);
| ^~~~~~
/usr/include/pcap/pcap.h:743:27: error: unknown type name 'u_char'; did you mean 'char'?
743 | PCAP_API void pcap_dump(u_char *, const struct pcap_pkthdr *, const u_char *);
| ^~~~~~
| char
/usr/include/pcap/pcap.h:743:71: error: unknown type name 'u_char'
743 | PCAP_API void pcap_dump(u_char *, const struct pcap_pkthdr *, const u_char *);
| ^~~~~~
conf-engine-yaml-loader.c: In function 'get_localIPAndMask':
conf-engine-yaml-loader.c:21:18: error: array type has incomplete element type 'struct ifreq'
···
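Testing showed that all of these errors come from the build using the -std=c11 compiler option by default; changing that option to -std=gnu99 or -std=gnu11 resolves the problem. Here I took a rather brute-force approach and replaced every occurrence of -std=c11 in configure with -std=gnu11 (my feeling is that there should be a configuration option for this). After the change, re-running configure and make compiles normally.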
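The cause can be checked directly with a small probe (an added example, not part of the original notes). Under strict -std=c11, glibc does not define _DEFAULT_SOURCE, so sys/types.h and net/if.h hide u_int, u_char, u_short and struct ifreq. Assumptions: a glibc-based system, a C compiler reachable as cc or $CC, and a probe source constructed here to use the same names as the errors above.

```shell
#!/bin/sh
# Added example: test which compiler settings expose the BSD type names
# that pcap.h and net/if.h depend on. The probe source is constructed.

# Write a probe that uses the names the failing build tripped over.
write_probe() {
    cat > "$1" <<'EOF'
#include <sys/types.h>
#include <sys/socket.h>
#include <net/if.h>

typedef u_int bpf_u_int32;      /* same typedef as pcap/bpf.h line 97 */
static struct ifreq ifs[4];     /* array of struct ifreq, as in the last error */

int main(void) {
    u_char c = 0; u_short s = 0; bpf_u_int32 n = 0;
    return (int)(c + s + n) + (int)(sizeof ifs == 0);
}
EOF
}

# try_std FLAGS...: print "ok" if the probe compiles with FLAGS, else "fail".
try_std() {
    dir=$(mktemp -d) || return 1
    write_probe "$dir/probe.c"
    if ${CC:-cc} "$@" -fsyntax-only "$dir/probe.c" >/dev/null 2>&1; then
        result=ok
    else
        result=fail
    fi
    rm -rf "$dir"
    echo "$result"
}

# Strict ISO C11: the BSD names and struct ifreq are hidden by glibc.
echo "-std=c11                   : $(try_std -std=c11)"
# GNU dialect: _DEFAULT_SOURCE is implied, so the names are visible.
echo "-std=gnu11                 : $(try_std -std=gnu11)"
# Strict C11 plus the feature-test macro exposes them without changing dialect.
echo "-std=c11 -D_DEFAULT_SOURCE : $(try_std -std=c11 -D_DEFAULT_SOURCE)"
```

The third case shows that the dialect itself is not the issue: defining _DEFAULT_SOURCE before the first system header has the same effect as switching to -std=gnu11.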
Installation and verification
Run make install
The default install path is /usr/local/suricata/bin/
cd /usr/local/suricata/bin/
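Use ldd suricata to check whether any dependencies are missing,
then use ./suricata -v to confirm that this version runs normally.
Summary
After switching operating systems there will always be some unexpected problems. Fortunately there was a known-good version to compare against; for example, the cbindgen problem was solved by rolling back the version. In addition, the differences between gcc -std=c11 and -std=gnu11 need further study.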