suricata源码编译从Centos迁移到Debian过程记录

suricata源码编译从Centos迁移到Debian过程记录

• 安装依赖
• configure
• 编译
• 安装及验证
• 总结

安装依赖

通过apt install安装依赖

 apt install libpcap-dev
 apt install libhiredis-dev
 apt install zlib-dev
 apt install zlib1g-dev
 apt install libmysql-dev
 apt install mysql-dev
 apt install libmysqlclient-dev
 apt install libmariadb-dev
 apt install uuid-dev
 apt install librdkafka-dev

configure

执行autogen.sh,期间出现了

事实上为PKG_CHECK_MODULES未定义的错误，参照PKG_CHECK_MODULES未定义解决该问题。

而后通过configure，完成配置，发现有库未安装，使用apt install安装即可

编译

执行make后，首次出现的错误如下：

./../rust/gen/rust-bindings.h:1136:27: error: field 'probe_ts' has incomplete type
 1136 |     struct Option_ProbeFn probe_ts;

看上去是rust编译转化出了问题，但是这个代码之前在centos下编译时没有问题的，所以通过对照两边环境的差异发现，centos的cbindgen版本号为0.26.0，Debian的cbindgen版本号位0.27.0；遂通过命令对Debian的版本进行降级处理：

cargo uninstall cbindgen
cargo install cbindgen@0.26.0

继续编译后出现如下错误：

···

/usr/include/pcap/bpf.h:97:9: error: unknown type name 'u_int'

97 | typedef u_int bpf_u_int32;

| ^~~~~

CC conf-yaml-loader.o

/usr/include/pcap/bpf.h:117:9: error: unknown type name 'u_int'

117 | u_int bf_len;

| ^~~~~

/usr/include/pcap/bpf.h:245:9: error: unknown type name 'u_short'

245 | u_short code;

| ^~~~~~~

/usr/include/pcap/bpf.h:246:9: error: unknown type name 'u_char'

246 | u_char jt;

| ^~~~~~

/usr/include/pcap/bpf.h:247:9: error: unknown type name 'u_char'

247 | u_char jf;

| ^~~~~~

/usr/include/pcap/bpf.h:271:10: error: unknown type name 'u_int'

271 | PCAP_API u_int bpf_filter(const struct bpf_insn *, const u_char *, u_int, u_int);

| ^~~~~

/usr/include/pcap/bpf.h:271:59: error: unknown type name 'u_char'

271 | PCAP_API u_int bpf_filter(const struct bpf_insn *, const u_char *, u_int, u_int);

| ^~~~~~

/usr/include/pcap/bpf.h:271:69: error: unknown type name 'u_int'; did you mean 'int'?

271 | PCAP_API u_int bpf_filter(const struct bpf_insn *, const u_char *, u_int, u_int);

| ^~~~~

| int

/usr/include/pcap/bpf.h:271:76: error: unknown type name 'u_int'; did you mean 'int'?

271 | PCAP_API u_int bpf_filter(const struct bpf_insn *, const u_char , u_int, u_int);
| ^~~~~
| int
/usr/include/pcap/pcap.h:209:9: error: unknown type name 'u_short'
209 | u_short version_major;
| ^~~~~~~
/usr/include/pcap/pcap.h:210:9: error: unknown type name 'u_short'
210 | u_short version_minor;
| ^~~~~~~
/usr/include/pcap/pcap.h:255:9: error: unknown type name 'u_int'
255 | u_int ps_recv; / number of packets received /
| ^~~~~
/usr/include/pcap/pcap.h:256:9: error: unknown type name 'u_int'
256 | u_int ps_drop; / number of packets dropped /
| ^~~~~
/usr/include/pcap/pcap.h:257:9: error: unknown type name 'u_int'
257 | u_int ps_ifdrop; / drops by interface -- only supported on some platforms */

| ^~~~~

/usr/include/pcap/pcap.h:330:30: error: unknown type name 'u_char'; did you mean 'char'?

330 | typedef void (*pcap_handler)(u_char *, const struct pcap_pkthdr *,

| ^~~~~~

| char

/usr/include/pcap/pcap.h:331:36: error: unknown type name 'u_char'

331 | const u_char *);

| ^~~~~~

/usr/include/pcap/pcap.h:521:65: error: unknown type name 'u_int'; did you mean 'int'?

521 | PCAP_API pcap_t *pcap_open_dead_with_tstamp_precision(int, int, u_int);

| ^~~~~

| int

/usr/include/pcap/pcap.h:524:72: error: unknown type name 'u_int'; did you mean 'int'?

524 | PCAP_API pcap_t *pcap_open_offline_with_tstamp_precision(const char *, u_int, char *);

| ^~~~~

| int

/usr/include/pcap/pcap.h:555:75: error: unknown type name 'u_int'; did you mean 'int'?

555 | PCAP_API pcap_t *pcap_fopen_offline_with_tstamp_precision(FILE *, u_int, char *);

| ^~~~~

| int

/usr/include/pcap/pcap.h:565:42: error: unknown type name 'pcap_handler'

565 | PCAP_API int pcap_loop(pcap_t *, int, pcap_handler, u_char *);

| ^~~~~~~~~~~~

/usr/include/pcap/pcap.h:565:56: error: unknown type name 'u_char'; did you mean 'char'?

565 | PCAP_API int pcap_loop(pcap_t *, int, pcap_handler, u_char *);

| ^~~~~~

| char

/usr/include/pcap/pcap.h:568:46: error: unknown type name 'pcap_handler'

568 | PCAP_API int pcap_dispatch(pcap_t *, int, pcap_handler, u_char *);

| ^~~~~~~~~~~~

/usr/include/pcap/pcap.h:568:60: error: unknown type name 'u_char'; did you mean 'char'?

568 | PCAP_API int pcap_dispatch(pcap_t *, int, pcap_handler, u_char *);

| ^~~~~~

| char

/usr/include/pcap/pcap.h:571:16: error: unknown type name 'u_char'

571 | PCAP_API const u_char *pcap_next(pcap_t *, struct pcap_pkthdr *);

| ^~~~~~

/usr/include/pcap/pcap.h:574:69: error: unknown type name 'u_char'

574 | PCAP_API int pcap_next_ex(pcap_t *, struct pcap_pkthdr **, const u_char **);

| ^~~~~~

/usr/include/pcap/pcap.h:598:49: error: unknown type name 'u_char'

598 | PCAP_API int pcap_sendpacket(pcap_t *, const u_char *, int);

| ^~~~~~

/usr/include/pcap/pcap.h:627:47: error: unknown type name 'u_char'

627 | const struct pcap_pkthdr *, const u_char *);

| ^~~~~~

/usr/include/pcap/pcap.h:743:27: error: unknown type name 'u_char'; did you mean 'char'?

743 | PCAP_API void pcap_dump(u_char *, const struct pcap_pkthdr *, const u_char *);

| ^~~~~~

| char

/usr/include/pcap/pcap.h:743:71: error: unknown type name 'u_char'

743 | PCAP_API void pcap_dump(u_char *, const struct pcap_pkthdr *, const u_char *);

| ^~~~~~

conf-engine-yaml-loader.c: In function 'get_localIPAndMask':

conf-engine-yaml-loader.c:21:18: error: array type has incomplete element type 'struct ifreq'

···

这些错误经测试发现都是因为默认使用-std=c11的编译选项导致的问题，需要将该编译选项修改为-std=gnu99或者-std=gnu11可解决该问题，此处我使用了比较暴力的办法，把configure中所有-std=c11的地方替换为了-std=gnu11,(感觉上，应该有配置选项进行配置);修改完成之后，重新进行configure及make后可正常编译。

安装及验证

执行make install

默认安装路径为/usr/local/suricata/bin/

cd /usr/local/suricata/bin/

通过ldd suricata查看是否缺少依赖，

而后通过./suricata -v确定版本是否能够正常运行。

总结

操作系统切换后，或多或少都会有一些意想不到的问题存在；好在有正确的版本可参照执行比如cbindgen可通过回退版本得到解决。此外，gcc -std=c11及-std=gnu11的差异点，还需进一步研究