lukegb/depot
1
0
Fork 0
Code Issues 1 Pull requests Projects Packages Activity Actions
depot/third_party/nixpkgs/pkgs/by-name/su/suricata/package.nix

185 lines
3.9 KiB
Nix
Raw Blame History

{
stdenv,
lib,
fetchurl,
clang,
llvm,
pkg-config,
makeWrapper,
elfutils,
file,
hyperscan,
jansson,
libbpf_0,
libcap_ng,
libevent,
libmaxminddb,
libnet,
libnetfilter_log,
libnetfilter_queue,
libnfnetlink,
libpcap,
libyaml,
luajit,
lz4,
nspr,
pcre2,
python3,
zlib,
redisSupport ? true,
redis,
hiredis,
rustSupport ? true,
rustc,
cargo,
nixosTests,
}:
let
libmagic = file;
hyperscanSupport = stdenv.system == "x86_64-linux" || stdenv.system == "i686-linux";
in
stdenv.mkDerivation rec {
pname = "suricata";
version = "7.0.7";
src = fetchurl {
url = "https://www.openinfosecfoundation.org/download/${pname}-${version}.tar.gz";
hash = "sha256-JtCjYZTVMID8iwm5mbK1qDxASfQK0H72rmnHIlpyi4Y=";
};
nativeBuildInputs =
[
clang
llvm
makeWrapper
pkg-config
]
++ lib.optionals rustSupport [
rustc
cargo
];
propagatedBuildInputs = with python3.pkgs; [
pyyaml
];
buildInputs =
[
elfutils
jansson
libbpf_0
libcap_ng
libevent
libmagic
libmaxminddb
libnet
libnetfilter_log
libnetfilter_queue
libnfnetlink
libpcap
libyaml
luajit
lz4
nspr
pcre2
python3
zlib
]
++ lib.optional hyperscanSupport hyperscan
++ lib.optionals redisSupport [
redis
hiredis
];
enableParallelBuilding = true;
patches = lib.optional stdenv.hostPlatform.is64bit ./bpf_stubs_workaround.patch;
postPatch = ''
substituteInPlace ./configure \
--replace "/usr/bin/file" "${file}/bin/file"
substituteInPlace ./libhtp/configure \
--replace "/usr/bin/file" "${file}/bin/file"
mkdir -p bpf_stubs_workaround/gnu
touch bpf_stubs_workaround/gnu/stubs-32.h
'';
configureFlags =
[
"--disable-gccmarch-native"
"--enable-af-packet"
"--enable-ebpf"
"--enable-ebpf-build"
"--enable-gccprotect"
"--enable-geoip"
"--enable-luajit"
"--enable-nflog"
"--enable-nfqueue"
"--enable-pie"
"--enable-python"
"--enable-unix-socket"
"--localstatedir=/var"
"--sysconfdir=/etc"
"--with-libnet-includes=${libnet}/include"
"--with-libnet-libraries=${libnet}/lib"
]
++ lib.optionals hyperscanSupport [
"--with-libhs-includes=${hyperscan.dev}/include/hs"
"--with-libhs-libraries=${hyperscan}/lib"
]
++ lib.optional redisSupport "--enable-hiredis"
++ lib.optionals rustSupport [
"--enable-rust"
"--enable-rust-experimental"
];
postConfigure = ''
# Avoid unintended clousure growth.
sed -i 's|${builtins.storeDir}/\(.\{8\}\)[^-]*-|${builtins.storeDir}/\1...-|g' ./src/build-info.h
'';
# zerocallusedregs interferes during BPF compilation; TODO: perhaps improve
hardeningDisable = [
"stackprotector"
"zerocallusedregs"
];
doCheck = true;
installFlags = [
"e_datadir=\${TMPDIR}"
"e_localstatedir=\${TMPDIR}"
"e_logdir=\${TMPDIR}"
"e_logcertsdir=\${TMPDIR}"
"e_logfilesdir=\${TMPDIR}"
"e_rundir=\${TMPDIR}"
"e_sysconfdir=\${out}/etc/suricata"
"e_sysconfrulesdir=\${out}/etc/suricata/rules"
"localstatedir=\${TMPDIR}"
"runstatedir=\${TMPDIR}"
"sysconfdir=\${out}/etc"
];
installTargets = [
"install"
"install-conf"
];
postInstall = ''
wrapProgram "$out/bin/suricatasc" \
--prefix PYTHONPATH : $PYTHONPATH:$(toPythonPath "$out")
substituteInPlace "$out/etc/suricata/suricata.yaml" \
--replace "/etc/suricata" "$out/etc/suricata"
'';
passthru.tests = { inherit (nixosTests) suricata; };
meta = with lib; {
description = "Free and open source, mature, fast and robust network threat detection engine";
homepage = "https://suricata.io";
license = licenses.gpl2;
platforms = platforms.linux;
maintainers = with maintainers; [ magenbluten ];
};
}
Reference in a new issue View git blame Copy permalink