jansson is required as of Suricata 5.0:
e49c40428e
This is still required in the latest release:
https://github.com/OISF/suricata/blob/suricata-8.0.2/configure.ac#L828
On exclusion attempt:
[...]
| checking for jansson.h... no
| checking for json_dump_callback in -ljansson... no
|
| ERROR: Jansson is now required.
|
| Go get it from your distribution or from:
| http://www.digip.org/jansson/
|
| Ubuntu/Debian: apt install libjansson-dev
| CentOS: yum install jansson-devel
| Fedora: dnf install jansson-devel
|
| NOTE: The following config.log files may provide further information.
| NOTE: [...]/poky-whinlatter/build/tmp/work/cortexa57-poky-linux/suricata/7.0.13/sources/suricata-7.0.13/config.log
| ERROR: configure failed
| WARNING: exit code 1 from a shell command.
ERROR: Task ([...]/poky-whinlatter/layers/meta-security/recipes-ids/suricata/suricata_7.0.13.bb:do_configure) failed with exit code '1'
Signed-off-by: Clayton Casciato <majortomtosourcecontrol@gmail.com>
Signed-off-by: Scott Murray <scott.murray@konsulko.com>
Remove the tripwire recipe since it has been disabled since May 2021,
and upstream has shown no activity since 2018.
Signed-off-by: Scott Murray <scott.murray@konsulko.com>
suricata.yaml references these configs
Resolve:
<Warning> -- could not open: "/etc/suricata/classification.config": No
such file or directory
<Error> -- please check the "classification-file" option in your
suricata.yaml file
Signed-off-by: Clayton Casciato <majortomtosourcecontrol@gmail.com>
v2 : also fix some typos while we are here.
v3 : add fixes for isic and checksecurity
Signed-off-by: Jason Schonberg <schonm@gmail.com>
[removed already applied change]
Signed-off-by: Scott Murray <scott.murray@konsulko.com>
/var/log/suricata initialization is handled by
systemd-tmpfiles-setup.service, which occurs before services like
suricata
Work towards resolving:
ERROR: [...] do_rootfs: The following packages could not be configured
offline and rootfs is read-only: ['100-suricata']
Added in commit 36d656fe72 ("suricata: add tmpfiles.d config")
systemd testing:
root@beaglebone-yocto:~# ls -d /var/log/suricata
/var/log/suricata
root@beaglebone-yocto:~# systemctl enable suricata
Created symlink '/etc/systemd/system/multi-user.target.wants/suricata.service' -> '/usr/lib/systemd/system/suricata.service'.
root@beaglebone-yocto:~# rmdir /var/log/suricata
root@beaglebone-yocto:~# reboot now
root@beaglebone-yocto:~# ls -d /var/log/suricata
/var/log/suricata
root@beaglebone-yocto:~# journalctl -o short-iso-precise -u systemd-tmpfiles-setup -u suricata
2025-05-20T00:45:46.450027+00:00 beaglebone-yocto systemd[1]: Starting Create System Files and Directories...
[...]
2025-05-20T00:45:47.041049+00:00 beaglebone-yocto systemd[1]: Finished Create System Files and Directories.
2025-05-20T00:45:47.542976+00:00 beaglebone-yocto systemd[1]: Started Suricata IDS/IDP daemon.
[...]
Signed-off-by: Clayton Casciato <majortomtosourcecontrol@gmail.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
ERROR: suricata-7.0.0-r0 do_package_qa: QA Issue: File /usr/bin/suricata
in package suricata contains reference to TMPDIR [buildpaths]
ERROR: suricata-7.0.0-r0 do_package_qa: QA Issue: File
/usr/src/debug/suricata/7.0.0/src/build-info.h in package suricata-src
contains reference to TMPDIR [buildpaths]
Address references when src/build-info.h is being written
This is similar to Debian's approach:
https://sources.debian.org/patches/suricata/1:7.0.10-1~bpo12%2B1/reproducible.patch/
Restore the "already-stripped" check and CFLAGS info
Original resolution in commit c0e3fecc3b ("suricata: fix QA warnings")
Signed-off-by: Clayton Casciato <majortomtosourcecontrol@gmail.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Otherwise Makefile isn't regenerated and do_compile fails with:
suricata/7.0.0/suricata-7.0.0/missing: line 81: aclocal-1.16: command not found
after automake upgrade from 1.16.5 to 1.17 from:
https://git.openembedded.org/openembedded-core/commit/?id=b98328a6ff07119e7ba4f1072090d789e69edef8
Fixes:
CDPATH="${ZSH_VERSION+.}:" && cd . && /bin/bash 'TOPDIR/BUILD/work/mach-distro-linux/suricata/7.0.0/suricata-7.0.0/missing' aclocal-1.16 -I m4
TOPDIR/BUILD/work/mach-distro-linux/suricata/7.0.0/suricata-7.0.0/missing: line 81: aclocal-1.16: command not found
WARNING: 'aclocal-1.16' is missing on your system.
You should only need it if you modified 'acinclude.m4' or
'configure.ac' or m4 files included by 'configure.ac'.
The 'aclocal' program is part of the GNU Automake package:
<https://www.gnu.org/software/automake>
It also requires GNU Autoconf, GNU m4 and Perl in order to run:
<https://www.gnu.org/software/autoconf>
<https://www.gnu.org/software/m4/>
<https://www.perl.org/>
make: *** [Makefile:465: aclocal.m4] Error 127
Signed-off-by: Martin Jansa <martin.jansa@gmail.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
address new configure error.
Enable pthread always
mhash is being dropped in the next release so switch to gcrypt for now.
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Upstream-Status: Backport from [aab7f35c76, a753cdbe84, c82fa5ca0d, 2bd3bd0e31]
CVE's Fixed:
CVE-2024-37151 suricata: suricata: packet reassembly failure, which can lead to policy bypass
CVE-2024-38534 suricata: suricata: Crafted modbus traffic can lead to unlimited resource accumulation within a flow
CVE-2024-38535 suricata: Suricata: can run out of memory when parsing crafted HTTP/2 traffic
CVE-2024-38536 suricata: NULL pointer dereference when http.memcap is reached
Signed-off-by: Siddharth Doshi <sdoshi@mvista.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Replace references of WORKDIR with UNPACKDIR where it makes sense to do so in preparation for changing the default value of UNPACKDIR.
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
* WORKDIR -> UNPACKDIR transition
* Switch away from S = WORKDIR
Signed-off-by: Changqing Li <changqing.li@windriver.com>
[Fixed up the smack changes due to prior patch]
Signed-off-by: Armin Kuster <akuster808@gmail.com>
If you want to try to generate the lock file without accessing the network, remove the --frozen flag and use --offline instead.
Signed-off-by: Armin Kuster <akuster808@gmail.com>
There could be some false possitives (the script is far from perfect), so please
test it on your QA, I've only double checked with "git grep" (the script looks
only in parent directory).
@ ~/layers/meta-security $ /OE/extra-layers/meta-ros/scripts/check-patch-files.sh .
./recipes-ids/tripwire/files/add_armeb_arch.patch: not used in any recipe
./dynamic-layers/meta-python/recipes-security/fail2ban/files/0001-To-fix-build-error-of-xrang.patch: not used in any recipe
./recipes-scanners/clamav/files/fix2_libcurl_check.patch: not used in any recipe
./recipes-scanners/arpwatch/files/postfix_workaround.patch: not used in any recipe
./meta-tpm/recipes-tpm/libtpm/files/Use-format-s-for-call-to-dprintf.patch: not used in any recipe
./meta-tpm/recipes-tpm/libtpm/files/fix_signed_issue.patch: not used in any recipe
./meta-tpm/recipes-tpm/libtpm/files/Convert-another-vdprintf-to-dprintf.patch: not used in any recipe
./meta-tpm/recipes-tpm/swtpm/files/fix_lib_search_path.patch: not used in any recipe
./meta-tpm/recipes-tpm/swtpm/files/fix_fcntl_h.patch: not used in any recipe
./recipes-mac/AppArmor/files/disable_perl_h_check.patch: not used in any recipe
@ ~/layers/meta-security $ git grep add_armeb_arch.patch
@ ~/layers/meta-security $ git grep 0001-To-fix-build-error-of-xrang.patch
@ ~/layers/meta-security $ git grep fix2_libcurl_check.patch
@ ~/layers/meta-security $ git grep postfix_workaround.patch
@ ~/layers/meta-security $ git grep Use-format-s-for-call-to-dprintf.patch
@ ~/layers/meta-security $ git grep fix_signed_issue.patch
@ ~/layers/meta-security $ git grep Convert-another-vdprintf-to-dprintf.patch
@ ~/layers/meta-security $ git grep fix_lib_search_path.patch
@ ~/layers/meta-security $ git grep fix_fcntl_h.patch
@ ~/layers/meta-security $ git grep disable_perl_h_check.patch
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Had to delete some wonky Cargo.toml files to get update_crates to work.
Manually updated one crate to a newer version included by update_crates as it would not compile.
Manually applied several crates missed by update_crates.
Signed-off-by: Armin Kuster <akuster808@gmail.com>
OE-Core changed the cache handling which made the use of ${BPN} no fail.
| Parsing recipes...WARNING: .../samhain-standalone.bb: Exception during build_dependencies for do_configure
| WARNING: .../samhain-standalone.bb: Error during finalise of .../samhain-standalone.bb
| ERROR: ExpansionError during parsing .../samhain-standalone.bb
| Traceback (most recent call last):
| File "Var <MODE_NAME>", line 1, in <module>
| bb.data_smart.ExpansionError: Failure expanding variable MODE_NAME, expression was ${@d.getVar('BPN').split('-')[1]} which triggered exception IndexError: list index out of range
| The variable dependency chain for the failure is: MODE_NAME -> SAMHAIN_MODE -> do_configure
Simplify the setting of MODE_NAME and SAMHAIN_MODE by setting them
in the recipe files where we know their values.
bitbake:
ee89ade5 cache/codeparser: Switch to a new BB_CACHEDIR variable for cache location
oe-core:
7c15e03dd3 bitbake.conf: Add BB_HASH_CODEPARSER_VALS
Signed-off-by: Max Krummenacher <max.krummenacher@toradex.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
make[2]: *** No rule to make target '../rust/target/arm-poky-linux-gnueabi/release/libsuricata.a', needed by 'suricata'
Signed-off-by: Armin Kuster <akuster808@gmail.com>
This will help create a aide db during build that is
then installed on the rootfs for verification at boot time.
This work was inspired by:
Marco Cavallini
Yocto Project Ambassador
Signed-off-by: Armin Kuster <akuster808@gmail.com>
