Prelude support is broken in current 6.0.0 release
I cannot get Suricata 6.0.0 to build with Prelude support (
In file included from /usr/include/libprelude/prelude.h:55,
                 from alert-prelude.c:81:
/usr/include/libprelude/prelude-inttypes.h:52:11: fatal error: config.h: No such file or directory
   52 | # include "config.h"
      |           ^~~~~~~~~~
compilation terminated.
make: *** [Makefile:2635: alert-prelude.o] Error 1
The code in /usr/include/libprelude/prelude-inttypes.h checks for HAVE_CONFIG_H and tries to include config.h. But Suricata renamed config.h in its build process to autoconf.h (https://github.com/OISF/suricata/commit/900f1522b444e8391250683d48855ceb3d23f225) while still defining HAVE_CONFIG_H, so the libprelude headers are trying to include a nonexistent file.
After copying autoconf.h to config.h, another problem surfaces:
alert-prelude.c: In function 'PacketToDataProtoHTTP':
alert-prelude.c:680:10: error: implicit declaration of function 'JsonHttpAddMetadata'; did you mean 'EveHttpAddMetadata'? [-Werror=implicit-function-declaration]
  680 |     js = JsonHttpAddMetadata(p->flow, pa->tx_id);
      |          ^~~~~~~~~~~~~~~~~~~
      |          EveHttpAddMetadata
alert-prelude.c:680:8: warning: assignment to 'json_t *' from 'int' makes pointer from integer without a cast [-Wint-conversion]
  680 |     js = JsonHttpAddMetadata(p->flow, pa->tx_id);
      |        ^
alert-prelude.c: In function 'PacketToDataProtoHTTP2':
alert-prelude.c:699:41: error: 'f' undeclared (first use in this function)
  699 |     void *http2_state = FlowGetAppState(f);
      |                                         ^
alert-prelude.c:699:41: note: each undeclared identifier is reported only once for each function it appears in
alert-prelude.c:702:22: error: too few arguments to function 'rs_http2_log_json'
  702 |     json_t *js = rs_http2_log_json(tx_ptr);
      |                  ^~~~~~~~~~~~~~~~~
In file included from rust.h:22,
                 from output-json.h:31,
                 from alert-prelude.c:56:
./../rust/dist/rust-bindings.h:646:6: note: declared here
  646 | bool rs_http2_log_json(void *tx, JsonBuilder *js);
      |      ^~~~~~~~~~~~~~~~~
alert-prelude.c: In function 'PacketToDataProtoTLS':
alert-prelude.c:729:25: warning: passing argument 1 of 'JsonTlsLogJSONBasic' from incompatible pointer type [-Wincompatible-pointer-types]
  729 |     JsonTlsLogJSONBasic(js, ssl_state);
      |                         ^~
      |                         |
      |                         json_t *
In file included from alert-prelude.c:58:
output-json-tls.h:31:39: note: expected 'JsonBuilder *' but argument is of type 'json_t *'
   31 | void JsonTlsLogJSONBasic(JsonBuilder *js, SSLState *ssl_state);
      |                          ~~~~~~~~~~~~~^~
alert-prelude.c:730:28: warning: passing argument 1 of 'JsonTlsLogJSONExtended' from incompatible pointer type [-Wincompatible-pointer-types]
  730 |     JsonTlsLogJSONExtended(js, ssl_state);
      |                            ^~
      |                            |
      |                            json_t *
In file included from alert-prelude.c:58:
output-json-tls.h:32:42: note: expected 'JsonBuilder *' but argument is of type 'json_t *'
   32 | void JsonTlsLogJSONExtended(JsonBuilder *js, SSLState *ssl_state);
      |                             ~~~~~~~~~~~~~^~
alert-prelude.c: In function 'PacketToDataProtoSSH':
alert-prelude.c:754:10: error: too few arguments to function 'rs_ssh_log_json'
  754 |     js = rs_ssh_log_json(tx_ptr);
      |          ^~~~~~~~~~~~~~~
In file included from rust.h:22,
                 from output-json.h:31,
                 from alert-prelude.c:56:
./../rust/dist/rust-bindings.h:1623:6: note: declared here
 1623 | bool rs_ssh_log_json(void *tx, JsonBuilder *js);
      |      ^~~~~~~~~~~~~~~
alert-prelude.c: In function 'PacketToDataProtoSMTP':
alert-prelude.c:783:10: error: implicit declaration of function 'JsonSMTPAddMetadata'; did you mean 'EveSMTPAddMetadata'? [-Werror=implicit-function-declaration]
  783 |     js = JsonSMTPAddMetadata(p->flow, pa->tx_id);
      |          ^~~~~~~~~~~~~~~~~~~
      |          EveSMTPAddMetadata
alert-prelude.c:783:8: warning: assignment to 'json_t *' from 'int' makes pointer from integer without a cast [-Wint-conversion]
  783 |     js = JsonSMTPAddMetadata(p->flow, pa->tx_id);
      |        ^
[...]
It looks like the code was not migrated to the new JsonBuilder infrastructure and relies on the now missing JsonHttpAddMetadata() and friends. It also needs to traverse the json_t which -- as far as I can see -- can now only be obtained by parsing the JsonBuilder buffer again. Any ideas?
This currently blocks an update in Debian without removing Prelude support altogether.