Bug #4065
closed
Prelude support is broken in current 6.0.0 release
Description
Hi,
I cannot get Suricata 6.0.0 to build with Prelude support (--enable-prelude):
In file included from /usr/include/libprelude/prelude.h:55,
from alert-prelude.c:81:
/usr/include/libprelude/prelude-inttypes.h:52:11: fatal error: config.h: No such file or directory
52 | # include "config.h"
| ^~~~~~~~~~
compilation terminated.
make[4]: *** [Makefile:2635: alert-prelude.o] Error 1
The code in /usr/include/libprelude/prelude-inttypes.h checks for HAVE_CONFIG_H and tries to include config.h. But Suricata renamed config.h in its build process to autoconf.h (https://github.com/OISF/suricata/commit/900f1522b444e8391250683d48855ceb3d23f225) while still defining HAVE_CONFIG_H, so the libprelude headers are trying to include a nonexistent file.
After copying autoconf.h to config.h, another problem surfaces:
alert-prelude.c: In function 'PacketToDataProtoHTTP':
alert-prelude.c:680:10: error: implicit declaration of function 'JsonHttpAddMetadata'; did you mean 'EveHttpAddMetadata'? [-Werror=implicit-function-declaration]
680 | js = JsonHttpAddMetadata(p->flow, pa->tx_id);
| ^~~~~~~~~~~~~~~~~~~
| EveHttpAddMetadata
alert-prelude.c:680:8: warning: assignment to 'json_t *' from 'int' makes pointer from integer without a cast [-Wint-conversion]
680 | js = JsonHttpAddMetadata(p->flow, pa->tx_id);
| ^
alert-prelude.c: In function 'PacketToDataProtoHTTP2':
alert-prelude.c:699:41: error: 'f' undeclared (first use in this function)
699 | void *http2_state = FlowGetAppState(f);
| ^
alert-prelude.c:699:41: note: each undeclared identifier is reported only once for each function it appears in
alert-prelude.c:702:22: error: too few arguments to function 'rs_http2_log_json'
702 | json_t *js = rs_http2_log_json(tx_ptr);
| ^~~~~~~~~~~~~~~~~
In file included from rust.h:22,
from output-json.h:31,
from alert-prelude.c:56:
./../rust/dist/rust-bindings.h:646:6: note: declared here
646 | bool rs_http2_log_json(void *tx, JsonBuilder *js);
| ^~~~~~~~~~~~~~~~~
alert-prelude.c: In function 'PacketToDataProtoTLS':
alert-prelude.c:729:25: warning: passing argument 1 of 'JsonTlsLogJSONBasic' from incompatible pointer type [-Wincompatible-pointer-types]
729 | JsonTlsLogJSONBasic(js, ssl_state);
| ^~
| |
| json_t *
In file included from alert-prelude.c:58:
output-json-tls.h:31:39: note: expected 'JsonBuilder *' but argument is of type 'json_t *'
31 | void JsonTlsLogJSONBasic(JsonBuilder *js, SSLState *ssl_state);
| ~~~~~~~~~~~~~^~
alert-prelude.c:730:28: warning: passing argument 1 of 'JsonTlsLogJSONExtended' from incompatible pointer type [-Wincompatible-pointer-types]
730 | JsonTlsLogJSONExtended(js, ssl_state);
| ^~
| |
| json_t *
In file included from alert-prelude.c:58:
output-json-tls.h:32:42: note: expected 'JsonBuilder *' but argument is of type 'json_t *'
32 | void JsonTlsLogJSONExtended(JsonBuilder *js, SSLState *ssl_state);
| ~~~~~~~~~~~~~^~
alert-prelude.c: In function 'PacketToDataProtoSSH':
alert-prelude.c:754:10: error: too few arguments to function 'rs_ssh_log_json'
754 | js = rs_ssh_log_json(tx_ptr);
| ^~~~~~~~~~~~~~~
In file included from rust.h:22,
from output-json.h:31,
from alert-prelude.c:56:
./../rust/dist/rust-bindings.h:1623:6: note: declared here
1623 | bool rs_ssh_log_json(void *tx, JsonBuilder *js);
| ^~~~~~~~~~~~~~~
alert-prelude.c: In function 'PacketToDataProtoSMTP':
alert-prelude.c:783:10: error: implicit declaration of function 'JsonSMTPAddMetadata'; did you mean 'EveSMTPAddMetadata'? [-Werror=implicit-function-declaration]
783 | js = JsonSMTPAddMetadata(p->flow, pa->tx_id);
| ^~~~~~~~~~~~~~~~~~~
| EveSMTPAddMetadata
alert-prelude.c:783:8: warning: assignment to 'json_t *' from 'int' makes pointer from integer without a cast [-Wint-conversion]
783 | js = JsonSMTPAddMetadata(p->flow, pa->tx_id);
| ^
[...]
It looks like the code was not migrated to the new JSONBuilder infrastructure and relies on the now missing JsonHttpAddMetadata() and friends. It also needs to traverse the json_t which -- as far as I can see -- can now only be obtained by parsing the JSONBuilder buffer again. Any ideas?
This currently blocks an update in Debian without removing Prelude support altogether.
Updated by Victor Julien about 5 years ago
- Related to Optimization #3763: JsonBuilder - Update Prelude output to handle Alert conversion to JsonBuilder added
Updated by Victor Julien about 5 years ago
- Assignee set to Community Ticket
- Target version set to TBD
Updated by Thomas Andrejak almost 5 years ago
Hello
This is because of this commit 900f1522b444e8391250683d48855ceb3d23f225 that removes the config.h file but leaves HAVE_CONFIG_H defined.
I'm looking at how to fix this the right way.
Regards
Updated by Victor Julien almost 5 years ago
- Status changed from New to In Review
- Target version changed from TBD to 6.0.2
- Affected Versions 6.0.1 added
Updated by Victor Julien over 4 years ago
- Target version changed from 6.0.2 to 6.0.3
- Affected Versions 6.0.2 added
Updated by Victor Julien over 4 years ago
- Target version changed from 6.0.3 to 6.0.4
Updated by Philippe Antoine almost 2 years ago
- Status changed from In Review to Rejected
Prelude support was deprecated by commit 54be743c48d0a9f64be75bd3de15384024e7fa0e
Is it ok @Sascha Steinbiss ?
Updated by Sascha Steinbiss almost 2 years ago
Philippe Antoine wrote in #note-8:
Prelude support was deprecated by commit 54be743c48d0a9f64be75bd3de15384024e7fa0e
Is it ok @Sascha Steinbiss ?
Yes, anything to do with Prelude has not been an issue for quite some time. Can be closed. Thanks!