Bug #4065
Closed
Prelude support is broken in current 6.0.0 release
Description
Hi,
I cannot get Suricata 6.0.0 to build with Prelude support (--enable-prelude):
In file included from /usr/include/libprelude/prelude.h:55,
from alert-prelude.c:81:
/usr/include/libprelude/prelude-inttypes.h:52:11: fatal error: config.h: No such file or directory
52 | # include "config.h"
| ^~~~~~~~~~
compilation terminated.
make[4]: *** [Makefile:2635: alert-prelude.o] Error 1
The code in /usr/include/libprelude/prelude-inttypes.h checks for HAVE_CONFIG_H and tries to include config.h. But Suricata renamed config.h in its build process to autoconf.h (https://github.com/OISF/suricata/commit/900f1522b444e8391250683d48855ceb3d23f225) while still defining HAVE_CONFIG_H, so the libprelude headers are trying to include a nonexistent file.
After copying autoconf.h to config.h, another problem surfaces:
alert-prelude.c: In function 'PacketToDataProtoHTTP':
alert-prelude.c:680:10: error: implicit declaration of function 'JsonHttpAddMetadata'; did you mean 'EveHttpAddMetadata'? [-Werror=implicit-function-declaration]
680 | js = JsonHttpAddMetadata(p->flow, pa->tx_id);
| ^~~~~~~~~~~~~~~~~~~
| EveHttpAddMetadata
alert-prelude.c:680:8: warning: assignment to 'json_t *' from 'int' makes pointer from integer without a cast [-Wint-conversion]
680 | js = JsonHttpAddMetadata(p->flow, pa->tx_id);
| ^
alert-prelude.c: In function 'PacketToDataProtoHTTP2':
alert-prelude.c:699:41: error: 'f' undeclared (first use in this function)
699 | void *http2_state = FlowGetAppState(f);
| ^
alert-prelude.c:699:41: note: each undeclared identifier is reported only once for each function it appears in
alert-prelude.c:702:22: error: too few arguments to function 'rs_http2_log_json'
702 | json_t *js = rs_http2_log_json(tx_ptr);
| ^~~~~~~~~~~~~~~~~
In file included from rust.h:22,
from output-json.h:31,
from alert-prelude.c:56:
./../rust/dist/rust-bindings.h:646:6: note: declared here
646 | bool rs_http2_log_json(void *tx, JsonBuilder *js);
| ^~~~~~~~~~~~~~~~~
alert-prelude.c: In function 'PacketToDataProtoTLS':
alert-prelude.c:729:25: warning: passing argument 1 of 'JsonTlsLogJSONBasic' from incompatible pointer type [-Wincompatible-pointer-types]
729 | JsonTlsLogJSONBasic(js, ssl_state);
| ^~
| |
| json_t *
In file included from alert-prelude.c:58:
output-json-tls.h:31:39: note: expected 'JsonBuilder *' but argument is of type 'json_t *'
31 | void JsonTlsLogJSONBasic(JsonBuilder *js, SSLState *ssl_state);
| ~~~~~~~~~~~~~^~
alert-prelude.c:730:28: warning: passing argument 1 of 'JsonTlsLogJSONExtended' from incompatible pointer type [-Wincompatible-pointer-types]
730 | JsonTlsLogJSONExtended(js, ssl_state);
| ^~
| |
| json_t *
In file included from alert-prelude.c:58:
output-json-tls.h:32:42: note: expected 'JsonBuilder *' but argument is of type 'json_t *'
32 | void JsonTlsLogJSONExtended(JsonBuilder *js, SSLState *ssl_state);
| ~~~~~~~~~~~~~^~
alert-prelude.c: In function 'PacketToDataProtoSSH':
alert-prelude.c:754:10: error: too few arguments to function 'rs_ssh_log_json'
754 | js = rs_ssh_log_json(tx_ptr);
| ^~~~~~~~~~~~~~~
In file included from rust.h:22,
from output-json.h:31,
from alert-prelude.c:56:
./../rust/dist/rust-bindings.h:1623:6: note: declared here
1623 | bool rs_ssh_log_json(void *tx, JsonBuilder *js);
| ^~~~~~~~~~~~~~~
alert-prelude.c: In function 'PacketToDataProtoSMTP':
alert-prelude.c:783:10: error: implicit declaration of function 'JsonSMTPAddMetadata'; did you mean 'EveSMTPAddMetadata'? [-Werror=implicit-function-declaration]
783 | js = JsonSMTPAddMetadata(p->flow, pa->tx_id);
| ^~~~~~~~~~~~~~~~~~~
| EveSMTPAddMetadata
alert-prelude.c:783:8: warning: assignment to 'json_t *' from 'int' makes pointer from integer without a cast [-Wint-conversion]
783 | js = JsonSMTPAddMetadata(p->flow, pa->tx_id);
| ^
[...]
It looks like the code was not migrated to the new JSONBuilder infrastructure and relies on the now missing JsonHttpAddMetadata() and friends. It also needs to traverse the json_t which -- as far as I can see -- can now only be obtained by parsing the JSONBuilder buffer again. Any ideas?
This currently blocks an update in Debian without removing Prelude support altogether.
Updated by Victor Julien over 5 years ago
- Related to Optimization #3763: JsonBuilder - Update Prelude output to handle Alert conversion to JsonBuilder added
Updated by Victor Julien over 5 years ago
- Assignee set to Community Ticket
- Target version set to TBD
Updated by Thomas Andrejak over 5 years ago
Hello
This is because of this commit 900f1522b444e8391250683d48855ceb3d23f225, which removes the config.h file but leaves HAVE_CONFIG_H defined.
I'm looking at how to fix this the right way.
Regards
Updated by Victor Julien over 5 years ago
- Status changed from New to In Review
- Target version changed from TBD to 6.0.2
- Affected Versions 6.0.1 added
Updated by Victor Julien about 5 years ago
- Target version changed from 6.0.2 to 6.0.3
- Affected Versions 6.0.2 added
Updated by Victor Julien almost 5 years ago
- Target version changed from 6.0.3 to 6.0.4
Updated by Victor Julien over 4 years ago
- Target version deleted (6.0.4)
Updated by Philippe Antoine over 2 years ago
- Status changed from In Review to Rejected
Prelude support was deprecated by commit 54be743c48d0a9f64be75bd3de15384024e7fa0e
Is it ok @Sascha Steinbiss ?
Updated by Sascha Steinbiss over 2 years ago
Philippe Antoine wrote in #note-8:
Prelude support was deprecated by commit 54be743c48d0a9f64be75bd3de15384024e7fa0e
Is it ok @Sascha Steinbiss ?
Yes, anything to do with Prelude has not been an issue for quite some time. Can be closed. Thanks!