Suricata

Basic steps, but I haven't tried myself, have only thought about it:

- build static versions of all the C dependencies, most modern Linux distributions as far as I know don't provide static versions for everything needed
- point Suricata at these static versions instead of shared ones, it can probably all be done with ./configure flags, but I wouldn't be surprised if some patching required
- the last bit, static libc - I'm not so sure, final build with MUSL maybe

We've managed to do this successfully, however, the plugin loading has a dlopen, patching this out (Its sadly not a configuration option) gave a fully static build of suricata.
Most dependencies (In (docker) ubuntu at least) came with a static library. We only had to rebuild libpcap without some dependencies, for example:

CFLAGS="-static" ./configure --disable-rdma --disable-shared --disable-usb --disable-netmap --disable-bluetooth --disable-dbus --without-libnl --with-pcap=linux

A command like

CFLAGS="-static" LDFLAGS="-static-libgcc -static -L/path/to/libpcap -L/lib/x86_64-linux-gnu/ -L/usr/lib/gcc/x86_64-linux-gnu/11/ -l:libgcc.a -l:libjansson.a -l:libm.a -l:liblz4.a -l:libyaml.a -l:libcap-ng.a -l:libyaml.a -l:libpcre2-8.a -l:libc.a -l:libz.a" CPPFLAGS="-I/path/to/libpcap" ./configure --disable-shared --enable-static --disable-gccmarch-native

Is probably enough to build suricata statically

I tried to build it in alpine linux 3.21 but when I compiled it with hyperscan, it will produce a problem, i don't know how to fix, this is my steps.

Build steps¶

apk add git clang llvm make automake autoconf pkgconfig libtool linux-headers bash vim
apk add zlib zlib-dev zlib-static 
apk add lz4 lz4-dev lz4-static
apk add pcre2-dev
apk add jansson-dev jansson-static
apk add yaml yaml-dev yaml-static
apk add libpcap-dev
apk add libcap-ng-dev libcap-ng-static
apk add file file libmagic
apk add libunwind-dev libunwind-static
apk add libelf libbpf-dev libxdp-dev libxdp-static
apk add rust cargo
apk add ragel boost-dev cmake

echo 'export PATH=/root/.cargo/bin:$PATH' >> /etc/profile
source /etc/profile
cargo install --force cbindgen

git clone https://github.com/Intel/hyperscan
cd hyperscan
cmake -DBUILD_STATIC_AND_SHARED=1 -DCMAKE_INSTALL_PREFIX:PATH=/usr -DCMAKE_C_FLAGS="-march=core-avx2" -DCMAKE_CXX_FLAGS="-march=core-avx2" 
cmake --build ./
cmake --install ./
cd ..

git clone https://github.com/OISF/suricata
cd suricata
git clone https://github.com/OISF/libhtp
./autogen.sh
# don't know why hyperscan can't configure
ln -s /usr/lib/gcc/x86_64-alpine-linux-musl/14.2.0/libgcc.a /usr/lib/gcc/x86_64-alpine-linux-musl/14.2.0/libgcc_s.a
LDFLAGS="-static" PKG_CONFIG="pkg-config --static" ./configure --disable-shared --enable-static --prefix=/usr --localstatedir=/var --sysconfdir=/etc
# compile rust failed
rm -f /usr/lib/gcc/x86_64-alpine-linux-musl/14.2.0/libgcc_s.a
make -j4 V=1 LDFLAGS="-static -all-static" 
ln -s /usr/lib/gcc/x86_64-alpine-linux-musl/14.2.0/libgcc.a /usr/lib/gcc/x86_64-alpine-linux-musl/14.2.0/libgcc_s.a
make -j4 V=1 LDFLAGS="-static -all-static" 

Error¶

/usr/lib/gcc/x86_64-alpine-linux-musl/14.2.0/../../../../x86_64-alpine-linux-musl/bin/ld: cannot find -lgcc_s: No such file or directory

Hans Vermeer wrote in #note-3:

We've managed to do this successfully, however, the plugin loading has a dlopen, patching this out (Its sadly not a configuration option) gave a fully static build of suricata.
Most dependencies (In (docker) ubuntu at least) came with a static library. We only had to rebuild libpcap without some dependencies, for example:

[...]

A command like
[...]

Is probably enough to build suricata statically

Thank you so much!!! I will try it.