<div dir="ltr">Static binaries can often be created, but as Jason notes, it's not trivial. You need the static versions of all the libraries linked in by the CCLD line (usually the final link step if you capture the output from "make V=1").<div><br></div><div>Here's the tail end of the link line from the suricata I'm running:</div><div><br></div><div>.....util-var-name.o win32-misc.o win32-service.o ../libhtp/htp/.libs/libhtp.so -lmagic -lcap-ng -lpcap -lnet -lnetfilter_queue -lnfnetlink -ljansson -lpthread -lyaml -lpcre</div><div><br></div><div>It's probably easiest to put the link command in a file and edit it, then run it as a command.</div><div><br></div><div>If one changes the libs part to their static counter parts, you can avoid fun things like moving or renaming libs:</div><div><br></div><div>../libhtp/htp/.libs/libhtp.so -lmagic -lcap-ng -lpcap -lnet -lnetfilter_queue -lnfnetlink -ljansson -lpthread -lyaml -lpcre<br></div><div><br></div><div>to</div><div><br></div><div>../libhtp/htp/.libs/libhtp.a /usr/lib/x86_64-linux-gnu/libmagic.a /usr/local/lib/libcap-ng.a /usr/local/lib/libpcap.a /usr/lib/x86_64-linux-gnu/libnet.a /usr/local/lib/libnetfilter_queue.a /usr/local/lib/libnfnetlink.a /usr/lib/x86_64-linux-gnu/libjansson.a /usr/lib/x86_64-linux-gnu/libpthread.a /usr/local/lib/libyaml.a /usr/local/lib/libpcre.a /usr/lib/x86_64-linux-gnu/libc.a -static<br></div><div><br></div><div>and run it, you'll probably get output like this:</div><div><br></div><div><div>util-privs.o: In function `SCGetUserID':</div><div>/usr/local/src/suricata-3.2.2/src/util-privs.c:193: warning: Using 'getgrnam' in statically linked applications requires at runtime the shared libraries from the glibc version used for linking</div><div>/usr/local/src/suricata-3.2.2/src/util-privs.c:206: warning: Using 'endgrent' in statically linked applications requires at runtime the shared libraries from the glibc version used for linking</div><div>/usr/local/src/suricata-3.2.2/src/util-privs.c:177: warning: Using 'getpwnam' in statically linked applications requires at runtime the shared libraries from the glibc version used for linking</div><div>/usr/local/src/suricata-3.2.2/src/util-privs.c:170: warning: Using 'getpwuid' in statically linked applications requires at runtime the shared libraries from the glibc version used for linking</div><div>/usr/local/src/suricata-3.2.2/src/util-privs.c:208: warning: Using 'endpwent' in statically linked applications requires at runtime the shared libraries from the glibc version used for linking</div><div>source-pcap.o: In function `PcapTranslateIPToDevice':</div><div>/usr/local/src/suricata-3.2.2/src/source-pcap.c:783: warning: Using 'getaddrinfo' in statically linked applications requires at runtime the shared libraries from the glibc version used for linking</div><div>/usr/lib/x86_64-linux-gnu/libnet.a(libnet_resolve.o): In function `libnet_addr2name4':</div><div>(.text+0xa4): warning: Using 'gethostbyaddr' in statically linked applications requires at runtime the shared libraries from the glibc version used for linking</div><div>/usr/local/lib/libpcap.a(nametoaddr.o): In function `pcap_nametoaddr':</div><div>nametoaddr.c:(.text+0x425): warning: Using 'gethostbyname' in statically linked applications requires at runtime the shared libraries from the glibc version used for linking</div><div>/usr/lib/x86_64-linux-gnu/libnet.a(libnet_resolve.o): In function `libnet_name2addr6':</div><div>(.text+0x4e6): warning: Using 'gethostbyname2' in statically linked applications requires at runtime the shared libraries from the glibc version used for linking</div><div>/usr/local/lib/libpcap.a(nametoaddr.o): In function `pcap_nametonetaddr':</div><div>nametoaddr.c:(.text+0x405): warning: Using 'getnetbyname' in statically linked applications requires at runtime the shared libraries from the glibc version used for linking</div><div>detect-ipproto.o: In function `DetectIPProtoParse':</div><div>/usr/local/src/suricata-3.2.2/src/detect-ipproto.c:126: warning: Using 'getprotobyname' in statically linked applications requires at runtime the shared libraries from the glibc version used for linking</div><div>/usr/local/lib/libpcap.a(nametoaddr.o): In function `pcap_nametoport':</div><div>nametoaddr.c:(.text+0x259): warning: Using 'getservbyname' in statically linked applications requires at runtime the shared libraries from the glibc version used for linking</div><div>../libhtp/htp/.libs/libhtp.a(htp_decompressors.o): In function `htp_gzip_decompressor_destroy':</div><div>/usr/local/src/suricata-3.2.2/libhtp/htp/htp_decompressors.c:337: undefined reference to `inflateEnd'</div><div>../libhtp/htp/.libs/libhtp.a(htp_decompressors.o): In function `htp_gzip_decompressor_decompress':</div><div>/usr/local/src/suricata-3.2.2/libhtp/htp/htp_decompressors.c:220: undefined reference to `crc32'</div><div>/usr/local/src/suricata-3.2.2/libhtp/htp/htp_decompressors.c:253: undefined reference to `inflate'</div><div>/usr/local/src/suricata-3.2.2/libhtp/htp/htp_decompressors.c:280: undefined reference to `inflateEnd'</div><div>/usr/local/src/suricata-3.2.2/libhtp/htp/htp_decompressors.c:292: undefined reference to `inflateEnd'</div><div>../libhtp/htp/.libs/libhtp.a(htp_decompressors.o): In function `htp_gzip_decompressor_restart':</div><div>/usr/local/src/suricata-3.2.2/libhtp/htp/htp_decompressors.c:108: undefined reference to `inflateInit2_'</div><div>/usr/local/src/suricata-3.2.2/libhtp/htp/htp_decompressors.c:130: undefined reference to `inflateInit2_'</div><div>../libhtp/htp/.libs/libhtp.a(htp_decompressors.o): In function `htp_gzip_decompressor_decompress':</div><div>/usr/local/src/suricata-3.2.2/libhtp/htp/htp_decompressors.c:241: undefined reference to `inflateEnd'</div><div>../libhtp/htp/.libs/libhtp.a(htp_decompressors.o): In function `htp_gzip_decompressor_restart':</div><div>/usr/local/src/suricata-3.2.2/libhtp/htp/htp_decompressors.c:105: undefined reference to `inflateInit2_'</div><div>/usr/local/src/suricata-3.2.2/libhtp/htp/htp_decompressors.c:118: undefined reference to `inflateInit2_'</div><div>../libhtp/htp/.libs/libhtp.a(htp_decompressors.o): In function `htp_gzip_decompressor_create':</div><div>/usr/local/src/suricata-3.2.2/libhtp/htp/htp_decompressors.c:375: undefined reference to `inflateInit2_'</div><div>/usr/local/src/suricata-3.2.2/libhtp/htp/htp_decompressors.c:372: undefined reference to `inflateInit2_'</div><div>/usr/local/src/suricata-3.2.2/libhtp/htp/htp_decompressors.c:381: undefined reference to `inflateEnd'</div><div>/usr/lib/x86_64-linux-gnu/libmagic.a(compress.o): In function `file_zmagic':</div><div>(.text+0x630): undefined reference to `inflateInit2_'</div><div>/usr/lib/x86_64-linux-gnu/libmagic.a(compress.o): In function `file_zmagic':</div><div>(.text+0x643): undefined reference to `inflate'</div><div>/usr/lib/x86_64-linux-gnu/libmagic.a(compress.o): In function `file_zmagic':</div><div>(.text+0x7db): undefined reference to `inflateEnd'</div><div>collect2: error: ld returned 1 exit status</div></div><div><br></div><div>The warnings are usually OK, if the shared (glibc) lib is available at runtime (it pretty much always is, at least on the machine you compiled on).</div><div><br></div><div>At which point you get to start going through the libraries and making sure that all the needed calls are available, or why the link editor is complaining. Often they're hiding in another library.</div><div><br></div><div>Modifying the Makefile to do this is possible, but even more non-trivial.</div><div><br></div><div>Sorry for the verboseness.... Not for the faint hearted. I'll see if I can actually produce a statically linked suricata that works... </div><div><br></div><div>I've used this to produce a static executable to run on another machine that I didn't want to copy all the shared libraries onto for testing.</div><div><br></div><div><br></div><div><br></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Wed, Jun 28, 2017 at 7:29 AM, Jason Ish <span dir="ltr"><<a href="mailto:lists@ish.cx" target="_blank">lists@ish.cx</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">On 27/06/17 11:05 AM, Victor Julien wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
On 27-06-17 13:43, Breno Silva wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
I just tried to play with C|LD|FLAGS (defining -static) and using .a<br>
version of the libraries (pcre, yaml, etc).<br>
However suricata binary is always dynamic. There is no error.<br>
<br>
Anything you think i should try ?<br>
</blockquote>
<br>
I don't know. Never tried it :)<br>
<br>
Anyone else have an idea?<br>
</blockquote>
<br>
I haven't tried with Suricata yet myself, but I used to build another app statically, and I found I had to remove the shared libraries so they wouldn't be found at all - a container helped here. Or copy the .a's into a directory and make sure that dir is on the library path before any standard location. But I find it far from trivial on modern Linux.<br>
<br>
Jason<br>
<br>
<br>
______________________________<wbr>_________________<br>
Suricata IDS Devel mailing list: <a href="mailto:oisf-devel@openinfosecfoundation.org" target="_blank">oisf-devel@openinfosecfoundati<wbr>on.org</a><br>
Site: <a href="http://suricata-ids.org" rel="noreferrer" target="_blank">http://suricata-ids.org</a> | Participate: <a href="http://suricata-ids.org/participate/" rel="noreferrer" target="_blank">http://suricata-ids.org/partic<wbr>ipate/</a><br>
List: <a href="https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-devel" rel="noreferrer" target="_blank">https://lists.openinfosecfound<wbr>ation.org/mailman/listinfo/<wbr>oisf-devel</a><br>
Redmine: <a href="https://redmine.openinfosecfoundation.org/" rel="noreferrer" target="_blank">https://redmine.openinfosecfou<wbr>ndation.org/</a><br>
<br>
</blockquote></div><br></div>