[Oisf-devel] Compile suricata statically

Dave Remien dave.remien at gmail.com
Wed Jun 28 15:07:48 UTC 2017 

Static binaries can often be created, but as Jason notes, it's not trivial.
You need the static versions of all the libraries linked in by the CCLD
line (usually the final link step if you capture the output from "make
V=1").

Here's the tail end of the link line from the suricata I'm running:

.....util-var-name.o win32-misc.o win32-service.o
 ../libhtp/htp/.libs/libhtp.so -lmagic -lcap-ng -lpcap -lnet
-lnetfilter_queue -lnfnetlink -ljansson -lpthread -lyaml -lpcre

It's probably easiest to put the link command in a file and edit it, then
run it as a command.

If one changes the libs part to their static counter parts, you can avoid
fun things like moving or renaming libs:

../libhtp/htp/.libs/libhtp.so -lmagic -lcap-ng -lpcap -lnet
-lnetfilter_queue -lnfnetlink -ljansson -lpthread -lyaml -lpcre

to

../libhtp/htp/.libs/libhtp.a
/usr/lib/x86_64-linux-gnu/libmagic.a /usr/local/lib/libcap-ng.a
/usr/local/lib/libpcap.a  /usr/lib/x86_64-linux-gnu/libnet.a
 /usr/local/lib/libnetfilter_queue.a /usr/local/lib/libnfnetlink.a
 /usr/lib/x86_64-linux-gnu/libjansson.a /usr/lib/x86_64-linux-gnu/libpthread.a
 /usr/local/lib/libyaml.a /usr/local/lib/libpcre.a
/usr/lib/x86_64-linux-gnu/libc.a  -static

and run it, you'll probably get output like this:

util-privs.o: In function `SCGetUserID':
/usr/local/src/suricata-3.2.2/src/util-privs.c:193: warning: Using
'getgrnam' in statically linked applications requires at runtime the shared
libraries from the glibc version used for linking
/usr/local/src/suricata-3.2.2/src/util-privs.c:206: warning: Using
'endgrent' in statically linked applications requires at runtime the shared
libraries from the glibc version used for linking
/usr/local/src/suricata-3.2.2/src/util-privs.c:177: warning: Using
'getpwnam' in statically linked applications requires at runtime the shared
libraries from the glibc version used for linking
/usr/local/src/suricata-3.2.2/src/util-privs.c:170: warning: Using
'getpwuid' in statically linked applications requires at runtime the shared
libraries from the glibc version used for linking
/usr/local/src/suricata-3.2.2/src/util-privs.c:208: warning: Using
'endpwent' in statically linked applications requires at runtime the shared
libraries from the glibc version used for linking
source-pcap.o: In function `PcapTranslateIPToDevice':
/usr/local/src/suricata-3.2.2/src/source-pcap.c:783: warning: Using
'getaddrinfo' in statically linked applications requires at runtime the
shared libraries from the glibc version used for linking
/usr/lib/x86_64-linux-gnu/libnet.a(libnet_resolve.o): In function
`libnet_addr2name4':
(.text+0xa4): warning: Using 'gethostbyaddr' in statically linked
applications requires at runtime the shared libraries from the glibc
version used for linking
/usr/local/lib/libpcap.a(nametoaddr.o): In function `pcap_nametoaddr':
nametoaddr.c:(.text+0x425): warning: Using 'gethostbyname' in statically
linked applications requires at runtime the shared libraries from the glibc
version used for linking
/usr/lib/x86_64-linux-gnu/libnet.a(libnet_resolve.o): In function
`libnet_name2addr6':
(.text+0x4e6): warning: Using 'gethostbyname2' in statically linked
applications requires at runtime the shared libraries from the glibc
version used for linking
/usr/local/lib/libpcap.a(nametoaddr.o): In function `pcap_nametonetaddr':
nametoaddr.c:(.text+0x405): warning: Using 'getnetbyname' in statically
linked applications requires at runtime the shared libraries from the glibc
version used for linking
detect-ipproto.o: In function `DetectIPProtoParse':
/usr/local/src/suricata-3.2.2/src/detect-ipproto.c:126: warning: Using
'getprotobyname' in statically linked applications requires at runtime the
shared libraries from the glibc version used for linking
/usr/local/lib/libpcap.a(nametoaddr.o): In function `pcap_nametoport':
nametoaddr.c:(.text+0x259): warning: Using 'getservbyname' in statically
linked applications requires at runtime the shared libraries from the glibc
version used for linking
../libhtp/htp/.libs/libhtp.a(htp_decompressors.o): In function
`htp_gzip_decompressor_destroy':
/usr/local/src/suricata-3.2.2/libhtp/htp/htp_decompressors.c:337: undefined
reference to `inflateEnd'
../libhtp/htp/.libs/libhtp.a(htp_decompressors.o): In function
`htp_gzip_decompressor_decompress':
/usr/local/src/suricata-3.2.2/libhtp/htp/htp_decompressors.c:220: undefined
reference to `crc32'
/usr/local/src/suricata-3.2.2/libhtp/htp/htp_decompressors.c:253: undefined
reference to `inflate'
/usr/local/src/suricata-3.2.2/libhtp/htp/htp_decompressors.c:280: undefined
reference to `inflateEnd'
/usr/local/src/suricata-3.2.2/libhtp/htp/htp_decompressors.c:292: undefined
reference to `inflateEnd'
../libhtp/htp/.libs/libhtp.a(htp_decompressors.o): In function
`htp_gzip_decompressor_restart':
/usr/local/src/suricata-3.2.2/libhtp/htp/htp_decompressors.c:108: undefined
reference to `inflateInit2_'
/usr/local/src/suricata-3.2.2/libhtp/htp/htp_decompressors.c:130: undefined
reference to `inflateInit2_'
../libhtp/htp/.libs/libhtp.a(htp_decompressors.o): In function
`htp_gzip_decompressor_decompress':
/usr/local/src/suricata-3.2.2/libhtp/htp/htp_decompressors.c:241: undefined
reference to `inflateEnd'
../libhtp/htp/.libs/libhtp.a(htp_decompressors.o): In function
`htp_gzip_decompressor_restart':
/usr/local/src/suricata-3.2.2/libhtp/htp/htp_decompressors.c:105: undefined
reference to `inflateInit2_'
/usr/local/src/suricata-3.2.2/libhtp/htp/htp_decompressors.c:118: undefined
reference to `inflateInit2_'
../libhtp/htp/.libs/libhtp.a(htp_decompressors.o): In function
`htp_gzip_decompressor_create':
/usr/local/src/suricata-3.2.2/libhtp/htp/htp_decompressors.c:375: undefined
reference to `inflateInit2_'
/usr/local/src/suricata-3.2.2/libhtp/htp/htp_decompressors.c:372: undefined
reference to `inflateInit2_'
/usr/local/src/suricata-3.2.2/libhtp/htp/htp_decompressors.c:381: undefined
reference to `inflateEnd'
/usr/lib/x86_64-linux-gnu/libmagic.a(compress.o): In function `file_zmagic':
(.text+0x630): undefined reference to `inflateInit2_'
/usr/lib/x86_64-linux-gnu/libmagic.a(compress.o): In function `file_zmagic':
(.text+0x643): undefined reference to `inflate'
/usr/lib/x86_64-linux-gnu/libmagic.a(compress.o): In function `file_zmagic':
(.text+0x7db): undefined reference to `inflateEnd'
collect2: error: ld returned 1 exit status

The warnings are usually OK, if the shared (glibc) lib is available at
runtime (it pretty much always is, at least on the machine you compiled on).

At which point you get to start going through the libraries and making sure
that all the needed calls are available, or why the link editor is
complaining. Often they're hiding in another library.

Modifying the Makefile to do this is possible, but even more non-trivial.

Sorry for the verboseness.... Not for the faint hearted.  I'll see if I can
actually produce a statically linked suricata that works...

I've used this to produce a static executable to run on another machine
that I didn't want to copy all the shared libraries onto for testing.




On Wed, Jun 28, 2017 at 7:29 AM, Jason Ish <lists at ish.cx> wrote:

> On 27/06/17 11:05 AM, Victor Julien wrote:
>
>> On 27-06-17 13:43, Breno Silva wrote:
>>
>>> I just tried to play with C|LD|FLAGS (defining -static) and using .a
>>> version of the libraries (pcre, yaml, etc).
>>> However suricata binary is always dynamic. There is no error.
>>>
>>> Anything you think i should try ?
>>>
>>
>> I don't know. Never tried it :)
>>
>> Anyone else have an idea?
>>
>
> I haven't tried with Suricata yet myself, but I used to build another app
> statically, and I found I had to remove the shared libraries so they
> wouldn't be found at all - a container helped here. Or copy the .a's into a
> directory and make sure that dir is on the library path before any standard
> location. But I find it far from trivial on modern Linux.
>
> Jason
>
>
> _______________________________________________
> Suricata IDS Devel mailing list: oisf-devel at openinfosecfoundation.org
> Site: http://suricata-ids.org | Participate:
> http://suricata-ids.org/participate/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-devel
> Redmine: https://redmine.openinfosecfoundation.org/
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-devel/attachments/20170628/4b223be5/attachment-0002.html>

More information about the Oisf-devel mailing list