diff --git a/net/snort/Makefile b/net/snort/Makefile index 9266360eb72..13cf0678170 100644 --- a/net/snort/Makefile +++ b/net/snort/Makefile @@ -1,25 +1,33 @@ -# $OpenBSD: Makefile,v 1.47 2006/08/03 23:15:58 espie Exp $ +# $OpenBSD: Makefile,v 1.48 2006/10/10 13:33:17 aanriot Exp $ COMMENT= "highly flexible sniffer/NIDS" -DISTNAME= snort-2.4.5 -PKGNAME= ${DISTNAME}p0 +DISTNAME= snort-2.6.0.2 CATEGORIES= net security MASTER_SITES= ${HOMEPAGE}/dl/current/ HOMEPAGE= http://www.snort.org/ -# License: GPL +# GPL PERMIT_PACKAGE_CDROM= Yes PERMIT_PACKAGE_FTP= Yes PERMIT_DISTFILES_CDROM= Yes PERMIT_DISTFILES_FTP= Yes WANTLIB= c m pcap -SEPARATE_BUILD= concurrent -CONFIGURE_STYLE= gnu +SHARED_LIBS= sf_engine 0.0 \ + sf_dns_preproc 0.0 \ + sf_ftptelnet_preproc 0.0 \ + sf_smtp_preproc 0.0 -LIB_DEPENDS= pcre::devel/pcre +USE_LIBTOOL= Yes + +SEPARATE_BUILD= concurrent +CONFIGURE_STYLE=gnu +CONFIGURE_ARGS+=${CONFIGURE_SHARED} \ + --enable-dynamicplugin + +LIB_DEPENDS= pcre::devel/pcre # gcc 3.3.5, Bus errors .if ${MACHINE_ARCH} == "sparc64" @@ -30,21 +38,18 @@ FLAVORS= postgresql mysql flexresp prelude FLAVOR?= .if ${FLAVOR:L:Mflexresp} -LIB_DEPENDS+= lib/libnet-1.0/net.=0:libnet-1.0*:net/libnet/1.0 -CONFIGURE_ENV+= LDFLAGS="-L${LOCALBASE}/lib" -CONFIGURE_ARGS+= --enable-flexresp \ - --with-libnet-includes=${LOCALBASE}/include/libnet-1.0 \ - --with-libnet-libraries=${LOCALBASE}/lib/libnet-1.0 +LIB_DEPENDS+= dnet.=1::net/libdnet +CONFIGURE_ARGS+=--enable-flexresp2 .endif .if ${FLAVOR:L:Mpostgresql} LIB_DEPENDS+= pq.>=2::databases/postgresql -CONFIGURE_ARGS+= --with-postgresql="${LOCALBASE}" +CONFIGURE_ARGS+=--with-postgresql="${LOCALBASE}" .endif .if ${FLAVOR:L:Mmysql} LIB_DEPENDS+= lib/mysql/mysqlclient.>=10::databases/mysql -CONFIGURE_ARGS+= --with-mysql="${LOCALBASE}" +CONFIGURE_ARGS+=--with-mysql="${LOCALBASE}" WANTLIB+= z .endif 
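Review bot: `--enable-dynamicplugin` in CONFIGURE_ARGS turns on run-time loading of the four libraries listed in SHARED_LIBS, and nothing in this hunk records that for whoever maintains or deploys the port. The package message tells operators to start snort with `-u _snort -g _snort`, which suggests it starts privileged and drops later, so the plugin directories are a code-loading path. They should stay root-owned and not writable by `_snort`; their ownership is not visible in this diff and should be confirmed. A one-line comment above the option would do, e.g. `# dynamic engine/preprocessors are dlopen()ed at startup; keep the plugin dirs root-owned`.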
@@ -59,10 +64,21 @@ MESSAGE= ${PKGDIR}/MESSAGE-prelude CONFIGS= classification.config gen-msg.map generators reference.config \ sid sid-msg.map snort.conf threshold.conf unicode.map +DOCS= AUTHORS CREDITS README.* *.pdf + +post-build: + @perl -pi -e "s,%%SYSCONFDIR%%,${SYSCONFDIR}," \ + ${WRKSRC}/etc/snort.conf + post-install: ${INSTALL_DATA_DIR} ${PREFIX}/share/examples/snort .for i in ${CONFIGS} ${INSTALL_DATA} ${WRKSRC}/etc/${i} ${PREFIX}/share/examples/snort .endfor + ${INSTALL_DATA_DIR} ${PREFIX}/share/doc/snort +.for j in ${DOCS} + ${INSTALL_DATA} ${WRKSRC}/doc/${j} ${PREFIX}/share/doc/snort +.endfor + .include diff --git a/net/snort/distinfo b/net/snort/distinfo index 0b86cc398f1..2fd8494e75d 100644 --- a/net/snort/distinfo +++ b/net/snort/distinfo @@ -1,4 +1,4 @@ -MD5 (snort-2.4.5.tar.gz) = 108b3c20dcbaf3cdb17ea9203342eaaa -RMD160 (snort-2.4.5.tar.gz) = 1b697ccd84e1c10406ac20ccc0c46f79ea661e11 -SHA1 (snort-2.4.5.tar.gz) = 3ba7dae8058aecf4e4eb1c7a816a7c8a4fb7c550 -SIZE (snort-2.4.5.tar.gz) = 2817837 +MD5 (snort-2.6.0.2.tar.gz) = 5c094ff6d82db845a5f023e4a492103e +RMD160 (snort-2.6.0.2.tar.gz) = 706d63db83b7d037ac8a71c8104324d9b7594eb5 +SHA1 (snort-2.6.0.2.tar.gz) = 1a6b3fb19a82f83bf0fce5a8db6eb1277c72379b +SIZE (snort-2.6.0.2.tar.gz) = 3350277 diff --git a/net/snort/patches/patch-configure b/net/snort/patches/patch-configure deleted file mode 100644 index da54f26de52..00000000000 --- a/net/snort/patches/patch-configure +++ /dev/null 
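Review bot: The `post-build` recipe interpolates `${SYSCONFDIR}` straight into a double-quoted Perl `s,,,` expression, so a value containing a comma, `$` or `@` would silently produce a wrong RULE_PATH in the sample `snort.conf` that `post-install` copies, and the leading `@` keeps the command out of the build log. With the usual `/etc` this works, but passing the value through the environment removes the quoting dependency: `SYSCONFDIR="${SYSCONFDIR}" perl -pi -e 's,%%SYSCONFDIR%%,$$ENV{SYSCONFDIR},' ${WRKSRC}/etc/snort.conf`. Separately, `DOCS` uses shell globs (`README.* *.pdf`), which is why `README.WIN32` is installed and then has to be `@comment`ed out in PLIST; listing the files explicitly would keep install and packing list in step.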
@@ -1,38 +0,0 @@
-$OpenBSD: patch-configure,v 1.3 2006/04/12 22:03:48 david Exp $
---- configure.orig Wed Mar 8 15:38:24 2006
-+++ configure Thu Mar 9 09:03:15 2006
-@@ -8397,20 +8397,20 @@ fi
- # Check whether --enable-flexresp or --disable-flexresp was given.
- if test "${enable_flexresp+set}" = set; then
- enableval="$enable_flexresp"
-- CPPFLAGS="${CPPFLAGS} -DENABLE_RESPONSE `libnet-config --defines --cflags`" LDFLAGS="${LDFLAGS} `libnet-config --libs`"
-+ CPPFLAGS="${CPPFLAGS} -DENABLE_RESPONSE `libnet-config-1.0 --defines --cflags`" LDFLAGS="`libnet-config-1.0 --libs` ${LDFLAGS} "
- fi;
-
-
- if test "$enable_flexresp" != "no" -a "$enable_flexresp" = "yes"; then
-
-- if test `libnet-config --cflags | wc -c` = "1"; then
-+ if test `libnet-config-1.0 --cflags | wc -c` = "1"; then
- CPPFLAGS="${CPPFLAGS} -I/usr/local/include -I/sw/include"
- LIBNET_CONFIG_BROKEN_CFLAGS=yes
- fi
-
-- if test `libnet-config --libs | wc -c` = "1"; then
-- { echo "$as_me:$LINENO: WARNING: libnet-config --libs is broken on your system. If you" >&5
--echo "$as_me: WARNING: libnet-config --libs is broken on your system. If you" >&2;}
-+ if test `libnet-config-1.0 --libs | wc -c` = "1"; then
-+ { echo "$as_me:$LINENO: WARNING: libnet-config-1.0 --libs is broken on your system. If you" >&5
-+echo "$as_me: WARNING: libnet-config-1.0 --libs is broken on your system. If you" >&2;}
- { echo "$as_me:$LINENO: WARNING: are using a precompiled package please notify the" >&5
- echo "$as_me: WARNING: are using a precompiled package please notify the" >&2;}
- { echo "$as_me:$LINENO: WARNING: maintainer." >&5
-@@ -8590,7 +8590,7 @@ echo $ECHO_N "checking for libnet versio
- libnet_dir="/usr/include /usr/local/include /sw/include"
- fi
- else
-- libnet_dir=`libnet-config --cflags | cut -dI -f2`
-+ libnet_dir=`libnet-config-1.0 --cflags | cut -dI -f2`
- fi
-
- LIBNET_INC_DIR=""
diff --git a/net/snort/patches/patch-etc_snort_conf b/net/snort/patches/patch-etc_snort_conf
new file mode 100644
index 00000000000..81d1adb3460
--- /dev/null
+++ b/net/snort/patches/patch-etc_snort_conf
@@ -0,0 +1,22 @@
+$OpenBSD: patch-etc_snort_conf,v 1.1 2006/10/10 13:33:17 aanriot Exp $
+--- etc/snort.conf.orig Wed Sep 13 21:44:31 2006
++++ etc/snort.conf Tue Oct 10 12:54:59 2006
+@@ -82,6 +82,9 @@ var SNMP_SERVERS $HOME_NET
+ # Port lists must either be continuous [eg 80:8080], or a single port [eg 80].
+ # We will adding support for a real list of ports in the future.
+
++# Ports you run ssh servers on
++var SSH_PORTS 22
++
+ # Ports you run web servers on
+ #
+ # Please note: [80,8080] does not work.
+@@ -108,7 +111,7 @@ var AIM_SERVERS [64.12.24.0/23,64.12.28.
+ # Path to your rules files (this can be a relative path)
+ # Note for Windows users: You are advised to make this an absolute path,
+ # such as: c:\snort\rules
+-var RULE_PATH ../rules
++var RULE_PATH %%SYSCONFDIR%%/snort/rules
+
+ # Configure the snort decoder
+ # ============================
diff --git a/net/snort/patches/patch-src_dynamic-plugins_sf_dynamic_plugins_c b/net/snort/patches/patch-src_dynamic-plugins_sf_dynamic_plugins_c
new file mode 100644
index 00000000000..ce387de73fa
--- /dev/null
+++ b/net/snort/patches/patch-src_dynamic-plugins_sf_dynamic_plugins_c
@@ -0,0 +1,11 @@
+--- src/dynamic-plugins/sf_dynamic_plugins.c.orig Wed Sep 20 16:10:44 2006
++++ src/dynamic-plugins/sf_dynamic_plugins.c Wed Sep 20 16:09:23 2006
+@@ -42,6 +42,8 @@
+ #define EXT "*.sl"
+ #elif defined(MACOS)
+ #define EXT "*.dylib"
++#elif defined(OPENBSD)
++#define EXT "*.so.*"
+ #else
+ #define EXT "*.so"
+ #endif
diff --git a/net/snort/patches/patch-src_dynamic-preprocessors_Makefile_in b/net/snort/patches/patch-src_dynamic-preprocessors_Makefile_in
new file mode 100644
index 00000000000..3a4723b2c9b
--- /dev/null
+++ b/net/snort/patches/patch-src_dynamic-preprocessors_Makefile_in
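Review bot: In the sf_dynamic_plugins.c patch, the new `OPENBSD` branch sets `EXT` to `*.so.*`, a pattern that matches every versioned shared object in a plugin directory rather than one specific library version. If an older `libsf_*.so.X.Y` were left beside a newer one after a SHARED_LIBS bump, both would presumably be candidates for loading; how `EXT` is consumed lies outside the hunk, so this should be checked against the loader. A short comment in the patched source would record why the pattern differs, e.g. `/* OpenBSD shared libraries are named lib*.so.major.minor */`. This is also the only patch file added in this commit that does not start with the `$OpenBSD$` tag line.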
@@ -0,0 +1,26 @@
+$OpenBSD: patch-src_dynamic-preprocessors_Makefile_in,v 1.1 2006/10/10 13:33:17 aanriot Exp $
+--- src/dynamic-preprocessors/Makefile.in.orig Wed Sep 13 21:40:06 2006
++++ src/dynamic-preprocessors/Makefile.in Sun Oct 1 17:38:17 2006
+@@ -480,7 +480,7 @@ maintainer-clean-generic:
+ @echo "This command is intended for maintainers to use"
+ @echo "it deletes files that may require special tools to rebuild."
+ -test -z "$(BUILT_SOURCES)" || rm -f $(BUILT_SOURCES)
+-@HAVE_DYNAMIC_PLUGINS_FALSE@install-data-local:
++install-data-local:
+ clean: clean-recursive
+
+ clean-am: clean-generic clean-libtool clean-local mostlyclean-am
+@@ -608,13 +608,6 @@ include/str_search.h: $(srcdir)/../prepr
+ clean-local:
+ rm -rf include build
+
+-@HAVE_DYNAMIC_PLUGINS_TRUE@install-data-local:
+-@HAVE_DYNAMIC_PLUGINS_TRUE@ @for f in $(exported_files); do \
+-@HAVE_DYNAMIC_PLUGINS_TRUE@ truefile=`echo $$f | sed -e "s/.*\///"`; \
+-@HAVE_DYNAMIC_PLUGINS_TRUE@ $(mkinstalldirs) $(DESTDIR)$(srcinstdir); \
+-@HAVE_DYNAMIC_PLUGINS_TRUE@ if test -f $(srcdir)/$$f; then p=$(srcdir)/$$f; else p=$$f; fi; \
+-@HAVE_DYNAMIC_PLUGINS_TRUE@ $(INSTALL_DATA) $$p $(DESTDIR)$(srcinstdir)/$$truefile; \
+-@HAVE_DYNAMIC_PLUGINS_TRUE@ done
+ # Tell versions [3.59,3.63) of GNU make to not export all variables.
+ # Otherwise a system limit (for SysV at least) may be exceeded.
+ .NOEXPORT:
diff --git a/net/snort/patches/patch-src_dynamic-preprocessors_dns_Makefile_in b/net/snort/patches/patch-src_dynamic-preprocessors_dns_Makefile_in
new file mode 100644
index 00000000000..1cbb43555cb
--- /dev/null
+++ b/net/snort/patches/patch-src_dynamic-preprocessors_dns_Makefile_in
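Review bot: The patch to src/dynamic-preprocessors/Makefile.in deletes the whole `install-data-local` recipe that copied `$(exported_files)` into `$(DESTDIR)$(srcinstdir)` and leaves an empty, unconditional `install-data-local:` target, with no explanation. The intent looks like keeping the preprocessor development sources out of the package, but that is an inference; the patch gives no reason. Ports patches accept free text before the `---` line, so a single line there stating the reason would keep the change from being dropped or misread at the next upstream update.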
@@ -0,0 +1,12 @@
+$OpenBSD: patch-src_dynamic-preprocessors_dns_Makefile_in,v 1.1 2006/10/10 13:33:17 aanriot Exp $
+--- src/dynamic-preprocessors/dns/Makefile.in.orig Tue Oct 10 12:22:55 2006
++++ src/dynamic-preprocessors/dns/Makefile.in Tue Oct 10 12:23:59 2006
+@@ -373,7 +373,7 @@ distdir: $(DISTFILES)
+ check-am: all-am
+ check: $(BUILT_SOURCES)
+ $(MAKE) $(AM_MAKEFLAGS) check-am
+-all-am: Makefile $(LTLIBRARIES) all-local
++all-am: Makefile $(LTLIBRARIES)
+ installdirs:
+ for dir in "$(DESTDIR)$(libdir)"; do \
+ test -z "$$dir" || $(mkdir_p) "$$dir"; \
diff --git a/net/snort/patches/patch-src_dynamic-preprocessors_ftptelnet_Makefile_in b/net/snort/patches/patch-src_dynamic-preprocessors_ftptelnet_Makefile_in
new file mode 100644
index 00000000000..55780658259
--- /dev/null
+++ b/net/snort/patches/patch-src_dynamic-preprocessors_ftptelnet_Makefile_in
@@ -0,0 +1,12 @@
+$OpenBSD: patch-src_dynamic-preprocessors_ftptelnet_Makefile_in,v 1.1 2006/10/10 13:33:17 aanriot Exp $
+--- src/dynamic-preprocessors/ftptelnet/Makefile.in.orig Tue Oct 10 12:18:08 2006
++++ src/dynamic-preprocessors/ftptelnet/Makefile.in Tue Oct 10 12:18:34 2006
+@@ -409,7 +409,7 @@ distdir: $(DISTFILES)
+ check-am: all-am
+ check: $(BUILT_SOURCES)
+ $(MAKE) $(AM_MAKEFLAGS) check-am
+-all-am: Makefile $(LTLIBRARIES) all-local
++all-am: Makefile $(LTLIBRARIES)
+ installdirs:
+ for dir in "$(DESTDIR)$(libdir)"; do \
+ test -z "$$dir" || $(mkdir_p) "$$dir"; \
diff --git a/net/snort/patches/patch-src_dynamic-preprocessors_smtp_Makefile_in b/net/snort/patches/patch-src_dynamic-preprocessors_smtp_Makefile_in
new file mode 100644
index 00000000000..f132a2df3bd
--- /dev/null
+++ b/net/snort/patches/patch-src_dynamic-preprocessors_smtp_Makefile_in
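Review bot: In the dns Makefile.in patch, dropping `all-local` from the `all-am` prerequisites means a normal build no longer runs whatever `all-local` does. Its recipe is outside the hunk, so the effect cannot be checked from here. The identical one-line change is repeated in the ftptelnet and smtp patches, and none of the three states a reason. A line of free text above the `---` header of each patch saying what `all-local` did and why it is unwanted on OpenBSD would make the change reviewable at the next update.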
@@ -0,0 +1,12 @@ +$OpenBSD: patch-src_dynamic-preprocessors_smtp_Makefile_in,v 1.1 2006/10/10 13:33:17 aanriot Exp $ +--- src/dynamic-preprocessors/smtp/Makefile.in.orig Tue Oct 10 12:22:47 2006 ++++ src/dynamic-preprocessors/smtp/Makefile.in Tue Oct 10 12:23:13 2006 +@@ -387,7 +387,7 @@ distdir: $(DISTFILES) + check-am: all-am + check: $(BUILT_SOURCES) + $(MAKE) $(AM_MAKEFLAGS) check-am +-all-am: Makefile $(LTLIBRARIES) all-local ++all-am: Makefile $(LTLIBRARIES) + installdirs: + for dir in "$(DESTDIR)$(libdir)"; do \ + test -z "$$dir" || $(mkdir_p) "$$dir"; \ diff --git a/net/snort/pkg/MESSAGE b/net/snort/pkg/MESSAGE index 2cffc4db399..f0ce4e94666 100644 --- a/net/snort/pkg/MESSAGE +++ b/net/snort/pkg/MESSAGE @@ -3,9 +3,9 @@ These can be downloaded manually or net/oinkmaster can be used to download the latest rules from several different sources. It is recommended that snort be run as an unprivileged chrooted user. -An _snort user/group and log directory has been created for this -purpose. You should start snort with the following options to take +A _snort user/group and a log directory have been created for this +purpose. You should start snort with the following options to take advantage of this: - -u _snort -g _snort -t /var/snort -and if you want to log: - -l /var/snort/log + + -c /etc/snort/snort.conf -u _snort -g _snort -t /var/snort -l /var/snort/log + diff --git a/net/snort/pkg/MESSAGE-prelude b/net/snort/pkg/MESSAGE-prelude index cef56c79460..4c8f5a91fe0 100644 --- a/net/snort/pkg/MESSAGE-prelude +++ b/net/snort/pkg/MESSAGE-prelude 
@@ -2,18 +2,11 @@ An up-to-date set of rules is needed for Snort to be useful as an IDS. These can be downloaded manually or net/oinkmaster can be used to download the latest rules from several different sources. -It is recommended that snort be run as an unprivileged chrooted user. -An _snort user/group and log directory has been created for this -purpose. You should start snort with the following options to take -advantage of this: - -u _snort -g _snort -t /var/snort -and if you want to log: - -l /var/snort/log - To start with snort as sensor for prelude, you have to create a starting profile, e.g. "snort" by running on the manager side: -# prelude-adduser registration-server prelude-manager --uid=564 --gid=564 +# prelude-adduser registration-server prelude-manager \ + --uid=564 --gid=564 and on the sensor side: @@ -21,4 +14,10 @@ and on the sensor side: --uid 557 --gid 557 Then, fill in the prelude section in ${SYSCONFDIR}/snort/snort.conf -before starting snort. +before starting snort (the name of the profile is "snort" in the +example). + +Eventually, you should start snort with the following options: + + -c /etc/snort/snort.conf -u _snort -g _snort -l /var/snort/log + diff --git a/net/snort/pkg/PFRAG.shared b/net/snort/pkg/PFRAG.shared new file mode 100644 index 00000000000..92937bf5386 --- /dev/null +++ b/net/snort/pkg/PFRAG.shared @@ -0,0 +1,5 @@ +@comment $OpenBSD: PFRAG.shared,v 1.1 2006/10/10 13:33:17 aanriot Exp $ +@lib lib/snort_dynamicengine/libsf_engine.so.${LIBsf_engine_VERSION} +@lib lib/snort_dynamicpreprocessor/libsf_dns_preproc.so.${LIBsf_dns_preproc_VERSION} +@lib lib/snort_dynamicpreprocessor/libsf_ftptelnet_preproc.so.${LIBsf_ftptelnet_preproc_VERSION} +@lib lib/snort_dynamicpreprocessor/libsf_smtp_preproc.so.${LIBsf_smtp_preproc_VERSION} diff --git a/net/snort/pkg/PLIST b/net/snort/pkg/PLIST index 3ea58a9b524..c30b6778546 100644 --- a/net/snort/pkg/PLIST +++ b/net/snort/pkg/PLIST 
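Review bot: The rewritten pkg/MESSAGE-prelude no longer tells the operator to chroot. The paragraph recommending an unprivileged chrooted user is removed in the first hunk, and the option line added in the second has `-u _snort -g _snort` but no `-t /var/snort`, unlike pkg/MESSAGE in the same commit. If the prelude sensor cannot run inside the chroot, the message should say so; otherwise the option should be kept so this flavor does not ship weaker guidance. The new line also hard-codes `/etc/snort/snort.conf` while the sentence just above it uses `${SYSCONFDIR}/snort/snort.conf`; writing `-c ${SYSCONFDIR}/snort/snort.conf` would keep the two consistent.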
@@ -1,10 +1,51 @@
-@comment $OpenBSD: PLIST,v 1.14 2006/02/04 13:15:42 david Exp $
+@comment $OpenBSD: PLIST,v 1.15 2006/10/10 13:33:17 aanriot Exp $
 @newgroup _snort:557
 @newuser _snort:557:_snort:daemon:Snort Account:/nonexistent:/sbin/nologin
+%%SHARED%%
 bin/snort
+lib/snort_dynamicengine/
+lib/snort_dynamicengine/libsf_engine.a
+@comment lib/snort_dynamicengine/libsf_engine.la
+lib/snort_dynamicpreprocessor/
+lib/snort_dynamicpreprocessor/libsf_dns_preproc.a
+@comment lib/snort_dynamicpreprocessor/libsf_dns_preproc.la
+lib/snort_dynamicpreprocessor/libsf_ftptelnet_preproc.a
+@comment lib/snort_dynamicpreprocessor/libsf_ftptelnet_preproc.la
+lib/snort_dynamicpreprocessor/libsf_smtp_preproc.a
+@comment lib/snort_dynamicpreprocessor/libsf_smtp_preproc.la
 @man man/man8/snort.8
+share/doc/snort/
+share/doc/snort/AUTHORS
+share/doc/snort/CREDITS
+share/doc/snort/README.FLEXRESP
+share/doc/snort/README.FLEXRESP2
+share/doc/snort/README.INLINE
+share/doc/snort/README.PLUGINS
+share/doc/snort/README.PerfProfiling
+share/doc/snort/README.SMTP
+share/doc/snort/README.UNSOCK
+@comment share/doc/snort/README.WIN32
+share/doc/snort/README.alert_order
+share/doc/snort/README.asn1
+share/doc/snort/README.csv
+share/doc/snort/README.database
+share/doc/snort/README.dns
+share/doc/snort/README.event_queue
+share/doc/snort/README.flow
+share/doc/snort/README.flow-portscan
+share/doc/snort/README.flowbits
+share/doc/snort/README.frag3
+share/doc/snort/README.ftptelnet
+share/doc/snort/README.http_inspect
+share/doc/snort/README.sfportscan
+share/doc/snort/README.thresholding
+share/doc/snort/README.wireless
+share/doc/snort/faq.pdf
+share/doc/snort/snort_manual.pdf
+share/doc/snort/snort_schema_v106.pdf
 share/examples/snort/
 @sample ${SYSCONFDIR}/snort/
+@sample ${SYSCONFDIR}/snort/rules/
 share/examples/snort/classification.config
 @sample ${SYSCONFDIR}/snort/classification.config
 share/examples/snort/gen-msg.map