# HG changeset patch
# User Michael Schloh von Bennewitz
# Date 1346171510 -7200
# Node ID 00e5f0537340618943b180b9b8518606e58d3c04
# Parent efb4f295e1cf052a0f8e6b417c8a7dbcfd39f93b
Import package vendor original specs for necessary manipulations.

diff -r efb4f295e1cf -r 00e5f0537340 snort/fsl.snort
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/snort/fsl.snort Tue Aug 28 18:31:50 2012 +0200
@@ -0,0 +1,16 @@
+##
+## fsl.snort -- OSSP fsl configuration
+##
+
+ident (snort)/.+ q{
+ prefix(
+ prefix="%b %d %H:%M:%S %N <%L> $1[%P]: "
+ )
+ -> {
+ debug: file(
+ path="@l_prefix@/var/snort/snort.log",
+ perm=0644
+ )
+ }
+};
+
diff -r efb4f295e1cf -r 00e5f0537340 snort/rc.snort
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/snort/rc.snort Tue Aug 28 18:31:50 2012 +0200
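Review bot: `perm=0644` on the `debug: file(...)` sink leaves `@l_prefix@/var/snort/snort.log` readable by every local account, and an IDS log routinely carries alert detail and packet excerpts that only the operator should see; `perm=0640` keeps it to the run user and its group. rc.snort rotates the alert log with `-m 644` as well, so the two masks should be tightened together rather than one at a time.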
@@ -0,0 +1,92 @@
+#!@l_prefix@/bin/openpkg rc
+##
+## rc.snort -- Run-Commands
+##
+
+%config
+ snort_enable="$openpkg_rc_def"
+ snort_if=""
+ snort_flags="-N -Afast -o"
+ snort_log_prolog="true"
+ snort_log_epilog="true"
+ snort_log_numfiles="10"
+ snort_log_minsize="1M"
+ snort_log_complevel="9"
+ snort_update_time="once"
+ snort_update_source="file://@l_prefix@/share/snort/rules.tar.gz"
+
+%common
+ snort_cfgfile="@l_prefix@/etc/snort/snort.conf"
+ snort_logdir="@l_prefix@/var/snort"
+ snort_piddir="@l_prefix@/var/snort"
+ snort_pidfile="$snort_piddir/snort_${snort_if}.pid"
+ snort_signal () {
+ [ -f $snort_pidfile ] && kill -$1 `cat $snort_pidfile`
+ }
+ snort_update () {
+ @l_prefix@/sbin/snort-update "$snort_update_source"
+ }
+
+%status -u @l_susr@ -o
+ snort_usable="no"
+ snort_active="no"
+ @l_prefix@/sbin/snort \
+ -q -T \
+ -u "@l_rusr@" -g "@l_rgrp@" \
+ -i "$snort_if" \
+ -c "$snort_cfgfile" \
+ -l "$snort_logdir" \
+ >/dev/null 2>&1 && snort_usable="yes"
+ [ ".$snort_if" = . ] && snort_usable="no"
+ rcService snort enable yes && snort_signal 0 && snort_active="yes"
+ echo "snort_enable=\"$snort_enable\""
+ echo "snort_usable=\"$snort_usable\""
+ echo "snort_active=\"$snort_active\""
+
+%start -p 100 -u @l_susr@
+ rcService snort enable yes || exit 0
+ rcService snort active yes && exit 0
+ @l_prefix@/sbin/snort \
+ -q -D \
+ -u "@l_rusr@" -g "@l_rgrp@" \
+ -i "$snort_if" \
+ -c "$snort_cfgfile" \
+ -l "$snort_logdir" \
+ ${snort_flags}
+
+%stop -p 900 -u @l_susr@
+ rcService snort enable yes || exit 0
+ rcService snort active no && exit 0
+ snort_signal TERM
+ sleep 2
+ rm -f $snort_pidfile 2>/dev/null || true
+
+%restart -p 100 -u @l_susr@
+ rcService snort enable yes || exit 0
+ rcService snort active no && exit 0
+ rc snort stop start
+
+%hourly -u @l_rusr@
+ rcService snort enable yes || exit 0
+ if [ ".$snort_update_time" = .hourly ]; then
+ snort_update || exit $?
+ fi
+
+%daily -u @l_rusr@
+ rcService snort enable yes || exit 0
+ if [ ".$snort_update_time" = .daily ]; then
+ snort_update || exit $?
+ fi
+ shtool rotate -f \
+ -n ${snort_log_numfiles} -s ${snort_log_minsize} -d \
+ -z ${snort_log_complevel} -m 644 -o @l_rusr@ -g @l_rgrp@ \
+ -P "${snort_log_prolog}" \
+ -E "${snort_log_epilog}; rc snort reload" \
+ $snort_logdir/snort.alert.log
+
+%weekly -u @l_rusr@
+ rcService snort enable yes || exit 0
+ if [ ".$snort_update_time" = .weekly ]; then
+ snort_update || exit $?
+ fi
+
diff -r efb4f295e1cf -r 00e5f0537340 snort/snort-update.sh
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/snort/snort-update.sh Tue Aug 28 18:31:50 2012 +0200
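Review bot: `snort_signal` in `%common` sends `kill -$1` to whatever `$snort_pidfile` contains, unvalidated and unquoted, and `%stop` and `%status` run it as `@l_susr@`; the pid file lives in `snort_piddir="@l_prefix@/var/snort"`, which snort.spec hands to `%{l_rusr}` via `%attr`, the same unprivileged account the daemon drops to with `-u "@l_rusr@"`. Anything running as that account can therefore rewrite the pid file and have the next superuser-run stop or restart deliver the signal to an arbitrary process, so the helper should check that the content is a plain number and that the target process belongs to the run user before signalling. The rewritten helper below does both and returns failure otherwise, which also keeps `snort_signal 0` in `%status` meaningful. Separately, the rotate epilog in `%daily` calls `rc snort reload`, but no `%reload` section exists in this file; unless OpenPKG's rc supplies one, that command fails after every rotation and should either be added or changed to `rc snort restart`.
```shell
    snort_signal () {
        pid=`cat $snort_pidfile 2>/dev/null`
        case "$pid" in ''|*[!0-9]*) return 1 ;; esac
        [ ".`ps -o user= -p "$pid" 2>/dev/null | tr -d ' '`" = ".@l_rusr@" ] || return 1
        kill -$1 "$pid"
    }
    # … unchanged: snort_update and the remaining sections …
```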
@@ -0,0 +1,43 @@
+#!/bin/sh
+##
+## snort-update.sh -- Snort Rule Updating Utility
+## Copyright (c) 2005-2007 Ralf S. Engelschall
+##
+
+# command line parameters
+url="$1"
+if [ ".$url" = . ]; then
+ echo "USAGE: $0 " 1>&2
+ exit 1
+fi
+
+# configuration
+rulesdir="@l_prefix@/var/snort/rules"
+tmpdir="@l_prefix@/var/snort/tmp"
+oinkmaster="@l_prefix@/sbin/oinkmaster"
+logfile="@l_prefix@/var/snort/oinkmaster.log"
+statsfile="@l_prefix@/var/snort/snort.stats"
+
+# parameter post-processing
+url=`echo "$url" |\
+ sed -e 's;^oinkcode:\(.*\)$;http://www.snort.org/pub-bin/oinkmaster.cgi/\1/snortrules-snapshot-@V_rules@.tar.gz;' \
+ -e 's;^\(/.*\)$;file://\1;'`
+
+# ruleset updating
+( echo "++ SNORT-UPDATE START (`date`)"
+ echo "++ Update URL: \"$url\""
+ $oinkmaster -q -o $rulesdir -u $url
+ if [ ! -f $rulesdir/local.rules ]; then
+ touch $rulesdir/local.rules
+ fi
+ @l_prefix@/lib/openpkg/shtool subst \
+ -e 's;\(var HOME_NET\) any;\1 $(HOME_NET:-any);' \
+ -e 's;\(var EXTERNAL_NET\) any;\1 $(EXTERNAL_NET:-any);' \
+ -e 's; \([^ /]*\.map\); $(RULE_PATH)/\1;' \
+ -e 's; \([^ /]*\.config\); $(RULE_PATH)/\1;' \
+ -e "s;\\(var RULE_PATH\\).*;\\1 \$(RULE_PATH:-$rulesdir);" \
+ -e "s;/var/snort/snort\.stats;$statsfile;" \
+ $rulesdir/snort.conf
+ echo "++ SNORT-UPDATE END (`date`)"
+) >>$logfile 2>&1
+
diff -r efb4f295e1cf -r 00e5f0537340 snort/snort.conf
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/snort/snort.conf Tue Aug 28 18:31:50 2012 +0200
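Review bot: The oinkcode is an account credential, and after the `sed` rewrite it becomes part of `$url`, which `echo "++ Update URL: \"$url\""` then writes in clear into `oinkmaster.log`; the log line should mask it, e.g. `echo "++ Update URL: \"`echo "$url" | sed 's;\(oinkmaster\.cgi/\)[^/]*/;\1<oinkcode>/;'`\""`. The rewritten URL also uses plain `http://`, so the same credential and the downloaded ruleset travel unencrypted and arrive without any integrity check; if the server offers it, `https://` in the substitution is the minimal improvement. On the `$oinkmaster` line both `$rulesdir` and `$url` are unquoted, which is harmless for the built-in paths but splits any configured value containing whitespace. The usage line `echo "USAGE: $0 " 1>&2` names no argument; if the placeholder was not lost in transit, `<url>` should be added after `$0`.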
@@ -0,0 +1,22 @@
+##
+## snort.conf -- Snort Daemon Configuration
+##
+
+# common variables
+var VAR_PATH @l_prefix@/var/snort
+var RULE_PATH $VAR_PATH/rules
+
+# output selection
+config alertfile: $VAR_PATH/snort.alert.log
+output alert_fast: $VAR_PATH/snort.alert.log
+#output log_tcpdump: $VAR_PATH/snort.alert.cap
+
+# configuration parameters
+config show_year
+config order: alert pass log
+
+# load snort rules configuration
+var HOME_NET any
+var EXTERNAL_NET any
+include $RULE_PATH/snort.conf
+
diff -r efb4f295e1cf -r 00e5f0537340 snort/snort.patch
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/snort/snort.patch Tue Aug 28 18:31:50 2012 +0200
@@ -0,0 +1,12 @@
+Index: src/snort.h
+--- src/snort.h.orig 2009-09-14 21:12:14 +0200
++++ src/snort.h 2009-09-19 09:27:59 +0200
+@@ -92,7 +92,7 @@
+ #define RF_ANY_FLAGS 0x20
+
+ #ifndef WIN32
+-# define DEFAULT_LOG_DIR "/var/log/snort"
++# define DEFAULT_LOG_DIR "@l_prefix@/var/snort"
+ # define DEFAULT_DAEMON_ALERT_FILE "alert"
+ #else
+ # define DEFAULT_LOG_DIR "log"
diff -r efb4f295e1cf -r 00e5f0537340 snort/snort.spec
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/snort/snort.spec Tue Aug 28 18:31:50 2012 +0200
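Review bot: `config order: alert pass log` conflicts with the `-o` flag that rc.snort passes in `snort_flags`, which selects pass-before-alert ordering; one of the two is silently overridden, and which one wins depends on Snort's precedence between command line and configuration file, so the intended rule order should be set in one place only with a comment saying why. `var HOME_NET any` and `var EXTERNAL_NET any` also deserve a comment marking them as placeholders to be replaced with the monitored address ranges: with both at `any`, rules that distinguish inside from outside traffic cannot tell the directions apart, and the included `$RULE_PATH/snort.conf` inherits these values through the `$(HOME_NET:-any)` substitution that snort-update.sh applies. A suitable comment is `# set to the monitored networks (e.g. [10.0.0.0/8]); "any" disables direction-aware rules`.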
@@ -0,0 +1,282 @@
+##
+## snort.spec -- OpenPKG RPM Package Specification
+## Copyright (c) 2000-2010 OpenPKG Foundation e.V.
+##
+## Permission to use, copy, modify, and distribute this software for
+## any purpose with or without fee is hereby granted, provided that
+## the above copyright notice and this permission notice appear in all
+## copies.
+##
+## THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESSED OR IMPLIED
+## WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+## MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+## IN NO EVENT SHALL THE AUTHORS AND COPYRIGHT HOLDERS AND THEIR
+## CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+## SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+## LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF
+## USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
+## ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
+## OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT
+## OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+## SUCH DAMAGE.
+##
+
+# package version
+%define V_snort 2.8.6
+%define V_rules 2.4
+%define V_oinkmaster 2.0
+
+# package information
+Name: snort
+Summary: Network Intrusion Detection System
+URL: http://www.snort.org/
+Vendor: B. Caswell, M. Roesch
+Packager: OpenPKG Foundation e.V.
+Distribution: OpenPKG Community
+Class: BASE
+Group: Monitoring
+License: GPL
+Version: %{V_snort}
+Release: 20100427
+
+# package options
+%option with_fsl yes
+%option with_mysql no
+%option with_pgsql no
+
+# list of sources
+Source0: http://dl.snort.org/snort-current/snort-%{V_snort}.tar.gz
+Source1: http://www.snort.org/pub-bin/downloads.cgi/Download/vrt_pr/snortrules-pr-%{V_rules}.tar.gz
+Source2: http://switch.dl.sourceforge.net/sourceforge/oinkmaster/oinkmaster-%{V_oinkmaster}.tar.gz
+Source3: snort.conf
+Source4: rc.snort
+Source5: fsl.snort
+Source6: snort-update.sh
+Patch0: snort.patch
+
+# build information
+BuildPreReq: OpenPKG, openpkg >= 20100101, make, gcc
+PreReq: OpenPKG, openpkg >= 20100101, perl, perl-www, perl-sys, perl-comp
+BuildPreReq: libpcap, libnet, pcre
+PreReq: libpcap, libnet, pcre
+%if "%{with_fsl}" == "yes"
+BuildPreReq: fsl
+PreReq: fsl
+%endif
+%if "%{with_mysql}" == "yes"
+BuildPreReq: mysql
+PreReq: mysql
+%endif
+%if "%{with_pgsql}" == "yes"
+BuildPreReq: postgresql
+PreReq: postgresql
+%endif
+
+%description
+ Snort is an open source network intrusion detection system,
+ capable of performing real-time traffic analysis and packet
+ logging on IP networks. It can perform protocol analysis, content
+ searching/matching and can be used to detect a variety of attacks
+ and probes. Snort uses a flexible rules language to describe traffic
+ that it should collect or pass, as well as a detection engine that
+ utilizes a modular plugin architecture. Snort has a real-time
+ alerting capability as well. Snort has three primary uses. It can be
+ used as a straight packet sniffer like tcpdump(1), a packet logger
+ (useful for network traffic debugging, etc), or as a full blown
+ network intrusion detection system.
+
+%track
+ prog snort = {
+ version = %{V_snort}
+ url = http://www.snort.org/downloads
+ regex = snort-(\d+\.\d+\.\d+(\.\d+)*)\.tar\.gz
+ }
+ prog snort:rules = {
+ version = %{V_rules}
+ url = http://www.snort.org/pub-bin/downloads.cgi
+ regex = snortrules-pr-(\d+\.\d+)\.tar\.gz
+ }
+ prog snort:oinkmaster = {
+ version = %{V_oinkmaster}
+ url = http://sourceforge.net/projects/oinkmaster/files/
+ regex = oinkmaster-(__VER__)\.tar\.gz
+ }
+
+%prep
+ %setup -q
+ %setup -q -D -T -a 2
+ %patch -p0
+ %{l_shtool} subst %{l_value -s -a} \
+ src/snort.h
+
+%build
+ # configure program
+ LIBS=""
+%if "%{with_pgsql}" == "yes"
+ LIBS="$LIBS -lpq -lcrypt -lssl -lcrypto"
+%endif
+ case "%{l_platform -t}" in
+ *-sunos* ) LIBS="$LIBS -lresolv" ;;
+ esac
+ CC="%{l_cc}" \
+ CFLAGS="%{l_cflags -O}" \
+ CPPFLAGS="%{l_cppflags}" \
+ LDFLAGS="%{l_ldflags} %{l_fsl_ldflags}" \
+ LIBS="$LIBS %{l_fsl_libs}" \
+ ./configure \
+ --prefix=%{l_prefix} \
+ --sysconfdir=%{l_prefix}/etc/snort \
+%if "%{with_mysql}" == "yes"
+ --with-mysql=%{l_prefix} \
+%else
+ --without-mysql \
+%endif
+%if "%{with_pgsql}" == "yes"
+ --with-postgresql=%{l_prefix} \
+%else
+ --without-postgresql \
+%endif
+ --with-libpcap-includes=%{l_prefix}/include \
+ --with-libpcap-libraries=%{l_prefix}/lib \
+ --with-libnet-includes=%{l_prefix}/include \
+ --with-libnet-libraries=%{l_prefix}/lib \
+ --with-libpcre-includes=%{l_prefix}/include \
+ --with-libpcre-libraries=%{l_prefix}/lib \
+ --enable-perfmonitor
+
+ # build program
+ %{l_make} %{l_mflags}
+
+%install
+ # create installation hierarchy
+ rm -rf $RPM_BUILD_ROOT
+ %{l_shtool} mkdir -f -p -m 755 \
+ $RPM_BUILD_ROOT%{l_prefix}/sbin \
+ $RPM_BUILD_ROOT%{l_prefix}/man/man8 \
+ $RPM_BUILD_ROOT%{l_prefix}/etc/fsl \
+ $RPM_BUILD_ROOT%{l_prefix}/etc/rc.d \
+ $RPM_BUILD_ROOT%{l_prefix}/etc/snort \
+ $RPM_BUILD_ROOT%{l_prefix}/share/snort \
+ $RPM_BUILD_ROOT%{l_prefix}/var/snort/rules \
+ $RPM_BUILD_ROOT%{l_prefix}/var/snort/tmp
+
+ # install program and manual page
+ %{l_shtool} install -c -s -m 755 \
+ src/snort $RPM_BUILD_ROOT%{l_prefix}/sbin/
+ %{l_shtool} install -c -m 644 \
+ snort.8 $RPM_BUILD_ROOT%{l_prefix}/man/man8/
+
+ # install default configuration
+ %{l_shtool} install -c -m 644 %{l_value -s -a} \
+ %{SOURCE snort.conf} $RPM_BUILD_ROOT%{l_prefix}/etc/snort/
+
+ # install default ruleset tarball
+ %{l_shtool} install -c -m 644 \
+ %{SOURCE snortrules-pr-%{V_rules}.tar.gz} \
+ $RPM_BUILD_ROOT%{l_prefix}/share/snort/rules.tar.gz
+
+ # install run-command script
+ %{l_shtool} install -c -m 755 %{l_value -s -a} \
+ %{SOURCE rc.snort} $RPM_BUILD_ROOT%{l_prefix}/etc/rc.d/
+
+ # install OSSP fsl configuration
+ %{l_shtool} install -c -m 644 %{l_value -s -a} \
+ %{SOURCE fsl.snort} $RPM_BUILD_ROOT%{l_prefix}/etc/fsl/
+
+ # install optional/additional files
+%if "%{with_mysql}" == "yes"
+ %{l_shtool} install -c -m 644 \
+ schemas/create_mysql \
+ $RPM_BUILD_ROOT%{l_prefix}/share/snort/
+%endif
+%if "%{with_pgsql}" == "yes"
+ %{l_shtool} install -c -m 644 \
+ schemas/create_postgresql \
+ $RPM_BUILD_ROOT%{l_prefix}/share/snort/
+%endif
+
+ # install oinkmaster utility
+ ( cd oinkmaster-%{V_oinkmaster}
+ %{l_shtool} install -c -m 755 \
+ -e 's;#!/usr/bin/perl;#!%{l_prefix}/bin/perl;g' \
+ -e 's;/etc/oinkmaster\.conf;%{l_prefix}/etc/snort/oinkmaster.conf;' \
+ oinkmaster.pl $RPM_BUILD_ROOT%{l_prefix}/sbin/oinkmaster
+ %{l_shtool} install -c -m 644 \
+ oinkmaster.1 $RPM_BUILD_ROOT%{l_prefix}/man/man8/oinkmaster.8
+ %{l_shtool} install -c -m 644 \
+ -e 's;^\(path = \);\1%{l_prefix}/bin:;' \
+ -e 's;^# tmpdir = /home/oinkmaster/tmp/;tmpdir = %{l_prefix}/var/snort/tmp;' \
+ -e 's;^\(use_external_bins = 0\);\1;' \
+ -e 's;^\(skipfile snort\.conf\);# \1;' \
+ oinkmaster.conf $RPM_BUILD_ROOT%{l_prefix}/etc/snort/
+ ) || exit $?
+
+ # install rule update utility
+ %{l_shtool} install -c -m 755 %{l_value -s -a} \
+ -e 's;@V_rules@;%{V_rules};g' \
+ %{SOURCE snort-update.sh} \
+ $RPM_BUILD_ROOT%{l_prefix}/sbin/snort-update
+
+ # determine installation files
+ %{l_rpmtool} files -v -ofiles -r$RPM_BUILD_ROOT \
+ %{l_files_std} \
+ '%config %{l_prefix}/etc/fsl/*' \
+ '%config %{l_prefix}/etc/snort/*' \
+ '%attr(-,%{l_rusr},%{l_rgrp}) %{l_prefix}/var/snort' \
+ '%attr(-,%{l_rusr},%{l_rgrp}) %{l_prefix}/var/snort/rules' \
+ '%attr(-,%{l_rusr},%{l_rgrp}) %{l_prefix}/var/snort/tmp'
+
+%files -f files
+
+%clean
+
+%post
+ if [ $1 -eq 1 ]; then
+ # display final hints on initial installation
+ ( echo "Before starting Snort IDS, please set the configuration variable"
+ echo "\"snort_if\" in $RPM_INSTALL_PREFIX/etc/rc.conf to the name of the"
+ echo "used network interface."
+ ) | %{l_rpmtool} msg -b -t notice
+ ( echo "To use Snort as an IDS, its rules HAVE to be ALWAYS up to date."
+ echo "But this package just ships with the latest PUBLIC version of the"
+ echo "\"Sourcefire VRT Certified Rules\" for UNREGISTERED Snort users."
+ echo "This means your rules are NOT covering the latest known attacks."
+ echo ""
+ echo "Hence, we strongly recommend to become at least a REGISTERED Snort"
+ echo "user (see http://www.snort.org/ for details). This way you receive"
+ echo "a so-called \"oinkcode\" (a sequence of 40 hexadecimal numbers)"
+ echo "which you can configure in the file"
+ echo " $RPM_INSTALL_PREFIX/etc/rc.conf"
+ echo "via the directives"
+ echo " snort_update_time=\"daily\""
+ echo " snort_update_source=\"oinkcode:XXXX...\""
+ echo "to update your Snort rules in"
+ echo " $RPM_INSTALL_PREFIX/var/snort/rules/"
+ echo "automatically once per day with the latest version of the"
+ echo "\"Sourcefire VRT Certified Rules\" for REGISTERED Snort users."
+ ) | %{l_rpmtool} msg -b -t notice
+ fi
+
+ # trigger a ruleset update
+ snort_update_source=`%{l_rc} -q snort_update_source`
+ if [ ".$snort_update_source" != . ]; then
+ su - %{l_rusr} -c "$RPM_INSTALL_PREFIX/sbin/snort-update \"$snort_update_source\""
+ fi
+
+ # after upgrade, restart service
+ [ $1 -eq 2 ] || exit 0
+ eval `%{l_rc} snort status 2>/dev/null`
+ [ ".$snort_active" = .yes ] && %{l_rc} snort restart
+ exit 0
+
+%preun
+ # before erase, stop service and remove log files
+ [ $1 -eq 0 ] || exit 0
+ %{l_rc} snort stop 2>/dev/null
+ rm -f $RPM_INSTALL_PREFIX/var/snort/*.pid >/dev/null 2>&1 || true
+ rm -f $RPM_INSTALL_PREFIX/var/snort/*.log >/dev/null 2>&1 || true
+ rm -f $RPM_INSTALL_PREFIX/var/snort/*.cap >/dev/null 2>&1 || true
+ rm -f $RPM_INSTALL_PREFIX/var/snort/rules/* >/dev/null 2>&1 || true
+ rm -f $RPM_INSTALL_PREFIX/var/snort/tmp/* >/dev/null 2>&1 || true
+ exit 0
+
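Review bot: In `%post`, `su - %{l_rusr} -c "$RPM_INSTALL_PREFIX/sbin/snort-update \"$snort_update_source\""` splices a configuration value into a command string that the login shell under `su` parses again, so a value containing a double quote, backquote or `$(` would be interpreted rather than passed through; the value comes from the root-owned rc.conf, which limits the exposure, but the construct is still fragile. Since `su -c` only accepts a single string, the cheapest guard is an allowlist check before the call, `case "$snort_update_source" in *[!A-Za-z0-9_:./@%=-]*) echo "snort: invalid snort_update_source" 1>&2; exit 1 ;; esac`. In `%preun`, `rm -f $RPM_INSTALL_PREFIX/var/snort/rules/*` also deletes `local.rules`, the file snort-update.sh creates for the administrator's own rules, with no backup; either leave that file in place or say in the comment that erasing the package discards locally written rules. The `%attr(-,%{l_rusr},%{l_rgrp}) %{l_prefix}/var/snort` entry is what lets the run user write the pid file that rc.snort's superuser-run `snort_signal` trusts, so a tighter ownership split for the pid directory would be worth considering alongside the rc.snort fix.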