author | Roman I Khimov <khimov@altell.ru> | 2010-07-30 12:53:41 +0400 |
committer | Roman I Khimov <khimov@altell.ru> | 2010-08-05 08:30:46 +0400 |
commit | 2f17293d311dfa426a514bd8178401020f34ec88 (patch) | |
tree | 9d45f43069b3c386d8da9d30267b76bdfe15818c /recipes | |
parent | 57788916d7a3675260267ac1e043efd367806253 (diff) |
snort: merge Altell packaging fixes
Snort was independently packaged by Altell some time ago, so merge things
we've done into OE.dev:
* fix packaging of snort dynamic libs
* fix DEPENDS, libnet is not needed as it is not specifically used
* fix RDEPENDS, no need to specify libs explicitly, barnyard is rather a
RRECOMMENDS than RDEPENDS since snort lives just fine without it
* add libprelude support and configure accordingly
* add some useful configure options
* add init/volatile/default setup which is necessary for the package
* add postinst creating snort/snort user/group
* add logrotate script
Signed-off-by: Roman I Khimov <khimov@altell.ru>
Diffstat (limited to 'recipes')
-rw-r--r-- | recipes/snort/files/default | 42 | ||||
-rw-r--r-- | recipes/snort/files/logrotate | 12 | ||||
-rwxr-xr-x | recipes/snort/files/snort.init | 425 | ||||
-rw-r--r-- | recipes/snort/files/volatiles | 2 | ||||
-rw-r--r-- | recipes/snort/snort_2.8.5.3.bb | 73 |
5 files changed, 551 insertions, 3 deletions
diff --git a/recipes/snort/files/default b/recipes/snort/files/default
new file mode 100644
index 0000000000..afd3840d36
--- /dev/null
+++ b/recipes/snort/files/default
@@ -0,0 +1,42 @@
+# Parameters for the daemon
+# Add any additional parameteres here.
+PARAMS="-m 027 -D -d "
+#
+# Snort user
+# This user will be used to launch snort. Notice that the
+# preinst script of the package might do changes to the user
+# (home directory, User Name) when the package is upgraded or
+# reinstalled. So, do *not* change this to 'root' or to any other user
+# unless you are sure there is no problem with those changes being introduced.
+#
+SNORTUSER="snort"
+#
+# Logging directory
+# Snort logs will be dropped here and this will be the home
+# directory for the SNORTUSER. If you change this value you should
+# change the /etc/logrotate.d/snort definition too, otherwise logs
+# will not be rotated properly.
+#
+LOGDIR="/var/log/snort"
+#
+# Snort group
+# This is the group that the snort user will be added to.
+#
+SNORTGROUP="snort"
+#
+# Allow Snort's init.d script to work if the configured interfaces
+# are not available. Set this to yes if you configure Snort with
+# multiple interfaces but some might not be available on boot
+# (e.g. wireless interfaces)
+#
+# Note: In order for this to work the 'iproute' package needs to
+# be installed.
+ALLOW_UNAVAILABLE="no"
+
+# Local configs
+#
+LOCAL_SNORT_STARTUP=boot
+LOCAL_SNORT_HOME_NET="192.168.0.0/16"
+LOCAL_SNORT_INTERFACE=""
+LOCAL_SNORT_STATS_RCPT="root"
+LOCAL_SNORT_STATS_THRESHOLD="1"
diff --git a/recipes/snort/files/logrotate b/recipes/snort/files/logrotate
new file mode 100644
index 0000000000..ef3e4afac8
--- /dev/null
+++ b/recipes/snort/files/logrotate
@@ -0,0 +1,12 @@
+/var/log/snort/*.log /var/log/snort/alert {
+ size 1M
+ missingok
+ compress
+ delaycompress
+ rotate 10
+ sharedscripts
+ postrotate
+ /etc/init.d/snort restart
+ endscript
+}
+
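Review bot: `LOCAL_SNORT_INTERFACE=""` ships empty, and the init script's start path treats an empty interface list as success (it prints "no interfaces configured, will not start" and exits 0), so a freshly installed sensor reports a clean start while capturing nothing; say so next to the setting, e.g. `# REQUIRED: with no interface listed the init script exits 0 without starting any sensor instance`. The comment above SNORTUSER describes a preinst script adjusting the user, but in this commit the user and group are created by the recipe's pkg_postinst, so that paragraph should read `# the package's postinst creates this user/group if they are missing`. LOCAL_SNORT_STATS_RCPT and LOCAL_SNORT_STATS_THRESHOLD are not referenced anywhere in the init script added here, so either drop them or mark them `# reserved, not used by /etc/init.d/snort`.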
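Review bot: The postrotate action is a full `/etc/init.d/snort restart`, which in the init script's restart branch stops and then starts every instance, so each rotation opens a window in which nothing is captured; with `size 1M` and `rotate 10` the retained history per file is also only about 10 MB, and because PARAMS runs snort with `-d` (application-layer data is written to the logs) a host that can trigger alerts at will can churn that volume quickly and age out earlier evidence. I would raise `rotate` substantially, add `dateext` so rotated files keep stable names, and note the blind window in a comment above postrotate. There is no `create` or `su` directive either, so ownership of the new log files relies entirely on snort re-creating them as the snort user after the restart — worth a one-line comment stating that assumption.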
diff --git a/recipes/snort/files/snort.init b/recipes/snort/files/snort.init
new file mode 100755
index 0000000000..af6661933a
--- /dev/null
+++ b/recipes/snort/files/snort.init
@@ -0,0 +1,425 @@
+#!/bin/sh -e
+#
+# Init.d script for Snort in OpenEmbedded, based on Debian's script
+#
+# Copyright (c) 2009 Roman I Khimov <khimov@altell.ru>
+#
+# Copyright (c) 2001 Christian Hammers
+# Copyright (c) 2001-2002 Robert van der Meulen
+# Copyright (c) 2002-2004 Sander Smeenk <ssmeenk@debian.org>
+# Copyright (c) 2004-2007 Javier Fernandez-Sanguino <jfs@debian.org>
+#
+# This is free software; you may redistribute it and/or modify
+# it under the terms of the GNU General Public License as
+# published by the Free Software Foundation; either version 2,
+# or (at your option) any later version.
+#
+# This is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License with
+# the Debian operating system, in /usr/share/common-licenses/GPL; if
+# not, write to the Free Software Foundation, Inc., 59 Temple Place,
+# Suite 330, Boston, MA 02111-1307 USA
+#
+### BEGIN INIT INFO
+# Provides: snort
+# Required-Start: $time $network $local_fs
+# Required-Stop:
+# Should-Start: $syslog
+# Should-Stop:
+# Default-Start: 2 3 4 5
+# Default-Stop: 0 1 6
+# Short-Description: Lightweight network intrusion detection system
+# Description: Intrusion detection system that will
+# capture traffic from the network cards and will
+# match against a set of known attacks.
+### END INIT INFO
+
+PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
+
+test $DEBIAN_SCRIPT_DEBUG && set -v -x
+
+DAEMON=/usr/bin/snort
+NAME=snort
+DESC="Network Intrusion Detection System"
+
+. /etc/default/snort
+COMMON="$PARAMS -l $LOGDIR -u $SNORTUSER -g $SNORTGROUP"
+
+test -x $DAEMON || exit 0
+test -z "$LOCAL_SNORT_HOME_NET" && LOCAL_SNORT_HOME_NET="192.168.0.0/16"
+
+# to find the lib files
+cd /etc/snort
+
+running()
+{
+ PIDFILE=$1
+# No pidfile, probably no daemon present
+ [ ! -f "$PIDFILE" ] && return 1
+ pid=`cat $PIDFILE`
+# No pid, probably no daemon present
+ [ -z "$pid" ] && return 1
+ [ ! -d /proc/$pid ] && return 1
+ cmd=`cat /proc/$pid/cmdline | tr "\000" "\n"|head -n 1 |cut -d : -f 1`
+# No daemon
+ [ "$cmd" != "$DAEMON" ] && return 1
+ return 0
+}
+
+
+check_log_dir() {
+# Does the logging directory belong to Snort?
+ # If we cannot determine the logdir return without error
+ # (we will not check it)
+ # This will only be used by people using /etc/default/snort
+ [ -n "$LOGDIR" ] || return 0
+ [ -n "$SNORTUSER" ] || return 0
+ if [ ! -e "$LOGDIR" ] ; then
+ echo "ERR: logging directory $LOGDIR does not exist"
+ return 1
+ elif [ ! -d "$LOGDIR" ] ; then
+ echo "ERR: logging directory $LOGDIR does not exist"
+ return 1
+ else
+ # Don't worry, be happy
+ true
+ fi
+ return 0
+}
+
+check_root() {
+ if [ "$(id -u)" != "0" ]; then
+ echo "You must be root to start, stop or restart $NAME."
+ exit 4
+ fi
+}
+
+case "$1" in
+ start)
+ check_root
+ echo "Starting $DESC " "$NAME"
+
+ if [ -e /etc/snort/db-pending-config ] ; then
+ echo "/etc/snort/db-pending-config file found"
+ echo "Snort will not start as its database is not yet configured."
+ echo "Please configure the database as described in"
+ echo "/usr/share/doc/snort-{pgsql,mysql}/README-database.Debian"
+ echo "and remove /etc/snort/db-pending-config"
+ exit 6
+ fi
+
+ if ! check_log_dir; then
+ echo " will not start $DESC!"
+ exit 5
+ fi
+ if [ "$LOCAL_SNORT_STARTUP" = "dialup" ]; then
+ shift
+ set +e
+ /etc/ppp/ip-up.d/snort "$@"
+ ret=$?
+ if [ $ret -eq 0 ] ; then
+ echo 0
+ else
+ echo 1
+ fi
+ exit $ret
+ fi
+
+ # Usually, we start all interfaces
+ interfaces="$LOCAL_SNORT_INTERFACE"
+
+ # If we are requested to start a specific interface...
+ test "$2" && interfaces="$2"
+
+ # If the interfaces list is empty stop (no error)
+ if [ -z "$interfaces" ] ; then
+ echo "no interfaces configured, will not start"
+ echo 0
+ exit 0
+ fi
+
+ myret=0
+ got_instance=0
+ for interface in $interfaces; do
+ got_instance=1
+ echo "($interface"
+
+ # Check if the interface is available:
+ # - only if iproute is available
+ # - the interface exists
+ # - the interface is up
+ if ! [ -x /sbin/ip ] || ( ip link show dev "$interface" >/dev/null 2>&1 && [ -n "`ip link show up "$interface" 2>/dev/null`" ] ) ; then
+
+ PIDFILE=/var/run/snort_$interface.pid
+ CONFIGFILE=/etc/snort/snort.$interface.conf
+
+ # Defaults:
+ fail="failed (check /var/log/syslog and /var/log/snort)"
+ run="yes"
+
+ if [ -e "$PIDFILE" ] && running $PIDFILE; then
+ run="no"
+ # Do not start this instance, it is already runing
+ fi
+
+ if [ "$run" = "yes" ] ; then
+ if [ ! -e "$CONFIGFILE" ]; then
+ echo "no /etc/snort/snort.$interface.conf found, defaulting to snort.conf"
+ CONFIGFILE=/etc/snort/snort.conf
+ fi
+
+ set +e
+ /sbin/start-stop-daemon --start --quiet \
+ --pidfile "$PIDFILE" \
+ --exec $DAEMON -- $COMMON $LOCAL_SNORT_OPTIONS \
+ -c $CONFIGFILE \
+ -S "HOME_NET=[$LOCAL_SNORT_HOME_NET]" \
+ -i $interface >/dev/null
+ ret=$?
+ case "$ret" in
+ 0)
+ echo "...done)"
+ ;;
+ *)
+ echo "...ERROR: $fail)"
+ myret=$(expr "$myret" + 1)
+ ;;
+ esac
+ set -e
+ else
+ echo "...already running)"
+ fi
+
+ else
+ # What to do if the interface is not available
+ # or is not up
+ if [ "$ALLOW_UNAVAILABLE" != "no" ] ; then
+ echo "...interface not available)"
+ else
+ echo "...ERROR: interface not available)"
+ myret=$(expr "$myret" + 1)
+ fi
+ fi
+ done
+
+ if [ "$got_instance" = 0 ] && [ "$ALLOW_UNAVAILABLE" = "no" ]; then
+ echo "No snort instance found to be started!" >&2
+ exit 6
+ fi
+
+ if [ $myret -eq 0 ] ; then
+ echo 0
+ else
+ echo 1
+ fi
+ exit $myret
+ ;;
+ stop)
+ check_root
+ echo "Stopping $DESC " "$NAME"
+
+ if [ "$LOCAL_SNORT_STARTUP" = "dialup" ]; then
+ shift
+ set +e
+ /etc/ppp/ip-down.d/snort "$@"
+ ret=$?
+ if [ $ret -eq 0 ] ; then
+ echo 0
+ else
+ echo 1
+ fi
+ exit $ret
+ fi
+
+ # Usually, we stop all current running interfaces
+ pidpattern=/var/run/snort_*.pid
+
+ # If we are requested to stop a specific interface...
+ test "$2" && pidpattern=/var/run/snort_"$2".pid
+
+ got_instance=0
+ myret=0
+ for PIDFILE in $pidpattern; do
+ # This check is also needed, if the above pattern doesn't match
+ test -f "$PIDFILE" || continue
+
+ got_instance=1
+ interface=$(basename "$PIDFILE" .pid | sed -e 's/^snort_//')
+
+ echo "($interface"
+
+ set +e
+ if [ ! -e "$PIDFILE" -o -r "$PIDFILE" ] ; then
+# Change ownership of the pidfile
+ /sbin/start-stop-daemon --stop --retry 5 --quiet --oknodo \
+ --pidfile "$PIDFILE" --exec $DAEMON >/dev/null
+ ret=$?
+ rm -f "$PIDFILE"
+ rm -f "$PIDFILE.lck"
+ else
+ echo "cannot read $PIDFILE"
+ ret=4
+ fi
+ case "$ret" in
+ 0)
+ echo "...done)"
+ ;;
+ *)
+ echo "...ERROR)"
+ myret=$(expr "$myret" + 1)
+ ;;
+ esac
+ set -e
+
+ done
+
+ if [ "$got_instance" = 0 ]; then
+ log_warning_msg "No running snort instance found"
+ exit 0 # LSB demands we don't exit with error here
+ fi
+ if [ $myret -eq 0 ] ; then
+ echo 0
+ else
+ echo 1
+ fi
+ exit $myret
+ ;;
+ restart|force-restart|reload|force-reload)
+ check_root
+ # Usually, we restart all current running interfaces
+ pidpattern=/var/run/snort_*.pid
+
+ # If we are requested to restart a specific interface...
+ test "$2" && pidpattern=/var/run/snort_"$2".pid
+
+ got_instance=0
+ for PIDFILE in $pidpattern; do
+ # This check is also needed, if the above pattern doesn't match
+ test -f "$PIDFILE" || continue
+
+ got_instance=1
+ interface=$(basename "$PIDFILE" .pid | sed -e 's/^snort_//')
+ $0 stop $interface || true
+ $0 start $interface || true
+ done
+
+ if [ "$got_instance" = 0 ]; then
+ echo "No snort instance found to be stopped!" >&2
+ exit 6
+ fi
+ ;;
+ status)
+# Non-root users can use this (if allowed to)
+ echo "Status of snort daemon(s)"
+ interfaces="$LOCAL_SNORT_INTERFACE"
+ # If we are requested to check for a specific interface...
+ test "$2" && interfaces="$2"
+ err=0
+ pid=0
+ for interface in $interfaces; do
+ echo " $interface "
+ pidfile=/var/run/snort_$interface.pid
+ if [ -f "$pidfile" ] ; then
+ if [ -r "$pidfile" ] ; then
+ pidval=`cat $pidfile`
+ pid=$(expr "$pid" + 1)
+ if ps -p $pidval | grep -q snort; then
+ echo "OK"
+ else
+ echo "ERROR"
+ err=$(expr "$err" + 1)
+ fi
+ else
+ echo "ERROR: cannot read status file"
+ err=$(expr "$err" + 1)
+ fi
+ else
+ echo "ERROR"
+ err=$(expr "$err" + 1)
+ fi
+ done
+ if [ $err -ne 0 ] ; then
+ if [ $pid -ne 0 ] ; then
+# More than one case where pidfile exists but no snort daemon
+# LSB demands a '1' exit value here
+ echo 1
+ exit 1
+ else
+# No pidfiles at all
+# LSB demands a '3' exit value here
+ echo 3
+ exit 3
+ fi
+ fi
+ echo 0
+ ;;
+ config-check)
+ echo "Checking $DESC configuration"
+ if [ "$LOCAL_SNORT_STARTUP" = "dialup" ]; then
+ echo "Config-check is currently not supported for snort in Dialup configuration"
+ echo 3
+ exit 3
+ fi
+
+ # usually, we test all interfaces
+ interfaces="$LOCAL_SNORT_INTERFACE"
+ # if we are requested to test a specific interface...
+ test "$2" && interfaces="$2"
+
+ myret=0
+ got_instance=0
+ for interface in $interfaces; do
+ got_instance=1
+ echo "interface $interface"
+
+ CONFIGFILE=/etc/snort/snort.$interface.conf
+ if [ ! -e "$CONFIGFILE" ]; then
+ CONFIGFILE=/etc/snort/snort.conf
+ fi
+ COMMON=`echo $COMMON | sed -e 's/-D//'`
+ set +e
+ fail="INVALID"
+ if [ -r "$CONFIGFILE" ]; then
+ $DAEMON -T $COMMON $LOCAL_SNORT_OPTIONS \
+ -c $CONFIGFILE \
+ -S "HOME_NET=[$LOCAL_SNORT_HOME_NET]" \
+ -i $interface >/dev/null 2>&1
+ ret=$?
+ else
+ fail="cannot read $CONFIGFILE"
+ ret=4
+ fi
+ set -e
+
+ case "$ret" in
+ 0)
+ echo "OK"
+ ;;
+ *)
+ echo "$fail"
+ myret=$(expr "$myret" + 1)
+ ;;
+ esac
+ done
+ if [ "$got_instance" = 0 ]; then
+ echo "no snort instance found to be started!" >&2
+ exit 6
+ fi
+
+ if [ $myret -eq 0 ] ; then
+ echo 0
+ else
+ echo 1
+ fi
+ exit $myret
+ ;;
+ *)
+ echo "Usage: $0 {start|stop|restart|force-restart|reload|force-reload|status|config-check}"
+ exit 1
+ ;;
+esac
+exit 0
diff --git a/recipes/snort/files/volatiles b/recipes/snort/files/volatiles
new file mode 100644
index 0000000000..e3ab51da38
--- /dev/null
+++ b/recipes/snort/files/volatiles
@@ -0,0 +1,2 @@
+# <type> <owner> <group> <mode> <path> <linksource>
+d snort snort 0755 /var/log/snort none
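Review bot: In the stop branch, `log_warning_msg "No running snort instance found"` calls a function this script never defines or sources (every other message uses echo), and because the script runs under `#!/bin/sh -e` and the loop's `set +e` never executes when no pidfile matches, the missing command aborts the script with status 127 instead of the `exit 0` the LSB comment promises — so `snort stop` at shutdown, or when the sensor is already down, reports failure; replace it with `echo "No running snort instance found" >&2`. `check_log_dir` is commented as checking that the log directory belongs to Snort, but it only tests existence and directory-ness (the owner test from the Debian original appears to have been dropped) and its second branch repeats the "does not exist" message; either restore an owner check such as `[ "$(stat -c %U "$LOGDIR")" = "$SNORTUSER" ]` (if the target's stat supports -c) or reword the comment to `# Only checks that LOGDIR exists; ownership is left to populate-volatile.sh` and change the second message to `is not a directory`. In the status branch `pidval`, read straight from the pidfile, is used unquoted in `ps -p $pidval`; write `ps -p "$pidval"` so a malformed pidfile cannot inject extra arguments.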
\ No newline at end of file
diff --git a/recipes/snort/snort_2.8.5.3.bb b/recipes/snort/snort_2.8.5.3.bb
index 5a34ce4470..ac73b70056 100644
--- a/recipes/snort/snort_2.8.5.3.bb
+++ b/recipes/snort/snort_2.8.5.3.bb
@@ -1,13 +1,16 @@
 DESCRIPTION = "snort - a free lightweight network intrusion detection system for UNIX and Windows."
 HOMEPAGE = "http://www.snort.org/"
 LICENSE = "GPL"
-DEPENDS = "libpcap libnet libpcre"
-RDEPENDS_${PN} = "libpcap libnet libpcre barnyard"
+DEPENDS = "libpcap libpcre libprelude"
-PR = "r2"
+PR = "r3"
 SRC_URI = " ${GENTOO_MIRROR}/${P}.tar.gz;name=tarball \
 file://snort.fix.configure.in.HACK;apply=yes \
+ file://snort.init \
+ file://default \
+ file://logrotate \
+ file://volatiles \
 "
 SRC_URI[tarball.md5sum] = "ef02aaad54746603f2cb3236fe962128"
 SRC_URI[tarball.sha256sum] = "a7d9eb16427514d00926e9892c4a92b6ff1fd0f79555d8f8dce91dfa14112e6a"
@@ -16,6 +19,15 @@ S = "${WORKDIR}/${P}"
 #snort does not like parallel make!
 PARALLEL_MAKE = ""
+EXTRA_OECONF = " \
+ --enable-decoder-preprocessor-rules \
+ --enable-gre \
+ --enable-linux-smp-stats \
+ --enable-prelude \
+ --enable-reload \
+ --enable-reload-error-restart \
+ --enable-targetbased \
+ "
 inherit autotools pkgconfig
@@ -24,3 +36,58 @@ do_install_prepend() {
 sed -i -e 's:-Wl,-rpath-link,${STAGING_LIBDIR}::g' -e 's:-isystem${STAGING_INCDIR}::g' snort.pc
 }
+do_install_append() {
+ install -d ${D}/${sysconfdir}/snort/rules
+ install -d ${D}/${sysconfdir}/snort/preproc_rules
+ install -d ${D}/${sysconfdir}/default/volatiles
+ mkdir -p ${D}/${sysconfdir}/init.d
+ for i in map config conf dtd; do
+ cp ${S}/etc/*.$i ${D}/${sysconfdir}/snort/
+ done
+ cp ${S}/preproc_rules/*.rules ${D}/${sysconfdir}/snort/preproc_rules/
+ install -m 0644 ${WORKDIR}/default ${D}/${sysconfdir}/default/snort
+ install -m 0644 ${WORKDIR}/volatiles ${D}/${sysconfdir}/default/volatiles/snort
+ install -m 0755 ${WORKDIR}/snort.init ${D}/${sysconfdir}/init.d/snort
+ mkdir -p ${D}/${localstatedir}/log/snort
+ install -d ${D}${sysconfdir}/logrotate.d
+ install -m 0644 ${WORKDIR}/logrotate ${D}${sysconfdir}/logrotate.d/snort
+}
+
+pkg_postinst_${PN}() {
+ grep -q ^snort: /etc/group || addgroup snort
+ grep -q ^snort: /etc/passwd || \
+ adduser --disabled-password --home=/var/log/snort/ --system \
+ --ingroup snort --no-create-home -g "snort" snort
+ ${sysconfdir}/init.d/populate-volatile.sh update
+}
+
+PACKAGES =+ "${PN}-logrotate"
+FILES_${PN}-logrotate = "${sysconfdir}/logrotate.d/snort"
+FILES_${PN} += " \
+ ${libdir}/snort_dynamicengine/*.so.* \
+ ${libdir}/snort_dynamicpreprocessor/*.so.* \
+ ${libdir}/snort_dynamicrules/*.so.* \
+ "
+FILES_${PN}-dbg += " \
+ ${libdir}/snort_dynamicengine/.debug \
+ ${libdir}/snort_dynamicpreprocessor/.debug \
+ ${libdir}/snort_dynamicrules/.debug \
+ "
+FILES_${PN}-static += " \
+ ${libdir}/snort_dynamicengine/*.a \
+ ${libdir}/snort_dynamicpreprocessor/*.a \
+ ${libdir}/snort_dynamicrules/*.a \
+ "
+FILES_${PN}-dev += " \
+ ${libdir}/snort_dynamicengine/*.la \
+ ${libdir}/snort_dynamicpreprocessor/*.la \
+ ${libdir}/snort_dynamicrules/*.la \
+ ${libdir}/snort_dynamicengine/*.so \
+ ${libdir}/snort_dynamicpreprocessor/*.so \
+ ${libdir}/snort_dynamicrules/*.so \
+ ${prefix}/src/snort_dynamicsrc \
+ "
+
+RRECOMMENDS_${PN} += "${PN}-logrotate"
+RRECOMMENDS_${PN} += "barnyard"
+RSUGGESTS_${PN}-logrotate += "logrotate"
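Review bot: `/var/log/snort` is created mode 0755, so every local account can list and read the alert and packet logs, and since the shipped PARAMS run snort with `-d` (application-layer data is dumped into the logs) those files carry payload from the monitored traffic; the `-m 027` umask only protects files snort creates, never the directory itself. Change the entry to `d snort snort 0750 /var/log/snort none`. The recipe also `mkdir -p`s the same directory into the package as root-owned 0755, and whether populate-volatile.sh re-owns an already-existing directory at first boot is not visible from this commit — worth confirming so the two declarations do not fight.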
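Review bot: `pkg_postinst_${PN}` has no `$D` guard, so when the package manager runs it during rootfs assembly the `grep`/`adduser` calls inspect the build host's /etc/passwd and /etc/group and `populate-volatile.sh update` runs outside the target, which likely leaves the image without a snort user while the init script starts the daemon with `-u snort -g snort` and the privilege drop then fails on first boot; begin the function with `if [ "x$D" != "x" ]; then exit 1; fi` so the postinst is deferred to first boot, the usual OE idiom. The adduser invocation mixes Debian-style long options (`--disabled-password`, `--ingroup`, `--no-create-home`) with a bare `-g`, so confirm the target's adduser (busybox or shadow) accepts that combination, and give the account an explicit no-login shell (`--shell /bin/false`, or `-s` for busybox) since nothing here guarantees one. `mkdir -p ${D}/${localstatedir}/log/snort` duplicates the volatiles entry and ships the log directory root-owned; drop it and let populate-volatile.sh create it with the intended owner and mode. `do_install_prepend` starts outside this hunk.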