port snort to -ng
authorNicolas Thill <nico@openwrt.org>
Mon, 13 Nov 2006 08:15:26 +0000 (08:15 +0000)
committerNicolas Thill <nico@openwrt.org>
Mon, 13 Nov 2006 08:15:26 +0000 (08:15 +0000)
SVN-Revision: 5519

net/snort/Makefile [new file with mode: 0644]
net/snort/files/snort.default [new file with mode: 0644]
net/snort/files/snort.init [new file with mode: 0644]
net/snort/patches/500-no-config-search.patch [new file with mode: 0644]
net/snort/patches/750-lightweight-config.patch [new file with mode: 0644]

diff --git a/net/snort/Makefile b/net/snort/Makefile
new file mode 100644 (file)
index 0000000..f482485
--- /dev/null
@@ -0,0 +1,146 @@
+# 
+# Copyright (C) 2006 OpenWrt.org
+#
+# This is free software, licensed under the GNU General Public License v2.
+# See /LICENSE for more information.
+#
+# $Id$
+
+include $(TOPDIR)/rules.mk
+
+PKG_NAME:=snort
+PKG_VERSION:=2.4.4
+PKG_RELEASE:=1
+
+PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
+PKG_SOURCE_URL:=http://www.snort.org/dl/current/
+PKG_MD5SUM:=9dc9060d1f2e248663eceffadfc45e7e
+PKG_CAT:=zcat
+
+PKG_BUILD_DIR:=$(BUILD_DIR)/$(PKG_NAME)-$(PKG_VERSION)
+PKG_INSTALL_DIR:=$(PKG_BUILD_DIR)/ipkg-install
+
+include $(INCLUDE_DIR)/package.mk
+
+define Package/snort/Default
+  SUBMENU:=snort (Ligthweight Network Intrusion Detection System)
+  SECTION:=net
+  CATEGORY:=Network
+  DEPENDS:=+libnet0 +libpcap +libpcre
+  TITLE:=Ligthweight Network Intrusion Detection System
+  URL:=http://www.snort.org/
+endef
+
+define Package/snort
+  $(call Package/snort/Default)
+endef
+
+define Package/snort-mysql
+  $(call Package/snort/Default)
+  DEPENDS+= +libmysqlclient
+  TITLE+= (MySQL)
+endef
+
+define Package/snort-pgsql
+  $(call Package/snort/Default)
+  DEPENDS+= +libpq
+  TITLE+= (PostgreSQL)
+endef
+
+
+ifneq ($(SDK),)
+  CONFIG_PACKAGE_snort:=m
+  CONFIG_PACKAGE_snort-mysql:=m
+  CONFIG_PACKAGE_snort-pgsql:=m
+endif
+
+define Compile/Template
+
+$(PKG_BUILD_DIR)/snort-$(1): $(PKG_BUILD_DIR)/.configured
+       touch -r $(PKG_BUILD_DIR)/Makefile.am $(PKG_BUILD_DIR)/configure.in 
+       touch -r $(PKG_BUILD_DIR)/Makefile.in $(PKG_BUILD_DIR)/configure
+       -$(MAKE) -C $(PKG_BUILD_DIR) distclean
+       $(call Build/Configure/Default, \
+               --enable-flexresp \
+               --with-libnet-includes="$(STAGING_DIR)/usr/lib/libnet-1.0.x/include" \
+               --with-libnet-libraries="$(STAGING_DIR)/usr/lib/libnet-1.0.x/lib" \
+               --with-libpcap-includes="$(STAGING_DIR)/usr/include" \
+               --with-libpcap-libraries="$(STAGING_DIR)/usr/lib" \
+               --with-libpcre-includes="$(STAGING_DIR)/usr/include" \
+               --with-libpcre-libraries="$(STAGING_DIR)/usr/lib" \
+               $(2) \
+               , \
+               CPPFLAGS="$$$$CPPFLAGS -I$(STAGING_DIR)/usr/include/mysql" \
+               LDFLAGS="$$$$LDFLAGS -L$(STAGING_DIR)/usr/lib/mysql" \
+               PATH="$(STAGING_DIR)/usr/lib/libnet-1.0.x/bin:$$$$PATH" \
+               $(3) \
+       );
+       $(MAKE) -C $(PKG_BUILD_DIR) \
+               extra_incl="" \
+               all
+       mv $(PKG_BUILD_DIR)/src/snort $(PKG_BUILD_DIR)/snort-$(1)
+
+$(PKG_BUILD_DIR)/.built: $(PKG_BUILD_DIR)/snort-$(1)
+
+endef
+
+
+define Install/Template
+
+define Package/$(1)/conffiles
+/etc/default/snort
+/etc/snort/snort.conf
+/etc/snort/threshold.conf
+endef
+
+define Package/$(1)/install
+       install -d -m0755 $$(1)/usr/sbin
+       install -m0755 $(PKG_BUILD_DIR)/snort-$(2) $$(1)/usr/sbin/snort
+       install -d -m0755 $$(1)/etc/snort
+       install -m0644 $(PKG_BUILD_DIR)/etc/snort.conf $$(1)/etc/snort/
+       install -m0644 $(PKG_BUILD_DIR)/etc/classification.config $$(1)/etc/snort/
+       install -m0644 $(PKG_BUILD_DIR)/etc/gen-msg.map $$(1)/etc/snort/
+       install -m0644 $(PKG_BUILD_DIR)/etc/reference.config $$(1)/etc/snort/
+       install -m0644 $(PKG_BUILD_DIR)/etc/sid-msg.map $$(1)/etc/snort/
+       install -m0644 $(PKG_BUILD_DIR)/etc/threshold.conf $$(1)/etc/snort/
+       install -m0644 $(PKG_BUILD_DIR)/etc/unicode.map $$(1)/etc/snort/
+       install -d -m0755 $$(1)/etc/default
+       install -m0644 ./files/snort.default $$(1)/etc/default/snort
+       install -d -m0755 $$(1)/etc/init.d
+       install -m0755 ./files/snort.init $$(1)/etc/init.d/snort
+endef
+
+endef
+
+
+ifneq ($(CONFIG_PACKAGE_snort),)
+  $(eval $(call Compile/Template,basic, \
+               --without-mysql \
+               --without-postgresql \
+  ))
+  $(eval $(call Install/Template,snort,basic))
+endif
+ifneq ($(CONFIG_PACKAGE_snort-mysql),)
+  $(eval $(call Compile/Template,mysql, \
+               --with-mysql="$(STAGING_DIR)/usr" \
+               --without-postgresql \
+  ))
+  $(eval $(call Install/Template,snort-mysql,mysql))
+endif
+ifneq ($(CONFIG_PACKAGE_snort-pgsql),)
+  $(eval $(call Compile/Template,pgsql, \
+               --without-mysql \
+               --with-postgresql="$(STAGING_DIR)/usr" \
+  ))
+  $(eval $(call Install/Template,snort-pgsql,pgsql))
+endif
+
+define Build/Configure
+endef
+
+define Build/Compile
+endef
+
+$(eval $(call BuildPackage,snort))
+$(eval $(call BuildPackage,snort-mysql))
+$(eval $(call BuildPackage,snort-pgsql))
diff --git a/net/snort/files/snort.default b/net/snort/files/snort.default
new file mode 100644 (file)
index 0000000..796a893
--- /dev/null
@@ -0,0 +1,2 @@
+INTERFACE="vlan1" # WAN
+OPTIONS="-i $INTERFACE -c /etc/snort/snort.conf -D -N -q -s"
diff --git a/net/snort/files/snort.init b/net/snort/files/snort.init
new file mode 100644 (file)
index 0000000..8c019c4
--- /dev/null
@@ -0,0 +1,23 @@
+#!/bin/sh
+
+DEFAULT=/etc/default/snort
+LOG_D=/var/log/snort
+RUN_D=/var/run
+[ -f $DEFAULT ] && . $DEFAULT
+PID_F=$RUN_D/snort_$INTERFACE.pid
+
+case $1 in
+ start)
+  [ -d $LOG_D ] || mkdir -p $LOG_D
+  [ -d $RUN_D ] || mkdir -p $RUN_D
+  snort $OPTIONS
+  ;;
+ stop)
+  [ -f $PID_F ] && kill $(cat $PID_F)
+  ;;
+ *)
+  echo "usage: $0 (start|stop)"
+  exit 1
+esac
+
+exit $?
diff --git a/net/snort/patches/500-no-config-search.patch b/net/snort/patches/500-no-config-search.patch
new file mode 100644 (file)
index 0000000..d674ba6
--- /dev/null
@@ -0,0 +1,35 @@
+--- snort-2.3.2-orig/src/snort.c       2005-01-13 21:36:20.000000000 +0100
++++ snort-2.3.2-1/src/snort.c  2005-04-04 20:03:34.000000000 +0200
+@@ -1949,7 +1949,7 @@
+ {
+     struct stat st;
+     int i;
+-    char *conf_files[]={"/etc/snort.conf", "./snort.conf", NULL};
++    char *conf_files[]={"/etc/snort/snort.conf", NULL};
+     char *fname = NULL;
+     char *home_dir = NULL;
+     char *rval = NULL;
+@@ -1970,23 +1970,6 @@
+         i++;
+     }
+-    /* search for .snortrc in the HOMEDIR */
+-    if(!rval)
+-    {
+-        if((home_dir = getenv("HOME")))
+-        {
+-            /* create the full path */
+-            fname = (char *)malloc(strlen(home_dir) + strlen("/.snortrc") + 1);
+-            if(!fname)
+-                FatalError("Out of memory searching for config file\n");
+-
+-            if(stat(fname, &st) != -1)
+-                rval = fname;
+-            else
+-                free(fname);
+-        }
+-    }
+-
+     return rval;
+ }
diff --git a/net/snort/patches/750-lightweight-config.patch b/net/snort/patches/750-lightweight-config.patch
new file mode 100644 (file)
index 0000000..c8bde27
--- /dev/null
@@ -0,0 +1,178 @@
+--- snort-2.3.2-orig/etc/snort.conf    2005-03-10 23:04:38.000000000 +0100
++++ snort-2.3.2-1/etc/snort.conf       2005-04-04 20:01:41.000000000 +0200
+@@ -6,6 +6,7 @@
+ #
+ ###################################################
+ # This file contains a sample snort configuration. 
++# Most preprocessors and rules were disabled to save memory.
+ # You can take the following steps to create your own custom configuration:
+ #
+ #  1) Set the network variables for your network
+@@ -41,10 +42,10 @@
+ # or you can specify the variable to be any IP address
+ # like this:
+-var HOME_NET any
++var HOME_NET 192.168.1.0/24
+ # Set up the external network addresses as well.  A good start may be "any"
+-var EXTERNAL_NET any
++var EXTERNAL_NET !$HOME_NET
+ # Configure your server lists.  This allows snort to only look for attacks to
+ # systems that have a service up.  Why look for HTTP attacks if you are not
+@@ -106,7 +107,7 @@
+ # Path to your rules files (this can be a relative path)
+ # Note for Windows users:  You are advised to make this an absolute path,
+ # such as:  c:\snort\rules
+-var RULE_PATH ../rules
++var RULE_PATH /etc/snort/rules
+ # Configure the snort decoder
+ # ============================
+@@ -297,11 +298,11 @@
+ # lots of options available here. See doc/README.http_inspect.
+ # unicode.map should be wherever your snort.conf lives, or given
+ # a full path to where snort can find it.
+-preprocessor http_inspect: global \
+-    iis_unicode_map unicode.map 1252 
++#preprocessor http_inspect: global \
++#    iis_unicode_map unicode.map 1252 
+-preprocessor http_inspect_server: server default \
+-    profile all ports { 80 8080 8180 } oversize_dir_length 500
++#preprocessor http_inspect_server: server default \
++#    profile all ports { 80 8080 8180 } oversize_dir_length 500
+ #
+ #  Example unique server configuration
+@@ -335,7 +336,7 @@
+ # no_alert_incomplete - don't alert when a single segment
+ #                       exceeds the current packet size
+-preprocessor rpc_decode: 111 32771
++#preprocessor rpc_decode: 111 32771
+ # bo: Back Orifice detector
+ # -------------------------
+@@ -347,7 +348,7 @@
+ # -----   -------------------
+ #   1       Back Orifice traffic detected
+-preprocessor bo
++#preprocessor bo
+ # telnet_decode: Telnet negotiation string normalizer
+ # ---------------------------------------------------
+@@ -359,7 +360,7 @@
+ # This preprocessor requires no arguments.
+ # Portscan uses Generator ID 109 and does not generate any SID currently.
+-preprocessor telnet_decode
++#preprocessor telnet_decode
+ # Flow-Portscan: detect a variety of portscans
+ # ---------------------------------------
+@@ -455,9 +456,9 @@
+ #       are still watched as scanner hosts.  The 'ignore_scanned' option is
+ #       used to tune alerts from very active hosts such as syslog servers, etc.
+ #
+-preprocessor sfportscan: proto  { all } \
+-                         memcap { 10000000 } \
+-                         sense_level { low }
++#preprocessor sfportscan: proto  { all } \
++#                         memcap { 10000000 } \
++#                         sense_level { low }
+ # arpspoof
+ #----------------------------------------
+@@ -642,41 +643,41 @@
+ include $RULE_PATH/bad-traffic.rules
+ include $RULE_PATH/exploit.rules
+ include $RULE_PATH/scan.rules
+-include $RULE_PATH/finger.rules
+-include $RULE_PATH/ftp.rules
+-include $RULE_PATH/telnet.rules
+-include $RULE_PATH/rpc.rules
+-include $RULE_PATH/rservices.rules
+-include $RULE_PATH/dos.rules
+-include $RULE_PATH/ddos.rules
+-include $RULE_PATH/dns.rules
+-include $RULE_PATH/tftp.rules
+-
+-include $RULE_PATH/web-cgi.rules
+-include $RULE_PATH/web-coldfusion.rules
+-include $RULE_PATH/web-iis.rules
+-include $RULE_PATH/web-frontpage.rules
+-include $RULE_PATH/web-misc.rules
+-include $RULE_PATH/web-client.rules
+-include $RULE_PATH/web-php.rules
+-
+-include $RULE_PATH/sql.rules
+-include $RULE_PATH/x11.rules
+-include $RULE_PATH/icmp.rules
+-include $RULE_PATH/netbios.rules
+-include $RULE_PATH/misc.rules
+-include $RULE_PATH/attack-responses.rules
+-include $RULE_PATH/oracle.rules
+-include $RULE_PATH/mysql.rules
+-include $RULE_PATH/snmp.rules
+-
+-include $RULE_PATH/smtp.rules
+-include $RULE_PATH/imap.rules
+-include $RULE_PATH/pop2.rules
+-include $RULE_PATH/pop3.rules
++#include $RULE_PATH/finger.rules
++#include $RULE_PATH/ftp.rules
++#include $RULE_PATH/telnet.rules
++#include $RULE_PATH/rpc.rules
++#include $RULE_PATH/rservices.rules
++#include $RULE_PATH/dos.rules
++#include $RULE_PATH/ddos.rules
++#include $RULE_PATH/dns.rules
++#include $RULE_PATH/tftp.rules
++
++#include $RULE_PATH/web-cgi.rules
++#include $RULE_PATH/web-coldfusion.rules
++#include $RULE_PATH/web-iis.rules
++#include $RULE_PATH/web-frontpage.rules
++#include $RULE_PATH/web-misc.rules
++#include $RULE_PATH/web-client.rules
++#include $RULE_PATH/web-php.rules
++
++#include $RULE_PATH/sql.rules
++#include $RULE_PATH/x11.rules
++#include $RULE_PATH/icmp.rules
++#include $RULE_PATH/netbios.rules
++#include $RULE_PATH/misc.rules
++#include $RULE_PATH/attack-responses.rules
++#include $RULE_PATH/oracle.rules
++#include $RULE_PATH/mysql.rules
++#include $RULE_PATH/snmp.rules
++
++#include $RULE_PATH/smtp.rules
++#include $RULE_PATH/imap.rules
++#include $RULE_PATH/pop2.rules
++#include $RULE_PATH/pop3.rules
+-include $RULE_PATH/nntp.rules
+-include $RULE_PATH/other-ids.rules
++#include $RULE_PATH/nntp.rules
++#include $RULE_PATH/other-ids.rules
+ # include $RULE_PATH/web-attacks.rules
+ # include $RULE_PATH/backdoor.rules
+ # include $RULE_PATH/shellcode.rules
+@@ -684,11 +685,11 @@
+ # include $RULE_PATH/porn.rules
+ # include $RULE_PATH/info.rules
+ # include $RULE_PATH/icmp-info.rules
+- include $RULE_PATH/virus.rules
++# include $RULE_PATH/virus.rules
+ # include $RULE_PATH/chat.rules
+ # include $RULE_PATH/multimedia.rules
+ # include $RULE_PATH/p2p.rules
+-include $RULE_PATH/experimental.rules
++#include $RULE_PATH/experimental.rules
+ # Include any thresholding or suppression commands. See threshold.conf in the
+ # <snort src>/etc directory for details. Commands don't necessarily need to be