From e802fc17ca752d0c9eb9a898a8d6d96ec90197d6 Mon Sep 17 00:00:00 2001 From: Nicolas Thill Date: Mon, 13 Nov 2006 08:15:26 +0000 Subject: [PATCH] port snort to -ng SVN-Revision: 5519 --- net/snort/Makefile | 146 ++++++++++++++ net/snort/files/snort.default | 2 + net/snort/files/snort.init | 23 +++ net/snort/patches/500-no-config-search.patch | 35 ++++ .../patches/750-lightweight-config.patch | 178 ++++++++++++++++++ 5 files changed, 384 insertions(+) create mode 100644 net/snort/Makefile create mode 100644 net/snort/files/snort.default create mode 100644 net/snort/files/snort.init create mode 100644 net/snort/patches/500-no-config-search.patch create mode 100644 net/snort/patches/750-lightweight-config.patch diff --git a/net/snort/Makefile b/net/snort/Makefile new file mode 100644 index 0000000000..f482485d5d --- /dev/null +++ b/net/snort/Makefile @@ -0,0 +1,146 @@ +# +# Copyright (C) 2006 OpenWrt.org +# +# This is free software, licensed under the GNU General Public License v2. +# See /LICENSE for more information. +# +# $Id$ + +include $(TOPDIR)/rules.mk + +PKG_NAME:=snort +PKG_VERSION:=2.4.4 +PKG_RELEASE:=1 + +PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz +PKG_SOURCE_URL:=http://www.snort.org/dl/current/ +PKG_MD5SUM:=9dc9060d1f2e248663eceffadfc45e7e +PKG_CAT:=zcat + +PKG_BUILD_DIR:=$(BUILD_DIR)/$(PKG_NAME)-$(PKG_VERSION) +PKG_INSTALL_DIR:=$(PKG_BUILD_DIR)/ipkg-install + +include $(INCLUDE_DIR)/package.mk + +define Package/snort/Default + SUBMENU:=snort (Ligthweight Network Intrusion Detection System) + SECTION:=net + CATEGORY:=Network + DEPENDS:=+libnet0 +libpcap +libpcre + TITLE:=Ligthweight Network Intrusion Detection System + URL:=http://www.snort.org/ +endef + +define Package/snort + $(call Package/snort/Default) +endef + +define Package/snort-mysql + $(call Package/snort/Default) + DEPENDS+= +libmysqlclient + TITLE+= (MySQL) +endef + +define Package/snort-pgsql + $(call Package/snort/Default) + DEPENDS+= +libpq + TITLE+= (PostgreSQL) +endef + + +ifneq ($(SDK),) + CONFIG_PACKAGE_snort:=m + CONFIG_PACKAGE_snort-mysql:=m + CONFIG_PACKAGE_snort-pgsql:=m +endif + +define Compile/Template + +$(PKG_BUILD_DIR)/snort-$(1): $(PKG_BUILD_DIR)/.configured + touch -r $(PKG_BUILD_DIR)/Makefile.am $(PKG_BUILD_DIR)/configure.in + touch -r $(PKG_BUILD_DIR)/Makefile.in $(PKG_BUILD_DIR)/configure + -$(MAKE) -C $(PKG_BUILD_DIR) distclean + $(call Build/Configure/Default, \ + --enable-flexresp \ + --with-libnet-includes="$(STAGING_DIR)/usr/lib/libnet-1.0.x/include" \ + --with-libnet-libraries="$(STAGING_DIR)/usr/lib/libnet-1.0.x/lib" \ + --with-libpcap-includes="$(STAGING_DIR)/usr/include" \ + --with-libpcap-libraries="$(STAGING_DIR)/usr/lib" \ + --with-libpcre-includes="$(STAGING_DIR)/usr/include" \ + --with-libpcre-libraries="$(STAGING_DIR)/usr/lib" \ + $(2) \ + , \ + CPPFLAGS="$$$$CPPFLAGS -I$(STAGING_DIR)/usr/include/mysql" \ + LDFLAGS="$$$$LDFLAGS -L$(STAGING_DIR)/usr/lib/mysql" \ + PATH="$(STAGING_DIR)/usr/lib/libnet-1.0.x/bin:$$$$PATH" \ + $(3) \ + ); + $(MAKE) -C $(PKG_BUILD_DIR) \ + extra_incl="" \ + all + mv $(PKG_BUILD_DIR)/src/snort $(PKG_BUILD_DIR)/snort-$(1) + +$(PKG_BUILD_DIR)/.built: $(PKG_BUILD_DIR)/snort-$(1) + +endef + + +define Install/Template + +define Package/$(1)/conffiles +/etc/default/snort +/etc/snort/snort.conf +/etc/snort/threshold.conf +endef + +define Package/$(1)/install + install -d -m0755 $$(1)/usr/sbin + install -m0755 $(PKG_BUILD_DIR)/snort-$(2) $$(1)/usr/sbin/snort + install -d -m0755 $$(1)/etc/snort + install -m0644 $(PKG_BUILD_DIR)/etc/snort.conf $$(1)/etc/snort/ + install -m0644 $(PKG_BUILD_DIR)/etc/classification.config $$(1)/etc/snort/ + install -m0644 $(PKG_BUILD_DIR)/etc/gen-msg.map $$(1)/etc/snort/ + install -m0644 $(PKG_BUILD_DIR)/etc/reference.config $$(1)/etc/snort/ + install -m0644 $(PKG_BUILD_DIR)/etc/sid-msg.map $$(1)/etc/snort/ + install -m0644 $(PKG_BUILD_DIR)/etc/threshold.conf $$(1)/etc/snort/ + install -m0644 $(PKG_BUILD_DIR)/etc/unicode.map $$(1)/etc/snort/ + install -d -m0755 $$(1)/etc/default + install -m0644 ./files/snort.default $$(1)/etc/default/snort + install -d -m0755 $$(1)/etc/init.d + install -m0755 ./files/snort.init $$(1)/etc/init.d/snort +endef + +endef + + +ifneq ($(CONFIG_PACKAGE_snort),) + $(eval $(call Compile/Template,basic, \ + --without-mysql \ + --without-postgresql \ + )) + $(eval $(call Install/Template,snort,basic)) +endif +ifneq ($(CONFIG_PACKAGE_snort-mysql),) + $(eval $(call Compile/Template,mysql, \ + --with-mysql="$(STAGING_DIR)/usr" \ + --without-postgresql \ + )) + $(eval $(call Install/Template,snort-mysql,mysql)) +endif +ifneq ($(CONFIG_PACKAGE_snort-pgsql),) + $(eval $(call Compile/Template,pgsql, \ + --without-mysql \ + --with-postgresql="$(STAGING_DIR)/usr" \ + )) + $(eval $(call Install/Template,snort-pgsql,pgsql)) +endif + +define Build/Configure +endef + +define Build/Compile +endef + +$(eval $(call BuildPackage,snort)) +$(eval $(call BuildPackage,snort-mysql)) +$(eval $(call BuildPackage,snort-pgsql)) diff --git a/net/snort/files/snort.default b/net/snort/files/snort.default new file mode 100644 index 0000000000..796a893b02 --- /dev/null +++ b/net/snort/files/snort.default @@ -0,0 +1,2 @@ +INTERFACE="vlan1" # WAN +OPTIONS="-i $INTERFACE -c /etc/snort/snort.conf -D -N -q -s" diff --git a/net/snort/files/snort.init b/net/snort/files/snort.init new file mode 100644 index 0000000000..8c019c41d4 --- /dev/null +++ b/net/snort/files/snort.init @@ -0,0 +1,23 @@ +#!/bin/sh + +DEFAULT=/etc/default/snort +LOG_D=/var/log/snort +RUN_D=/var/run +[ -f $DEFAULT ] && . $DEFAULT +PID_F=$RUN_D/snort_$INTERFACE.pid + +case $1 in + start) + [ -d $LOG_D ] || mkdir -p $LOG_D + [ -d $RUN_D ] || mkdir -p $RUN_D + snort $OPTIONS + ;; + stop) + [ -f $PID_F ] && kill $(cat $PID_F) + ;; + *) + echo "usage: $0 (start|stop)" + exit 1 +esac + +exit $? diff --git a/net/snort/patches/500-no-config-search.patch b/net/snort/patches/500-no-config-search.patch new file mode 100644 index 0000000000..d674ba66aa --- /dev/null +++ b/net/snort/patches/500-no-config-search.patch @@ -0,0 +1,35 @@ +--- snort-2.3.2-orig/src/snort.c 2005-01-13 21:36:20.000000000 +0100 ++++ snort-2.3.2-1/src/snort.c 2005-04-04 20:03:34.000000000 +0200 +@@ -1949,7 +1949,7 @@ + { + struct stat st; + int i; +- char *conf_files[]={"/etc/snort.conf", "./snort.conf", NULL}; ++ char *conf_files[]={"/etc/snort/snort.conf", NULL}; + char *fname = NULL; + char *home_dir = NULL; + char *rval = NULL; +@@ -1970,23 +1970,6 @@ + i++; + } + +- /* search for .snortrc in the HOMEDIR */ +- if(!rval) +- { +- if((home_dir = getenv("HOME"))) +- { +- /* create the full path */ +- fname = (char *)malloc(strlen(home_dir) + strlen("/.snortrc") + 1); +- if(!fname) +- FatalError("Out of memory searching for config file\n"); +- +- if(stat(fname, &st) != -1) +- rval = fname; +- else +- free(fname); +- } +- } +- + return rval; + } + diff --git a/net/snort/patches/750-lightweight-config.patch b/net/snort/patches/750-lightweight-config.patch new file mode 100644 index 0000000000..c8bde27f51 --- /dev/null +++ b/net/snort/patches/750-lightweight-config.patch @@ -0,0 +1,178 @@ +--- snort-2.3.2-orig/etc/snort.conf 2005-03-10 23:04:38.000000000 +0100 ++++ snort-2.3.2-1/etc/snort.conf 2005-04-04 20:01:41.000000000 +0200 +@@ -6,6 +6,7 @@ + # + ################################################### + # This file contains a sample snort configuration. ++# Most preprocessors and rules were disabled to save memory. + # You can take the following steps to create your own custom configuration: + # + # 1) Set the network variables for your network +@@ -41,10 +42,10 @@ + # or you can specify the variable to be any IP address + # like this: + +-var HOME_NET any ++var HOME_NET 192.168.1.0/24 + + # Set up the external network addresses as well. A good start may be "any" +-var EXTERNAL_NET any ++var EXTERNAL_NET !$HOME_NET + + # Configure your server lists. This allows snort to only look for attacks to + # systems that have a service up. Why look for HTTP attacks if you are not +@@ -106,7 +107,7 @@ + # Path to your rules files (this can be a relative path) + # Note for Windows users: You are advised to make this an absolute path, + # such as: c:\snort\rules +-var RULE_PATH ../rules ++var RULE_PATH /etc/snort/rules + + # Configure the snort decoder + # ============================ +@@ -297,11 +298,11 @@ + # lots of options available here. See doc/README.http_inspect. + # unicode.map should be wherever your snort.conf lives, or given + # a full path to where snort can find it. +-preprocessor http_inspect: global \ +- iis_unicode_map unicode.map 1252 ++#preprocessor http_inspect: global \ ++# iis_unicode_map unicode.map 1252 + +-preprocessor http_inspect_server: server default \ +- profile all ports { 80 8080 8180 } oversize_dir_length 500 ++#preprocessor http_inspect_server: server default \ ++# profile all ports { 80 8080 8180 } oversize_dir_length 500 + + # + # Example unique server configuration +@@ -335,7 +336,7 @@ + # no_alert_incomplete - don't alert when a single segment + # exceeds the current packet size + +-preprocessor rpc_decode: 111 32771 ++#preprocessor rpc_decode: 111 32771 + + # bo: Back Orifice detector + # ------------------------- +@@ -347,7 +348,7 @@ + # ----- ------------------- + # 1 Back Orifice traffic detected + +-preprocessor bo ++#preprocessor bo + + # telnet_decode: Telnet negotiation string normalizer + # --------------------------------------------------- +@@ -359,7 +360,7 @@ + # This preprocessor requires no arguments. + # Portscan uses Generator ID 109 and does not generate any SID currently. + +-preprocessor telnet_decode ++#preprocessor telnet_decode + + # Flow-Portscan: detect a variety of portscans + # --------------------------------------- +@@ -455,9 +456,9 @@ + # are still watched as scanner hosts. The 'ignore_scanned' option is + # used to tune alerts from very active hosts such as syslog servers, etc. + # +-preprocessor sfportscan: proto { all } \ +- memcap { 10000000 } \ +- sense_level { low } ++#preprocessor sfportscan: proto { all } \ ++# memcap { 10000000 } \ ++# sense_level { low } + + # arpspoof + #---------------------------------------- +@@ -642,41 +643,41 @@ + include $RULE_PATH/bad-traffic.rules + include $RULE_PATH/exploit.rules + include $RULE_PATH/scan.rules +-include $RULE_PATH/finger.rules +-include $RULE_PATH/ftp.rules +-include $RULE_PATH/telnet.rules +-include $RULE_PATH/rpc.rules +-include $RULE_PATH/rservices.rules +-include $RULE_PATH/dos.rules +-include $RULE_PATH/ddos.rules +-include $RULE_PATH/dns.rules +-include $RULE_PATH/tftp.rules +- +-include $RULE_PATH/web-cgi.rules +-include $RULE_PATH/web-coldfusion.rules +-include $RULE_PATH/web-iis.rules +-include $RULE_PATH/web-frontpage.rules +-include $RULE_PATH/web-misc.rules +-include $RULE_PATH/web-client.rules +-include $RULE_PATH/web-php.rules +- +-include $RULE_PATH/sql.rules +-include $RULE_PATH/x11.rules +-include $RULE_PATH/icmp.rules +-include $RULE_PATH/netbios.rules +-include $RULE_PATH/misc.rules +-include $RULE_PATH/attack-responses.rules +-include $RULE_PATH/oracle.rules +-include $RULE_PATH/mysql.rules +-include $RULE_PATH/snmp.rules +- +-include $RULE_PATH/smtp.rules +-include $RULE_PATH/imap.rules +-include $RULE_PATH/pop2.rules +-include $RULE_PATH/pop3.rules ++#include $RULE_PATH/finger.rules ++#include $RULE_PATH/ftp.rules ++#include $RULE_PATH/telnet.rules ++#include $RULE_PATH/rpc.rules ++#include $RULE_PATH/rservices.rules ++#include $RULE_PATH/dos.rules ++#include $RULE_PATH/ddos.rules ++#include $RULE_PATH/dns.rules ++#include $RULE_PATH/tftp.rules ++ ++#include $RULE_PATH/web-cgi.rules ++#include $RULE_PATH/web-coldfusion.rules ++#include $RULE_PATH/web-iis.rules ++#include $RULE_PATH/web-frontpage.rules ++#include $RULE_PATH/web-misc.rules ++#include $RULE_PATH/web-client.rules ++#include $RULE_PATH/web-php.rules ++ ++#include $RULE_PATH/sql.rules ++#include $RULE_PATH/x11.rules ++#include $RULE_PATH/icmp.rules ++#include $RULE_PATH/netbios.rules ++#include $RULE_PATH/misc.rules ++#include $RULE_PATH/attack-responses.rules ++#include $RULE_PATH/oracle.rules ++#include $RULE_PATH/mysql.rules ++#include $RULE_PATH/snmp.rules ++ ++#include $RULE_PATH/smtp.rules ++#include $RULE_PATH/imap.rules ++#include $RULE_PATH/pop2.rules ++#include $RULE_PATH/pop3.rules + +-include $RULE_PATH/nntp.rules +-include $RULE_PATH/other-ids.rules ++#include $RULE_PATH/nntp.rules ++#include $RULE_PATH/other-ids.rules + # include $RULE_PATH/web-attacks.rules + # include $RULE_PATH/backdoor.rules + # include $RULE_PATH/shellcode.rules +@@ -684,11 +685,11 @@ + # include $RULE_PATH/porn.rules + # include $RULE_PATH/info.rules + # include $RULE_PATH/icmp-info.rules +- include $RULE_PATH/virus.rules ++# include $RULE_PATH/virus.rules + # include $RULE_PATH/chat.rules + # include $RULE_PATH/multimedia.rules + # include $RULE_PATH/p2p.rules +-include $RULE_PATH/experimental.rules ++#include $RULE_PATH/experimental.rules + + # Include any thresholding or suppression commands. See threshold.conf in the + # /etc directory for details. Commands don't necessarily need to be -- 2.30.2