The Suricata Engine is an Open Source Next Generation Intrusion Detection and

Prevention Engine developed by the Open Information Security Foundation (OISF). This engine is not intended to just replace or emulate the existing tools in the industry, but will bring new ideas and technologies to the field. OISF is part of and funded by the Department of Homeland Security's Directorate for Science and Technology HOST program (Homeland Open Security Technology), by the the Navy's Space and Naval Warfare Systems Command (SPAWAR), as well as through the very generous support of the members of the OISF Consortium. More information about the Consortium is available, as well as a list of our current Consortium Members. The Suricata Engine and the HTP Library are available to use under the GPLv2. The HTP Library is an HTTP normalizer and parser written by Ivan Ristic of Mod Security fame for the OISF. This integrates and provides very advanced processing of HTTP streams for Suricata. The HTP library is required by the engine but may also be used independently in a range of applications and tools. WWW: http://openinfosecfoundation.org PR: ports/150191 Submitted by: Patrick Tracanelli <eksffa@freebsdbrasil.com.br>
svn path=/head/; revision=260372
2024-11-23 00:43:28 +00:00 · 2010-09-01 15:31:52 +00:00 · 2010-09-01 15:31:52 +00:00 · a1a4b56363 · 2021-03-31 03:12:20 +00:00
commit a1a4b56363
parent 95f3227edc
8 changed files with 196 additions and 0 deletions
--- a/security/Makefile
+++ b/security/Makefile
@ -847,6 +847,7 @@
    SUBDIR += sudosh2
    SUBDIR += sudosh3
    SUBDIR += super
+    SUBDIR += suricata
    SUBDIR += swatch
    SUBDIR += switzerland
    SUBDIR += symbion-sslproxy
--- a/security/suricata/Makefile
+++ b/security/suricata/Makefile
@ -0,0 +1,71 @@
+# New ports collection makefile for:	suricata
+# Date created:		Sun Aug 29 16:39:08 BRT 2010
+# Whom:			Patrick Tracanelli <eksffa@freebsdbrasil.com.br>
+#
+# $FreeBSD$
+#
+
+PORTNAME=	suricata
+PORTVERSION=	1.0.1
+CATEGORIES=	security
+MASTER_SITES=	http://openinfosecfoundation.org/download/ \
+		http://www6.freebsdbrasil.com.br/~eksffa/l/dev/suricata/
+
+MAINTAINER=	eksffa@freebsdbrasil.com.br
+COMMENT=	Open Source next generation IDS/IPS engine by OISF
+
+LIB_DEPENDS=	pcre.0:${PORTSDIR}/devel/pcre \
+		yaml:${PORTSDIR}/textproc/libyaml \
+		pcap.1:${PORTSDIR}/net/libpcap
+
+BUILD_DEPENDS+=	${LIBNET_CONFIG}:${PORTSDIR}/net/libnet \
+		pkg-config:${PORTSDIR}/devel/pkg-config
+
+USE_AUTOTOOLS=	automake110 autoconf:262 libtool:22
+
+USE_RC_SUBR=	suricata
+
+LIBNET_CONFIG?=	${LOCALBASE}/bin/libnet11-config
+
+OPTIONS=	IPFW "Enable IPFW/IPDIVERT for IPS usage" on \
+		PRELUDE "Enable Prelude NIDS integration" off
+
+SUB_FILES=	pkg-message
+HAS_CONFIGURE=	yes
+USE_GMAKE=	yes
+USE_LDCONFIG=	yes
+
+CONFIG_DIR?=	${PREFIX}/etc/suricata
+CONFIG_FILES=	suricata.yaml classification.config
+RULES_DIR=	${PREFIX}/etc/suricata/rules
+LOGS_DIR=	/var/log/suricata
+
+.include <bsd.port.pre.mk>
+
+.if defined(WITH_PRELUDE)
+LIB_DEPENDS+=		prelude.20:${PORTSDIR}/security/libprelude
+CONFIGURE_ARGS+=	--enable-prelude
+PLIST_SUB+=		PRELUDE=""
+.endif
+
+.if defined(WITH_IPFW)
+CONFIGURE_ARGS+=	--enable-ipfw
+.endif
+
+pre-install:
+	@${REINPLACE_CMD} -e 's|/etc/suricata|${PREFIX}/etc/suricata|g' ${WRKSRC}/suricata.yaml
+
+post-install:
+	[ -d ${CONFIG_DIR} ] || ${MKDIR} ${CONFIG_DIR}
+	[ -d ${RULES_DIR} ] || ${MKDIR} ${RULES_DIR}
+	[ -d ${LOGS_DIR} ] || ${MKDIR} ${LOGS_DIR}
+.for f in ${CONFIG_FILES}
+	${INSTALL_DATA} ${WRKSRC}/${f} ${CONFIG_DIR}/${f}-sample
+	@if [ ! -f ${CONFIG_DIR}/${f} ]; then \
+		${CP} -p ${CONFIG_DIR}/${f}-sample ${CONFIG_DIR}/${f} ; \
+	fi
+.endfor
+
+	@${CAT} ${PKGMESSAGE}
+
+.include <bsd.port.post.mk>
--- a/security/suricata/distinfo
+++ b/security/suricata/distinfo
@ -0,0 +1,3 @@
+MD5 (suricata-1.0.1.tar.gz) = ad42b854ef2b44499f0f1d1531b1ca36
+SHA256 (suricata-1.0.1.tar.gz) = 7fbc8fe89a0a30171eddb8b066ab7e6ec811d14a73aa6bc9cea26fc1f36f4be4
+SIZE (suricata-1.0.1.tar.gz) = 1607941
--- a/security/suricata/files/patch-Makefile.in
+++ b/security/suricata/files/patch-Makefile.in
@ -0,0 +1,11 @@
+--- libhtp/Makefile.in.dist	2010-08-30 22:01:03.000000000 -0300
+++ libhtp/Makefile.in	2010-08-30 22:02:08.000000000 -0300
+@@ -250,7 +250,7 @@
+ ACLOCAL_AMFLAGS = -I m4
+ SUBDIRS = $(GENERIC_LIBRARY_NAME) test
+ EXTRA_DIST = ChangeLog COPYING LICENSE LIBHTP_LICENSING_EXCEPTION docs/doxygen.conf docs/QUICK_START
+-pkgconfigdir = $(libdir)/pkgconfig
+pkgconfigdir = $(libdir)/../libdata/pkgconfig
+ pkgconfig_DATA = htp.pc
+ all: config.h
+ 	$(MAKE) $(AM_MAKEFLAGS) all-recursive
--- a/security/suricata/files/pkg-message.in
+++ b/security/suricata/files/pkg-message.in
@ -0,0 +1,31 @@
+=========================================================================
+If you want to run Suricata in IDS mode, add to /etc/rc.conf:
+
+	suricata_enable="YES" 
+	suricata_interface="<if>"
+
+NOTE: Declaring suricata_interface is MANDATORY for Suricata in IDS Mode.
+
+However, if you wanna run Suricata in Inline IPS Mode, add to /etc/rc.conf:
+
+	suricata_enable="YES"
+	suricata_divertport="8000"
+
+NOTA BENE:
+	Suricata won't start in IDS mode without an interface configured.
+	Therefore if you omit suricata_interface from rc.conf, FreeBSD's
+	rc.d/suricata will automatically try to start Suricata in IPS Mode
+	(on divert port 8000, by default).
+
+RULES: Suricata IDS/IPS Engine comes without rules by default. You should
+add rules by yourself and set an updating strategy. To do so, please visit:
+
+ http://www.openinfosecfoundation.org/documentation/rules.html
+ http://www.openinfosecfoundation.org/documentation/emerging-threats.html
+
+You may want to try BPF in zerocopy mode to test performance improvements:
+
+	sysctl -w net.bpf.zerocopy_enable=1
+
+Don't forget to add net.bpf.zerocopy_enable=1 to /etc/sysctl.conf
+=========================================================================
--- a/security/suricata/files/suricata.in
+++ b/security/suricata/files/suricata.in
@ -0,0 +1,42 @@
+#!/bin/sh
+# $FreeBSD$
+
+# PROVIDE: suricata
+# REQUIRE: DAEMON
+# BEFORE: LOGIN
+# KEYWORD: shutdown
+
+# Add the following lines to /etc/rc.conf to enable suricata:
+# suricata_enable (bool):	Set to YES to enable suricata
+# 				Default: NO
+# suricata_flags (str):		Extra flags passed to suricata
+#				Default: -D -q
+# suricata_interface (str):	Network interface to sniff
+#				Default: "" 
+# suricata_conf (str):		Suricata configuration file
+#				Default: ${PREFIX}/etc/suricata/suricata.yaml
+# suricata_divertport (int):	Port to create divert socket (Inline Mode)
+#				Default: 8000
+
+
+. /etc/rc.subr
+
+name="suricata"
+rcvar=`set_rcvar`
+
+command="%%PREFIX%%/bin/suricata"
+
+load_rc_config $name
+
+[ -z "$suricata_enable" ]	&& suricata_enable="NO"
+[ -z "$suricata_conf" ]		&& suricata_conf="%%PREFIX%%/etc/suricata/suricata.yaml"
+[ -z "$suricata_flags" ]	&& suricata_flags="-D"
+[ -z "$suricata_divertport" ]	&& suricata_divertport="8000"
+
+[ -n "$suricata_interface" ]	&& suricata_flags="$suricata_flags -i $suricata_interface --pidfile /var/run/suricata_${suricata_interface}.pid" \
+				&& pidfile="/var/run/suricata_${suricata_interface}.pid"
+[ -z "$suricata_interface" ]	&& suricata_flags="$suricata_flags -d $suricata_divertport --pidfile /var/run/suricata_inline.pid" \
+				&& pidfile="/var/run/suricata_inline.pid" && info "Inline Mode on divert port $suricata_divertport (suricata_interface not defined)"
+[ -n "$suricata_conf" ]		&& suricata_flags="$suricata_flags -c $suricata_conf"
+
+run_rc_command "$1"
--- a/security/suricata/pkg-descr
+++ b/security/suricata/pkg-descr
@ -0,0 +1,22 @@
+The Suricata Engine is an Open Source Next Generation Intrusion Detection and
+Prevention Engine developed by the Open Information Security Foundation (OISF).
+
+This engine is not intended to just replace or emulate the existing tools in
+the industry, but will bring new ideas and technologies to the field.
+
+OISF is part of and funded by the Department of Homeland Security's Directorate
+for Science and Technology HOST program (Homeland Open Security Technology),
+by the the Navy's Space and Naval Warfare Systems Command (SPAWAR), as well as
+through the very generous support of the members of the OISF Consortium.
+
+More information about the Consortium is available, as well as a list of our
+current Consortium Members. 
+
+The Suricata Engine and the HTP Library are available to use under the GPLv2. 
+
+The HTP Library is an HTTP normalizer and parser written by Ivan Ristic of
+Mod Security fame for the OISF. This integrates and provides very advanced
+processing of HTTP streams for Suricata. The HTP library is required by the
+engine but may also be used independently in a range of applications and tools. 
+
+WWW: http://openinfosecfoundation.org
--- a/security/suricata/pkg-plist
+++ b/security/suricata/pkg-plist
@ -0,0 +1,15 @@
+lib/libhtp.a
+lib/libhtp-0.2.so
+lib/libhtp-0.2.so.1
+libdata/pkgconfig/htp.pc
+lib/libhtp.la
+lib/libhtp.so
+bin/suricata
+etc/suricata/suricata.yaml
+etc/suricata/suricata.yaml-sample
+etc/suricata/classification.config-sample
+etc/suricata/classification.config
+@unexec /bin/rmdir %D/etc/suricata/rules 2>/dev/null || true
+@unexec /bin/rmdir %D/etc/suricata 2>/dev/null || true
+@unexec echo "completely uninstalling %D/include/htp"
+@unexec /bin/rm -rf %D/include/htp 2>/dev/null || true