From a1a4b56363753796c17075dc2c9d5bc262e4b742 Mon Sep 17 00:00:00 2001 
From: Jean Milanez Melo Date: Wed, 1 Sep 2010 15:31:52 +0000 Subject: [PATCH] The Suricata Engine is an Open Source Next Generation Intrusion Detection and Prevention Engine developed by the Open Information Security Foundation (OISF). This engine is not intended to just replace or emulate the existing tools in the industry, but will bring new ideas and technologies to the field. OISF is part of and funded by the Department of Homeland Security's Directorate for Science and Technology HOST program (Homeland Open Security Technology), by the Navy's Space and Naval Warfare Systems Command (SPAWAR), as well as through the very generous support of the members of the OISF Consortium. More information about the Consortium is available, as well as a list of our current Consortium Members. The Suricata Engine and the HTP Library are available to use under the GPLv2. The HTP Library is an HTTP normalizer and parser written by Ivan Ristic of Mod Security fame for the OISF. This integrates and provides very advanced processing of HTTP streams for Suricata. The HTP library is required by the engine but may also be used independently in a range of applications and tools.
WWW: http://openinfosecfoundation.org PR: ports/150191 Submitted by: Patrick Tracanelli
---
 security/Makefile | 1 +
 security/suricata/Makefile | 71 +++++++++++++++++++++++
 security/suricata/distinfo | 3 +
 security/suricata/files/patch-Makefile.in | 11 ++++
 security/suricata/files/pkg-message.in | 31 ++++++++++
 security/suricata/files/suricata.in | 42 ++++++++++++++
 security/suricata/pkg-descr | 22 +++++++
 security/suricata/pkg-plist | 15 +++++
 8 files changed, 196 insertions(+)
 create mode 100644 security/suricata/Makefile
 create mode 100644 security/suricata/distinfo
 create mode 100644 security/suricata/files/patch-Makefile.in
 create mode 100644 security/suricata/files/pkg-message.in
 create mode 100644 security/suricata/files/suricata.in
 create mode 100644 security/suricata/pkg-descr
 create mode 100644 security/suricata/pkg-plist
diff --git a/security/Makefile b/security/Makefile
index c5cc4db3104f..ae35f0666c95 100644
--- a/security/Makefile
+++ b/security/Makefile
@@ -847,6 +847,7 @@
 SUBDIR += sudosh2
 SUBDIR += sudosh3
 SUBDIR += super
+ SUBDIR += suricata
 SUBDIR += swatch
 SUBDIR += switzerland
 SUBDIR += symbion-sslproxy
diff --git a/security/suricata/Makefile b/security/suricata/Makefile
new file mode 100644
index 000000000000..9b83b2c79392
--- /dev/null
+++ b/security/suricata/Makefile
@@ -0,0 +1,71 @@
+# New ports collection makefile for: suricata
+# Date created: Sun Aug 29 16:39:08 BRT 2010
+# Whom: Patrick Tracanelli
+#
+# $FreeBSD$
+#
+
+PORTNAME= suricata
+PORTVERSION= 1.0.1
+CATEGORIES= security
+MASTER_SITES= http://openinfosecfoundation.org/download/ \
+ http://www6.freebsdbrasil.com.br/~eksffa/l/dev/suricata/
+
+MAINTAINER= eksffa@freebsdbrasil.com.br
+COMMENT= Open Source next generation IDS/IPS engine by OISF
+
+LIB_DEPENDS= pcre.0:${PORTSDIR}/devel/pcre \
+ yaml:${PORTSDIR}/textproc/libyaml \
+ pcap.1:${PORTSDIR}/net/libpcap
+
+BUILD_DEPENDS+= ${LIBNET_CONFIG}:${PORTSDIR}/net/libnet \
+ pkg-config:${PORTSDIR}/devel/pkg-config
+
+USE_AUTOTOOLS= automake110 autoconf:262 libtool:22
+
+USE_RC_SUBR= suricata
+
+LIBNET_CONFIG?= ${LOCALBASE}/bin/libnet11-config
+
+OPTIONS= IPFW "Enable IPFW/IPDIVERT for IPS usage" on \
+ PRELUDE "Enable Prelude NIDS integration" off
+
+SUB_FILES= pkg-message
+HAS_CONFIGURE= yes
+USE_GMAKE= yes
+USE_LDCONFIG= yes
+
+CONFIG_DIR?= ${PREFIX}/etc/suricata
+CONFIG_FILES= suricata.yaml classification.config
+RULES_DIR= ${PREFIX}/etc/suricata/rules
+LOGS_DIR= /var/log/suricata
+
+.include 
+
+.if defined(WITH_PRELUDE)
+LIB_DEPENDS+= prelude.20:${PORTSDIR}/security/libprelude
+CONFIGURE_ARGS+= --enable-prelude
+PLIST_SUB+= PRELUDE=""
+.endif
+
+.if defined(WITH_IPFW)
+CONFIGURE_ARGS+= --enable-ipfw
+.endif
+
+pre-install:
+ @${REINPLACE_CMD} -e 's|/etc/suricata|${PREFIX}/etc/suricata|g' ${WRKSRC}/suricata.yaml
+
+post-install:
+ [ -d ${CONFIG_DIR} ] || ${MKDIR} ${CONFIG_DIR}
+ [ -d ${RULES_DIR} ] || ${MKDIR} ${RULES_DIR}
+ [ -d ${LOGS_DIR} ] || ${MKDIR} ${LOGS_DIR}
+.for f in ${CONFIG_FILES}
+ ${INSTALL_DATA} ${WRKSRC}/${f} ${CONFIG_DIR}/${f}-sample
+ @if [ ! -f ${CONFIG_DIR}/${f} ]; then \
+ ${CP} -p ${CONFIG_DIR}/${f}-sample ${CONFIG_DIR}/${f} ; \
+ fi
+.endfor
+
+ @${CAT} ${PKGMESSAGE}
+
+.include 
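Review bot: post-install creates `${LOGS_DIR}` (`/var/log/suricata`) and `${RULES_DIR}` but neither directory is accounted for in pkg-plist, so a deinstall leaves `/var/log/suricata` behind with nothing recording that the port created it; either leave log-directory creation to the rc script/operator or pair it with a matching `@unexec rmdir` entry. `PLIST_SUB+= PRELUDE=""` inside the `WITH_PRELUDE` branch has no `%%PRELUDE%%` consumer in pkg-plist and no `@comment ` counterpart when the option is off, so it is dead — drop it or put the Prelude-dependent files behind it. The two `.include` lines are shown here without their `<bsd.port.pre.mk>` / `<bsd.port.post.mk>` argument; that looks like rendering loss rather than the patch, but worth confirming against the committed file.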
diff --git a/security/suricata/distinfo b/security/suricata/distinfo
new file mode 100644
index 000000000000..088e672d441d
--- /dev/null
+++ b/security/suricata/distinfo
@@ -0,0 +1,3 @@
+MD5 (suricata-1.0.1.tar.gz) = ad42b854ef2b44499f0f1d1531b1ca36
+SHA256 (suricata-1.0.1.tar.gz) = 7fbc8fe89a0a30171eddb8b066ab7e6ec811d14a73aa6bc9cea26fc1f36f4be4
+SIZE (suricata-1.0.1.tar.gz) = 1607941
diff --git a/security/suricata/files/patch-Makefile.in b/security/suricata/files/patch-Makefile.in
new file mode 100644
index 000000000000..95b8161a7ba4
--- /dev/null
+++ b/security/suricata/files/patch-Makefile.in
@@ -0,0 +1,11 @@
+--- libhtp/Makefile.in.dist 2010-08-30 22:01:03.000000000 -0300
++++ libhtp/Makefile.in 2010-08-30 22:02:08.000000000 -0300
+@@ -250,7 +250,7 @@
+ ACLOCAL_AMFLAGS = -I m4
+ SUBDIRS = $(GENERIC_LIBRARY_NAME) test
+ EXTRA_DIST = ChangeLog COPYING LICENSE LIBHTP_LICENSING_EXCEPTION docs/doxygen.conf docs/QUICK_START
+-pkgconfigdir = $(libdir)/pkgconfig
++pkgconfigdir = $(libdir)/../libdata/pkgconfig
+ pkgconfig_DATA = htp.pc
+ all: config.h
+ $(MAKE) $(AM_MAKEFLAGS) all-recursive
diff --git a/security/suricata/files/pkg-message.in b/security/suricata/files/pkg-message.in
new file mode 100644
index 000000000000..7e0b205d8d02
--- /dev/null
+++ b/security/suricata/files/pkg-message.in
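Review bot: The replacement `pkgconfigdir = $(libdir)/../libdata/pkgconfig` in patch-Makefile.in only lands in the right place when `libdir` is exactly one level below the prefix; anyone configuring with a different `--libdir` gets the .pc file installed somewhere pkg-plist's `libdata/pkgconfig/htp.pc` does not expect. Expressing it against the prefix is direct and does not depend on that layout: `pkgconfigdir = $(prefix)/libdata/pkgconfig`. The patch also targets `libhtp/Makefile.in` while the file is named plainly `patch-Makefile.in`; encoding the subdirectory in the name (as ports usually do) would avoid a collision if a top-level Makefile.in patch is ever needed.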
@@ -0,0 +1,31 @@
+=========================================================================
+If you want to run Suricata in IDS mode, add to /etc/rc.conf:
+
+ suricata_enable="YES"
+ suricata_interface=""
+
+NOTE: Declaring suricata_interface is MANDATORY for Suricata in IDS Mode.
+
+However, if you wanna run Suricata in Inline IPS Mode, add to /etc/rc.conf:
+
+ suricata_enable="YES"
+ suricata_divertport="8000"
+
+NOTA BENE:
+ Suricata won't start in IDS mode without an interface configured.
+ Therefore if you omit suricata_interface from rc.conf, FreeBSD's
+ rc.d/suricata will automatically try to start Suricata in IPS Mode
+ (on divert port 8000, by default).
+
+RULES: Suricata IDS/IPS Engine comes without rules by default. You should
+add rules by yourself and set an updating strategy. To do so, please visit:
+
+ http://www.openinfosecfoundation.org/documentation/rules.html
+ http://www.openinfosecfoundation.org/documentation/emerging-threats.html
+
+You may want to try BPF in zerocopy mode to test performance improvements:
+
+ sysctl -w net.bpf.zerocopy_enable=1
+
+Don't forget to add net.bpf.zerocopy_enable=1 to /etc/sysctl.conf
+=========================================================================
diff --git a/security/suricata/files/suricata.in b/security/suricata/files/suricata.in
new file mode 100644
index 000000000000..5174657beb11
--- /dev/null
+++ b/security/suricata/files/suricata.in
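Review bot: The "NOTA BENE" paragraph tells operators that leaving `suricata_interface` unset makes rc.d start Suricata in inline IPS mode on divert port 8000, but says nothing about what inline mode needs to actually see traffic; presumably a firewall rule diverting packets to that port, without which the daemon runs and inspects nothing while the operator believes the host is protected. A sentence such as `Inline mode only inspects traffic that a divert rule sends to the configured port; verify your firewall rules before relying on it.` would close that gap. Separately, the IDS section says `suricata_interface` is mandatory while the same file promises an automatic fallback to IPS mode, which reads as contradictory — stating that the fallback is the consequence of omitting it would reconcile the two. Style nit on the "However" line: `wanna` → `want to`.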
@@ -0,0 +1,42 @@
+#!/bin/sh
+# $FreeBSD$
+
+# PROVIDE: suricata
+# REQUIRE: DAEMON
+# BEFORE: LOGIN
+# KEYWORD: shutdown
+
+# Add the following lines to /etc/rc.conf to enable suricata:
+# suricata_enable (bool): Set to YES to enable suricata
+# Default: NO
+# suricata_flags (str): Extra flags passed to suricata
+# Default: -D -q
+# suricata_interface (str): Network interface to sniff
+# Default: ""
+# suricata_conf (str): Suricata configuration file
+# Default: ${PREFIX}/etc/suricata/suricata.yaml
+# suricata_divertport (int): Port to create divert socket (Inline Mode)
+# Default: 8000
+
+
+. /etc/rc.subr
+
+name="suricata"
+rcvar=`set_rcvar`
+
+command="%%PREFIX%%/bin/suricata"
+
+load_rc_config $name
+
+[ -z "$suricata_enable" ] && suricata_enable="NO"
+[ -z "$suricata_conf" ] && suricata_conf="%%PREFIX%%/etc/suricata/suricata.yaml"
+[ -z "$suricata_flags" ] && suricata_flags="-D"
+[ -z "$suricata_divertport" ] && suricata_divertport="8000"
+
+[ -n "$suricata_interface" ] && suricata_flags="$suricata_flags -i $suricata_interface --pidfile /var/run/suricata_${suricata_interface}.pid" \
+ && pidfile="/var/run/suricata_${suricata_interface}.pid"
+[ -z "$suricata_interface" ] && suricata_flags="$suricata_flags -d $suricata_divertport --pidfile /var/run/suricata_inline.pid" \
+ && pidfile="/var/run/suricata_inline.pid" && info "Inline Mode on divert port $suricata_divertport (suricata_interface not defined)"
+[ -n "$suricata_conf" ] && suricata_flags="$suricata_flags -c $suricata_conf"
+
+run_rc_command "$1"
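Review bot: The header comment documents `suricata_flags` as defaulting to `-D -q`, but the script sets `suricata_flags="-D"`; one of the two is wrong and the comment is what operators will read, so bring them in line. The `[ -n "$suricata_conf" ]` guard before the `-c` flag is always true because `suricata_conf` was defaulted a few lines earlier, so it can be dropped. Mode selection rests solely on whether `suricata_interface` is empty, which means a misspelled variable name in rc.conf silently switches the host from passive IDS to inline mode on divert port 8000 — inferred from the two chains above `run_rc_command`, but worth at least a `warn` rather than `info`, or an explicit mode variable that fails when unset. The rc.subr idiom for defaults is `: ${suricata_flags:="-D"}` and `: ${suricata_enable:="NO"}` rather than `[ -z … ] &&` chains.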
@@ -0,0 +1,22 @@
+The Suricata Engine is an Open Source Next Generation Intrusion Detection and
+Prevention Engine developed by the Open Information Security Foundation (OISF).
+
+This engine is not intended to just replace or emulate the existing tools in
+the industry, but will bring new ideas and technologies to the field.
+
+OISF is part of and funded by the Department of Homeland Security's Directorate
+for Science and Technology HOST program (Homeland Open Security Technology),
+by the the Navy's Space and Naval Warfare Systems Command (SPAWAR), as well as
+through the very generous support of the members of the OISF Consortium.
+
+More information about the Consortium is available, as well as a list of our
+current Consortium Members.
+
+The Suricata Engine and the HTP Library are available to use under the GPLv2.
+
+The HTP Library is an HTTP normalizer and parser written by Ivan Ristic of
+Mod Security fame for the OISF. This integrates and provides very advanced
+processing of HTTP streams for Suricata. The HTP library is required by the
+engine but may also be used independently in a range of applications and tools.
+
+WWW: http://openinfosecfoundation.org
diff --git a/security/suricata/pkg-plist b/security/suricata/pkg-plist
new file mode 100644
index 000000000000..6039f0ae70b6
--- /dev/null
+++ b/security/suricata/pkg-plist
@@ -0,0 +1,15 @@
+lib/libhtp.a
+lib/libhtp-0.2.so
+lib/libhtp-0.2.so.1
+libdata/pkgconfig/htp.pc
+lib/libhtp.la
+lib/libhtp.so
+bin/suricata
+etc/suricata/suricata.yaml
+etc/suricata/suricata.yaml-sample
+etc/suricata/classification.config-sample
+etc/suricata/classification.config
+@unexec /bin/rmdir %D/etc/suricata/rules 2>/dev/null || true
+@unexec /bin/rmdir %D/etc/suricata 2>/dev/null || true
+@unexec echo "completely uninstalling %D/include/htp"
+@unexec /bin/rm -rf %D/include/htp 2>/dev/null || true
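Review bot: pkg-plist lists the live `etc/suricata/suricata.yaml` and `etc/suricata/classification.config` next to their `-sample` copies, so deinstalling the package deletes an operator's edited configuration, including any local rule and logging settings; the usual pattern is to list only the `-sample` files and remove the live copy only when it is still identical, e.g. `@unexec if cmp -s %D/etc/suricata/suricata.yaml %D/etc/suricata/suricata.yaml-sample; then rm -f %D/etc/suricata/suricata.yaml; fi`. The final `@unexec /bin/rm -rf %D/include/htp` deletes a whole directory whose contents are never listed, so the package database cannot verify those headers and anything else placed under that path is wiped on deinstall as well — list the installed header files explicitly and finish with `@dirrm include/htp`. The `/var/log/suricata` directory created in the port's post-install is also not covered here.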