From f4470b2f6f9bd6123e7ab2aca903f138da311822 Mon Sep 17 00:00:00 2001 From: Marcelo Góes Date: Sun, 23 Nov 2008 15:29:38 +0000 Subject: 2.8.3.1 version bump with many changes for bug 245752. Thanks to Jason Wallace and Antixrict for the rewrite. Currently in package.mask for testing. (Portage version: 2.1.4.5) --- net-analyzer/snort/ChangeLog | 10 +- .../snort/files/snort-2.8.3.1-libnet.patch | 220 +++++++++++++++ net-analyzer/snort/snort-2.8.3.1.ebuild | 301 +++++++++++++++++++++ 3 files changed, 530 insertions(+), 1 deletion(-) create mode 100644 net-analyzer/snort/files/snort-2.8.3.1-libnet.patch create mode 100644 net-analyzer/snort/snort-2.8.3.1.ebuild diff --git a/net-analyzer/snort/ChangeLog b/net-analyzer/snort/ChangeLog index cbaf8f6913e5..a29c060da2e1 100644 --- a/net-analyzer/snort/ChangeLog +++ b/net-analyzer/snort/ChangeLog @@ -1,6 +1,14 @@ # ChangeLog for net-analyzer/snort # Copyright 2002-2008 Gentoo Foundation; Distributed under the GPL v2 -# $Header: /var/cvsroot/gentoo-x86/net-analyzer/snort/ChangeLog,v 1.134 2008/08/04 20:12:12 jer Exp $ +# $Header: /var/cvsroot/gentoo-x86/net-analyzer/snort/ChangeLog,v 1.135 2008/11/23 15:29:38 vanquirius Exp $ + +*snort-2.8.3.1 (23 Nov 2008) + + 23 Nov 2008; Marcelo Goes + +files/snort-2.8.3.1-libnet.patch, +snort-2.8.3.1.ebuild: + 2.8.3.1 version bump with many changes for bug 245752. Thanks to Jason + Wallace and Antixrict for the rewrite. Currently in package.mask for testing. 04 Aug 2008; Jeroen Roovers metadata.xml: Describe local USE flags for GLEP 56. diff --git a/net-analyzer/snort/files/snort-2.8.3.1-libnet.patch b/net-analyzer/snort/files/snort-2.8.3.1-libnet.patch new file mode 100644 index 000000000000..b51b1531569f --- /dev/null +++ b/net-analyzer/snort/files/snort-2.8.3.1-libnet.patch 
@@ -0,0 +1,220 @@
+diff -ru snort-2.8.3.1/configure.in snort-2.8.3.1_gentoo/configure.in
+--- snort-2.8.3.1/configure.in 2008-09-15 10:45:24.000000000 -0400
++++ snort-2.8.3.1_gentoo/configure.in 2008-11-03 16:34:41.000000000 -0500
+@@ -1151,19 +1151,19 @@
+ else
+ libnet_dir="/usr/include /usr/local/include /sw/include"
+ fi
+- AC_MSG_CHECKING("for libnet.h version 1.0.x")
++ AC_MSG_CHECKING("for libnet-1.0.h version 1.0.x")
+ for i in $libnet_dir; do
+- if test -r "$i/libnet.h"; then
++ if test -r "$i/libnet-1.0.h"; then
+ LIBNET_INC_DIR="$i"
+ fi
+ done
+
+ if test "$LIBNET_INC_DIR" != ""; then
+- if eval "grep LIBNET_VERSION $LIBNET_INC_DIR/libnet.h | grep -v 1.0 >/dev/null"; then
+- FAIL_MESSAGE("libnet 1.0.x (libnet.h)", $LIBNET_INC_DIR)
++ if eval "grep LIBNET_VERSION $LIBNET_INC_DIR/libnet-1.0.h | grep -v 1.0 >/dev/null"; then
++ FAIL_MESSAGE("libnet 1.0.x (libnet-1.0.h)", $LIBNET_INC_DIR)
+ fi
+- CFLAGS="${CFLAGS} `libnet-config --defines` `libnet-config --cflags`"
+- LIBS="${LIBS} `libnet-config --libs`"
++ CFLAGS="${CFLAGS} `libnet-1.0-config --defines` `libnet-1.0-config --cflags`"
++ LIBS="${LIBS} `libnet-1.0-config --libs`"
+ CPPFLAGS="${CPPFLAGS} -I${LIBNET_INC_DIR}"
+ AC_MSG_RESULT($i)
+ else
+@@ -1185,8 +1185,8 @@
+ [ --enable-flexresp Flexible Responses on hostile connection attempts],
+ enable_flexresp="$enableval", enable_flexresp="no")
+ if test "x$enable_flexresp" = "xyes"; then
+- CPPFLAGS="${CPPFLAGS} -DENABLE_RESPONSE `libnet-config --defines --cflags`"
+- LDFLAGS="${LDFLAGS} `libnet-config --libs`"
++ CPPFLAGS="${CPPFLAGS} -DENABLE_RESPONSE `libnet-1.0-config --defines --cflags`"
++ LDFLAGS="${LDFLAGS} `libnet-1.0-config --libs`"
+ fi
+
+ if test "x$enable_flexresp" != "xno" -a "x$enable_flexresp" = "xyes"; then
+@@ -1196,21 +1196,21 @@
+ exit
+ fi
+
+- if test `libnet-config --cflags | wc -c` = "1"; then
++ if test `libnet-1.0-config --cflags | wc -c` = "1"; then
+ CPPFLAGS="${CPPFLAGS} -I/usr/local/include -I/sw/include"
+ LIBNET_CONFIG_BROKEN_CFLAGS="yes"
+ fi
+
+- if test `libnet-config --libs | wc -c` = "1"; then
+- AC_MSG_WARN(libnet-config --libs is broken on your system. If you)
++ if test `libnet-1.0-config --libs | wc -c` = "1"; then
++ AC_MSG_WARN(libnet-1.0-config --libs is broken on your system. If you)
+ AC_MSG_WARN(are using a precompiled package please notify the)
+ AC_MSG_WARN(maintainer.)
+ LDFLAGS="${LDFLAGS} -L/usr/local/lib -L/sw/lib"
+- LIBS="${LIBS} -lnet"
++ LIBS="${LIBS} -lnet-1.0"
+ fi
+
+ LNET=""
+- AC_CHECK_HEADERS(libnet.h,, LNET="no")
++ AC_CHECK_HEADERS(libnet-1.0.h,, LNET="no")
+ if test "x$LNET" = "xno"; then
+ echo
+ echo " ERROR! Libnet header not found, go get it from"
+@@ -1228,33 +1228,33 @@
+ libnet_dir="/usr/include /usr/local/include /sw/include"
+ fi
+ else
+- libnet_dir=`libnet-config --cflags | cut -dI -f2`
++ libnet_dir=`libnet-1.0-config --cflags | cut -dI -f2`
+ fi
+
+ LIBNET_INC_DIR=""
+ for i in $libnet_dir; do
+- if test -r "$i/libnet.h"; then
++ if test -r "$i/libnet-1.0.h"; then
+ LIBNET_INC_DIR="$i"
+ fi
+ done
+
+ if test "x$LIBNET_INC_DIR" != "x"; then
+- if eval "grep LIBNET_VERSION $LIBNET_INC_DIR/libnet.h | grep -v 1.0.2a >/dev/null"; then
++ if eval "grep LIBNET_VERSION $LIBNET_INC_DIR/libnet-1.0.h | grep -v 1.0.2a >/dev/null"; then
+ AC_MSG_RESULT(no)
+ echo
+ echo " ERROR! Snort with --enable-flexresp will *only* work with"
+ echo " libnet version 1.0.2a, go get it from"
+ echo " http://www.packetfactory.net/projects/libnet/"
+- FAIL_MESSAGE("libnet 1.0.2a (libnet.h)", $LIBNET_INC_DIR)
++ FAIL_MESSAGE("libnet 1.0.2a (libnet-1.0.h)", $LIBNET_INC_DIR)
+ fi
+ AC_MSG_RESULT(yes)
+ else
+ AC_MSG_RESULT(no)
+- FAIL_MESSAGE("libnet 1.0.2a (libnet.h)", $libnet_dir)
++ FAIL_MESSAGE("libnet 1.0.2a (libnet-1.0.h)", $libnet_dir)
+ fi
+
+ LNET=""
+- AC_CHECK_LIB(net, libnet_build_ip,, LNET="no")
++ AC_CHECK_LIB(net-1.0, libnet_build_ip,, LNET="no")
+ if test "x$LNET" = "xno"; then
+ echo
+ echo " ERROR! Libnet library not found, go get it from"
+@@ -1305,8 +1305,8 @@
+ [ --enable-react Intercept and terminate offending HTTP accesses],
+ enable_react="$enableval", enable_react="no")
+ if test "x$enable_react" = "xyes"; then
+- CPPFLAGS="${CPPFLAGS} -DENABLE_REACT `libnet-config --defines --cflags`"
+- LDFLAGS="${LDFLAGS} `libnet-config --libs`"
++ CPPFLAGS="${CPPFLAGS} -DENABLE_REACT `libnet-1.0-config --defines --cflags`"
++ LDFLAGS="${LDFLAGS} `libnet-1.0-config --libs`"
+ fi
+
+ if test "x$enable_react" != "xno" -a "x$enable_react" = "xyes"; then
+@@ -1317,13 +1317,13 @@
+ exit
+ fi
+
+- if test `libnet-config --cflags | wc -c` = "1"; then
++ if test `libnet-1.0-config --cflags | wc -c` = "1"; then
+ CPPFLAGS="${CPPFLAGS} -I/usr/local/include -I/sw/include"
+ LIBNET_CONFIG_BROKEN_CFLAGS="yes"
+ fi
+
+- if test `libnet-config --libs | wc -c` = "1"; then
+- AC_MSG_WARN(libnet-config --libs is broken on your system. If you)
++ if test `libnet-1.0-config --libs | wc -c` = "1"; then
++ AC_MSG_WARN(libnet-1.0-config --libs is broken on your system. If you)
+ AC_MSG_WARN(are using a precompiled package please notify the)
+ AC_MSG_WARN(maintainer.)
+ LDFLAGS="${LDFLAGS} -L/usr/local/lib -L/sw/lib"
+@@ -1331,7 +1331,7 @@
+ fi
+
+ LNET=""
+- AC_CHECK_HEADERS(libnet.h,, LNET="no")
++ AC_CHECK_HEADERS(libnet-1.0.h,, LNET="no")
+ if test "x$LNET" = "xno"; then
+ echo
+ echo " ERROR! Libnet header not found, go get it from"
+@@ -1349,33 +1349,33 @@
+ libnet_dir="/usr/include /usr/local/include /sw/include"
+ fi
+ else
+- libnet_dir=`libnet-config --cflags | cut -dI -f2`
++ libnet_dir=`libnet-1.0-config --cflags | cut -dI -f2`
+ fi
+
+ LIBNET_INC_DIR=""
+ for i in $libnet_dir; do
+- if test -r "$i/libnet.h"; then
++ if test -r "$i/libnet-1.0.h"; then
+ LIBNET_INC_DIR="$i"
+ fi
+ done
+
+ if test "x$LIBNET_INC_DIR" != "x"; then
+- if eval "grep LIBNET_VERSION $LIBNET_INC_DIR/libnet.h | grep -v 1.0.2a >/dev/null"; then
++ if eval "grep LIBNET_VERSION $LIBNET_INC_DIR/libnet-1.0.h | grep -v 1.0.2a >/dev/null"; then
+ AC_MSG_RESULT(no)
+ echo
+ echo " ERROR! Snort with --enable-react will *only* work with"
+ echo " libnet version 1.0.2a, go get it from"
+ echo " http://www.packetfactory.net/projects/libnet/"
+- FAIL_MESSAGE("libnet 1.0.2a (libnet.h)", $LIBNET_INC_DIR)
++ FAIL_MESSAGE("libnet 1.0.2a (libnet-1.0.h)", $LIBNET_INC_DIR)
+ fi
+ AC_MSG_RESULT(yes)
+ else
+ AC_MSG_RESULT(no)
+- FAIL_MESSAGE("libnet 1.0.2a (libnet.h)", $libnet_dir)
++ FAIL_MESSAGE("libnet 1.0.2a (libnet-1.0.h)", $libnet_dir)
+ fi
+
+ LNET=""
+- AC_CHECK_LIB(net, libnet_build_ip,, LNET="no")
++ AC_CHECK_LIB(net-1.0, libnet_build_ip,, LNET="no")
+ if test "x$LNET" = "xno"; then
+ echo
+ echo " ERROR! Libnet library not found, go get it from"
+diff -ru snort-2.8.3.1/src/detection-plugins/sp_react.c snort-2.8.3.1_gentoo/src/detection-plugins/sp_react.c
+--- snort-2.8.3.1/src/detection-plugins/sp_react.c 2008-07-11 16:56:00.000000000 -0400
++++ snort-2.8.3.1_gentoo/src/detection-plugins/sp_react.c 2008-11-03 16:39:16.000000000 -0500
+@@ -59,7 +59,7 @@
+ #include
+ #include
+ #include
+-#include
+#include
+
+ #include "rules.h"
+ #include "decode.h"
+diff -ru snort-2.8.3.1/src/detection-plugins/sp_respond.c snort-2.8.3.1_gentoo/src/detection-plugins/sp_respond.c
+--- snort-2.8.3.1/src/detection-plugins/sp_respond.c 2008-07-11 16:56:00.000000000 -0400
++++ snort-2.8.3.1_gentoo/src/detection-plugins/sp_respond.c 2008-11-03 16:38:50.000000000 -0500
+@@ -36,7 +36,7 @@
+
+
+ #if defined(ENABLE_RESPONSE) && !defined(ENABLE_RESPONSE2)
+-#include
+#include
+
+ #include "decode.h"
+ #include "rules.h"
+diff -ru snort-2.8.3.1/src/inline.c snort-2.8.3.1_gentoo/src/inline.c
+--- snort-2.8.3.1/src/inline.c 2008-02-25 16:34:56.000000000 -0500
++++ snort-2.8.3.1_gentoo/src/inline.c 2008-11-03 16:39:44.000000000 -0500
+@@ -20,7 +20,7 @@
+ #include
+ #include
+ #include
+-#include
+#include
+
+ #include "decode.h"
+ #include "inline.h"
diff --git a/net-analyzer/snort/snort-2.8.3.1.ebuild b/net-analyzer/snort/snort-2.8.3.1.ebuild
new file mode 100644
index 000000000000..16ac79b3903d
--- /dev/null
+++ b/net-analyzer/snort/snort-2.8.3.1.ebuild
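Review bot: The react fallback branch probably still links the unversioned library: in the flexresp block the patch changes `LIBS="${LIBS} -lnet"` to `-lnet-1.0`, but the matching react hunks (`@@ -1317,13` and `@@ -1331,7`) skip configure.in line 1330, which sits between the `LDFLAGS` line and `fi` and is presumably the same `LIBS` assignment. If so, a react-only build where `libnet-1.0-config --libs` prints nothing would fall back to `-lnet` while every other check in that block targets `net-1.0`; the line should read `LIBS="${LIBS} -lnet-1.0"` there as well. That line is outside the visible hunks, so confirm it against the unpatched configure.in.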
@@ -0,0 +1,301 @@
+# Copyright 1999-2008 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/net-analyzer/snort/snort-2.8.3.1.ebuild,v 1.1 2008/11/23 15:29:38 vanquirius Exp $
+
+WANT_AUTOCONF="latest"
+WANT_AUTOMAKE="latest"
+AT_M4DIR=m4
+
+inherit eutils autotools
+
+DESCRIPTION="The de facto standard for intrusion detection/prevention"
+HOMEPAGE="http://www.snort.org/"
+SRC_URI="http://www.snort.org/dl/${P}.tar.gz
+ community-rules? ( http://www.snort.org/pub-bin/downloads.cgi/Download/comm_rules/Community-Rules-CURRENT.tar.gz )"
+LICENSE="GPL-2"
+SLOT="0"
+KEYWORDS="~alpha ~amd64 ~ppc ~ppc64 -sparc ~x86"
+IUSE="static debug pthreads prelude stream4udp memory-cleanup decoder-preprocessor-rules ipv6 targetbased dynamicplugin timestats ruleperf ppm perfprofiling linux-smp-stats inline inline-init-failopen flexresp flexresp2 react aruba gre mpls pic postgres mysql odbc selinux community-rules"
+
+#flexresp, react, and inline _ONLY_ work with net-libs/libnet-1.0.2a
+DEPEND="virtual/libc
+ virtual/libpcap
+ >=sys-devel/libtool-1.4
+ >=dev-libs/libpcre-6.0
+ flexresp2? ( dev-libs/libdnet )
+ flexresp? ( ~net-libs/libnet-1.0.2a )
+ react? ( ~net-libs/libnet-1.0.2a )
+ postgres? ( || ( dev-db/postgresql dev-db/libpq ) )
+ mysql? ( virtual/mysql )
+ odbc? ( dev-db/unixODBC )
+ prelude? ( >=dev-libs/libprelude-0.9.0 )
+ inline? ( ~net-libs/libnet-1.0.2a
+ net-firewall/iptables )"
+
+RDEPEND="${DEPEND}
+ dev-lang/perl
+ selinux? ( sec-policy/selinux-snort )"
+
+pkg_setup() {
+ enewgroup snort
+ enewuser snort -1 -1 /dev/null snort
+
+ if use flexresp && use flexresp2 ; then
+ ewarn
+ ewarn
+ ewarn "You have both the 'flexresp' and 'flexresp2' USE"
+ ewarn "flags set. You can use 'flexresp' OR 'flexresp2'"
+ ewarn "but not both."
+ ewarn
+ ewarn "Defaulting to flexresp2..."
+ ewarn
+ ewarn
+ epause
+ fi
+
+ if use memory-cleanup && ! use dynamicplugin; then
+ ewarn
+ ewarn
+ ewarn "You have enabled 'memory-cleanup' but not 'dynamicplugin'."
+ ewarn "'memory-cleanup' requires 'dynamicplugin' to compile."
+ ewarn
+ ewarn "Enabling dynamicplugin..."
+ ewarn
+ ewarn
+ epause
+ fi
+
+ if use ruleperf && ! use dynamicplugin; then
+ ewarn
+ ewarn
+ ewarn "You have enabled 'ruleperf' but not 'dynamicplugin'."
+ ewarn "'ruleperf' requires 'dynamicplugin' to compile."
+ ewarn
+ ewarn "Enabling dynamicplugin..."
+ ewarn
+ ewarn
+ epause
+ fi
+
+ if use inline-init-failopen && ! use inline; then
+ ewarn
+ ewarn
+ ewarn "You have enabled 'inline-init-failopen' but not 'inline'."
+ ewarn "'inline-init-failopen' is an 'inline' only function."
+ ewarn
+ ewarn "Enabling inline mode..."
+ ewarn
+ ewarn
+ epause
+ fi
+
+}
+
+
+src_unpack() {
+ unpack ${A}
+ cd "${S}"
+
+ #Dont monkey with the original source if you don't need to.
+ if use flexresp || use react || use inline; then
+ epatch "${FILESDIR}/${PN}-2.8.3.1-libnet.patch"
+ fi
+
+ if use prelude ; then
+ sed -i -e "s:AC_PROG_RANLIB:AC_PROG_LIBTOOL:" configure.in
+ fi
+
+ einfo "Regenerating autoconf/automake files"
+ eautoreconf
+}
+
+src_compile() {
+
+ local myconf
+
+ #Both shared and static are enable by defaut so we need to be specific
+ if use static; then
+ myconf="${myconf} --enable-static --disable-shared"
+ else
+ myconf="${myconf} --disable-static --enable-shared"
+ fi
+
+ #Added in ebuild version snort-2.8.3.1. Should be rechecked in updated versions.
+ #Use 'die' because ./configure will die any ways with the same error message...
+ if use ipv6 && use targetbased; then
+ die "Support for target-based and IPv6 cannot be enabled simultaneously in this version."
+ fi
+
+ #Sourcefire is often not clear about what is and is not enabled by default
+ #To avoid undesired results we should be very specific
+ if use flexresp && ! use flexresp2; then
+ myconf="${myconf} --enable-flexresp --disable-flexresp2"
+ elif use flexresp2 && ! use flexresp; then
+ myconf="${myconf} --disable-flexresp --enable-flexresp2"
+ elif use flexresp && use flexresp2; then
+ myconf="${myconf} --disable-flexresp --enable-flexresp2"
+ fi
+
+ # USE flages memory-cleanup and ruleperf require dynamicplugin
+ #Only 'dynamicplugin' is set here. 'ruleperf' and 'memory-cleanup' are set below via econf.
+ if use memory-cleanup || use ruleperf || use dynamicplugin; then
+ myconf="${myconf} --enable-dynamicplugin"
+ else
+ myconf="${myconf} --disable-dynamicplugin"
+ fi
+
+ # USE flages 'targetbased' and 'inline-init-failopen' require pthreads
+ #Only 'pthreads' is set here. 'targetbased' and 'inline-init-failopen' are set below via econf.
+ if use targetbased || use inline-init-failopen || use pthreads; then
+ myconf="${myconf} --enable-pthread"
+ else
+ myconf="${myconf} --disable-pthread"
+ fi
+
+ #Only needed if...
+ if use flexresp || use react || use inline; then
+ myconf="${myconf} --with-libipq-includes=/usr/include/libipq"
+ fi
+
+ #'inline-init-failopen' requires 'inline'
+ if use inline-init-failopen || use inline; then
+ myconf="${myconf} --enable-inline"
+ else
+ myconf="${myconf} --disable-inline"
+ fi
+
+
+#The --enable- options... 'static' 'dynamicplugin' 'pthreads' 'flexresp' 'flexresp2' 'inline'
+# are configured above due to dependancy/conflict issues.
+#All others are handled the standard ebuild way via econf
+
+ econf \
+ --without-oracle \
+ $(use_with postgres postgresql) \
+ $(use_with mysql) \
+ $(use_with odbc) \
+ $(use_with pic) \
+ --disable-ipfw \
+ --disable-profile \
+ --disable-ppm-test \
+ $(use_enable debug) \
+ $(use_enable prelude) \
+ $(use_enable stream4udp) \
+ $(use_enable memory-cleanup) \
+ $(use_enable decoder-preprocessor-rules) \
+ $(use_enable ipv6) \
+ $(use_enable targetbased) \
+ $(use_enable timestats) \
+ $(use_enable ruleperf) \
+ $(use_enable ppm) \
+ $(use_enable perfprofiling) \
+ $(use_enable linux-smp-stats) \
+ $(use_enable inline-init-failopen) \
+ $(use_enable react) \
+ $(use_enable aruba) \
+ $(use_enable gre) \
+ $(use_enable mpls) \
+ ${myconf} || die "econf failed"
+
+ # limit to single as reported by jforman on irc
+ emake -j1 || die "emake failed"
+}
+
+src_install() {
+ emake DESTDIR="${D}" install || die "make install failed"
+
+ keepdir /var/log/snort/
+
+ dodoc doc/*
+ dodoc ./RELEASE.NOTES
+ docinto schemas ; dodoc schemas/*
+
+ insinto /etc/snort
+ doins etc/reference.config \
+ etc/classification.config \
+ etc/*.map \
+ etc/threshold.conf \
+ etc/attribute_table.dtd \
+ etc/unicode.map
+
+ # Make some changes to snort.conf depending on the users feature selection
+ if use memory-cleanup || use ruleperf || use dynamicplugin; then
+ sed -e "s:/usr/local/lib:/usr/$(get_libdir):g" \
+ etc/snort.conf > "${D}"/etc/snort/snort.conf.distrib
+ else
+ sed -e "s:^dynamic:# dynamic:g" \
+ etc/snort.conf > "${D}"/etc/snort/snort.conf.distrib
+ fi
+
+ sed -i -e "s:RULE_PATH ../rules:RULE_PATH /etc/snort/rules:g" \
+ "${D}"/etc/snort/snort.conf.distrib
+
+ sed -i -e "s:PREPROC_RULE_PATH ../preproc_rules:PREPROC_RULE_PATH /etc/snort/preproc_rules:g" \
+ "${D}"/etc/snort/snort.conf.distrib
+
+ sed -i -e "s:^include $RULE_PATH:#include $RULE_PATH:g" \
+ "${D}"/etc/snort/snort.conf.distrib
+
+ newinitd "${FILESDIR}/snort.rc8" snort
+ newconfd "${FILESDIR}/snort.confd" snort
+
+ fowners snort:snort /var/log/snort
+ fperms 0770 /var/log/snort
+
+ # Install Community rules if enabled
+ if use community-rules; then
+ insinto /etc/snort/rules
+ doins -r "${WORKDIR}"/rules/*
+ fi
+
+ # Install preproc_rules if enabled
+ if use decoder-preprocessor-rules; then
+ insinto /etc/snort/preproc_rules
+ doins -r "${WORKDIR}"/${P}/preproc_rules/*.rules
+ fi
+}
+
+pkg_postinst() {
+ elog
+ elog "If you find that snort is using too much memory, your system"
+ elog "freezes, or snort crashes after a few minutes try adding the"
+ elog "following to your snort.conf..."
+ elog
+ elog "'config detection: search-method ac-sparsebands'"
+ elog
+ elog "To use a database backend with snort you will have to create"
+ elog "a database, a database user, and import the snort schema."
+ elog "The schema files are located in..."
+ elog
+ elog "/usr/share/doc/${PF}/schemas/"
+ elog
+ elog "Instructions for seting up your database, user, and schema imports"
+ elog "can be found in the README.database file located in..."
+ elog
+ elog "/usr/share/doc/${PF}"
+ elog
+ elog "Users using the unified output plugin and barnyard do not need to"
+ elog "compile database support into snort, but still need to set up their"
+ elog "database as documented in README.database."
+ elog
+ if use community-rules; then
+ elog
+ elog "The COMMUNITY ruleset has been installed."
+ elog
+ else
+ elog
+ elog "The COMMUNITY ruleset has NOT been installed."
+ elog
+ fi
+ elog "To learn how to manage updates to your rulesets please visit..."
+ elog
+ elog "http://oinkmaster.sourceforge.net/"
+ elog
+ elog "and then 'emerge oinkmaster'. Once oinkmaster is configured,"
+ elog "you may want to disable the 'community-rules' USE flag."
+ elog
+ elog "It is HIGHLY recomended that you also download Sourcefire's VRT"
+ elog "ruleset also. For more information on obtaining the VRT ruleset,"
+ elog "please visit... http://www.snort.org/vrt/"
+ elog
+}
-- 
cgit v1.2.3-65-gdbad
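Review bot: In src_install the last sed script is double-quoted, `"s:^include $RULE_PATH:#include $RULE_PATH:g"`, so the shell expands `$RULE_PATH` (never set in this ebuild) before sed runs and the expression becomes `s:^include :#include :g`, which comments out every line beginning with `include ` in snort.conf.distrib rather than only the rule-file includes. Single-quote the script so sed sees the literal text: `sed -i -e 's:^include $RULE_PATH:#include $RULE_PATH:g'`. Separately, src_compile passes `--enable-inline` when only `inline-init-failopen` is set, but DEPEND and the epatch guard in src_unpack test `inline` alone, so that combination is configured for inline mode without the libnet-1.0.2a/iptables dependencies or the libnet patch. Adding `inline-init-failopen? ( ~net-libs/libnet-1.0.2a net-firewall/iptables )` to DEPEND and `|| use inline-init-failopen` to the guard would keep the three places consistent.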