Date: Mon, 12 Nov 2012 17:06:55 +0000 (UTC)
From: Paul Schmehl <pauls@utdallas.edu>
To: FreeBSD-gnats-submit@FreeBSD.org
Subject: ports/173581: new port submission, security/sagan
Message-ID: <20121112170655.BE1FCDCA82A@buttercup4.utdallas.edu>
Resent-Message-ID: <201211121710.qACHA0FS021221@freefall.freebsd.org>
>Number:         173581
>Category:       ports
>Synopsis:       new port submission, security/sagan
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-ports-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          change-request
>Submitter-Id:   current-users
>Arrival-Date:   Mon Nov 12 17:10:00 UTC 2012
>Closed-Date:
>Last-Modified:
>Originator:     Paul Schmehl
>Release:        FreeBSD 8.3-PRERELEASE amd64
>Organization:   The University of Texas at Dallas
>Environment:
System: FreeBSD hostname.utdallas.edu 8.3-PRERELEASE FreeBSD 8.3-PRERELEASE #1: Wed Mar 7 18:01:57 UTC 2012 root@hostname.utdallas.edu:/usr/obj/usr/src/sys/GENERIC amd64
>Description:
ports, new port submission, security/sagan

PLEASE NOTE: this port submission depends on another new port submission which must be accepted into the tree either beforehand or with this one. The PR for that submission is 173544. The port is devel/liblognorm.
>How-To-Repeat:
>Fix:
--- sagan.shar begins here ---
# This is a shell archive.  Save it in a file, remove anything before
# this line, and then unpack it by entering "sh file".  Note, it may
# create directories; files and directories will be owned by you and
# have default permissions.
#
# This archive contains:
#
#	sagan
#	sagan/Makefile
#	sagan/distinfo
#	sagan/pkg-descr
#	sagan/files
#	sagan/files/sagan.in
#	sagan/files/patch-sagan.conf
#	sagan/pkg-plist
#	sagan/pkg-message
#
echo c - sagan
mkdir -p sagan > /dev/null 2>&1
echo x - sagan/Makefile
sed 's/^X//' >sagan/Makefile << 'b56f1d469d3632db92241e71561bcbf5'
X# $FreeBSD$
X
XPORTNAME=	sagan
XPORTVERSION=	0.2.2
XCATEGORIES=	security
XMASTER_SITES=	http://sagan.quadrantsec.com/download/
X
XMAINTAINER=	pauls@utdallas.edu
XCOMMENT=	Sagan is a real time system and event log monitoring system
X
XLICENSE=	GPLv2
XLICENSE_FILE=	${WRKSRC}/COPYING
X
XLIB_DEPENDS=	pcre:${PORTSDIR}/devel/pcre
X
XRSYSLOG_VER=	6
X
XOPTIONS_DEFINE=	ESMTP LIBDNET LIBPCAP LOGNORM MYSQL POSTGRESQL \
X		PRELUDE PULLEDPORK RSYSLOG SNORTSAM SYSLOG-NG OINKMASTER
XESMTP_DESC=	Configure support for email alerts
XLIBDNET_DESC=	Configure support for unified2 output
XLIBPCAP_DESC=	Configure support for packet captures
XLOGNORM_DESC=	Configure support for log normalization
XMYSQL_DESC=	Configure support for mysql
XPOSTGRESQL_DESC=	Configure support for postgresql
XPRELUDE_DESC=	Configure support for prelude
XPULLEDPORK_DESC=	Install pulledpork to fetch rules
XRSYSLOG_DESC=	Install rsyslog${RSYSLOG_VER} to use with sagan
XSNORTSAM_DESC=	Install snortsam to use with sagan
XSYSLOG-NG_DESC=	Install syslog-ng to use with sagan
XOINKMASTER_DESC=	Install oinkmaster to fetch rules
X
XGNU_CONFIGURE=	yes
XUSE_RC_SUBR=	sagan
XMAKE_JOBS_SAFE=	yes
X
XMAN8=		sagan.8
X
XUSERS=		sagan
XGROUPS=		sagan
X
X.include <bsd.port.options.mk>
X
X# The SUB_LIST entries set in the option blocks below are not referenced by
X# files/sagan.in (the only USE_RC_SUBR file); they are harmless but unused.
X
X.if ${PORT_OPTIONS:MESMTP}
X# The sagan binary links against libesmtp at run time, so this is a library
X# dependency on mail/libesmtp; mail/esmtp is the relay-only MTA that merely
X# depends on that library, and a BUILD_DEPENDS on it would not register the
X# shared library as a run-time dependency of the package.
XLIB_DEPENDS+=	esmtp:${PORTSDIR}/mail/libesmtp
XCONFIGURE_ARGS+=	--with-esmtp-includes=${LOCALBASE}/include \
X		--with-esmtp-libraries=${LOCALBASE}/lib
XSUB_LIST+=	ESMTP=" esmtp"
X.else
XCONFIGURE_ARGS+=	--disable-esmtp
XSUB_LIST+=	ESMTP=""
X.endif
X
X.if ${PORT_OPTIONS:MLIBDNET}
XLIB_DEPENDS+=	dnet:${PORTSDIR}/net/libdnet
XCONFIGURE_ARGS+=	--with-libdnet-includes=${LOCALBASE}/include/dnet \
X		--with-libdnet-libraries=${LOCALBASE}/lib
XSUB_LIST+=	LIBDNET=" libdnet"
X.else
XCONFIGURE_ARGS+=	--disable-libdnet
XSUB_LIST+=	LIBDNET=""
X.endif
X
X.if ${PORT_OPTIONS:MLIBPCAP}
XLIB_DEPENDS+=	pcap:${PORTSDIR}/net/libpcap
XCONFIGURE_ARGS+=	--with-libpcap-includes=${LOCALBASE}/include/pcap \
X		--with-libpcap-libraries=${LOCALBASE}/lib
XSUB_LIST+=	LIBPCAP=" libpcap"
X.else
XCONFIGURE_ARGS+=	--disable-libpcap
XSUB_LIST+=	LIBPCAP=""
X.endif
X
X.if ${PORT_OPTIONS:MLOGNORM}
X# liblognorm is linked at run time as well (see the ESMTP note above), so it
X# is a LIB_DEPENDS rather than a BUILD_DEPENDS on the lognormalizer binary.
XLIB_DEPENDS+=	lognorm:${PORTSDIR}/devel/liblognorm
XCONFIGURE_ARGS+=	--with-lognorm-includes=${LOCALBASE}/include \
X		--with-lognorm-libraries=${LOCALBASE}/lib
XSUB_LIST+=	LOGNORM=" lognorm"
X.else
XCONFIGURE_ARGS+=	--disable-lognorm
XSUB_LIST+=	LOGNORM=""
X.endif
X
X.if ${PORT_OPTIONS:MMYSQL}
XUSE_MYSQL=	yes
XCONFIGURE_ARGS+=	--with-mysql-includes=${LOCALBASE}/include/mysql \
X		--with-mysql-libraries=${LOCALBASE}/lib/mysql
XSUB_LIST+=	MYSQL=" mysql"
X.else
XCONFIGURE_ARGS+=	--disable-mysql
XSUB_LIST+=	MYSQL=""
X.endif
X
X.if ${PORT_OPTIONS:MPOSTGRESQL}
XUSE_PGSQL=	yes
XCONFIGURE_ARGS+=	--with-postgresql-includes=${LOCALBASE}/include \
X		--with-postgresql-libraries=${LOCALBASE}/lib
XSUB_LIST+=	POSTGRESQL=" postgresql"
X.else
XCONFIGURE_ARGS+=	--disable-postgresql
XSUB_LIST+=	POSTGRESQL=""
X.endif
X
X.if ${PORT_OPTIONS:MPRELUDE}
X# libprelude is linked at run time; same reasoning as for ESMTP and LOGNORM.
XLIB_DEPENDS+=	prelude:${PORTSDIR}/security/libprelude
XCONFIGURE_ARGS+=	--with-prelude-includes=${LOCALBASE}/include/prelude \
X		--with-prelude-libraries=${LOCALBASE}/lib
XSUB_LIST+=	PRELUDE=" prelude"
X.else
XCONFIGURE_ARGS+=	--disable-prelude
XSUB_LIST+=	PRELUDE=""
X.endif
X
X.if ${PORT_OPTIONS:MPULLEDPORK}
XRUN_DEPENDS+=	pulledpork.pl:${PORTSDIR}/security/pulledpork
X.endif
X
X.if ${PORT_OPTIONS:MRSYSLOG}
XRUN_DEPENDS+=	rsyslogd:${PORTSDIR}/sysutils/rsyslog${RSYSLOG_VER}
X.endif
X
X.if ${PORT_OPTIONS:MSNORTSAM}
XRUN_DEPENDS+=	snortsam:${PORTSDIR}/security/snortsam
X.endif
X
X.if ${PORT_OPTIONS:MSYSLOG-NG}
XRUN_DEPENDS+=	syslog-ng:${PORTSDIR}/sysutils/syslog-ng
X.endif
X
X.if ${PORT_OPTIONS:MOINKMASTER}
XRUN_DEPENDS+=	oinkmaster:${PORTSDIR}/security/oinkmaster
X.endif
X
X# NOTE: the recursive chown below also hands ${PREFIX}/etc/sagan (the config
X# file and the rules directory) to the daemon user. Sagan rules can trigger
X# script execution on a match, so a compromised sagan process that can rewrite
X# its own rules can escalate; leaving ${PREFIX}/etc/sagan root-owned and
X# world-readable, and chowning only the /var directories, is the safer choice.
Xpost-install:
X	${MKDIR} ${PREFIX}/etc/sagan ${PREFIX}/etc/sagan/rules
X	${INSTALL_DATA} ${WRKSRC}/etc/sagan.conf ${PREFIX}/etc/sagan/sagan.conf-sample
X	if [ ! -f ${PREFIX}/etc/sagan/sagan.conf ]; then \
X		${CP} -p ${PREFIX}/etc/sagan/sagan.conf-sample ${PREFIX}/etc/sagan/sagan.conf; \
X	fi
X
X	${MKDIR} /var/account/sagan /var/run/sagan /var/log/sagan
X
X	${CHOWN} -R sagan:sagan /var/account/sagan /var/run/sagan /var/log/sagan ${PREFIX}/etc/sagan
X
X	${RM} ${PREFIX}/etc/sagan.conf
X
X	@${CAT} ${PKGMESSAGE}
X
X.include <bsd.port.mk>
b56f1d469d3632db92241e71561bcbf5
echo x - sagan/distinfo
sed 's/^X//' >sagan/distinfo << '860e81e0f201f15ded3a34ee19859117'
XSHA256 (sagan-0.2.2.tar.gz) = f3580be0b18b5837d68151d1cb75e5d73f6f0b53f8f4a5d03e5495f6239a933b
XSIZE (sagan-0.2.2.tar.gz) = 247047
860e81e0f201f15ded3a34ee19859117
echo x - sagan/pkg-descr
sed 's/^X//' >sagan/pkg-descr << 'eb557add3b9643fd8df919a76a82a59f'
XSagan is an open source (GNU/GPLv2) high performance, real-time log
Xanalysis & correlation engine. It is written in C and uses a
Xmulti-threaded architecture to deliver high performance log & event
Xanalysis. The Sagan structure and Sagan rules work similarly to the
XSourcefire "Snort" IDS engine. This was intentionally done to maintain
Xcompatibility with rule management software (oinkmaster/pulledpork/etc)
Xand allows Sagan to correlate log events with your Snort IDS/IPS
Xsystem. Since Sagan can write to Snort IDS/IPS databases via
Xunified2/barnyard2 or direct SQL access, it is compatible with all
XSnort "consoles". For example, Sagan is compatible with Snorby
X[http://www.snorby.org], Sguil [http://sguil.sourceforge.net], BASE,
Xand the Prelude IDS framework! (to name a few).
X
XSagan supports many different output formats, log normalization
X(via liblognorm), script execution on event and automatic firewall
Xsupport via "Snortsam" (see http://www.snortsam.net).
X
XFor more information, please visit the Sagan wiki site:
Xhttps://wiki.quadrantsec.com/bin/view
XWWW: http://sagan.quadrantsec.com
eb557add3b9643fd8df919a76a82a59f
echo c - sagan/files
mkdir -p sagan/files > /dev/null 2>&1
echo x - sagan/files/sagan.in
sed 's/^X//' >sagan/files/sagan.in << '1f6003c74818d418d25fde1859f93ea1'
X#!/bin/sh
X
X# $FreeBSD$
X#
X# PROVIDE: sagan
X# REQUIRE: LOGIN
X# KEYWORD: shutdown
X#
X# Add the following lines to /etc/rc.conf.local or /etc/rc.conf
X# to enable this service:
X#
X# sagan_enable (bool):	Set to NO by default.
X#			Set it to YES to enable sagan.
X# sagan_config (path):	Set to %%PREFIX%%/etc/sagan/sagan.conf
X#			by default.
X
X. /etc/rc.subr
X
Xname=sagan
Xrcvar=sagan_enable
X
Xload_rc_config $name
X
X: ${sagan_enable:="NO"}
X: ${sagan_config:="%%PREFIX%%/etc/sagan/sagan.conf"}
X
Xcommand=%%PREFIX%%/sbin/${name}
Xpidfile=/var/run/sagan/${name}.pid
X
Xcommand_args="-f $sagan_config -D"
X
Xrun_rc_command "$1"
1f6003c74818d418d25fde1859f93ea1
echo x - sagan/files/patch-sagan.conf
sed 's/^X//' >sagan/files/patch-sagan.conf << '9632059165e5878952fdb0654e7b2801'
X--- etc/sagan.conf.orig	2012-11-12 16:55:38.000000000 +0000
X+++ etc/sagan.conf	2012-11-12 16:58:13.000000000 +0000
X@@ -15,13 +15,13 @@
X #
X # [Required]
X 
X-var FIFO /var/run/sagan.fifo
X+var FIFO /var/run/sagan/sagan.fifo
X 
X # This variable contains the path of the Sagan rule sets. It is required.
X #
X # [Required]
X 
X-var RULE_PATH /usr/local/etc/sagan-rules
X+var RULE_PATH %%PREFIX%%/etc/sagan/rules
X 
X # Where Sagan should store it's lock file.
X #
9632059165e5878952fdb0654e7b2801
echo x - sagan/pkg-plist
sed 's/^X//' >sagan/pkg-plist << '199cf886b5505c9939cd43009eebc940'
Xbin/sagan
Xsbin/sagan
X@unexec if cmp -s %D/etc/sagan/sagan.conf-sample %D/etc/sagan/sagan.conf; then rm -f %D/etc/sagan/sagan.conf; fi
Xetc/sagan/sagan.conf-sample
X@exec if [ ! -f %D/etc/sagan/sagan.conf ] ; then cp -p %D/%F %D/etc/sagan/sagan.conf; fi
X@dirrmtry etc/sagan/rules
X@dirrmtry etc/sagan
X@dirrmtry /var/run/sagan
X@dirrmtry /var/log/sagan
X@dirrmtry /var/account/sagan
199cf886b5505c9939cd43009eebc940
echo x - sagan/pkg-message
sed 's/^X//' >sagan/pkg-message << 'db90f6ff91587acf8b97e29e9466e7eb'
X=======================================================================
XThe user and group 'sagan' were created to run the daemon and log to
Xits directories. Directories were created for sagan in /var/account,
X/var/run and /var/log. The /var/account directory is used for temp
Xfiles for esmtp, if you're using it. The log directory is where the
Xsagan "alert" logs and the sagan.log are stored. The run directory is
Xwhere the sagan.pid file is stored.
X
XIF YOU UNINSTALL SAGAN, the directories are not deleted because they
Xmay contain files created while sagan was running. If you don't
Xwant those directories, you will need to delete them manually. You
Xshould also delete the sagan user and group. (E.g. pw userdel sagan
Xand pw groupdel sagan)
X
XYou still need to do a few more things before you're up and running.
XSee https://wiki.quadrantsec.com/bin/view/Main/SaganHOWTO for more
Xinformation on configuring sagan for unified2 output support, prelude,
Xsnort, logzilla, libesmtp and other supported programs.
X
XYou will also need to download the sagan rules. They can be found at
Xhttp://sagan.softwink.com/rules. The process can be automated by using
Xpulledpork or oinkmaster to fetch them.
X=======================================================================
db90f6ff91587acf8b97e29e9466e7eb
exit
--- sagan.shar ends here ---
--- UIDs.diff begins here ---
--- UIDs.orig	2012-11-11 04:21:42.000000000 +0000
+++ UIDs	2012-11-11 06:29:02.000000000 +0000
@@ -155,6 +155,7 @@
 drweb:*:426:426::0:0:Dr.Web Mail Scanner:/nonexistent:/usr/sbin/nologin
 quasselcore:*:442:442::0:0:Quassel IRC User:/nonexistent:/usr/sbin/nologin
 callweaver:*:444:444::0:0:Callweaver account:/var/lib/callweaver:/usr/sbin/nologin
+sagan:*:450:450::0:0:Sagan account:/var/account/sagan:/usr/sbin/nologin
 courier:*:465:465::0:0:Courier Mail Server:/nonexistent:/usr/sbin/nologin
 condor:*:466:466::0:0:& user:/var/db/condor:/usr/sbin/nologin
 netmon:*:467:467::0:0:Network monitor account:/var/netmon:/usr/sbin/nologin
--- UIDs.diff ends here ---
--- GIDs.diff begins here ---
--- GIDs.orig	2012-11-11 04:22:00.000000000 +0000
+++ GIDs	2012-11-11 06:29:34.000000000 +0000
@@ -148,6 +148,7 @@
 drweb:*:426:
 quasselcore:*:442:
 callweaver:*:444:
+sagan:*:450:
 courier:*:465:
 condor:*:466:
 netmon:*:467:
--- GIDs.diff ends here ---
>Release-Note:
>Audit-Trail:
>Unformatted:
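Review bot: in files/patch-sagan.conf the line `+var RULE_PATH %%PREFIX%%/etc/sagan/rules` will be installed with the literal string `%%PREFIX%%`, because files/patch-* are applied by patch(1) and only the USE_RC_SUBR/SUB_FILES inputs (here files/sagan.in) get %%PREFIX%% expanded; the shipped sagan.conf-sample would point at a rules directory that does not exist. Either hardcode the path in the patch the way the FIFO line already does, or drop that hunk line and substitute in the Makefile with `${REINPLACE_CMD} -e 's|/usr/local/etc/sagan-rules|${PREFIX}/etc/sagan/rules|' ${WRKSRC}/etc/sagan.conf` in a post-patch target. Separately, the new FIFO path `/var/run/sagan/sagan.fifo` is created by nothing in the submission: post-install makes /var/run/sagan but not the FIFO, the rc script does not mkfifo it, and pkg-message does not tell the administrator to. Since the syslog daemon writes to that FIFO and the sagan user reads it, the mkfifo and its owner/mode (writable by the syslog daemon, readable by sagan, not world-writable) should be documented in pkg-message or done in post-install.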
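Review bot: UIDs.diff and GIDs.diff must be committed together and before (or with) the port, because the Makefile's USERS=sagan and GROUPS=sagan are resolved against ports/UIDs and ports/GIDs at install time and the pkg-message already describes the account as existing. UID/GID 450 is free in the shown context (between callweaver 444 and courier 465), but both files should be checked for an existing 450 outside this hunk before committing. Unlike the neighbouring entries that use /nonexistent, the home directory /var/account/sagan only exists once this port's post-install has run and is owned by the daemon user; that matches the pkg-message explanation (esmtp temp files), but it is worth a comment in the PR so a later reviewer does not "fix" it to /nonexistent.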
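The sample-config dance that this port implements twice, once in the Makefile's post-install target and once in the pkg-plist @exec/@unexec lines, is easy to get subtly wrong (the plist line in the original submission used `%B/etc/sagan/sagan.conf`, which expands to `${PREFIX}/etc/sagan/etc/sagan/sagan.conf`). Below is an added example, not part of the PR and not code from the sagan project or the ports framework, that writes the same install/upgrade/deinstall rules as plain sh functions against a scratch prefix so they can be exercised end to end. The prefix layout and the file contents are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the PR): the sample-config lifecycle that the
# port's post-install target and pkg-plist @exec/@unexec lines implement,
# written as plain sh against a scratch prefix. The layout
# $PREFIX/etc/sagan/{sagan.conf-sample,sagan.conf,rules/} mirrors the port;
# the config contents are constructed here.

# install_conf PREFIX SAMPLE_SRC
#   Mirrors post-install + the @exec line: install the pristine sample as
#   sagan.conf-sample and seed sagan.conf from it only if no live config
#   exists yet, so a package upgrade never clobbers an admin-edited file.
install_conf() {
    prefix=$1; src=$2
    mkdir -p "$prefix/etc/sagan/rules"
    cp "$src" "$prefix/etc/sagan/sagan.conf-sample"
    if [ ! -f "$prefix/etc/sagan/sagan.conf" ]; then
        cp -p "$prefix/etc/sagan/sagan.conf-sample" "$prefix/etc/sagan/sagan.conf"
    fi
}

# deinstall_conf PREFIX
#   Mirrors the @unexec line and @dirrmtry: remove the live config only when
#   it is still byte-identical to the sample (the admin never touched it),
#   always remove the package-owned sample, then drop the directories only
#   if they are empty.
deinstall_conf() {
    prefix=$1
    if cmp -s "$prefix/etc/sagan/sagan.conf-sample" "$prefix/etc/sagan/sagan.conf"; then
        rm -f "$prefix/etc/sagan/sagan.conf"
    fi
    rm -f "$prefix/etc/sagan/sagan.conf-sample"
    rmdir "$prefix/etc/sagan/rules" "$prefix/etc/sagan" 2>/dev/null || true
}

# live_conf_state PREFIX -> prints: missing | pristine | modified
live_conf_state() {
    prefix=$1
    if [ ! -f "$prefix/etc/sagan/sagan.conf" ]; then
        echo missing
    elif cmp -s "$prefix/etc/sagan/sagan.conf-sample" "$prefix/etc/sagan/sagan.conf"; then
        echo pristine
    else
        echo modified
    fi
}

# run_lifecycle -> prints the four states observed across
#   install / edit+upgrade / deinstall-with-edits / clean install+deinstall
run_lifecycle() {
    work=$(mktemp -d)
    # Constructed stand-in for the upstream etc/sagan.conf.
    printf 'var FIFO /var/run/sagan/sagan.fifo\n' > "$work/sagan.conf.dist"

    install_conf "$work/prefix" "$work/sagan.conf.dist"
    s1=$(live_conf_state "$work/prefix")            # pristine: first install seeded it

    echo 'var RULE_PATH /usr/local/etc/sagan/rules' >> "$work/prefix/etc/sagan/sagan.conf"
    install_conf "$work/prefix" "$work/sagan.conf.dist"   # simulate a package upgrade
    s2=$(live_conf_state "$work/prefix")            # modified: the edit survived

    deinstall_conf "$work/prefix"
    s3=$(live_conf_state "$work/prefix")            # modified: edited file is kept

    rm -f "$work/prefix/etc/sagan/sagan.conf"       # admin cleans up by hand
    install_conf "$work/prefix" "$work/sagan.conf.dist"
    deinstall_conf "$work/prefix"
    s4=$(live_conf_state "$work/prefix")            # missing: untouched config removed

    rm -rf "$work"
    echo "$s1 $s2 $s3 $s4"
}
```

Running `run_lifecycle` prints `pristine modified modified missing`; the third state is the property the @unexec `cmp -s` guard exists to provide, and the fourth shows that a never-edited config does not linger after pkg_delete.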
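The distinfo file in the shar is the only thing standing between `make fetch` and whatever http://sagan.quadrantsec.com/download/ happens to serve: the framework compares the downloaded file's size (at fetch time) and SHA256 (at `make checksum`) against the two recorded lines and refuses to build on a mismatch. The following is an added example, not the ports framework's own code, that spells that gate out as sh functions and runs them against a constructed stand-in distfile, a same-length tampered copy, a truncated-length copy and an unlisted file. The distinfo format (`SHA256 (file) = hex`, `SIZE (file) = bytes`) is the real one; the file contents are constructed.

```shell
#!/bin/sh
# Added example (not from the PR or bsd.port.mk): the distinfo gate that
# protects a port against a swapped or corrupted distfile, written out so
# the two checks are visible. Both SIZE and SHA256 must match.

# sha256_of FILE -> lowercase hex digest; portable across GNU, FreeBSD and
# perl shasum tool sets.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    elif command -v sha256 >/dev/null 2>&1; then        # FreeBSD base
        sha256 -q "$1"
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# distinfo_field DISTINFO KEY DISTFILE -> recorded value, empty if absent
#   distinfo lines look like:  SHA256 (sagan-0.2.2.tar.gz) = <hex>
distinfo_field() {
    sed -n "s/^$2 ($3) = //p" "$1"
}

# verify_distfile DISTINFO PATH -> prints ok | bad-size | bad-hash | unlisted
#   SIZE is the cheap early check for a truncated or wrong download;
#   SHA256 is the integrity check. Size is compared first, as fetch does.
verify_distfile() {
    dinfo=$1; path=$2; base=$(basename "$path")
    want_sha=$(distinfo_field "$dinfo" SHA256 "$base")
    want_size=$(distinfo_field "$dinfo" SIZE "$base")
    [ -n "$want_sha" ] && [ -n "$want_size" ] || { echo unlisted; return 0; }
    have_size=$(wc -c < "$path" | tr -d ' ')
    [ "$have_size" = "$want_size" ] || { echo bad-size; return 0; }
    [ "$(sha256_of "$path")" = "$want_sha" ] || { echo bad-hash; return 0; }
    echo ok
}

# demo -> runs the gate against a constructed distfile and three bad variants
demo() {
    work=$(mktemp -d)
    dist="$work/sagan-0.2.2.tar.gz"
    printf 'constructed stand-in for sagan-0.2.2.tar.gz\n' > "$dist"
    # What a maintainer's `make makesum` would record for this file.
    {
        echo "SHA256 (sagan-0.2.2.tar.gz) = $(sha256_of "$dist")"
        echo "SIZE (sagan-0.2.2.tar.gz) = $(wc -c < "$dist" | tr -d ' ')"
    } > "$work/distinfo"
    r1=$(verify_distfile "$work/distinfo" "$dist")           # ok

    # Same length, one byte changed: SIZE passes, SHA256 must catch it.
    printf 'constructed stand-in for sagan-0.2.2.tar.gZ\n' > "$dist"
    r2=$(verify_distfile "$work/distinfo" "$dist")           # bad-hash

    echo extra >> "$dist"
    r3=$(verify_distfile "$work/distinfo" "$dist")           # bad-size

    cp "$work/distinfo" "$work/other"
    r4=$(verify_distfile "$work/distinfo" "$work/other")     # unlisted

    rm -rf "$work"
    echo "$r1 $r2 $r3 $r4"
}
```

`demo` prints `ok bad-hash bad-size unlisted`. The second case is the one that matters for supply-chain review of a port submission: a mirror serving a same-sized but altered tarball is only caught because the committed SHA256 came from the maintainer's copy, which is why a reviewer should independently fetch the distfile and compare against the submitted distinfo rather than trusting the shar's checksum line.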
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20121112170655.BE1FCDCA82A>