Date: Fri, 25 Dec 2009 21:30:07 GMT From: olli hauer <ohauer@gmx.de> To: freebsd-ports-bugs@FreeBSD.org Subject: Re: ports/140881: [patch] port security/snortsam update to version 2.68 Message-ID: <200912252130.nBPLU7is087466@freefall.freebsd.org>
next in thread | raw e-mail | index | archive | help
The following reply was made to PR ports/140881; it has been noted by GNATS. From: olli hauer <ohauer@gmx.de> To: bug-followup@FreeBSD.org, ohauer@gmx.de Cc: ohauer@gmx.de Subject: Re: ports/140881: [patch] port security/snortsam update to version 2.68 Date: Fri, 25 Dec 2009 22:20:43 +0100 (CET) This patch updates snortsam from version 2.63 to version 2.69 Since the snortsam config files/directory contains sensitive data like passwords for FW/routers ... the config file is moved to a own config directory and the mode of this directory is set to 700 with owner root:wheel If the Maintainer times out I will be happy to take over the port, since I rewrote the ssp_pf(2) modules and buildscripts (upstream). -- olli hauer --- patch_snortsam-2.69_v2.txt begins here --- --- snortsam/Makefile +++ snortsam/Makefile @@ -6,62 +6,85 @@ # PORTNAME= snortsam -PORTVERSION= 2.63 +PORTVERSION= 2.69 CATEGORIES= security -MASTER_SITES= http://www.snortsam.net/files/snortsam/ \ - http://www.freebsdbrasil.com.br/~urisso/files/snortsam/ +MASTER_SITES= http://www.snortsam.net/files/snortsam/ DISTNAME= ${PORTNAME}-src-${PORTVERSION} MAINTAINER= urisso@bsd.com.br COMMENT= SnortSam is a output plugin for Snort -WRKSRC= ${WRKDIR}/${PKGNAMEPREFIX}${PORTNAME} +OPTIONS= IPFW "checks if configured tables are available" on \ + SAMTOOL "install samtool" on \ + DEBUG "build with verbose messages" off -HAS_CONFIGURE= yes -NO_BUILD= yes +.include <bsd.port.pre.mk> -SYSCONFDIR= ${PREFIX}/etc/snortsam +USE_RC_SUBR= snortsam.sh +SUB_FILES= pkg-message \ + pkg-install -CONFIGURE_SCRIPT= makesnortsam.sh +HAS_CONFIGURE= yes +NO_BUILD= yes +CONFIGURE_SCRIPT= src/Makefile +WRKSRC= ${WRKDIR}/${PKGNAMEPREFIX}${PORTNAME} -USE_RC_SUBR= snortsam.sh +CONFIG_DIR?= ${PREFIX}/etc/snortsam PLIST_DIRS= etc/snortsam -PLIST_FILES= etc/snortsam/rootservers.cfg etc/snortsam/snortsam.conf.sample sbin/snortsam sbin/snortsam-debug -PORTDOCS= INSTALL README README.conf README.snmp_interface_down +PLIST_FILES= sbin/snortsam \ + etc/snortsam/snortsam.conf.sample \ + etc/snortsam/country-rootservers.conf.sample \ + etc/snortsam/rootservers.cfg.sample -OPTIONS= IPFW "Enable IPFW table checking if it set deny rules" on +.if defined(WITH_SAMTOOL) +PLIST_FILES+= sbin/samtool +.endif -.include <bsd.port.pre.mk> +PORTDOCS= AUTHORS BUGS CREDITS FAQ INSTALL LICENSE README README.ciscoacl \ + README.conf README.iptables README.netscreen README.pf README.pf2 \ + README.rules README.slackware README.snmp_interface_down README.wgrd \ + README_8signs.rtf TODO .if defined(WITHOUT_IPFW) -PATCH_SITES+=http://www.freebsdbrasil.com.br/~urisso/files/snortsam/:ipfw -PATCHFILES+=ssp_ipfw2.c.diff:ipfw +EXTRA_PATCHES+= ${FILESDIR}/ssp_ipfw2_no_table_check.patch .endif -post-extract: - @${CAT} ${PATCHDIR}/pkg-message-snortsam - @sleep 5 +.if defined(WITH_DEBUG) +DEBUG=-DDEBUG +.endif pre-configure: - ${REINPLACE_CMD} -e 's|/etc/snortsam.conf|/usr/local/etc/snortsam.conf|g' ${WRKSRC}/conf/snortsam.conf.sample - ${REINPLACE_CMD} -e 's|/etc/snortsam.conf|/usr/local/etc/snortsam.conf|g' ${WRKSRC}/docs/README.conf - ${REINPLACE_CMD} -e 's|/etc/snortsam.conf|/usr/local/etc/snortsam.conf|g' ${WRKSRC}/src/snortsam.c - ${REINPLACE_CMD} -e 's|/etc/snortsam.conf|/usr/local/etc/snortsam.conf|g' ${WRKSRC}/contrib/snortsam-state.c - ${CHMOD} +x ${WRKSRC}/makesnortsam.sh + @${REINPLACE_CMD} -e "s|/etc/snortsam.conf|${CONFIG_DIR}/snortsam.conf|g" ${WRKSRC}/conf/snortsam.conf.sample + @${REINPLACE_CMD} -e "s|/etc/snortsam.conf|${CONFIG_DIR}/snortsam.conf|g" ${WRKSRC}/docs/README.conf + @${REINPLACE_CMD} -e "s|/etc/snortsam.conf|${CONFIG_DIR}/snortsam.conf|g" ${WRKSRC}/src/snortsam.h + @${REINPLACE_CMD} -e "s|/etc/snortsam.conf|${CONFIG_DIR}/snortsam.conf|g" ${WRKSRC}/contrib/snortsam-state.c + @${CHMOD} +x ${WRKSRC}/makesnortsam.sh + +do-configure: + @cd ${WRKSRC}/src && ${MAKE} ${DEBUG} + @cd ${WRKSRC}/src && ${MAKE} samtool ${DEBUG} +# no access to snortsam.conf and samtool for non root users! do-install: - ${INSTALL_PROGRAM} ${WRKSRC}/snortsam ${PREFIX}/sbin - ${INSTALL_PROGRAM} ${WRKSRC}/snortsam-debug ${PREFIX}/sbin - ${MKDIR} ${SYSCONFDIR} - ${INSTALL_DATA} ${WRKSRC}/conf/snortsam.conf.sample ${SYSCONFDIR}/snortsam.conf.sample - ${INSTALL_DATA} ${WRKSRC}/conf/*rootservers.cfg ${SYSCONFDIR}/ + @${INSTALL_PROGRAM} ${WRKSRC}/snortsam ${PREFIX}/sbin +.if defined(WITH_SAMTOOL) + @${INSTALL} -o root -g wheel -m 500 ${WRKSRC}/samtool ${PREFIX}/sbin +.endif + @${MKDIR} -m 700 ${CONFIG_DIR} + @${INSTALL_DATA} -m 600 ${WRKSRC}/conf/snortsam.conf.sample ${CONFIG_DIR}/snortsam.conf.sample + @${INSTALL_DATA} ${WRKSRC}/conf/rootservers.cfg ${CONFIG_DIR}/rootservers.cfg.sample + @${INSTALL_DATA} ${WRKSRC}/conf/country-rootservers.conf ${CONFIG_DIR}/country-rootservers.conf.sample .if !defined(NOPORTDOCS) + @${MKDIR} ${DOCSDIR} .for f in ${PORTDOCS} - ${MKDIR} ${DOCSDIR} - ${INSTALL_DATA} ${WRKSRC}/docs/${f} ${DOCSDIR} + @${INSTALL_DATA} ${WRKSRC}/docs/${f} ${DOCSDIR} .endfor .endif +post-install: + @${SH} ${PKGINSTALL} ${DISTNAME} POST-INSTALL + @${CAT} ${PKGMESSAGE} + .include <bsd.port.post.mk> --- snortsam/distinfo +++ snortsam/distinfo @@ -1,3 +1,3 @@ -MD5 (snortsam-src-2.63.tar.gz) = d74f5e744358bc9da85ad9d4fb393f76 -SHA256 (snortsam-src-2.63.tar.gz) = f56208e2cba56c55bb97c09582b71e3d9c1c05c551df2cc59f493910e9f403a3 -SIZE (snortsam-src-2.63.tar.gz) = 1967776 +MD5 (snortsam-src-2.69.tar.gz) = 7663ce82956a97c5f725028716d66140 +SHA256 (snortsam-src-2.69.tar.gz) = eb0dc0ebd65b6d15e3adabd7be2720221005683eefb7ca5986b9ca0284d55f92 +SIZE (snortsam-src-2.69.tar.gz) = 1971579 --- snortsam/files/patch-snortsam.h +++ snortsam/files/patch-snortsam.h @@ -1,16 +0,0 @@ ---- src/snortsam.h.old 2008-08-03 00:08:34.000000000 -0300 -+++ src/snortsam.h 2008-08-03 00:10:58.000000000 -0300 -@@ -178,10 +178,10 @@ - #define safecopy(dst,src) _safecp(dst,sizeof(dst),src) - - #ifdef WIN32 --#define FWSAMCONFIGFILE "snortsam.cfg" --#define FWSAMHISTORYFILE "snortsam.sta" -+#define FWSAMCONFIGFILE "/usr/local/etc/snortsam.cfg" -+#define FWSAMHISTORYFILE "/var/db/snortsam.sta" - #else --#define FWSAMCONFIGFILE "/etc/snortsam.conf" -+#define FWSAMCONFIGFILE "/usr/local/etc/snortsam.conf" - #define FWSAMHISTORYFILE "/var/db/snortsam.state" - #endif - --- snortsam/files/pkg-install.in +++ snortsam/files/pkg-install.in @@ -0,0 +1,17 @@ +#!/bin/sh +# +# $FreeBSD$ + +ETCDIR=${ETCDIR:=%%ETCDIR%%} + +# snortsam config file contain sensitive data like +# passwords needed to block IP's on the firewalls. +# Set permission of the config dir to 700 so only +# root:wheel can access this directory. +if [ "$2" = "POST-INSTALL" ]; then + if [ -d ${ETCDIR} ]; then + /usr/sbin/chown root:wheel ${ETCDIR} + /bin/chmod 700 ${ETCDIR} + fi +fi + --- snortsam/files/pkg-message-snortsam +++ snortsam/files/pkg-message-snortsam @@ -1,10 +0,0 @@ - -============================================================ -NOTE: Make sure that your SNORT installation it is defined - output plugin SNORTSAM for don't cause errors while - building SNORTSAM system. If exists some OLD SNORT - installation WITHOUT supports for interaction between - SNORT and SNORTSAM. PLEASE reconfigure WITH that this - feature and rebuild a new installation. -============================================================= - --- snortsam/files/pkg-message.in +++ snortsam/files/pkg-message.in @@ -0,0 +1,18 @@ +================================================================ +NOTE: SNORT have to be build with OPTION SNORTSAM. + + To enable snortsam as output plugin for snort a config + line like the following should be present in snort.conf + + output alert_fwsam: <snortsambox>:<port>/<password> + + With samtool it is possible to send alerts to snortsam, + this way you can test and adjust your FW rules. + + For more information read the INSTALL, FAQ, README + files in %%DOCSDIR%% + + Additional consolidate http://snortsam.net + +============================================================== + --- snortsam/files/snortsam.sh.in +++ snortsam/files/snortsam.sh.in @@ -1,31 +1,30 @@ #!/bin/sh -# $FreeBSD: +# $FreeBSD$ # PROVIDE: snortsam # REQUIRE: DAEMON -# BEFORE: LOGIN +# BEFORE: LOGIN # KEYWORD: shutdown -# Add the following lines to /etc/rc.conf to enable snortsam: -# snortsam_enable (bool): Set to YES to enable snortsam -# Default: NO -# snortsam_flags (str): Extra flags passed to snortsam -# Default: "" -# snortsam_conf (str): Snortsam configuration file -# Default: ${PREFIX}/etc/snortsam/snortsam.conf # - +# Add the following line to /etc/rc.conf to enable snortsam: +# +# snortsam_enable="YES" +# +# # optional Snortsam configuration file: +# snortsam_conf="%%ETCDIR%%/snortsam.conf" +# +# DO NOT CHANGE THE DEFAULT VALUES HERE +# . %%RC_SUBR%% name="snortsam" rcvar=`set_rcvar` +load_rc_config snortsam +# defaults command="%%PREFIX%%/sbin/snortsam" - -load_rc_config $name - -[ -z "$snortsam_enable" ] && snortsam_enable="NO" -[ -z "$snortsam_conf" ] && snortsam_conf="%%PREFIX%%/etc/snortsam/snortsam.conf" -[ -n "$snortsam_conf" ] && snortsam_flags="$snortsam_flags $snortsam_conf" +snortsam_enable=${snortsam_enable:-"NO"} +snortsam_flags=${snortsam_conf:-"%%ETCDIR%%/snortsam.conf"} run_rc_command "$1" --- snortsam/files/ssp_ipfw2_no_table_check.patch +++ snortsam/files/ssp_ipfw2_no_table_check.patch @@ -0,0 +1,18 @@ +--- src/ssp_ipfw2.c.orig 2008-04-26 21:53:21.000000000 +0200 ++++ src/ssp_ipfw2.c 2009-11-14 22:03:41.000000000 +0100 +@@ -91,6 +91,7 @@ + } + } + } ++#if defined(ENABLE_IPFW_TABLE_CHECK) + /* Check if inbound table exists */ + snprintf(chk,sizeof(chk)-1,"/sbin/ipfw show | grep -q \"deny ip from any to table(%u) via %s\"",ipfw2p->in_table,ipfw2p->interface); + if(system(chk)) +@@ -110,6 +111,7 @@ + } + } + ++#endif /* ENABLE_IPFW_TABLE_CHECK */ + #ifdef FWSAMDEBUG + if(plugindatalist->data) + printf("Debug: [ipfw2] Adding IPFW2: i/f '%s', tables %u (in) and %u (out)\n", ipfw2p->interface, ipfw2p->in_table,ipfw2p->out_table); --- snortsam/pkg-descr +++ snortsam/pkg-descr @@ -1,5 +1,6 @@ -SnortSam is a plugin for Snort, an open-source light-weight -Intrusion Detection System (IDS). The plugin allows for -automated blocking of IP addresses on many firewalls. +SnortSam is an intelligent agent that allows the popular +open-source Intrusion Detection System called Snort to block +intruding connections by reconfiguration of many firewalls +and Cisco devices. WWW: http://www.snortsam.net --- patch_snortsam-2.69_v2.txt ends here ---
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200912252130.nBPLU7is087466>