Date:      Fri, 25 Dec 2009 21:30:07 GMT
From:      olli hauer <ohauer@gmx.de>
To:        freebsd-ports-bugs@FreeBSD.org
Subject:   Re: ports/140881: [patch] port security/snortsam update to version 2.68
Message-ID:  <200912252130.nBPLU7is087466@freefall.freebsd.org>

The following reply was made to PR ports/140881; it has been noted by GNATS.

From: olli hauer <ohauer@gmx.de>
To: bug-followup@FreeBSD.org, ohauer@gmx.de
Cc: ohauer@gmx.de
Subject: Re: ports/140881: [patch] port security/snortsam update to version 2.68
Date: Fri, 25 Dec 2009 22:20:43 +0100 (CET)

 This patch updates snortsam from version 2.63 to version 2.69
 
 Since the snortsam config files/directory contain sensitive
 data like passwords for FW/routers, the config file is moved
 to its own config directory and the mode of this directory is set
 to 700 with owner root:wheel.
 
 If the Maintainer times out I will be happy to take over the port,
 since I rewrote the ssp_pf(2) modules and buildscripts (upstream).
 
 --
 olli hauer
 
 --- patch_snortsam-2.69_v2.txt begins here ---
 --- snortsam/Makefile
 +++ snortsam/Makefile
 @@ -6,62 +6,85 @@
  #
  
  PORTNAME=	snortsam
 -PORTVERSION=	2.63
 +PORTVERSION=	2.69
  CATEGORIES=	security
 -MASTER_SITES=	http://www.snortsam.net/files/snortsam/ \
 -		http://www.freebsdbrasil.com.br/~urisso/files/snortsam/
 +MASTER_SITES=	http://www.snortsam.net/files/snortsam/
  DISTNAME=	${PORTNAME}-src-${PORTVERSION}
  
  MAINTAINER=	urisso@bsd.com.br
  COMMENT=	SnortSam is a output plugin for Snort
  
 -WRKSRC=		${WRKDIR}/${PKGNAMEPREFIX}${PORTNAME}
 +OPTIONS=	IPFW	"checks if configured tables are available" on \
 +		SAMTOOL "install samtool" on \
 +		DEBUG	"build with verbose messages" off
  
 -HAS_CONFIGURE=	yes
 -NO_BUILD=	yes
 +.include <bsd.port.pre.mk>
  
 -SYSCONFDIR=	${PREFIX}/etc/snortsam
 +USE_RC_SUBR=	snortsam.sh
 +SUB_FILES=	pkg-message \
 +		pkg-install
  
 -CONFIGURE_SCRIPT=	makesnortsam.sh
 +HAS_CONFIGURE=	yes
 +NO_BUILD=	yes
 +CONFIGURE_SCRIPT=	src/Makefile
 +WRKSRC=		${WRKDIR}/${PKGNAMEPREFIX}${PORTNAME}
  
 -USE_RC_SUBR=	snortsam.sh
 +CONFIG_DIR?=	${PREFIX}/etc/snortsam
  
  PLIST_DIRS=	etc/snortsam
 -PLIST_FILES=	etc/snortsam/rootservers.cfg etc/snortsam/snortsam.conf.sample sbin/snortsam sbin/snortsam-debug
 -PORTDOCS=	INSTALL README README.conf README.snmp_interface_down
 +PLIST_FILES=	sbin/snortsam \
 +		etc/snortsam/snortsam.conf.sample \
 +		etc/snortsam/country-rootservers.conf.sample \
 +		etc/snortsam/rootservers.cfg.sample
  
 -OPTIONS=	IPFW	"Enable IPFW table checking if it set deny rules" on
 +.if defined(WITH_SAMTOOL)
 +PLIST_FILES+=	sbin/samtool
 +.endif
  
 -.include <bsd.port.pre.mk>
 +PORTDOCS=	AUTHORS BUGS CREDITS FAQ INSTALL LICENSE README README.ciscoacl \
 +		README.conf README.iptables README.netscreen README.pf README.pf2 \
 +		README.rules README.slackware README.snmp_interface_down README.wgrd \
 +		README_8signs.rtf TODO
  
  .if defined(WITHOUT_IPFW)
 -PATCH_SITES+=http://www.freebsdbrasil.com.br/~urisso/files/snortsam/:ipfw
 -PATCHFILES+=ssp_ipfw2.c.diff:ipfw
 +EXTRA_PATCHES+=	${FILESDIR}/ssp_ipfw2_no_table_check.patch
  .endif
  
 -post-extract:
 -	@${CAT} ${PATCHDIR}/pkg-message-snortsam
 -	@sleep 5
 +.if defined(WITH_DEBUG)
 +DEBUG=-DDEBUG
 +.endif
  
  pre-configure:
 -	${REINPLACE_CMD} -e 's|/etc/snortsam.conf|/usr/local/etc/snortsam.conf|g' ${WRKSRC}/conf/snortsam.conf.sample
 -	${REINPLACE_CMD} -e 's|/etc/snortsam.conf|/usr/local/etc/snortsam.conf|g' ${WRKSRC}/docs/README.conf
 -	${REINPLACE_CMD} -e 's|/etc/snortsam.conf|/usr/local/etc/snortsam.conf|g' ${WRKSRC}/src/snortsam.c
 -	${REINPLACE_CMD} -e 's|/etc/snortsam.conf|/usr/local/etc/snortsam.conf|g' ${WRKSRC}/contrib/snortsam-state.c
 -	${CHMOD} +x ${WRKSRC}/makesnortsam.sh
 +	@${REINPLACE_CMD} -e "s|/etc/snortsam.conf|${CONFIG_DIR}/snortsam.conf|g" ${WRKSRC}/conf/snortsam.conf.sample
 +	@${REINPLACE_CMD} -e "s|/etc/snortsam.conf|${CONFIG_DIR}/snortsam.conf|g" ${WRKSRC}/docs/README.conf
 +	@${REINPLACE_CMD} -e "s|/etc/snortsam.conf|${CONFIG_DIR}/snortsam.conf|g" ${WRKSRC}/src/snortsam.h
 +	@${REINPLACE_CMD} -e "s|/etc/snortsam.conf|${CONFIG_DIR}/snortsam.conf|g" ${WRKSRC}/contrib/snortsam-state.c
 +	@${CHMOD} +x ${WRKSRC}/makesnortsam.sh
 +
 +do-configure:
 +	@cd ${WRKSRC}/src && ${MAKE} ${DEBUG}
 +	@cd ${WRKSRC}/src && ${MAKE} samtool ${DEBUG}
  
 +# no access to snortsam.conf and samtool for non root users!
  do-install:
 -	${INSTALL_PROGRAM} ${WRKSRC}/snortsam ${PREFIX}/sbin
 -	${INSTALL_PROGRAM} ${WRKSRC}/snortsam-debug ${PREFIX}/sbin
 -	${MKDIR} ${SYSCONFDIR}
 -	${INSTALL_DATA} ${WRKSRC}/conf/snortsam.conf.sample ${SYSCONFDIR}/snortsam.conf.sample
 -	${INSTALL_DATA} ${WRKSRC}/conf/*rootservers.cfg ${SYSCONFDIR}/
 +	@${INSTALL_PROGRAM} ${WRKSRC}/snortsam ${PREFIX}/sbin
 +.if defined(WITH_SAMTOOL)
 +	@${INSTALL} -o root -g wheel -m 500 ${WRKSRC}/samtool ${PREFIX}/sbin
 +.endif
 +	@${MKDIR} -m 700 ${CONFIG_DIR}
 +	@${INSTALL_DATA} -m 600 ${WRKSRC}/conf/snortsam.conf.sample ${CONFIG_DIR}/snortsam.conf.sample
 +	@${INSTALL_DATA} ${WRKSRC}/conf/rootservers.cfg ${CONFIG_DIR}/rootservers.cfg.sample
 +	@${INSTALL_DATA} ${WRKSRC}/conf/country-rootservers.conf ${CONFIG_DIR}/country-rootservers.conf.sample
  
  .if !defined(NOPORTDOCS)
 +	@${MKDIR} ${DOCSDIR}
  .for f in ${PORTDOCS}
 -	${MKDIR} ${DOCSDIR}
 -	${INSTALL_DATA} ${WRKSRC}/docs/${f} ${DOCSDIR}
 +	@${INSTALL_DATA} ${WRKSRC}/docs/${f} ${DOCSDIR}
  .endfor
  .endif
  
 +post-install:
 +	@${SH} ${PKGINSTALL} ${DISTNAME} POST-INSTALL
 +	@${CAT} ${PKGMESSAGE}
 +
  .include <bsd.port.post.mk>
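Review bot: `CONFIG_DIR?=	${PREFIX}/etc/snortsam` lets the install directory be overridden, but `PLIST_DIRS` and `PLIST_FILES` stay hard-coded to `etc/snortsam`, and the new pkg-install script tightens `%%ETCDIR%%`, which presumably expands to the default path. With an overridden CONFIG_DIR, the directory that actually holds the firewall passwords would fall outside both the packing list and the chmod 700 step. Either make the assignment unconditional (`CONFIG_DIR=	${PREFIX}/etc/snortsam`) or derive the plist entries and the script's path from the same variable. Note also that `${MKDIR} -m 700` sets the mode only when it creates the directory (assuming MKDIR is `mkdir -p`, which the hunk does not show), so on an upgrade the restriction depends entirely on the post-install script.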
 --- snortsam/distinfo
 +++ snortsam/distinfo
 @@ -1,3 +1,3 @@
 -MD5 (snortsam-src-2.63.tar.gz) = d74f5e744358bc9da85ad9d4fb393f76
 -SHA256 (snortsam-src-2.63.tar.gz) = f56208e2cba56c55bb97c09582b71e3d9c1c05c551df2cc59f493910e9f403a3
 -SIZE (snortsam-src-2.63.tar.gz) = 1967776
 +MD5 (snortsam-src-2.69.tar.gz) = 7663ce82956a97c5f725028716d66140
 +SHA256 (snortsam-src-2.69.tar.gz) = eb0dc0ebd65b6d15e3adabd7be2720221005683eefb7ca5986b9ca0284d55f92
 +SIZE (snortsam-src-2.69.tar.gz) = 1971579
 --- snortsam/files/patch-snortsam.h
 +++ snortsam/files/patch-snortsam.h
 @@ -1,16 +0,0 @@
 ---- src/snortsam.h.old	2008-08-03 00:08:34.000000000 -0300
 -+++ src/snortsam.h	2008-08-03 00:10:58.000000000 -0300
 -@@ -178,10 +178,10 @@
 - #define safecopy(dst,src)		_safecp(dst,sizeof(dst),src)
 - 
 - #ifdef WIN32
 --#define FWSAMCONFIGFILE			"snortsam.cfg"
 --#define FWSAMHISTORYFILE			"snortsam.sta"
 -+#define FWSAMCONFIGFILE			"/usr/local/etc/snortsam.cfg"
 -+#define FWSAMHISTORYFILE			"/var/db/snortsam.sta"
 - #else
 --#define FWSAMCONFIGFILE			"/etc/snortsam.conf"
 -+#define FWSAMCONFIGFILE			"/usr/local/etc/snortsam.conf"
 - #define FWSAMHISTORYFILE			"/var/db/snortsam.state"  
 - #endif
 - 
 --- snortsam/files/pkg-install.in
 +++ snortsam/files/pkg-install.in
 @@ -0,0 +1,17 @@
 +#!/bin/sh
 +#
 +# $FreeBSD$
 +
 +ETCDIR=${ETCDIR:=%%ETCDIR%%}
 +
 +# snortsam config file contain sensitive data like 
 +# passwords needed to block IP's on the firewalls.
 +# Set permission of the config dir to 700 so only
 +# root:wheel can access this directory.
 +if [ "$2" = "POST-INSTALL" ]; then
 +    if [ -d ${ETCDIR} ]; then
 +        /usr/sbin/chown root:wheel ${ETCDIR}
 +        /bin/chmod 700 ${ETCDIR}
 +    fi
 +fi
 +
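Review bot: A failed `chown` is silently ignored here, since only the status of the final `chmod` reaches the caller, and `${ETCDIR}` is expanded unquoted in the `-d` test and in both commands. Because this step is what keeps the password-bearing config directory private, quote the expansions and fail loudly, e.g. `/usr/sbin/chown root:wheel "${ETCDIR}" && /bin/chmod 700 "${ETCDIR}" || exit 1`. A short comment that only the directory is tightened, and that an existing snortsam.conf keeps whatever mode it already has, would help the admin who reads this later.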
 --- snortsam/files/pkg-message-snortsam
 +++ snortsam/files/pkg-message-snortsam
 @@ -1,10 +0,0 @@
 -
 -============================================================
 -NOTE:	Make sure that your SNORT installation it is defined
 -	output plugin SNORTSAM for don't cause errors while
 -	building SNORTSAM system. If exists some OLD SNORT
 -	installation WITHOUT supports for interaction between
 -	SNORT and SNORTSAM. PLEASE reconfigure WITH that this
 -	feature and rebuild a new installation.
 -=============================================================
 -
 --- snortsam/files/pkg-message.in
 +++ snortsam/files/pkg-message.in
 @@ -0,0 +1,18 @@
 +================================================================
 +NOTE:   SNORT have to be build with OPTION SNORTSAM.
 +
 +	To enable snortsam as output plugin for snort a config
 +	line like the following should be present in snort.conf
 +
 +	  output alert_fwsam: <snortsambox>:<port>/<password>
 +
 +	With samtool it is possible to send alerts to snortsam,
 +	this way you can test and adjust your FW rules.
 +
 +        For more information read the INSTALL, FAQ, README 
 +        files in %%DOCSDIR%%
 +
 +        Additional consolidate http://snortsam.net
 +
 +==============================================================
 +
 --- snortsam/files/snortsam.sh.in
 +++ snortsam/files/snortsam.sh.in
 @@ -1,31 +1,30 @@
  #!/bin/sh
 -# $FreeBSD:
 +# $FreeBSD$
  
  # PROVIDE: snortsam
  # REQUIRE: DAEMON
 -# BEFORE: LOGIN
 +# BEFORE:  LOGIN
  # KEYWORD: shutdown
  
 -# Add the following lines to /etc/rc.conf to enable snortsam:
 -# snortsam_enable (bool):		Set to YES to enable snortsam
 -# 				Default: NO
 -# snortsam_flags (str):		Extra flags passed to snortsam
 -#				Default: ""
 -# snortsam_conf (str):		Snortsam configuration file
 -#				Default: ${PREFIX}/etc/snortsam/snortsam.conf
  #
 -
 +# Add the following line to /etc/rc.conf to enable snortsam:
 +#
 +#  snortsam_enable="YES"
 +#
 +#  # optional Snortsam configuration file:
 +#  snortsam_conf="%%ETCDIR%%/snortsam.conf"
 +#
 +# DO NOT CHANGE THE DEFAULT VALUES HERE
 +#
  . %%RC_SUBR%%
  
  name="snortsam"
  rcvar=`set_rcvar`
 +load_rc_config snortsam
  
 +# defaults
  command="%%PREFIX%%/sbin/snortsam"
 -
 -load_rc_config $name
 -
 -[ -z "$snortsam_enable" ]    && snortsam_enable="NO"
 -[ -z "$snortsam_conf" ]      && snortsam_conf="%%PREFIX%%/etc/snortsam/snortsam.conf"
 -[ -n "$snortsam_conf" ]      && snortsam_flags="$snortsam_flags $snortsam_conf"
 +snortsam_enable=${snortsam_enable:-"NO"}
 +snortsam_flags=${snortsam_conf:-"%%ETCDIR%%/snortsam.conf"}
  
  run_rc_command "$1"
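Review bot: `snortsam_flags=${snortsam_conf:-"%%ETCDIR%%/snortsam.conf"}` overwrites whatever `snortsam_flags` the admin set in rc.conf, whereas the removed code appended the config path to the existing flags. If that is intended, say so in the header comment, which no longer mentions `snortsam_flags` at all. Otherwise keep the flags and pass the file separately: `: ${snortsam_conf:="%%ETCDIR%%/snortsam.conf"}`, `command_args="${snortsam_conf}"`, `required_files="${snortsam_conf}"`. `required_files` also makes rc.subr refuse to start the daemon when the config file is missing or unreadable, rather than launching it with a path that does not exist.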
 --- snortsam/files/ssp_ipfw2_no_table_check.patch
 +++ snortsam/files/ssp_ipfw2_no_table_check.patch
 @@ -0,0 +1,18 @@
 +--- src/ssp_ipfw2.c.orig	2008-04-26 21:53:21.000000000 +0200
 ++++ src/ssp_ipfw2.c	2009-11-14 22:03:41.000000000 +0100
 +@@ -91,6 +91,7 @@
 + 				}
 + 			}
 + 		}
 ++#if defined(ENABLE_IPFW_TABLE_CHECK)
 + 		/* Check if inbound table exists */
 + 		snprintf(chk,sizeof(chk)-1,"/sbin/ipfw show | grep -q \"deny ip from any to table(%u) via %s\"",ipfw2p->in_table,ipfw2p->interface);
 + 		if(system(chk))
 +@@ -110,6 +111,7 @@
 + 			}
 + 		}
 + 				
 ++#endif	/* ENABLE_IPFW_TABLE_CHECK */
 + #ifdef FWSAMDEBUG
 + 		if(plugindatalist->data)
 + 			printf("Debug: [ipfw2] Adding IPFW2: i/f '%s', tables %u (in) and %u (out)\n", ipfw2p->interface, ipfw2p->in_table,ipfw2p->out_table);
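Review bot: The block this patch fences off with `#if defined(ENABLE_IPFW_TABLE_CHECK)` builds a shell command with `snprintf` from `ipfw2p->interface` and runs it through `system()`, and in the default build (patch not applied) that code stays active. The interface string presumably comes from snortsam.conf, so it is worth restricting it to interface-name characters before it reaches the command, or replacing the `ipfw show | grep` pipeline with a check that does not go through a shell. Separately, nothing visible defines ENABLE_IPFW_TABLE_CHECK, so a comment in the patch stating that the macro is intentionally never set would save the next maintainer a search. Both inner hunks start and end inside a function that is not shown.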
 --- snortsam/pkg-descr
 +++ snortsam/pkg-descr
 @@ -1,5 +1,6 @@
 -SnortSam is a plugin for Snort, an open-source light-weight
 -Intrusion Detection System (IDS). The plugin allows for
 -automated blocking of IP addresses on many firewalls.
 +SnortSam is an intelligent agent that allows the popular
 +open-source Intrusion Detection System called Snort to block
 +intruding connections by reconfiguration of many firewalls
 +and Cisco devices.
  
  WWW: http://www.snortsam.net
 --- patch_snortsam-2.69_v2.txt ends here ---


