opnsense/suricata-devel: upcoming version test

opnsense/suricata-devel/Makefile

@@ -0,0 +1,157 @@
+# $FreeBSD$
+
+PORTNAME=	suricata
+PKGNAMESUFFIX=	-devel
+DISTVERSION=	4.1.0-beta1
+CATEGORIES=	security
+MASTER_SITES=	http://www.openinfosecfoundation.org/download/
+
+MAINTAINER=	franco@opnsense.org
+COMMENT=	High Performance Network IDS, IPS and Security Monitoring engine
+
+LICENSE=	GPLv2
+LICENSE_FILE=	${WRKSRC}/LICENSE
+
+CONFLICTS_INSTALL=libhtp suricata
+
+LIB_DEPENDS=	libpcre.so:devel/pcre \
+		libnet.so:net/libnet \
+		libyaml.so:textproc/libyaml
+
+USES=		autoreconf cpe gmake iconv:translit libtool pathfix pkgconfig
+USE_LDCONFIG=	yes
+USE_RC_SUBR=	${PORTNAME}
+
+GNU_CONFIGURE=	yes
+
+USE_HARDENING=	pie:configure safestack
+
+CPE_VENDOR=	openinfosecfoundation
+
+INSTALL_TARGET=		install-strip
+TEST_TARGET=		check
+
+OPTIONS_DEFINE=		GEOIP IPFW JSON NETMAP NSS PORTS_PCAP PRELUDE \
+			REDIS SC TESTS
+OPTIONS_DEFINE_amd64=	HYPERSCAN
+OPTIONS_DEFAULT=	IPFW JSON NETMAP PRELUDE
+OPTIONS_SUB=		yes
+
+OPTIONS_RADIO=		SCRIPTS
+OPTIONS_RADIO_SCRIPTS=	LUA LUAJIT
+
+SCRIPTS_DESC=		Scripting
+
+GEOIP_DESC=		GeoIP support
+HYPERSCAN_DESC=		Hyperscan support
+IPFW_DESC=		IPFW and IP Divert support for inline IDP
+JSON_DESC=		JSON output support
+LUA_DESC=		LUA scripting support
+LUAJIT_DESC=		LuaJIT scripting support
+NETMAP_DESC=		Netmap support for inline IDP
+NSS_DESC=		File checksums and SSL/TLS fingerprinting
+PORTS_PCAP_DESC=	Use libpcap from ports
+PRELUDE_DESC=		Prelude support for NIDS alerts
+REDIS_DESC=		Redis output support
+SC_DESC=		Suricata socket client (suricatasc)
+TESTS_DESC=		Unit tests in suricata binary
+
+GEOIP_LIB_DEPENDS=		libGeoIP.so:net/GeoIP
+GEOIP_CONFIGURE_ON=		--enable-geoip
+
+HYPERSCAN_LIB_DEPENDS=		libhs.so:devel/hyperscan
+HYPERSCAN_CONFIGURE_ON=		--with-libhs-includes=${LOCALBASE}/include \
+				--with-libhs-libraries=${LOCALBASE}/lib
+
+IPFW_CONFIGURE_ON=		--enable-ipfw
+
+JSON_LIB_DEPENDS=		libjansson.so:devel/jansson
+JSON_CONFIGURE_ON=		--with-libjansson-includes=${LOCALBASE}/include \
+				--with-libjansson-libraries=${LOCALBASE}/lib
+
+LUA_USES=			lua:51
+LUA_CONFIGURE_ON=		--enable-lua \
+				--with-liblua-includes=${LUA_INCDIR} \
+				--with-liblua-libraries=${LUA_LIBDIR}
+
+LUAJIT_LIB_DEPENDS=		libluajit-5.1.so:lang/luajit
+LUAJIT_CONFIGURE_ON=		--enable-luajit
+
+NSS_LIB_DEPENDS=		libnss3.so:security/nss \
+				libnspr4.so:devel/nspr
+NSS_CONFIGURE_ON=		--with-libnss-includes=${LOCALBASE}/include/nss/nss \
+				--with-libnss-libraries=${LOCALBASE}/lib \
+				--with-libnspr-libraries=${LOCALBASE}/lib \
+				--with-libnspr-includes=${LOCALBASE}/include/nspr
+
+NETMAP_CONFIGURE_ENABLE=	netmap
+
+PORTS_PCAP_LIB_DEPENDS=		libpcap.so.1:net/libpcap
+PORTS_PCAP_CONFIGURE_ON=	--with-libpcap-includes=${LOCALBASE}/include \
+				--with-libpcap-libraries=${LOCALBASE}/lib
+PORTS_PCAP_CONFIGURE_OFF=	--with-libpcap-includes=/usr/include \
+				--with-libpcap-libraries=/usr/lib
+
+PRELUDE_LIB_DEPENDS=		libprelude.so:security/libprelude \
+				libgnutls.so:security/gnutls \
+				libgcrypt.so:security/libgcrypt \
+				libgpg-error.so:security/libgpg-error \
+				libltdl.so:devel/libltdl
+PRELUDE_CONFIGURE_ENABLE=	prelude
+PRELUDE_CONFIGURE_ON=		--with-libprelude-prefix=${LOCALBASE}
+
+REDIS_LIB_DEPENDS=		libhiredis.so:databases/hiredis
+REDIS_CONFIGURE_ON=		--enable-hiredis \
+				--with-libhiredis-includes=${LOCALBASE}/include \
+				--with-libhiredis-libraries=${LOCALBASE}/lib
+
+SC_USES=			python:2.7
+SC_CONFIGURE_ENABLE=		python
+
+TESTS_CONFIGURE_ENABLE=		unittests
+
+SUB_FILES=	pkg-message
+
+CONFIGURE_ARGS+=--enable-gccprotect \
+		--enable-bundled-htp \
+		--with-libpcre-includes=${LOCALBASE}/include \
+		--with-libpcre-libraries=${LOCALBASE}/lib \
+		--with-libyaml-includes=${LOCALBASE}/include \
+		--with-libyaml-libraries=${LOCALBASE}/lib \
+		--with-libnet-includes=${LOCALBASE}/include \
+		--with-libnet-libraries=${LOCALBASE}/lib \
+		--with-libhtp-includes=${LOCALBASE}/include/ \
+		--with-libhtp-libraries=${LOCALBASE}/lib \
+	        --disable-gccmarch-native
+
+CONFIG_DIR?=	${ETCDIR}
+CONFIG_FILES=	suricata.yaml classification.config reference.config threshold.config
+RULES_DIR=	${CONFIG_DIR}/rules
+RULES_FILES=	app-layer-events.rules decoder-events.rules dns-events.rules files.rules \
+		http-events.rules modbus-events.rules smtp-events.rules stream-events.rules \
+		tls-events.rules
+LOGS_DIR?=	/var/log/${PORTNAME}
+
+pre-patch:
+	@${CP} ${FILESDIR}/ax_check_compile_flag.m4 ${WRKSRC}/m4
+
+post-patch-NSS-off:
+	@${REINPLACE_CMD} -e 's|PKG_CHECK_MODULES(\[libnspr\]|#&| ; s|AC_CHECK_HEADER(sechash.h,NSS="yes",NSS="no")|#&|' ${WRKSRC}/configure.ac
+
+post-install:
+	@${MKDIR} ${STAGEDIR}${CONFIG_DIR}
+	@${MKDIR} ${STAGEDIR}${RULES_DIR}
+	@${MKDIR} ${STAGEDIR}${LOGS_DIR}
+.for f in ${CONFIG_FILES}
+	${INSTALL_DATA} ${WRKSRC}/${f} ${STAGEDIR}${CONFIG_DIR}/${f}.sample
+.endfor
+.for f in ${RULES_FILES}
+	${INSTALL_DATA} ${WRKSRC}/rules/${f} ${STAGEDIR}${RULES_DIR}/${f}
+.endfor
+
+post-install-SC-on:
+	(cd ${STAGEDIR}${PREFIX} \
+	&& ${PYTHON_CMD} ${PYTHON_LIBDIR}/compileall.py \
+	-d ${PYTHONPREFIX_SITELIBDIR} -f ${PYTHONPREFIX_SITELIBDIR:S;${PREFIX}/;;})
+
+.include <bsd.port.mk>

opnsense/suricata-devel/distinfo

@@ -0,0 +1,3 @@
+TIMESTAMP = 1522204137
+SHA256 (suricata-4.1.0-beta1.tar.gz) = 9ce646c98e63f925146176b7dd3a7c8de060ae2784e8336e1f1cfa0a16a2903c
+SIZE (suricata-4.1.0-beta1.tar.gz) = 14922072

opnsense/suricata-devel/files/ax_check_compile_flag.m4

@@ -0,0 +1,74 @@
+# ===========================================================================
+#   http://www.gnu.org/software/autoconf-archive/ax_check_compile_flag.html
+# ===========================================================================
+#
+# SYNOPSIS
+#
+#   AX_CHECK_COMPILE_FLAG(FLAG, [ACTION-SUCCESS], [ACTION-FAILURE], [EXTRA-FLAGS], [INPUT])
+#
+# DESCRIPTION
+#
+#   Check whether the given FLAG works with the current language's compiler
+#   or gives an error.  (Warnings, however, are ignored)
+#
+#   ACTION-SUCCESS/ACTION-FAILURE are shell commands to execute on
+#   success/failure.
+#
+#   If EXTRA-FLAGS is defined, it is added to the current language's default
+#   flags (e.g. CFLAGS) when the check is done.  The check is thus made with
+#   the flags: "CFLAGS EXTRA-FLAGS FLAG".  This can for example be used to
+#   force the compiler to issue an error when a bad flag is given.
+#
+#   INPUT gives an alternative input source to AC_COMPILE_IFELSE.
+#
+#   NOTE: Implementation based on AX_CFLAGS_GCC_OPTION. Please keep this
+#   macro in sync with AX_CHECK_{PREPROC,LINK}_FLAG.
+#
+# LICENSE
+#
+#   Copyright (c) 2008 Guido U. Draheim <guidod@gmx.de>
+#   Copyright (c) 2011 Maarten Bosmans <mkbosmans@gmail.com>
+#
+#   This program is free software: you can redistribute it and/or modify it
+#   under the terms of the GNU General Public License as published by the
+#   Free Software Foundation, either version 3 of the License, or (at your
+#   option) any later version.
+#
+#   This program is distributed in the hope that it will be useful, but
+#   WITHOUT ANY WARRANTY; without even the implied warranty of
+#   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General
+#   Public License for more details.
+#
+#   You should have received a copy of the GNU General Public License along
+#   with this program. If not, see <http://www.gnu.org/licenses/>.
+#
+#   As a special exception, the respective Autoconf Macro's copyright owner
+#   gives unlimited permission to copy, distribute and modify the configure
+#   scripts that are the output of Autoconf when processing the Macro. You
+#   need not follow the terms of the GNU General Public License when using
+#   or distributing such scripts, even though portions of the text of the
+#   Macro appear in them. The GNU General Public License (GPL) does govern
+#   all other use of the material that constitutes the Autoconf Macro.
+#
+#   This special exception to the GPL applies to versions of the Autoconf
+#   Macro released by the Autoconf Archive. When you make and distribute a
+#   modified version of the Autoconf Macro, you may extend this special
+#   exception to the GPL to apply to your modified version as well.
+
+#serial 3
+
+AC_DEFUN([AX_CHECK_COMPILE_FLAG],
+[AC_PREREQ(2.59)dnl for _AC_LANG_PREFIX
+AS_VAR_PUSHDEF([CACHEVAR],[ax_cv_check_[]_AC_LANG_ABBREV[]flags_$4_$1])dnl
+AC_CACHE_CHECK([whether _AC_LANG compiler accepts $1], CACHEVAR, [
+  ax_check_save_flags=$[]_AC_LANG_PREFIX[]FLAGS
+  _AC_LANG_PREFIX[]FLAGS="$[]_AC_LANG_PREFIX[]FLAGS $4 $1"
+  AC_COMPILE_IFELSE([m4_default([$5],[AC_LANG_PROGRAM()])],
+    [AS_VAR_SET(CACHEVAR,[yes])],
+    [AS_VAR_SET(CACHEVAR,[no])])
+  _AC_LANG_PREFIX[]FLAGS=$ax_check_save_flags])
+AS_IF([test x"AS_VAR_GET(CACHEVAR)" = xyes],
+  [m4_default([$2], :)],
+  [m4_default([$3], :)])
+AS_VAR_POPDEF([CACHEVAR])dnl
+])dnl AX_CHECK_COMPILE_FLAGS

opnsense/suricata-devel/files/patch-configure.ac

@@ -0,0 +1,15 @@
+--- configure.ac.orig	2017-02-15 07:54:17 UTC
++++ configure.ac
+@@ -935,8 +935,10 @@
+             AS_HELP_STRING([--enable-prelude], [Enable Prelude support for alerts]),,[enable_prelude=no])
+     # Prelude doesn't work with -Werror
+     STORECFLAGS="${CFLAGS}"
+-    CFLAGS="${CFLAGS} -Wno-error=unused-result"
+-
++    AX_CHECK_COMPILE_FLAG([-Wno-error=unused-result], 
++        [CFLAGS="${CFLAGS} -Wno-error=unused-result"],
++        [])
++       
+     AS_IF([test "x$enable_prelude" = "xyes"], [
+         AM_PATH_LIBPRELUDE(0.9.9, , AC_MSG_ERROR(Cannot find libprelude: Is libprelude-config in the path?), no)
+         if test "x${LIBPRELUDE_CFLAGS}" != "x"; then

opnsense/suricata-devel/files/pkg-message.in

@@ -0,0 +1,44 @@
+===========================================================================
+
+If you want to run Suricata in IDS mode, add to /etc/rc.conf:
+
+	suricata_enable="YES"
+	suricata_interface="<if>"
+
+NOTE: Declaring suricata_interface is MANDATORY for Suricata in IDS Mode.
+
+However, if you want to run Suricata in Inline IPS Mode in divert(4) mode,
+add to /etc/rc.conf:
+
+	suricata_enable="YES"
+	suricata_divertport="8000"
+
+NOTE:
+	Suricata won't start in IDS mode without an interface configured.
+	Therefore if you omit suricata_interface from rc.conf, FreeBSD's
+	rc.d/suricata will automatically try to start Suricata in IPS Mode
+	(on divert port 8000, by default).
+
+Alternatively, if you want to run Suricata in Inline IPS Mode in high-speed
+netmap(4) mode, add to /etc/rc.conf:
+
+	suricata_enable="YES"
+	suricata_netmap="YES"
+
+NOTE:
+	Suricata requires additional interface settings in the configuration
+	file to run in netmap(4) mode.
+
+RULES: Suricata IDS/IPS Engine comes without rules by default. You should
+add rules by yourself and set an updating strategy. To do so, please visit:
+
+ http://www.openinfosecfoundation.org/documentation/rules.html
+ http://www.openinfosecfoundation.org/documentation/emerging-threats.html
+
+You may want to try BPF in zerocopy mode to test performance improvements:
+
+	sysctl -w net.bpf.zerocopy_enable=1
+
+Don't forget to add net.bpf.zerocopy_enable=1 to /etc/sysctl.conf
+
+===========================================================================

opnsense/suricata-devel/files/suricata.in

@@ -0,0 +1,68 @@
+#!/bin/sh
+# $FreeBSD$
+
+# PROVIDE: suricata
+# REQUIRE: DAEMON
+# BEFORE: LOGIN
+# KEYWORD: shutdown
+
+# Add the following lines to /etc/rc.conf to enable suricata:
+# suricata_enable (bool):	Set to YES to enable suricata
+# 				Default: NO
+# suricata_flags (str):		Extra flags passed to suricata
+#				Default: -D
+# suricata_interface (str):	Network interface(s) to sniff
+#				Default: "" 
+# suricata_conf (str):		Suricata configuration file
+#				Default: ${PREFIX}/etc/suricata/suricata.yaml
+# suricata_divertport (int):	Port to create divert socket (Inline Mode)
+#				Default: 8000
+# suricata_netmap (str):	Set to YES to enable netmap (Inline Mode)
+#				Default: NO
+# suricata_user (str):		Set the user to run suricata as
+#				Default: root
+# suricata_pidfile (str):	Pidfile to store pid of suricata process
+#				Default: /var/run/suricata.pid
+
+. /etc/rc.subr
+
+name="suricata"
+rcvar=suricata_enable
+
+start_precmd="suricata_prestart"
+command="%%PREFIX%%/bin/suricata"
+
+load_rc_config $name
+
+[ -z "$suricata_enable" ]	&& suricata_enable="NO"
+[ -z "$suricata_conf" ]		&& suricata_conf="%%PREFIX%%/etc/suricata/suricata.yaml"
+[ -z "$suricata_flags" ]	&& suricata_flags="-D"
+[ -z "$suricata_divertport" ]	&& suricata_divertport="8000"
+[ -z "$suricata_netmap" ]	&& suricata_netmap="NO"
+[ -z "$suricata_user" ]		&& suricata_user="root"
+[ -z "$suricata_pidfile" ]	&& suricata_pidfile="/var/run/suricata.pid"
+
+if [ -n "$suricata_interface" ]; then
+	for interface in $suricata_interface; do
+		suricata_flags="$suricata_flags --pcap=$interface"
+	done
+elif [ "$suricata_netmap" != "NO" ]; then
+	suricata_flags="$suricata_flags --netmap"
+else
+	suricata_flags="$suricata_flags -d $suricata_divertport"
+	info "Inline Mode on divert port $suricata_divertport (suricata_interface not defined)"
+fi
+
+pidfile=$suricata_pidfile
+suricata_flags="$suricata_flags --pidfile $pidfile"
+
+[ -n "$suricata_conf" ]	&& suricata_flags="$suricata_flags -c $suricata_conf"
+
+suricata_prestart()
+{
+	if ! run_rc_command status > /dev/null; then
+		rm -f "$pidfile"
+	fi
+}
+
+run_rc_command "$1"

opnsense/suricata-devel/pkg-descr

@@ -0,0 +1,15 @@
+The Suricata Engine is an Open Source Next Generation Intrusion Detection and
+Prevention Engine developed by the Open Information Security Foundation (OISF).
+
+This engine is not intended to just replace or emulate the existing tools in
+the industry, but will bring new ideas and technologies to the field.
+
+OISF is part of and funded by the Department of Homeland Security's Directorate
+for Science and Technology HOST program (Homeland Open Security Technology),
+by the Navy's Space and Naval Warfare Systems Command (SPAWAR), as well as
+through the very generous support of the members of the OISF Consortium.
+
+More information about the Consortium is available, as well as a list of our
+current Consortium Members.
+
+WWW: http://openinfosecfoundation.org