packages/snort: various fixes

* use basic, mysql & pgsql VARIANTs * add a build dependency on librpc when building against uClibc (closes: #10132) * ship empty, useless, but working config & ruleset * ship dynamic engine & preprocessors, disabled by default * make it listen on loopback by default git-svn-id: svn://svn.openwrt.org/openwrt/packages@28667 3c298f89-4303-0410-b956-a3cf2f4a3e73
2011-10-29 13:40:14 +00:00 · 2011-10-29 13:40:14 +00:00 · 2db62eb97e
commit 2db62eb97e
parent 1ec1d9ff29
4 changed files with 133 additions and 93 deletions
--- a/net/snort/Makefile
+++ b/net/snort/Makefile
@ -1,5 +1,5 @@
 #
-# Copyright (C) 2006-2010 OpenWrt.org
+# Copyright (C) 2006-2011 OpenWrt.org
 #
 # This is free software, licensed under the GNU General Public License v2.
 # See /LICENSE for more information.
@ -9,13 +9,16 @@ include $(TOPDIR)/rules.mk

 PKG_NAME:=snort
 PKG_VERSION:=2.8.4.1
-PKG_RELEASE:=2
+PKG_RELEASE:=3

 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
 PKG_SOURCE_URL:=http://dl.snort.org/snort-current/
 PKG_MD5SUM:=63f4e76ae96a2d133f4c7b741bad5458

-PKG_FIXUP:=libtool
+PKG_BUILD_DEPENDS:=USE_UCLIBC:librpc
+PKG_BUILD_DIR:=$(BUILD_DIR)/$(PKG_NAME)-$(BUILD_VARIANT)/$(PKG_NAME)-$(PKG_VERSION)
+PKG_FIXUP:=autoreconf
+PKG_INSTALL:=1

 include $(INCLUDE_DIR)/package.mk

@ -38,6 +41,7 @@ endef

 define Package/snort
  $(call Package/snort/Default)
+  VARIANT:=basic
 endef

 define Package/snort/description
@ -48,6 +52,7 @@ define Package/snort-mysql
  $(call Package/snort/Default)
  DEPENDS+= +libmysqlclient
  TITLE+= (MySQL)
+  VARIANT:=mysql
 endef

 define Package/snort-mysql/description
@ -59,6 +64,7 @@ define Package/snort-pgsql
  $(call Package/snort/Default)
  DEPENDS+= +libpq
  TITLE+= (PostgreSQL)
+  VARIANT:=pgsql
 endef

 define Package/snort-pgsql/description
@ -66,104 +72,83 @@ define Package/snort-pgsql/description
  This package contains snort with support for logging to a PostgreSQL database.
 endef

-define Compile/Template

-$(PKG_BUILD_DIR)/snort$(1): $(STAMP_CONFIGURED)
-	touch -r $(PKG_BUILD_DIR)/Makefile.am $(PKG_BUILD_DIR)/configure.in 
-	touch -r $(PKG_BUILD_DIR)/Makefile.in $(PKG_BUILD_DIR)/configure
-	-$(MAKE) -C $(PKG_BUILD_DIR) distclean
-	$(call Build/Configure/Default, \
-		--enable-flexresp \
-		--with-libnet-includes="$(STAGING_DIR)/usr/lib/libnet-1.0.x/include" \
-		--with-libnet-libraries="$(STAGING_DIR)/usr/lib/libnet-1.0.x/lib" \
-		--with-libpcap-includes="$(STAGING_DIR)/usr/include" \
-		--with-libpcap-libraries="$(STAGING_DIR)/usr/lib" \
-		--with-libpcre-includes="$(STAGING_DIR)/usr/include" \
-		--with-libpcre-libraries="$(STAGING_DIR)/usr/lib" \
-		$(2) \
-		, \
-		CPPFLAGS="$$$$CPPFLAGS -I$(STAGING_DIR)/usr/include/mysql" \
-		LDFLAGS="$$$$LDFLAGS -L$(STAGING_DIR)/usr/lib/mysql" \
-		PATH="$(STAGING_DIR)/usr/lib/libnet-1.0.x/bin:$$$$PATH" \
-		$(3) \
-	);
-	$(MAKE) -C $(PKG_BUILD_DIR) \
-		extra_incl="" \
-		all
-	mv $(PKG_BUILD_DIR)/src/snort $(PKG_BUILD_DIR)/snort$(1)
+CONFIGURE_ARGS += \
+	--enable-flexresp \
+	--with-libnet-includes="$(STAGING_DIR)/usr/lib/libnet-1.0.x/include" \
+	--with-libnet-libraries="$(STAGING_DIR)/usr/lib/libnet-1.0.x/lib" \
+	--with-libpcap-includes="$(STAGING_DIR)/usr/include" \
+	--with-libpcap-libraries="$(STAGING_DIR)/usr/lib" \
+	--with-libpcre-includes="$(STAGING_DIR)/usr/include" \
+	--with-libpcre-libraries="$(STAGING_DIR)/usr/lib" \

-$(PKG_BUILD_DIR)/.built: $(PKG_BUILD_DIR)/snort$(1)
+CONFIGURE_VARS += \
+	CPPFLAGS="$$$$CPPFLAGS -I$(STAGING_DIR)/usr/include/mysql" \
+	LDFLAGS="$$$$LDFLAGS -L$(STAGING_DIR)/usr/lib/mysql" \
+	PATH="$(STAGING_DIR)/usr/lib/libnet-1.0.x/bin:$$$$PATH" \

-endef
+MAKE_FLAGS += \
+	extra_incl="" \
+
+ifeq ($(BUILD_VARIANT),basic)
+
+  CONFIGURE_ARGS += \
+	--without-mysql \
+	--without-postgresql \
+
+endif
+ifeq ($(BUILD_VARIANT),mysql)
+
+  CONFIGURE_ARGS += \
+	--with-mysql="$(STAGING_DIR)/usr" \
+	--without-postgresql \
+
+endif
+ifeq ($(BUILD_VARIANT),pgsql)
+
+  CONFIGURE_ARGS += \
+	--without-mysql \
+	--with-postgresql="$(STAGING_DIR)/usr" \
+
+endif


-define Install/Template
-
-define Package/snort$(1)/conffiles
+define Package/snort/conffiles
 /etc/default/snort
 /etc/snort/snort.conf
 /etc/snort/threshold.conf
 endef

-define Package/snort$(1)/install
-	$(INSTALL_DIR) $$(1)/usr/sbin
-	$(INSTALL_BIN) $(PKG_BUILD_DIR)/snort$(1) $$(1)/usr/sbin/snort
-	$(INSTALL_DIR) $$(1)/etc/snort
-	$(INSTALL_DATA) $(PKG_BUILD_DIR)/etc/snort.conf $$(1)/etc/snort/
-	$(INSTALL_DATA) $(PKG_BUILD_DIR)/etc/classification.config $$(1)/etc/snort/
-	$(INSTALL_DATA) $(PKG_BUILD_DIR)/etc/gen-msg.map $$(1)/etc/snort/
-	$(INSTALL_DATA) $(PKG_BUILD_DIR)/etc/reference.config $$(1)/etc/snort/
-	$(INSTALL_DATA) $(PKG_BUILD_DIR)/etc/sid-msg.map $$(1)/etc/snort/
-	$(INSTALL_DATA) $(PKG_BUILD_DIR)/etc/threshold.conf $$(1)/etc/snort/
-	$(INSTALL_DATA) $(PKG_BUILD_DIR)/etc/unicode.map $$(1)/etc/snort/
-	$(INSTALL_DIR) $$(1)/etc/default
-	$(INSTALL_DATA) ./files/snort.default $$(1)/etc/default/snort
-	$(INSTALL_DIR) $$(1)/etc/init.d
-	$(INSTALL_BIN) ./files/snort.init $$(1)/etc/init.d/snort
+define Package/snort/install
+	$(INSTALL_DIR) $(1)/usr/bin
+	$(CP) $(PKG_INSTALL_DIR)/usr/bin/snort $(1)/usr/bin/
+	$(INSTALL_DIR) $(1)/usr/lib/snort_dynamicengine
+	$(CP) $(PKG_INSTALL_DIR)/usr/lib/snort_dynamicengine/libsf_engine.so* $(1)/usr/lib/snort_dynamicengine/
+	$(INSTALL_DIR) $(1)/usr/lib/snort_dynamicpreprocessor
+	$(CP) $(PKG_INSTALL_DIR)/usr/lib/snort_dynamicpreprocessor/libsf_{dce2,dcerpc,dns,ftptelnet,smtp,ssh,ssl}_preproc.so* $(1)/usr/lib/snort_dynamicpreprocessor/
+	$(INSTALL_DIR) $(1)/etc/snort
+	$(INSTALL_DATA) $(PKG_BUILD_DIR)/etc/snort.conf $(1)/etc/snort/
+	$(INSTALL_DATA) $(PKG_BUILD_DIR)/etc/classification.config $(1)/etc/snort/
+	$(INSTALL_DATA) $(PKG_BUILD_DIR)/etc/gen-msg.map $(1)/etc/snort/
+	$(INSTALL_DATA) $(PKG_BUILD_DIR)/etc/reference.config $(1)/etc/snort/
+	$(INSTALL_DATA) $(PKG_BUILD_DIR)/etc/sid-msg.map $(1)/etc/snort/
+	$(INSTALL_DATA) $(PKG_BUILD_DIR)/etc/threshold.conf $(1)/etc/snort/
+	$(INSTALL_DATA) $(PKG_BUILD_DIR)/etc/unicode.map $(1)/etc/snort/
+	$(INSTALL_DIR) $(1)/etc/snort/preproc_rules
+	$(INSTALL_DATA) $(PKG_BUILD_DIR)/preproc_rules/*.rules $(1)/etc/snort/preproc_rules/
+	$(INSTALL_DIR) $(1)/etc/snort/rules
+	$(INSTALL_DATA) ./files/snort.local.rules $(1)/etc/snort/rules/local.rules
+	$(INSTALL_DIR) $(1)/etc/default
+	$(INSTALL_DATA) ./files/snort.default $(1)/etc/default/snort
+	$(INSTALL_DIR) $(1)/etc/init.d
+	$(INSTALL_BIN) ./files/snort.init $(1)/etc/init.d/snort
 endef

-endef
+Package/snort-mysql/conffiles = $(Package/snort/conffiles)
+Package/snort-mysql/install = $(Package/snort/install)

-
-ifneq ($(SDK)$(CONFIG_PACKAGE_snort),)
-  define Compile/snort
-    $(call Compile/Template,, \
-		--without-mysql \
-		--without-postgresql \
-    )
-    $(call Install/Template,)
-  endef
-endif
-$(eval $(Compile/snort))
-
-ifneq ($(SDK)$(CONFIG_PACKAGE_snort-mysql),)
-  define Compile/snort-mysql
-    $(call Compile/Template,-mysql, \
-		--with-mysql="$(STAGING_DIR)/usr" \
-		--without-postgresql \
-    )
-    $(call Install/Template,-mysql)
-  endef
-endif
-$(eval $(Compile/snort-mysql))
-
-
-ifneq ($(SDK)$(CONFIG_PACKAGE_snort-pgsql),)
-  define Compile/snort-pgsql
-    $(call Compile/Template,-pgsql, \
-		--without-mysql \
-		--with-postgresql="$(STAGING_DIR)/usr" \
-    )
-    $(call Install/Template,-pgsql)
-  endef
-endif
-$(eval $(Compile/snort-pgsql))
-
-define Build/Configure
-endef
-
-define Build/Compile
-endef
+Package/snort-pgsql/conffiles = $(Package/snort/conffiles)
+Package/snort-pgsql/install = $(Package/snort/install)

 $(eval $(call BuildPackage,snort))
 $(eval $(call BuildPackage,snort-mysql))
--- a/net/snort/files/snort.default
+++ b/net/snort/files/snort.default
@ -1,2 +1,2 @@
-INTERFACE="vlan1" # WAN
+INTERFACE="lo"
 OPTIONS="-i $INTERFACE -c /etc/snort/snort.conf -D -N -q -s"
--- a/net/snort/files/snort.local.rules
+++ b/net/snort/files/snort.local.rules
@ -0,0 +1,5 @@
+# ----------------
+# LOCAL RULES
+# ----------------
+# This file intentionally does not come with signatures.  Put your local
+# additions here.
--- a/net/snort/patches/750-lightweight-config.patch
+++ b/net/snort/patches/750-lightweight-config.patch
@ -32,6 +32,39 @@
 
 # Configure the snort decoder
 # ============================
+@@ -191,27 +192,27 @@ var PREPROC_RULE_PATH ../preproc_rules
+ # Load all dynamic preprocessors from the install path
+ # (same as command line option --dynamic-preprocessor-lib-dir)
+ #
+-dynamicpreprocessor directory /usr/local/lib/snort_dynamicpreprocessor/
+#dynamicpreprocessor directory /usr/lib/snort_dynamicpreprocessor/
+ #
+ # Load a specific dynamic preprocessor library from the install path
+ # (same as command line option --dynamic-preprocessor-lib)
+ #
+-# dynamicpreprocessor file /usr/local/lib/snort_dynamicpreprocessor/libdynamicexample.so
+# dynamicpreprocessor file /usr/lib/snort_dynamicpreprocessor/lib_sfdynamic_preprocessor_example.so
+ #
+ # Load a dynamic engine from the install path
+ # (same as command line option --dynamic-engine-lib)
+ #
+-dynamicengine /usr/local/lib/snort_dynamicengine/libsf_engine.so
+#dynamicengine /usr/lib/snort_dynamicengine/libsf_engine.so
+ #
+ # Load all dynamic rules libraries from the install path
+ # (same as command line option --dynamic-detection-lib-dir)
+ #
+-# dynamicdetection directory /usr/local/lib/snort_dynamicrule/
+# dynamicdetection directory /usr/lib/snort_dynamicrules/
+ #
+ # Load a specific dynamic rule library from the install path
+ # (same as command line option --dynamic-detection-lib)
+ #
+-# dynamicdetection file /usr/local/lib/snort_dynamicrule/libdynamicexamplerule.so
+# dynamicdetection file /usr/lib/snort_dynamicrules/lib_sfdynamic_example_rule.so
+ #
+ 
+ ###################################################
@@ -307,11 +308,11 @@ preprocessor stream5_tcp: policy first, 
 # lots of options available here. See doc/README.http_inspect.
 # unicode.map should be wherever your snort.conf lives, or given
@ -157,6 +190,17 @@
 
 # arpspoof
 #----------------------------------------
+@@ -605,8 +606,8 @@ preprocessor sfportscan: proto  { all } 
+ # See doc/README.dcerpc2 for explanations of what the
+ # preprocessor does and how to configure it.
+ #
+-preprocessor dcerpc2
+-preprocessor dcerpc2_server: default
+#preprocessor dcerpc2
+#preprocessor dcerpc2_server: default
+ 
+ 
+ # DNS
@@ -623,9 +624,9 @@ preprocessor dcerpc2_server: default
 # or use commandline option
 # --dynamic-preprocessor-lib <full path to libsf_dns_preproc.so>
@ -179,10 +223,13 @@
 
 
 ####################################################################
-@@ -811,41 +812,41 @@ include $RULE_PATH/local.rules
- include $RULE_PATH/bad-traffic.rules
- include $RULE_PATH/exploit.rules
- include $RULE_PATH/scan.rules
+@@ -808,44 +809,44 @@ include reference.config
+ #=========================================
+ 
+ include $RULE_PATH/local.rules
+-include $RULE_PATH/bad-traffic.rules
+-include $RULE_PATH/exploit.rules
+-include $RULE_PATH/scan.rules
 -include $RULE_PATH/finger.rules
 -include $RULE_PATH/ftp.rules
 -include $RULE_PATH/telnet.rules
@ -215,6 +262,9 @@
 -include $RULE_PATH/imap.rules
 -include $RULE_PATH/pop2.rules
 -include $RULE_PATH/pop3.rules
+#include $RULE_PATH/bad-traffic.rules
+#include $RULE_PATH/exploit.rules
+#include $RULE_PATH/scan.rules
 +#include $RULE_PATH/finger.rules
 +#include $RULE_PATH/ftp.rules
 +#include $RULE_PATH/telnet.rules