public inbox for gentoo-commits@lists.gentoo.org
From: "Marek Szuba" <marecki@gentoo.org>
To: gentoo-commits@lists.gentoo.org
Subject: [gentoo-commits] repo/gentoo:master commit in: net-analyzer/suricata/, net-analyzer/suricata/files/
Date: Mon, 16 Dec 2019 16:05:17 +0000 (UTC)
Message-ID: <1576512306.da28437322994c655e77d94dcd82d01d575fce58.marecki@gentoo>

commit:     da28437322994c655e77d94dcd82d01d575fce58
Author:     Marek Szuba <marecki <AT> gentoo <DOT> org>
AuthorDate: Mon Dec 16 15:56:33 2019 +0000
Commit:     Marek Szuba <marecki <AT> gentoo <DOT> org>
CommitDate: Mon Dec 16 16:05:06 2019 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=da284373

net-analyzer/suricata: bump to 5.0.0 and EAPI 7

Package-Manager: Portage-2.3.79, Repoman-2.3.16
Signed-off-by: Marek Szuba <marecki <AT> gentoo.org>

 net-analyzer/suricata/Manifest                     |   1 +
 .../files/suricata-5.0.0_configure-lua-flags.patch |  16 ++
 ...suricata-5.0.0_configure-no-lz4-automagic.patch |  23 +++
 .../files/suricata-5.0.0_default-config.patch      |  61 +++++++
 net-analyzer/suricata/files/suricata.service       |  21 +++
 net-analyzer/suricata/files/suricata.tmpfiles      |   1 +
 net-analyzer/suricata/metadata.xml                 |   6 +-
 net-analyzer/suricata/suricata-5.0.0.ebuild        | 185 +++++++++++++++++++++
 8 files changed, 313 insertions(+), 1 deletion(-)

diff --git a/net-analyzer/suricata/Manifest b/net-analyzer/suricata/Manifest
index fe67675774d..72532b86510 100644
--- a/net-analyzer/suricata/Manifest
+++ b/net-analyzer/suricata/Manifest
@@ -1 +1,2 @@
 DIST suricata-4.0.4.tar.gz 12511121 BLAKE2B d9dfb00a45c2e9810409a8ce91a83e23ebce20eb28492bf24f9688d292b5805dca932c39cc673cf1148325fe5ef7936dda7f6c7819605753cb2e2ddc1cf5dba0 SHA512 6e158aa6d3edb9d11e0df3f986392ee2ae49ab4dfb978288ced4484dbe5c08ae061db2a566be6d22cf14bd0b88f87f9cb9c0a657d7fc44e099b8783d933c771e
+DIST suricata-5.0.0.tar.gz 23689051 BLAKE2B 701625d50dacbeb846d7ea1c3aad3980969c1c0124c007d843353fe25b7e579378d2cd125db4660e33fff1f8cf20eac4bbafe280ba6ff31f988fb6c42b29b6aa SHA512 0dc8941fdf29d615531eeda6f6076052cca79fda6dda3c96300c08b343a64a1700fd23dd83a03507009ab7c9b19c91b65ee65e704f55ddee17764b71e9e2911e

diff --git a/net-analyzer/suricata/files/suricata-5.0.0_configure-lua-flags.patch b/net-analyzer/suricata/files/suricata-5.0.0_configure-lua-flags.patch
new file mode 100644
index 00000000000..be956fd94d4
--- /dev/null
+++ b/net-analyzer/suricata/files/suricata-5.0.0_configure-lua-flags.patch
@@ -0,0 +1,16 @@
+--- a/configure.ac
++++ b/configure.ac
+@@ -1749,11 +1749,11 @@
+   # liblua
+     AC_ARG_ENABLE(lua,
+ 	        AS_HELP_STRING([--enable-lua],[Enable Lua support]),
+-	        [ enable_lua="$enableval"],
++	        [],
+ 	        [ enable_lua="no"])
+     AC_ARG_ENABLE(luajit,
+ 	        AS_HELP_STRING([--enable-luajit],[Enable Luajit support]),
+-	        [ enable_luajit="$enableval"],
++	        [],
+ 	        [ enable_luajit="no"])
+     if test "$enable_lua" = "yes"; then
+         if test "$enable_luajit" = "yes"; then
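Review bot: the patch file carries no header explaining what it fixes, and the change itself is not self-explanatory: AC_ARG_ENABLE already assigns enable_lua / enable_luajit from the --enable-*/--disable-* command line before the action-if-given runs, so replacing `[ enable_lua="$enableval"],` with `[],` is not an obvious behaviour change, and a reader of net-analyzer/suricata/files cannot tell which failure the `$(use_enable lua)` / `$(use_enable luajit)` switches in the ebuild were triggering. Add a short description (and an upstream reference, if one exists) above the `--- a/configure.ac` line so the patch can be re-evaluated or dropped on the next bump.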

diff --git a/net-analyzer/suricata/files/suricata-5.0.0_configure-no-lz4-automagic.patch b/net-analyzer/suricata/files/suricata-5.0.0_configure-no-lz4-automagic.patch
new file mode 100644
index 00000000000..5efce46f6d9
--- /dev/null
+++ b/net-analyzer/suricata/files/suricata-5.0.0_configure-no-lz4-automagic.patch
@@ -0,0 +1,23 @@
+--- a/configure.ac
++++ b/configure.ac
+@@ -2292,7 +2292,11 @@
+     fi
+ 
+ # Check for lz4
+-enable_liblz4="yes"
++AC_ARG_ENABLE(lz4,
++       AS_HELP_STRING([--enable-lz4], [Enable compressed pcap logging using liblz4]),
++       [enable_liblz4=$enableval],
++       [enable_liblz4=yes])
++if test "x$enable_liblz4" != "xno"; then
+ AC_CHECK_LIB(lz4, LZ4F_createCompressionContext, , enable_liblz4="no")
+ 
+ if test "$enable_liblz4" = "no"; then
+@@ -2306,6 +2310,7 @@
+     echo "               yum install lz4-devel"
+     echo
+ fi
++fi
+ 
+ # get cache line size
+     AC_PATH_PROG(HAVE_GETCONF_CMD, getconf, "no")
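Review bot: in the first hunk an explicit `--enable-lz4` still degrades silently when liblz4 is absent: `AC_CHECK_LIB(lz4, LZ4F_createCompressionContext, , enable_liblz4="no")` keeps falling through to the advisory `echo "yum install lz4-devel"` block instead of failing. Since the point of the patch is to remove automagic behaviour, distinguish an explicit request from the default (e.g. `[enable_liblz4=$enableval]` against `[enable_liblz4=auto]`) and raise AC_MSG_ERROR when the user asked for lz4 and the library is missing; otherwise the ebuild's `$(use_enable lz4)` can still produce a build that quietly lacks compressed pcap logging. The `if test "x$enable_liblz4" != "xno"; then` / `fi` wrapper in the second hunk is fine, although the enclosed block is not re-indented.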

diff --git a/net-analyzer/suricata/files/suricata-5.0.0_default-config.patch b/net-analyzer/suricata/files/suricata-5.0.0_default-config.patch
new file mode 100644
index 00000000000..07a45c9a574
--- /dev/null
+++ b/net-analyzer/suricata/files/suricata-5.0.0_default-config.patch
@@ -0,0 +1,61 @@
+--- a/suricata.yaml.in
++++ b/suricata.yaml.in
+@@ -203,8 +203,9 @@
+             # https://suricata.readthedocs.io/en/latest/output/eve/eve-json-output.html#dns-v1-format
+ 
+             # As of Suricata 5.0, version 2 of the eve dns output
+-            # format is the default.
+-            #version: 2
++            # format is the default - but the daemon produces a warning to that effect
++            # at start-up if this isn't explicitly set.
++            version: 2
+ 
+             # Enable/disable this logger. Default: enabled.
+             #enabled: yes
+@@ -978,9 +979,9 @@
+ ##
+ 
+ # Run suricata as user and group.
+-#run-as:
+-#  user: suri
+-#  group: suri
++run-as:
++  user: suricata
++  group: suricata
+ 
+ # Some logging module will use that name in event as identifier. The default
+ # value is the hostname
+@@ -1806,16 +1807,28 @@
+     hashmode: hash5tuplesorted
+ 
+ ##
+-## Configure Suricata to load Suricata-Update managed rules.
+-##
+-## If this section is completely commented out move down to the "Advanced rule
+-## file configuration".
++## Configure Suricata to load default rules it comes with.
+ ##
+ 
+ default-rule-path: @e_defaultruledir@
+ 
+ rule-files:
+-  - suricata.rules
++  - /etc/suricata/rules/app-layer-events.rules
++  - /etc/suricata/rules/decoder-events.rules
++  - /etc/suricata/rules/dhcp-events.rules
++  - /etc/suricata/rules/dnp3-events.rules
++  - /etc/suricata/rules/dns-events.rules
++  - /etc/suricata/rules/files.rules
++  - /etc/suricata/rules/http-events.rules
++  - /etc/suricata/rules/ipsec-events.rules
++  - /etc/suricata/rules/kerberos-events.rules
++  - /etc/suricata/rules/modbus-events.rules
++  - /etc/suricata/rules/nfs-events.rules
++  - /etc/suricata/rules/ntp-events.rules
++  - /etc/suricata/rules/smb-events.rules
++  - /etc/suricata/rules/smtp-events.rules
++  - /etc/suricata/rules/stream-events.rules
++  - /etc/suricata/rules/tls-events.rules
+ 
+ ##
+ ## Auxiliary configuration files.
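Review bot: the `rule-files:` list in the third hunk hardcodes sixteen absolute `/etc/suricata/rules/*.rules` paths although `default-rule-path: @e_defaultruledir@` is set two lines above; relative names would resolve against that directory and survive a change of prefix. More importantly, the ebuild only installs those files under USE=rules (`doins rules/*.rules`), so with USE=-rules the shipped default config references sixteen files that do not exist, and with USE=tools the suricata-update managed `suricata.rules` entry that the upstream default loaded is dropped entirely, so freshly updated rules are not read until the user edits the config. Consider keeping the `suricata.rules` entry and using relative names for the event rules. The `run-as` user and group `suricata` in the second hunk match acct-user/suricata and the `fowners`/`fperms 750` in src_install, which is consistent.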

diff --git a/net-analyzer/suricata/files/suricata.service b/net-analyzer/suricata/files/suricata.service
new file mode 100644
index 00000000000..5e617388018
--- /dev/null
+++ b/net-analyzer/suricata/files/suricata.service
@@ -0,0 +1,21 @@
+[Unit]
+Description=Suricata IDS/IDP daemon
+After=network.target
+Requires=network.target
+Documentation=man:suricata(8) man:suricatasc(8)
+Documentation=https://redmine.openinfosecfoundation.org/projects/suricata/wiki
+
+[Service]
+Type=forking
+Environment=OPTIONS='-c /etc/suricata/suricata.yaml'
+CapabilityBoundingSet=CAP_NET_ADMIN
+PIDFile=/var/run/suricata/suricata.pid
+ExecStart=/usr/bin/suricata --pidfile /var/run/suricata/suricata.pid $OPTIONS
+ExecReload=/bin/kill -HUP $MAINPID
+ExecStop=/bin/kill $MAINPID
+PrivateTmp=yes
+ProtectHome=yes
+
+[Install]
+WantedBy=multi-user.target
+
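Review bot: `CapabilityBoundingSet=CAP_NET_ADMIN` looks too narrow for the default-enabled af-packet capture: opening an AF_PACKET raw socket requires CAP_NET_RAW, and Suricata's own privilege drop (triggered by the `run-as` block this commit enables in suricata.yaml) keeps CAP_NET_RAW and CAP_SYS_NICE alongside CAP_NET_ADMIN for that run mode, which is a strong hint that it needs them. Please verify capture starts under this unit as a non-root daemon, or widen it to `CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_RAW CAP_SYS_NICE`. Two smaller points: `PIDFile=` and `ExecStart` use the legacy `/var/run/suricata` path (recent systemd logs a warning for PIDFile= below /var/run and rewrites it to /run), and the file ends with a trailing blank line.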

diff --git a/net-analyzer/suricata/files/suricata.tmpfiles b/net-analyzer/suricata/files/suricata.tmpfiles
new file mode 100644
index 00000000000..46fe5084297
--- /dev/null
+++ b/net-analyzer/suricata/files/suricata.tmpfiles
@@ -0,0 +1 @@
+d	/var/run/suricata	- - - -
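Review bot: `d /var/run/suricata - - - -` creates the runtime directory as root:root with the default 0755 mode, but the daemon switches to user `suricata` (the `run-as` block enabled in the default-config patch) and the pidfile that the unit's `PIDFile=` points to lives in that directory, so anything Suricata has to create or remove there after dropping privileges fails with EPERM. Give the directory to the service account, e.g. `d /run/suricata 0750 suricata suricata -`, and prefer `/run` over the legacy `/var/run` so it matches a corrected unit file.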

diff --git a/net-analyzer/suricata/metadata.xml b/net-analyzer/suricata/metadata.xml
index 0afee5625d1..bc25d72f088 100644
--- a/net-analyzer/suricata/metadata.xml
+++ b/net-analyzer/suricata/metadata.xml
@@ -6,13 +6,17 @@
   </maintainer>
   <use>
     <flag name="af-packet">Enable AF_PACKET support</flag>
+    <flag name="bpf">Enable support for eBPF (as well as XDP if supported by the kernel and the NIC driver)
+        for low-level, high-speed packet processing</flag>
     <flag name="control-socket">Enable unix socket</flag>
     <flag name="cuda">Enable NVIDIA Cuda computations support</flag>
     <flag name="detection">Enable detection modules</flag>
+    <flag name="logrotate">Install logrotate rule</flag>
+    <flag name="lz4">Enable support for compressed pcap logging using the LZ4 algorithm</flag>
     <flag name="nflog">Enable libnetfilter_log support</flag>
     <flag name="nfqueue">Enable NFQUEUE support for inline IDP</flag>
     <flag name="redis">Enable Redis support</flag>
     <flag name="rules">Install default ruleset</flag>
-    <flag name="logrotate">Install logrotate rule</flag>
+    <flag name="tools">Install suricatactl, suricatasc and suricata-update</flag>
   </use>
 </pkgmetadata>
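Review bot: style only, the `bpf` flag description is wrapped onto a second line with an extra-indented continuation while every other `<flag>` keeps its text on one line; either keep it on one line or indent the continuation to match the opening tag. Moving `logrotate` into alphabetical order is a welcome cleanup.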

diff --git a/net-analyzer/suricata/suricata-5.0.0.ebuild b/net-analyzer/suricata/suricata-5.0.0.ebuild
new file mode 100644
index 00000000000..05f328b973b
--- /dev/null
+++ b/net-analyzer/suricata/suricata-5.0.0.ebuild
@@ -0,0 +1,185 @@
+# Copyright 1999-2019 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=7
+
+PYTHON_COMPAT=( python3_{6,7,8} )
+
+inherit autotools linux-info python-single-r1 systemd
+
+DESCRIPTION="High performance Network IDS, IPS and Network Security Monitoring engine"
+HOMEPAGE="https://suricata-ids.org/"
+SRC_URI="https://www.openinfosecfoundation.org/download/${P}.tar.gz"
+
+LICENSE="GPL-2"
+SLOT="0"
+KEYWORDS="~amd64 ~x86"
+IUSE="+af-packet bpf control-socket cuda debug +detection geoip hardened logrotate lua luajit lz4 nflog +nfqueue redis +rules systemd test tools"
+
+RESTRICT="!test? ( test )"
+
+REQUIRED_USE="?? ( lua luajit )
+	bpf? ( af-packet )
+	tools? ( ${PYTHON_REQUIRED_USE} )"
+
+CDEPEND="acct-group/suricata
+	acct-user/suricata
+	dev-libs/jansson
+	dev-libs/libpcre
+	dev-libs/libyaml
+	net-libs/libnet:*
+	net-libs/libnfnetlink
+	dev-libs/nspr
+	dev-libs/nss
+	>=net-libs/libhtp-0.5.31
+	net-libs/libpcap
+	sys-apps/file
+	sys-libs/libcap-ng
+	bpf?        ( >=dev-libs/libbpf-0.0.5 )
+	cuda?       ( dev-util/nvidia-cuda-toolkit )
+	geoip?      ( dev-libs/libmaxminddb )
+	logrotate?  ( app-admin/logrotate )
+	lua?        ( dev-lang/lua:* )
+	luajit?     ( dev-lang/luajit:* )
+	lz4?        ( app-arch/lz4 )
+	nflog?      ( net-libs/libnetfilter_log )
+	nfqueue?    ( net-libs/libnetfilter_queue )
+	redis?      ( dev-libs/hiredis )
+	tools?      ( dev-python/pyyaml[${PYTHON_USEDEP}] )"
+DEPEND="${CDEPEND}
+	dev-lang/rust"
+# Not confirmed that it works yet
+#	test? ( dev-util/coccinelle )"
+RDEPEND="${CDEPEND}
+	tools? ( ${PYTHON_DEPS} )"
+
+PATCHES=(
+	"${FILESDIR}/${PN}-5.0.0_configure-lua-flags.patch"
+	"${FILESDIR}/${PN}-5.0.0_configure-no-lz4-automagic.patch"
+	"${FILESDIR}/${PN}-5.0.0_default-config.patch"
+)
+
+pkg_pretend() {
+	if use bpf && use kernel_linux; then
+		if kernel_is -lt 4 15; then
+			ewarn "Kernel 4.15 or newer is necessary to use all XDP features like the CPU redirect map"
+		fi
+
+		CONFIG_CHECK="~XDP_SOCKETS"
+		ERROR_XDP_SOCKETS="CONFIG_XDP_SOCKETS is not set, making it impossible for Suricata will to load XDP programs. "
+		ERROR_XDP_SOCKETS+="Other eBPF features should work normally."
+		check_extra_config
+	fi
+}
+
+src_prepare() {
+	default
+	sed -ie 's/docdir =.*/docdir = ${datarootdir}\/doc\/'${PF}'\//' "${S}/doc/Makefile.am"
+	eautoreconf
+}
+
+src_configure() {
+	local myeconfargs=(
+		"--localstatedir=/var" \
+		"--enable-non-bundled-htp" \
+		"--enable-gccmarch-native=no" \
+		$(use_enable af-packet) \
+		$(use_enable bpf ebpf) \
+		$(use_enable control-socket unix-socket) \
+		$(use_enable cuda) \
+		$(use_enable detection) \
+		$(use_enable geoip) \
+		$(use_enable hardened gccprotect) \
+		$(use_enable hardened pie) \
+		$(use_enable lua) \
+		$(use_enable luajit) \
+		$(use_enable lz4) \
+		$(use_enable nflog) \
+		$(use_enable nfqueue) \
+		$(use_enable redis hiredis) \
+		$(use_enable test coccinelle) \
+		$(use_enable test unittests) \
+		$(use_enable tools python)
+	)
+
+	if use debug; then
+		myeconfargs+=( $(use_enable debug) )
+		# so we can get a backtrace according to "reporting bugs" on upstream web site
+		CFLAGS="-ggdb -O0" econf ${myeconfargs[@]}
+	else
+		econf ${myeconfargs[@]}
+	fi
+}
+
+src_install() {
+	emake DESTDIR="${D}" install
+
+	if use bpf; then
+		rm -f ebpf/Makefile.{am,in}
+		dodoc -r ebpf/
+		keepdir /usr/libexec/suricata/ebpf
+	fi
+
+	insinto "/etc/${PN}"
+	doins etc/{classification,reference}.config threshold.config suricata.yaml
+
+	if use rules; then
+		insinto "/etc/${PN}/rules"
+		doins rules/*.rules
+	fi
+
+	keepdir "/var/lib/${PN}"
+	keepdir "/var/log/${PN}"
+
+	fowners -R ${PN}: "/var/lib/${PN}" "/var/log/${PN}" "/etc/${PN}"
+	fperms 750 "/var/lib/${PN}" "/var/log/${PN}" "/etc/${PN}"
+
+	newinitd "${FILESDIR}/${PN}-4.0.4-init" ${PN}
+	newconfd "${FILESDIR}/${PN}-4.0.4-conf" ${PN}
+	systemd_dounit "${FILESDIR}"/${PN}.service
+	systemd_newtmpfilesd "${FILESDIR}"/${PN}.tmpfiles ${PN}.conf
+
+	if use logrotate; then
+		insopts -m0644
+		insinto /etc/logrotate.d
+		newins etc/${PN}.logrotate ${PN}
+	fi
+}
+
+pkg_postinst() {
+	if ! use systemd; then
+		elog "The ${PN} init script expects to find the path to the configuration"
+		elog "file as well as extra options in /etc/conf.d."
+		elog ""
+		elog "To create more than one ${PN} service, simply create a new .yaml file for it"
+		elog "then create a symlink to the init script from a link called"
+		elog "${PN}.foo - like so"
+		elog "   cd /etc/${PN}"
+		elog "   ${EDITOR##*/} suricata-foo.yaml"
+		elog "   cd /etc/init.d"
+		elog "   ln -s ${PN} ${PN}.foo"
+		elog "Then edit /etc/conf.d/${PN} and make sure you specify sensible options for foo."
+		elog ""
+		elog "You can create as many ${PN}.foo* services as you wish."
+	fi
+
+	if use bpf; then
+		elog "eBPF/XDP files must be compiled (using sys-devel/clang[llvm_targets_BPF]) before use"
+		elog "because their configuration is hard-coded. You can find the default ones in"
+		elog "    ${EPREFIX}/usr/share/doc/${PF}"
+		elog "and the common location for eBPF bytecode is"
+		elog "    ${EPREFIX}/usr/libexec/${PN}"
+		elog "For more information, see https://${PN}.readthedocs.io/en/${P}/capture-hardware/ebpf-xdp.html"
+	fi
+
+	if use logrotate; then
+		elog "You enabled the logrotate USE flag. Please make sure you correctly set up the ${PN} logrotate config file in /etc/logrotate.d/."
+	fi
+
+	if use debug; then
+		elog "You enabled the debug USE flag. Please read this link to report bugs upstream:"
+		elog "https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Reporting_Bugs"
+		elog "You need to also ensure the FEATURES variable in make.conf contains the"
+		elog "'nostrip' option to produce useful core dumps or back traces."
+	fi
+}
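Review bot: in src_prepare, `sed -ie 's/docdir =.*/.../' "${S}/doc/Makefile.am"` is `-i` with the backup suffix `e`, not `-i -e`; it edits in place but also leaves `doc/Makefile.ame` behind, and the call has no `|| die`, so a failed substitution goes unnoticed. Write `sed -i -e '...' doc/Makefile.am || die`. Further points in this hunk: (1) python-single-r1 is inherited with a conditional `tools? ( ${PYTHON_REQUIRED_USE} )`, but no pkg_setup guards the eclass setup behind the flag; the usual form is `pkg_setup() { use tools && python-single-r1_pkg_setup; }` so the interpreter is only selected, and exported to `--enable-python`, when requested. (2) `$(use_enable test coccinelle)` passes `--enable-coccinelle` under USE=test while the `dev-util/coccinelle` dependency is commented out as "Not confirmed that it works yet"; drop the switch or confirm and add the dependency. (3) In EAPI 7 `dev-lang/rust` is a build tool and belongs in BDEPEND rather than DEPEND, and the `CDEPEND` helper is not an EAPI 7 convention. (4) `econf ${myeconfargs[@]}` should be quoted as `"${myeconfargs[@]}"`, and the trailing backslashes inside the array literal are unnecessary. (5) The ERROR_XDP_SOCKETS text reads "impossible for Suricata will to load XDP programs"; drop "will".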

