* [gentoo-commits] repo/gentoo:master commit in: net-analyzer/suricata/, net-analyzer/suricata/files/
@ 2015-11-30 6:10 Slawek Lis
0 siblings, 0 replies; 11+ messages in thread
From: Slawek Lis @ 2015-11-30 6:10 UTC (permalink / raw
To: gentoo-commits
commit: 1cccc7fc24794b31f27225822e9017bdf39187e5
Author: Slawomir Lis <slis <AT> gentoo <DOT> org>
AuthorDate: Mon Nov 30 06:13:41 2015 +0000
Commit: Slawek Lis <slis <AT> gentoo <DOT> org>
CommitDate: Mon Nov 30 06:13:41 2015 +0000
URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=1cccc7fc
Added suricata ebuild (#437564)
Package-Manager: portage-2.2.26
net-analyzer/suricata/Manifest | 1 +
.../suricata/files/fortify_source-numeric.patch | 11 ++
net-analyzer/suricata/files/json.patch | 10 ++
net-analyzer/suricata/files/magic-location.patch | 13 +++
net-analyzer/suricata/metadata.xml | 16 +++
net-analyzer/suricata/suricata-2.0.10.ebuild | 119 +++++++++++++++++++++
6 files changed, 170 insertions(+)
diff --git a/net-analyzer/suricata/Manifest b/net-analyzer/suricata/Manifest
new file mode 100644
index 0000000..77f17d0
--- /dev/null
+++ b/net-analyzer/suricata/Manifest
@@ -0,0 +1 @@
+DIST suricata-2.0.10.tar.gz 3090730 SHA256 c8d1d3b6ce3d2a56577fca224424071afd921739d3859efc8a62229556d4beef SHA512 fa3683a93d85b26166b0f67a85f1a498941aadf4372ef98bd7fe62fcdef150af46b65456e3a764e054c385abbf44138ae6f70882c68ba320508eade6e181f2c6 WHIRLPOOL b867003e76df2b0b1b56c89415ed96acbf9d8966739d77aa303055d29ae5cdad8ad0b58e969336f0c1fc2e5d9990941622c19c062828dae58bf062f5662225f3
diff --git a/net-analyzer/suricata/files/fortify_source-numeric.patch b/net-analyzer/suricata/files/fortify_source-numeric.patch
new file mode 100644
index 0000000..0a7f482
--- /dev/null
+++ b/net-analyzer/suricata/files/fortify_source-numeric.patch
@@ -0,0 +1,11 @@
+--- a/src/suricata.c 2015-10-02 00:21:55.634213646 +0200
++++ b/src/suricata.c 2015-10-02 00:22:39.143940007 +0200
+@@ -774,7 +774,7 @@
+ printf("compiled with -fstack-protector-all\n");
+ #endif
+ #ifdef _FORTIFY_SOURCE
+- printf("compiled with _FORTIFY_SOURCE=%d\n", _FORTIFY_SOURCE);
++ printf("compiled with _FORTIFY_SOURCE\n");
+ #endif
+ #ifdef CLS
+ printf("L1 cache line size (CLS)=%d\n", CLS);
diff --git a/net-analyzer/suricata/files/json.patch b/net-analyzer/suricata/files/json.patch
new file mode 100644
index 0000000..a542f35
--- /dev/null
+++ b/net-analyzer/suricata/files/json.patch
@@ -0,0 +1,10 @@
+--- src/output-json.h.orig 2015-11-21 21:56:24.996289587 +0100
++++ src/output-json.h 2015-11-21 21:57:11.419622642 +0100
+@@ -28,6 +28,7 @@
+
+ #ifdef HAVE_LIBJANSSON
+
++#include <jansson.h>
+ #include "suricata-common.h"
+ #include "util-buffer.h"
+ #include "util-logopenfile.h"
diff --git a/net-analyzer/suricata/files/magic-location.patch b/net-analyzer/suricata/files/magic-location.patch
new file mode 100644
index 0000000..02681f9
--- /dev/null
+++ b/net-analyzer/suricata/files/magic-location.patch
@@ -0,0 +1,13 @@
+diff --git a/configure.ac b/configure.ac
+index 8b41eb0..3cdf0e7 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -182,7 +182,7 @@
+ fi
+ echo -n "installation for $host OS... "
+
+- e_magic_file="/usr/share/file/magic"
++ e_magic_file="/usr/share/misc/magic.mgc"
+ case "$host" in
+ *-*-*freebsd*)
+ LUA_PC_NAME="lua-5.1"
diff --git a/net-analyzer/suricata/metadata.xml b/net-analyzer/suricata/metadata.xml
new file mode 100644
index 0000000..34c1b31
--- /dev/null
+++ b/net-analyzer/suricata/metadata.xml
@@ -0,0 +1,16 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE pkgmetadata SYSTEM "http://www.gentoo.org/dtd/metadata.dtd">
+<pkgmetadata>
+ <maintainer>
+ <email>slis@gentoo.org</email>
+ </maintainer>
+ <use>
+ <flag name="af-packet">Enable AF_PACKET support</flag>
+ <flag name="control-socket">Enable unix socket</flag>
+ <flag name="cuda">Enable NVIDIA Cuda computations support</flag>
+ <flag name="luajit">Enable Luajit support</flag>
+ <flag name="nflog">Enable libnetfilter_log support</flag>
+ <flag name="nfqueue">Enable AF_PACKET support</flag>
+ <flag name="rules">Enable AF_PACKET support</flag>
+ </use>
+</pkgmetadata>
diff --git a/net-analyzer/suricata/suricata-2.0.10.ebuild b/net-analyzer/suricata/suricata-2.0.10.ebuild
new file mode 100644
index 0000000..40b2740
--- /dev/null
+++ b/net-analyzer/suricata/suricata-2.0.10.ebuild
@@ -0,0 +1,119 @@
+# Copyright 1999-2015 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Id$
+
+EAPI=5
+
+inherit autotools eutils user
+
+DESCRIPTION="High performance Network IDS, IPS and Network Security Monitoring engine"
+HOMEPAGE="http://suricata-ids.org/"
+SRC_URI="http://www.openinfosecfoundation.org/download/${P}.tar.gz"
+
+LICENSE="GPL-2"
+SLOT="0"
+KEYWORDS="~amd64 ~x86"
+IUSE="+af-packet control-socket cuda debug geoip hardened lua luajit nflog +nfqueue +rules test"
+
+DEPEND="
+ >=dev-libs/jansson-2.2
+ dev-libs/libpcre
+ dev-libs/libyaml
+ net-libs/libnet:*
+ net-libs/libnfnetlink
+ dev-libs/nspr
+ dev-libs/nss
+ net-libs/libpcap
+ sys-apps/file
+ cuda? ( dev-util/nvidia-cuda-toolkit )
+ geoip? ( dev-libs/geoip )
+ lua? ( dev-lang/lua:* )
+ luajit? ( dev-lang/luajit:* )
+ nflog? ( net-libs/libnetfilter_log )
+ nfqueue? ( net-libs/libnetfilter_queue )
+"
+# #446814
+# prelude? ( dev-libs/libprelude )
+# pfring? ( sys-process/numactl net-libs/pf_ring)
+# system-htp? ( >=net-analyzer/htp-0.5.5 )
+RDEPEND="${DEPEND}"
+
+pkg_setup() {
+ enewgroup ${PN}
+ enewuser ${PN} -1 -1 /var/lib/${PN} "${PN}"
+}
+
+src_prepare() {
+ epatch "${FILESDIR}/fortify_source-numeric.patch"
+ epatch "${FILESDIR}/magic-location.patch"
+ epatch "${FILESDIR}/json.patch"
+
+ eautoreconf
+}
+
+src_configure() {
+ local myeconfargs=(
+ "--localstatedir=/var/" \
+ "--disable-detection" \
+ $(use_enable af-packet) \
+ $(use_enable nfqueue) \
+ $(use_enable test coccinelle) \
+ $(use_enable test unittests) \
+ $(use_enable control-socket unix-socket)
+ )
+
+ if use cuda ; then
+ myeconfargs+=( $(use_enable cuda) )
+ fi
+ if use debug ; then
+ myeconfargs+=( $(use_enable debug) )
+ fi
+ if use geoip ; then
+ myeconfargs+=( $(use_enable geoip) )
+ fi
+ if use hardened ; then
+ myeconfargs+=( $(use_enable hardened gccprotect) )
+ fi
+ if use nflog ; then
+ myeconfargs+=( $(use_enable nflog) )
+ fi
+ # not supported yet (no pfring in portage)
+# if use pfring ; then
+# myeconfargs+=( $(use_enable pfring) )
+# fi
+ # no libprelude in portage
+# if use prelude ; then
+# myeconfargs+=( $(use_enable prelude) )
+# fi
+ # htp not added into portage yet
+# if use system-htp ; then
+# myeconfargs+=( $(use_enable system-htp non-bundled-htp) )
+# fi
+ if use lua ; then
+ myeconfargs+=( $(use_enable lua) )
+ fi
+ if use luajit ; then
+ myeconfargs+=( $(use_enable luajit) )
+ fi
+
+ LIBS+="-lrt -lnuma"
+
+ econf LIBS="${LIBS}" ${myeconfargs[@]}
+}
+
+src_install() {
+ emake DESTDIR="${D}" install
+
+ insinto "/etc/${PN}"
+ doins {classification,reference,threshold}.config suricata.yaml
+
+ if use rules ; then
+ insinto "/etc/${PN}/rules"
+ doins rules/*.rules
+ fi
+
+ dodir "/var/lib/${PN}"
+ dodir "/var/log/${PN}"
+ fowners -R ${PN}: "/var/lib/${PN}" "/var/log/${PN}" "/etc/${PN}"
+ fperms 750 "/var/lib/${PN}" "/var/log/${PN}" "/etc/${PN}"
+}
\ No newline at end of file
^ permalink raw reply related [flat|nested] 11+ messages in thread
* [gentoo-commits] repo/gentoo:master commit in: net-analyzer/suricata/, net-analyzer/suricata/files/
@ 2016-12-27 7:33 Slawek Lis
0 siblings, 0 replies; 11+ messages in thread
From: Slawek Lis @ 2016-12-27 7:33 UTC (permalink / raw
To: gentoo-commits
commit: a43050c1456321619ef97dfdeb5a158593fef58d
Author: Slawomir Lis <slis <AT> gentoo <DOT> org>
AuthorDate: Tue Dec 27 07:33:10 2016 +0000
Commit: Slawek Lis <slis <AT> gentoo <DOT> org>
CommitDate: Tue Dec 27 07:33:10 2016 +0000
URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=a43050c1
net-analyzer/suricata: updated init script and config file
Updated way the script starts suricata, it allows to define config values
inline now.
Details in bug 602590.
Package-Manager: Portage-2.3.3, Repoman-2.3.1
net-analyzer/suricata/files/suricata-3.2-conf | 4 ++--
net-analyzer/suricata/files/suricata-3.2-init | 26 ++++++++++++--------------
net-analyzer/suricata/suricata-3.2.ebuild | 2 --
3 files changed, 14 insertions(+), 18 deletions(-)
diff --git a/net-analyzer/suricata/files/suricata-3.2-conf b/net-analyzer/suricata/files/suricata-3.2-conf
index bc6e281..61715ba 100644
--- a/net-analyzer/suricata/files/suricata-3.2-conf
+++ b/net-analyzer/suricata/files/suricata-3.2-conf
@@ -23,8 +23,8 @@
#
# You can then define the following options here:
-# SURICATA_OPTS_q0="-i eth0"
-# SURICATA_OPTS_q1="-i eth1"
+# SURICATA_OPTS_q0="-q 0"
+# SURICATA_OPTS_q1="-q 1"
# If you want to use ${SURICATA_DIR}/suricata.yaml and start the service with /etc/init.d/suricata
# then you can set:
diff --git a/net-analyzer/suricata/files/suricata-3.2-init b/net-analyzer/suricata/files/suricata-3.2-init
index 3a9c356..d612815 100644
--- a/net-analyzer/suricata/files/suricata-3.2-init
+++ b/net-analyzer/suricata/files/suricata-3.2-init
@@ -16,6 +16,7 @@ else
SURICATAPID="/var/run/suricata/suricata.pid"
SURICATAOPTS=${SURICATA_OPTS}
fi
+[ -e ${SURICATACONF} ] && SURICATAOPTS="${SURICATAOPTS} -c ${SURICATACONF}"
extra_commands="checkconfig"
extra_started_commands="reload relog"
@@ -28,8 +29,9 @@ depend() {
checkconfig() {
if [ ! -e ${SURICATACONF} ] ; then
- eerror "You need to create ${SURICATACONF} to run ${SVCNAME}."
- return 1
+ einfo "The configuration file ${SURICATACONF} was not found."
+ einfo "If this is OK then make sure you set enough options for ${SVCNAME} in /etc/conf.d/suricata."
+ einfo "Take a look at the suricata arguments --set and --dump-config."
fi
if [ ! -d "/var/run/suricata" ] ; then
checkpath -d /var/run/suricata
@@ -37,7 +39,7 @@ checkconfig() {
}
initpidinfo() {
- [ -f ${SURICATAPID} ] && SUR_PID="$(cat ${SURICATAPID})"
+ [ -e ${SURICATAPID} ] && SUR_PID="$(cat ${SURICATAPID})"
if [ ${#SUR_PID} -gt 0 ]; then
SUR_PID_CHECK="$(ps -eo pid | grep -c ${SUR_PID})"
SUR_USER="$(ps -p ${SUR_PID} --no-headers -o user)"
@@ -46,7 +48,7 @@ initpidinfo() {
checkpidinfo() {
initpidinfo
- if [ ! -f ${SURICATAPID} ]; then
+ if [ ! -e ${SURICATAPID} ]; then
eerror "${SVCNAME} isn't running"
return 1
elif [ ${#SUR_PID} -eq 0 ] || [ $((SUR_PID_CHECK)) -ne 1 ]; then
@@ -65,12 +67,11 @@ start() {
checkconfig || return 1
ebegin "Starting ${SVCNAME}"
start-stop-daemon --start --quiet --exec ${SURICATA_BIN} \
- -- --pidfile ${SURICATAPID} -D ${SURICATAOPTS} \
- -c ${SURICATACONF} >/dev/null 2>&1
+ -- --pidfile ${SURICATAPID} -D ${SURICATAOPTS} >/dev/null 2>&1
local SUR_EXIT=$?
if [ $((SUR_EXIT)) -ne 0 ]; then
einfo "Could not start ${SURICATA_BIN} with:"
- einfo "--pidfile ${SURICATAPID} -D ${SURICATAOPTS} -c ${SURICATACONF}"
+ einfo "--pidfile ${SURICATAPID} -D ${SURICATAOPTS}"
einfo "Exit code ${SUR_EXIT}"
fi
eend ${SUR_EXIT}
@@ -80,14 +81,13 @@ stop() {
ebegin "Stopping ${SVCNAME}"
initpidinfo
start-stop-daemon --stop --quiet --pidfile ${SURICATAPID} >/dev/null 2>&1
- einfon "Waiting for ${SVCNAME} to shut down. This can take a while..."
- echo
+ einfo "Waiting for ${SVCNAME} to shut down. This can take a while..."
# max wait: 5 minutes as it can take quite a while on some systems with heavy traffic
local cnt=300
- while [ -f ${SURICATAPID} ] && [ $cnt -gt 0 ]; do
+ while [ -e ${SURICATAPID} ] && [ $cnt -gt 0 ]; do
cnt=$(expr $cnt - 1)
sleep 1
- echo -ne "$cnt seconds left before we give up checking the PID file...\r"
+ einfo -ne "$cnt seconds left before we give up checking the PID file...\r"
done
# under certain conditions suricata can be pretty slow and the PID can persist long after the pidfile has been removed
# max wait for process to terminate: 1 minute
@@ -95,19 +95,17 @@ stop() {
cnt=60
SUR_PID_CHECK="$(ps -eo pid | grep -c ${SUR_PID})"
if [ $((SUR_PID_CHECK)) -ne 0 ]; then
- echo
einfo "The PID file ${SURICATAPID} is gone but the ${SVCNAME} PID ${SUR_PID} is still running."
einfo "Waiting for process to shut down on its own. This can take a while..."
fi
while [ $((SUR_PID_CHECK)) -ne 0 ]; do
cnt=$(expr $cnt - 1)
if [ $cnt -lt 1 ] ; then
- echo
eend 1 "Failed. You might need to kill PID ${SUR_PID} or find out why it can't be stopped."
break
fi
sleep 1
- echo -ne "$cnt seconds left before we give up checking PID ${SUR_PID}...\r"
+ einfo -ne "$cnt seconds left before we give up checking PID ${SUR_PID}...\r"
SUR_PID_CHECK="$(ps -eo pid | grep -c ${SUR_PID})"
done
fi
diff --git a/net-analyzer/suricata/suricata-3.2.ebuild b/net-analyzer/suricata/suricata-3.2.ebuild
index 078186b..ba4903c 100644
--- a/net-analyzer/suricata/suricata-3.2.ebuild
+++ b/net-analyzer/suricata/suricata-3.2.ebuild
@@ -118,8 +118,6 @@ src_install() {
dodir "/var/lib/${PN}"
dodir "/var/log/${PN}"
- dodir "/var/log/${PN}" \
- "/var/lib/${PN}"
fowners -R ${PN}: "/var/lib/${PN}" "/var/log/${PN}" "/etc/${PN}"
fperms 750 "/var/lib/${PN}" "/var/log/${PN}" "/etc/${PN}"
^ permalink raw reply related [flat|nested] 11+ messages in thread
* [gentoo-commits] repo/gentoo:master commit in: net-analyzer/suricata/, net-analyzer/suricata/files/
@ 2016-12-28 9:34 Slawek Lis
0 siblings, 0 replies; 11+ messages in thread
From: Slawek Lis @ 2016-12-28 9:34 UTC (permalink / raw
To: gentoo-commits
commit: a382935f837f6a18529793813228cb2731e9d36f
Author: Slawomir Lis <slis <AT> gentoo <DOT> org>
AuthorDate: Wed Dec 28 09:34:11 2016 +0000
Commit: Slawek Lis <slis <AT> gentoo <DOT> org>
CommitDate: Wed Dec 28 09:34:11 2016 +0000
URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=a382935f
net-analyzer/suricata: Updated suricata logging and added logrotate file
I've also bumped revision number, as there are many changes, and those fixes
should finally close bug 602590.
Thanks to Vieri <rentorbuy <AT> yahoo.com> for support.
Package-Manager: Portage-2.3.3, Repoman-2.3.1
net-analyzer/suricata/files/suricata-3.2-conf | 11 +-
net-analyzer/suricata/files/suricata-3.2-init | 28 +++--
net-analyzer/suricata/files/suricata-logrotate | 6 +
net-analyzer/suricata/metadata.xml | 1 +
net-analyzer/suricata/suricata-3.2-r1.ebuild | 161 +++++++++++++++++++++++++
5 files changed, 189 insertions(+), 18 deletions(-)
diff --git a/net-analyzer/suricata/files/suricata-3.2-conf b/net-analyzer/suricata/files/suricata-3.2-conf
index d900ade..fc6885d 100644
--- a/net-analyzer/suricata/files/suricata-3.2-conf
+++ b/net-analyzer/suricata/files/suricata-3.2-conf
@@ -41,11 +41,6 @@ SURICATA_OPTS="-i eth0"
# Log paths listed here will be created by the init script and will override the log path
# set in the yaml file, if present.
-# SURICATA_LOG_PATH_q0="/var/log/suricata/q0"
-# SURICATA_LOG_PATH_q1="/var/log/suricata/q1"
-# SURICATA_LOG_PATH="/var/log/suricata"
-# SURICATA_LOG_FILE="suricata.log"
-
-# You can view all the available options you can set with --set
-# and check the full config settings in an easily parsable format.
-# SURICATA_DUMP=1
+# SURICATA_LOG_FILE_q0="/var/log/suricata/q0/suricata.log"
+# SURICATA_LOG_FILE_q1="/var/log/suricata/q1/suricata.log"
+# SURICATA_LOG_FILE="/var/log/suricata/suricata.log"
diff --git a/net-analyzer/suricata/files/suricata-3.2-init b/net-analyzer/suricata/files/suricata-3.2-init
index 3ec6afd..1717dbb 100644
--- a/net-analyzer/suricata/files/suricata-3.2-init
+++ b/net-analyzer/suricata/files/suricata-3.2-init
@@ -12,18 +12,23 @@ if [ -n "${SURICATA}" ] && [ ${SVCNAME} != "suricata" ]; then
[ ${#SURICATACONF} -eq 0 ] && SURICATACONF="${SURICATA_DIR}/suricata-${SURICATA}.yaml" || SURICATACONF="${SURICATA_DIR}/${SURICATACONF}"
SURICATAPID="/var/run/suricata/suricata.${SURICATA}.pid"
eval SURICATAOPTS=\$SURICATA_OPTS_${SURICATAID}
- eval SURICATALOGPATH=\$SURICATA_LOG_PATH_${SURICATAID}
+ eval SURICATALOGPATH=\$SURICATA_LOG_FILE_${SURICATAID}
else
SURICATACONF=${SURICATA_CONF}
[ ${#SURICATACONF} -eq 0 ] && SURICATACONF="${SURICATA_DIR}/suricata.yaml" || SURICATACONF="${SURICATA_DIR}/${SURICATACONF}"
SURICATAPID="/var/run/suricata/suricata.pid"
SURICATAOPTS=${SURICATA_OPTS}
- SURICATALOGPATH=${SURICATA_LOG_PATH}
+ SURICATALOGPATH=${SURICATA_LOG_FILE}
fi
[ -e ${SURICATACONF} ] && SURICATAOPTS="${SURICATAOPTS} -c ${SURICATACONF}"
-extra_commands="checkconfig"
+description="Suricata IDS/IPS"
+extra_commands="checkconfig dump"
+description_checkconfig="Check config for ${SVCNAME}"
+description_dump="List all config values that can be used with --set"
extra_started_commands="reload relog"
+description_reload="Live rule and config reload"
+description_relog="Close and re-open all log files"
depend() {
need net
@@ -41,10 +46,12 @@ checkconfig() {
checkpath -d /var/run/suricata
fi
if [ ${#SURICATALOGPATH} -gt 0 ]; then
+ SURICATALOGFILE=$( basename ${SURICATA_LOG_FILE} )
+ SURICATALOGFILE=${SURICATALOGFILE:-suricata.log}
+ SURICATALOGPATH=$( dirname ${SURICATALOGPATH} )
if [ ! -d "${SURICATALOGPATH}" ] ; then
checkpath -d "${SURICATALOGPATH}"
fi
- SURICATALOGFILE=${SURICATA_LOG_FILE:-suricata.log}
SURICATAOPTS="${SURICATAOPTS} --set logging.outputs.1.file.filename=${SURICATALOGPATH}/${SURICATALOGFILE}"
SURICATALOGPATH="-l ${SURICATALOGPATH}"
fi
@@ -77,12 +84,6 @@ checkpidinfo() {
start() {
checkconfig || return 1
- if [ $((SURICATA_DUMP)) -eq 1 ]; then
- einfo "Dumping ${SVCNAME} config values and quitting."
- ${SURICATA_BIN} --dump-config --pidfile ${SURICATAPID} ${SURICATAOPTS} ${SURICATALOGPATH}
- einfo "You need to disable SURICATA_DUMP to start ${SVCNAME}."
- return 1
- fi
ebegin "Starting ${SVCNAME}"
start-stop-daemon --start --quiet --exec ${SURICATA_BIN} \
-- --pidfile ${SURICATAPID} -D ${SURICATAOPTS} ${SURICATALOGPATH} >/dev/null 2>&1
@@ -145,3 +146,10 @@ relog() {
start-stop-daemon --signal HUP --pidfile ${SURICATAPID}
eend $?
}
+
+dump() {
+ checkconfig || return 1
+ ebegin "Dumping ${SVCNAME} config values and quitting."
+ ${SURICATA_BIN} --dump-config --pidfile ${SURICATAPID} ${SURICATAOPTS} ${SURICATALOGPATH}
+ eend $?
+}
diff --git a/net-analyzer/suricata/files/suricata-logrotate b/net-analyzer/suricata/files/suricata-logrotate
new file mode 100644
index 00000000..0dc145b
--- /dev/null
+++ b/net-analyzer/suricata/files/suricata-logrotate
@@ -0,0 +1,6 @@
+/var/log/suricata/* {
+ missingok
+ postrotate
+ /etc/init.d/suricata reload
+ endscript
+}
diff --git a/net-analyzer/suricata/metadata.xml b/net-analyzer/suricata/metadata.xml
index e538ae1..58878c6 100644
--- a/net-analyzer/suricata/metadata.xml
+++ b/net-analyzer/suricata/metadata.xml
@@ -14,5 +14,6 @@
<flag name="nfqueue">Enable NFQUEUE support for inline IDP</flag>
<flag name="redis">Enable Redis support</flag>
<flag name="rules">Install default ruleset</flag>
+ <flag name="logrotate">Install logrotate rule</flag>
</use>
</pkgmetadata>
diff --git a/net-analyzer/suricata/suricata-3.2-r1.ebuild b/net-analyzer/suricata/suricata-3.2-r1.ebuild
new file mode 100644
index 00000000..816a69d
--- /dev/null
+++ b/net-analyzer/suricata/suricata-3.2-r1.ebuild
@@ -0,0 +1,161 @@
+# Copyright 1999-2016 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Id$
+
+EAPI=5
+
+inherit autotools eutils user
+
+DESCRIPTION="High performance Network IDS, IPS and Network Security Monitoring engine"
+HOMEPAGE="http://suricata-ids.org/"
+SRC_URI="http://www.openinfosecfoundation.org/download/${P}.tar.gz"
+
+LICENSE="GPL-2"
+SLOT="0"
+KEYWORDS="~amd64 ~x86"
+IUSE="+af-packet control-socket cuda debug +detection geoip hardened logrotate lua luajit nflog +nfqueue redis +rules test"
+
+DEPEND="
+ >=dev-libs/jansson-2.2
+ dev-libs/libpcre
+ dev-libs/libyaml
+ net-libs/libnet:*
+ net-libs/libnfnetlink
+ dev-libs/nspr
+ dev-libs/nss
+ >=net-libs/libhtp-0.5.20
+ net-libs/libpcap
+ sys-apps/file
+ cuda? ( dev-util/nvidia-cuda-toolkit )
+ geoip? ( dev-libs/geoip )
+ lua? ( dev-lang/lua:* )
+ luajit? ( dev-lang/luajit:* )
+ nflog? ( net-libs/libnetfilter_log )
+ nfqueue? ( net-libs/libnetfilter_queue )
+ redis? ( dev-libs/hiredis )
+ logrotate? ( app-admin/logrotate )
+"
+# #446814
+# prelude? ( dev-libs/libprelude )
+# pfring? ( sys-process/numactl net-libs/pf_ring)
+RDEPEND="${DEPEND}"
+
+pkg_setup() {
+ enewgroup ${PN}
+ enewuser ${PN} -1 -1 /var/lib/${PN} "${PN}"
+}
+
+src_prepare() {
+ eautoreconf
+}
+
+src_configure() {
+ local myeconfargs=(
+ "--localstatedir=/var/" \
+ "--enable-non-bundled-htp" \
+ $(use_enable af-packet) \
+ $(use_enable detection) \
+ $(use_enable nfqueue) \
+ $(use_enable test coccinelle) \
+ $(use_enable test unittests) \
+ $(use_enable control-socket unix-socket)
+ )
+
+ if use cuda ; then
+ myeconfargs+=( $(use_enable cuda) )
+ fi
+ if use geoip ; then
+ myeconfargs+=( $(use_enable geoip) )
+ fi
+ if use hardened ; then
+ myeconfargs+=( $(use_enable hardened gccprotect) )
+ fi
+ if use nflog ; then
+ myeconfargs+=( $(use_enable nflog) )
+ fi
+ if use redis ; then
+ myeconfargs+=( $(use_enable redis hiredis) )
+ fi
+ # not supported yet (no pfring in portage)
+# if use pfring ; then
+# myeconfargs+=( $(use_enable pfring) )
+# fi
+ # no libprelude in portage
+# if use prelude ; then
+# myeconfargs+=( $(use_enable prelude) )
+# fi
+ if use lua ; then
+ myeconfargs+=( $(use_enable lua) )
+ fi
+ if use luajit ; then
+ myeconfargs+=( $(use_enable luajit) )
+ fi
+
+# this should be used when pf_ring use flag support will be added
+# LIBS+="-lrt -lnuma"
+
+ # avoid upstream configure script trying to add -march=native to CFLAGS
+ myeconfargs+=( --enable-gccmarch-native=no )
+
+ if use debug ; then
+ myeconfargs+=( $(use_enable debug) )
+ # so we can get a backtrace according to "reporting bugs" on upstream web site
+ CFLAGS="-ggdb -O0" econf LIBS="${LIBS}" ${myeconfargs[@]}
+ else
+ econf LIBS="${LIBS}" ${myeconfargs[@]}
+ fi
+}
+
+src_install() {
+ emake DESTDIR="${D}" install
+
+ insinto "/etc/${PN}"
+ doins {classification,reference,threshold}.config suricata.yaml
+
+ if use rules ; then
+ insinto "/etc/${PN}/rules"
+ doins rules/*.rules
+ fi
+
+ dodir "/var/lib/${PN}"
+ dodir "/var/log/${PN}"
+ dodir "/var/log/${PN}" \
+ "/var/lib/${PN}"
+
+ fowners -R ${PN}: "/var/lib/${PN}" "/var/log/${PN}" "/etc/${PN}"
+ fperms 750 "/var/lib/${PN}" "/var/log/${PN}" "/etc/${PN}"
+
+ newinitd "${FILESDIR}/${P}-init" ${PN}
+ newconfd "${FILESDIR}/${P}-conf" ${PN}
+
+ if use logrotate; then
+ insopts -m0644
+ insinto /etc/logrotate.d
+ newins "${FILESDIR}"/${PN}.logrotate ${PN}
+ fi
+}
+
+pkg_postinst() {
+ elog "The ${PN} init script expects to find the path to the configuration"
+ elog "file as well as extra options in /etc/conf.d."
+ elog ""
+ elog "To create more than one ${PN} service, simply create a new .yaml file for it"
+ elog "then create a symlink to the init script from a link called"
+ elog "${PN}.foo - like so"
+ elog " cd /etc/${PN}"
+ elog " ${EDITOR##*/} suricata-foo.yaml"
+ elog " cd /etc/init.d"
+ elog " ln -s ${PN} ${PN}.foo"
+ elog "Then edit /etc/conf.d/${PN} and make sure you specify sensible options for foo."
+ elog ""
+ elog "You can create as many ${PN}.foo* services as you wish."
+
+ if use logrotate; then
+ elog "You enabled the logrotate USE flag. Please make sure you correctly set up the ${PN} logortate config file in /etc/logrotate.d/."
+ fi
+
+ if use debug; then
+ elog "You enabled the debug USE flag. Please read this link to report bugs upstream:"
+ elog "https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Reporting_Bugs"
+ fi
+}
^ permalink raw reply related [flat|nested] 11+ messages in thread
* [gentoo-commits] repo/gentoo:master commit in: net-analyzer/suricata/, net-analyzer/suricata/files/
@ 2016-12-28 13:10 Slawek Lis
0 siblings, 0 replies; 11+ messages in thread
From: Slawek Lis @ 2016-12-28 13:10 UTC (permalink / raw
To: gentoo-commits
commit: 2c174cb604c2c99f9d9e8ac4fab438d0aedf7ab1
Author: Slawomir Lis <slis <AT> gentoo <DOT> org>
AuthorDate: Wed Dec 28 12:59:11 2016 +0000
Commit: Slawek Lis <slis <AT> gentoo <DOT> org>
CommitDate: Wed Dec 28 12:59:11 2016 +0000
URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=2c174cb6
net-analyzer/suricata: Dropping user privs in init script
Bug #602590
Package-Manager: Portage-2.3.3, Repoman-2.3.1
net-analyzer/suricata/files/suricata-3.2-conf | 12 ++++++++-
net-analyzer/suricata/files/suricata-3.2-init | 39 ++++++++++++++++++++-------
net-analyzer/suricata/suricata-3.2-r1.ebuild | 5 ++--
3 files changed, 43 insertions(+), 13 deletions(-)
diff --git a/net-analyzer/suricata/files/suricata-3.2-conf b/net-analyzer/suricata/files/suricata-3.2-conf
index fc6885d..d8466b4 100644
--- a/net-analyzer/suricata/files/suricata-3.2-conf
+++ b/net-analyzer/suricata/files/suricata-3.2-conf
@@ -29,7 +29,7 @@
# SURICATA_CONF="suricata.yaml"
# You can define the options here:
-# NB: avoid using -l, -c and setting logging.outputs.1.file.filename as the init script will try to set them for you.
+# NB: avoid using -l, -c, --user, --group and setting logging.outputs.1.file.filename as the init script will try to set them for you.
# SURICATA_OPTS_q0="-q 0"
# SURICATA_OPTS_q1="-q 1"
@@ -44,3 +44,13 @@ SURICATA_OPTS="-i eth0"
# SURICATA_LOG_FILE_q0="/var/log/suricata/q0/suricata.log"
# SURICATA_LOG_FILE_q1="/var/log/suricata/q1/suricata.log"
# SURICATA_LOG_FILE="/var/log/suricata/suricata.log"
+
+# Run as user/group.
+# Do not define if you want to run as root or as the user defined in the yaml config file (run-as).
+# The ebuild should have created the dedicated user/group suricata:suricata for you to specify here below.
+# SURICATA_USER_q0="suricata"
+# SURICATA_GROUP_q0="suricata"
+# SURICATA_USER_q1="suricata"
+# SURICATA_GROUP_q1="suricata"
+# SURICATA_USER="suricata"
+# SURICATA_GROUP="suricata"
diff --git a/net-analyzer/suricata/files/suricata-3.2-init b/net-analyzer/suricata/files/suricata-3.2-init
index 1717dbb..b276f49 100644
--- a/net-analyzer/suricata/files/suricata-3.2-init
+++ b/net-analyzer/suricata/files/suricata-3.2-init
@@ -13,13 +13,19 @@ if [ -n "${SURICATA}" ] && [ ${SVCNAME} != "suricata" ]; then
SURICATAPID="/var/run/suricata/suricata.${SURICATA}.pid"
eval SURICATAOPTS=\$SURICATA_OPTS_${SURICATAID}
eval SURICATALOGPATH=\$SURICATA_LOG_FILE_${SURICATAID}
+ eval SURICATAUSER=\$SURICATA_USER_${SURICATAID}
+ eval SURICATAGROUP=\$SURICATA_GROUP_${SURICATAID}
else
SURICATACONF=${SURICATA_CONF}
[ ${#SURICATACONF} -eq 0 ] && SURICATACONF="${SURICATA_DIR}/suricata.yaml" || SURICATACONF="${SURICATA_DIR}/${SURICATACONF}"
SURICATAPID="/var/run/suricata/suricata.pid"
SURICATAOPTS=${SURICATA_OPTS}
SURICATALOGPATH=${SURICATA_LOG_FILE}
+ SURICATAUSER=${SURICATA_USER}
+ SURICATAGROUP=${SURICATA_GROUP}
fi
+SURICATAUSER=${SURICATAUSER:-${SURICATA_USER}}
+SURICATAGROUP=${SURICATAGROUP:-${SURICATA_GROUP}}
[ -e ${SURICATACONF} ] && SURICATAOPTS="${SURICATAOPTS} -c ${SURICATACONF}"
description="Suricata IDS/IPS"
@@ -37,11 +43,6 @@ depend() {
}
checkconfig() {
- if [ ! -e ${SURICATACONF} ] ; then
- einfo "The configuration file ${SURICATACONF} was not found."
- einfo "If this is OK then make sure you set enough options for ${SVCNAME} in /etc/conf.d/suricata."
- einfo "Take a look at the suricata arguments --set and --dump-config."
- fi
if [ ! -d "/var/run/suricata" ] ; then
checkpath -d /var/run/suricata
fi
@@ -52,9 +53,22 @@ checkconfig() {
if [ ! -d "${SURICATALOGPATH}" ] ; then
checkpath -d "${SURICATALOGPATH}"
fi
+ if [ ${#SURICATAUSER} -gt 0 ] && [ ${#SURICATAGROUP} -gt 0 ] && [ -e "${SURICATALOGPATH}" ]; then
+ chown ${SURICATAUSER}:${SURICATAGROUP} "${SURICATALOGPATH}" || return 1
+ chown ${SURICATAUSER}:${SURICATAGROUP} "${SURICATALOGPATH}"/* >/dev/null 2>&1 3>&1
+ fi
SURICATAOPTS="${SURICATAOPTS} --set logging.outputs.1.file.filename=${SURICATALOGPATH}/${SURICATALOGFILE}"
SURICATALOGPATH="-l ${SURICATALOGPATH}"
fi
+ if [ ! -e ${SURICATACONF} ] ; then
+ einfo "The configuration file ${SURICATACONF} was not found."
+ einfo "If this is OK then make sure you set enough options for ${SVCNAME} in /etc/conf.d/suricata."
+ einfo "Take a look at the suricata arguments --set and --dump-config."
+ fi
+ if [ ${#SURICATAUSER} -gt 0 ] && [ ${#SURICATAGROUP} -gt 0 ]; then
+ einfo "${SVCNAME} will run as user ${SURICATAUSER}:${SURICATAGROUP}."
+ SURICATAOPTS="${SURICATAOPTS} --user=${SURICATAUSER} --group=${SURICATAGROUP}"
+ fi
}
initpidinfo() {
@@ -77,8 +91,7 @@ checkpidinfo() {
eerror "Unable to determine user running ${SVCNAME}!"
return 1
elif [ "x${SUR_USER}" != "xroot" ]; then
- eerror "${SVCNAME} must be running as root for reload or relog to work!"
- return 1
+ ewarn "${SVCNAME} may need to be running as root or as a priviledged user for the extra commands reload and relog to work."
fi
}
@@ -135,7 +148,11 @@ reload() {
checkpidinfo || return 1
checkconfig || return 1
ebegin "Sending USR2 signal to ${SVCNAME} to perform a live rule and config reload."
- start-stop-daemon --signal USR2 --pidfile ${SURICATAPID}
+ if [ ${#SURICATAUSER} -gt 0 ] && [ ${#SURICATAGROUP} -gt 0 ]; then
+ start-stop-daemon --user ${SURICATAUSER} --group ${SURICATAGROUP} --signal USR2 --pidfile ${SURICATAPID}
+ else
+ start-stop-daemon --signal USR2 --pidfile ${SURICATAPID}
+ fi
eend $?
}
@@ -143,7 +160,11 @@ relog() {
checkpidinfo || return 1
checkconfig || return 1
ebegin "Sending HUP signal to ${SVCNAME} to close and re-open all log files."
- start-stop-daemon --signal HUP --pidfile ${SURICATAPID}
+ if [ ${#SURICATAUSER} -gt 0 ] && [ ${#SURICATAGROUP} -gt 0 ]; then
+ start-stop-daemon --user ${SURICATAUSER} --group ${SURICATAGROUP} --signal HUP --pidfile ${SURICATAPID}
+ else
+ start-stop-daemon --signal HUP --pidfile ${SURICATAPID}
+ fi
eend $?
}
diff --git a/net-analyzer/suricata/suricata-3.2-r1.ebuild b/net-analyzer/suricata/suricata-3.2-r1.ebuild
index 816a69d..ee724a5 100644
--- a/net-analyzer/suricata/suricata-3.2-r1.ebuild
+++ b/net-analyzer/suricata/suricata-3.2-r1.ebuild
@@ -34,6 +34,7 @@ DEPEND="
nfqueue? ( net-libs/libnetfilter_queue )
redis? ( dev-libs/hiredis )
logrotate? ( app-admin/logrotate )
+ sys-libs/libcap-ng
"
# #446814
# prelude? ( dev-libs/libprelude )
@@ -119,8 +120,6 @@ src_install() {
dodir "/var/lib/${PN}"
dodir "/var/log/${PN}"
- dodir "/var/log/${PN}" \
- "/var/lib/${PN}"
fowners -R ${PN}: "/var/lib/${PN}" "/var/log/${PN}" "/etc/${PN}"
fperms 750 "/var/lib/${PN}" "/var/log/${PN}" "/etc/${PN}"
@@ -151,7 +150,7 @@ pkg_postinst() {
elog "You can create as many ${PN}.foo* services as you wish."
if use logrotate; then
- elog "You enabled the logrotate USE flag. Please make sure you correctly set up the ${PN} logortate config file in /etc/logrotate.d/."
+ elog "You enabled the logrotate USE flag. Please make sure you correctly set up the ${PN} logrotate config file in /etc/logrotate.d/."
fi
if use debug; then
^ permalink raw reply related [flat|nested] 11+ messages in thread
* [gentoo-commits] repo/gentoo:master commit in: net-analyzer/suricata/, net-analyzer/suricata/files/
@ 2018-06-11 14:04 Marek Szuba
0 siblings, 0 replies; 11+ messages in thread
From: Marek Szuba @ 2018-06-11 14:04 UTC (permalink / raw
To: gentoo-commits
commit: c35f490c5944f47bdcc633d70056ee8f433c3a44
Author: Marek Szuba <marecki <AT> gentoo <DOT> org>
AuthorDate: Mon Jun 11 14:02:10 2018 +0000
Commit: Marek Szuba <marecki <AT> gentoo <DOT> org>
CommitDate: Mon Jun 11 14:04:06 2018 +0000
URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=c35f490c
net-analyzer/suricata: bump to 4.0.4 + fix Lua USE flags
Invoking maintainer timeout on both issues.
Closes: https://bugs.gentoo.org/652344
Package-Manager: Portage-2.3.40, Repoman-2.3.9
net-analyzer/suricata/Manifest | 1 +
.../files/suricata-4.0.4_configure-lua-flags.patch | 16 ++
net-analyzer/suricata/suricata-4.0.4.ebuild | 168 +++++++++++++++++++++
3 files changed, 185 insertions(+)
diff --git a/net-analyzer/suricata/Manifest b/net-analyzer/suricata/Manifest
index b3ab446f9d9..cc70d0f7283 100644
--- a/net-analyzer/suricata/Manifest
+++ b/net-analyzer/suricata/Manifest
@@ -1 +1,2 @@
DIST suricata-4.0.3.tar.gz 12392388 BLAKE2B 9b6338b343ff85f070d61608ff9dc7f25df868fdffbc13b5a8d245cb3db5cd757cb1785c827c388653b2f8a7977129259671900bc1abfebeb878a668b4058bdf SHA512 aa6b6d1ae86efad0184ba4fa06375f34334e07c22b7b1f82bf17fcb0ae48ad7f867bced57ab4f713de01583965e1260cb82e1355f78002071b689dddd3b53892
+DIST suricata-4.0.4.tar.gz 12511121 BLAKE2B d9dfb00a45c2e9810409a8ce91a83e23ebce20eb28492bf24f9688d292b5805dca932c39cc673cf1148325fe5ef7936dda7f6c7819605753cb2e2ddc1cf5dba0 SHA512 6e158aa6d3edb9d11e0df3f986392ee2ae49ab4dfb978288ced4484dbe5c08ae061db2a566be6d22cf14bd0b88f87f9cb9c0a657d7fc44e099b8783d933c771e
diff --git a/net-analyzer/suricata/files/suricata-4.0.4_configure-lua-flags.patch b/net-analyzer/suricata/files/suricata-4.0.4_configure-lua-flags.patch
new file mode 100644
index 00000000000..bad66359afa
--- /dev/null
+++ b/net-analyzer/suricata/files/suricata-4.0.4_configure-lua-flags.patch
@@ -0,0 +1,16 @@
+--- a/configure.ac
++++ b/configure.ac
+@@ -1749,11 +1749,11 @@
+ # liblua
+ AC_ARG_ENABLE(lua,
+ AS_HELP_STRING([--enable-lua],[Enable Lua support]),
+- [ enable_lua="yes"],
++ [],
+ [ enable_lua="no"])
+ AC_ARG_ENABLE(luajit,
+ AS_HELP_STRING([--enable-luajit],[Enable Luajit support]),
+- [ enable_luajit="yes"],
++ [],
+ [ enable_luajit="no"])
+ if test "$enable_lua" = "yes"; then
+ if test "$enable_luajit" = "yes"; then
diff --git a/net-analyzer/suricata/suricata-4.0.4.ebuild b/net-analyzer/suricata/suricata-4.0.4.ebuild
new file mode 100644
index 00000000000..2622dccdb3b
--- /dev/null
+++ b/net-analyzer/suricata/suricata-4.0.4.ebuild
@@ -0,0 +1,168 @@
+# Copyright 1999-2018 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=5
+
+inherit autotools eutils user
+
+DESCRIPTION="High performance Network IDS, IPS and Network Security Monitoring engine"
+HOMEPAGE="https://suricata-ids.org/"
+SRC_URI="https://www.openinfosecfoundation.org/download/${P}.tar.gz"
+
+LICENSE="GPL-2"
+SLOT="0"
+KEYWORDS="~amd64 ~x86"
+IUSE="+af-packet control-socket cuda debug +detection geoip hardened logrotate lua luajit nflog +nfqueue redis +rules test"
+
+DEPEND="
+ >=dev-libs/jansson-2.2
+ dev-libs/libpcre
+ dev-libs/libyaml
+ net-libs/libnet:*
+ net-libs/libnfnetlink
+ dev-libs/nspr
+ dev-libs/nss
+ >=net-libs/libhtp-0.5.20
+ net-libs/libpcap
+ sys-apps/file
+ cuda? ( dev-util/nvidia-cuda-toolkit )
+ geoip? ( dev-libs/geoip )
+ lua? ( dev-lang/lua:* )
+ luajit? ( dev-lang/luajit:* )
+ nflog? ( net-libs/libnetfilter_log )
+ nfqueue? ( net-libs/libnetfilter_queue )
+ redis? ( dev-libs/hiredis )
+ logrotate? ( app-admin/logrotate )
+ sys-libs/libcap-ng
+"
+# #446814
+# prelude? ( dev-libs/libprelude )
+# pfring? ( sys-process/numactl net-libs/pf_ring)
+RDEPEND="${DEPEND}"
+
+pkg_setup() {
+ enewgroup ${PN}
+ enewuser ${PN} -1 -1 /var/lib/${PN} "${PN}"
+}
+
+src_prepare() {
+ epatch "${FILESDIR}"/${P}_configure-lua-flags.patch
+ eautoreconf
+}
+
+src_configure() {
+ local myeconfargs=(
+ "--localstatedir=/var/" \
+ "--enable-non-bundled-htp" \
+ $(use_enable af-packet) \
+ $(use_enable detection) \
+ $(use_enable nfqueue) \
+ $(use_enable test coccinelle) \
+ $(use_enable test unittests) \
+ $(use_enable control-socket unix-socket)
+ )
+
+ if use cuda ; then
+ myeconfargs+=( $(use_enable cuda) )
+ fi
+ if use geoip ; then
+ myeconfargs+=( $(use_enable geoip) )
+ fi
+ if use hardened ; then
+ myeconfargs+=( $(use_enable hardened gccprotect) )
+ fi
+ if use nflog ; then
+ myeconfargs+=( $(use_enable nflog) )
+ fi
+ if use redis ; then
+ myeconfargs+=( $(use_enable redis hiredis) )
+ fi
+ # not supported yet (no pfring in portage)
+# if use pfring ; then
+# myeconfargs+=( $(use_enable pfring) )
+# fi
+ # no libprelude in portage
+# if use prelude ; theng
+# myeconfargs+=( $(use_enable prelude) )
+# fi
+ if use lua ; then
+ myeconfargs+=( $(use_enable lua) )
+ fi
+ if use luajit ; then
+ myeconfargs+=( $(use_enable luajit) )
+ fi
+ if (use !lua) && (use !luajit) ; then
+ myeconfargs+=(
+ --disable-lua
+ --disable-luajit
+ )
+ fi
+
+# this should be used when pf_ring use flag support will be added
+# LIBS+="-lrt -lnuma"
+
+ # avoid upstream configure script trying to add -march=native to CFLAGS
+ myeconfargs+=( --enable-gccmarch-native=no )
+
+ if use debug ; then
+ myeconfargs+=( $(use_enable debug) )
+ # so we can get a backtrace according to "reporting bugs" on upstream web site
+ CFLAGS="-ggdb -O0" econf LIBS="${LIBS}" ${myeconfargs[@]}
+ else
+ econf LIBS="${LIBS}" ${myeconfargs[@]}
+ fi
+}
+
+src_install() {
+ emake DESTDIR="${D}" install
+
+ insinto "/etc/${PN}"
+ doins {classification,reference,threshold}.config suricata.yaml
+
+ if use rules ; then
+ insinto "/etc/${PN}/rules"
+ doins rules/*.rules
+ fi
+
+ dodir "/var/lib/${PN}"
+ dodir "/var/log/${PN}"
+
+ fowners -R ${PN}: "/var/lib/${PN}" "/var/log/${PN}" "/etc/${PN}"
+ fperms 750 "/var/lib/${PN}" "/var/log/${PN}" "/etc/${PN}"
+
+ newinitd "${FILESDIR}/${PN}-4.0.3-init" ${PN}
+ newconfd "${FILESDIR}/${PN}-4.0.3-conf" ${PN}
+
+ if use logrotate; then
+ insopts -m0644
+ insinto /etc/logrotate.d
+ newins "${FILESDIR}"/${PN}-logrotate ${PN}
+ fi
+}
+
+pkg_postinst() {
+ elog "The ${PN} init script expects to find the path to the configuration"
+ elog "file as well as extra options in /etc/conf.d."
+ elog ""
+ elog "To create more than one ${PN} service, simply create a new .yaml file for it"
+ elog "then create a symlink to the init script from a link called"
+ elog "${PN}.foo - like so"
+ elog " cd /etc/${PN}"
+ elog " ${EDITOR##*/} suricata-foo.yaml"
+ elog " cd /etc/init.d"
+ elog " ln -s ${PN} ${PN}.foo"
+ elog "Then edit /etc/conf.d/${PN} and make sure you specify sensible options for foo."
+ elog ""
+ elog "You can create as many ${PN}.foo* services as you wish."
+
+ if use logrotate; then
+ elog "You enabled the logrotate USE flag. Please make sure you correctly set up the ${PN} logrotate config file in /etc/logrotate.d/."
+ fi
+
+ if use debug; then
+ elog "You enabled the debug USE flag. Please read this link to report bugs upstream:"
+ elog "https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Reporting_Bugs"
+ elog "You need to also ensure the FEATURES variable in make.conf contains the"
+ elog "'nostrip' option to produce useful core dumps or back traces."
+ fi
+}
^ permalink raw reply related [flat|nested] 11+ messages in thread
* [gentoo-commits] repo/gentoo:master commit in: net-analyzer/suricata/, net-analyzer/suricata/files/
@ 2019-09-08 19:25 Slawek Lis
0 siblings, 0 replies; 11+ messages in thread
From: Slawek Lis @ 2019-09-08 19:25 UTC (permalink / raw
To: gentoo-commits
commit: bbf4c30078e27adf7f6af90223cf03a333b2eb28
Author: Slawomir Lis <slis <AT> gentoo <DOT> org>
AuthorDate: Sun Sep 8 19:02:22 2019 +0000
Commit: Slawek Lis <slis <AT> gentoo <DOT> org>
CommitDate: Sun Sep 8 19:24:41 2019 +0000
URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=bbf4c300
net-analyzer/suricata: Updated init.d and conf.d default pathes
Package-Manager: Portage-2.3.75, Repoman-2.3.17
Signed-off-by: Slawek Lis <slis <AT> gentoo.org>
.../suricata/files/{suricata-4.0.3-conf => suricata-4.0.4-conf} | 0
.../suricata/files/{suricata-4.0.3-init => suricata-4.0.4-init} | 2 +-
net-analyzer/suricata/suricata-4.0.4.ebuild | 4 ++--
3 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/net-analyzer/suricata/files/suricata-4.0.3-conf b/net-analyzer/suricata/files/suricata-4.0.4-conf
similarity index 100%
rename from net-analyzer/suricata/files/suricata-4.0.3-conf
rename to net-analyzer/suricata/files/suricata-4.0.4-conf
diff --git a/net-analyzer/suricata/files/suricata-4.0.3-init b/net-analyzer/suricata/files/suricata-4.0.4-init
similarity index 99%
rename from net-analyzer/suricata/files/suricata-4.0.3-init
rename to net-analyzer/suricata/files/suricata-4.0.4-init
index f54ba3a5e23..1db8137f31a 100644
--- a/net-analyzer/suricata/files/suricata-4.0.3-init
+++ b/net-analyzer/suricata/files/suricata-4.0.4-init
@@ -1,5 +1,5 @@
#!/sbin/openrc-run
-# Copyright 1999-2018 Gentoo Foundation
+# Copyright 1999-2019 Gentoo Authors
# Distributed under the terms of the GNU General Public License v2
SURICATA_BIN=/usr/bin/suricata
diff --git a/net-analyzer/suricata/suricata-4.0.4.ebuild b/net-analyzer/suricata/suricata-4.0.4.ebuild
index f476bfe2ae2..eea47cd01bd 100644
--- a/net-analyzer/suricata/suricata-4.0.4.ebuild
+++ b/net-analyzer/suricata/suricata-4.0.4.ebuild
@@ -131,8 +131,8 @@ src_install() {
fowners -R ${PN}: "/var/lib/${PN}" "/var/log/${PN}" "/etc/${PN}"
fperms 750 "/var/lib/${PN}" "/var/log/${PN}" "/etc/${PN}"
- newinitd "${FILESDIR}/${PN}-4.0.3-init" ${PN}
- newconfd "${FILESDIR}/${PN}-4.0.3-conf" ${PN}
+ newinitd "${FILESDIR}/${P}-init" ${PN}
+ newconfd "${FILESDIR}/${P}-conf" ${PN}
if use logrotate; then
insopts -m0644
^ permalink raw reply related [flat|nested] 11+ messages in thread
* [gentoo-commits] repo/gentoo:master commit in: net-analyzer/suricata/, net-analyzer/suricata/files/
@ 2019-12-16 16:05 Marek Szuba
0 siblings, 0 replies; 11+ messages in thread
From: Marek Szuba @ 2019-12-16 16:05 UTC (permalink / raw
To: gentoo-commits
commit: da28437322994c655e77d94dcd82d01d575fce58
Author: Marek Szuba <marecki <AT> gentoo <DOT> org>
AuthorDate: Mon Dec 16 15:56:33 2019 +0000
Commit: Marek Szuba <marecki <AT> gentoo <DOT> org>
CommitDate: Mon Dec 16 16:05:06 2019 +0000
URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=da284373
net-analyzer/suricata: bump to 5.0.0 and EAPI 7
Package-Manager: Portage-2.3.79, Repoman-2.3.16
Signed-off-by: Marek Szuba <marecki <AT> gentoo.org>
net-analyzer/suricata/Manifest | 1 +
.../files/suricata-5.0.0_configure-lua-flags.patch | 16 ++
...suricata-5.0.0_configure-no-lz4-automagic.patch | 23 +++
.../files/suricata-5.0.0_default-config.patch | 61 +++++++
net-analyzer/suricata/files/suricata.service | 21 +++
net-analyzer/suricata/files/suricata.tmpfiles | 1 +
net-analyzer/suricata/metadata.xml | 6 +-
net-analyzer/suricata/suricata-5.0.0.ebuild | 185 +++++++++++++++++++++
8 files changed, 313 insertions(+), 1 deletion(-)
diff --git a/net-analyzer/suricata/Manifest b/net-analyzer/suricata/Manifest
index fe67675774d..72532b86510 100644
--- a/net-analyzer/suricata/Manifest
+++ b/net-analyzer/suricata/Manifest
@@ -1 +1,2 @@
DIST suricata-4.0.4.tar.gz 12511121 BLAKE2B d9dfb00a45c2e9810409a8ce91a83e23ebce20eb28492bf24f9688d292b5805dca932c39cc673cf1148325fe5ef7936dda7f6c7819605753cb2e2ddc1cf5dba0 SHA512 6e158aa6d3edb9d11e0df3f986392ee2ae49ab4dfb978288ced4484dbe5c08ae061db2a566be6d22cf14bd0b88f87f9cb9c0a657d7fc44e099b8783d933c771e
+DIST suricata-5.0.0.tar.gz 23689051 BLAKE2B 701625d50dacbeb846d7ea1c3aad3980969c1c0124c007d843353fe25b7e579378d2cd125db4660e33fff1f8cf20eac4bbafe280ba6ff31f988fb6c42b29b6aa SHA512 0dc8941fdf29d615531eeda6f6076052cca79fda6dda3c96300c08b343a64a1700fd23dd83a03507009ab7c9b19c91b65ee65e704f55ddee17764b71e9e2911e
diff --git a/net-analyzer/suricata/files/suricata-5.0.0_configure-lua-flags.patch b/net-analyzer/suricata/files/suricata-5.0.0_configure-lua-flags.patch
new file mode 100644
index 00000000000..be956fd94d4
--- /dev/null
+++ b/net-analyzer/suricata/files/suricata-5.0.0_configure-lua-flags.patch
@@ -0,0 +1,16 @@
+--- a/configure.ac
++++ b/configure.ac
+@@ -1749,11 +1749,11 @@
+ # liblua
+ AC_ARG_ENABLE(lua,
+ AS_HELP_STRING([--enable-lua],[Enable Lua support]),
+- [ enable_lua="$enableval"],
++ [],
+ [ enable_lua="no"])
+ AC_ARG_ENABLE(luajit,
+ AS_HELP_STRING([--enable-luajit],[Enable Luajit support]),
+- [ enable_luajit="$enableval"],
++ [],
+ [ enable_luajit="no"])
+ if test "$enable_lua" = "yes"; then
+ if test "$enable_luajit" = "yes"; then
diff --git a/net-analyzer/suricata/files/suricata-5.0.0_configure-no-lz4-automagic.patch b/net-analyzer/suricata/files/suricata-5.0.0_configure-no-lz4-automagic.patch
new file mode 100644
index 00000000000..5efce46f6d9
--- /dev/null
+++ b/net-analyzer/suricata/files/suricata-5.0.0_configure-no-lz4-automagic.patch
@@ -0,0 +1,23 @@
+--- a/configure.ac
++++ b/configure.ac
+@@ -2292,7 +2292,11 @@
+ fi
+
+ # Check for lz4
+-enable_liblz4="yes"
++AC_ARG_ENABLE(lz4,
++ AS_HELP_STRING([--enable-lz4], [Enable compressed pcap logging using liblz4]),
++ [enable_liblz4=$enableval],
++ [enable_liblz4=yes])
++if test "x$enable_liblz4" != "xno"; then
+ AC_CHECK_LIB(lz4, LZ4F_createCompressionContext, , enable_liblz4="no")
+
+ if test "$enable_liblz4" = "no"; then
+@@ -2306,6 +2310,7 @@
+ echo " yum install lz4-devel"
+ echo
+ fi
++fi
+
+ # get cache line size
+ AC_PATH_PROG(HAVE_GETCONF_CMD, getconf, "no")
diff --git a/net-analyzer/suricata/files/suricata-5.0.0_default-config.patch b/net-analyzer/suricata/files/suricata-5.0.0_default-config.patch
new file mode 100644
index 00000000000..07a45c9a574
--- /dev/null
+++ b/net-analyzer/suricata/files/suricata-5.0.0_default-config.patch
@@ -0,0 +1,61 @@
+--- a/suricata.yaml.in
++++ b/suricata.yaml.in
+@@ -203,8 +203,9 @@
+ # https://suricata.readthedocs.io/en/latest/output/eve/eve-json-output.html#dns-v1-format
+
+ # As of Suricata 5.0, version 2 of the eve dns output
+- # format is the default.
+- #version: 2
++ # format is the default - but the daemon produces a warning to that effect
++ # at start-up if this isn't explicitly set.
++ version: 2
+
+ # Enable/disable this logger. Default: enabled.
+ #enabled: yes
+@@ -978,9 +979,9 @@
+ ##
+
+ # Run suricata as user and group.
+-#run-as:
+-# user: suri
+-# group: suri
++run-as:
++ user: suricata
++ group: suricata
+
+ # Some logging module will use that name in event as identifier. The default
+ # value is the hostname
+@@ -1806,16 +1807,28 @@
+ hashmode: hash5tuplesorted
+
+ ##
+-## Configure Suricata to load Suricata-Update managed rules.
+-##
+-## If this section is completely commented out move down to the "Advanced rule
+-## file configuration".
++## Configure Suricata to load default rules it comes with.
+ ##
+
+ default-rule-path: @e_defaultruledir@
+
+ rule-files:
+- - suricata.rules
++ - /etc/suricata/rules/app-layer-events.rules
++ - /etc/suricata/rules/decoder-events.rules
++ - /etc/suricata/rules/dhcp-events.rules
++ - /etc/suricata/rules/dnp3-events.rules
++ - /etc/suricata/rules/dns-events.rules
++ - /etc/suricata/rules/files.rules
++ - /etc/suricata/rules/http-events.rules
++ - /etc/suricata/rules/ipsec-events.rules
++ - /etc/suricata/rules/kerberos-events.rules
++ - /etc/suricata/rules/modbus-events.rules
++ - /etc/suricata/rules/nfs-events.rules
++ - /etc/suricata/rules/ntp-events.rules
++ - /etc/suricata/rules/smb-events.rules
++ - /etc/suricata/rules/smtp-events.rules
++ - /etc/suricata/rules/stream-events.rules
++ - /etc/suricata/rules/tls-events.rules
+
+ ##
+ ## Auxiliary configuration files.
diff --git a/net-analyzer/suricata/files/suricata.service b/net-analyzer/suricata/files/suricata.service
new file mode 100644
index 00000000000..5e617388018
--- /dev/null
+++ b/net-analyzer/suricata/files/suricata.service
@@ -0,0 +1,21 @@
+[Unit]
+Description=Suricata IDS/IDP daemon
+After=network.target
+Requires=network.target
+Documentation=man:suricata(8) man:suricatasc(8)
+Documentation=https://redmine.openinfosecfoundation.org/projects/suricata/wiki
+
+[Service]
+Type=forking
+Environment=OPTIONS='-c /etc/suricata/suricata.yaml'
+CapabilityBoundingSet=CAP_NET_ADMIN
+PIDFile=/var/run/suricata/suricata.pid
+ExecStart=/usr/bin/suricata --pidfile /var/run/suricata/suricata.pid $OPTIONS
+ExecReload=/bin/kill -HUP $MAINPID
+ExecStop=/bin/kill $MAINPID
+PrivateTmp=yes
+ProtectHome=yes
+
+[Install]
+WantedBy=multi-user.target
+
diff --git a/net-analyzer/suricata/files/suricata.tmpfiles b/net-analyzer/suricata/files/suricata.tmpfiles
new file mode 100644
index 00000000000..46fe5084297
--- /dev/null
+++ b/net-analyzer/suricata/files/suricata.tmpfiles
@@ -0,0 +1 @@
+d /var/run/suricata - - - -
diff --git a/net-analyzer/suricata/metadata.xml b/net-analyzer/suricata/metadata.xml
index 0afee5625d1..bc25d72f088 100644
--- a/net-analyzer/suricata/metadata.xml
+++ b/net-analyzer/suricata/metadata.xml
@@ -6,13 +6,17 @@
</maintainer>
<use>
<flag name="af-packet">Enable AF_PACKET support</flag>
+ <flag name="bpf">Enable support for eBPF (as well as XDP if supported by the kernel and the NIC driver)
+ for low-level, high-speed packet processing</flag>
<flag name="control-socket">Enable unix socket</flag>
<flag name="cuda">Enable NVIDIA Cuda computations support</flag>
<flag name="detection">Enable detection modules</flag>
+ <flag name="logrotate">Install logrotate rule</flag>
+ <flag name="lz4">Enable support for compressed pcap logging using the LZ4 algorithm</flag>
<flag name="nflog">Enable libnetfilter_log support</flag>
<flag name="nfqueue">Enable NFQUEUE support for inline IDP</flag>
<flag name="redis">Enable Redis support</flag>
<flag name="rules">Install default ruleset</flag>
- <flag name="logrotate">Install logrotate rule</flag>
+ <flag name="tools">Install suricatactl, suricatasc and suricata-update</flag>
</use>
</pkgmetadata>
diff --git a/net-analyzer/suricata/suricata-5.0.0.ebuild b/net-analyzer/suricata/suricata-5.0.0.ebuild
new file mode 100644
index 00000000000..05f328b973b
--- /dev/null
+++ b/net-analyzer/suricata/suricata-5.0.0.ebuild
@@ -0,0 +1,185 @@
+# Copyright 1999-2019 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=7
+
+PYTHON_COMPAT=( python3_{6,7,8} )
+
+inherit autotools linux-info python-single-r1 systemd
+
+DESCRIPTION="High performance Network IDS, IPS and Network Security Monitoring engine"
+HOMEPAGE="https://suricata-ids.org/"
+SRC_URI="https://www.openinfosecfoundation.org/download/${P}.tar.gz"
+
+LICENSE="GPL-2"
+SLOT="0"
+KEYWORDS="~amd64 ~x86"
+IUSE="+af-packet bpf control-socket cuda debug +detection geoip hardened logrotate lua luajit lz4 nflog +nfqueue redis +rules systemd test tools"
+
+RESTRICT="!test? ( test )"
+
+REQUIRED_USE="?? ( lua luajit )
+ bpf? ( af-packet )
+ tools? ( ${PYTHON_REQUIRED_USE} )"
+
+CDEPEND="acct-group/suricata
+ acct-user/suricata
+ dev-libs/jansson
+ dev-libs/libpcre
+ dev-libs/libyaml
+ net-libs/libnet:*
+ net-libs/libnfnetlink
+ dev-libs/nspr
+ dev-libs/nss
+ >=net-libs/libhtp-0.5.31
+ net-libs/libpcap
+ sys-apps/file
+ sys-libs/libcap-ng
+ bpf? ( >=dev-libs/libbpf-0.0.5 )
+ cuda? ( dev-util/nvidia-cuda-toolkit )
+ geoip? ( dev-libs/libmaxminddb )
+ logrotate? ( app-admin/logrotate )
+ lua? ( dev-lang/lua:* )
+ luajit? ( dev-lang/luajit:* )
+ lz4? ( app-arch/lz4 )
+ nflog? ( net-libs/libnetfilter_log )
+ nfqueue? ( net-libs/libnetfilter_queue )
+ redis? ( dev-libs/hiredis )
+ tools? ( dev-python/pyyaml[${PYTHON_USEDEP}] )"
+DEPEND="${CDEPEND}
+ dev-lang/rust"
+# Not confirmed that it works yet
+# test? ( dev-util/coccinelle )"
+RDEPEND="${CDEPEND}
+ tools? ( ${PYTHON_DEPS} )"
+
+PATCHES=(
+ "${FILESDIR}/${PN}-5.0.0_configure-lua-flags.patch"
+ "${FILESDIR}/${PN}-5.0.0_configure-no-lz4-automagic.patch"
+ "${FILESDIR}/${PN}-5.0.0_default-config.patch"
+)
+
+pkg_pretend() {
+ if use bpf && use kernel_linux; then
+ if kernel_is -lt 4 15; then
+ ewarn "Kernel 4.15 or newer is necessary to use all XDP features like the CPU redirect map"
+ fi
+
+ CONFIG_CHECK="~XDP_SOCKETS"
+ ERROR_XDP_SOCKETS="CONFIG_XDP_SOCKETS is not set, making it impossible for Suricata will to load XDP programs. "
+ ERROR_XDP_SOCKETS+="Other eBPF features should work normally."
+ check_extra_config
+ fi
+}
+
+src_prepare() {
+ default
+ sed -ie 's/docdir =.*/docdir = ${datarootdir}\/doc\/'${PF}'\//' "${S}/doc/Makefile.am"
+ eautoreconf
+}
+
+src_configure() {
+ local myeconfargs=(
+ "--localstatedir=/var" \
+ "--enable-non-bundled-htp" \
+ "--enable-gccmarch-native=no" \
+ $(use_enable af-packet) \
+ $(use_enable bpf ebpf) \
+ $(use_enable control-socket unix-socket) \
+ $(use_enable cuda) \
+ $(use_enable detection) \
+ $(use_enable geoip) \
+ $(use_enable hardened gccprotect) \
+ $(use_enable hardened pie) \
+ $(use_enable lua) \
+ $(use_enable luajit) \
+ $(use_enable lz4) \
+ $(use_enable nflog) \
+ $(use_enable nfqueue) \
+ $(use_enable redis hiredis) \
+ $(use_enable test coccinelle) \
+ $(use_enable test unittests) \
+ $(use_enable tools python)
+ )
+
+ if use debug; then
+ myeconfargs+=( $(use_enable debug) )
+ # so we can get a backtrace according to "reporting bugs" on upstream web site
+ CFLAGS="-ggdb -O0" econf ${myeconfargs[@]}
+ else
+ econf ${myeconfargs[@]}
+ fi
+}
+
+src_install() {
+ emake DESTDIR="${D}" install
+
+ if use bpf; then
+ rm -f ebpf/Makefile.{am,in}
+ dodoc -r ebpf/
+ keepdir /usr/libexec/suricata/ebpf
+ fi
+
+ insinto "/etc/${PN}"
+ doins etc/{classification,reference}.config threshold.config suricata.yaml
+
+ if use rules; then
+ insinto "/etc/${PN}/rules"
+ doins rules/*.rules
+ fi
+
+ keepdir "/var/lib/${PN}"
+ keepdir "/var/log/${PN}"
+
+ fowners -R ${PN}: "/var/lib/${PN}" "/var/log/${PN}" "/etc/${PN}"
+ fperms 750 "/var/lib/${PN}" "/var/log/${PN}" "/etc/${PN}"
+
+ newinitd "${FILESDIR}/${PN}-4.0.4-init" ${PN}
+ newconfd "${FILESDIR}/${PN}-4.0.4-conf" ${PN}
+ systemd_dounit "${FILESDIR}"/${PN}.service
+ systemd_newtmpfilesd "${FILESDIR}"/${PN}.tmpfiles ${PN}.conf
+
+ if use logrotate; then
+ insopts -m0644
+ insinto /etc/logrotate.d
+ newins etc/${PN}.logrotate ${PN}
+ fi
+}
+
+pkg_postinst() {
+ if ! use systemd; then
+ elog "The ${PN} init script expects to find the path to the configuration"
+ elog "file as well as extra options in /etc/conf.d."
+ elog ""
+ elog "To create more than one ${PN} service, simply create a new .yaml file for it"
+ elog "then create a symlink to the init script from a link called"
+ elog "${PN}.foo - like so"
+ elog " cd /etc/${PN}"
+ elog " ${EDITOR##*/} suricata-foo.yaml"
+ elog " cd /etc/init.d"
+ elog " ln -s ${PN} ${PN}.foo"
+ elog "Then edit /etc/conf.d/${PN} and make sure you specify sensible options for foo."
+ elog ""
+ elog "You can create as many ${PN}.foo* services as you wish."
+ fi
+
+ if use bpf; then
+ elog "eBPF/XDP files must be compiled (using sys-devel/clang[llvm_targets_BPF]) before use"
+ elog "because their configuration is hard-coded. You can find the default ones in"
+ elog " ${EPREFIX}/usr/share/doc/${PF}"
+ elog "and the common location for eBPF bytecode is"
+ elog " ${EPREFIX}/usr/libexec/${PN}"
+ elog "For more information, see https://${PN}.readthedocs.io/en/${P}/capture-hardware/ebpf-xdp.html"
+ fi
+
+ if use logrotate; then
+ elog "You enabled the logrotate USE flag. Please make sure you correctly set up the ${PN} logrotate config file in /etc/logrotate.d/."
+ fi
+
+ if use debug; then
+ elog "You enabled the debug USE flag. Please read this link to report bugs upstream:"
+ elog "https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Reporting_Bugs"
+ elog "You need to also ensure the FEATURES variable in make.conf contains the"
+ elog "'nostrip' option to produce useful core dumps or back traces."
+ fi
+}
^ permalink raw reply related [flat|nested] 11+ messages in thread
* [gentoo-commits] repo/gentoo:master commit in: net-analyzer/suricata/, net-analyzer/suricata/files/
@ 2019-12-18 14:22 Marek Szuba
0 siblings, 0 replies; 11+ messages in thread
From: Marek Szuba @ 2019-12-18 14:22 UTC (permalink / raw
To: gentoo-commits
commit: 4bbf99b0dbf76f352c0b123cba32cfbd90080fb3
Author: Marek Szuba <marecki <AT> gentoo <DOT> org>
AuthorDate: Wed Dec 18 14:17:32 2019 +0000
Commit: Marek Szuba <marecki <AT> gentoo <DOT> org>
CommitDate: Wed Dec 18 14:21:49 2019 +0000
URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=4bbf99b0
net-analyzer/suricata: bump to 5.0.1
Further clean-up of old ebuilds, tools are no longer optional, there is
now a config phase to download an initial rule set using
suricata-update.
Closes: https://bugs.gentoo.org/703184
Package-Manager: Portage-2.3.79, Repoman-2.3.16
Signed-off-by: Marek Szuba <marecki <AT> gentoo.org>
net-analyzer/suricata/Manifest | 1 +
net-analyzer/suricata/files/suricata-5.0.1-conf | 62 +++++++
net-analyzer/suricata/files/suricata-5.0.1-init | 147 ++++++++++++++++
...suricata-5.0.1_configure-no-lz4-automagic.patch | 23 +++
.../files/suricata-5.0.1_default-config.patch | 27 +++
net-analyzer/suricata/files/suricata.service | 2 +-
net-analyzer/suricata/files/suricata.tmpfiles | 2 +-
net-analyzer/suricata/suricata-5.0.1.ebuild | 196 +++++++++++++++++++++
8 files changed, 458 insertions(+), 2 deletions(-)
diff --git a/net-analyzer/suricata/Manifest b/net-analyzer/suricata/Manifest
index 16a7c6ae731..9247b853f30 100644
--- a/net-analyzer/suricata/Manifest
+++ b/net-analyzer/suricata/Manifest
@@ -1 +1,2 @@
DIST suricata-5.0.0.tar.gz 23689051 BLAKE2B 701625d50dacbeb846d7ea1c3aad3980969c1c0124c007d843353fe25b7e579378d2cd125db4660e33fff1f8cf20eac4bbafe280ba6ff31f988fb6c42b29b6aa SHA512 0dc8941fdf29d615531eeda6f6076052cca79fda6dda3c96300c08b343a64a1700fd23dd83a03507009ab7c9b19c91b65ee65e704f55ddee17764b71e9e2911e
+DIST suricata-5.0.1.tar.gz 23721536 BLAKE2B 529837e8e4d6c33d2093df8208bf03519e0d60deef92eadf9d0a44b7416eae2f900b2f72349815acb86d9bdd9d4253bbc5d7c4c1a34157f544982b0788291624 SHA512 db0797a7992abf0ddf170cb603fdac06b0ff92278bb91343860bccbbe029ea0e83131dfb9805ca44bcbbe3925502119259e350a17e94209b21d1f8b610d965a6
diff --git a/net-analyzer/suricata/files/suricata-5.0.1-conf b/net-analyzer/suricata/files/suricata-5.0.1-conf
new file mode 100644
index 00000000000..7f22113dbf0
--- /dev/null
+++ b/net-analyzer/suricata/files/suricata-5.0.1-conf
@@ -0,0 +1,62 @@
+# Config file for /etc/init.d/suricata*
+
+# Where config files are stored. Default:
+
+# SURICATA_DIR="/etc/suricata"
+
+# Pass options to each suricata service.
+#
+# You can launch more than one service at the same time with different options.
+# This can be useful in a multi-queue gateway, for example.
+# You can expand on the Suricata inline example found at:
+# http://suricata.readthedocs.io/en/latest/setting-up-ipsinline-for-linux.html
+# Instead of configuring iptables to send traffic to just one queue, you can configure it to "load balance"
+# on several queues. You can then have a Suricata instance processing traffic for each queue.
+# This should help improve performance on the gateway/firewall.
+#
+# Suppose you configured iptables to use queues 0 and 1 named q0 and q1. You can now do the following:
+# ln -s /etc/init.d/suricata /etc/init.d/suricata.q0
+# ln -s /etc/init.d/suricata /etc/init.d/suricata.q1
+# cp /etc/suricata/suricata.yaml /etc/suricata/suricata-q0.yaml
+# cp /etc/suricata/suricata.yaml /etc/suricata/suricata-q1.yaml
+#
+# Edit both suricata-q{0,1}.yaml files and set values accordingly.
+# You can override these yaml config file names with SURICATA_CONF* below (optional).
+# This allows you to use the same yaml config file for multiple instances as long as you override
+# sensible options such as the log file paths.
+# SURICATA_CONF_q0="suricata-queues.yaml"
+# SURICATA_CONF_q1="suricata-queues.yaml"
+# SURICATA_CONF="suricata.yaml"
+
+# You can define the options here:
+# NB: avoid using -l, -c, --user, --group and setting logging.outputs.1.file.filename as the init script will try to set them for you.
+
+# SURICATA_OPTS_q0="-q 0"
+# SURICATA_OPTS_q1="-q 1"
+
+# If you want to use ${SURICATA_DIR}/suricata.yaml and start the service with /etc/init.d/suricata
+# then you can set:
+
+SURICATA_OPTS="--af-packet"
+
+# Log paths listed here will be created by the init script and will override the log path
+# set in the yaml file, if present.
+# SURICATA_LOG_FILE_q0="/var/log/suricata/q0/suricata.log"
+# SURICATA_LOG_FILE_q1="/var/log/suricata/q1/suricata.log"
+# SURICATA_LOG_FILE="/var/log/suricata/suricata.log"
+
+# Run as user/group.
+# Do not define if you want to run as root or as the user defined in the yaml config file (run-as).
+# The ebuild should have created the dedicated user/group suricata:suricata for you to specify here below.
+# SURICATA_USER_q0="suricata"
+# SURICATA_GROUP_q0="suricata"
+# SURICATA_USER_q1="suricata"
+# SURICATA_GROUP_q1="suricata"
+# SURICATA_USER="suricata"
+# SURICATA_GROUP="suricata"
+
+# Suricata processes can take a long time to shut down.
+# If necessary, adjust timeout in seconds to be used when calling stop from the init script.
+# Examples:
+# SURICATA_MAX_WAIT_ON_STOP="300"
+# SURICATA_MAX_WAIT_ON_STOP="SIGTERM/30"
diff --git a/net-analyzer/suricata/files/suricata-5.0.1-init b/net-analyzer/suricata/files/suricata-5.0.1-init
new file mode 100644
index 00000000000..89f92803ced
--- /dev/null
+++ b/net-analyzer/suricata/files/suricata-5.0.1-init
@@ -0,0 +1,147 @@
+#!/sbin/openrc-run
+# Copyright 1999-2019 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+SURICATA_BIN=/usr/bin/suricata
+SURICATA_DIR=${SURICATA_DIR:-/etc/suricata}
+SURICATA=${SVCNAME#*.}
+SURICATAID=$(shell_var "${SURICATA}")
+if [ -n "${SURICATA}" ] && [ ${SVCNAME} != "suricata" ]; then
+ eval SURICATACONF=\$SURICATA_CONF_${SURICATAID}
+ [ ${#SURICATACONF} -eq 0 ] && SURICATACONF="${SURICATA_DIR}/suricata-${SURICATA}.yaml" || SURICATACONF="${SURICATA_DIR}/${SURICATACONF}"
+ SURICATAPID="/run/suricata/suricata.${SURICATA}.pid"
+ eval SURICATAOPTS=\$SURICATA_OPTS_${SURICATAID}
+ eval SURICATALOGPATH=\$SURICATA_LOG_FILE_${SURICATAID}
+ eval SURICATAUSER=\$SURICATA_USER_${SURICATAID}
+ eval SURICATAGROUP=\$SURICATA_GROUP_${SURICATAID}
+else
+ SURICATACONF=${SURICATA_CONF}
+ [ ${#SURICATACONF} -eq 0 ] && SURICATACONF="${SURICATA_DIR}/suricata.yaml" || SURICATACONF="${SURICATA_DIR}/${SURICATACONF}"
+ SURICATAPID="/run/suricata/suricata.pid"
+ SURICATAOPTS=${SURICATA_OPTS}
+ SURICATALOGPATH=${SURICATA_LOG_FILE}
+ SURICATAUSER=${SURICATA_USER}
+ SURICATAGROUP=${SURICATA_GROUP}
+fi
+SURICATAUSER=${SURICATAUSER:-${SURICATA_USER}}
+SURICATAGROUP=${SURICATAGROUP:-${SURICATA_GROUP}}
+[ -e ${SURICATACONF} ] && SURICATAOPTS="-c ${SURICATACONF} ${SURICATAOPTS}"
+[[ -z "${SURICATA_MAX_WAIT_ON_STOP// }" ]] || SURICATA_RETRY="--retry ${SURICATA_MAX_WAIT_ON_STOP}"
+
+description="Suricata IDS/IPS"
+extra_commands="checkconfig dump"
+description_checkconfig="Check config for ${SVCNAME}"
+description_dump="List all config values that can be used with --set"
+extra_started_commands="reload relog"
+description_reload="Live rule and config reload"
+description_relog="Close and re-open all log files"
+
+depend() {
+ need net
+ after mysql
+ after postgresql
+}
+
+checkconfig() {
+ if [ ! -d "/run/suricata" ] ; then
+ checkpath -d /run/suricata
+ fi
+ if [ ${#SURICATALOGPATH} -gt 0 ]; then
+ SURICATALOGFILE=$( basename ${SURICATALOGPATH} )
+ SURICATALOGFILE=${SURICATALOGFILE:-suricata.log}
+ SURICATALOGPATH=$( dirname ${SURICATALOGPATH} )
+ if [ ! -d "${SURICATALOGPATH}" ] ; then
+ checkpath -d "${SURICATALOGPATH}"
+ fi
+ if [ ${#SURICATAUSER} -gt 0 ] && [ ${#SURICATAGROUP} -gt 0 ] && [ -e "${SURICATALOGPATH}" ]; then
+ chown ${SURICATAUSER}:${SURICATAGROUP} "${SURICATALOGPATH}" || return 1
+ chown ${SURICATAUSER}:${SURICATAGROUP} "${SURICATALOGPATH}"/* >/dev/null 2>&1 3>&1
+ fi
+ SURICATAOPTS="${SURICATAOPTS} --set logging.outputs.1.file.filename=${SURICATALOGPATH}/${SURICATALOGFILE}"
+ SURICATALOGPATH="-l ${SURICATALOGPATH}"
+ fi
+ if [ ! -e ${SURICATACONF} ] ; then
+ einfo "The configuration file ${SURICATACONF} was not found."
+ einfo "If this is OK then make sure you set enough options for ${SVCNAME} in /etc/conf.d/suricata."
+ einfo "Take a look at the suricata arguments --set and --dump-config."
+ fi
+ if [ ${#SURICATAUSER} -gt 0 ] && [ ${#SURICATAGROUP} -gt 0 ]; then
+ einfo "${SVCNAME} will run as user ${SURICATAUSER}:${SURICATAGROUP}."
+ SURICATAOPTS="${SURICATAOPTS} --user=${SURICATAUSER} --group=${SURICATAGROUP}"
+ fi
+}
+
+initpidinfo() {
+ [ -e ${SURICATAPID} ] && SUR_PID="$(cat ${SURICATAPID})"
+ if [ ${#SUR_PID} -gt 0 ]; then
+ SUR_PID_CHECK="$(ps -eo pid | grep -c ${SUR_PID})"
+ SUR_USER="$(ps -p ${SUR_PID} --no-headers -o user)"
+ fi
+}
+
+checkpidinfo() {
+ initpidinfo
+ if [ ! -e ${SURICATAPID} ]; then
+ eerror "${SVCNAME} isn't running"
+ return 1
+ elif [ ${#SUR_PID} -eq 0 ] || [ $((SUR_PID_CHECK)) -ne 1 ]; then
+ eerror "Could not determine PID of ${SVCNAME}! Did the service crash?"
+ return 1
+ elif [ ${#SUR_USER} -eq 0 ]; then
+ eerror "Unable to determine user running ${SVCNAME}!"
+ return 1
+ elif [ "x${SUR_USER}" != "xroot" ]; then
+ ewarn "${SVCNAME} may need to be running as root or as a priviledged user for the extra commands reload and relog to work."
+ fi
+}
+
+start() {
+ checkconfig || return 1
+ ebegin "Starting ${SVCNAME}"
+ start-stop-daemon --start --quiet --exec ${SURICATA_BIN} \
+ -- --pidfile ${SURICATAPID} -D ${SURICATAOPTS} ${SURICATALOGPATH} >/dev/null 2>&1
+ local SUR_EXIT=$?
+ if [ $((SUR_EXIT)) -ne 0 ]; then
+ einfo "Could not start ${SURICATA_BIN} with:"
+ einfo "--pidfile ${SURICATAPID} -D ${SURICATAOPTS} ${SURICATALOGPATH}"
+ einfo "Exit code ${SUR_EXIT}"
+ fi
+ eend ${SUR_EXIT}
+}
+
+stop() {
+ ebegin "Stopping ${SVCNAME}"
+ start-stop-daemon --stop ${SURICATA_RETRY} --quiet --pidfile ${SURICATAPID} >/dev/null 2>&1
+ eend $?
+}
+
+reload() {
+ checkpidinfo || return 1
+ checkconfig || return 1
+ ebegin "Sending USR2 signal to ${SVCNAME} to perform a live rule and config reload."
+ if [ ${#SURICATAUSER} -gt 0 ] && [ ${#SURICATAGROUP} -gt 0 ]; then
+ start-stop-daemon --user ${SURICATAUSER} --group ${SURICATAGROUP} --signal USR2 --pidfile ${SURICATAPID}
+ else
+ start-stop-daemon --signal USR2 --pidfile ${SURICATAPID}
+ fi
+ eend $?
+}
+
+relog() {
+ checkpidinfo || return 1
+ checkconfig || return 1
+ ebegin "Sending HUP signal to ${SVCNAME} to close and re-open all log files."
+ if [ ${#SURICATAUSER} -gt 0 ] && [ ${#SURICATAGROUP} -gt 0 ]; then
+ start-stop-daemon --user ${SURICATAUSER} --group ${SURICATAGROUP} --signal HUP --pidfile ${SURICATAPID}
+ else
+ start-stop-daemon --signal HUP --pidfile ${SURICATAPID}
+ fi
+ eend $?
+}
+
+dump() {
+ checkconfig || return 1
+ ebegin "Dumping ${SVCNAME} config values and quitting."
+ ${SURICATA_BIN} --dump-config --pidfile ${SURICATAPID} ${SURICATAOPTS} ${SURICATALOGPATH}
+ eend $?
+}
diff --git a/net-analyzer/suricata/files/suricata-5.0.1_configure-no-lz4-automagic.patch b/net-analyzer/suricata/files/suricata-5.0.1_configure-no-lz4-automagic.patch
new file mode 100644
index 00000000000..5efce46f6d9
--- /dev/null
+++ b/net-analyzer/suricata/files/suricata-5.0.1_configure-no-lz4-automagic.patch
@@ -0,0 +1,23 @@
+--- a/configure.ac
++++ b/configure.ac
+@@ -2292,7 +2292,11 @@
+ fi
+
+ # Check for lz4
+-enable_liblz4="yes"
++AC_ARG_ENABLE(lz4,
++ AS_HELP_STRING([--enable-lz4], [Enable compressed pcap logging using liblz4]),
++ [enable_liblz4=$enableval],
++ [enable_liblz4=yes])
++if test "x$enable_liblz4" != "xno"; then
+ AC_CHECK_LIB(lz4, LZ4F_createCompressionContext, , enable_liblz4="no")
+
+ if test "$enable_liblz4" = "no"; then
+@@ -2306,6 +2310,7 @@
+ echo " yum install lz4-devel"
+ echo
+ fi
++fi
+
+ # get cache line size
+ AC_PATH_PROG(HAVE_GETCONF_CMD, getconf, "no")
diff --git a/net-analyzer/suricata/files/suricata-5.0.1_default-config.patch b/net-analyzer/suricata/files/suricata-5.0.1_default-config.patch
new file mode 100644
index 00000000000..ef1b1f63ad4
--- /dev/null
+++ b/net-analyzer/suricata/files/suricata-5.0.1_default-config.patch
@@ -0,0 +1,27 @@
+--- a/suricata.yaml.in
++++ b/suricata.yaml.in
+@@ -203,8 +203,9 @@
+ # https://suricata.readthedocs.io/en/latest/output/eve/eve-json-output.html#dns-v1-format
+
+ # As of Suricata 5.0, version 2 of the eve dns output
+- # format is the default.
+- #version: 2
++ # format is the default - but the daemon produces a warning to that effect
++ # at start-up if this isn't explicitly set.
++ version: 2
+
+ # Enable/disable this logger. Default: enabled.
+ #enabled: yes
+@@ -978,9 +979,9 @@
+ ##
+
+ # Run suricata as user and group.
+-#run-as:
+-# user: suri
+-# group: suri
++run-as:
++ user: suricata
++ group: suricata
+
+ # Some logging module will use that name in event as identifier. The default
+ # value is the hostname
diff --git a/net-analyzer/suricata/files/suricata.service b/net-analyzer/suricata/files/suricata.service
index 294ec637348..1fb056957ec 100644
--- a/net-analyzer/suricata/files/suricata.service
+++ b/net-analyzer/suricata/files/suricata.service
@@ -3,7 +3,7 @@ Description=Suricata IDS/IDP daemon
After=network.target
Requires=network.target
Documentation=man:suricata(8) man:suricatasc(8)
-Documentation=https://redmine.openinfosecfoundation.org/projects/suricata/wiki
+Documentation=https://suricata.readthedocs.io/
[Service]
Environment=OPTIONS='-c /etc/suricata/suricata.yaml --af-packet'
diff --git a/net-analyzer/suricata/files/suricata.tmpfiles b/net-analyzer/suricata/files/suricata.tmpfiles
index 46fe5084297..a6e784cc37c 100644
--- a/net-analyzer/suricata/files/suricata.tmpfiles
+++ b/net-analyzer/suricata/files/suricata.tmpfiles
@@ -1 +1 @@
-d /var/run/suricata - - - -
+d /run/suricata - - - -
diff --git a/net-analyzer/suricata/suricata-5.0.1.ebuild b/net-analyzer/suricata/suricata-5.0.1.ebuild
new file mode 100644
index 00000000000..ecb34b71784
--- /dev/null
+++ b/net-analyzer/suricata/suricata-5.0.1.ebuild
@@ -0,0 +1,196 @@
+# Copyright 1999-2019 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=7
+
+PYTHON_COMPAT=( python3_{6,7,8} )
+
+inherit autotools linux-info python-single-r1 systemd
+
+DESCRIPTION="High performance Network IDS, IPS and Network Security Monitoring engine"
+HOMEPAGE="https://suricata-ids.org/"
+SRC_URI="https://www.openinfosecfoundation.org/download/${P}.tar.gz"
+
+LICENSE="GPL-2"
+SLOT="0"
+KEYWORDS="~amd64 ~x86"
+IUSE="+af-packet bpf control-socket cuda debug +detection geoip hardened logrotate lua luajit lz4 nflog +nfqueue redis systemd test"
+
+RESTRICT="!test? ( test )"
+
+REQUIRED_USE="${PYTHON_REQUIRED_USE}
+ ?? ( lua luajit )
+ bpf? ( af-packet )"
+
+CDEPEND="acct-group/suricata
+ acct-user/suricata
+ dev-libs/jansson
+ dev-libs/libpcre
+ dev-libs/libyaml
+ net-libs/libnet:*
+ net-libs/libnfnetlink
+ dev-libs/nspr
+ dev-libs/nss
+ dev-python/pyyaml[${PYTHON_USEDEP}]
+ >=net-libs/libhtp-0.5.32
+ net-libs/libpcap
+ sys-apps/file
+ sys-libs/libcap-ng
+ bpf? ( >=dev-libs/libbpf-0.0.6 )
+ cuda? ( dev-util/nvidia-cuda-toolkit )
+ geoip? ( dev-libs/libmaxminddb )
+ logrotate? ( app-admin/logrotate )
+ lua? ( dev-lang/lua:* )
+ luajit? ( dev-lang/luajit:* )
+ lz4? ( app-arch/lz4 )
+ nflog? ( net-libs/libnetfilter_log )
+ nfqueue? ( net-libs/libnetfilter_queue )
+ redis? ( dev-libs/hiredis )"
+DEPEND="${CDEPEND}
+ >=sys-devel/autoconf-2.69-r5
+ dev-lang/rust"
+RDEPEND="${CDEPEND}
+ ${PYTHON_DEPS}"
+
+PATCHES=(
+ "${FILESDIR}/${PN}-5.0.1_configure-no-lz4-automagic.patch"
+ "${FILESDIR}/${PN}-5.0.1_default-config.patch"
+)
+
+pkg_pretend() {
+ if use bpf && use kernel_linux; then
+ if kernel_is -lt 4 15; then
+ ewarn "Kernel 4.15 or newer is necessary to use all XDP features like the CPU redirect map"
+ fi
+
+ CONFIG_CHECK="~XDP_SOCKETS"
+ ERROR_XDP_SOCKETS="CONFIG_XDP_SOCKETS is not set, making it impossible for Suricata will to load XDP programs. "
+ ERROR_XDP_SOCKETS+="Other eBPF features should work normally."
+ check_extra_config
+ fi
+}
+
+src_prepare() {
+ default
+ sed -ie 's/docdir =.*/docdir = ${datarootdir}\/doc\/'${PF}'\//' "${S}/doc/Makefile.am"
+ eautoreconf
+}
+
+src_configure() {
+ local myeconfargs=(
+ "--localstatedir=/var" \
+ "--runstatedir=/run" \
+ "--enable-non-bundled-htp" \
+ "--enable-gccmarch-native=no" \
+ "--enable-python" \
+ $(use_enable af-packet) \
+ $(use_enable bpf ebpf) \
+ $(use_enable control-socket unix-socket) \
+ $(use_enable cuda) \
+ $(use_enable detection) \
+ $(use_enable geoip) \
+ $(use_enable hardened gccprotect) \
+ $(use_enable hardened pie) \
+ $(use_enable lua) \
+ $(use_enable luajit) \
+ $(use_enable lz4) \
+ $(use_enable nflog) \
+ $(use_enable nfqueue) \
+ $(use_enable redis hiredis) \
+ $(use_enable test unittests) \
+ "--disable-coccinelle"
+ )
+
+ if use debug; then
+ myeconfargs+=( $(use_enable debug) )
+ # so we can get a backtrace according to "reporting bugs" on upstream web site
+ CFLAGS="-ggdb -O0" econf ${myeconfargs[@]}
+ else
+ econf ${myeconfargs[@]}
+ fi
+}
+
+src_install() {
+ emake DESTDIR="${D}" install
+ python_optimize
+
+ if use bpf; then
+ rm -f ebpf/Makefile.{am,in}
+ dodoc -r ebpf/
+ keepdir /usr/libexec/suricata/ebpf
+ fi
+
+ insinto "/etc/${PN}"
+ doins etc/{classification,reference}.config threshold.config suricata.yaml
+
+ keepdir "/var/lib/${PN}/rules" "/var/lib/${PN}/update"
+ keepdir "/var/log/${PN}"
+
+ fowners -R ${PN}: "/var/lib/${PN}" "/var/log/${PN}" "/etc/${PN}"
+ fperms 750 "/var/lib/${PN}" "/var/log/${PN}" "/etc/${PN}"
+ fperms 2750 "/var/lib/${PN}/rules" "/var/lib/${PN}/update"
+
+ newinitd "${FILESDIR}/${PN}-5.0.1-init" ${PN}
+ newconfd "${FILESDIR}/${PN}-5.0.1-conf" ${PN}
+ systemd_dounit "${FILESDIR}"/${PN}.service
+ systemd_newtmpfilesd "${FILESDIR}"/${PN}.tmpfiles ${PN}.conf
+
+ if use logrotate; then
+ insopts -m0644
+ insinto /etc/logrotate.d
+ newins etc/${PN}.logrotate ${PN}
+ fi
+}
+
+pkg_postinst() {
+ elog ""
+ if use systemd; then
+ elog "Suricata requires either the mode of operation (e.g. --af-packet) or the interface to listen on (e.g. -i eth0)"
+ elog "to be specified on the command line. The provided systemd unit launches Suricata in af-packet mode and relies"
+ elog "on file configuration to specify interfaces, should you prefer to run it different you will have to customise"
+ elog "said unit. The simplest way of doing it is to override the Environment=OPTIONS='...' line using a .conf file"
+ elog "placed in the directory ${EPREFIX}/etc/systemd/system/suricata.service.d/ ."
+ elog "For details, see the section on drop-in directories in systemd.unit(5)."
+ else
+ elog "The ${PN} init script expects to find the path to the configuration"
+ elog "file as well as extra options in /etc/conf.d."
+ elog ""
+ elog "To create more than one ${PN} service, simply create a new .yaml file for it"
+ elog "then create a symlink to the init script from a link called"
+ elog "${PN}.foo - like so"
+ elog " cd /etc/${PN}"
+ elog " ${EDITOR##*/} suricata-foo.yaml"
+ elog " cd /etc/init.d"
+ elog " ln -s ${PN} ${PN}.foo"
+ elog "Then edit /etc/conf.d/${PN} and make sure you specify sensible options for foo."
+ elog ""
+ elog "You can create as many ${PN}.foo* services as you wish."
+ fi
+
+ if use bpf; then
+ elog ""
+ elog "eBPF/XDP files must be compiled (using sys-devel/clang[llvm_targets_BPF]) before use"
+ elog "because their configuration is hard-coded. You can find the default ones in"
+ elog " ${EPREFIX}/usr/share/doc/${PF}/ebpf"
+ elog "and the common location for eBPF bytecode is"
+ elog " ${EPREFIX}/usr/libexec/${PN}"
+ elog "For more information, see https://${PN}.readthedocs.io/en/${P}/capture-hardware/ebpf-xdp.html"
+ fi
+
+ if use debug; then
+ elog ""
+ elog "You have enabled the debug USE flag. Please read this link to report bugs upstream:"
+ elog "https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Reporting_Bugs"
+ elog "You need to also ensure the FEATURES variable in make.conf contains the"
+ elog "'nostrip' option to produce useful core dumps or back traces."
+ fi
+
+ elog ""
+ elog "To download and install an initial set of rules, run:"
+ elog " emerge --config =${CATEGORY}/${PF}"
+ elog ""
+}
+
+pkg_config() {
+ suricata-update
+}
^ permalink raw reply related [flat|nested] 11+ messages in thread
* [gentoo-commits] repo/gentoo:master commit in: net-analyzer/suricata/, net-analyzer/suricata/files/
@ 2020-10-09 12:14 Marek Szuba
0 siblings, 0 replies; 11+ messages in thread
From: Marek Szuba @ 2020-10-09 12:14 UTC (permalink / raw
To: gentoo-commits
commit: a8e82003db4b6ef62cf260263bafc1cc32f33acc
Author: Marek Szuba <marecki <AT> gentoo <DOT> org>
AuthorDate: Fri Oct 9 12:09:22 2020 +0000
Commit: Marek Szuba <marecki <AT> gentoo <DOT> org>
CommitDate: Fri Oct 9 12:14:16 2020 +0000
URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=a8e82003
net-analyzer/suricata: bump to 6.0.0
Okay, this has turned out to be easier than I thought it might be.
Note to self: since suricata-6 no longer supports unified2 output and
suricata-5 is still supported upstream (even 4 will only reach end of
life on 2020-12-31), keep the latter around for at least a bit longer.
Signed-off-by: Marek Szuba <marecki <AT> gentoo.org>
net-analyzer/suricata/Manifest | 1 +
.../files/suricata-6.0.0_default-config.patch | 27 +++
net-analyzer/suricata/suricata-6.0.0.ebuild | 203 +++++++++++++++++++++
3 files changed, 231 insertions(+)
diff --git a/net-analyzer/suricata/Manifest b/net-analyzer/suricata/Manifest
index 06edb9b7cc8..fde179dd2cb 100644
--- a/net-analyzer/suricata/Manifest
+++ b/net-analyzer/suricata/Manifest
@@ -1 +1,2 @@
DIST suricata-5.0.4.tar.gz 29091046 BLAKE2B 38526ca39d2460d630fdd9e804f36c74bfcde54a529748896779b549ed1b55174d6080ddad8933ddfd26004f4e78748a503832f47ee5f52d84a133643aef482b SHA512 e5da14f80b628968e146839b828971e888fd0158b2ecbbcc15c0f42fda2bdcc8ad89632ba05cc45c88d88e537452e77f8e2f3a5e09ecd038d0d38b1a8cf8cea6
+DIST suricata-6.0.0.tar.gz 30832555 BLAKE2B 9cea05b07520924706e961efed6a45b9ba73388a25777f43c1a90497aa00ec200bad15863b7b17b84e622c79309365596853423776da9c3d103c2a8c1126a0d2 SHA512 3c30f6f57c0e8a24992ff2b4ce8ce166d3c0d4b28c8f5e79434d04de9f2016773be01a1689fedfc9e54ff1c8bc9838206bc28f3ff2e47d60102a7016f1062ec3
diff --git a/net-analyzer/suricata/files/suricata-6.0.0_default-config.patch b/net-analyzer/suricata/files/suricata-6.0.0_default-config.patch
new file mode 100644
index 00000000000..03e0f1cda94
--- /dev/null
+++ b/net-analyzer/suricata/files/suricata-6.0.0_default-config.patch
@@ -0,0 +1,27 @@
+--- a/suricata.yaml.in
++++ b/suricata.yaml.in
+@@ -209,8 +209,9 @@
+ # https://suricata.readthedocs.io/en/latest/output/eve/eve-json-output.html#dns-v1-format
+
+ # As of Suricata 5.0, version 2 of the eve dns output
+- # format is the default.
+- #version: 2
++ # format is the default - but the daemon produces a warning to that effect
++ # at start-up if this isn't explicitly set.
++ version: 2
+
+ # Enable/disable this logger. Default: enabled.
+ #enabled: yes
+@@ -988,9 +989,9 @@
+ ##
+
+ # Run Suricata with a specific user-id and group-id:
+-#run-as:
+-# user: suri
+-# group: suri
++run-as:
++ user: suricata
++ group: suricata
+
+ # Some logging modules will use that name in event as identifier. The default
+ # value is the hostname
diff --git a/net-analyzer/suricata/suricata-6.0.0.ebuild b/net-analyzer/suricata/suricata-6.0.0.ebuild
new file mode 100644
index 00000000000..5f5d14e3eec
--- /dev/null
+++ b/net-analyzer/suricata/suricata-6.0.0.ebuild
@@ -0,0 +1,203 @@
+# Copyright 1999-2020 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=7
+
+PYTHON_COMPAT=( python3_{6..9} )
+
+inherit autotools flag-o-matic linux-info python-single-r1 systemd
+
+DESCRIPTION="High performance Network IDS, IPS and Network Security Monitoring engine"
+HOMEPAGE="https://suricata-ids.org/"
+SRC_URI="https://www.openinfosecfoundation.org/download/${P}.tar.gz"
+
+LICENSE="GPL-2"
+SLOT="0"
+KEYWORDS="~amd64 ~x86"
+IUSE="+af-packet bpf control-socket cuda debug +detection geoip hardened logrotate lua luajit lz4 nflog +nfqueue redis systemd test"
+
+RESTRICT="!test? ( test )"
+
+REQUIRED_USE="${PYTHON_REQUIRED_USE}
+ ?? ( lua luajit )
+ bpf? ( af-packet )"
+
+RDEPEND="${PYTHON_DEPS}
+ acct-group/suricata
+ acct-user/suricata
+ dev-libs/jansson
+ dev-libs/libpcre
+ dev-libs/libyaml
+ net-libs/libnet:*
+ net-libs/libnfnetlink
+ dev-libs/nspr
+ dev-libs/nss
+ $(python_gen_cond_dep '
+ dev-python/pyyaml[${PYTHON_USEDEP}]
+ ')
+ >=net-libs/libhtp-0.5.35
+ net-libs/libpcap
+ sys-apps/file
+ sys-libs/libcap-ng
+ bpf? ( >=dev-libs/libbpf-0.1.0 )
+ cuda? ( dev-util/nvidia-cuda-toolkit )
+ geoip? ( dev-libs/libmaxminddb )
+ logrotate? ( app-admin/logrotate )
+ lua? ( dev-lang/lua:* )
+ luajit? ( dev-lang/luajit:* )
+ lz4? ( app-arch/lz4 )
+ nflog? ( net-libs/libnetfilter_log )
+ nfqueue? ( net-libs/libnetfilter_queue )
+ redis? ( dev-libs/hiredis )"
+DEPEND="${RDEPEND}
+ >=sys-devel/autoconf-2.69-r5
+ virtual/rust"
+
+PATCHES=(
+ "${FILESDIR}/${PN}-5.0.1_configure-no-lz4-automagic.patch"
+ "${FILESDIR}/${PN}-6.0.0_default-config.patch"
+)
+
+pkg_pretend() {
+ if use bpf && use kernel_linux; then
+ if kernel_is -lt 4 15; then
+ ewarn "Kernel 4.15 or newer is necessary to use all XDP features like the CPU redirect map"
+ fi
+
+ CONFIG_CHECK="~XDP_SOCKETS"
+ ERROR_XDP_SOCKETS="CONFIG_XDP_SOCKETS is not set, making it impossible for Suricata to load XDP programs. "
+ ERROR_XDP_SOCKETS+="Other eBPF features should work normally."
+ check_extra_config
+ fi
+}
+
+src_prepare() {
+ default
+ sed -ie 's/docdir =.*/docdir = ${datarootdir}\/doc\/'${PF}'\//' "${S}/doc/Makefile.am" || die
+ eautoreconf
+}
+
+src_configure() {
+ local myeconfargs=(
+ "--localstatedir=/var" \
+ "--runstatedir=/run" \
+ "--enable-non-bundled-htp" \
+ "--enable-gccmarch-native=no" \
+ "--enable-python" \
+ $(use_enable af-packet) \
+ $(use_enable bpf ebpf) \
+ $(use_enable control-socket unix-socket) \
+ $(use_enable cuda) \
+ $(use_enable detection) \
+ $(use_enable geoip) \
+ $(use_enable hardened gccprotect) \
+ $(use_enable hardened pie) \
+ $(use_enable lua) \
+ $(use_enable luajit) \
+ $(use_enable lz4) \
+ $(use_enable nflog) \
+ $(use_enable nfqueue) \
+ $(use_enable redis hiredis) \
+ $(use_enable test unittests) \
+ "--disable-coccinelle"
+ )
+
+ if use debug; then
+ myeconfargs+=( $(use_enable debug) )
+ # so we can get a backtrace according to "reporting bugs" on upstream web site
+ CFLAGS="-ggdb -O0" econf ${myeconfargs[@]}
+ else
+ econf ${myeconfargs[@]}
+ fi
+}
+
+src_install() {
+ emake DESTDIR="${D}" install
+ python_optimize
+
+ if use bpf; then
+ rm -f ebpf/Makefile.{am,in}
+ dodoc -r ebpf/
+ keepdir /usr/libexec/suricata/ebpf
+ fi
+
+ insinto "/etc/${PN}"
+ doins etc/{classification,reference}.config threshold.config suricata.yaml
+
+ keepdir "/var/lib/${PN}/rules" "/var/lib/${PN}/update"
+ keepdir "/var/log/${PN}"
+
+ fowners -R ${PN}: "/var/lib/${PN}" "/var/log/${PN}" "/etc/${PN}"
+ fperms 750 "/var/lib/${PN}" "/var/log/${PN}" "/etc/${PN}"
+ fperms 2750 "/var/lib/${PN}/rules" "/var/lib/${PN}/update"
+
+ newinitd "${FILESDIR}/${PN}-5.0.1-init" ${PN}
+ newconfd "${FILESDIR}/${PN}-5.0.1-conf" ${PN}
+ systemd_dounit "${FILESDIR}"/${PN}.service
+ systemd_newtmpfilesd "${FILESDIR}"/${PN}.tmpfiles ${PN}.conf
+
+ if use logrotate; then
+ insopts -m0644
+ insinto /etc/logrotate.d
+ newins etc/${PN}.logrotate ${PN}
+ fi
+}
+
+pkg_postinst() {
+ elog
+ if use systemd; then
+ elog "Suricata requires either the mode of operation (e.g. --af-packet) or the interface to listen on (e.g. -i eth0)"
+ elog "to be specified on the command line. The provided systemd unit launches Suricata in af-packet mode and relies"
+ elog "on file configuration to specify interfaces, should you prefer to run it differently you will have to customise"
+ elog "said unit. The simplest way of doing it is to override the Environment=OPTIONS='...' line using a .conf file"
+ elog "placed in the directory ${EPREFIX}/etc/systemd/system/suricata.service.d/ ."
+ elog "For details, see the section on drop-in directories in systemd.unit(5)."
+ else
+ elog "The ${PN} init script expects to find the path to the configuration"
+ elog "file as well as extra options in /etc/conf.d."
+ elog
+ elog "To create more than one ${PN} service, simply create a new .yaml file for it"
+ elog "then create a symlink to the init script from a link called"
+ elog "${PN}.foo - like so"
+ elog " cd /etc/${PN}"
+ elog " ${EDITOR##*/} suricata-foo.yaml"
+ elog " cd /etc/init.d"
+ elog " ln -s ${PN} ${PN}.foo"
+ elog "Then edit /etc/conf.d/${PN} and make sure you specify sensible options for foo."
+ elog
+ elog "You can create as many ${PN}.foo* services as you wish."
+ fi
+
+ if use bpf; then
+ elog
+ elog "eBPF/XDP files must be compiled (using sys-devel/clang[llvm_targets_BPF]) before use"
+ elog "because their configuration is hard-coded. You can find the default ones in"
+ elog " ${EPREFIX}/usr/share/doc/${PF}/ebpf"
+ elog "and the common location for eBPF bytecode is"
+ elog " ${EPREFIX}/usr/libexec/${PN}"
+ elog "For more information, see https://${PN}.readthedocs.io/en/${P}/capture-hardware/ebpf-xdp.html"
+ fi
+
+ if use debug; then
+ elog
+ elog "You have enabled the debug USE flag. Please read this link to report bugs upstream:"
+ elog "https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Reporting_Bugs"
+ elog "You need to also ensure the FEATURES variable in make.conf contains the"
+ elog "'nostrip' option to produce useful core dumps or back traces."
+ fi
+
+ elog
+ if [[ -n "${REPLACING_VERSIONS}" ]]; then
+ ewarn "Since version 6.0.0 Suricata no longer supports the unified2 output format commonly used"
+ ewarn "in legacy, Snort-compatible IDS solutions, e.g. ones based on net-analyzer/barnyard2."
+ ewarn "If you need unified2 support, please continue to use suricata-5."
+ else
+ elog "To download and install an initial set of rules, run:"
+ elog " emerge --config =${CATEGORY}/${PF}"
+ fi
+ elog
+}
+
+pkg_config() {
+ suricata-update
+}
^ permalink raw reply related [flat|nested] 11+ messages in thread
* [gentoo-commits] repo/gentoo:master commit in: net-analyzer/suricata/, net-analyzer/suricata/files/
@ 2024-02-28 21:46 Marek Szuba
0 siblings, 0 replies; 11+ messages in thread
From: Marek Szuba @ 2024-02-28 21:46 UTC (permalink / raw
To: gentoo-commits
commit: 07e1f3e359b3cfe01d8ef3a1e263af2f8acc23b4
Author: Marek Szuba <marecki <AT> gentoo <DOT> org>
AuthorDate: Wed Feb 28 21:34:39 2024 +0000
Commit: Marek Szuba <marecki <AT> gentoo <DOT> org>
CommitDate: Wed Feb 28 21:46:10 2024 +0000
URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=07e1f3e3
net-analyzer/suricata: drop 6.0.15
No versions affected by the latest batch of CVEs left in the tree.
Signed-off-by: Marek Szuba <marecki <AT> gentoo.org>
net-analyzer/suricata/Manifest | 2 -
....6_configure-no-sphinx-pdflatex-automagic.patch | 26 ---
net-analyzer/suricata/suricata-6.0.15.ebuild | 212 ---------------------
3 files changed, 240 deletions(-)
diff --git a/net-analyzer/suricata/Manifest b/net-analyzer/suricata/Manifest
index 241154b314b8..9e0bba5db148 100644
--- a/net-analyzer/suricata/Manifest
+++ b/net-analyzer/suricata/Manifest
@@ -1,4 +1,2 @@
-DIST suricata-6.0.15.tar.gz 27903106 BLAKE2B cf5c2d5760e52f0b4eb0276feb89e056d74ef5478e3158a047fbdec14022aa6e0ba986b7ee9f9ec49e2ebb3f206c7d71ad8ce8dc4eb9a6b48b4ba38c96c2f1c6 SHA512 ec9904fdc57e594653e3f48794c602429412fc85377630600b96081cfeb21361c353ce54d564c01ef0400885c508b49bd8c7a5d8b4482d45155b2007907107a9
-DIST suricata-6.0.15.tar.gz.sig 566 BLAKE2B f9f5fd9df55c9854f4da3765673df094a3979324714b0f81f787abc3eaa811d01e42cf8b892c5ae558e5f453b82f84dcebd4548a0cfafca00582adc595a11bbf SHA512 e938715fe22699b623d70bcd70e69d3acb2bfa322ecb9a8a19b272eb5ba378b34974c3114419bbb07fb46b805bc160344d0bdb567acb887832e4c18734fef9a8
DIST suricata-7.0.3.tar.gz 23599903 BLAKE2B b42044428ae5ac4ecd6b41d083f0f3ac5839bf9a0734c3a64bb5e9a6f1a0ffe0c1f5da262f4e167461836bd26ebf9238ec9c0c213ba61f6419b6af1314f3becb SHA512 5a19a00118b86cd9c9b8a4b8399d8deda23beb19a6a6ed49e82240a1a5d4549490f3ce72743f5990c200850e8a64e3a51f45b8c1b8088bdd16aa12341dbf64aa
DIST suricata-7.0.3.tar.gz.sig 566 BLAKE2B 3befe75463a26493b660dc21721e2628a4889d5397d0ada6aa51bd9c748487130dfb56f3fa25b5514411adeaf0b385ee7e9d664ab0af9b6b0a2bef719bdc904f SHA512 a08274708f3aee891b018da613fa60cf66ca09b41f70ed1e89b57d5e778bf97058d71c6ad8c529926783287ddd0f20337957e03ff59b3500c207a4ef7936bfdf
diff --git a/net-analyzer/suricata/files/suricata-5.0.6_configure-no-sphinx-pdflatex-automagic.patch b/net-analyzer/suricata/files/suricata-5.0.6_configure-no-sphinx-pdflatex-automagic.patch
deleted file mode 100644
index be5805e67f87..000000000000
--- a/net-analyzer/suricata/files/suricata-5.0.6_configure-no-sphinx-pdflatex-automagic.patch
+++ /dev/null
@@ -1,26 +0,0 @@
-No configure options to disable looking for these, redundant for releases
-because the tarballs already contain both PDF documentation and man pages,
-and as of 2021-05-11 doc generation is not compatible with sphinx-4.0.0+
-due to conf.py calling long-deprecated app.add_stylesheet() rather
-than app.add_css_file().
-
---- a/configure.ac
-+++ b/configure.ac
-@@ -2423,7 +2423,7 @@
- fi
-
- # sphinx for documentation
-- AC_PATH_PROG(HAVE_SPHINXBUILD, sphinx-build, "no")
-+ HAVE_SPHINXBUILD="no"
- if test "$HAVE_SPHINXBUILD" = "no"; then
- enable_sphinxbuild=no
- if test -e "$srcdir/doc/userguide/suricata.1"; then
-@@ -2434,7 +2434,7 @@
- AM_CONDITIONAL([HAVE_SURICATA_MAN], [test "x$have_suricata_man" = "xyes"])
-
- # pdflatex for the pdf version of the user manual
-- AC_PATH_PROG(HAVE_PDFLATEX, pdflatex, "no")
-+ HAVE_PDFLATEX="no"
- if test "$HAVE_PDFLATEX" = "no"; then
- enable_pdflatex=no
- fi
diff --git a/net-analyzer/suricata/suricata-6.0.15.ebuild b/net-analyzer/suricata/suricata-6.0.15.ebuild
deleted file mode 100644
index 045ebbc38788..000000000000
--- a/net-analyzer/suricata/suricata-6.0.15.ebuild
+++ /dev/null
@@ -1,212 +0,0 @@
-# Copyright 1999-2024 Gentoo Authors
-# Distributed under the terms of the GNU General Public License v2
-
-EAPI=8
-
-LUA_COMPAT=( lua5-1 luajit )
-PYTHON_COMPAT=( python3_{10..12} )
-
-inherit autotools flag-o-matic linux-info lua-single python-single-r1 systemd tmpfiles verify-sig
-
-DESCRIPTION="High performance Network IDS, IPS and Network Security Monitoring engine"
-HOMEPAGE="https://suricata.io/"
-SRC_URI="https://www.openinfosecfoundation.org/download/${P}.tar.gz
- verify-sig? ( https://www.openinfosecfoundation.org/download/${P}.tar.gz.sig )"
-
-LICENSE="GPL-2"
-SLOT="0/6"
-KEYWORDS="~amd64 ~riscv ~x86"
-IUSE="+af-packet bpf control-socket cuda debug +detection geoip hardened hyperscan lua lz4 nflog +nfqueue redis systemd test"
-VERIFY_SIG_OPENPGP_KEY_PATH="/usr/share/openpgp-keys/openinfosecfoundation.org.asc"
-
-RESTRICT="!test? ( test )"
-
-REQUIRED_USE="${PYTHON_REQUIRED_USE}
- bpf? ( af-packet )
- lua? ( ${LUA_REQUIRED_USE} )"
-
-RDEPEND="${PYTHON_DEPS}
- acct-group/suricata
- acct-user/suricata
- dev-libs/jansson:=
- dev-libs/libpcre
- dev-libs/libyaml
- net-libs/libnet:*
- net-libs/libnfnetlink
- dev-libs/nspr
- dev-libs/nss
- $(python_gen_cond_dep '
- dev-python/pyyaml[${PYTHON_USEDEP}]
- ')
- >=net-libs/libhtp-0.5.45
- net-libs/libpcap
- sys-apps/file
- sys-libs/libcap-ng
- bpf? ( <dev-libs/libbpf-1.0.0 )
- cuda? ( dev-util/nvidia-cuda-toolkit )
- geoip? ( dev-libs/libmaxminddb:= )
- hyperscan? ( dev-libs/hyperscan )
- lua? ( ${LUA_DEPS} )
- lz4? ( app-arch/lz4 )
- nflog? ( net-libs/libnetfilter_log )
- nfqueue? ( net-libs/libnetfilter_queue )
- redis? ( dev-libs/hiredis:= )"
-DEPEND="${RDEPEND}
- >=dev-build/autoconf-2.69-r5
- virtual/rust"
-BDEPEND="verify-sig? ( >=sec-keys/openpgp-keys-oisf-20200807 )"
-
-PATCHES=(
- "${FILESDIR}/${PN}-5.0.1_configure-no-lz4-automagic.patch"
- "${FILESDIR}/${PN}-5.0.6_configure-no-sphinx-pdflatex-automagic.patch"
- "${FILESDIR}/${PN}-5.0.7_configure-no-hyperscan-automagic.patch"
- "${FILESDIR}/${PN}-6.0.0_default-config.patch"
-)
-
-pkg_pretend() {
- if use bpf && use kernel_linux; then
- if kernel_is -lt 4 15; then
- ewarn "Kernel 4.15 or newer is necessary to use all XDP features like the CPU redirect map"
- fi
-
- CONFIG_CHECK="~XDP_SOCKETS"
- ERROR_XDP_SOCKETS="CONFIG_XDP_SOCKETS is not set, making it impossible for Suricata to load XDP programs. "
- ERROR_XDP_SOCKETS+="Other eBPF features should work normally."
- check_extra_config
- fi
-}
-
-src_prepare() {
- default
- sed -ie 's/docdir =.*/docdir = ${datarootdir}\/doc\/'${PF}'\//' "${S}/doc/Makefile.am" || die
- eautoreconf
-}
-
-src_configure() {
- # Bug #861242
- filter-lto
-
- local myeconfargs=(
- "--localstatedir=/var" \
- "--runstatedir=/run" \
- "--enable-non-bundled-htp" \
- "--enable-gccmarch-native=no" \
- "--enable-python" \
- $(use_enable af-packet) \
- $(use_enable bpf ebpf) \
- $(use_enable control-socket unix-socket) \
- $(use_enable cuda) \
- $(use_enable detection) \
- $(use_enable geoip) \
- $(use_enable hardened gccprotect) \
- $(use_enable hardened pie) \
- $(use_enable hyperscan) \
- $(use_enable lz4) \
- $(use_enable nflog) \
- $(use_enable nfqueue) \
- $(use_enable redis hiredis) \
- $(use_enable test unittests) \
- "--disable-coccinelle"
- )
- if use lua; then
- if use lua_single_target_luajit; then
- myeconfargs+=( --enable-luajit )
- else
- myeconfargs+=( --enable-lua )
- fi
- fi
-
- if use debug; then
- myeconfargs+=( $(use_enable debug) )
- # so we can get a backtrace according to "reporting bugs" on upstream web site
- QA_FLAGS_IGNORED="usr/bin/${PN}"
- CFLAGS="-ggdb -O0" econf ${myeconfargs[@]}
- else
- econf ${myeconfargs[@]}
- fi
-}
-
-src_install() {
- emake DESTDIR="${D}" install
- python_optimize
- # Bug #878855
- python_fix_shebang "${ED}"/usr/bin/
-
- if use bpf; then
- rm -f ebpf/Makefile.{am,in} || die
- dodoc -r ebpf/
- keepdir /usr/libexec/suricata/ebpf
- fi
-
- insinto "/etc/${PN}"
- doins etc/{classification,reference}.config threshold.config suricata.yaml
-
- keepdir "/var/lib/${PN}/rules" "/var/lib/${PN}/update"
- keepdir "/var/log/${PN}"
-
- fowners -R ${PN}: "/var/lib/${PN}" "/var/log/${PN}" "/etc/${PN}"
- fperms 750 "/var/lib/${PN}" "/var/log/${PN}" "/etc/${PN}"
- fperms 6750 "/var/lib/${PN}/rules" "/var/lib/${PN}/update"
-
- newinitd "${FILESDIR}/${PN}.initd" ${PN}
- newconfd "${FILESDIR}/${PN}.confd" ${PN}
- systemd_dounit "${FILESDIR}"/${PN}.service
- newtmpfiles "${FILESDIR}"/${PN}.tmpfiles ${PN}.conf
-
- insopts -m0644
- insinto /etc/logrotate.d
- newins etc/${PN}.logrotate ${PN}
-}
-
-pkg_postinst() {
- tmpfiles_process ${PN}.conf
-
- elog
- if use systemd; then
- elog "Suricata requires either the mode of operation (e.g. --af-packet) or the interface to listen on (e.g. -i eth0)"
- elog "to be specified on the command line. The provided systemd unit launches Suricata in af-packet mode and relies"
- elog "on file configuration to specify interfaces, should you prefer to run it differently you will have to customise"
- elog "said unit. The simplest way of doing it is to override the Environment=OPTIONS='...' line using a .conf file"
- elog "placed in the directory ${EPREFIX}/etc/systemd/system/suricata.service.d/ ."
- elog "For details, see the section on drop-in directories in systemd.unit(5)."
- else
- elog "The ${PN} init script expects to find the path to the configuration"
- elog "file as well as extra options in /etc/conf.d."
- elog
- elog "To create more than one ${PN} service, simply create a new .yaml file for it"
- elog "then create a symlink to the init script from a link called"
- elog "${PN}.foo - like so"
- elog " cd /etc/${PN}"
- elog " ${EDITOR##*/} suricata-foo.yaml"
- elog " cd /etc/init.d"
- elog " ln -s ${PN} ${PN}.foo"
- elog "Then edit /etc/conf.d/${PN} and make sure you specify sensible options for foo."
- elog
- elog "You can create as many ${PN}.foo* services as you wish."
- fi
-
- if use bpf; then
- elog
- elog "eBPF/XDP files must be compiled (using sys-devel/clang[llvm_targets_BPF]) before use"
- elog "because their configuration is hard-coded. You can find the default ones in"
- elog " ${EPREFIX}/usr/share/doc/${PF}/ebpf"
- elog "and the common location for eBPF bytecode is"
- elog " ${EPREFIX}/usr/libexec/${PN}"
- elog "For more information, see https://${PN}.readthedocs.io/en/${P}/capture-hardware/ebpf-xdp.html"
- fi
-
- if use debug; then
- elog
- elog "You have enabled the debug USE flag. Please read this link to report bugs upstream:"
- elog "https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Reporting_Bugs"
- elog "You need to also ensure the FEATURES variable in make.conf contains the"
- elog "'nostrip' option to produce useful core dumps or back traces."
- fi
-
- elog
- if [[ -z "${REPLACING_VERSIONS}" ]]; then
- elog "To download and install an initial set of rules, run:"
- elog " suricata-update"
- fi
- elog
-}
^ permalink raw reply related [flat|nested] 11+ messages in thread
* [gentoo-commits] repo/gentoo:master commit in: net-analyzer/suricata/, net-analyzer/suricata/files/
@ 2024-02-28 21:46 Marek Szuba
0 siblings, 0 replies; 11+ messages in thread
From: Marek Szuba @ 2024-02-28 21:46 UTC (permalink / raw
To: gentoo-commits
commit: 4c54d76e8fab4063a74490103bace21d972a4d9d
Author: Marek Szuba <marecki <AT> gentoo <DOT> org>
AuthorDate: Wed Feb 28 21:25:33 2024 +0000
Commit: Marek Szuba <marecki <AT> gentoo <DOT> org>
CommitDate: Wed Feb 28 21:46:09 2024 +0000
URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=4c54d76e
net-analyzer/suricata: add 7.0.3, remove 7.0.2 and 7.0.2-r1
Includes Brahmajit's patch for the gcc-14 issue, as it is yet to be
fixed upstream.
Closes: https://bugs.gentoo.org/925011
Signed-off-by: Marek Szuba <marecki <AT> gentoo.org>
net-analyzer/suricata/Manifest | 4 +-
.../suricata-7.0.3_fix-build-with-gcc14.patch | 39 ++++
net-analyzer/suricata/suricata-7.0.2.ebuild | 221 ---------------------
...icata-7.0.2-r1.ebuild => suricata-7.0.3.ebuild} | 3 +-
4 files changed, 43 insertions(+), 224 deletions(-)
diff --git a/net-analyzer/suricata/Manifest b/net-analyzer/suricata/Manifest
index adabc7aa76bc..241154b314b8 100644
--- a/net-analyzer/suricata/Manifest
+++ b/net-analyzer/suricata/Manifest
@@ -1,4 +1,4 @@
DIST suricata-6.0.15.tar.gz 27903106 BLAKE2B cf5c2d5760e52f0b4eb0276feb89e056d74ef5478e3158a047fbdec14022aa6e0ba986b7ee9f9ec49e2ebb3f206c7d71ad8ce8dc4eb9a6b48b4ba38c96c2f1c6 SHA512 ec9904fdc57e594653e3f48794c602429412fc85377630600b96081cfeb21361c353ce54d564c01ef0400885c508b49bd8c7a5d8b4482d45155b2007907107a9
DIST suricata-6.0.15.tar.gz.sig 566 BLAKE2B f9f5fd9df55c9854f4da3765673df094a3979324714b0f81f787abc3eaa811d01e42cf8b892c5ae558e5f453b82f84dcebd4548a0cfafca00582adc595a11bbf SHA512 e938715fe22699b623d70bcd70e69d3acb2bfa322ecb9a8a19b272eb5ba378b34974c3114419bbb07fb46b805bc160344d0bdb567acb887832e4c18734fef9a8
-DIST suricata-7.0.2.tar.gz 23445403 BLAKE2B 5af50f6f0d91ba233b1cc373c073e72824f10d6df20c27041d5fd11d25c7be6b1941beccf0fb18612d6277eaa7bb1d47d8fedbd34f580ba87d352c45d4d51725 SHA512 bca6eb64495d36fcc83522e29a8ec24653752930d001191fca1d72de5513537fdb8c1805fc45afe55b5fb3a68cf3747af609eec46070505dcd5d9e53c0ed9b95
-DIST suricata-7.0.2.tar.gz.sig 566 BLAKE2B 8a931361acfa5e945fe9a3a03b38c65ff7f59da88a9af9c3f5a4b15ec880de6f22038a45d27c480c75489df0a90373f3cee44c48a266226fae89c00ed78b6e5f SHA512 0a46c8fef1d68f76c08c314613e558027dc7700a72628b5708dbc36c5c1943d816120c569692103d75d284cd7027cdda0d4ef9ab436992d7d2ec101e18aa5056
+DIST suricata-7.0.3.tar.gz 23599903 BLAKE2B b42044428ae5ac4ecd6b41d083f0f3ac5839bf9a0734c3a64bb5e9a6f1a0ffe0c1f5da262f4e167461836bd26ebf9238ec9c0c213ba61f6419b6af1314f3becb SHA512 5a19a00118b86cd9c9b8a4b8399d8deda23beb19a6a6ed49e82240a1a5d4549490f3ce72743f5990c200850e8a64e3a51f45b8c1b8088bdd16aa12341dbf64aa
+DIST suricata-7.0.3.tar.gz.sig 566 BLAKE2B 3befe75463a26493b660dc21721e2628a4889d5397d0ada6aa51bd9c748487130dfb56f3fa25b5514411adeaf0b385ee7e9d664ab0af9b6b0a2bef719bdc904f SHA512 a08274708f3aee891b018da613fa60cf66ca09b41f70ed1e89b57d5e778bf97058d71c6ad8c529926783287ddd0f20337957e03ff59b3500c207a4ef7936bfdf
diff --git a/net-analyzer/suricata/files/suricata-7.0.3_fix-build-with-gcc14.patch b/net-analyzer/suricata/files/suricata-7.0.3_fix-build-with-gcc14.patch
new file mode 100644
index 000000000000..7ebacf76852c
--- /dev/null
+++ b/net-analyzer/suricata/files/suricata-7.0.3_fix-build-with-gcc14.patch
@@ -0,0 +1,39 @@
+Bug: From b5280929c58559c178415ce199157b5c87171258 Mon Sep 17 00:00:00 2001
+From: Brahmajit Das <brahmajit.xyz@gmail.com>
+Date: Tue, 20 Feb 2024 12:05:57 +0530
+Subject: [PATCH 1/1] Fix passing incompatible pointer type with GCC 14
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+GCC 14 (and newer compilers like Clang 16) enables
+-Wincompatible-pointer-types by default, along with some other flags.
+Thus resulting in build errors such as
+
+util-host-info.c: In function ‘SCKernelVersionIsAtLeast’:
+util-host-info.c:94:31: error: passing argument 1 of ‘pcre2_substring_list_free_8’ from incompatible pointer type [-Wincompatible-pointer-types]
+ 94 | pcre2_substring_list_free((PCRE2_SPTR *)list);
+ | ^~~~~~~~~~~~~~~~~~
+ | |
+ | const PCRE2_UCHAR8 ** {aka const unsigned char **}
+
+Removing the casting make suricata build with GCC 14.
+
+First discovered on Gentoo Linux with GCC 14
+
+Bug: https://bugs.gentoo.org/925011
+Signed-off-by: Brahmajit Das <brahmajit.xyz@gmail.com>
+--- a/src/util-host-info.c
++++ b/src/util-host-info.c
+@@ -91,7 +91,7 @@ int SCKernelVersionIsAtLeast(int major, int minor)
+ err = true;
+ }
+
+- pcre2_substring_list_free((PCRE2_SPTR *)list);
++ pcre2_substring_list_free(list);
+ pcre2_match_data_free(version_regex_match);
+ pcre2_code_free(version_regex);
+
+--
+2.43.2
+
diff --git a/net-analyzer/suricata/suricata-7.0.2.ebuild b/net-analyzer/suricata/suricata-7.0.2.ebuild
deleted file mode 100644
index 93fe2558be37..000000000000
--- a/net-analyzer/suricata/suricata-7.0.2.ebuild
+++ /dev/null
@@ -1,221 +0,0 @@
-# Copyright 1999-2024 Gentoo Authors
-# Distributed under the terms of the GNU General Public License v2
-
-EAPI=8
-
-LUA_COMPAT=( lua5-1 luajit )
-PYTHON_COMPAT=( python3_{10..12} )
-
-inherit autotools flag-o-matic linux-info lua-single python-single-r1 systemd tmpfiles verify-sig
-
-DESCRIPTION="High performance Network IDS, IPS and Network Security Monitoring engine"
-HOMEPAGE="https://suricata.io/"
-SRC_URI="https://www.openinfosecfoundation.org/download/${P}.tar.gz
- verify-sig? ( https://www.openinfosecfoundation.org/download/${P}.tar.gz.sig )"
-
-LICENSE="GPL-2"
-SLOT="0/7"
-KEYWORDS="~amd64 ~riscv ~x86"
-IUSE="+af-packet af-xdp bpf control-socket cuda debug +detection geoip hardened hyperscan lua lz4 nflog +nfqueue redis systemd test"
-VERIFY_SIG_OPENPGP_KEY_PATH="/usr/share/openpgp-keys/openinfosecfoundation.org.asc"
-
-RESTRICT="!test? ( test )"
-
-REQUIRED_USE="${PYTHON_REQUIRED_USE}
- af-xdp? ( bpf )
- bpf? ( af-packet )
- lua? ( ${LUA_REQUIRED_USE} )"
-
-RDEPEND="${PYTHON_DEPS}
- acct-group/suricata
- acct-user/suricata
- dev-libs/jansson:=
- dev-libs/libpcre2
- dev-libs/libyaml
- net-libs/libnet:*
- net-libs/libnfnetlink
- dev-libs/nspr
- dev-libs/nss
- $(python_gen_cond_dep '
- dev-python/pyyaml[${PYTHON_USEDEP}]
- ')
- >=net-libs/libhtp-0.5.45
- net-libs/libpcap
- sys-apps/file
- sys-libs/libcap-ng
- af-xdp? ( net-libs/xdp-tools )
- bpf? ( dev-libs/libbpf )
- cuda? ( dev-util/nvidia-cuda-toolkit )
- geoip? ( dev-libs/libmaxminddb:= )
- hyperscan? ( dev-libs/hyperscan )
- lua? ( ${LUA_DEPS} )
- lz4? ( app-arch/lz4 )
- nflog? ( net-libs/libnetfilter_log )
- nfqueue? ( net-libs/libnetfilter_queue )
- redis? ( dev-libs/hiredis:= )"
-DEPEND="${RDEPEND}
- >=dev-build/autoconf-2.69-r5
- virtual/rust"
-BDEPEND="verify-sig? ( >=sec-keys/openpgp-keys-oisf-20200807 )"
-
-PATCHES=(
- "${FILESDIR}/${PN}-5.0.1_configure-no-lz4-automagic.patch"
- "${FILESDIR}/${PN}-5.0.7_configure-no-hyperscan-automagic.patch"
- "${FILESDIR}/${PN}-6.0.0_default-config.patch"
- "${FILESDIR}/${PN}-7.0.2_configure-no-sphinx-pdflatex-automagic.patch"
-)
-
-pkg_pretend() {
- if use af-xdp && use kernel_linux; then
- if kernel_is -lt 4 18; then
- ewarn "Kernel 4.18 or newer is required for AF_XDP"
- fi
- fi
-
- if use bpf && use kernel_linux; then
- if kernel_is -lt 4 15; then
- ewarn "Kernel 4.15 or newer is necessary to use all XDP features like the CPU redirect map"
- fi
-
- CONFIG_CHECK="~XDP_SOCKETS"
- ERROR_XDP_SOCKETS="CONFIG_XDP_SOCKETS is not set, making it impossible for Suricata to load XDP programs. "
- ERROR_XDP_SOCKETS+="Other eBPF features should work normally."
- check_extra_config
- fi
-}
-
-src_prepare() {
- default
- sed -ie 's/docdir =.*/docdir = ${datarootdir}\/doc\/'${PF}'\//' "${S}/doc/Makefile.am" || die
- eautoreconf
-}
-
-src_configure() {
- # Bug #861242
- filter-lto
-
- local myeconfargs=(
- "--localstatedir=/var" \
- "--runstatedir=/run" \
- "--enable-non-bundled-htp" \
- "--enable-gccmarch-native=no" \
- "--enable-python" \
- $(use_enable af-packet) \
- $(use_enable af-xdp) \
- $(use_enable bpf ebpf) \
- $(use_enable control-socket unix-socket) \
- $(use_enable cuda) \
- $(use_enable detection) \
- $(use_enable geoip) \
- $(use_enable hardened gccprotect) \
- $(use_enable hardened pie) \
- $(use_enable hyperscan) \
- $(use_enable lz4) \
- $(use_enable nflog) \
- $(use_enable nfqueue) \
- $(use_enable redis hiredis) \
- $(use_enable test unittests) \
- "--disable-coccinelle"
- )
- if use lua; then
- if use lua_single_target_luajit; then
- myeconfargs+=( --enable-luajit )
- else
- myeconfargs+=( --enable-lua )
- fi
- fi
-
- if use debug; then
- myeconfargs+=( $(use_enable debug) )
- # so we can get a backtrace according to "reporting bugs" on upstream web site
- QA_FLAGS_IGNORED="usr/bin/${PN}"
- CFLAGS="-ggdb -O0" econf ${myeconfargs[@]}
- else
- econf ${myeconfargs[@]}
- fi
-}
-
-src_install() {
- emake DESTDIR="${D}" install
- python_optimize
- # Bug #878855
- python_fix_shebang "${ED}"/usr/bin/
-
- if use bpf; then
- rm -f ebpf/Makefile.{am,in} || die
- dodoc -r ebpf/
- keepdir /usr/libexec/suricata/ebpf
- fi
-
- insinto "/etc/${PN}"
- doins etc/{classification,reference}.config threshold.config suricata.yaml
-
- keepdir "/var/lib/${PN}/rules" "/var/lib/${PN}/update"
- keepdir "/var/log/${PN}"
-
- fowners -R ${PN}: "/var/lib/${PN}" "/var/log/${PN}" "/etc/${PN}"
- fperms 750 "/var/lib/${PN}" "/var/log/${PN}" "/etc/${PN}"
- fperms 6750 "/var/lib/${PN}/rules" "/var/lib/${PN}/update"
-
- newinitd "${FILESDIR}/${PN}.initd" ${PN}
- newconfd "${FILESDIR}/${PN}.confd" ${PN}
- systemd_dounit "${FILESDIR}"/${PN}.service
- newtmpfiles "${FILESDIR}"/${PN}.tmpfiles ${PN}.conf
-
- insopts -m0644
- insinto /etc/logrotate.d
- newins etc/${PN}.logrotate ${PN}
-}
-
-pkg_postinst() {
- tmpfiles_process ${PN}.conf
-
- elog
- if use systemd; then
- elog "Suricata requires either the mode of operation (e.g. --af-packet) or the interface to listen on (e.g. -i eth0)"
- elog "to be specified on the command line. The provided systemd unit launches Suricata in af-packet mode and relies"
- elog "on file configuration to specify interfaces, should you prefer to run it differently you will have to customise"
- elog "said unit. The simplest way of doing it is to override the Environment=OPTIONS='...' line using a .conf file"
- elog "placed in the directory ${EPREFIX}/etc/systemd/system/suricata.service.d/ ."
- elog "For details, see the section on drop-in directories in systemd.unit(5)."
- else
- elog "The ${PN} init script expects to find the path to the configuration"
- elog "file as well as extra options in /etc/conf.d."
- elog
- elog "To create more than one ${PN} service, simply create a new .yaml file for it"
- elog "then create a symlink to the init script from a link called"
- elog "${PN}.foo - like so"
- elog " cd /etc/${PN}"
- elog " ${EDITOR##*/} suricata-foo.yaml"
- elog " cd /etc/init.d"
- elog " ln -s ${PN} ${PN}.foo"
- elog "Then edit /etc/conf.d/${PN} and make sure you specify sensible options for foo."
- elog
- elog "You can create as many ${PN}.foo* services as you wish."
- fi
-
- if use bpf; then
- elog
- elog "eBPF/XDP files must be compiled (using sys-devel/clang[llvm_targets_BPF]) before use"
- elog "because their configuration is hard-coded. You can find the default ones in"
- elog " ${EPREFIX}/usr/share/doc/${PF}/ebpf"
- elog "and the common location for eBPF bytecode is"
- elog " ${EPREFIX}/usr/libexec/${PN}"
- elog "For more information, see https://${PN}.readthedocs.io/en/${P}/capture-hardware/ebpf-xdp.html"
- fi
-
- if use debug; then
- elog
- elog "You have enabled the debug USE flag. Please read this link to report bugs upstream:"
- elog "https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Reporting_Bugs"
- elog "You need to also ensure the FEATURES variable in make.conf contains the"
- elog "'nostrip' option to produce useful core dumps or back traces."
- fi
-
- elog
- if [[ -z "${REPLACING_VERSIONS}" ]]; then
- elog "To download and install an initial set of rules, run:"
- elog " suricata-update"
- fi
- elog
-}
diff --git a/net-analyzer/suricata/suricata-7.0.2-r1.ebuild b/net-analyzer/suricata/suricata-7.0.3.ebuild
similarity index 98%
rename from net-analyzer/suricata/suricata-7.0.2-r1.ebuild
rename to net-analyzer/suricata/suricata-7.0.3.ebuild
index 897087d2c82d..31a877d45e4f 100644
--- a/net-analyzer/suricata/suricata-7.0.2-r1.ebuild
+++ b/net-analyzer/suricata/suricata-7.0.3.ebuild
@@ -39,7 +39,7 @@ RDEPEND="${PYTHON_DEPS}
$(python_gen_cond_dep '
dev-python/pyyaml[${PYTHON_USEDEP}]
')
- >=net-libs/libhtp-0.5.45
+ >=net-libs/libhtp-0.5.46
net-libs/libpcap
sys-apps/file
sys-libs/libcap-ng
@@ -63,6 +63,7 @@ PATCHES=(
"${FILESDIR}/${PN}-5.0.7_configure-no-hyperscan-automagic.patch"
"${FILESDIR}/${PN}-6.0.0_default-config.patch"
"${FILESDIR}/${PN}-7.0.2_configure-no-sphinx-pdflatex-automagic.patch"
+ "${FILESDIR}/${PN}-7.0.3_fix-build-with-gcc14.patch"
)
pkg_pretend() {
^ permalink raw reply related [flat|nested] 11+ messages in thread
end of thread, other threads:[~2024-02-28 21:46 UTC | newest]
Thread overview: 11+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2020-10-09 12:14 [gentoo-commits] repo/gentoo:master commit in: net-analyzer/suricata/, net-analyzer/suricata/files/ Marek Szuba
-- strict thread matches above, loose matches on Subject: below --
2024-02-28 21:46 Marek Szuba
2024-02-28 21:46 Marek Szuba
2019-12-18 14:22 Marek Szuba
2019-12-16 16:05 Marek Szuba
2019-09-08 19:25 Slawek Lis
2018-06-11 14:04 Marek Szuba
2016-12-28 13:10 Slawek Lis
2016-12-28 9:34 Slawek Lis
2016-12-27 7:33 Slawek Lis
2015-11-30 6:10 Slawek Lis
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox