From da28437322994c655e77d94dcd82d01d575fce58 Mon Sep 17 00:00:00 2001 From: Marek Szuba Date: Mon, 16 Dec 2019 15:56:33 +0000 Subject: [PATCH] net-analyzer/suricata: bump to 5.0.0 and EAPI 7 Package-Manager: Portage-2.3.79, Repoman-2.3.16 Signed-off-by: Marek Szuba --- net-analyzer/suricata/Manifest | 1 + .../suricata-5.0.0_configure-lua-flags.patch | 16 ++ ...ata-5.0.0_configure-no-lz4-automagic.patch | 23 +++ .../files/suricata-5.0.0_default-config.patch | 61 ++++++ net-analyzer/suricata/files/suricata.service | 21 ++ net-analyzer/suricata/files/suricata.tmpfiles | 1 + net-analyzer/suricata/metadata.xml | 6 +- net-analyzer/suricata/suricata-5.0.0.ebuild | 185 ++++++++++++++++++ 8 files changed, 313 insertions(+), 1 deletion(-) create mode 100644 net-analyzer/suricata/files/suricata-5.0.0_configure-lua-flags.patch create mode 100644 net-analyzer/suricata/files/suricata-5.0.0_configure-no-lz4-automagic.patch create mode 100644 net-analyzer/suricata/files/suricata-5.0.0_default-config.patch create mode 100644 net-analyzer/suricata/files/suricata.service create mode 100644 net-analyzer/suricata/files/suricata.tmpfiles create mode 100644 net-analyzer/suricata/suricata-5.0.0.ebuild diff --git a/net-analyzer/suricata/Manifest b/net-analyzer/suricata/Manifest index fe67675774df..72532b86510d 100644 --- a/net-analyzer/suricata/Manifest +++ b/net-analyzer/suricata/Manifest @@ -1 +1,2 @@ DIST suricata-4.0.4.tar.gz 12511121 BLAKE2B d9dfb00a45c2e9810409a8ce91a83e23ebce20eb28492bf24f9688d292b5805dca932c39cc673cf1148325fe5ef7936dda7f6c7819605753cb2e2ddc1cf5dba0 SHA512 6e158aa6d3edb9d11e0df3f986392ee2ae49ab4dfb978288ced4484dbe5c08ae061db2a566be6d22cf14bd0b88f87f9cb9c0a657d7fc44e099b8783d933c771e +DIST suricata-5.0.0.tar.gz 23689051 BLAKE2B 701625d50dacbeb846d7ea1c3aad3980969c1c0124c007d843353fe25b7e579378d2cd125db4660e33fff1f8cf20eac4bbafe280ba6ff31f988fb6c42b29b6aa SHA512 0dc8941fdf29d615531eeda6f6076052cca79fda6dda3c96300c08b343a64a1700fd23dd83a03507009ab7c9b19c91b65ee65e704f55ddee17764b71e9e2911e diff --git a/net-analyzer/suricata/files/suricata-5.0.0_configure-lua-flags.patch b/net-analyzer/suricata/files/suricata-5.0.0_configure-lua-flags.patch new file mode 100644 index 000000000000..be956fd94d40 --- /dev/null +++ b/net-analyzer/suricata/files/suricata-5.0.0_configure-lua-flags.patch @@ -0,0 +1,16 @@ +--- a/configure.ac ++++ b/configure.ac +@@ -1749,11 +1749,11 @@ + # liblua + AC_ARG_ENABLE(lua, + AS_HELP_STRING([--enable-lua],[Enable Lua support]), +- [ enable_lua="$enableval"], ++ [], + [ enable_lua="no"]) + AC_ARG_ENABLE(luajit, + AS_HELP_STRING([--enable-luajit],[Enable Luajit support]), +- [ enable_luajit="$enableval"], ++ [], + [ enable_luajit="no"]) + if test "$enable_lua" = "yes"; then + if test "$enable_luajit" = "yes"; then diff --git a/net-analyzer/suricata/files/suricata-5.0.0_configure-no-lz4-automagic.patch b/net-analyzer/suricata/files/suricata-5.0.0_configure-no-lz4-automagic.patch new file mode 100644 index 000000000000..5efce46f6d9f --- /dev/null +++ b/net-analyzer/suricata/files/suricata-5.0.0_configure-no-lz4-automagic.patch @@ -0,0 +1,23 @@ +--- a/configure.ac ++++ b/configure.ac +@@ -2292,7 +2292,11 @@ + fi + + # Check for lz4 +-enable_liblz4="yes" ++AC_ARG_ENABLE(lz4, ++ AS_HELP_STRING([--enable-lz4], [Enable compressed pcap logging using liblz4]), ++ [enable_liblz4=$enableval], ++ [enable_liblz4=yes]) ++if test "x$enable_liblz4" != "xno"; then + AC_CHECK_LIB(lz4, LZ4F_createCompressionContext, , enable_liblz4="no") + + if test "$enable_liblz4" = "no"; then +@@ -2306,6 +2310,7 @@ + echo " yum install lz4-devel" + echo + fi ++fi + + # get cache line size + AC_PATH_PROG(HAVE_GETCONF_CMD, getconf, "no") diff --git a/net-analyzer/suricata/files/suricata-5.0.0_default-config.patch b/net-analyzer/suricata/files/suricata-5.0.0_default-config.patch new file mode 100644 index 000000000000..07a45c9a5747 --- /dev/null +++ b/net-analyzer/suricata/files/suricata-5.0.0_default-config.patch @@ -0,0 +1,61 @@ +--- a/suricata.yaml.in ++++ b/suricata.yaml.in +@@ -203,8 +203,9 @@ + # https://suricata.readthedocs.io/en/latest/output/eve/eve-json-output.html#dns-v1-format + + # As of Suricata 5.0, version 2 of the eve dns output +- # format is the default. +- #version: 2 ++ # format is the default - but the daemon produces a warning to that effect ++ # at start-up if this isn't explicitly set. ++ version: 2 + + # Enable/disable this logger. Default: enabled. + #enabled: yes +@@ -978,9 +979,9 @@ + ## + + # Run suricata as user and group. +-#run-as: +-# user: suri +-# group: suri ++run-as: ++ user: suricata ++ group: suricata + + # Some logging module will use that name in event as identifier. The default + # value is the hostname +@@ -1806,16 +1807,28 @@ + hashmode: hash5tuplesorted + + ## +-## Configure Suricata to load Suricata-Update managed rules. +-## +-## If this section is completely commented out move down to the "Advanced rule +-## file configuration". ++## Configure Suricata to load default rules it comes with. + ## + + default-rule-path: @e_defaultruledir@ + + rule-files: +- - suricata.rules ++ - /etc/suricata/rules/app-layer-events.rules ++ - /etc/suricata/rules/decoder-events.rules ++ - /etc/suricata/rules/dhcp-events.rules ++ - /etc/suricata/rules/dnp3-events.rules ++ - /etc/suricata/rules/dns-events.rules ++ - /etc/suricata/rules/files.rules ++ - /etc/suricata/rules/http-events.rules ++ - /etc/suricata/rules/ipsec-events.rules ++ - /etc/suricata/rules/kerberos-events.rules ++ - /etc/suricata/rules/modbus-events.rules ++ - /etc/suricata/rules/nfs-events.rules ++ - /etc/suricata/rules/ntp-events.rules ++ - /etc/suricata/rules/smb-events.rules ++ - /etc/suricata/rules/smtp-events.rules ++ - /etc/suricata/rules/stream-events.rules ++ - /etc/suricata/rules/tls-events.rules + + ## + ## Auxiliary configuration files. diff --git a/net-analyzer/suricata/files/suricata.service b/net-analyzer/suricata/files/suricata.service new file mode 100644 index 000000000000..5e617388018f --- /dev/null +++ b/net-analyzer/suricata/files/suricata.service @@ -0,0 +1,21 @@ +[Unit] +Description=Suricata IDS/IDP daemon +After=network.target +Requires=network.target +Documentation=man:suricata(8) man:suricatasc(8) +Documentation=https://redmine.openinfosecfoundation.org/projects/suricata/wiki + +[Service] +Type=forking +Environment=OPTIONS='-c /etc/suricata/suricata.yaml' +CapabilityBoundingSet=CAP_NET_ADMIN +PIDFile=/var/run/suricata/suricata.pid +ExecStart=/usr/bin/suricata --pidfile /var/run/suricata/suricata.pid $OPTIONS +ExecReload=/bin/kill -HUP $MAINPID +ExecStop=/bin/kill $MAINPID +PrivateTmp=yes +ProtectHome=yes + +[Install] +WantedBy=multi-user.target + diff --git a/net-analyzer/suricata/files/suricata.tmpfiles b/net-analyzer/suricata/files/suricata.tmpfiles new file mode 100644 index 000000000000..46fe50842978 --- /dev/null +++ b/net-analyzer/suricata/files/suricata.tmpfiles @@ -0,0 +1 @@ +d /var/run/suricata - - - - diff --git a/net-analyzer/suricata/metadata.xml b/net-analyzer/suricata/metadata.xml index 0afee5625d1a..bc25d72f0887 100644 --- a/net-analyzer/suricata/metadata.xml +++ b/net-analyzer/suricata/metadata.xml @@ -6,13 +6,17 @@ Enable AF_PACKET support + Enable support for eBPF (as well as XDP if supported by the kernel and the NIC driver) + for low-level, high-speed packet processing Enable unix socket Enable NVIDIA Cuda computations support Enable detection modules + Install logrotate rule + Enable support for compressed pcap logging using the LZ4 algorithm Enable libnetfilter_log support Enable NFQUEUE support for inline IDP Enable Redis support Install default ruleset - Install logrotate rule + Install suricatactl, suricatasc and suricata-update diff --git a/net-analyzer/suricata/suricata-5.0.0.ebuild b/net-analyzer/suricata/suricata-5.0.0.ebuild new file mode 100644 index 000000000000..05f328b973b3 --- /dev/null +++ b/net-analyzer/suricata/suricata-5.0.0.ebuild @@ -0,0 +1,185 @@ +# Copyright 1999-2019 Gentoo Authors +# Distributed under the terms of the GNU General Public License v2 + +EAPI=7 + +PYTHON_COMPAT=( python3_{6,7,8} ) + +inherit autotools linux-info python-single-r1 systemd + +DESCRIPTION="High performance Network IDS, IPS and Network Security Monitoring engine" +HOMEPAGE="https://suricata-ids.org/" +SRC_URI="https://www.openinfosecfoundation.org/download/${P}.tar.gz" + +LICENSE="GPL-2" +SLOT="0" +KEYWORDS="~amd64 ~x86" +IUSE="+af-packet bpf control-socket cuda debug +detection geoip hardened logrotate lua luajit lz4 nflog +nfqueue redis +rules systemd test tools" + +RESTRICT="!test? ( test )" + +REQUIRED_USE="?? ( lua luajit ) + bpf? ( af-packet ) + tools? ( ${PYTHON_REQUIRED_USE} )" + +CDEPEND="acct-group/suricata + acct-user/suricata + dev-libs/jansson + dev-libs/libpcre + dev-libs/libyaml + net-libs/libnet:* + net-libs/libnfnetlink + dev-libs/nspr + dev-libs/nss + >=net-libs/libhtp-0.5.31 + net-libs/libpcap + sys-apps/file + sys-libs/libcap-ng + bpf? ( >=dev-libs/libbpf-0.0.5 ) + cuda? ( dev-util/nvidia-cuda-toolkit ) + geoip? ( dev-libs/libmaxminddb ) + logrotate? ( app-admin/logrotate ) + lua? ( dev-lang/lua:* ) + luajit? ( dev-lang/luajit:* ) + lz4? ( app-arch/lz4 ) + nflog? ( net-libs/libnetfilter_log ) + nfqueue? ( net-libs/libnetfilter_queue ) + redis? ( dev-libs/hiredis ) + tools? ( dev-python/pyyaml[${PYTHON_USEDEP}] )" +DEPEND="${CDEPEND} + dev-lang/rust" +# Not confirmed that it works yet +# test? ( dev-util/coccinelle )" +RDEPEND="${CDEPEND} + tools? ( ${PYTHON_DEPS} )" + +PATCHES=( + "${FILESDIR}/${PN}-5.0.0_configure-lua-flags.patch" + "${FILESDIR}/${PN}-5.0.0_configure-no-lz4-automagic.patch" + "${FILESDIR}/${PN}-5.0.0_default-config.patch" +) + +pkg_pretend() { + if use bpf && use kernel_linux; then + if kernel_is -lt 4 15; then + ewarn "Kernel 4.15 or newer is necessary to use all XDP features like the CPU redirect map" + fi + + CONFIG_CHECK="~XDP_SOCKETS" + ERROR_XDP_SOCKETS="CONFIG_XDP_SOCKETS is not set, making it impossible for Suricata will to load XDP programs. " + ERROR_XDP_SOCKETS+="Other eBPF features should work normally." + check_extra_config + fi +} + +src_prepare() { + default + sed -ie 's/docdir =.*/docdir = ${datarootdir}\/doc\/'${PF}'\//' "${S}/doc/Makefile.am" + eautoreconf +} + +src_configure() { + local myeconfargs=( + "--localstatedir=/var" \ + "--enable-non-bundled-htp" \ + "--enable-gccmarch-native=no" \ + $(use_enable af-packet) \ + $(use_enable bpf ebpf) \ + $(use_enable control-socket unix-socket) \ + $(use_enable cuda) \ + $(use_enable detection) \ + $(use_enable geoip) \ + $(use_enable hardened gccprotect) \ + $(use_enable hardened pie) \ + $(use_enable lua) \ + $(use_enable luajit) \ + $(use_enable lz4) \ + $(use_enable nflog) \ + $(use_enable nfqueue) \ + $(use_enable redis hiredis) \ + $(use_enable test coccinelle) \ + $(use_enable test unittests) \ + $(use_enable tools python) + ) + + if use debug; then + myeconfargs+=( $(use_enable debug) ) + # so we can get a backtrace according to "reporting bugs" on upstream web site + CFLAGS="-ggdb -O0" econf ${myeconfargs[@]} + else + econf ${myeconfargs[@]} + fi +} + +src_install() { + emake DESTDIR="${D}" install + + if use bpf; then + rm -f ebpf/Makefile.{am,in} + dodoc -r ebpf/ + keepdir /usr/libexec/suricata/ebpf + fi + + insinto "/etc/${PN}" + doins etc/{classification,reference}.config threshold.config suricata.yaml + + if use rules; then + insinto "/etc/${PN}/rules" + doins rules/*.rules + fi + + keepdir "/var/lib/${PN}" + keepdir "/var/log/${PN}" + + fowners -R ${PN}: "/var/lib/${PN}" "/var/log/${PN}" "/etc/${PN}" + fperms 750 "/var/lib/${PN}" "/var/log/${PN}" "/etc/${PN}" + + newinitd "${FILESDIR}/${PN}-4.0.4-init" ${PN} + newconfd "${FILESDIR}/${PN}-4.0.4-conf" ${PN} + systemd_dounit "${FILESDIR}"/${PN}.service + systemd_newtmpfilesd "${FILESDIR}"/${PN}.tmpfiles ${PN}.conf + + if use logrotate; then + insopts -m0644 + insinto /etc/logrotate.d + newins etc/${PN}.logrotate ${PN} + fi +} + +pkg_postinst() { + if ! use systemd; then + elog "The ${PN} init script expects to find the path to the configuration" + elog "file as well as extra options in /etc/conf.d." + elog "" + elog "To create more than one ${PN} service, simply create a new .yaml file for it" + elog "then create a symlink to the init script from a link called" + elog "${PN}.foo - like so" + elog " cd /etc/${PN}" + elog " ${EDITOR##*/} suricata-foo.yaml" + elog " cd /etc/init.d" + elog " ln -s ${PN} ${PN}.foo" + elog "Then edit /etc/conf.d/${PN} and make sure you specify sensible options for foo." + elog "" + elog "You can create as many ${PN}.foo* services as you wish." + fi + + if use bpf; then + elog "eBPF/XDP files must be compiled (using sys-devel/clang[llvm_targets_BPF]) before use" + elog "because their configuration is hard-coded. You can find the default ones in" + elog " ${EPREFIX}/usr/share/doc/${PF}" + elog "and the common location for eBPF bytecode is" + elog " ${EPREFIX}/usr/libexec/${PN}" + elog "For more information, see https://${PN}.readthedocs.io/en/${P}/capture-hardware/ebpf-xdp.html" + fi + + if use logrotate; then + elog "You enabled the logrotate USE flag. Please make sure you correctly set up the ${PN} logrotate config file in /etc/logrotate.d/." + fi + + if use debug; then + elog "You enabled the debug USE flag. Please read this link to report bugs upstream:" + elog "https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Reporting_Bugs" + elog "You need to also ensure the FEATURES variable in make.conf contains the" + elog "'nostrip' option to produce useful core dumps or back traces." + fi +} -- 2.26.2