Bug#: 245752
Status: RESOLVED
Resolution: FIXED
Assigned To: Marcelo Goes <vanquirius@gentoo.org>
Reporter: Jason Wallace <jason.r.wallace@gmail.com>

Filename Description Type Creator Created Size Actions
snort-2.8.3.1.ebuild snort-2.8.3.1.ebuild text/plain Jason Wallace 2008-11-05 20:49 0000 9.28 KB Details
snort-2.8.3.1-libnet.patch snort-2.8.3.1-libnet.patch patch Jason Wallace 2008-11-05 20:50 0000 8.74 KB Details | Diff
snort-2.8.3.1.ebuild snort-2.8.3.1.ebuild text/plain Jason Wallace 2008-11-05 21:17 0000 9.26 KB Details
snort-2.8.3.1.ebuild snort-2.8.3.1.ebuild text/plain Jason Wallace 2008-11-05 22:01 0000 9.27 KB Details
snortsam-2.8.3.diff snortsam patch patch Antixrict 2008-11-18 23:17 0000 168.79 KB Details | Diff
snort-2.8.3.1.ebuild snort-2.8.3.1 + snortsam patch Antixrict 2008-11-18 23:36 0000 10.47 KB Details | Diff

Bug 245752 blocks: 223217


Description:   Opened: 2008-11-05 20:47 0000
New Ebuild for snort-2.8.3.1

Reproducible: Always

Steps to Reproduce:

------- Comment #1 From Jason Wallace 2008-11-05 20:49:52 0000 -------
Created an attachment (id=170845)
snort-2.8.3.1.ebuild

Rewrite of the snort ebuild

------- Comment #2 From Jason Wallace 2008-11-05 20:50:47 0000 -------
Created an attachment (id=170846)
snort-2.8.3.1-libnet.patch

libnet patch for flexresp, react, and inline

------- Comment #3 From Jason Wallace 2008-11-05 20:59:39 0000 -------
This is practically a complete rewrite of the snort ebuild. 

This ebuild is written for the current version of snort (2.8.3.1) 
and includes USE flags for all current --enable-* and --with-* statements 
that are relevant for Linux systems.

This ebuild also solves a number of snort bugs...
bug #223217
bug #198205
bug #235033
bug #207778

Sourcefire is not very good at documenting what is and is not enabled by
default during ./configure. This is the root cause of some of the problems in
bug #198205.
I designed the ebuild such that if the user does not specifically enable or
require (based on USE settings) a feature, then the feature is disabled. This
prevents a number of compile time problems and makes for a faster snort binary,
which in-turn helps reduce packet loss.

This ebuild is ready for ~x86 testing. I have tested most of the standard
options.

Testers needed for:
-------------------
Prelude
inline
ipv6
selinux

Developers needed for
---------------------
other ~arch users

I do not have a 64bit system, so this ebuild has no 64bit build logic.


Changes:
* Combined all the libnet patches for inline, react, and flexresp 
into a single patch since they are all libnet related.

* Added an if statement for the libnet patch, so that the patch is only
applied if it is actually needed. 

* Made installing the COMMUNITY rule set optional with the 'community-rules'
USE flag. This should be used solely for a user's initial install! 

Portage is NOT the correct tool to manage snort rules, because...

1. The tarball for the current COMMUNITY rule set is not versioned. The current
tarball is always named "Community-Rules-CURRENT.tar.gz".
2. Users enable/disable rules by commenting/uncommenting the rule files, so
this would mean managing changes using etc-update...not really a good idea
IMHO. 
3. Portage can not handle updating sid-msg.map when new rules are added.

Oinkmaster is the standard tool a user should use for managing their rulesets. 

* Removed the VRT rules download, because 

1. They are not GPL
2. They require registration and as such would require the user to
pre-download the rules.
3. Again, portage is not the correct tool to manage snort rules.

* Changed the description
1. "lightweight IDS" was not very accurate...

* Added numerous sanity checks to ensure interdependent USE flags are properly
set and unneeded features are disabled by default.

* Hardcoded the following --disable-* and --without-* options
--without-oracle ... I can't test this
--disable-ipfw ... This is for *BSD only
--disable-profile ... This is for developers only
--disable-ppm-test ... This is an undocumented "feature"

* Added install steps for the preproc rules if the 'decoder-preprocessor-rules'
is enabled.

* Added attribute_table.dtd and unicode.map to the config files installed in
/etc/snort

* Disabled include statements for the snort rule files. The default settings are
only for the VRT signature set. If the VRT set is not present then snort will
not start.

* Updated the ending statements to resolve bug #207778 and bring the info
up-to-date


Please remove all snort entries from use.local.desc and use the following
------------------------------

net-analyzer/snort:prelude - Enable Prelude Hybrid IDS support
net-analyzer/snort:stream4udp - Enable UDP session tracking in Stream4
net-analyzer/snort:memory-cleanup - Enable cleanup of Memory at Snort exit
net-analyzer/snort:decoder-preprocessor-rules - Enable rule actions for
decoder and preprocessor events
net-analyzer/snort:targetbased - Enable Target-Based Support in Stream, Frag,
and Rules (adds pthread support implicitly)
net-analyzer/snort:dynamicplugin - Enable Ability to dynamically load
preprocessors, detection engine, and rules lib
net-analyzer/snort:timestats - Enable TimeStats functionality
net-analyzer/snort:ruleperf - Enable rule option performance changes
net-analyzer/snort:ppm - Enable packet/rule performance monitor
net-analyzer/snort:perfprofiling - Enable preprocessor and rule performance
profiling
net-analyzer/snort:linux-smp-stats - Enable statistics reporting through proc
net-analyzer/snort:inline - Use the libipq interface for inline snort
net-analyzer/snort:inline-init-failopen - Enable Fail Open during
initialization for Inline Mode (adds pthread support implicitly)
net-analyzer/snort:flexresp - Flexible Responses on hostile connection attempts
net-analyzer/snort:flexresp2 - NEW Flexible Responses on hostile connection
attempts
net-analyzer/snort:react - Intercept and terminate offending HTTP accesses
net-analyzer/snort:aruba - Enable Aruba output plugin
net-analyzer/snort:gre - Enable GRE and IP in IP encapsulation support
net-analyzer/snort:mpls - Enable MPLS support
net-analyzer/snort:community-rules - Install community ruleset 

The only USE flag that should be enabled by default is 'dynamicplugin'. 
Most options are unneeded by the everyday user and can result in 
undesired results and cause performance issues. Users should have to 
make a conscious decision about what features they enable.
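
The opt-in approach described in comment #3 (every feature explicitly enabled or disabled, a sanity check on interdependent flags, and the libnet patch applied only when needed), as an added example that is not the attached ebuild. It assumes each listed USE flag maps to a configure switch of the same name, that the pthread switch is `--enable-pthread`, and that `inline-init-failopen` requires `inline`; the sample USE strings are constructed.

```shell
#!/bin/sh
# Added example: a model of the opt-in configure logic from comment #3.
# Feature names come from the USE flag list in that comment; mapping each to
# --enable-<flag>/--disable-<flag> is an assumption, not the attached ebuild.
FEATURES="dynamicplugin stream4udp memory-cleanup decoder-preprocessor-rules
targetbased timestats ruleperf ppm perfprofiling linux-smp-stats inline
inline-init-failopen flexresp flexresp2 react aruba gre mpls"

# has_flag FLAG "USE string": succeeds if FLAG is in the space-separated list.
has_flag() {
    case " $2 " in *" $1 "*) return 0 ;; esac
    return 1
}

# Sanity check for an interdependent flag (assumed rule: the fail-open option
# is described as being "for Inline Mode", so it needs inline).
check_use() {
    if has_flag inline-init-failopen "$1" && ! has_flag inline "$1"; then
        echo "inline-init-failopen requires inline" >&2
        return 1
    fi
}

# Emit one explicit switch per feature, so nothing is left to upstream defaults.
configure_args() {
    check_use "$1" || return 1
    # Hardcoded switches listed in comment #3.
    args="--without-oracle --disable-ipfw --disable-profile --disable-ppm-test"
    for f in $FEATURES; do
        if has_flag "$f" "$1"; then args="$args --enable-$f"
        else args="$args --disable-$f"; fi
    done
    # targetbased and inline-init-failopen add pthread support implicitly.
    if has_flag targetbased "$1" || has_flag inline-init-failopen "$1"; then
        args="$args --enable-pthread"   # switch name is an assumption
    else
        args="$args --disable-pthread"
    fi
    echo "$args"
}

# The combined libnet patch is only needed for flexresp, react and inline.
needs_libnet_patch() {
    has_flag flexresp "$1" || has_flag react "$1" || has_flag inline "$1"
}

configure_args "dynamicplugin targetbased"   # constructed sample USE string
```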

------- Comment #4 From Jason Wallace 2008-11-05 21:17:30 0000 -------
Created an attachment (id=170848)
snort-2.8.3.1.ebuild

Just noticed that flag-o-matic was in inherit. Not sure why but it is not
needed so I removed it.

------- Comment #5 From Jason Wallace 2008-11-05 22:01:16 0000 -------
Created an attachment (id=170851)
snort-2.8.3.1.ebuild

Sorry, minor fix for the preproc_rules installation into
/etc/snort/preproc_rules

------- Comment #6 From Antixrict 2008-11-18 23:17:26 0000 -------
Created an attachment (id=172325)
snortsam patch

snortsam 2.8.3 patch for snort

------- Comment #7 From Antixrict 2008-11-18 23:36:25 0000 -------
Created an attachment (id=172329)
snort-2.8.3.1 + snortsam

add in ebuild snortsam patch.

------- Comment #8 From Jason Wallace 2008-11-20 23:04:57 0000 -------
(In reply to comment #7)
> Created an attachment (id=172329)
> snort-2.8.3.1 + snortsam
> 
> add in ebuild snortsam patch.
> 

excellent...thx!

------- Comment #9 From Marcelo Goes 2008-11-23 15:30:33 0000 -------
Hi guys!

Added in cvs for testing. It is currently in package.mask.

Thanks!

------- Comment #10 From Randy Tupas 2008-12-30 22:25:18 0000 -------
(In reply to comment #9)
> Hi guys!
> 
> Added in cvs for testing. It is currently in package.mask.
> 
> Thanks!
> 
I use an AMD64x2 multilib environment:  When attempting to emerge (USE=inline),
I receive the following error:

/usr/lib/gcc/x86_64-pc-linux-gnu/4.1.2/../../../../x86_64-pc-linux-gnu/bin/ld:
.libs/bmh.o: relocation R_X86_64_32 against `a local symbol' can not be used
when making a shared object; recompile with -fPIC
.libs/bmh.o: could not read symbols: Bad value
collect2: ld returned 1 exit status

------- Comment #11 From Tobias Scherbaum 2008-12-31 10:09:56 0000 -------
(In reply to comment #9)
> Hi guys!
> 
> Added in cvs for testing. It is currently in package.mask.
> 
> Thanks!
> 

tobias@homer ~/cvs/gentoo-x86/net-analyzer/snort $ repoman full

RepoMan scours the neighborhood...
  IUSE.invalid                  11
   net-analyzer/snort/snort-2.8.3.1.ebuild: pthreads
   net-analyzer/snort/snort-2.8.3.1.ebuild: stream4udp
   net-analyzer/snort/snort-2.8.3.1.ebuild: memory-cleanup
   net-analyzer/snort/snort-2.8.3.1.ebuild: decoder-preprocessor-rules
   net-analyzer/snort/snort-2.8.3.1.ebuild: targetbased
   net-analyzer/snort/snort-2.8.3.1.ebuild: ruleperf
   net-analyzer/snort/snort-2.8.3.1.ebuild: ppm
   net-analyzer/snort/snort-2.8.3.1.ebuild: inline-init-failopen
   net-analyzer/snort/snort-2.8.3.1.ebuild: aruba
   net-analyzer/snort/snort-2.8.3.1.ebuild: mpls
   net-analyzer/snort/snort-2.8.3.1.ebuild: community-rules
  RDEPEND.suspect               4
   net-analyzer/snort/snort-2.6.1.3-r1.ebuild: '>=sys-devel/libtool-1.4'
   net-analyzer/snort/snort-2.6.1.4.ebuild: '>=sys-devel/libtool-1.4'
   net-analyzer/snort/snort-2.7.0.1.ebuild: '>=sys-devel/libtool-1.4'
   net-analyzer/snort/snort-2.8.3.1.ebuild: '>=sys-devel/libtool-1.4'
  upstream.workaround           4
   net-analyzer/snort/snort-2.6.1.3-r1.ebuild: Upstream parallel compilation
bug (ebuild calls emake -j1 on line: 116)
   net-analyzer/snort/snort-2.6.1.4.ebuild: Upstream parallel compilation bug
(ebuild calls emake -j1 on line: 117)
   net-analyzer/snort/snort-2.7.0.1.ebuild: Upstream parallel compilation bug
(ebuild calls emake -j1 on line: 116)
   net-analyzer/snort/snort-2.8.3.1.ebuild: Upstream parallel compilation bug
(ebuild calls emake -j1 on line: 201)
  ebuild.minorsyn               52
   net-analyzer/snort/snort-2.8.3.1.ebuild: Ebuild contains leading spaces on
line: 25
   net-analyzer/snort/snort-2.8.3.1.ebuild: Ebuild contains leading spaces on
line: 28
   net-analyzer/snort/snort-2.8.3.1.ebuild: Ebuild contains leading spaces on
line: 29
   net-analyzer/snort/snort-2.8.3.1.ebuild: Ebuild contains leading spaces on
line: 30
   net-analyzer/snort/snort-2.8.3.1.ebuild: Ebuild contains leading spaces on
line: 68
   net-analyzer/snort/snort-2.8.3.1.ebuild: Ebuild contains leading spaces on
line: 69
   net-analyzer/snort/snort-2.8.3.1.ebuild: Ebuild contains leading spaces on
line: 71
   net-analyzer/snort/snort-2.8.3.1.ebuild: Ebuild contains leading spaces on
line: 72
   net-analyzer/snort/snort-2.8.3.1.ebuild: Ebuild contains leading spaces on
line: 73
   net-analyzer/snort/snort-2.8.3.1.ebuild: Ebuild contains leading spaces on
line: 74
   net-analyzer/snort/snort-2.8.3.1.ebuild: Ebuild contains leading spaces on
line: 78
   net-analyzer/snort/snort-2.8.3.1.ebuild: Ebuild contains leading spaces on
line: 80
   net-analyzer/snort/snort-2.8.3.1.ebuild: Ebuild contains leading spaces on
line: 81
   net-analyzer/snort/snort-2.8.3.1.ebuild: Ebuild contains leading spaces on
line: 83
   net-analyzer/snort/snort-2.8.3.1.ebuild: Ebuild contains leading spaces on
line: 84
   net-analyzer/snort/snort-2.8.3.1.ebuild: Ebuild contains leading spaces on
line: 85
   net-analyzer/snort/snort-2.8.3.1.ebuild: Ebuild contains leading spaces on
line: 86
   net-analyzer/snort/snort-2.8.3.1.ebuild: Ebuild contains leading spaces on
line: 90
   net-analyzer/snort/snort-2.8.3.1.ebuild: Ebuild contains leading spaces on
line: 114
   net-analyzer/snort/snort-2.8.3.1.ebuild: Ebuild contains leading spaces on
line: 147
   net-analyzer/snort/snort-2.8.3.1.ebuild: Ebuild contains leading spaces on
line: 149
   net-analyzer/snort/snort-2.8.3.1.ebuild: Ebuild contains leading spaces on
line: 150
   net-analyzer/snort/snort-2.8.3.1.ebuild: Ebuild contains leading spaces on
line: 151
   net-analyzer/snort/snort-2.8.3.1.ebuild: Ebuild contains leading spaces on
line: 152
   net-analyzer/snort/snort-2.8.3.1.ebuild: Ebuild contains leading spaces on
line: 153
   net-analyzer/snort/snort-2.8.3.1.ebuild: Ebuild contains leading spaces on
line: 156
   net-analyzer/snort/snort-2.8.3.1.ebuild: Ebuild contains leading spaces on
line: 160
   net-analyzer/snort/snort-2.8.3.1.ebuild: Ebuild contains leading spaces on
line: 161
   net-analyzer/snort/snort-2.8.3.1.ebuild: Ebuild contains leading spaces on
line: 162
   net-analyzer/snort/snort-2.8.3.1.ebuild: Ebuild contains leading spaces on
line: 165
   net-analyzer/snort/snort-2.8.3.1.ebuild: Ebuild contains leading spaces on
line: 174
   net-analyzer/snort/snort-2.8.3.1.ebuild: Ebuild contains leading spaces on
line: 175
   net-analyzer/snort/snort-2.8.3.1.ebuild: Ebuild contains leading spaces on
line: 176
   net-analyzer/snort/snort-2.8.3.1.ebuild: Ebuild contains leading spaces on
line: 177
   net-analyzer/snort/snort-2.8.3.1.ebuild: Ebuild contains leading spaces on
line: 182
   net-analyzer/snort/snort-2.8.3.1.ebuild: Ebuild contains leading spaces on
line: 183
   net-analyzer/snort/snort-2.8.3.1.ebuild: Ebuild contains leading spaces on
line: 184
   net-analyzer/snort/snort-2.8.3.1.ebuild: Ebuild contains leading spaces on
line: 185
   net-analyzer/snort/snort-2.8.3.1.ebuild: Ebuild contains leading spaces on
line: 188
   net-analyzer/snort/snort-2.8.3.1.ebuild: Ebuild contains leading spaces on
line: 189
   net-analyzer/snort/snort-2.8.3.1.ebuild: Ebuild contains leading spaces on
line: 190
   net-analyzer/snort/snort-2.8.3.1.ebuild: Ebuild contains leading spaces on
line: 191
   net-analyzer/snort/snort-2.8.3.1.ebuild: Ebuild contains leading spaces on
line: 192
   net-analyzer/snort/snort-2.8.3.1.ebuild: Ebuild contains leading spaces on
line: 193
   net-analyzer/snort/snort-2.8.3.1.ebuild: Ebuild contains leading spaces on
line: 194
   net-analyzer/snort/snort-2.8.3.1.ebuild: Ebuild contains leading spaces on
line: 195
   net-analyzer/snort/snort-2.8.3.1.ebuild: Ebuild contains leading spaces on
line: 196
   net-analyzer/snort/snort-2.8.3.1.ebuild: Ebuild contains leading spaces on
line: 197
   net-analyzer/snort/snort-2.8.3.1.ebuild: Ebuild contains leading spaces on
line: 230
   net-analyzer/snort/snort-2.8.3.1.ebuild: Ebuild contains leading spaces on
line: 286
   net-analyzer/snort/snort-2.8.3.1.ebuild: Ebuild contains leading spaces on
line: 287
   net-analyzer/snort/snort-2.8.3.1.ebuild: Ebuild contains leading spaces on
line: 288
  KEYWORDS.dropped              2
   net-analyzer/snort/snort-2.7.0.1.ebuild: sparc
   net-analyzer/snort/snort-2.8.3.1.ebuild: sparc
Note: use --without-mask to check KEYWORDS on dependencies of masked packages
Note: use --include-dev (-d) to check dependencies for 'dev' profiles
Please fix these important QA issues first.
RepoMan sez: "Make your QA payment on time and you'll never see the likes of
me."



so, yeah ... at least it's p.masked. *sigh*

I did fix mostly all of these repoman warnings (as requested by Mr_Bones_) and
also switched the pthreads use-flag to just threads. Plus I described the local
use-flags in metadata.xml, I used some standard phrasing - it's *your* job to
look up the use-flag descriptions and make the descriptions a tad more useful
and accurate.

And for the next please use repoman || die. Thanks ...

------- Comment #12 From Maurice Volaski 2009-03-09 18:01:43 0000 -------
It appears that this ebuild, which is now outdated (1), doesn't include the
server stats patch, which is still necessary (2).

(1) http://www.snort.org/dl/snort-2.8.3.2.tar.gz

(2) http://bugs.gentoo.org/show_bug.cgi?id=258487

------- Comment #13 From Jason Wallace 2009-04-15 19:01:06 0000 -------
There is a new ebuild for snort-2.8.4 at the following bug...

#266288

Please close this bug.

------- Comment #14 From Jason Wallace 2009-04-15 19:01:59 0000 -------
(In reply to comment #13)
> There is a new ebuild for snort-2.8.4 at the following bug...
> 
> #266288
> 
> Please close this bug.
> 

bug#266288
