3 days ago, the prelude team released an rc version of the new prelude software. The new version has many more new features... :) so, I think it's a need. If any information is needed from upstream, you can ping me on irc 'cause I talk to the guys every day :)
tsk tsk you should know better than submitting to bug-wranglers :)
buah :/ sorry.... forgot to change that.... :) anyway, libprelude and libpreludedb -rc2 will be released tonight so if anyone is working on this bug, that should be taken into account. (prewikka is already rc2)
So far I have bumped:
- app-admin/prelude-lml
- app-admin/prelude-manager
- dev-libs/libprelude
TODO:
- Look into other packages in the prelude suite
- prelude flag for Snort
- prelude flag for PAM (will probably open a bug with pam guys)
Created attachment 55047: snort-2.3.2-r1.ebuild.diff
Can people give their opinions on this modification of the snort ebuild? Basically, it should drop current prelude patches, and use the snort version from prelude-ids.org if the USE flag prelude is set.
Added dev-libs/libpreludedb
Prelude suite: net-analyzer/prewikka is an interesting package to complete prelude's suite. All other important packages are in Portage, with the exception of prelude-pflogger. I will add the last if there is enough demand. I think it may also be interesting to create a meta ebuild to pull everything prelude-related, a la nessus.
I agree with that :)
re #6: "I think it may also be interesting to create a meta ebuild to pull everything prelude-related, a la nessus." I'm not sure this would be a wise idea - what'd you put in such a meta ebuild? preludelib, snort, prelude-manager, prelude-lml, prewikka, ...? Every prelude setup I've made so far had different components installed (there are different sensor hosts, manager hosts and manager hosts with web interface). I'm not sure that there is some general setup that most people would use (as there is with nessus). Correct me if I'm wrong...
re #8 Makes sense. Maybe it would be just bloat after all. My current plan is not to do it anymore.
Short note on current prelude-* ebuilds:
* prelude-manager:
  - The "ssl" use flag should be dropped: SSL support is not optional.
  - The "mysql" and "postgresql" use flags should be dropped, these are obsoleted by libpreludedb.
  - A "database" use flag should be added (which should trigger a dependency on libpreludedb).
  - An "xml" use flag should be added (for optional compilation of the xmlmod plugin).
* libprelude:
  - The "pcre" use flag should be dropped. PCRE support has been dropped due to several PCRE bugs when using libpcre from another library.
Please add a new version of prelude-nids as the current ~arch version of prelude-nids (0.8.6) cannot compile against the current ~arch version of libprelude (0.9.0_rc5-r1) on both ~x86 and ~sparc.
prelude-manager: got it fixed, waiting for ~sparc keyword for libpreludedb before committing. libprelude: pcre flag dropped. prelude-nids: couldn't get a recent snapshot, so I changed DEPEND to <dev-libs/libprelude-0.9.0_rc1 for now.
Added the ~sparc keyword to dev-libs/libpreludedb
prelude-manager fixed. Thanks Jason.
Prelude-NIDS is deprecated. Snort is now the 'official' Prelude NIDS sensor. We are currently distributing a Snort tarball including Prelude support on the prelude-ids.org website. Future Snort versions (starting at 2.4.0) will officially include Prelude support.
Then any SPARC box or SPARC64 box running a 32 bit userland will no longer be able to run the network sensor portion of Prelude. Snort has a known runtime crashing issue when being built with gcc in 32 bits on SPARC and SPARC64 architectures that cannot be fixed short of some major reworking of gcc's C compiler. You can view bug #29661 for more information if you like.
The Snort Solaris crash has been known for a long time and is even what resulted in some people switching to Prelude-NIDS (which suffered, at that time, from the same problem - but we were quick to correct it). The problem in question, as I remember it, is an alignment issue in header capture, and AFAICT it is not related to a GCC bug. I'd be interested to read any paper demonstrating this stuff to be a GCC problem. Prelude-NIDS will for sure stay deprecated, and won't be ported to version 0.9 of the framework unless someone volunteers to do it. However, I might take some time to look at that Snort issue (so if you have pointers about this specific Snort issue, don't hesitate to send them to me).
Just finished reading #29661. This definitely is not a GCC issue. Prelude-NIDS used to suffer from the exact same problem. You might want to have a look at https://trac.prelude-ids.org/file/trunk/libprelude/src/include/prelude-extract.h One of the reasons for this code was to be able to align network data in Prelude-NIDS. The unaligned access used as an example in #29661 could, for example, be corrected to use these macros.
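The alignment problem discussed in the comments above, as an added example (not code from libprelude, Snort, or anyone in this thread): header fields are read from a capture buffer byte by byte instead of through a cast pointer, so the access is valid at any address on strict-alignment CPUs such as SPARC. The helper names, the constructed frame and the field selection are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical helpers (not the prelude-extract.h macros): read big-endian
 * fields one byte at a time, so the access is valid at any address. */
static uint16_t rd_be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t rd_be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Fields pulled from an Ethernet + IPv4 frame. */
struct ip_fields { uint16_t total_len; uint32_t src, dst; };

/* Returns 0 on success, -1 if the frame is too short or not IPv4.
 * The IPv4 header begins at offset 14, so a frame buffer that is itself
 * 4-byte aligned puts src (offset 26) and dst (offset 30) on 2-byte
 * boundaries only.  `*(uint32_t *)(frame + 26)` is the unaligned load that
 * traps on SPARC; the byte-wise readers below never issue it. */
int parse_ipv4(const uint8_t *frame, size_t len, struct ip_fields *out)
{
    const size_t eth = 14, ip_min = 20;
    if (len < eth + ip_min) return -1;            /* bounds before any read */
    if (rd_be16(frame + 12) != 0x0800) return -1; /* EtherType: IPv4 */
    const uint8_t *ip = frame + eth;
    if ((ip[0] >> 4) != 4) return -1;             /* IP version nibble */
    out->total_len = rd_be16(ip + 2);
    out->src = rd_be32(ip + 12);
    out->dst = rd_be32(ip + 16);
    return 0;
}

/* Constructed sample frame: zeroed MACs, IPv4, 192.0.2.1 -> 198.51.100.7 */
static const uint8_t sample_frame[34] = {
    0,0,0,0,0,0, 0,0,0,0,0,0, 0x08,0x00,
    0x45,0x00,0x00,0x14, 0,0,0,0, 0x40,0x06,0,0,
    192,0,2,1, 198,51,100,7
};

int main(void)
{
    struct ip_fields f;
    if (parse_ipv4(sample_frame, sizeof sample_frame, &f) != 0) return 1;
    printf("len=%u src=%08x dst=%08x\n", (unsigned)f.total_len, (unsigned)f.src, (unsigned)f.dst);
    return 0;
}
```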
OK, I'll take a look at it, thanks for the info. The INSTALL file from Snort was the one that specifically referenced the problem I mentioned with regards to GCC.
Okies, 0.9.0 made it to the tree, might as well close this bug :-). pam version bump request remains in bug 87577. Please re-open if necessary.