--- sguil-sensor-0.9.0.ebuild	2016-06-15 00:25:35.778426464 +0200
+++ sguil-sensor-0.9.0-r1.ebuild	2016-06-15 00:26:13.294663271 +0200
@@ -14,7 +14,7 @@
 LICENSE="GPL-2 QPL"
 SLOT="0"
 KEYWORDS="~x86"
-IUSE=""
+IUSE="-sancp"
 
 RDEPEND="
 	>=dev-lang/tcl-8.3:0=[-threads]
@@ -22,7 +22,7 @@
 	>=net-analyzer/barnyard-0.2.0-r1
 	>=net-analyzer/snort-2.4.1-r1
 	dev-ml/pcre-ocaml
-	net-analyzer/sancp
+	sancp? ( net-analyzer/sancp:0[sguil] )
 "
 
 S="${WORKDIR}/sguil-${MY_PV}"
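Review bot: `IUSE="-sancp"` carries a leading `-`, which is not the conventional way to declare a default-off flag; entries in IUSE are off unless prefixed with `+`, so `IUSE="sancp"` says the same thing. If the `-` is intended to override a profile default, confirm that the EAPI this ebuild declares accepts that form before relying on it, since the EAPI line is outside this hunk.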
@@ -33,27 +33,64 @@
 }
 
 src_prepare() {
-	sed -i \
-		-e "s:gateway:${HOSTNAME}:" \
+	local -a CONFIG_FILES=(
+		sensor/pads_agent.conf
+		sensor/pcap_agent.conf
+		sensor/pcap_agent-sancp.conf
+		sensor/sancp_agent.conf
+		sensor/snort_agent.conf
+	)
+
+	sed -i -r \
+		-e "s:^set HOSTNAME.*$:set HOSTNAME ${HOSTNAME}:" \
 		-e 's:/snort_data:/var/lib/sguil:' \
+		-e 's:/nsm:/var/lib/sguil:' \
 		-e 's:DAEMON 0:DAEMON 1:' \
 		-e 's:DEBUG 1:DEBUG 0:g' \
-		sensor/sensor_agent.conf || die
-	sed -i \
-		-e 's:/var/run/sensor_agent.pid:/run/sguil-sensor.pid:' \
-		sensor/sensor_agent.tcl || die
+		"${CONFIG_FILES[@]}" \
+		|| die
+
+	for CONFIG_FILE in ${CONFIG_FILES[@]}; do
+		local AGENT_NAME=$(basename "${CONFIG_FILE//.conf/}")
+		echo -e "\nset PID_FILE /run/sguil/${AGENT_NAME}.pid\n" \
+			>> "${CONFIG_FILE}"
+	done
 }
 
 src_install() {
 	dodoc doc/*
 	dobin sensor/sensor_agent.tcl
+	dobin sensor/pads_agent.tcl
+	dobin sensor/snort_agent.tcl
 	newinitd "${FILESDIR}/log_packets.initd" log_packets
-	newinitd "${FILESDIR}/sensor_agent.initd" sensor_agent
+	newinitd "${FILESDIR}/pads_agent.initd" pads_agent
+	newinitd "${FILESDIR}/pcap_agent.initd" pcap_agent
+	newinitd "${FILESDIR}/snort_agent.initd" snort_agent
 	newconfd "${FILESDIR}/log_packets.confd" log_packets
+
 	insinto /etc/sguil
-	doins sensor/sensor_agent.conf
+	doins sensor/pads_agent.conf
+	doins sensor/snort_agent.conf
+
+	if use sancp; then
+		dodoc sensor/README.sancp_indexed_pcap
+
+		dobin sensor/sancp_agent.tcl
+		newbin sensor/pcap_agent-sancp.tcl pcap_agent.tcl
+
+		newinitd "${FILESDIR}/sancp_agent.initd" sancp_agent
+
+		insinto /etc/sguil
+		doins sensor/sancp_agent.conf
+		doins sensor/sancp-indexed.conf
+		newins sensor/pcap_agent-sancp.conf pcap_agent.conf
+	else
+		dobin sensor/pcap_agent.tcl
+
+		insinto /etc/sguil
+	fi
 
 	# Create the directory structure
 	diropts -g sguil -o sguil
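Review bot: The loop header `for CONFIG_FILE in ${CONFIG_FILES[@]}; do` expands the array unquoted, unlike the quoted `"${CONFIG_FILES[@]}"` handed to sed a few lines above; write it `for CONFIG_FILE in "${CONFIG_FILES[@]}"; do` so the two uses agree and an element containing whitespace cannot be split. The rewritten sed expression also interpolates the build host's `${HOSTNAME}` unescaped into the replacement, where a `:` or `&` would silently corrupt every listed config file; a guard such as `[[ ${HOSTNAME} =~ ^[A-Za-z0-9.-]+$ ]] || die "unexpected HOSTNAME"` placed before the sed makes that failure explicit. In src_install the `insinto /etc/sguil` in the `else` branch is followed by no `doins`/`newins`, so it is dead and can be dropped. Note also that for `pcap_agent-sancp.conf` the appended `PID_FILE` becomes `/run/sguil/pcap_agent-sancp.pid` although that file is installed as `pcap_agent.conf`; whether `pcap_agent.initd` expects that name cannot be seen from this hunk and is worth confirming.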
@@ -63,19 +100,30 @@
 		"/var/lib/sguil/${HOSTNAME}/ssn_logs" \
 		"/var/lib/sguil/${HOSTNAME}/dailylogs" \
 		"/var/lib/sguil/${HOSTNAME}/sancp"
-
 }
 
 pkg_postinst() {
 	elog
-	elog "You should check /etc/sguil/sensor_agent.conf and"
-	elog "/etc/init.d/logpackets and ensure that they are accurate"
+	elog "You should check the /etc/sguil/*_agent.conf files and"
+	elog "/etc/conf.d/logpackets and ensure that they are accurate"
 	elog "for your environment. They should work providing that you"
 	elog "are running the sensor on the same machine as the server."
+	elog
 	elog "This ebuild assumes that you are running a single sensor"
 	elog "environment, if this is not the case then you must make sure"
-	elog "to modify /etc/sguil/sensor_agent.conf and change the HOSTNAME variable."
-	elog "You should crontab the /etc/init.d/log_packets script to restart"
-	elog "each hour."
+	elog "to modify /etc/sguil/*_agent.conf and change the SERVER_HOST variable."
+	elog
+	elog "If you use openrc as your init, you should crontab the"
+	elog "/etc/init.d/log_packets script to restart each hour."
 	elog
+	elog "As of version 0.9.0 the former sguil_agent has been split up"
+	elog "into multiple agents. If you are upgrading, you must review"
+	elog "the agent config files in /etc/sguil and enable some or all"
+	elog "of the following init scripts / systemd units:"
+	elog
+	elog "You should read /usr/share/doc/sguil-sensor-${PVR}/INSTALL.bz2"
+	elog "to learn about the interaction between the different agents"
+	elog "and how to set up a working sguil stack."
+	elog
+
 }
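Review bot: The new message ends with `enable some or all of the following init scripts / systemd units:` and then prints only a blank `elog`, so the list the user is told to expect never appears; either add the names that match the `newinitd` calls in src_install (pads_agent, pcap_agent, snort_agent, plus sancp_agent under USE=sancp) or drop the `of the following ... :` clause. The rewritten line also still points at `/etc/conf.d/logpackets`, while `newconfd ... log_packets` installs `/etc/conf.d/log_packets`; change it to `elog "/etc/conf.d/log_packets and ensure that they are accurate"`. No systemd unit files are installed in the visible src_install, so the "systemd units" wording may be carried over from another revision and is worth checking against what the package actually ships.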