|
Lines 14-20
Link Here
|
| 14 |
LICENSE="GPL-2 QPL" |
14 |
LICENSE="GPL-2 QPL" |
| 15 |
SLOT="0" |
15 |
SLOT="0" |
| 16 |
KEYWORDS="~x86" |
16 |
KEYWORDS="~x86" |
| 17 |
IUSE="" |
17 |
IUSE="-sancp" |
| 18 |
|
18 |
|
| 19 |
RDEPEND=" |
19 |
RDEPEND=" |
| 20 |
>=dev-lang/tcl-8.3:0=[-threads] |
20 |
>=dev-lang/tcl-8.3:0=[-threads] |
|
Lines 22-28
Link Here
|
| 22 |
>=net-analyzer/barnyard-0.2.0-r1 |
22 |
>=net-analyzer/barnyard-0.2.0-r1 |
| 23 |
>=net-analyzer/snort-2.4.1-r1 |
23 |
>=net-analyzer/snort-2.4.1-r1 |
| 24 |
dev-ml/pcre-ocaml |
24 |
dev-ml/pcre-ocaml |
| 25 |
net-analyzer/sancp |
25 |
sancp? ( net-analyzer/sancp:0[sguil] ) |
| 26 |
" |
26 |
" |
| 27 |
|
27 |
|
| 28 |
S="${WORKDIR}/sguil-${MY_PV}" |
28 |
S="${WORKDIR}/sguil-${MY_PV}" |
|
Lines 33-59
Link Here
|
| 33 |
} |
33 |
} |
| 34 |
|
34 |
|
| 35 |
src_prepare() { |
35 |
src_prepare() { |
| 36 |
sed -i \ |
36 |
local -a CONFIG_FILES=( |
| 37 |
-e "s:gateway:${HOSTNAME}:" \ |
37 |
sensor/pads_agent.conf |
|
|
38 |
sensor/pcap_agent.conf |
| 39 |
sensor/pcap_agent-sancp.conf |
| 40 |
sensor/sancp_agent.conf |
| 41 |
sensor/snort_agent.conf |
| 42 |
) |
| 43 |
|
| 44 |
sed -i -r \ |
| 45 |
-e "s:^set HOSTNAME.*$:set HOSTNAME ${HOSTNAME}:" \ |
| 38 |
-e 's:/snort_data:/var/lib/sguil:' \ |
46 |
-e 's:/snort_data:/var/lib/sguil:' \ |
|
|
47 |
-e 's:/nsm:/var/lib/sguil:' \ |
| 39 |
-e 's:DAEMON 0:DAEMON 1:' \ |
48 |
-e 's:DAEMON 0:DAEMON 1:' \ |
| 40 |
-e 's:DEBUG 1:DEBUG 0:g' \ |
49 |
-e 's:DEBUG 1:DEBUG 0:g' \ |
| 41 |
sensor/sensor_agent.conf || die |
50 |
"${CONFIG_FILES[@]}" \ |
| 42 |
sed -i \ |
51 |
|| die |
| 43 |
-e 's:/var/run/sensor_agent.pid:/run/sguil-sensor.pid:' \ |
52 |
|
| 44 |
sensor/sensor_agent.tcl || die |
53 |
for CONFIG_FILE in ${CONFIG_FILES[@]}; do |
|
|
54 |
local AGENT_NAME=$(basename "${CONFIG_FILE//.conf/}") |
| 55 |
echo -e "\nset PID_FILE /run/sguil/${AGENT_NAME}.pid\n" \ |
| 56 |
>> "${CONFIG_FILE}" |
| 57 |
done |
| 45 |
} |
58 |
} |
| 46 |
|
59 |
|
| 47 |
src_install() { |
60 |
src_install() { |
| 48 |
dodoc doc/* |
61 |
dodoc doc/* |
| 49 |
|
62 |
|
| 50 |
dobin sensor/sensor_agent.tcl |
63 |
dobin sensor/sensor_agent.tcl |
|
|
64 |
dobin sensor/pads_agent.tcl |
| 65 |
dobin sensor/snort_agent.tcl |
| 51 |
|
66 |
|
| 52 |
newinitd "${FILESDIR}/log_packets.initd" log_packets |
67 |
newinitd "${FILESDIR}/log_packets.initd" log_packets |
| 53 |
newinitd "${FILESDIR}/sensor_agent.initd" sensor_agent |
68 |
newinitd "${FILESDIR}/pads_agent.initd" pads_agent |
|
|
69 |
newinitd "${FILESDIR}/pcap_agent.initd" pcap_agent |
| 70 |
newinitd "${FILESDIR}/snort_agent.initd" snort_agent |
| 54 |
newconfd "${FILESDIR}/log_packets.confd" log_packets |
71 |
newconfd "${FILESDIR}/log_packets.confd" log_packets |
|
|
72 |
|
| 55 |
insinto /etc/sguil |
73 |
insinto /etc/sguil |
| 56 |
doins sensor/sensor_agent.conf |
74 |
doins sensor/pads_agent.conf |
|
|
75 |
doins sensor/snort_agent.conf |
| 76 |
|
| 77 |
if use sancp; then |
| 78 |
dodoc sensor/README.sancp_indexed_pcap |
| 79 |
|
| 80 |
dobin sensor/sancp_agent.tcl |
| 81 |
newbin sensor/pcap_agent-sancp.tcl pcap_agent.tcl |
| 82 |
|
| 83 |
newinitd "${FILESDIR}/sancp_agent.initd" sancp_agent |
| 84 |
|
| 85 |
insinto /etc/sguil |
| 86 |
doins sensor/sancp_agent.conf |
| 87 |
doins sensor/sancp-indexed.conf |
| 88 |
newins sensor/pcap_agent-sancp.conf pcap_agent.conf |
| 89 |
else |
| 90 |
dobin sensor/pcap_agent.tcl |
| 91 |
|
| 92 |
insinto /etc/sguil |
| 93 |
fi |
| 57 |
|
94 |
|
| 58 |
# Create the directory structure |
95 |
# Create the directory structure |
| 59 |
diropts -g sguil -o sguil |
96 |
diropts -g sguil -o sguil |
|
Lines 63-81
Link Here
|
| 63 |
"/var/lib/sguil/${HOSTNAME}/ssn_logs" \ |
100 |
"/var/lib/sguil/${HOSTNAME}/ssn_logs" \ |
| 64 |
"/var/lib/sguil/${HOSTNAME}/dailylogs" \ |
101 |
"/var/lib/sguil/${HOSTNAME}/dailylogs" \ |
| 65 |
"/var/lib/sguil/${HOSTNAME}/sancp" |
102 |
"/var/lib/sguil/${HOSTNAME}/sancp" |
| 66 |
|
|
|
| 67 |
} |
103 |
} |
| 68 |
|
104 |
|
| 69 |
pkg_postinst() { |
105 |
pkg_postinst() { |
| 70 |
elog |
106 |
elog |
| 71 |
elog "You should check /etc/sguil/sensor_agent.conf and" |
107 |
elog "You should check the /etc/sguil/*_agent.conf files and" |
| 72 |
elog "/etc/init.d/logpackets and ensure that they are accurate" |
108 |
elog "/etc/conf.d/logpackets and ensure that they are accurate" |
| 73 |
elog "for your environment. They should work providing that you" |
109 |
elog "for your environment. They should work providing that you" |
| 74 |
elog "are running the sensor on the same machine as the server." |
110 |
elog "are running the sensor on the same machine as the server." |
|
|
111 |
elog |
| 75 |
elog "This ebuild assumes that you are running a single sensor" |
112 |
elog "This ebuild assumes that you are running a single sensor" |
| 76 |
elog "environment, if this is not the case then you must make sure" |
113 |
elog "environment, if this is not the case then you must make sure" |
| 77 |
elog "to modify /etc/sguil/sensor_agent.conf and change the HOSTNAME variable." |
114 |
elog "to modify /etc/sguil/*_agent.conf and change the SERVER_HOST variable." |
| 78 |
elog "You should crontab the /etc/init.d/log_packets script to restart" |
115 |
elog |
| 79 |
elog "each hour." |
116 |
elog "If you use openrc as your init, you should crontab the" |
|
|
117 |
elog "/etc/init.d/log_packets script to restart each hour." |
| 80 |
elog |
118 |
elog |
|
|
119 |
elog "As of version 0.9.0 the former sguil_agent has been split up" |
| 120 |
elog "into multiple agents. If you are upgrading, you must review" |
| 121 |
elog "the agent config files in /etc/sguil and enable some or all" |
| 122 |
elog "of the following init scripts / systemd units:" |
| 123 |
elog |
| 124 |
elog "You should read /usr/share/doc/sguil-sensor-${PVR}/INSTALL.bz2" |
| 125 |
elog "to learn about the interaction between the different agents" |
| 126 |
elog "and how to set up a working sguil stack." |
| 127 |
elog |
| 128 |
|
| 81 |
} |
129 |
} |
