
Bug 155168

Summary: net-analyzer/snort-2.6.0.2.ebuild (Update)
Product: Gentoo Linux
Reporter: Jason Wallace <jason.r.wallace>
Component: New packages
Assignee: Gentoo Netmon project <netmon>
Status: RESOLVED TEST-REQUEST
Severity: enhancement
Priority: High
Version: unspecified
Hardware: All
OS: Linux
Whiteboard:
Package list:
Runtime testing required: ---
Attachments:
snort-2.6.0.2.ebuild
snort-2.6.0-genpatches.tar.bz2
2.6.0-libnet-1.0.patch
snort-2.6.0.2.ebuild
snort-2.6.0.2.ebuild

Description Jason Wallace 2006-11-14 13:50:40 UTC
Please find attached snort-2.6.0.2.ebuild and snort-2.6.0-genpatches.tar.bz2 which contains a new 2.6.0-libnet-1.0.patch.

This ebuild will update snort to the current stable version of 2.6.0.2. The 2.6.0-libnet-1.0.patch file will fix the inline and flexresp problems from

http://bugs.gentoo.org/show_bug.cgi?id=143998

Known Issues:

1. snortsam is broken. I tried all versions currently in portage but all of them cause snort-2.6.0.2 to fail to compile. I think this is a snortsam issue. I'll work on this some more later if I get time.

2. sguil does not work with snort-2.6.0.2. I believe this problem is related to sguil not keeping pace with snort-2.6.x based on this post to the sguil list...

"Both of those patches are optional. The stream4 one has been depreciated for sancp. You can use the sfportscan processor in snort 2.6 for now. I'll put a new spp_portscan patch out for the next Sguil release." -- Bammkkkk

http://article.gmane.org/gmane.comp.security.sguil.general/942

I added a note for people enabling sguil that they should use snort-2.4.5 until sguil catches up. I left the sguil USE flag and only commented out the sguil stuff. Should make it easier to update this ebuild when sguil catches up.

--Wallace
Comment 1 Jason Wallace 2006-11-14 13:52:15 UTC
Created attachment 101949 [details]
snort-2.6.0.2.ebuild
Comment 2 Jason Wallace 2006-11-14 13:52:52 UTC
Created attachment 101950 [details]
snort-2.6.0-genpatches.tar.bz2
Comment 3 Jason Wallace 2006-11-14 13:54:24 UTC
Created attachment 101951 [details, diff]
2.6.0-libnet-1.0.patch


This is the file contained in snort-2.6.0-genpatches.tar.bz2 for anyone that wants to look at it.
Comment 4 Jason Wallace 2006-11-16 10:54:35 UTC
Created attachment 102129 [details]
snort-2.6.0.2.ebuild

Please find attached a new snort-2.6.0.2.ebuild.

Changes:

1. I have fixed the snortsam problem. There was a missing ',' in their snortpatch9 file when patching snort's plugin_enum.h file. Should work for any current versions of snortsam now. I sent a patch to the snortsam folks and I have added some logic to the ebuild to check for the problem and correct it if it is present.

2. Added the following USE flags...

flexresp2
react

use.local.desc should be updated with the following...

net-analyzer/snort:flexresp2 - NEW Flexible Responses on hostile connection attempts (if you don't know what this is don't use it)
net-analyzer/snort:react - Intercept and terminate offending HTTP accesses (if you don't know what this is don't use it)

Also the net-analyzer/snort:flexresp entry should be changed to say..

net-analyzer/snort:flexresp - Flexible Responses on hostile connection attempts (if you don't know what this is don't use it)

3. Added checks to ensure that both the 'flexresp' and 'flexresp2' USE flags are not enabled. If both are enabled it shows a warning and defaults to flexresp2.

4. Changed the check for inline mode to use --with-libipq-includes=/usr/include/libipq at ./configure time instead of using append-flags. ./configure is the right way to do this.

5. Cleaned up the src_compile() section. There were use_with's where there should have been use_enable's.

The only thing I've not tested is selinux and prelude. I don't use either of these.


--Wallace
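
A stand-alone sketch of the flag handling described in changes 3 to 5 of the comment above, added here as an example; it is not the attached ebuild. The function name snort_configure_args is hypothetical, and use / use_enable are minimal stand-ins for the Portage helpers of the same name so the script runs outside Portage.

```shell
#!/bin/sh
# Added example, not code from the attached ebuild.
# USE is a space-separated list of enabled flags (constructed input).

use() {  # stand-in for Portage's use: succeed if flag $1 is in $USE
    case " $USE " in
        *" $1 "*) return 0 ;;
        *) return 1 ;;
    esac
}

use_enable() {  # stand-in for Portage's use_enable: --enable-X or --disable-X
    if use "$1"; then
        echo "--enable-${2:-$1}"
    else
        echo "--disable-${2:-$1}"
    fi
}

# snort_configure_args (hypothetical name): print one ./configure argument
# per line for the flags in $USE; the conflict warning goes to stderr.
snort_configure_args() {
    if use flexresp && use flexresp2; then
        # Change 3: the two response modules are mutually exclusive,
        # so warn and fall back to flexresp2.
        echo "WARNING: flexresp and flexresp2 both enabled, using flexresp2" >&2
        echo "--disable-flexresp"
        echo "--enable-flexresp2"
    else
        use_enable flexresp
        use_enable flexresp2
    fi
    # Change 5: feature switches are --enable-*, not --with-*.
    use_enable react
    if use inline; then
        # Change 4: pass the libipq header path to ./configure
        # rather than appending compiler flags.
        echo "--enable-inline"
        echo "--with-libipq-includes=/usr/include/libipq"
    fi
}

# Constructed demo: both response flags set, plus inline mode.
USE="flexresp flexresp2 inline"
snort_configure_args
```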
Comment 5 Jason Wallace 2006-11-16 11:18:07 UTC
Created attachment 102138 [details]
snort-2.6.0.2.ebuild


Started looking at the other snort bugs and found Bug 150796. The reporter is correct: there is no ssl/openssl usage in snort as of 2003-03-27, so I have removed the ssl USE flag.

--Wallace
Comment 6 Cédric Krier gentoo-dev 2006-11-25 08:40:35 UTC
Version 2.6.1.1 in cvs