New Ebuild for snort-2.8.3.1
Created attachment 170845 [details] snort-2.8.3.1.ebuild Rewrite of the snort ebuild
Created attachment 170846 [details, diff] snort-2.8.3.1-libnet.patch libnet patch for flexresp, react, and inline
This is practically a complete rewrite of the snort ebuild. This ebuild is written for the current version of snort (2.8.3.1) and includes USE flags for all current --enable-* and --with-* statements that are relevant for Linux systems.

This ebuild also solves a number of snort bugs...
bug #223217
bug #198205
bug #235033
bug #207778

Sourcefire is not very good at documenting what is and is not enabled by default during ./configure. This is the root cause of some of the problems in bug #198205. I designed the ebuild such that if the user does not specifically enable or require (based on USE settings) a feature, then the feature is disabled. This prevents a number of compile time problems and makes for a faster snort binary, which in turn helps reduce packet loss.

This ebuild is ready for ~x86 testing. I have tested most of the standard options.

Testers needed for:
-------------------
Prelude
inline
ipv6
selinux

Developers needed for
---------------------
other ~arch users
I do not have a 64bit system, so this ebuild has no 64bit build logic.

Changes:
* Combined all the libnet patches for inline, react, and flexresp into a single patch since they are all libnet related.
* Added an if statement for the libnet patch, so that the patch is only applied if it is actually needed.
* Made installing the COMMUNITY rule set optional with the 'community-rules' USE flag. This should be used solely for a user's initial install! Portage is NOT the correct tool to manage snort rules, because...
  1. The tarball for the current COMMUNITY rule set is not versioned. The current tarball is always named "Community-Rules-CURRENT.tar.gz".
  2. Users enable/disable rules by commenting/uncommenting the rule files, so this would mean managing changes using etc-update...not really a good idea IMHO.
  3. Portage can not handle updating sid-msg.map when new rules are added.
  Oinkmaster is the standard tool a user should use for managing their rulesets.
* Removed the VRT rules download, because
  1. They are not GPL
  2. They require registration and as such would require the user to pre-download the rules.
  3. Again, portage is not the correct tool to manage snort rules.
* Changed the description
  1. "lightweight IDS" was not very accurate...
* Added numerous sanity checks to ensure interdependent USE flags are properly set and unneeded features are disabled by default.
* Hardcoded the following --disable-* and --without-* options
  --without-oracle ... I can't test this
  --disable-ipfw ... This is for *BSD only
  --disable-profile ... This is for developers only
  --disable-ppm-test ... This is an undocumented "feature"
* Added install steps for the preproc rules if the 'decoder-preprocessor-rules' is enabled.
* Added attribute_table.dtd and unicode.map to the config files installed in /etc/snort
* Disabled include statements for the snort rule files. The default settings are only for the VRT signature set. If the VRT set is not present then snort will not start.
* Updated the ending statements to resolve bug #207778 and bring the info up-to-date

Please remove all snort entries from use.local.desc and use the following
------------------------------
net-analyzer/snort:prelude - Enable Prelude Hybrid IDS support
net-analyzer/snort:stream4udp - Enable UDP session tracking in Stream4
net-analyzer/snort:memory-cleanup - Enable cleanup of Memory at Snort exit
net-analyzer/snort:decoder-preprocessor-rules - Enable rule actions for decoder and preprocessor events
net-analyzer/snort:targetbased - Enable Target-Based Support in Stream, Frag, and Rules (adds pthread support implicitly)
net-analyzer/snort:dynamicplugin - Enable Ability to dynamically load preprocessors, detection engine, and rules lib
net-analyzer/snort:timestats - Enable TimeStats functionality
net-analyzer/snort:ruleperf - Enable rule option performance changes
net-analyzer/snort:ppm - Enable packet/rule performance monitor
net-analyzer/snort:perfprofiling - Enable preprocessor and rule performance profiling
net-analyzer/snort:linux-smp-stats - Enable statistics reporting through proc
net-analyzer/snort:inline - Use the libipq interface for inline snort
net-analyzer/snort:inline-init-failopen - Enable Fail Open during initialization for Inline Mode (adds pthread support implicitly)
net-analyzer/snort:flexresp - Flexible Responses on hostile connection attempts
net-analyzer/snort:flexresp2 - NEW Flexible Responses on hostile connection attempts
net-analyzer/snort:react - Intercept and terminate offending HTTP accesses
net-analyzer/snort:aruba - Enable Aruba output plugin
net-analyzer/snort:gre - Enable GRE and IP in IP encapsulation support
net-analyzer/snort:mpls - Enable MPLS support
net-analyzer/snort:community-rules - Install community ruleset

The only USE flag that should be enabled by default is 'dynamicplugin'. Most options are unneeded by the everyday user and can result in undesired results and cause performance issues. Users should have to make a conscious decision about what features they enable.
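Added example, not part of the bug report or the attached ebuild: a stand-alone shell model of the "disabled unless explicitly enabled" design and the interdependency checks described in the comment above. The USE_FLAGS variable, the function names, the two check rules and the --enable-* option spellings (taken from the USE flag names) are assumptions; only the four hardcoded options at the end come from the report.

```shell
#!/bin/sh
# Model of the flag handling, not the attached ebuild. USE_FLAGS stands in
# for Portage's USE; use/use_enable mimic the ebuild helpers of that name.
use() { case " ${USE_FLAGS} " in *" $1 "*) return 0 ;; *) return 1 ;; esac; }

# Always emit an explicit --enable-X or --disable-X so that nothing is left
# to upstream's undocumented ./configure defaults.
use_enable() {
    if use "$1"; then echo "--enable-$1"; else echo "--disable-$1"; fi
}

# Interdependency checks. Both rules are assumptions made for this example.
check_flags() {
    if use inline-init-failopen && ! use inline; then
        echo "inline-init-failopen requires inline" >&2; return 1
    fi
    if use flexresp && use flexresp2; then
        echo "flexresp and flexresp2 are mutually exclusive" >&2; return 1
    fi
}

# Runs in a subshell so its variables stay local.
configure_args() (
    check_flags || exit 1
    args=""
    # Option names assumed to match the USE flag names listed in the report.
    for f in dynamicplugin targetbased inline inline-init-failopen \
             flexresp flexresp2 react gre mpls ppm perfprofiling timestats; do
        args="${args}$(use_enable "$f") "
    done
    # Per the flag descriptions, these two add pthread support implicitly.
    if use targetbased || use inline-init-failopen; then
        args="${args}--enable-pthread "
    else
        args="${args}--disable-pthread "
    fi
    # Options the report says are hardcoded off.
    echo "${args}--without-oracle --disable-ipfw --disable-profile --disable-ppm-test"
)

# Demo: the report recommends 'dynamicplugin' as the only default flag.
USE_FLAGS="${USE_FLAGS:-dynamicplugin}"
configure_args
```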
Created attachment 170848 [details] snort-2.8.3.1.ebuild Just noticed that flag-o-matic was in inherit. Not sure why but it is not needed so I removed it.
Created attachment 170851 [details] snort-2.8.3.1.ebuild Sorry, minor fix for the preproc_rules installation into /etc/snort/preproc_rules
Created attachment 172325 [details, diff] snortsam patch snortsam 2.8.3 patch for snort
Created attachment 172329 [details, diff] snort-2.8.3.1 + snortsam add in ebuild snortsam patch.
(In reply to comment #7)
> Created an attachment (id=172329) [edit]
> snort-2.8.3.1 + snortsam
>
> add in ebuild snortsam patch.
>

excellent...thx!
Hi guys! Added in cvs for testing. It is currently in package.mask. Thanks!
(In reply to comment #9)
> Hi guys!
>
> Added in cvs for testing. It is currently in package.mask.
>
> Thanks!
>

I use an AMD64x2 multilib environment:

When attempting to emerge (USE=inline), I receive the following error:

/usr/lib/gcc/x86_64-pc-linux-gnu/4.1.2/../../../../x86_64-pc-linux-gnu/bin/ld: .libs/bmh.o: relocation R_X86_64_32 against `a local symbol' can not be used when making a shared object; recompile with -fPIC
.libs/bmh.o: could not read symbols: Bad value
collect2: ld returned 1 exit status
(In reply to comment #9)
> Hi guys!
>
> Added in cvs for testing. It is currently in package.mask.
>
> Thanks!
>

tobias@homer ~/cvs/gentoo-x86/net-analyzer/snort $ repoman full

RepoMan scours the neighborhood...
IUSE.invalid 11
  net-analyzer/snort/snort-2.8.3.1.ebuild: pthreads
  net-analyzer/snort/snort-2.8.3.1.ebuild: stream4udp
  net-analyzer/snort/snort-2.8.3.1.ebuild: memory-cleanup
  net-analyzer/snort/snort-2.8.3.1.ebuild: decoder-preprocessor-rules
  net-analyzer/snort/snort-2.8.3.1.ebuild: targetbased
  net-analyzer/snort/snort-2.8.3.1.ebuild: ruleperf
  net-analyzer/snort/snort-2.8.3.1.ebuild: ppm
  net-analyzer/snort/snort-2.8.3.1.ebuild: inline-init-failopen
  net-analyzer/snort/snort-2.8.3.1.ebuild: aruba
  net-analyzer/snort/snort-2.8.3.1.ebuild: mpls
  net-analyzer/snort/snort-2.8.3.1.ebuild: community-rules
RDEPEND.suspect 4
  net-analyzer/snort/snort-2.6.1.3-r1.ebuild: '>=sys-devel/libtool-1.4'
  net-analyzer/snort/snort-2.6.1.4.ebuild: '>=sys-devel/libtool-1.4'
  net-analyzer/snort/snort-2.7.0.1.ebuild: '>=sys-devel/libtool-1.4'
  net-analyzer/snort/snort-2.8.3.1.ebuild: '>=sys-devel/libtool-1.4'
upstream.workaround 4
  net-analyzer/snort/snort-2.6.1.3-r1.ebuild: Upstream parallel compilation bug (ebuild calls emake -j1 on line: 116)
  net-analyzer/snort/snort-2.6.1.4.ebuild: Upstream parallel compilation bug (ebuild calls emake -j1 on line: 117)
  net-analyzer/snort/snort-2.7.0.1.ebuild: Upstream parallel compilation bug (ebuild calls emake -j1 on line: 116)
  net-analyzer/snort/snort-2.8.3.1.ebuild: Upstream parallel compilation bug (ebuild calls emake -j1 on line: 201)
ebuild.minorsyn 52
  net-analyzer/snort/snort-2.8.3.1.ebuild: Ebuild contains leading spaces on line: 25
  net-analyzer/snort/snort-2.8.3.1.ebuild: Ebuild contains leading spaces on line: 28
  net-analyzer/snort/snort-2.8.3.1.ebuild: Ebuild contains leading spaces on line: 29
  net-analyzer/snort/snort-2.8.3.1.ebuild: Ebuild contains leading spaces on line: 30
  net-analyzer/snort/snort-2.8.3.1.ebuild: Ebuild contains leading spaces on line: 68
  net-analyzer/snort/snort-2.8.3.1.ebuild: Ebuild contains leading spaces on line: 69
  net-analyzer/snort/snort-2.8.3.1.ebuild: Ebuild contains leading spaces on line: 71
  net-analyzer/snort/snort-2.8.3.1.ebuild: Ebuild contains leading spaces on line: 72
  net-analyzer/snort/snort-2.8.3.1.ebuild: Ebuild contains leading spaces on line: 73
  net-analyzer/snort/snort-2.8.3.1.ebuild: Ebuild contains leading spaces on line: 74
  net-analyzer/snort/snort-2.8.3.1.ebuild: Ebuild contains leading spaces on line: 78
  net-analyzer/snort/snort-2.8.3.1.ebuild: Ebuild contains leading spaces on line: 80
  net-analyzer/snort/snort-2.8.3.1.ebuild: Ebuild contains leading spaces on line: 81
  net-analyzer/snort/snort-2.8.3.1.ebuild: Ebuild contains leading spaces on line: 83
  net-analyzer/snort/snort-2.8.3.1.ebuild: Ebuild contains leading spaces on line: 84
  net-analyzer/snort/snort-2.8.3.1.ebuild: Ebuild contains leading spaces on line: 85
  net-analyzer/snort/snort-2.8.3.1.ebuild: Ebuild contains leading spaces on line: 86
  net-analyzer/snort/snort-2.8.3.1.ebuild: Ebuild contains leading spaces on line: 90
  net-analyzer/snort/snort-2.8.3.1.ebuild: Ebuild contains leading spaces on line: 114
  net-analyzer/snort/snort-2.8.3.1.ebuild: Ebuild contains leading spaces on line: 147
  net-analyzer/snort/snort-2.8.3.1.ebuild: Ebuild contains leading spaces on line: 149
  net-analyzer/snort/snort-2.8.3.1.ebuild: Ebuild contains leading spaces on line: 150
  net-analyzer/snort/snort-2.8.3.1.ebuild: Ebuild contains leading spaces on line: 151
  net-analyzer/snort/snort-2.8.3.1.ebuild: Ebuild contains leading spaces on line: 152
  net-analyzer/snort/snort-2.8.3.1.ebuild: Ebuild contains leading spaces on line: 153
  net-analyzer/snort/snort-2.8.3.1.ebuild: Ebuild contains leading spaces on line: 156
  net-analyzer/snort/snort-2.8.3.1.ebuild: Ebuild contains leading spaces on line: 160
  net-analyzer/snort/snort-2.8.3.1.ebuild: Ebuild contains leading spaces on line: 161
  net-analyzer/snort/snort-2.8.3.1.ebuild: Ebuild contains leading spaces on line: 162
  net-analyzer/snort/snort-2.8.3.1.ebuild: Ebuild contains leading spaces on line: 165
  net-analyzer/snort/snort-2.8.3.1.ebuild: Ebuild contains leading spaces on line: 174
  net-analyzer/snort/snort-2.8.3.1.ebuild: Ebuild contains leading spaces on line: 175
  net-analyzer/snort/snort-2.8.3.1.ebuild: Ebuild contains leading spaces on line: 176
  net-analyzer/snort/snort-2.8.3.1.ebuild: Ebuild contains leading spaces on line: 177
  net-analyzer/snort/snort-2.8.3.1.ebuild: Ebuild contains leading spaces on line: 182
  net-analyzer/snort/snort-2.8.3.1.ebuild: Ebuild contains leading spaces on line: 183
  net-analyzer/snort/snort-2.8.3.1.ebuild: Ebuild contains leading spaces on line: 184
  net-analyzer/snort/snort-2.8.3.1.ebuild: Ebuild contains leading spaces on line: 185
  net-analyzer/snort/snort-2.8.3.1.ebuild: Ebuild contains leading spaces on line: 188
  net-analyzer/snort/snort-2.8.3.1.ebuild: Ebuild contains leading spaces on line: 189
  net-analyzer/snort/snort-2.8.3.1.ebuild: Ebuild contains leading spaces on line: 190
  net-analyzer/snort/snort-2.8.3.1.ebuild: Ebuild contains leading spaces on line: 191
  net-analyzer/snort/snort-2.8.3.1.ebuild: Ebuild contains leading spaces on line: 192
  net-analyzer/snort/snort-2.8.3.1.ebuild: Ebuild contains leading spaces on line: 193
  net-analyzer/snort/snort-2.8.3.1.ebuild: Ebuild contains leading spaces on line: 194
  net-analyzer/snort/snort-2.8.3.1.ebuild: Ebuild contains leading spaces on line: 195
  net-analyzer/snort/snort-2.8.3.1.ebuild: Ebuild contains leading spaces on line: 196
  net-analyzer/snort/snort-2.8.3.1.ebuild: Ebuild contains leading spaces on line: 197
  net-analyzer/snort/snort-2.8.3.1.ebuild: Ebuild contains leading spaces on line: 230
  net-analyzer/snort/snort-2.8.3.1.ebuild: Ebuild contains leading spaces on line: 286
  net-analyzer/snort/snort-2.8.3.1.ebuild: Ebuild contains leading spaces on line: 287
  net-analyzer/snort/snort-2.8.3.1.ebuild: Ebuild contains leading spaces on line: 288
KEYWORDS.dropped 2
  net-analyzer/snort/snort-2.7.0.1.ebuild: sparc
  net-analyzer/snort/snort-2.8.3.1.ebuild: sparc

Note: use --without-mask to check KEYWORDS on dependencies of masked packages
Note: use --include-dev (-d) to check dependencies for 'dev' profiles
Please fix these important QA issues first.
RepoMan sez: "Make your QA payment on time and you'll never see the likes of me."

so, yeah ... at least it's p.masked. *sigh*

I did fix mostly all of these repoman warnings (as requested by Mr_Bones_) and also switched the pthreads use-flag to just threads. Plus I described the local use-flags in metadata.xml, I used some standard phrasing - it's *your* job to look up the use-flag descriptions and make the descriptions a tad more useful and accurate.

And for the next please use repoman || die. Thanks ...
It appears that this ebuild, which is now outdated (1), doesn't include the server stats patch, which is still necessary (2).

(1) http://www.snort.org/dl/snort-2.8.3.2.tar.gz
(2) http://bugs.gentoo.org/show_bug.cgi?id=258487
There is a new ebuild for snort-2.8.4 at the following bug... #266288 Please close this bug.
(In reply to comment #13)
> There is a new ebuild for snort-2.8.4 at the following bug...
>
> #266288
>
> Please close this bug.
>

bug#266288