PLEASE READ THE FOLLOWING BEFORE POSTING TO THIS BUG!

Please do not post patches for additional functionality not included in the standard snort source code to this bug (snortsam comes to mind). Please open a separate bug for this. This will help move this ebuild to stable portage for the majority of Gentoo/Snort users.

This ebuild is for the latest stable version of Snort (snort-2.8.4). This build includes the patch for the spo_database bug. The goal of this bug is to finally get snort-2.6.x (which is no longer supported) removed from portage, close the old 2.6 bugs, and get 2.8.4 added as stable for at least x86 and amd64.

If you use this ebuild, please post the results of your test to this bug. That will help move this into stable portage for your arch. I have tested this extensively on x86 (hardened and non-hardened). It has also been tested on amd64 by others.

CHANGES
--------------

The major changes included in this ebuild are as follows:

1) The 'community-rules' USE flag has been removed. We are no longer distributing rule files via the snort ebuild. There are a couple of reasons for this change...
   a. Rule files are not versioned, making it impossible to use portage to update them properly. If you do not get the latest rules, snort can break.
   b. Although some of the rules are still useful, the Community Rules are quite old (RELEASED: 2007-04-27) and should only be used to supplement the VRT rule set.
   c. Sourcefire's VRT rule set requires users to register (for free) to download them.
   d. Certain versions of Snort require specific rule set versions (as is the case for 2.8.4) for proper detection and to prevent Snort from breaking. Since the rule tarballs have no version numbers, if you downloaded an older set of rules they will not be downloaded again on your next emerge, which will cause snort to break.
2) The 'ruleperf' USE flag has been removed. The Snort devs have included it in the build by default now.
3) The 'stream4udp' USE flag has been removed. It is no longer a valid compile time option. If you are still using Stream4, you should switch to using Stream5.
4) /etc/init.d/snort and /etc/conf.d/snort have been updated to resolve some bugs with starting and stopping snort. It is important that you update these when you run 'etc-update'.

Reproducible: Always

Steps to Reproduce:

Actual Results:
I paid the repoman, but he still complains about the emake -j1 on line: 203. I tested without it and can confirm that it is still required.

# repoman full
RepoMan scours the neighborhood...
  ebuild.allmasked              1
   net-analyzer/snort
  upstream.workaround           1
   net-analyzer/snort/snort-2.8.4.ebuild: Upstream parallel compilation bug (ebuild calls emake -j1 on line: 203)
Note: use --without-mask to check KEYWORDS on dependencies of masked packages
Note: use --include-dev (-d) to check dependencies for 'dev' profiles
RepoMan sez: "You're only giving me a partial QA payment? I'll take it this time, but I'm not happy."

Full Changelog
---------------

*snort-2.8.4 (15 Apr 2009)

  15 Apr 2009; Jason Wallace <jason.r.wallace@gamil.com> snort-2.8.4.ebuild:
  Updated ebuild for snort-2.8.4
  Removed 'ruleperf', 'community-rules', and 'stream4udp' USE flags
  Removed runtime-dep to resolve #221625
  Updated 'flexresp' and 'flexresp2' USE flag logic
  Added correct 'react' USE flag logic
  Update econf section for USE flag changes
  Added dodoc and keepdir for /var/log/snort and set proper owner:group
  Added dodoc for /var/run/snort/ and set proper owner:group to resolve an error where snort reported that it could not remove the PID file
  Updated doins for config files
  Added dodir and keepdir for /etc/snort/rules
  Updated newinitd for new init script
  Added pkg_preinst section to clean up snort.conf.distrib
  Updated sed's to clean up the snort.conf.distrib
  Removed example SO rule from being installed
  Updated pkg_postinst with new info

  +files/snort-2.8.4-libnet.patch:
  Updated libnet patch for new source tarball

  +spo_database_fix.patch
  Patch to fix bug in database output plugin. This was found after the stable tarball was released. The fix will be included in the next release of snort.

  +pcap_memory.patch
  Patch to print the environment variable PCAP_MEMORY when snort starts. Patch has been submitted upstream.

  +files/snort.confd:
  Added PIDPATH to resolve #217937

  +files/snort.rc9:
  Updated start() and stop() to work with new confd file to resolve #217937
  Added sleep 15 to stop() to give snort time to fully shutdown

  +metadata.xml
  Removed ruleperf, community-rules, and stream4udp USE flags

Happy Snorting,
Wally
Created attachment 188462 [details] snort-2.8.4.ebuild snort-2.8.4.ebuild
Created attachment 188464 [details, diff] pcap_memory.patch Patch to print the environment variable PCAP_MEMORY when snort starts. Patch has been submitted upstream.
Created attachment 188465 [details, diff] snort-2.8.4-libnet.patch Updated libnet patch for new source tarball
Created attachment 188467 [details, diff] spo_database_fix.patch Patch to fix bug in database output plugin. This was found after the stable tarball was released. The fix will be included in the next release of snort.
Created attachment 188469 [details] snort.confd Added PIDPATH to resolve #217937
Created attachment 188471 [details] snort.rc9 Updated start() and stop() to work with new confd file to resolve #217937 Added sleep 15 to stop() to give snort time to fully shutdown
Created attachment 188473 [details] Manifest New Manifest for USE flag updates
Created attachment 188474 [details] metadata.xml metadata.xml
Comment on attachment 188474 [details] metadata.xml New Manifest for USE flag updates
Comment on attachment 188473 [details] Manifest Manifest is obviously not for USE flag updates. Sorry
Using this on a hardened AMD64 box (Stable) and it compiles and runs fine!
x86 [stable] box running! >>> Verifying ebuild manifests !!! Digest verification failed: !!! /usr/local/portage/net-analyzer/snort/metadata.xml !!! Reason: Filesize does not match recorded size !!! Got: 1529 !!! Expected: 1504 ~ # repoman manifest diff -au ... --- ./Manifest 2009-04-15 14:31:13.000000000 -0400 +++ /usr/local/portage/net-analyzer/snort/Manifest 2009-04-16 19:15:28.000000000 -0400 @@ -5,5 +5,4 @@ AUX spo_database_fix.patch 597 RMD160 fdde2eeede5ea32b79fbf16c49419874e37f5a37 SHA1 ab3210b047a253de8a2b83b33a627356ac88281c SHA256 1f76a2aed7839bb49e8ec4652ad41999c54fcba2788b971264e69b7d89bb7acf DIST snort-2.8.4.tar.gz 4603710 RMD160 3fae1b0a472a5ae73eea323f312364bc9d7e1e2a SHA1 2e400f34728613f0e285f28dc38a0ae38733ea22 SHA256 ccf182121277730b3c5dab2ddcac15d78e00a092c7741546fc2ed9d54bd3836c EBUILD snort-2.8.4.ebuild 12031 RMD160 1f7544e368e1e3223ecfe8915d348f88dc5f7769 SHA1 c250b663530aa0308a51e4d51fb21b58e8d86ee1 SHA256 2f6f2dc4a38013db21335acda1e9920dea9d7035327bcce5c3c226fb19360064 -MISC ChangeLog 26248 RMD160 69c432abdd79799015fc3917df0ba6ee0db60622 SHA1 c591da9993f0a169358b0a64aa78bf3f2eaf96bd SHA256 69ae3c48f9d93eedc70b9b5738c06c31dcece5b7d17b6dced11b4e86edcb10da -MISC metadata.xml 1504 RMD160 63907b3cbbfe44580cc6c67d8b80e986502e9fb9 SHA1 29fcbd71ae2eca2054d0a3b51bafcf3d03eec2e9 SHA256 dfd82fef805f1812192fea301ec92c4827c9b41302710edd8ad72ef46b6ea4f9 +MISC metadata.xml 1529 RMD160 d6f2c761d4a25ffffabef5ae29f9685c0da3105a SHA1 ba46d78bc2fcd16a31b81461b2827296c2aad8cf SHA256 02ca962eb94ecf9e15f09a5b653b92349e7158acb091dbfd9b3906b500670542 Loaded VRT Rules Listening and logging directly to mysql over the network. BarnYard in RnD.
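Review bot: the removed `-MISC metadata.xml 1504 ...` entry versus the added `+MISC metadata.xml 1529 ...` entry is exactly the digest failure shown above (Expected: 1504, Got: 1529), so the attached Manifest was generated before the metadata.xml attachment was last edited and would need regenerating with `repoman manifest` after every change to the attached files; since the committer regenerates the Manifest on import anyway, attaching one is unnecessary. The dropped `-MISC ChangeLog ...` line is expected in a local overlay that carries no ChangeLog and is not a problem.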
Let's see if we can get this into the tree soon :)
Looks quite good so far. I did remove the pic useflag because it caused build failures for me and seems to be the wrong way of doing things.
Trying with more useflags enabled:

x86_64-pc-linux-gnu-gcc -DHAVE_CONFIG_H -I. -I../.. -I../.. -I../../src -I../../src/sfutil -I/usr/include/pcap -I../../src/output-plugins -I../../src/detection-plugins -I../../src/dynamic-plugins -I../../src/preprocessors -I../../src/preprocessors/portscan -I../../src/preprocessors/HttpInspect/include -I../../src/preprocessors/Stream5 -I../../src/target-based -DENABLE_RESPONSE2 -I/usr/include -fno-strict-aliasing -O2 -pipe -Wall -DPREPROCESSOR_AND_DECODER_RULE_EVENTS -DSUP_IP6 -DDYNAMIC_PLUGIN -DPPM_MGR -DPERF_PROFILING -DLINUX_SMP -DARUBA -DMPLS -fno-strict-aliasing -c spo_alert_prelude.c
spo_alert_prelude.c: In function 'packet_to_data':
spo_alert_prelude.c:415: error: incompatible type for argument 1 of 'sfip_to_str'
spo_alert_prelude.c: In function 'AlertPreludeSetup':
spo_alert_prelude.c:801: warning: passing argument 3 of 'RegisterOutputPlugin' from incompatible pointer type
make[3]: *** [spo_alert_prelude.o] Error 1
make[3]: Leaving directory `/var/tmp/portage/net-analyzer/snort-2.8.4/work/snort-2.8.4/src/output-plugins'
make[2]: *** [all-recursive] Error 1
make[2]: Leaving directory `/var/tmp/portage/net-analyzer/snort-2.8.4/work/snort-2.8.4/src'
make[1]: *** [all-recursive] Error 1
make[1]: Leaving directory `/var/tmp/portage/net-analyzer/snort-2.8.4/work/snort-2.8.4'
make: *** [all] Error 2
 *
 * ERROR: net-analyzer/snort-2.8.4 failed.

[ebuild   R   ] net-analyzer/snort-2.8.4  USE="aruba* decoder-preprocessor-rules* dynamicplugin* flexresp2* ipv6 linux-smp-stats* mpls* perfprofiling* ppm* prelude* -debug -flexresp -gre -inline -inline-init-failopen -memory-cleanup -mysql -odbc -postgres -react (-selinux) -static -targetbased -threads -timestats"
+*snort-2.8.4 (17 Apr 2009) + + 17 Apr 2009; Patrick Lauer <patrick@gentoo.org> + +files/snort-2.8.4-libnet.patch, +files/pcap_memory.patch, + files/snort.confd, +files/snort.rc9, +files/spo_database_fix.patch, + metadata.xml, +snort-2.8.4.ebuild: + Bump to 2.8.4. Reworked ebuild thanks to Jason Wallace. Lots of changes, + see bug #266288 for details. So it's in the tree, if there are no further issues I'll unmask it soon.
I'll report the prelude issue upstream to the snort devs. This looks like an issue with the spo_alert_prelude which is the output plugin for prelude. There have been some recent discussions on the snort-users mailing list about removing all the output plugins from snort except for unified and unified2, so they may decide to fix it or yank spo_alert_prelude in the next release.
(In reply to comment #17)
> I'll report the prelude issue upstream to the snort devs. This looks like an
> issue with the spo_alert_prelude which is the output plugin for prelude. There
> have been some recent discussions on the snort-users mailing list about
> removing all the output plugins from snort except for unified and unified2, so
> they may decide to fix it or yank spo_alert_prelude in the next release.
>

Scratch that. After some testing I think this is a USE flag combination issue. Hold off on moving to stable. I'll find the conflict and post a -r1 ebuild in a little bit. thx for finding this.
Created attachment 188688 [details] snort-2.8.4-r1.ebuild

I found the conflict. spo_alert_prelude does not support ipv6. I have added logic to handle this. If both prelude and ipv6 are chosen, ipv6 will be disabled and prelude will be enabled. A warning will be present to the user notifying them of this. I also removed the pic USE flag until I can look into this.

The repoman has been paid...

# repoman full
RepoMan scours the neighborhood...
  ebuild.allmasked              1
   net-analyzer/snort
  upstream.workaround           1
   net-analyzer/snort/snort-2.8.4-r1.ebuild: Upstream parallel compilation bug (ebuild calls emake -j1 on line: 224)
Note: use --without-mask to check KEYWORDS on dependencies of masked packages
Note: use --include-dev (-d) to check dependencies for 'dev' profiles
RepoMan sez: "You're only giving me a partial QA payment? I'll take it this time, but I'm not happy."
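The prelude/ipv6 conflict handling described in the comment above, as an added example in plain POSIX sh that is not the -r1 ebuild's own code: snort_use_flags takes the enabled USE flags as one string (the way an ebuild would consult $USE through use()) and prints the econf arguments, dropping ipv6 with a warning when prelude is also set. The function names and the USE-flag-to-configure-option mapping for the other flags are assumptions.

```shell
#!/bin/sh
# Added example, not the -r1 ebuild's own code: resolve the prelude/ipv6
# USE flag conflict before building the econf argument list.

# has_flag FLAG "FLAG LIST": true if FLAG appears in the space-separated list.
has_flag() {
    case " $2 " in
        *" $1 "*) return 0 ;;
        *)        return 1 ;;
    esac
}

# snort_use_flags "USE FLAGS": print the configure arguments for the given
# USE flags (constructed input; a real ebuild would call use()).
# prelude and ipv6 cannot both be built: spo_alert_prelude.c fails to compile
# with --enable-ipv6 (sfip_to_str type error), so prelude wins and ipv6 is
# dropped with a warning on stderr (the ebuild's ewarn equivalent).
snort_use_flags() {
    flags="$1"
    want_prelude=0
    want_ipv6=0
    has_flag prelude "$flags" && want_prelude=1
    has_flag ipv6 "$flags" && want_ipv6=1
    if [ "$want_prelude" -eq 1 ] && [ "$want_ipv6" -eq 1 ]; then
        echo "WARNING: 'prelude' does not support 'ipv6'; building with prelude and without ipv6" >&2
        want_ipv6=0
    fi

    args=""
    [ "$want_prelude" -eq 1 ] && args="$args --enable-prelude"
    [ "$want_ipv6" -eq 1 ] && args="$args --enable-ipv6"
    # Assumed 1:1 mapping for the remaining flags seen in this bug.
    for f in mpls perfprofiling ppm targetbased aruba dynamicplugin; do
        has_flag "$f" "$flags" && args="$args --enable-$f"
    done
    for db in mysql postgres odbc; do
        if has_flag "$db" "$flags"; then
            [ "$db" = postgres ] && db=postgresql
            args="$args --with-$db"
        fi
    done
    printf '%s\n' "${args# }"
}

# Demo: the USE combination from the reported prelude build failure.
snort_use_flags "prelude ipv6 mpls perfprofiling ppm aruba"
```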
Created attachment 188689 [details] metadata.xml New metadata.xml with pic removed
Created attachment 188691 [details] Manifest new Manifest... Not sure if I need to submit this or not when submitting ebuilds...?
(In reply to comment #21) > Created an attachment (id=188691) [edit] > Manifest > > new Manifest... Not sure if I need to submit this or not when submitting > ebuilds...? > No :)
Mask removed, ebuild is now free :)