Bug 266288 - New Ebuild for net-analyzer/snort-2.8.4
Summary: New Ebuild for net-analyzer/snort-2.8.4
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: New packages
Hardware: All Linux
Importance: High enhancement
Assignee: Patrick Lauer
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2009-04-15 17:48 UTC by Jason Wallace
Modified: 2009-04-18 14:45 UTC

See Also:
Package list:
Runtime testing required: ---


Attachments
snort-2.8.4.ebuild (11.75 KB, text/plain), 2009-04-15 17:51 UTC, Jason Wallace
pcap_memory.patch (563 bytes, patch), 2009-04-15 17:52 UTC, Jason Wallace
snort-2.8.4-libnet.patch (8.83 KB, patch), 2009-04-15 17:52 UTC, Jason Wallace
spo_database_fix.patch (597 bytes, patch), 2009-04-15 17:53 UTC, Jason Wallace
snort.confd (442 bytes, text/plain), 2009-04-15 17:53 UTC, Jason Wallace
snort.rc9 (846 bytes, text/plain), 2009-04-15 17:54 UTC, Jason Wallace
Manifest (1.69 KB, text/plain), 2009-04-15 17:54 UTC, Jason Wallace
metadata.xml (1.49 KB, application/xml), 2009-04-15 17:55 UTC, Jason Wallace
snort-2.8.4-r1.ebuild (12.31 KB, text/plain), 2009-04-17 14:47 UTC, Jason Wallace
metadata.xml (1.43 KB, application/xml), 2009-04-17 14:47 UTC, Jason Wallace
Manifest (1.69 KB, text/plain), 2009-04-17 14:49 UTC, Jason Wallace

Description Jason Wallace 2009-04-15 17:48:03 UTC
PLEASE READ THE FOLLOWING BEFORE POSTING TO THIS BUG!

Please do not post patches for additional functionality not included in the standard snort source code to this bug (snortsam comes to mind). Please, open a separate bug for this. This will help move this ebuild to stable portage for the majority of Gentoo/Snort users.

This ebuild is for the latest stable version of Snort (snort-2.8.4). This build includes the patch for the spo_database bug.

The goal of this bug is to finally get snort-2.6.x (which is no longer supported) removed from portage, close the old 2.6 bugs, and get 2.8.4 added as stable for at least x86 and amd64. 

If you use this ebuild, please post the results of your test to this bug. That will help move this into stable portage for your arch. I have tested this extensively on x86 (hardened and non-hardened). It has also been tested on amd64 by others.


CHANGES
--------------
The major changes included in this ebuild are as follows:

1) The 'community-rules' USE flag has been removed. We are no longer distributing rule files via the snort ebuild. There are a couple of reasons for this change...

   a. Rule files are not versioned, making it impossible to use portage to update them properly. If you do not get the latest rules, snort can break.

   b. Although some of the rules are still useful, the Community Rules are quite old (RELEASED: 2007-04-27) and should only be used to supplement the VRT rule set.

   c. Sourcefire's VRT rule set requires users to register (for free) to download them.

   d. Certain versions of Snort require specific rule set versions (as is the case for 2.8.4) for proper detection and to prevent Snort from breaking. Since the rule tarballs have no version numbers, if you downloaded an older set of rules they will not be downloaded again on your next emerge, which will cause snort to break.

2) The 'ruleperf' USE flag has been removed. The Snort devs have included it in the build by default now.

3) The 'stream4udp' USE flag has been removed. It is no longer a valid compile time option. If you are still using Stream4, you should switch to using Stream5.

4) /etc/init.d/snort and /etc/conf.d/snort have been updated to resolve some bugs with starting and stopping snort. It is important that you update these when you run 'etc-update'.


Reproducible: Always

Steps to Reproduce:

Actual Results:  
I paid the repoman, but he still complains about the emake -j1 on line: 203. I tested without it and can confirm that it is still required.

# repoman full

RepoMan scours the neighborhood...
  ebuild.allmasked              1
   net-analyzer/snort
  upstream.workaround           1
   net-analyzer/snort/snort-2.8.4.ebuild: Upstream parallel compilation bug (ebuild calls emake -j1 on line: 203)

Note: use --without-mask to check KEYWORDS on dependencies of masked packages
Note: use --include-dev (-d) to check dependencies for 'dev' profiles

RepoMan sez: "You're only giving me a partial QA payment?
              I'll take it this time, but I'm not happy."



Full Changelog
---------------

*snort-2.8.4 (15 Apr 2009)

  15 Apr 2009; Jason Wallace <jason.r.wallace@gamil.com>
  snort-2.8.4.ebuild:
  Updated ebuild for snort-2.8.4
  Removed 'ruleperf', 'community-rules', and 'stream4udp' USE flags
  Removed runtime-dep to resolve #221625
  Updated 'flexresp' and 'flexresp2' USE flag logic
  Added correct 'react' USE flag logic
  Update econf section for USE flag changes
  Added dodoc and keepdir for /var/log/snort and set proper owner:group
  Added dodoc for /var/run/snort/ and set proper owner:group to resolve an error where snort reported that it could not remove the PID file
  Updated doins for config files
  Added dodir and keepdir for /etc/snort/rules
  Updated newinitd for new init script
  Added pkg_preinst section to clean up snort.conf.distrib
  Updated sed's to clean up the snort.conf.distrib
  Removed example SO rule from being installed
  Updated pkg_postinst with new info

  +files/snort-2.8.4-libnet.patch:
  Updated libnet patch for new source tarball

  +spo_database_fix.patch
  Patch to fix bug in database output plugin. This was found after the stable tarball was released. The fix will be included in the next release of snort.

  +pcap_memory.patch
  Patch to print the environment variable PCAP_MEMORY when snort starts. Patch has been submitted upstream.

  +files/snort.confd:
  Added PIDPATH to resolve #217937

  +files/snort.rc9:
  Updated start() and stop() to work with new confd file to resolve #217937
  Added sleep 15 to stop() to give snort time to fully shutdown

  +metadata.xml
  Removed ruleperf, community-rules, and stream4udp USE flags


Happy Snorting,
Wally
Comment 1 Jason Wallace 2009-04-15 17:51:17 UTC
Created attachment 188462 [details]
snort-2.8.4.ebuild

snort-2.8.4.ebuild
Comment 2 Jason Wallace 2009-04-15 17:52:06 UTC
Created attachment 188464 [details, diff]
pcap_memory.patch

Patch to print the environment variable PCAP_MEMORY when snort starts. Patch has been submitted upstream.
Comment 3 Jason Wallace 2009-04-15 17:52:40 UTC
Created attachment 188465 [details, diff]
snort-2.8.4-libnet.patch

  Updated libnet patch for new source tarball
Comment 4 Jason Wallace 2009-04-15 17:53:09 UTC
Created attachment 188467 [details, diff]
spo_database_fix.patch

Patch to fix bug in database output plugin. This was found after the stable tarball was released. The fix will be included in the next release of snort.
Comment 5 Jason Wallace 2009-04-15 17:53:40 UTC
Created attachment 188469 [details]
snort.confd

Added PIDPATH to resolve #217937
Comment 6 Jason Wallace 2009-04-15 17:54:02 UTC
Created attachment 188471 [details]
snort.rc9

  Updated start() and stop() to work with new confd file to resolve #217937
  Added sleep 15 to stop() to give snort time to fully shutdown
Comment 7 Jason Wallace 2009-04-15 17:54:55 UTC
Created attachment 188473 [details]
Manifest

New Manifest for USE flag updates
Comment 8 Jason Wallace 2009-04-15 17:55:57 UTC
Created attachment 188474 [details]
metadata.xml

metadata.xml
Comment 9 Jason Wallace 2009-04-15 17:56:41 UTC
Comment on attachment 188474 [details]
metadata.xml

New Manifest for USE flag updates
Comment 10 Jason Wallace 2009-04-15 17:57:29 UTC
Comment on attachment 188473 [details]
Manifest

Manifest is obviously not for USE flag updates. Sorry
Comment 11 Jeremy Wood 2009-04-16 17:25:22 UTC
Using this on a hardened AMD64 box (Stable) and it compiles and runs fine!
Comment 12 bschnzl 2009-04-17 03:26:28 UTC
x86 [stable] box running!

>>> Verifying ebuild manifests

!!! Digest verification failed:
!!! /usr/local/portage/net-analyzer/snort/metadata.xml
!!! Reason: Filesize does not match recorded size
!!! Got: 1529
!!! Expected: 1504

~ # repoman manifest

diff -au ...


--- ./Manifest  2009-04-15 14:31:13.000000000 -0400
+++ /usr/local/portage/net-analyzer/snort/Manifest      2009-04-16 19:15:28.000000000 -0400
@@ -5,5 +5,4 @@
 AUX spo_database_fix.patch 597 RMD160 fdde2eeede5ea32b79fbf16c49419874e37f5a37 SHA1 ab3210b047a253de8a2b83b33a627356ac88281c SHA256 1f76a2aed7839bb49e8ec4652ad41999c54fcba2788b971264e69b7d89bb7acf
 DIST snort-2.8.4.tar.gz 4603710 RMD160 3fae1b0a472a5ae73eea323f312364bc9d7e1e2a SHA1 2e400f34728613f0e285f28dc38a0ae38733ea22 SHA256 ccf182121277730b3c5dab2ddcac15d78e00a092c7741546fc2ed9d54bd3836c
 EBUILD snort-2.8.4.ebuild 12031 RMD160 1f7544e368e1e3223ecfe8915d348f88dc5f7769 SHA1 c250b663530aa0308a51e4d51fb21b58e8d86ee1 SHA256 2f6f2dc4a38013db21335acda1e9920dea9d7035327bcce5c3c226fb19360064
-MISC ChangeLog 26248 RMD160 69c432abdd79799015fc3917df0ba6ee0db60622 SHA1 c591da9993f0a169358b0a64aa78bf3f2eaf96bd SHA256 69ae3c48f9d93eedc70b9b5738c06c31dcece5b7d17b6dced11b4e86edcb10da
-MISC metadata.xml 1504 RMD160 63907b3cbbfe44580cc6c67d8b80e986502e9fb9 SHA1 29fcbd71ae2eca2054d0a3b51bafcf3d03eec2e9 SHA256 dfd82fef805f1812192fea301ec92c4827c9b41302710edd8ad72ef46b6ea4f9
+MISC metadata.xml 1529 RMD160 d6f2c761d4a25ffffabef5ae29f9685c0da3105a SHA1 ba46d78bc2fcd16a31b81461b2827296c2aad8cf SHA256 02ca962eb94ecf9e15f09a5b653b92349e7158acb091dbfd9b3906b500670542
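Review bot: the regenerated Manifest records metadata.xml at 1529 bytes where the old entry had 1504, and it drops the MISC ChangeLog line entirely, so the Manifest attached in comment 7 was generated against a ChangeLog and a metadata.xml that are not the files attached to this bug; that is exactly the "Filesize does not match recorded size" failure shown above. Regenerating with `repoman manifest` in the overlay, as done here, is the right fix, and the attached Manifest should be treated as stale rather than edited by hand.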


Loaded VRT Rules

Listening and logging directly to mysql over the network.  BarnYard in RnD.
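The digest failure above is portage refusing to use a file whose size and hash differ from the Manifest entry. The following is an added example, not portage's or repoman's own code, showing that check for one file: it parses a Manifest line of the form shown in the diff and compares the file's size and SHA256 against it. The scratch overlay, placeholder RMD160/SHA1 fields and metadata.xml content are all constructed here.

```shell
#!/bin/sh
# Constructed example, not portage's own code: check one file against the size
# and SHA256 recorded in a Gentoo Manifest, reproducing the check behind the
# "Filesize does not match recorded size / Got / Expected" failure in comment 12.
# Manifest lines have the form shown in the diff above, e.g.
#   MISC metadata.xml 1504 RMD160 <hex> SHA1 <hex> SHA256 <hex>
# AUX entries name files under files/, so that prefix is added for them.
manifest_verify() {
    local manifest=$1 ftype=$2 fname=$3
    local dir entry path expected_size expected_sha got_size got_sha
    dir=$(dirname "$manifest")
    entry=$(grep -- "^$ftype $fname " "$manifest") || {
        echo "no $ftype entry for $fname"; return 2; }
    expected_size=$(printf '%s\n' "$entry" | awk '{print $3}')
    expected_sha=$(printf '%s\n' "$entry" |
        awk '{for (i = 4; i < NF; i += 2) if ($i == "SHA256") print $(i + 1)}')
    case $ftype in AUX) path="$dir/files/$fname";; *) path="$dir/$fname";; esac
    [ -f "$path" ] || { echo "missing file $path"; return 2; }
    # Size is checked first, which is the mismatch portage reported above.
    got_size=$(wc -c < "$path" | tr -d ' ')
    if [ "$got_size" != "$expected_size" ]; then
        echo "Filesize does not match recorded size: Got $got_size Expected $expected_size"
        return 1
    fi
    got_sha=$(sha256sum "$path" | awk '{print $1}')
    if [ "$got_sha" != "$expected_sha" ]; then
        echo "SHA256 does not match recorded digest for $fname"
        return 1
    fi
    echo OK
}

# Constructed fixture: a scratch overlay directory holding a metadata.xml and a
# Manifest entry generated for it (the RMD160 and SHA1 fields are placeholders,
# since only size and SHA256 are checked here).
make_fixture() {
    local d size sha
    d=$(mktemp -d)
    printf '<pkgmetadata>\n</pkgmetadata>\n' > "$d/metadata.xml"
    size=$(wc -c < "$d/metadata.xml" | tr -d ' ')
    sha=$(sha256sum "$d/metadata.xml" | awk '{print $1}')
    printf 'MISC metadata.xml %s RMD160 placeholder SHA1 placeholder SHA256 %s\n' \
        "$size" "$sha" > "$d/Manifest"
    echo "$d"
}
```

Appending anything to the fixture's metadata.xml after the Manifest is written reproduces the size mismatch seen in this comment.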
Comment 13 Patrick Lauer gentoo-dev 2009-04-17 10:53:42 UTC
Let's see if we can get this into the tree soon :)
Comment 14 Patrick Lauer gentoo-dev 2009-04-17 11:48:15 UTC
Looks quite good so far. I did remove the pic useflag because it caused build failures for me and seems to be the wrong way of doing things.
Comment 15 Patrick Lauer gentoo-dev 2009-04-17 11:51:25 UTC
Trying with more useflags enabled:

x86_64-pc-linux-gnu-gcc -DHAVE_CONFIG_H -I. -I../.. -I../.. -I../../src -I../../src/sfutil -I/usr/include/pcap -I../../src/output-plugins -I../../src/detection-plugins -I../../src/dynamic-plugins -I../../src/preprocessors -I../../src/preprocessors/portscan -I../../src/preprocessors/HttpInspect/include -I../../src/preprocessors/Stream5 -I../../src/target-based  -DENABLE_RESPONSE2 -I/usr/include -fno-strict-aliasing  -O2 -pipe -Wall -DPREPROCESSOR_AND_DECODER_RULE_EVENTS -DSUP_IP6 -DDYNAMIC_PLUGIN -DPPM_MGR -DPERF_PROFILING -DLINUX_SMP -DARUBA -DMPLS -fno-strict-aliasing -c spo_alert_prelude.c                          
spo_alert_prelude.c: In function 'packet_to_data':
spo_alert_prelude.c:415: error: incompatible type for argument 1 of 'sfip_to_str'
spo_alert_prelude.c: In function 'AlertPreludeSetup':
spo_alert_prelude.c:801: warning: passing argument 3 of 'RegisterOutputPlugin' from incompatible pointer type
make[3]: *** [spo_alert_prelude.o] Error 1
make[3]: Leaving directory `/var/tmp/portage/net-analyzer/snort-2.8.4/work/snort-2.8.4/src/output-plugins'
make[2]: *** [all-recursive] Error 1
make[2]: Leaving directory `/var/tmp/portage/net-analyzer/snort-2.8.4/work/snort-2.8.4/src'
make[1]: *** [all-recursive] Error 1
make[1]: Leaving directory `/var/tmp/portage/net-analyzer/snort-2.8.4/work/snort-2.8.4'
make: *** [all] Error 2
 *
 * ERROR: net-analyzer/snort-2.8.4 failed.

[ebuild   R   ] net-analyzer/snort-2.8.4  USE="aruba* decoder-preprocessor-rules* dynamicplugin* flexresp2* ipv6 linux-smp-stats* mpls* perfprofiling* ppm* prelude* -debug -flexresp -gre -inline -inline-init-failopen -memory-cleanup -mysql -odbc -postgres -react (-selinux) -static -targetbased -threads -timestats"
Comment 16 Patrick Lauer gentoo-dev 2009-04-17 12:06:23 UTC
+*snort-2.8.4 (17 Apr 2009)                                                                                                                                 
+                                                                                                                                                           
+  17 Apr 2009; Patrick Lauer <patrick@gentoo.org>                                                                                                          
+  +files/snort-2.8.4-libnet.patch, +files/pcap_memory.patch,                                                                                               
+  files/snort.confd, +files/snort.rc9, +files/spo_database_fix.patch,                                                                                      
+  metadata.xml, +snort-2.8.4.ebuild:                                                                                                                       
+  Bump to 2.8.4. Reworked ebuild thanks to Jason Wallace. Lots of changes,                                                                                 
+  see bug #266288 for details.

So it's in the tree, if there are no further issues I'll unmask it soon.
Comment 17 Jason Wallace 2009-04-17 12:43:26 UTC
I'll report the prelude issue upstream to the snort devs. This looks like an issue with the spo_alert_prelude which is the output plugin for prelude. There have been some recent discussions on the snort-users mailing list about removing all the output plugins from snort except for unified and unified2, so they may decide to fix it or yank spo_alert_prelude in the next release.
Comment 18 Jason Wallace 2009-04-17 13:12:25 UTC
(In reply to comment #17)
> I'll report the prelude issue upstream to the snort devs. This looks like an
> issue with the spo_alert_prelude which is the output plugin for prelude. There
> have been some recent discussions on the snort-users mailing list about
> removing all the output plugins from snort except for unified and unified2, so
> they may decide to fix it or yank spo_alert_prelude in the next release.
> 

Scratch that. After some testing I think this is a USE flag combination issue. Hold off on moving to stable. I'll find the conflict and post a -r1 ebuild in a little bit.

thx for finding this.
Comment 19 Jason Wallace 2009-04-17 14:47:03 UTC
Created attachment 188688 [details]
snort-2.8.4-r1.ebuild


I found the conflict. spo_alert_prelude does not support ipv6. I have added logic to handle this. If both prelude and ipv6 are chosen, ipv6 will be disabled and prelude will be enabled. A warning will be present to the user notifying them of this.

I also removed the pic USE flag until I can look into this.

The repoman has been paid...

# repoman full

RepoMan scours the neighborhood...
  ebuild.allmasked              1
   net-analyzer/snort
  upstream.workaround           1
   net-analyzer/snort/snort-2.8.4-r1.ebuild: Upstream parallel compilation bug (ebuild calls emake -j1 on line: 224)

Note: use --without-mask to check KEYWORDS on dependencies of masked packages
Note: use --include-dev (-d) to check dependencies for 'dev' profiles

RepoMan sez: "You're only giving me a partial QA payment?
              I'll take it this time, but I'm not happy."
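The prelude/ipv6 reconciliation described in comment 19, as an added example that is not the attached snort-2.8.4-r1.ebuild: the conflicting flags are resolved in favour of prelude with a warning, the way it would sit in an ebuild's configure step. The `use`, `use_enable` and `ewarn` shims stand in for the portage helpers so the logic runs outside portage, and the configure switch names (--enable-prelude, --enable-ipv6) are assumed.

```shell
#!/bin/sh
# Constructed example, not the attached snort-2.8.4-r1.ebuild: the prelude/ipv6
# reconciliation described in comment 19, written the way it would sit in an
# ebuild's configure step. `use`, `use_enable` and `ewarn` are minimal stand-ins
# for the portage helpers so the logic runs outside portage; USE comes from the
# environment as it would for emerge. The configure switch names
# (--enable-prelude, --enable-ipv6) are assumed.
use()        { case " $USE " in *" $1 "*) return 0;; *) return 1;; esac; }
use_enable() { if use "$1"; then echo "--enable-$1"; else echo "--disable-$1"; fi; }
ewarn()      { printf ' * %s\n' "$*" >&2; }

# Prints the configure arguments for the two flags; warns and drops ipv6 when
# both are requested, because spo_alert_prelude does not build with IPv6.
snort_prelude_ipv6_conf() {
    if use prelude && use ipv6; then
        ewarn "spo_alert_prelude (the prelude output plugin) does not support IPv6."
        ewarn "USE=prelude wins: building with prelude enabled and IPv6 disabled."
        echo "--enable-prelude --disable-ipv6"
        return 0
    fi
    echo "$(use_enable prelude) $(use_enable ipv6)"
}
```

Run with `USE="prelude ipv6"` in the environment to see the warning on stderr and the resolved switches on stdout.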
Comment 20 Jason Wallace 2009-04-17 14:47:54 UTC
Created attachment 188689 [details]
metadata.xml

New metadata.xml with pic removed
Comment 21 Jason Wallace 2009-04-17 14:49:26 UTC
Created attachment 188691 [details]
Manifest

new Manifest... Not sure if I need to submit this or not when submitting ebuilds...?
Comment 22 Patrick Lauer gentoo-dev 2009-04-18 14:31:45 UTC
(In reply to comment #21)
> Created an attachment (id=188691) [edit]
> Manifest
> 
> new Manifest... Not sure if I need to submit this or not when submitting
> ebuilds...?
> 
No :)
Comment 23 Patrick Lauer gentoo-dev 2009-04-18 14:45:29 UTC
Mask removed, ebuild is now free :)