Here's an update to Suricata 7.0.4, based on gonzalo's update
recently posted to ports@.  After discussion with gonzalo@ and
sthen@, I'm adding myself as co-maintainer.

In addition to the version update, this fixes the following issues:

Package README recommends suricata-update, but default config is
overridden to not use suricata-update. Stop overriding default
config, so the way recommended by the package README does not require
modifying suricata.yaml.

Run SUBST_CMD on suricata.yaml.in to fix the ${LOCALSTATEDIR}
remaining in default installed configuration.

suricata-update downloads to /var/lib/suricata instead of
/var/suricata by default, despite the local patches.  Not sure yet
how to fix that easily, so updated package README to specify -D
flag so it updates the correct place.  I checked OpenBSD 7.4
(Suricata 6.0.12) and suricata-update also defaulted to
/var/lib/suricata there.

Remove now unnecessary patch for suricata/doc/Makefile.in. Remove
a couple unnecessary files in SUBST_CMD as well.

Fix README to not recommend restarting suricata twice after updating
the rules with suricata-update (once in the suricata-update section
and once in the "After updating rules" section).

Index: Makefile
===================================================================
RCS file: /cvs/ports/security/suricata/Makefile,v
retrieving revision 1.67
diff -u -p -r1.67 Makefile
--- Makefile    23 Mar 2024 13:26:40 -0000      1.67
+++ Makefile    25 Mar 2024 20:09:24 -0000
@@ -3,9 +3,8 @@ NOT_FOR_ARCHS = powerpc64 riscv64
 
 COMMENT =      high performance network IDS, IPS and security monitoring
 
-SURICATA_V =   7.0.3
-SUPDATE_V =    1.2.8
-REVISION =     1
+SURICATA_V =   7.0.4
+SUPDATE_V =    1.3.2
 
 DISTNAME =     suricata-${SURICATA_V}
 CATEGORIES =   security
@@ -13,7 +12,8 @@ SHARED_LIBS +=        htp                      
 
 HOMEPAGE =     https://suricata.io/
 
-MAINTAINER =   Gonzalo L. R. <gonz...@openbsd.org>
+MAINTAINER =   Gonzalo L. R. <gonz...@openbsd.org>, \
+               Jeremy Evans <jer...@openbsd.org>
 
 # GPLv2
 PERMIT_PACKAGE=        Yes
@@ -68,8 +68,7 @@ SUBST_VARS =          SURICATA_V SUPDATE_V
 
 pre-configure:
        ${SUBST_CMD} ${WRKSRC}/configure \
-               ${WRKSRC}/doc/userguide/Makefile.in \
-               ${WRKSRC}/suricata-update/doc/Makefile \
+               ${WRKSRC}/suricata.yaml.in \
                ${WRKSRC}/suricata-update/suricata/update/config.py \
                ${WRKSRC}/suricata-update/suricata/update/parsers.py
        # prevent generating revision.py
Index: distinfo
===================================================================
RCS file: /cvs/ports/security/suricata/distinfo,v
retrieving revision 1.22
diff -u -p -r1.22 distinfo
--- distinfo    22 Feb 2024 09:49:35 -0000      1.22
+++ distinfo    25 Mar 2024 20:09:24 -0000
@@ -1,2 +1,2 @@
-SHA256 (suricata-7.0.3.tar.gz) = 6gdC16mHg/GvSldmGvYGi8LYUKw+ygSzIE0ozhZeNf8=
-SIZE (suricata-7.0.3.tar.gz) = 23599903
+SHA256 (suricata-7.0.4.tar.gz) = ZABgEgAkvnDb6B9uxu/HLkYlD8s2IZ3/Z+ZBciD/Ibc=
+SIZE (suricata-7.0.4.tar.gz) = 23610769
Index: patches/patch-doc_userguide_Makefile_in
===================================================================
RCS file: patches/patch-doc_userguide_Makefile_in
diff -N patches/patch-doc_userguide_Makefile_in
--- patches/patch-doc_userguide_Makefile_in     16 Nov 2023 18:15:37 -0000      
1.7
+++ /dev/null   1 Jan 1970 00:00:00 -0000
@@ -1,8 +0,0 @@
-Index: doc/userguide/Makefile.in
---- doc/userguide/Makefile.in.orig
-+++ doc/userguide/Makefile.in
-@@ -1,3 +1,4 @@
-+
- # Makefile.in generated by automake 1.16.5 from Makefile.am.
- # @configure_input@
- 
Index: patches/patch-src_suricata_c
===================================================================
RCS file: /cvs/ports/security/suricata/patches/patch-src_suricata_c,v
retrieving revision 1.14
diff -u -p -r1.14 patch-src_suricata_c
--- patches/patch-src_suricata_c        18 Mar 2024 17:46:37 -0000      1.14
+++ patches/patch-src_suricata_c        25 Mar 2024 20:09:24 -0000
@@ -4,7 +4,7 @@ Suricata uses libcap-ng on Linux and run
 Index: src/suricata.c
 --- src/suricata.c.orig
 +++ src/suricata.c
-@@ -1600,7 +1600,7 @@ static TmEcode ParseCommandLine(int argc, char** argv,
+@@ -1597,7 +1597,7 @@ static TmEcode ParseCommandLine(int argc, char** argv,
                  return TM_ECODE_FAILED;
  #endif /* UNITTESTS */
              } else if (strcmp((long_opts[option_index]).name, "user") == 0) {
@@ -13,7 +13,7 @@ Index: src/suricata.c
                  SCLogError("libcap-ng is required to"
                             " drop privileges, but it was not compiled into 
Suricata.");
                  return TM_ECODE_FAILED;
-@@ -1609,7 +1609,7 @@ static TmEcode ParseCommandLine(int argc, char** argv,
+@@ -1606,7 +1606,7 @@ static TmEcode ParseCommandLine(int argc, char** argv,
                  suri->do_setuid = TRUE;
  #endif /* HAVE_LIBCAP_NG */
              } else if (strcmp((long_opts[option_index]).name, "group") == 0) {
@@ -22,10 +22,10 @@ Index: src/suricata.c
                  SCLogError("libcap-ng is required to"
                             " drop privileges, but it was not compiled into 
Suricata.");
                  return TM_ECODE_FAILED;
-@@ -3036,6 +3036,7 @@ int SuricataMain(int argc, char **argv)
-     SystemHugepageSnapshotDestroy(prerun_snap);
-     SystemHugepageSnapshotDestroy(postrun_snap);
- 
+@@ -3040,6 +3040,7 @@ int SuricataMain(int argc, char **argv)
+         SystemHugepageSnapshotDestroy(prerun_snap);
+         SystemHugepageSnapshotDestroy(postrun_snap);
+     }
 +    SCSetUserID(suricata.userid, suricata.groupid);
      SCPledge();
      SuricataMainLoop(&suricata);
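Review bot: The privilege drop `SCSetUserID(suricata.userid, suricata.groupid);` in the last hunk is a bare call, so nothing visible here stops startup if changing uid/gid fails before `SCPledge()` and `SuricataMainLoop()` run. SCSetUserID is defined outside this page; if it returns a status, check it and return a failure code from SuricataMain, and if it already aborts on failure, say so in a short comment such as `/* SCSetUserID() does not return on failure */`. Keeping the call below the new closing `}` looks right, since that appears to leave the drop outside the hugepage-snapshot block and therefore unconditional. SuricataMain starts and ends outside the hunk.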
Index: patches/patch-suricata_yaml_in
===================================================================
RCS file: /cvs/ports/security/suricata/patches/patch-suricata_yaml_in,v
retrieving revision 1.20
diff -u -p -r1.20 patch-suricata_yaml_in
--- patches/patch-suricata_yaml_in      22 Feb 2024 09:49:35 -0000      1.20
+++ patches/patch-suricata_yaml_in      25 Mar 2024 20:09:24 -0000
@@ -103,7 +103,7 @@ Index: suricata.yaml.in
  
  # Daemon working directory
  # Suricata will change directory to this one if provided
-@@ -2143,14 +2152,38 @@ napatech:
+@@ -2143,14 +2152,36 @@ napatech:
      #
      hashmode: hash5tuplesorted
  
@@ -114,34 +114,32 @@ Index: suricata.yaml.in
  ##
  ## Configure Suricata to load Suricata-Update managed rules.
  ##
-+#default-rule-path: ${LOCALSTATEDIR}/suricata/rules
-+#rule-files:
-+#  - suricata.rules
- 
+-
 -default-rule-path: @e_defaultruledir@
 -
++default-rule-path: ${LOCALSTATEDIR}/suricata/rules
+ rule-files:
+   - suricata.rules
++
 +##
 +## Configure Suricata to use basic bundled rules.
 +##
-+default-rule-path: @e_sysconfdir@rules
- rule-files:
--  - suricata.rules
-+  - app-layer-events.rules
-+  - decoder-events.rules
-+  - dhcp-events.rules
-+  - dnp3-events.rules
-+  - dns-events.rules
-+  - files.rules
-+  - http-events.rules
-+  - ipsec-events.rules
-+  - kerberos-events.rules
-+  - modbus-events.rules
-+  - nfs-events.rules
-+  - ntp-events.rules
-+  - smb-events.rules
-+  - smtp-events.rules
-+  - stream-events.rules
-+  - tls-events.rules
++#default-rule-path: @e_sysconfdir@rules
++#rule-files:
++#  - app-layer-events.rules
++#  - decoder-events.rules
++#  - dhcp-events.rules
++#  - dns-events.rules
++#  - files.rules
++#  - http-events.rules
++#  - ipsec-events.rules
++#  - kerberos-events.rules
++#  - nfs-events.rules
++#  - ntp-events.rules
++#  - smb-events.rules
++#  - smtp-events.rules
++#  - stream-events.rules
++#  - tls-events.rules
  
  ##
  ## Auxiliary configuration files.
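Review bot: The commented-out bundled list no longer contains `dnp3-events.rules` and `modbus-events.rules`, which the previous version of this patch listed, and the commit message does not mention dropping them; if that is unintentional, restore `#  - dnp3-events.rules` and `#  - modbus-events.rules` so that anyone uncommenting the section keeps those event rules. Separately, the active default is now `${LOCALSTATEDIR}/suricata/rules` with only `suricata.rules`, a file that presumably does not exist until suricata-update has been run. A fresh install started before that step would likely run without signatures, so a comment above `default-rule-path` such as `## Run suricata-update before starting Suricata, or no rules are loaded.` would make the dependency visible.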
Index: pkg/README
===================================================================
RCS file: /cvs/ports/security/suricata/pkg/README,v
retrieving revision 1.11
diff -u -p -r1.11 README
--- pkg/README  17 Dec 2023 15:29:06 -0000      1.11
+++ pkg/README  25 Mar 2024 20:09:24 -0000
@@ -23,18 +23,10 @@ and quicker to use one of the available 
 suricata-update
 ---------------
 suricata-update is the recommended way to install and update rules.
-By default it will download the new rules into ${LOCALSTATEDIR}/suricata/rules
+Run it with the -D flag to download the rules to the directory
+suricata expects (${LOCALSTATEDIR}/suricata/rules):
 
-Edit ${SYSCONFDIR}/suricata/suricata.yaml and replace the existing
-default-rule-path and rule-files sections with this:
-
-    default-rule-path: ${LOCALSTATEDIR}/suricata/rules/
-    rule-files:
-      - suricata.rules
-
-And restart Suricata:
-
-# rcctl restart suricata
+# suricata-update -D ${LOCALSTATEDIR}/suricata
 
 Oinkmaster
 ----------
@@ -55,6 +47,10 @@ And you can download as follow:
 
 # cd /etc && oinkmaster -C ${SYSCONFDIR}/oinkmaster.conf \
        -o ${SYSCONFDIR}/suricata/rules
+
+Edit ${SYSCONFDIR}/suricata/suricata.yaml, comment out the default
+default-rule-path section and uncomment the commented out
+default-rule-path section.
 
 After updating rules
 --------------------
