Here's an update to Suricata 7.0.4, based on gonzalo's update recently posted to ports@. After discussion with gonzalo@ and sthen@, I'm adding myself as co-maintainer.
In addition to the version update, this fixes the following issues: Package README recommends suricata-update, but default config is overridden to not use suricata-update. Stop overriding default config, so way recommended by package README does not require suricata.yaml modification. Run SUBST_CMD on suricata.yaml.in to fix the ${LOCALSTATEDIR} remaining in default installed configuration. suricata-update downloads to /var/lib/suricata instead of /var/suricata by default, despite the local patches. Not sure yet how to fix that easily, so updated package README to specify -D flag so it updates the correct place. I checked OpenBSD 7.4 (Suricata 6.0.12) and suricata-update also defaulted to /var/lib/suricata there. Remove now unnecessary patch for suricata/doc/Makefile.in. Remove a couple unnecessary files in SUBST_CMD as well. Fix README to not recommend restarting suricata twice after updating the rules with suricata-update (once in the suricata-update section and once in the "After updating rules" section). Index: Makefile =================================================================== RCS file: /cvs/ports/security/suricata/Makefile,v retrieving revision 1.67 diff -u -p -r1.67 Makefile --- Makefile 23 Mar 2024 13:26:40 -0000 1.67 +++ Makefile 25 Mar 2024 20:09:24 -0000 @@ -3,9 +3,8 @@ NOT_FOR_ARCHS = powerpc64 riscv64 COMMENT = high performance network IDS, IPS and security monitoring -SURICATA_V = 7.0.3 -SUPDATE_V = 1.2.8 -REVISION = 1 +SURICATA_V = 7.0.4 +SUPDATE_V = 1.3.2 DISTNAME = suricata-${SURICATA_V} CATEGORIES = security @@ -13,7 +12,8 @@ SHARED_LIBS += htp HOMEPAGE = https://suricata.io/ -MAINTAINER = Gonzalo L. R. <gonz...@openbsd.org> +MAINTAINER = Gonzalo L. R. <gonz...@openbsd.org>, \ + Jeremy Evans <jer...@openbsd.org> # GPLv2 PERMIT_PACKAGE= Yes 
@@ -68,8 +68,7 @@ SUBST_VARS = SURICATA_V SUPDATE_V pre-configure: ${SUBST_CMD} ${WRKSRC}/configure \ - ${WRKSRC}/doc/userguide/Makefile.in \ - ${WRKSRC}/suricata-update/doc/Makefile \ + ${WRKSRC}/suricata.yaml.in \ ${WRKSRC}/suricata-update/suricata/update/config.py \ ${WRKSRC}/suricata-update/suricata/update/parsers.py # prevent generating revision.py Index: distinfo =================================================================== RCS file: /cvs/ports/security/suricata/distinfo,v retrieving revision 1.22 diff -u -p -r1.22 distinfo --- distinfo 22 Feb 2024 09:49:35 -0000 1.22 +++ distinfo 25 Mar 2024 20:09:24 -0000 @@ -1,2 +1,2 @@ -SHA256 (suricata-7.0.3.tar.gz) = 6gdC16mHg/GvSldmGvYGi8LYUKw+ygSzIE0ozhZeNf8= -SIZE (suricata-7.0.3.tar.gz) = 23599903 +SHA256 (suricata-7.0.4.tar.gz) = ZABgEgAkvnDb6B9uxu/HLkYlD8s2IZ3/Z+ZBciD/Ibc= +SIZE (suricata-7.0.4.tar.gz) = 23610769 Index: patches/patch-doc_userguide_Makefile_in =================================================================== RCS file: patches/patch-doc_userguide_Makefile_in diff -N patches/patch-doc_userguide_Makefile_in --- patches/patch-doc_userguide_Makefile_in 16 Nov 2023 18:15:37 -0000 1.7 +++ /dev/null 1 Jan 1970 00:00:00 -0000 @@ -1,8 +0,0 @@ -Index: doc/userguide/Makefile.in ---- doc/userguide/Makefile.in.orig -+++ doc/userguide/Makefile.in -@@ -1,3 +1,4 @@ -+ - # Makefile.in generated by automake 1.16.5 from Makefile.am. - # @configure_input@ - Index: patches/patch-src_suricata_c =================================================================== RCS file: /cvs/ports/security/suricata/patches/patch-src_suricata_c,v retrieving revision 1.14 diff -u -p -r1.14 patch-src_suricata_c --- patches/patch-src_suricata_c 18 Mar 2024 17:46:37 -0000 1.14 +++ patches/patch-src_suricata_c 25 Mar 2024 20:09:24 -0000 
@@ -4,7 +4,7 @@ Suricata uses libcap-ng on Linux and run Index: src/suricata.c --- src/suricata.c.orig +++ src/suricata.c -@@ -1600,7 +1600,7 @@ static TmEcode ParseCommandLine(int argc, char** argv, +@@ -1597,7 +1597,7 @@ static TmEcode ParseCommandLine(int argc, char** argv, return TM_ECODE_FAILED; #endif /* UNITTESTS */ } else if (strcmp((long_opts[option_index]).name, "user") == 0) { @@ -13,7 +13,7 @@ Index: src/suricata.c SCLogError("libcap-ng is required to" " drop privileges, but it was not compiled into Suricata."); return TM_ECODE_FAILED; -@@ -1609,7 +1609,7 @@ static TmEcode ParseCommandLine(int argc, char** argv, +@@ -1606,7 +1606,7 @@ static TmEcode ParseCommandLine(int argc, char** argv, suri->do_setuid = TRUE; #endif /* HAVE_LIBCAP_NG */ } else if (strcmp((long_opts[option_index]).name, "group") == 0) { @@ -22,10 +22,10 @@ Index: src/suricata.c SCLogError("libcap-ng is required to" " drop privileges, but it was not compiled into Suricata."); return TM_ECODE_FAILED; -@@ -3036,6 +3036,7 @@ int SuricataMain(int argc, char **argv) - SystemHugepageSnapshotDestroy(prerun_snap); - SystemHugepageSnapshotDestroy(postrun_snap); - +@@ -3040,6 +3040,7 @@ int SuricataMain(int argc, char **argv) + SystemHugepageSnapshotDestroy(prerun_snap); + SystemHugepageSnapshotDestroy(postrun_snap); + } + SCSetUserID(suricata.userid, suricata.groupid); SCPledge(); SuricataMainLoop(&suricata); Index: patches/patch-suricata_yaml_in =================================================================== RCS file: /cvs/ports/security/suricata/patches/patch-suricata_yaml_in,v retrieving revision 1.20 diff -u -p -r1.20 patch-suricata_yaml_in --- patches/patch-suricata_yaml_in 22 Feb 2024 09:49:35 -0000 1.20 +++ patches/patch-suricata_yaml_in 25 Mar 2024 20:09:24 -0000 
@@ -103,7 +103,7 @@ Index: suricata.yaml.in # Daemon working directory # Suricata will change directory to this one if provided -@@ -2143,14 +2152,38 @@ napatech: +@@ -2143,14 +2152,36 @@ napatech: # hashmode: hash5tuplesorted @@ -114,34 +114,32 @@ Index: suricata.yaml.in ## ## Configure Suricata to load Suricata-Update managed rules. ## -+#default-rule-path: ${LOCALSTATEDIR}/suricata/rules -+#rule-files: -+# - suricata.rules - +- -default-rule-path: @e_defaultruledir@ - ++default-rule-path: ${LOCALSTATEDIR}/suricata/rules + rule-files: + - suricata.rules ++ +## +## Configure Suricata to use basic bundled rules. +## -+default-rule-path: @e_sysconfdir@rules - rule-files: -- - suricata.rules -+ - app-layer-events.rules -+ - decoder-events.rules -+ - dhcp-events.rules -+ - dnp3-events.rules -+ - dns-events.rules -+ - files.rules -+ - http-events.rules -+ - ipsec-events.rules -+ - kerberos-events.rules -+ - modbus-events.rules -+ - nfs-events.rules -+ - ntp-events.rules -+ - smb-events.rules -+ - smtp-events.rules -+ - stream-events.rules -+ - tls-events.rules ++#default-rule-path: @e_sysconfdir@rules ++#rule-files: ++# - app-layer-events.rules ++# - decoder-events.rules ++# - dhcp-events.rules ++# - dns-events.rules ++# - files.rules ++# - http-events.rules ++# - ipsec-events.rules ++# - kerberos-events.rules ++# - nfs-events.rules ++# - ntp-events.rules ++# - smb-events.rules ++# - smtp-events.rules ++# - stream-events.rules ++# - tls-events.rules ## ## Auxiliary configuration files. Index: pkg/README =================================================================== RCS file: /cvs/ports/security/suricata/pkg/README,v retrieving revision 1.11 diff -u -p -r1.11 README --- pkg/README 17 Dec 2023 15:29:06 -0000 1.11 +++ pkg/README 25 Mar 2024 20:09:24 -0000 
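Review bot: The new default block makes `rule-files: - suricata.rules` under `default-rule-path: ${LOCALSTATEDIR}/suricata/rules` the active configuration, but that file only exists after suricata-update has been run, and the bundled *-events.rules set that previously loaded is now commented out; on a fresh install started before `suricata-update -D ${LOCALSTATEDIR}/suricata`, Suricata will (unless init-errors-fatal is set, as far as I recall) log a warning about the missing file and run with zero rules, which is easy to overlook for an IDS. The suricata-update section of pkg/README should state this explicitly, e.g. `Run suricata-update before starting suricata for the first time; until it has run, no rules are loaded.` A second point in the same hunk: the commented-out bundled list drops dnp3-events.rules and modbus-events.rules relative to the previously active list, so if 7.0.4 still ships those files the README's "uncomment the commented out default-rule-path section" instruction will silently leave them out; if they were removed upstream, fine. The first outer hunk (@@ -103) only adjusts the nested hunk line count and needs nothing.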
@@ -23,18 +23,10 @@ and quicker to use one of the available suricata-update --------------- suricata-update is the recommended way to install and update rules. -By default it will download the new rules into ${LOCALSTATEDIR}/suricata/rules +Run it with the -D flag to download the rules to the directory +suricata expects (${LOCALSTATEDIR}/suricata/rules): -Edit ${SYSCONFDIR}/suricata/suricata.yaml and replace the existing -default-rule-path and rule-files sections with this: - - default-rule-path: ${LOCALSTATEDIR}/suricata/rules/ - rule-files: - - suricata.rules - -And restart Suricata: - -# rcctl restart suricata +# suricata-update -D ${LOCALSTATEDIR}/suricata Oinkmaster ---------- @@ -55,6 +47,10 @@ And you can download as follow: # cd /etc && oinkmaster -C ${SYSCONFDIR}/oinkmaster.conf \ -o ${SYSCONFDIR}/suricata/rules + +Edit ${SYSCONFDIR}/suricata/suricata.yaml, comment out the default +default-rule-path section and uncomment the commented out +default-rule-path section. After updating rules --------------------