On 2024/03/26 19:46, Jeremy Evans wrote: > > I updated suricata.yaml.in to replace all of the autoconf related code > with make variables that will be updated by SUBST_CMD. I found that > suricata does not like our /etc/magic file, so I left that commented > out.
ah, it will want /usr/local/share/misc/magic (.mgc) > I found that autoconf is used by the build system. I made a few > attempts at patching it out, but was unsuccessful. So I left that in. sorry I missed that, autoconf BDEP makes sense then. > Here's a revised diff. I plan to commit this tomorrow unless I hear > objections. > > Thanks, > Jeremy > > Index: Makefile > =================================================================== > RCS file: /cvs/ports/security/suricata/Makefile,v > retrieving revision 1.67 > diff -u -p -r1.67 Makefile > --- Makefile 23 Mar 2024 13:26:40 -0000 1.67 > +++ Makefile 26 Mar 2024 19:44:49 -0000 > @@ -3,9 +3,8 @@ NOT_FOR_ARCHS = powerpc64 riscv64 > > COMMENT = high performance network IDS, IPS and security monitoring > > -SURICATA_V = 7.0.3 > -SUPDATE_V = 1.2.8 > -REVISION = 1 > +SURICATA_V = 7.0.4 > +SUPDATE_V = 1.3.2 > > DISTNAME = suricata-${SURICATA_V} > CATEGORIES = security > @@ -13,7 +12,8 @@ SHARED_LIBS += htp > > HOMEPAGE = https://suricata.io/ > > -MAINTAINER = Gonzalo L. R. <gonz...@openbsd.org> > +MAINTAINER = Gonzalo L. R. <gonz...@openbsd.org>, \ > + Jeremy Evans <jer...@openbsd.org> > > # GPLv2 > PERMIT_PACKAGE= Yes > @@ -48,7 +48,6 @@ DEBUG_PACKAGES = ${BUILD_PACKAGES} > > CONFIGURE_STYLE = autoconf > AUTOCONF_VERSION = 2.71 > -AUTOMAKE_VERSION = 1.15 > > CONFIGURE_ENV = ac_cv_path_HAVE_PDFLATEX= \ > ac_cv_path_HAVE_GIT_CMD= \ 
> @@ -67,9 +66,7 @@ CONFIGURE_ARGS = --disable-gccmarch-nati > SUBST_VARS = SURICATA_V SUPDATE_V > > pre-configure: > - ${SUBST_CMD} ${WRKSRC}/configure \ > - ${WRKSRC}/doc/userguide/Makefile.in \ > - ${WRKSRC}/suricata-update/doc/Makefile \ > + ${SUBST_CMD} ${WRKSRC}/suricata.yaml.in \ > ${WRKSRC}/suricata-update/suricata/update/config.py \ > ${WRKSRC}/suricata-update/suricata/update/parsers.py > # prevent generating revision.py > Index: distinfo > =================================================================== > RCS file: /cvs/ports/security/suricata/distinfo,v > retrieving revision 1.22 > diff -u -p -r1.22 distinfo > --- distinfo 22 Feb 2024 09:49:35 -0000 1.22 > +++ distinfo 26 Mar 2024 19:44:49 -0000 > @@ -1,2 +1,2 @@ > -SHA256 (suricata-7.0.3.tar.gz) = 6gdC16mHg/GvSldmGvYGi8LYUKw+ygSzIE0ozhZeNf8= > -SIZE (suricata-7.0.3.tar.gz) = 23599903 > +SHA256 (suricata-7.0.4.tar.gz) = ZABgEgAkvnDb6B9uxu/HLkYlD8s2IZ3/Z+ZBciD/Ibc= > +SIZE (suricata-7.0.4.tar.gz) = 23610769 > Index: patches/patch-doc_userguide_Makefile_in > =================================================================== > RCS file: patches/patch-doc_userguide_Makefile_in > diff -N patches/patch-doc_userguide_Makefile_in > --- patches/patch-doc_userguide_Makefile_in 16 Nov 2023 18:15:37 -0000 > 1.7 > +++ /dev/null 1 Jan 1970 00:00:00 -0000 > @@ -1,8 +0,0 @@ > -Index: doc/userguide/Makefile.in > ---- doc/userguide/Makefile.in.orig > -+++ doc/userguide/Makefile.in > -@@ -1,3 +1,4 @@ > -+ > - # Makefile.in generated by automake 1.16.5 from Makefile.am. > - # @configure_input@ > - > Index: patches/patch-src_suricata_c > =================================================================== > RCS file: /cvs/ports/security/suricata/patches/patch-src_suricata_c,v > retrieving revision 1.14 > diff -u -p -r1.14 patch-src_suricata_c > --- patches/patch-src_suricata_c 18 Mar 2024 17:46:37 -0000 1.14 > +++ patches/patch-src_suricata_c 26 Mar 2024 19:44:49 -0000 
> @@ -4,7 +4,7 @@ Suricata uses libcap-ng on Linux and run > Index: src/suricata.c > --- src/suricata.c.orig > +++ src/suricata.c > -@@ -1600,7 +1600,7 @@ static TmEcode ParseCommandLine(int argc, char** argv, > +@@ -1597,7 +1597,7 @@ static TmEcode ParseCommandLine(int argc, char** argv, > return TM_ECODE_FAILED; > #endif /* UNITTESTS */ > } else if (strcmp((long_opts[option_index]).name, "user") == 0) > { > @@ -13,7 +13,7 @@ Index: src/suricata.c > SCLogError("libcap-ng is required to" > " drop privileges, but it was not compiled into > Suricata."); > return TM_ECODE_FAILED; > -@@ -1609,7 +1609,7 @@ static TmEcode ParseCommandLine(int argc, char** argv, > +@@ -1606,7 +1606,7 @@ static TmEcode ParseCommandLine(int argc, char** argv, > suri->do_setuid = TRUE; > #endif /* HAVE_LIBCAP_NG */ > } else if (strcmp((long_opts[option_index]).name, "group") == > 0) { > @@ -22,10 +22,10 @@ Index: src/suricata.c > SCLogError("libcap-ng is required to" > " drop privileges, but it was not compiled into > Suricata."); > return TM_ECODE_FAILED; > -@@ -3036,6 +3036,7 @@ int SuricataMain(int argc, char **argv) > - SystemHugepageSnapshotDestroy(prerun_snap); > - SystemHugepageSnapshotDestroy(postrun_snap); > - > +@@ -3040,6 +3040,7 @@ int SuricataMain(int argc, char **argv) > + SystemHugepageSnapshotDestroy(prerun_snap); > + SystemHugepageSnapshotDestroy(postrun_snap); > + } > + SCSetUserID(suricata.userid, suricata.groupid); > SCPledge(); > SuricataMainLoop(&suricata); > Index: patches/patch-suricata_yaml_in > =================================================================== > RCS file: /cvs/ports/security/suricata/patches/patch-suricata_yaml_in,v > retrieving revision 1.20 > diff -u -p -r1.20 patch-suricata_yaml_in > --- patches/patch-suricata_yaml_in 22 Feb 2024 09:49:35 -0000 1.20 > +++ patches/patch-suricata_yaml_in 26 Mar 2024 19:44:49 -0000 
> @@ -1,15 +1,23 @@ > - After reload allow to write log files or use syslog. > - Switch user and group to avoid running as root. > - To remove pid file its directory must be writable by suricata user. > -- Comment-out suricata-update rules and add config for bundled rules > -so the package can be used directly. See pkg-readme for information > -about downloading rules. > +- Avoid need to run autoconf by setting variables which will be > + modified by SUBST_CMD > > > Index: suricata.yaml.in > --- suricata.yaml.in.orig > +++ suricata.yaml.in > -@@ -84,6 +84,7 @@ outputs: > +@@ -58,7 +58,7 @@ vars: > + # The default logging directory. Any log or output file will be > + # placed here if it's not specified with a full path name. This can be > + # overridden with the -l command line parameter. > +-default-log-dir: @e_logdir@ > ++default-log-dir: ${LOCALSTATEDIR}/log/suricata > + > + # Global stats configuration > + stats: > +@@ -84,14 +84,16 @@ outputs: > - fast: > enabled: yes > filename: fast.log > @@ -17,8 +25,10 @@ Index: suricata.yaml.in > append: yes > #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram' > > -@@ -92,6 +93,7 @@ outputs: > - enabled: @e_enable_evelog@ > + # Extensible Event Format (nicknamed EVE) event log in JSON format > + - eve-log: > +- enabled: @e_enable_evelog@ > ++ enabled: yes > filetype: regular #regular|syslog|unix_dgram|unix_stream|redis > filename: eve.json > + filemode: 664 
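Review bot: The new rationale line in the patch header, `+- Avoid need to run autoconf by setting variables which will be modified by SUBST_CMD`, contradicts the Makefile in the same diff, which keeps `CONFIGURE_STYLE = autoconf` and `AUTOCONF_VERSION = 2.71`, and the thread above agrees autoconf is still required by the build. What the hunk actually does is replace the `@e_*@` substitutions that configure would fill in with `${LOCALSTATEDIR}`/`${SYSCONFDIR}` tokens expanded by the port, so the installed paths no longer depend on what configure computes. I would reword it to `- Replace configure's @e_*@ path substitutions with ${...} variables expanded by SUBST_CMD`, so the next person rebasing the patch does not try to drop autoconf again. The rest of this patch file continues in the following hunks.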
> @@ -94,16 +104,60 @@ Index: suricata.yaml.in > > security: > # if true, prevents process creation from Suricata by calling > -@@ -1227,7 +1236,7 @@ security: > +@@ -1208,13 +1217,11 @@ security: > + enabled: no > + directories: > + #write: > +- # - @e_rundir@ > + # /usr and /etc folders are added to read list to allow > + # file magic to be used. > + read: > + - /usr/ > + - /etc/ > +- - @e_sysconfdir@ > + > + lua: > + # Allow Lua rules. Disabled by default. > +@@ -1227,7 +1234,7 @@ security: > # Default location of the pid file. The pid file is only used in > # daemon mode (start Suricata with -D). If not running in daemon mode > # the --pidfile command line option must be used to create a pid file. > -#pid-file: @e_run...@suricata.pid > -+pid-file: @e_run...@suricata.pid > ++pid-file: ${LOCALSTATEDIR}/run/suricata/suricata.pid > > # Daemon working directory > # Suricata will change directory to this one if provided > -@@ -2143,14 +2152,38 @@ napatech: > +@@ -1295,8 +1302,7 @@ unix-command: > + #filename: custom.socket > + > + # Magic file. The extension .mgc is added to the value here. > +-#magic-file: /usr/share/file/magic > ++#magic-file: ${SYSCONFDIR}/magic > +-@e_magic_file_comment@magic-file: @e_magic_file@ > + > + # GeoIP2 database file. Specify path and filename of GeoIP2 database > + # if using rules with "geoip" rule option. > +@@ -1334,8 +1340,8 @@ legacy: > + exception-policy: auto > + > + # IP Reputation > +-#reputation-categories-file: @e_sysconfdir@iprep/categories.txt > +-#default-reputation-path: @e_sysconfdir@iprep > ++#reputation-categories-file: ${SYSCONFDIR}/suricata/iprep/categories.txt > ++#default-reputation-path: ${SYSCONFDIR}/suricata/iprep > + #reputation-files: > + # - reputation.list > + > +@@ -1813,7 +1819,7 @@ profiling: > + limit: 10 > + > + # output to json > +- json: @e_enable_evelog@ > ++ json: true > + > + # per keyword profiling > + keywords: > +@@ -2143,22 +2149,44 @@ napatech: > # > hashmode: hash5tuplesorted 
> > @@ -114,34 +168,43 @@ Index: suricata.yaml.in > ## > ## Configure Suricata to load Suricata-Update managed rules. > ## > -+#default-rule-path: ${LOCALSTATEDIR}/suricata/rules > -+#rule-files: > -+# - suricata.rules > - > +- > -default-rule-path: @e_defaultruledir@ > - > -+## > -+## Configure Suricata to use basic bundled rules. > -+## > -+default-rule-path: @e_sysconfdir@rules > ++default-rule-path: ${LOCALSTATEDIR}/suricata/rules > rule-files: > -- - suricata.rules > -+ - app-layer-events.rules > -+ - decoder-events.rules > -+ - dhcp-events.rules > -+ - dnp3-events.rules > -+ - dns-events.rules > -+ - files.rules > -+ - http-events.rules > -+ - ipsec-events.rules > -+ - kerberos-events.rules > -+ - modbus-events.rules > -+ - nfs-events.rules > -+ - ntp-events.rules > -+ - smb-events.rules > -+ - smtp-events.rules > -+ - stream-events.rules > -+ - tls-events.rules > + - suricata.rules > > ## > ++## Configure Suricata to use basic bundled rules. > ++## > ++#default-rule-path: ${SYSCONFDIR}/suricata/rules > ++#rule-files: > ++# - app-layer-events.rules > ++# - decoder-events.rules > ++# - dhcp-events.rules > ++# - dns-events.rules > ++# - files.rules > ++# - http-events.rules > ++# - ipsec-events.rules > ++# - kerberos-events.rules > ++# - nfs-events.rules > ++# - ntp-events.rules > ++# - smb-events.rules > ++# - smtp-events.rules > ++# - stream-events.rules > ++# - tls-events.rules > ++ > ++## > ## Auxiliary configuration files. 
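Review bot: The commented default `#magic-file: ${SYSCONFDIR}/magic` introduced in this hunk points at /etc/magic, which the message above reports suricata rejects; the reply says libmagic wants /usr/local/share/misc/magic(.mgc), and the context comment on the line before states that `.mgc` is appended to the configured value. Leaving the wrong path as the hint invites users to uncomment it and hit the same failure, so I would write `#magic-file: ${LOCALBASE}/share/misc/magic` instead, which should be expanded by SUBST_CMD like the other default variables used here. Dropping `@e_sysconfdir@` from the `security:` `directories: read:` list looks harmless, since `/etc/` stays listed and the block is `enabled: no`; this appears to be the Linux-only sandbox section, so it is presumably inert on OpenBSD anyway, but worth confirming.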
> + ## > + > +-classification-file: @e_sysconfdir@classification.config > +-reference-config-file: @e_sysconfdir@reference.config > +-# threshold-file: @e_sysconfdir@threshold.config > ++classification-file: ${SYSCONFDIR}/suricata/classification.config > ++reference-config-file: ${SYSCONFDIR}/suricata/reference.config > ++# threshold-file: ${SYSCONFDIR}/suricata/threshold.config > + > + ## > + ## Include other configs > Index: pkg/README > =================================================================== > RCS file: /cvs/ports/security/suricata/pkg/README,v > retrieving revision 1.11 > diff -u -p -r1.11 README > --- pkg/README 17 Dec 2023 15:29:06 -0000 1.11 > +++ pkg/README 26 Mar 2024 19:44:49 -0000 > @@ -23,18 +23,10 @@ and quicker to use one of the available > suricata-update > --------------- > suricata-update is the recommended way to install and update rules. > -By default it will download the new rules into > ${LOCALSTATEDIR}/suricata/rules > +Run it with the -D flag to download the rules to the directory > +suricata expects (${LOCALSTATEDIR}/suricata/rules): > > -Edit ${SYSCONFDIR}/suricata/suricata.yaml and replace the existing > -default-rule-path and rule-files sections with this: > - > - default-rule-path: ${LOCALSTATEDIR}/suricata/rules/ > - rule-files: > - - suricata.rules > - > -And restart Suricata: > - > -# rcctl restart suricata > +# suricata-update -D ${LOCALSTATEDIR}/suricata > > Oinkmaster > ---------- > @@ -55,6 +47,10 @@ And you can download as follow: > > # cd /etc && oinkmaster -C ${SYSCONFDIR}/oinkmaster.conf \ > -o ${SYSCONFDIR}/suricata/rules > + > +Edit ${SYSCONFDIR}/suricata/suricata.yaml, comment out the default > +default-rule-path section and uncomment the commented out > +default-rule-path section. > > After updating rules > -------------------- >
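Review bot: Making `${LOCALSTATEDIR}/suricata/rules` with `suricata.rules` the active default means a fresh install has no rule file at all until `suricata-update -D` has been run, and as far as I recall Suricata only warns about a missing rule file and keeps running, so the out-of-the-box result is an IDS with no signatures loaded and no startup failure to flag it. The bundled event rules that were previously active are now merely commented out rather than kept alongside; rule-files entries can, to my knowledge, be absolute paths, so the bundled set could remain loaded next to the downloaded one, e.g. `- ${SYSCONFDIR}/suricata/rules/app-layer-events.rules`, or failing that the README should state plainly that nothing is loaded before suricata-update runs. Separately, the new commented bundled list omits `dnp3-events.rules` and `modbus-events.rules`, which the removed list had; if 7.0.4 still installs those files, confirm the omission is intended rather than a copy slip.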