Bug 140881 - [patch] port security/snortsam update to version 2.68
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any Any
: Normal Affects Only Me
Assignee: Martin Wilke
Reported: 2009-11-25 23:50 UTC by Olli Hauer
Modified: 2009-12-31 20:20 UTC

Attachments
patch_snortsam-2.68.txt (28.00 KB, text/plain)
2009-11-25 23:50 UTC, Olli Hauer
Description Olli Hauer 2009-11-25 23:50:01 UTC
Update snortsam to version 2.68

Additional:
 use the Makefile instead of makesnortsam.sh
 patches to make the pf2 plugin even more proof (will be included in next official release)
 some small patches to correct the pf2 documentation
 some small other patches we will see in the next release 

For more information see http://snortsam.net/news.html

If this patch is committed PR ports/139460 can be closed
Since PR ports/139460 has now been open for 6 weeks, I will be happy to take maintainership
if the old maintainer does not respond or has no time.
In this case please remove http://www.freebsdbrasil.com.br/~urisso/files/snortsam/
from MASTER_SITES.


I've made build and function tests (mostly pf2 plugin) on these platforms
 FreeBSD 6.4 7.1 7.2 8.0 9.0 i386
 FreeBSD 7.2 8.0 amd64
 OpenBSD 4.5 4.6 i386
 NetBSD  5.0 (i386)

If the diff is mangled somewhere (~750 lines) contact me directly, I will send
the whole port or the patch as tar/gz.

--
olli hauer
Comment 1 Edwin Groothuis freebsd_committer freebsd_triage 2009-11-25 23:50:10 UTC
Maintainer of security/snortsam,

Please note that PR ports/140881 has just been submitted.

If it contains a patch for an upgrade, an enhancement or a bug fix
you agree on, reply to this email stating that you approve the patch
and a committer will take care of it.

The full text of the PR can be found at:
    http://www.freebsd.org/cgi/query-pr.cgi?pr=ports/140881

-- 
Edwin Groothuis via the GNATS Auto Assign Tool
edwin@FreeBSD.org
Comment 2 Edwin Groothuis freebsd_committer freebsd_triage 2009-11-25 23:50:12 UTC
State Changed
From-To: open->feedback

Awaiting maintainer's feedback (via the GNATS Auto Assign Tool)
Comment 3 Olli Hauer 2009-11-27 15:37:09 UTC
Snortsam was updated with my patches, so please use this
version instead.

The new patch updates snortsam to version 2.69


--
olli hauer

--- patch_snortsam-2.69.txt begins here ---
--- snortsam/Makefile	2008-09-04 01:02:16.000000000 +0200
+++ snortsam/Makefile	2009-11-27 15:18:21.000000000 +0100
@@ -6,7 +6,7 @@
 #
 
 PORTNAME=	snortsam
-PORTVERSION=	2.60
+PORTVERSION=	2.69
 CATEGORIES=	security
 MASTER_SITES=	http://www.snortsam.net/files/snortsam/ \
 		http://www.freebsdbrasil.com.br/~urisso/files/snortsam/
@@ -15,53 +15,76 @@
 MAINTAINER=	urisso@bsd.com.br
 COMMENT=	SnortSam is a output plugin for Snort
 
-WRKSRC=		${WRKDIR}/${PKGNAMEPREFIX}${PORTNAME}
+OPTIONS=	IPFW	"checks if configured tables are available" on \
+		SAMTOOL "install samtool" on \
+		DEBUG	"build with verbose messages" off
+
+.include <bsd.port.pre.mk>
 
+USE_RC_SUBR=	snortsam.sh
+SUB_FILES=	pkg-message
 HAS_CONFIGURE=	yes
 NO_BUILD=	yes
+CONFIGURE_SCRIPT=	src/Makefile
+WRKSRC=		${WRKDIR}/${PKGNAMEPREFIX}${PORTNAME}
 
-SYSCONFDIR=	${PREFIX}/etc/snortsam
-
-CONFIGURE_SCRIPT=	makesnortsam.sh
-
-USE_RC_SUBR=	snortsam.sh
+CONFIG_DIR?=	${PREFIX}/etc/snortsam
 
 PLIST_DIRS=	etc/snortsam
-PLIST_FILES=	etc/snortsam/rootservers.cfg etc/snortsam/snortsam.conf.sample sbin/snortsam sbin/snortsam-debug
-PORTDOCS=	INSTALL README README.conf README.snmp_interface_down
+PLIST_FILES=	sbin/snortsam \
+		etc/snortsam/snortsam.conf.sample \
+		etc/snortsam/country-rootservers.conf.sample \
+		etc/snortsam/opsec.conf.sample \
+		etc/snortsam/rootservers.cfg.sample
 
-OPTIONS=	IPFW	"Enable IPFW table checking if it set deny rules" on
+.if defined(WITH_SAMTOOL)
+PLIST_FILES+=	sbin/samtool
+.endif
 
-.include <bsd.port.pre.mk>
+PORTDOCS=	AUTHORS BUGS CREDITS FAQ INSTALL LICENSE README README.ciscoacl \
+		README.conf README.iptables README.netscreen README.pf README.pf2 \
+		README.rules README.slackware README.snmp_interface_down README.wgrd \
+		README_8signs.rtf TODO
 
 .if defined(WITHOUT_IPFW)
-PATCH_SITES+=http://www.freebsdbrasil.com.br/~urisso/files/snortsam/:ipfw
-PATCHFILES+=ssp_ipfw2.c.diff:ipfw
+EXTRA_PATCHES+=	${FILESDIR}/ssp_ipfw2_no_table_check.patch
 .endif
 
-post-extract:
-	@${CAT} ${PATCHDIR}/pkg-message-snortsam
-	@sleep 5
+.if defined(WITH_DEBUG)
+DEBUG=-DDEBUG
+.endif
 
 pre-configure:
-	${REINPLACE_CMD} -e 's|/etc/snortsam.conf|/usr/local/etc/snortsam.conf|g' ${WRKSRC}/conf/snortsam.conf.sample
-	${REINPLACE_CMD} -e 's|/etc/snortsam.conf|/usr/local/etc/snortsam.conf|g' ${WRKSRC}/docs/README.conf
-	${REINPLACE_CMD} -e 's|/etc/snortsam.conf|/usr/local/etc/snortsam.conf|g' ${WRKSRC}/src/snortsam.c
-	${REINPLACE_CMD} -e 's|/etc/snortsam.conf|/usr/local/etc/snortsam.conf|g' ${WRKSRC}/contrib/snortsam-state.c
-	${CHMOD} +x ${WRKSRC}/makesnortsam.sh
+	@${REINPLACE_CMD} -e "s|/etc/snortsam.conf|${CONFIG_DIR}/snortsam.conf|g" ${WRKSRC}/conf/snortsam.conf.sample
+	@${REINPLACE_CMD} -e "s|/etc/snortsam.conf|${CONFIG_DIR}/snortsam.conf|g" ${WRKSRC}/docs/README.conf
+	@${REINPLACE_CMD} -e "s|/etc/snortsam.conf|${CONFIG_DIR}/snortsam.conf|g" ${WRKSRC}/src/snortsam.h
+	@${REINPLACE_CMD} -e "s|/etc/snortsam.conf|${CONFIG_DIR}/snortsam.conf|g" ${WRKSRC}/contrib/snortsam-state.c
+	@${CHMOD} +x ${WRKSRC}/makesnortsam.sh
+
+do-configure:
+	@cd ${WRKSRC}/src && ${MAKE} ${DEBUG}
+	@cd ${WRKSRC}/src && ${MAKE} samtool ${DEBUG}
 
+# no access to snortsam.conf and samtool for non root users!
 do-install:
-	${INSTALL_PROGRAM} ${WRKSRC}/snortsam ${PREFIX}/sbin
-	${INSTALL_PROGRAM} ${WRKSRC}/snortsam-debug ${PREFIX}/sbin
-	${MKDIR} ${SYSCONFDIR}
-	${INSTALL_DATA} ${WRKSRC}/conf/snortsam.conf.sample ${SYSCONFDIR}/snortsam.conf.sample
-	${INSTALL_DATA} ${WRKSRC}/conf/*rootservers.cfg ${SYSCONFDIR}/
+	@${INSTALL_PROGRAM} ${WRKSRC}/snortsam ${PREFIX}/sbin
+.if defined(WITH_SAMTOOL)
+	@${INSTALL} -o root -g wheel -m 500 ${WRKSRC}/samtool ${PREFIX}/sbin
+.endif
+	@${MKDIR} ${CONFIG_DIR}
+	@${INSTALL_DATA} -m 600 ${WRKSRC}/conf/snortsam.conf.sample ${CONFIG_DIR}/snortsam.conf.sample
+	@${INSTALL_DATA} ${WRKSRC}/conf/opsec.conf ${CONFIG_DIR}/opsec.conf.sample
+	@${INSTALL_DATA} ${WRKSRC}/conf/rootservers.cfg ${CONFIG_DIR}/rootservers.cfg.sample
+	@${INSTALL_DATA} ${WRKSRC}/conf/country-rootservers.conf ${CONFIG_DIR}/country-rootservers.conf.sample
 
 .if !defined(NOPORTDOCS)
+	@${MKDIR} ${DOCSDIR}
 .for f in ${PORTDOCS}
-	${MKDIR} ${DOCSDIR}
-	${INSTALL_DATA} ${WRKSRC}/docs/${f} ${DOCSDIR}
+	@${INSTALL_DATA} ${WRKSRC}/docs/${f} ${DOCSDIR}
 .endfor
 .endif
 
+post-install:
+	@${CAT} ${PKGMESSAGE}
+
 .include <bsd.port.post.mk>
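Review bot: in do-install, `@${MKDIR} ${CONFIG_DIR}` creates the config directory with the default mode, so the comment "no access to snortsam.conf and samtool for non root users!" is only enforced for the sample file installed with `-m 600`. A snortsam.conf that the admin later creates in that directory gets whatever the umask gives. Create the directory restricted, for example `${MKDIR} -m 700 ${CONFIG_DIR}`, so the protection does not depend on the mode of each file placed there.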
--- snortsam/distinfo	2008-09-04 01:02:16.000000000 +0200
+++ snortsam/distinfo	2009-11-27 15:19:59.000000000 +0100
@@ -1,6 +1,3 @@
-MD5 (snortsam-src-2.60.tar.gz) = 5fdc69b18938237ac943beeb7f6c105a
-SHA256 (snortsam-src-2.60.tar.gz) = 65c44a91487f533f66291b1dd41f06237d21ba7c9e43a27d8784e2915c2771f4
-SIZE (snortsam-src-2.60.tar.gz) = 1982833
-MD5 (ssp_ipfw2.c.diff) = bcc60c6d27805db5d96c284189cefee8
-SHA256 (ssp_ipfw2.c.diff) = 29355590da907bb4c9f3e259c460c1c29d7a0e6cb201290ffc904c246c8ef3e4
-SIZE (ssp_ipfw2.c.diff) = 1193
+MD5 (snortsam-src-2.69.tar.gz) = 7663ce82956a97c5f725028716d66140
+SHA256 (snortsam-src-2.69.tar.gz) = eb0dc0ebd65b6d15e3adabd7be2720221005683eefb7ca5986b9ca0284d55f92
+SIZE (snortsam-src-2.69.tar.gz) = 1971579
--- snortsam/files/patch-makesnortsam.sh	2008-09-04 01:02:16.000000000 +0200
+++ snortsam/files/patch-makesnortsam.sh	1970-01-01 01:00:00.000000000 +0100
@@ -1,13 +0,0 @@
---- makesnortsam.sh.old	2008-08-03 00:04:24.000000000 -0300
-+++ makesnortsam.sh	2008-08-03 00:04:57.000000000 -0300
-@@ -11,8 +11,8 @@
- #        Under Solaris, the OPSEC stuff is linked dynamically.
- #        On other platforms, statically.
- 
--BSDTHREADLIB='-lc_r'
--#BSDTHREADLIB='-lpthread'
-+#BSDTHREADLIB='-lc_r'
-+BSDTHREADLIB='-lpthread'
- 
- systype=`uname`
- 
--- snortsam/files/patch-snortsam.h	2008-09-04 01:02:16.000000000 +0200
+++ snortsam/files/patch-snortsam.h	1970-01-01 01:00:00.000000000 +0100
@@ -1,16 +0,0 @@
---- src/snortsam.h.old	2008-08-03 00:08:34.000000000 -0300
-+++ src/snortsam.h	2008-08-03 00:10:58.000000000 -0300
-@@ -178,10 +178,10 @@
- #define safecopy(dst,src)		_safecp(dst,sizeof(dst),src)
- 
- #ifdef WIN32
--#define FWSAMCONFIGFILE			"snortsam.cfg"
--#define FWSAMHISTORYFILE			"snortsam.sta"
-+#define FWSAMCONFIGFILE			"/usr/local/etc/snortsam.cfg"
-+#define FWSAMHISTORYFILE			"/var/db/snortsam.sta"
- #else
--#define FWSAMCONFIGFILE			"/etc/snortsam.conf"
-+#define FWSAMCONFIGFILE			"/usr/local/etc/snortsam.conf"
- #define FWSAMHISTORYFILE			"/var/db/snortsam.state"  
- #endif
- 
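Review bot: dropping this patch changes the compiled-in default config path for existing installs. The removed lines set FWSAMCONFIGFILE to "/usr/local/etc/snortsam.conf", while the new pre-configure step rewrites "/etc/snortsam.conf" in src/snortsam.h to ${CONFIG_DIR}/snortsam.conf, which is under ${PREFIX}/etc/snortsam by default. A snortsam started without an explicit config file will no longer find a config left at the old location, so the move should be mentioned in pkg-message or UPDATING.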
--- snortsam/files/pkg-message-snortsam	2008-09-04 01:02:16.000000000 +0200
+++ snortsam/files/pkg-message-snortsam	1970-01-01 01:00:00.000000000 +0100
@@ -1,10 +0,0 @@
-
-============================================================
-NOTE:	Make sure that your SNORT installation it is defined
-	output plugin SNORTSAM for don't cause errors while
-	building SNORTSAM system. If exists some OLD SNORT
-	installation WITHOUT supports for interaction between
-	SNORT and SNORTSAM. PLEASE reconfigure WITH that this
-	feature and rebuild a new installation.
-=============================================================
-
--- snortsam/files/pkg-message.in	1970-01-01 01:00:00.000000000 +0100
+++ snortsam/files/pkg-message.in	2009-11-27 15:33:53.000000000 +0100
@@ -0,0 +1,18 @@
+================================================================
+NOTE:   SNORT have to be build with OPTION SNORTSAM.
+
+	To enable snortsam as output plugin for snort a config
+	line like the following should be present in snort.conf
+
+	  output alert_fwsam: <snortsambox>:<port>/<password>
+
+	With samtool it is possible to send alerts to snortsam,
+	this way you can test and adjust your FW rules.
+
+        For more information read the INSTALL, FAQ, README 
+        files in %%DOCSDIR%%
+
+        Additional consolidate http://snortsam.net
+
+==============================================================
+
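Review bot: the message text needs a language pass before it is shown to every installer: "SNORT have to be build" should read "Snort has to be built", and "Additional consolidate http://snortsam.net" presumably means "Additionally consult". The body also mixes tab and eight-space indentation, and the opening and closing rules differ in length.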
--- snortsam/files/ssp_ipfw2_no_table_check.patch	1970-01-01 01:00:00.000000000 +0100
+++ snortsam/files/ssp_ipfw2_no_table_check.patch	2009-11-25 23:53:50.000000000 +0100
@@ -0,0 +1,18 @@
+--- src/ssp_ipfw2.c.orig	2008-04-26 21:53:21.000000000 +0200
++++ src/ssp_ipfw2.c	2009-11-14 22:03:41.000000000 +0100
+@@ -91,6 +91,7 @@
+ 				}
+ 			}
+ 		}
++#if defined(ENABLE_IPFW_TABLE_CHECK)
+ 		/* Check if inbound table exists */
+ 		snprintf(chk,sizeof(chk)-1,"/sbin/ipfw show | grep -q \"deny ip from any to table(%u) via %s\"",ipfw2p->in_table,ipfw2p->interface);
+ 		if(system(chk))
+@@ -110,6 +111,7 @@
+ 			}
+ 		}
+ 				
++#endif	/* ENABLE_IPFW_TABLE_CHECK */
+ #ifdef FWSAMDEBUG
+ 		if(plugindatalist->data)
+ 			printf("Debug: [ipfw2] Adding IPFW2: i/f '%s', tables %u (in) and %u (out)\n", ipfw2p->interface, ipfw2p->in_table,ipfw2p->out_table);
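Review bot: the block being wrapped builds a shell command with snprintf() and runs it through system(), with ipfw2p->interface inserted via %s inside the double-quoted grep pattern. While this code is being touched, it would be worth validating the interface string against the characters expected in an interface name before it reaches the shell, or replacing the `ipfw show | grep -q` pipeline with a check that does not go through a shell. Separately, ENABLE_IPFW_TABLE_CHECK is not defined anywhere in this PR, so applying the patch simply compiles the check out; a short comment in the patch saying that this is intended would help.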
--- snortsam/pkg-descr	2008-09-04 01:02:16.000000000 +0200
+++ snortsam/pkg-descr	2009-11-25 23:53:50.000000000 +0100
@@ -1,5 +1,6 @@
-SnortSam is a plugin for Snort, an open-source light-weight
-Intrusion Detection System (IDS). The plugin allows for
-automated blocking of IP addresses on many firewalls.
+SnortSam is an intelligent agent that allows the popular
+open-source Intrusion Detection System called Snort to block
+intruding connections by reconfiguration of many firewalls
+and Cisco devices.
 
 WWW: http://www.snortsam.net
--- patch_snortsam-2.69.txt ends here ---
Comment 4 Olli Hauer 2009-12-25 21:20:43 UTC
This patch updates snortsam from version 2.63 to version 2.69

Since the snortsam config files/directory contain sensitive
data like passwords for FW/routers ... the config file is moved
to its own config directory and the mode of this directory is set
to 700 with owner root:wheel

If the Maintainer times out I will be happy to take over the port,
since I rewrote the ssp_pf(2) modules and buildscripts (upstream).

--
olli hauer

--- patch_snortsam-2.69_v2.txt begins here ---
--- snortsam/Makefile
+++ snortsam/Makefile
@@ -6,62 +6,85 @@
 #
 
 PORTNAME=	snortsam
-PORTVERSION=	2.63
+PORTVERSION=	2.69
 CATEGORIES=	security
-MASTER_SITES=	http://www.snortsam.net/files/snortsam/ \
-		http://www.freebsdbrasil.com.br/~urisso/files/snortsam/
+MASTER_SITES=	http://www.snortsam.net/files/snortsam/
 DISTNAME=	${PORTNAME}-src-${PORTVERSION}
 
 MAINTAINER=	urisso@bsd.com.br
 COMMENT=	SnortSam is a output plugin for Snort
 
-WRKSRC=		${WRKDIR}/${PKGNAMEPREFIX}${PORTNAME}
+OPTIONS=	IPFW	"checks if configured tables are available" on \
+		SAMTOOL "install samtool" on \
+		DEBUG	"build with verbose messages" off
 
-HAS_CONFIGURE=	yes
-NO_BUILD=	yes
+.include <bsd.port.pre.mk>
 
-SYSCONFDIR=	${PREFIX}/etc/snortsam
+USE_RC_SUBR=	snortsam.sh
+SUB_FILES=	pkg-message \
+		pkg-install
 
-CONFIGURE_SCRIPT=	makesnortsam.sh
+HAS_CONFIGURE=	yes
+NO_BUILD=	yes
+CONFIGURE_SCRIPT=	src/Makefile
+WRKSRC=		${WRKDIR}/${PKGNAMEPREFIX}${PORTNAME}
 
-USE_RC_SUBR=	snortsam.sh
+CONFIG_DIR?=	${PREFIX}/etc/snortsam
 
 PLIST_DIRS=	etc/snortsam
-PLIST_FILES=	etc/snortsam/rootservers.cfg etc/snortsam/snortsam.conf.sample sbin/snortsam sbin/snortsam-debug
-PORTDOCS=	INSTALL README README.conf README.snmp_interface_down
+PLIST_FILES=	sbin/snortsam \
+		etc/snortsam/snortsam.conf.sample \
+		etc/snortsam/country-rootservers.conf.sample \
+		etc/snortsam/rootservers.cfg.sample
 
-OPTIONS=	IPFW	"Enable IPFW table checking if it set deny rules" on
+.if defined(WITH_SAMTOOL)
+PLIST_FILES+=	sbin/samtool
+.endif
 
-.include <bsd.port.pre.mk>
+PORTDOCS=	AUTHORS BUGS CREDITS FAQ INSTALL LICENSE README README.ciscoacl \
+		README.conf README.iptables README.netscreen README.pf README.pf2 \
+		README.rules README.slackware README.snmp_interface_down README.wgrd \
+		README_8signs.rtf TODO
 
 .if defined(WITHOUT_IPFW)
-PATCH_SITES+=http://www.freebsdbrasil.com.br/~urisso/files/snortsam/:ipfw
-PATCHFILES+=ssp_ipfw2.c.diff:ipfw
+EXTRA_PATCHES+=	${FILESDIR}/ssp_ipfw2_no_table_check.patch
 .endif
 
-post-extract:
-	@${CAT} ${PATCHDIR}/pkg-message-snortsam
-	@sleep 5
+.if defined(WITH_DEBUG)
+DEBUG=-DDEBUG
+.endif
 
 pre-configure:
-	${REINPLACE_CMD} -e 's|/etc/snortsam.conf|/usr/local/etc/snortsam.conf|g' ${WRKSRC}/conf/snortsam.conf.sample
-	${REINPLACE_CMD} -e 's|/etc/snortsam.conf|/usr/local/etc/snortsam.conf|g' ${WRKSRC}/docs/README.conf
-	${REINPLACE_CMD} -e 's|/etc/snortsam.conf|/usr/local/etc/snortsam.conf|g' ${WRKSRC}/src/snortsam.c
-	${REINPLACE_CMD} -e 's|/etc/snortsam.conf|/usr/local/etc/snortsam.conf|g' ${WRKSRC}/contrib/snortsam-state.c
-	${CHMOD} +x ${WRKSRC}/makesnortsam.sh
+	@${REINPLACE_CMD} -e "s|/etc/snortsam.conf|${CONFIG_DIR}/snortsam.conf|g" ${WRKSRC}/conf/snortsam.conf.sample
+	@${REINPLACE_CMD} -e "s|/etc/snortsam.conf|${CONFIG_DIR}/snortsam.conf|g" ${WRKSRC}/docs/README.conf
+	@${REINPLACE_CMD} -e "s|/etc/snortsam.conf|${CONFIG_DIR}/snortsam.conf|g" ${WRKSRC}/src/snortsam.h
+	@${REINPLACE_CMD} -e "s|/etc/snortsam.conf|${CONFIG_DIR}/snortsam.conf|g" ${WRKSRC}/contrib/snortsam-state.c
+	@${CHMOD} +x ${WRKSRC}/makesnortsam.sh
+
+do-configure:
+	@cd ${WRKSRC}/src && ${MAKE} ${DEBUG}
+	@cd ${WRKSRC}/src && ${MAKE} samtool ${DEBUG}
 
+# no access to snortsam.conf and samtool for non root users!
 do-install:
-	${INSTALL_PROGRAM} ${WRKSRC}/snortsam ${PREFIX}/sbin
-	${INSTALL_PROGRAM} ${WRKSRC}/snortsam-debug ${PREFIX}/sbin
-	${MKDIR} ${SYSCONFDIR}
-	${INSTALL_DATA} ${WRKSRC}/conf/snortsam.conf.sample ${SYSCONFDIR}/snortsam.conf.sample
-	${INSTALL_DATA} ${WRKSRC}/conf/*rootservers.cfg ${SYSCONFDIR}/
+	@${INSTALL_PROGRAM} ${WRKSRC}/snortsam ${PREFIX}/sbin
+.if defined(WITH_SAMTOOL)
+	@${INSTALL} -o root -g wheel -m 500 ${WRKSRC}/samtool ${PREFIX}/sbin
+.endif
+	@${MKDIR} -m 700 ${CONFIG_DIR}
+	@${INSTALL_DATA} -m 600 ${WRKSRC}/conf/snortsam.conf.sample ${CONFIG_DIR}/snortsam.conf.sample
+	@${INSTALL_DATA} ${WRKSRC}/conf/rootservers.cfg ${CONFIG_DIR}/rootservers.cfg.sample
+	@${INSTALL_DATA} ${WRKSRC}/conf/country-rootservers.conf ${CONFIG_DIR}/country-rootservers.conf.sample
 
 .if !defined(NOPORTDOCS)
+	@${MKDIR} ${DOCSDIR}
 .for f in ${PORTDOCS}
-	${MKDIR} ${DOCSDIR}
-	${INSTALL_DATA} ${WRKSRC}/docs/${f} ${DOCSDIR}
+	@${INSTALL_DATA} ${WRKSRC}/docs/${f} ${DOCSDIR}
 .endfor
 .endif
 
+post-install:
+	@${SH} ${PKGINSTALL} ${DISTNAME} POST-INSTALL
+	@${CAT} ${PKGMESSAGE}
+
 .include <bsd.port.post.mk>
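Review bot: do-configure runs the whole compile (`${MAKE}` in ${WRKSRC}/src) while NO_BUILD=yes is kept, and it builds samtool unconditionally even though installing it is guarded by WITH_SAMTOOL. Moving the two make calls into a do-build target and wrapping the samtool line in `.if defined(WITH_SAMTOOL)` would match what the options promise; CONFIGURE_SCRIPT=src/Makefile appears unused because do-configure is overridden. The `@${CHMOD} +x ${WRKSRC}/makesnortsam.sh` in pre-configure also looks like a leftover now that the script is no longer the configure script.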
--- snortsam/distinfo
+++ snortsam/distinfo
@@ -1,3 +1,3 @@
-MD5 (snortsam-src-2.63.tar.gz) = d74f5e744358bc9da85ad9d4fb393f76
-SHA256 (snortsam-src-2.63.tar.gz) = f56208e2cba56c55bb97c09582b71e3d9c1c05c551df2cc59f493910e9f403a3
-SIZE (snortsam-src-2.63.tar.gz) = 1967776
+MD5 (snortsam-src-2.69.tar.gz) = 7663ce82956a97c5f725028716d66140
+SHA256 (snortsam-src-2.69.tar.gz) = eb0dc0ebd65b6d15e3adabd7be2720221005683eefb7ca5986b9ca0284d55f92
+SIZE (snortsam-src-2.69.tar.gz) = 1971579
--- snortsam/files/patch-snortsam.h
+++ snortsam/files/patch-snortsam.h
@@ -1,16 +0,0 @@
---- src/snortsam.h.old	2008-08-03 00:08:34.000000000 -0300
-+++ src/snortsam.h	2008-08-03 00:10:58.000000000 -0300
-@@ -178,10 +178,10 @@
- #define safecopy(dst,src)		_safecp(dst,sizeof(dst),src)
- 
- #ifdef WIN32
--#define FWSAMCONFIGFILE			"snortsam.cfg"
--#define FWSAMHISTORYFILE			"snortsam.sta"
-+#define FWSAMCONFIGFILE			"/usr/local/etc/snortsam.cfg"
-+#define FWSAMHISTORYFILE			"/var/db/snortsam.sta"
- #else
--#define FWSAMCONFIGFILE			"/etc/snortsam.conf"
-+#define FWSAMCONFIGFILE			"/usr/local/etc/snortsam.conf"
- #define FWSAMHISTORYFILE			"/var/db/snortsam.state"  
- #endif
- 
--- snortsam/files/pkg-install.in
+++ snortsam/files/pkg-install.in
@@ -0,0 +1,17 @@
+#!/bin/sh
+#
+# $FreeBSD$
+
+ETCDIR=${ETCDIR:=%%ETCDIR%%}
+
+# snortsam config file contain sensitive data like 
+# passwords needed to block IP's on the firewalls.
+# Set permission of the config dir to 700 so only
+# root:wheel can access this directory.
+if [ "$2" = "POST-INSTALL" ]; then
+    if [ -d ${ETCDIR} ]; then
+        /usr/sbin/chown root:wheel ${ETCDIR}
+        /bin/chmod 700 ${ETCDIR}
+    fi
+fi
+
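Review bot: the script tightens %%ETCDIR%%, but the Makefile creates and populates ${CONFIG_DIR}, which is declared with `?=` and can be overridden. If the two ever differ, the chown/chmod here lands on a directory other than the one holding snortsam.conf; use a single variable for both (the same applies to the %%ETCDIR%% default in snortsam.sh.in). The ${ETCDIR} expansions in the `[ -d ... ]` test and in the chown/chmod calls should also be double-quoted.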
--- snortsam/files/pkg-message-snortsam
+++ snortsam/files/pkg-message-snortsam
@@ -1,10 +0,0 @@
-
-============================================================
-NOTE:	Make sure that your SNORT installation it is defined
-	output plugin SNORTSAM for don't cause errors while
-	building SNORTSAM system. If exists some OLD SNORT
-	installation WITHOUT supports for interaction between
-	SNORT and SNORTSAM. PLEASE reconfigure WITH that this
-	feature and rebuild a new installation.
-=============================================================
-
--- snortsam/files/pkg-message.in
+++ snortsam/files/pkg-message.in
@@ -0,0 +1,18 @@
+================================================================
+NOTE:   SNORT have to be build with OPTION SNORTSAM.
+
+	To enable snortsam as output plugin for snort a config
+	line like the following should be present in snort.conf
+
+	  output alert_fwsam: <snortsambox>:<port>/<password>
+
+	With samtool it is possible to send alerts to snortsam,
+	this way you can test and adjust your FW rules.
+
+        For more information read the INSTALL, FAQ, README 
+        files in %%DOCSDIR%%
+
+        Additional consolidate http://snortsam.net
+
+==============================================================
+
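Review bot: the example line `output alert_fwsam: <snortsambox>:<port>/<password>` puts the SnortSam password into snort.conf, yet the message says nothing about that file's permissions. Since this update restricts the snortsam config directory to mode 700 because it holds passwords, add a sentence telling the admin to restrict read access to snort.conf as well.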
--- snortsam/files/snortsam.sh.in
+++ snortsam/files/snortsam.sh.in
@@ -1,31 +1,30 @@
 #!/bin/sh
-# $FreeBSD:
+# $FreeBSD$
 
 # PROVIDE: snortsam
 # REQUIRE: DAEMON
-# BEFORE: LOGIN
+# BEFORE:  LOGIN
 # KEYWORD: shutdown
 
-# Add the following lines to /etc/rc.conf to enable snortsam:
-# snortsam_enable (bool):		Set to YES to enable snortsam
-# 				Default: NO
-# snortsam_flags (str):		Extra flags passed to snortsam
-#				Default: ""
-# snortsam_conf (str):		Snortsam configuration file
-#				Default: ${PREFIX}/etc/snortsam/snortsam.conf
 #
-
+# Add the following line to /etc/rc.conf to enable snortsam:
+#
+#  snortsam_enable="YES"
+#
+#  # optional Snortsam configuration file:
+#  snortsam_conf="%%ETCDIR%%/snortsam.conf"
+#
+# DO NOT CHANGE THE DEFAULT VALUES HERE
+#
 . %%RC_SUBR%%
 
 name="snortsam"
 rcvar=`set_rcvar`
+load_rc_config snortsam
 
+# defaults
 command="%%PREFIX%%/sbin/snortsam"
-
-load_rc_config $name
-
-[ -z "$snortsam_enable" ]    && snortsam_enable="NO"
-[ -z "$snortsam_conf" ]      && snortsam_conf="%%PREFIX%%/etc/snortsam/snortsam.conf"
-[ -n "$snortsam_conf" ]      && snortsam_flags="$snortsam_flags $snortsam_conf"
+snortsam_enable=${snortsam_enable:-"NO"}
+snortsam_flags=${snortsam_conf:-"%%ETCDIR%%/snortsam.conf"}
 
 run_rc_command "$1"
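Review bot: `snortsam_flags=${snortsam_conf:-"%%ETCDIR%%/snortsam.conf"}` overwrites snortsam_flags instead of extending it, so any flags set in rc.conf are silently dropped; the removed code appended the config path to the existing value ("$snortsam_flags $snortsam_conf"). The header comment also no longer documents snortsam_flags. Either keep the append or state in the comment that only snortsam_conf is honoured. Setting required_files to the config path would additionally let rc.subr report a missing config before the daemon is started.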
--- snortsam/files/ssp_ipfw2_no_table_check.patch
+++ snortsam/files/ssp_ipfw2_no_table_check.patch
@@ -0,0 +1,18 @@
+--- src/ssp_ipfw2.c.orig	2008-04-26 21:53:21.000000000 +0200
++++ src/ssp_ipfw2.c	2009-11-14 22:03:41.000000000 +0100
+@@ -91,6 +91,7 @@
+ 				}
+ 			}
+ 		}
++#if defined(ENABLE_IPFW_TABLE_CHECK)
+ 		/* Check if inbound table exists */
+ 		snprintf(chk,sizeof(chk)-1,"/sbin/ipfw show | grep -q \"deny ip from any to table(%u) via %s\"",ipfw2p->in_table,ipfw2p->interface);
+ 		if(system(chk))
+@@ -110,6 +111,7 @@
+ 			}
+ 		}
+ 				
++#endif	/* ENABLE_IPFW_TABLE_CHECK */
+ #ifdef FWSAMDEBUG
+ 		if(plugindatalist->data)
+ 			printf("Debug: [ipfw2] Adding IPFW2: i/f '%s', tables %u (in) and %u (out)\n", ipfw2p->interface, ipfw2p->in_table,ipfw2p->out_table);
--- snortsam/pkg-descr
+++ snortsam/pkg-descr
@@ -1,5 +1,6 @@
-SnortSam is a plugin for Snort, an open-source light-weight
-Intrusion Detection System (IDS). The plugin allows for
-automated blocking of IP addresses on many firewalls.
+SnortSam is an intelligent agent that allows the popular
+open-source Intrusion Detection System called Snort to block
+intruding connections by reconfiguration of many firewalls
+and Cisco devices.
 
 WWW: http://www.snortsam.net
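Review bot: pkg-descr now describes SnortSam as an agent that reconfigures firewalls, but COMMENT in the Makefile is left as "SnortSam is a output plugin for Snort". Update COMMENT in the same change so the two descriptions agree, and fix the article ("a output") while there.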
--- patch_snortsam-2.69_v2.txt ends here ---
Comment 5 Martin Wilke freebsd_committer freebsd_triage 2009-12-26 00:03:14 UTC
Responsible Changed
From-To: freebsd-ports-bugs->miwi

I'll take it.
Comment 6 Martin Wilke freebsd_committer freebsd_triage 2009-12-31 20:18:37 UTC
State Changed
From-To: feedback->closed

Committed. Thanks!
Comment 7 dfilter service freebsd_committer freebsd_triage 2009-12-31 20:18:41 UTC
miwi        2009-12-31 20:18:29 UTC

  FreeBSD ports repository

  Modified files:
    security/snortsam    Makefile distinfo pkg-descr 
    security/snortsam/files snortsam.sh.in 
  Added files:
    security/snortsam/files pkg-install.in pkg-message.in 
                            ssp_ipfw2_no_table_check.patch 
  Removed files:
    security/snortsam/files patch-snortsam.h pkg-message-snortsam 
  Log:
  - Update to 2.69
  
  Changelog:
          http://snortsam.net/news.html
  
  PR:             140881
  Submitted by:   olli hauer <ohauer@gmx.de>
  Approved by:    maintainer timeout
  
  Revision  Changes    Path
  1.3       +53 -30    ports/security/snortsam/Makefile
  1.3       +3 -3      ports/security/snortsam/distinfo
  1.2       +0 -16     ports/security/snortsam/files/patch-snortsam.h (dead)
  1.1       +17 -0     ports/security/snortsam/files/pkg-install.in (new)
  1.2       +0 -10     ports/security/snortsam/files/pkg-message-snortsam (dead)
  1.1       +18 -0     ports/security/snortsam/files/pkg-message.in (new)
  1.3       +15 -16    ports/security/snortsam/files/snortsam.sh.in
  1.1       +18 -0     ports/security/snortsam/files/ssp_ipfw2_no_table_check.patch (new)
  1.2       +4 -3      ports/security/snortsam/pkg-descr