
(-)Makefile (-53 / +56 lines)
Lines 6-13 Link Here
6
#
6
#
7
7
8
PORTNAME=	sguil-sensor
8
PORTNAME=	sguil-sensor
9
PORTVERSION=	0.7.0
9
PORTVERSION=	0.8.0
10
PORTREVISION=	3
11
CATEGORIES=	security
10
CATEGORIES=	security
12
MASTER_SITES=	SF/sguil/sguil/sguil-${PORTVERSION}
11
MASTER_SITES=	SF/sguil/sguil/sguil-${PORTVERSION}
13
12
Lines 15-118 Link Here
15
COMMENT=	Sguil is a network security monitoring program
14
COMMENT=	Sguil is a network security monitoring program
16
15
17
LIB_DEPENDS=	tls:${PORTSDIR}/devel/tcltls
16
LIB_DEPENDS=	tls:${PORTSDIR}/devel/tcltls
18
RUN_DEPENDS=	snort:${PORTSDIR}/security/snort \
17
RUN_DEPENDS=	barnyard2:${PORTSDIR}/security/barnyard2-sguil \
19
		barnyard2:${PORTSDIR}/security/barnyard2 \
20
		${LOCALBASE}/lib/tclx8.4/tclx.tcl:${PORTSDIR}/lang/tclX
18
		${LOCALBASE}/lib/tclx8.4/tclx.tcl:${PORTSDIR}/lang/tclX
21
19
22
OPTIONS=	SANCP "Include sancp sensor" off \
20
OPTIONS_DEFINE=	PADS SANCP
23
		PADS "Include pads sensor" off
21
PADS_DESC=	Include pads sensor
22
SANCP_DESC=	Include sancp sensor
24
23
24
LICENSE_NAME=	QPLv1.0
25
LICENSE_FILE=	${WRKSRC}/doc/LICENSE.QPL
26
LICENSE_PERMS=	auto-accept
27
25
NO_BUILD=	yes
28
NO_BUILD=	yes
26
USE_RC_SUBR=	example_agent pcap_agent snort_agent
29
USE_RC_SUBR=	pcap_agent snort_agent
27
TCLSH_CMD?=	tclsh8.4
30
TCL_VER=	8.5
31
TCLSH=		tclsh${TCL_VER}
28
WRKSRC=		${WRKDIR}/sguil-${PORTVERSION}
32
WRKSRC=		${WRKDIR}/sguil-${PORTVERSION}
29
SUB_LIST=	SGUILDIR=${SGUILDIR}
33
PATCH_WRKSRC=	${WRKSRC}/sensor
34
SGUILDIR?=	sguil-sensor
35
SUB_LIST=	SGUILDIR=${SGUILDIR} TCLSH=${TCLSH}
30
SUB_FILES=	pkg-message
36
SUB_FILES=	pkg-message
31
PLIST_SUB=	SGUILDIR=${SGUILDIR}
37
PLIST_SUB=	SGUILDIR=${SGUILDIR}
32
SGUILDIR?=	sguil-sensor
38
AGENTS=		pcap_agent.tcl snort_agent.tcl
33
AGENTS=		example_agent.tcl pads_agent.tcl pcap_agent.tcl sancp_agent.tcl snort_agent.tcl
39
CONFS=		pcap_agent.conf snort_agent.conf
40
LOG_SCRIPTS=	log_packets-daemonlogger.sh log_packets.sh
41
WITH_PCRE=	true
34
42
35
PORTDOCS=	CHANGES FAQ INSTALL INSTALL.openbsd LICENSE.QPL \
43
PORTDOCS1=	README
36
		OPENSSL.README TODO UPGRADE USAGE sguildb.dia
44
PORTDOCS2=	README.daemonlogger
45
PORTDOCS3=	CHANGES FAQ INSTALL INSTALL.openbsd OPENSSL.README \
46
		TODO UPGRADE USAGE sguildb.dia
37
47
38
.include <bsd.port.pre.mk>
48
.include <bsd.port.options.mk>
39
49
40
WITH_PCRE=	true
50
.if ${PORT_OPTIONS:MSANCP}
41
51
AGENTS+=	sancp_agent.tcl pcap_agent-sancp.tcl
42
.if defined(WITH_SANCP)
52
CONFS+=		sancp_agent.conf sancp-indexed.conf pcap_agent-sancp.conf
43
RUN_DEPENDS+=	sancp:${PORTSDIR}/security/sancp
53
RUN_DEPENDS+=	sancp:${PORTSDIR}/security/sancp
44
USE_RC_SUBR+=	sancp_agent
54
USE_RC_SUBR+=	sancp_agent pcap_agent-sancp
45
PLIST_SUB+=	USESANCP=
55
PLIST_SUB+=	USESANCP=""
46
.else
56
.else
47
PLIST_SUB+=	USESANCP="@comment "
57
PLIST_SUB+=	USESANCP="@comment "
48
.endif
58
.endif
49
59
50
.if defined(WITH_PADS)
60
.if ${PORT_OPTIONS:MPADS}
61
AGENTS+=	pads_agent.tcl
62
CONFS+=		pads_agent.conf
51
RUN_DEPENDS+=	pads:${PORTSDIR}/net-mgmt/pads
63
RUN_DEPENDS+=	pads:${PORTSDIR}/net-mgmt/pads
52
USE_RC_SUBR+=	pads_agent
64
USE_RC_SUBR+=	pads_agent
53
PLIST_SUB+=	USEPADS=
65
PLIST_SUB+=	USEPADS=""
54
.else
66
.else
55
PLIST_SUB+=	USEPADS="@comment "
67
PLIST_SUB+=	USEPADS="@comment "
56
.endif
68
.endif
57
69
58
post-patch:
70
post-patch:
59
.for f in ${AGENTS}
71
.for f in ${AGENTS}
60
	@${REINPLACE_CMD} -e 's:exec tclsh:exec ${PREFIX}/bin/${TCLSH_CMD}:g' \
72
	@${REINPLACE_CMD} 's|/bin/sh|${PREFIX}/bin/${TCLSH}|' \
61
		${WRKSRC}/sensor/${f}
73
		${WRKSRC}/sensor/${f}
62
	@${REINPLACE_CMD} -e 's:/etc/:${PREFIX}/etc/${SGUILDIR}/:g' \
63
		${WRKSRC}/sensor/${f}
64
.endfor
74
.endfor
65
75
66
do-install:
76
do-install:
67
	@${MKDIR} ${PREFIX}/bin/${SGUILDIR}
77
	@${MKDIR} ${PREFIX}/bin/${SGUILDIR}
68
	@${MKDIR} ${PREFIX}/etc/${SGUILDIR}
78
	@${MKDIR} ${PREFIX}/etc/${SGUILDIR}
69
.for f in example_agent.tcl pcap_agent.tcl snort_agent.tcl
79
	@${MKDIR} ${PREFIX}/share/${SGUILDIR}
80
	@${MKDIR} ${PREFIX}/share/${SGUILDIR}/contrib
81
	@${MKDIR} ${PREFIX}/share/${SGUILDIR}/init
82
	(cd ${WRKSRC}/sensor/contrib && ${COPYTREE_SHARE} \* ${PREFIX}/share/${SGUILDIR}/contrib "! -name ossec_agent.tcl.orig")
83
	(cd ${WRKSRC}/sensor/init && ${COPYTREE_SHARE} \* ${PREFIX}/share/${SGUILDIR}/init)
84
.for f in ${AGENTS}
70
	${INSTALL_SCRIPT} -m 751 ${WRKSRC}/sensor/${f} \
85
	${INSTALL_SCRIPT} -m 751 ${WRKSRC}/sensor/${f} \
71
		${PREFIX}/bin/${SGUILDIR}/${f}
86
		${PREFIX}/bin/${SGUILDIR}/${f}
72
.endfor
87
.endfor
73
.for f in log_packets.sh
88
.for f in ${LOG_SCRIPTS}
74
	${INSTALL_SCRIPT} -m 751 ${WRKSRC}/sensor/${f} \
89
	${INSTALL_SCRIPT} -m 751 ${WRKSRC}/sensor/${f} \
75
		${PREFIX}/bin/${SGUILDIR}/${f}
90
		${PREFIX}/bin/${SGUILDIR}/${f}
76
.endfor
91
.endfor
77
.for f in example_agent.conf pcap_agent.conf snort_agent.conf
92
.for f in ${CONFS}
78
	${INSTALL_DATA} ${WRKSRC}/sensor/${f} \
93
	${INSTALL_DATA} ${WRKSRC}/sensor/${f} \
79
		${PREFIX}/etc/${SGUILDIR}/${f}-sample
94
		${PREFIX}/etc/${SGUILDIR}/${f}-sample
80
.endfor
95
.endfor
81
.for f in log_packets.conf
96
.if ${PORT_OPTIONS:MSANCP}
82
	${INSTALL_DATA} ${FILESDIR}/${f} \
97
.for f in log_packets-sancp.sh
83
		${PREFIX}/etc/${SGUILDIR}/${f}-sample
98
	${INSTALL_SCRIPT} -m 751 ${WRKSRC}/sensor/${f} \
99
		${PREFIX}/bin/${SGUILDIR}/${f}
84
.endfor
100
.endfor
85
.if defined(WITH_SANCP)
86
.for f in sancp_agent.conf
87
	${INSTALL_DATA} ${WRKSRC}/sensor/${f} \
88
		${PREFIX}/etc/${SGUILDIR}/${f}-sample
89
.endfor
90
.for f in sancp.conf
101
.for f in sancp.conf
91
	${INSTALL_DATA} ${WRKSRC}/sensor/sancp/${f} \
102
	${INSTALL_DATA} ${WRKSRC}/sensor/sancp/${f} \
92
		${PREFIX}/etc/${f}-sample
93
.endfor
94
.for f in sancp_agent.tcl
95
	${INSTALL_SCRIPT} ${WRKSRC}/sensor/${f} \
96
		${PREFIX}/bin/${SGUILDIR}/${f}
97
.endfor
98
.endif
99
.if defined(WITH_PADS)
100
.for f in pads_agent.conf
101
	${INSTALL_DATA} ${WRKSRC}/sensor/${f} \
102
		${PREFIX}/etc/${SGUILDIR}/${f}-sample
103
		${PREFIX}/etc/${SGUILDIR}/${f}-sample
103
.endfor
104
.endfor
104
.for f in pads_agent.tcl
105
	${INSTALL_SCRIPT} ${WRKSRC}/sensor/${f} \
106
		${PREFIX}/bin/${SGUILDIR}/${f}
107
.endfor
108
.endif
105
.endif
109
post-install:
106
post-install:
110
107
111
.if !defined(NOPORTDOCS)
108
.if ${PORT_OPTIONS:MDOCS}
112
	@${MKDIR} ${DOCSDIR}
109
	@${MKDIR} ${DOCSDIR}
113
	cd ${WRKSRC}/doc && ${INSTALL_DATA} \
110
	cd ${WRKSRC} && ${INSTALL_DATA} ${PORTDOCS1} ${DOCSDIR}
114
		${PORTDOCS} ${DOCSDIR}
111
	cd ${WRKSRC}/sensor && ${INSTALL_DATA} ${PORTDOCS2} ${DOCSDIR}
112
	cd ${WRKSRC}/doc && ${INSTALL_DATA} ${PORTDOCS3} ${DOCSDIR}
113
.if ${PORT_OPTIONS:MSANCP}
114
.for f in README.sancp_indexed_pcap
115
	cd ${WRKSRC}/sensor && ${INSTALL_DATA} ${f} ${DOCSDIR}
116
.endfor
115
.endif
117
.endif
118
.endif
116
	@${CAT} ${PKGMESSAGE}
119
	@${CAT} ${PKGMESSAGE}
117
120
118
.include <bsd.port.post.mk>
121
.include <bsd.port.mk>
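Review bot: The post-patch loop at new line 72 now rewrites only the interpreter line, and the old `s:/etc/:${PREFIX}/etc/${SGUILDIR}/:g` substitution is gone; the agents' default conf paths instead come from the new files/patch-*.tcl, which hard-code `/usr/local/etc/sguil-sensor/`, so a non-default PREFIX or `SGUILDIR?=` (both overridable in this Makefile) no longer reaches the agents' config lookup, and an agent started without `-c` then falls back to `./<agent>.conf` in whatever directory it was started from. I would keep the rewrite in post-patch, e.g. `@${REINPLACE_CMD} -e 's|/usr/local/etc/sguil-sensor/|${PREFIX}/etc/${SGUILDIR}/|g' ${WRKSRC}/sensor/${f}` (or have the patches use a placeholder that is substituted here), rather than baking the absolute path into the patches. The shebang substitution `s|/bin/sh|${PREFIX}/bin/${TCLSH}|` is also unanchored and rewrites the first `/bin/sh` on any line of the script, not just line 1; `'1s|^#!/bin/sh$$|#!${PREFIX}/bin/${TCLSH}|'` limits it to the interpreter line. Separately, `LICENSE_NAME`/`LICENSE_FILE`/`LICENSE_PERMS` are set without a `LICENSE=` line, which as far as I can tell means the license framework is never engaged for this port.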
(-)distinfo (-2 / +2 lines)
Lines 1-2 Link Here
1
SHA256 (sguil-sensor-0.7.0.tar.gz) = c6f08b031df9de942fc38b35a4bfc7db13357e61b7290b526bad66fcbe3e4f3b
1
SHA256 (sguil-sensor-0.8.0.tar.gz) = aa4617c4f9cf1d598c6d728afed50cd6f90dc5d1516a6eda8126401b7bba4be5
2
SIZE (sguil-sensor-0.7.0.tar.gz) = 68436
2
SIZE (sguil-sensor-0.8.0.tar.gz) = 142829
(-)files/example_agent.in (-34 lines)
Lines 1-34 Link Here
1
#!/bin/sh
2
3
# $FreeBSD$
4
5
# PROVIDE: example_agent
6
# REQUIRE: DAEMON
7
# KEYWORD: shutdown
8
9
# Add the following line to /etc/rc.conf to enable example_agent:
10
# example_agent_enable (bool):	Set to YES to enable example_agent
11
# 				Default: NO
12
# example_agent_conf (str):	Example_agent configuration file
13
#				Default: %%PREFIX%%/etc/%%SGUILDIR%%/example_agent.conf
14
# example_agent_flags (str):	Default: -D
15
#
16
17
. /etc/rc.subr
18
19
load_rc_config example_agent
20
21
#set defaults
22
example_agent_enable=${example_agent_enable:-"NO"}
23
example_agent_conf=${example_agent_conf:-"%%PREFIX%%/etc/%%SGUILDIR%%/example_agent.conf"}
24
example_agent_flags=${example_agent_flags:-"-D"}
25
26
name="example_agent"
27
rcvar=example_agent_enable
28
command="%%PREFIX%%/bin/%%SGUILDIR%%/example_agent.tcl"
29
command_args="-c ${example_agent_conf} ${example_agent_flags}"
30
procname="%%PREFIX%%/bin/tclsh8.4"
31
pidfile="/var/run/${name}.pid"
32
check_pidfile="${pidfile} ${procname} /bin/sh"
33
34
run_rc_command "$1"
(-)files/log_packets.conf (-35 lines)
Lines 1-35 Link Here
1
# Conf file for the log_packets script
2
# Make sure you verify the location of
3
# each of the binaries on your OS
4
5
# Edit these for your setup
6
7
# Sensors hostname.
8
# Note: If running multiple snort instances, then this must be different
9
#       for each instance (ie sensor1, sensor2, sensor-eth0, sensor-eth1, etc)
10
HOSTNAME="myhost"
11
# Path to snort binary
12
SNORT_PATH="/usr/local/bin/snort"
13
# Directory to log pcap data to (date dirs will be created in here)
14
# Note: The path $HOSTNAME/dailylogs, will be appended to this.
15
LOG_DIR="/snort_data"
16
# Percentage of disk to try and maintain
17
MAX_DISK_USE=90
18
# Interface to 'listen' to.
19
INTERFACE="eth0"
20
# Other options to use when starting snort
21
#OPTIONS="-u sguil -g sguil -m 122"
22
# Where to store the pid
23
PIDFILE="/var/run/snort_log-${HOSTNAME}.pid"
24
# How do we run ps
25
PS="ps awx"
26
# Where is grep
27
GREP="/usr/bin/grep"
28
#Add BPFs here.
29
#The below is an example of a filter for ignoring outbound HTTP from my network
30
# to the world.
31
#FILTER='not \( src net 67.11.255.148/32 and dst port 80 and "tcp[0:2] > 1024" \) and not \( src port 80 and dst net 67.11.255.148/32 and "tcp[2:2] > 1024"\)'
32
33
#Some installs may need these
34
#LD_LIBRARY_PATH=/usr/local/lib/mysql
35
#export LD_LIBRARY_PATH
(-)files/pads_agent.in (-9 / +41 lines)
Lines 16-34 Link Here
16
16
17
. /etc/rc.subr
17
. /etc/rc.subr
18
18
19
load_rc_config pads_agent
19
name="pads_agent"
20
rcvar=${name}_enable
21
load_rc_config ${name}
20
22
21
#set defaults
23
#set defaults
22
pads_agent_enable=${pads_agent_enable:-"NO"}
24
: ${pads_agent_enable:="NO"}
23
pads_agent_conf=${pads_agent_conf:-"%%PREFIX%%/etc/%%SGUILDIR%%/pads_agent.conf"}
25
: ${pads_agent_conf:="%%PREFIX%%/etc/%%SGUILDIR%%/pads_agent.conf"}
24
pads_agent_flags=${pads_agent_flags:-"-D"}
26
: ${pads_agent_flags:="-D -c ${pads_agent_conf}"}
25
27
26
name="pads_agent"
27
rcvar=pads_agent_enable
28
command="%%PREFIX%%/bin/%%SGUILDIR%%/pads_agent.tcl"
28
command="%%PREFIX%%/bin/%%SGUILDIR%%/pads_agent.tcl"
29
command_args="-c ${pads_agent_conf} ${pads_agent_flags}"
29
procname="%%PREFIX%%/bin/%%TCLSH%%"
30
procname="%%PREFIX%%/bin/tclsh8.4"
31
pidfile="/var/run/${name}.pid"
30
pidfile="/var/run/${name}.pid"
32
check_pidfile="${pidfile} ${procname} /bin/sh"
33
31
32
start_precmd="pads_agent_ck4fifo"
33
stop_postcmd="pads_agent_rmfifo"
34
35
pads_agent_ck4fifo()
36
{
37
        LOG_DIR=`grep "LOG_DIR " ${pads_agent_conf} | awk '{print $3}'`
38
        HOSTNAME=`grep "HOSTNAME " ${pads_agent_conf} | awk '{print $3}'`
39
        PADS_FIFO=${LOG_DIR}/${HOSTNAME}/pads.fifo
40
41
        if [ ! -p ${PADS_FIFO} ]; then
42
                echo "${PADS_FIFO} does not exist.  Creating now....."
43
                /usr/bin/mkfifo ${PADS_FIFO}
44
        fi
45
        echo "Checking for ${PADS_FIFO}...."
46
        if [ -p ${PADS_FIFO} ]; then
47
                echo "Confirmed!  ${PADS_FIFO} exists."
48
        else
49
                echo "I tried to create ${PADS_FIFO} and failed."
50
                echo "You will need to create it manually before starting ${name}."
51
        fi
52
}
53
54
pads_agent_rmfifo()
55
{
56
        LOG_DIR=`grep "LOG_DIR " ${pads_agent_conf} | awk '{print $3}'`
57
        HOSTNAME=`grep "HOSTNAME " ${pads_agent_conf} | awk '{print $3}'`
58
        PADS_FIFO=${LOG_DIR}/${HOSTNAME}/pads.fifo
59
60
        if [ -p ${PADS_FIFO} ]; then
61
                /bin/rm ${PADS_FIFO}
62
                echo "Removing ${PADS_FIFO}...."
63
        fi
64
}
65
34
run_rc_command "$1"
66
run_rc_command "$1"
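Review bot: `pads_agent_ck4fifo` (new lines 35-52) never actually gates startup: `LOG_DIR` and `HOSTNAME` are pulled out with an unanchored `grep` that also matches commented-out lines, nothing checks that either value is non-empty, so an unset key yields `PADS_FIFO=//pads.fifo` and `mkfifo` is attempted directly under `/`, and because the function ends in `echo`, `start_precmd` returns 0 and the agent starts even when the fifo could not be created. Quoting the expansions, rejecting empty values and failing through rc.subr's `err` makes the precheck meaningful; the rewrite below assumes the `set LOG_DIR <path>` layout that the existing `awk '{print $3}'` implies, so confirm against the shipped pads_agent.conf. `pads_agent_rmfifo` unlinks the fifo on stop while pads itself may still have it open, which is worth a second look too. Also, `-c ${pads_agent_conf}` now reaches the agent only through the default of `pads_agent_flags`, so a user who sets `pads_agent_flags="-D"` in rc.conf silently drops the config argument; I would keep `command_args="-c ${pads_agent_conf}"` and default the flags to `-D`.
```shell
pads_agent_ck4fifo()
{
        # Skip commented-out lines; last match wins.
        LOG_DIR=$(grep -v '^[[:space:]]*#' "${pads_agent_conf}" | grep 'LOG_DIR ' | awk '{print $3}' | tail -n 1)
        HOSTNAME=$(grep -v '^[[:space:]]*#' "${pads_agent_conf}" | grep 'HOSTNAME ' | awk '{print $3}' | tail -n 1)
        if [ -z "${LOG_DIR}" ] || [ -z "${HOSTNAME}" ]; then
                err 1 "LOG_DIR or HOSTNAME not set in ${pads_agent_conf}; cannot locate the pads fifo."
        fi
        PADS_FIFO="${LOG_DIR}/${HOSTNAME}/pads.fifo"

        if [ ! -p "${PADS_FIFO}" ]; then
                echo "${PADS_FIFO} does not exist.  Creating now....."
                /usr/bin/mkfifo "${PADS_FIFO}" || \
                        err 1 "Unable to create ${PADS_FIFO}; create it manually before starting ${name}."
        fi
        echo "Confirmed!  ${PADS_FIFO} exists."
}
# ... unchanged: pads_agent_rmfifo (apply the same quoting and empty-value guard there) ...
```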
(-)files/patch-log_packets.sh (-50 lines)
Lines 1-50 Link Here
1
--- sensor/log_packets.sh.orig	2008-04-03 22:16:22.000000000 -0500
2
+++ sensor/log_packets.sh	2008-04-03 22:22:20.000000000 -0500
3
@@ -22,38 +22,16 @@
4
 #                                                            #
5
 ##############################################################
6
 
7
+# You shouldn't need to edit anything in this script
8
 
9
-# Edit these for your setup
10
-
11
-# Sensors hostname.
12
-# Note: If running multiple snort instances, then this must be different
13
-#       for each instance (ie sensor1, sensor2, sensor-eth0, sensor-eth1, etc)
14
-HOSTNAME="myhost"
15
-# Path to snort binary
16
-SNORT_PATH="/usr/local/bin/snort"
17
-# Directory to log pcap data to (date dirs will be created in here)
18
-# Note: The path $HOSTNAME/dailylogs, will be appended to this.
19
-LOG_DIR="/snort_data"
20
-# Percentage of disk to try and maintain
21
-MAX_DISK_USE=90
22
-# Interface to 'listen' to.
23
-INTERFACE="eth0"
24
-# Other options to use when starting snort
25
-#OPTIONS="-u sguil -g sguil -m 122"
26
-# Where to store the pid
27
-PIDFILE="/var/run/snort_log-${HOSTNAME}.pid"
28
-# How do we run ps
29
-PS="ps awx"
30
-# Where is grep
31
-GREP="/usr/bin/grep"
32
-#Add BPFs here.
33
-#The below is an example of a filter for ignoring outbound HTTP from my network
34
-# to the world.
35
-#FILTER='not \( src net 67.11.255.148/32 and dst port 80 and "tcp[0:2] > 1024" \) and not \( src port 80 and dst net 67.11.255.148/32 and "tcp[2:2] > 1024"\)'
36
-
37
-#Some installs may need these
38
-#LD_LIBRARY_PATH=/usr/local/lib/mysql
39
-#export LD_LIBRARY_PATH
40
+CONF=/usr/local/etc/sguil-sensor/log_packets.conf
41
+if [ -r ${CONF} ]; then
42
+  . ${CONF}
43
+else
44
+  echo "Your conf file is either missing or the path "
45
+  echo "in the log_packets.sh script is incorrect."
46
+  exit 1
47
+fi
48
 
49
 TZ=GMT
50
 export TZ
(-)files/patch-ossec_agent.tcl (+30 lines)
Line 0 Link Here
1
--- contrib/ossec_agent/ossec_agent.tcl.orig	2012-12-17 22:47:18.000000000 +0000
2
+++ contrib/ossec_agent/ossec_agent.tcl	2012-12-17 22:48:45.000000000 +0000
3
@@ -1,6 +1,4 @@
4
 #!/bin/sh
5
-# Run tcl from users PATH \
6
-exec tclsh "$0" "$@"
7
 
8
 # OSSEC agent for Sguil 0.7.0.  Based on the "example_agent.tcl" code
9
 # distributed with sguil.  
10
@@ -593,9 +591,9 @@
11
 if { ![info exists CONF_FILE] } {
12
 
13
     # No conf file specified check the defaults
14
-    if { [file exists /etc/ossec_agent.conf] } {
15
+    if { [file exists /usr/local/etc/sguil-sensor/ossec_agent.conf] } {
16
 
17
-        set CONF_FILE /etc/ossec_agent.conf
18
+        set CONF_FILE /usr/local/etc/sguil-sensor/ossec_agent.conf
19
 
20
     } elseif { [file exists ./ossec_agent.conf] } {
21
 
22
@@ -604,7 +602,7 @@
23
     } else {
24
 
25
         puts "Couldn't determine where the ossec_agent.tcl config file is"
26
-        puts "Looked for /etc/ossec_agent.conf and ./ossec_agent.conf."
27
+        puts "Looked for /usr/local/etc/sguil-sensor/ossec_agent.conf and ./ossec_agent.conf."
28
         DisplayUsage $argv0
29
 
30
     }
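Review bot: This patch removes the `exec tclsh "$0" "$@"` trampoline from contrib/ossec_agent/ossec_agent.tcl, but the Makefile's post-patch shebang rewrite only runs over `${AGENTS}`; ossec_agent.tcl is copied under share/%%SGUILDIR%%/contrib by COPYTREE_SHARE with `#!/bin/sh` still as its first line, so the installed copy is a Tcl script that /bin/sh would try to execute. Either leave the trampoline in place for this file or add `${WRKSRC}/sensor/contrib/ossec_agent/ossec_agent.tcl` to the REINPLACE step. The new default path `/usr/local/etc/sguil-sensor/ossec_agent.conf` also points at a file this port does not install (pkg-plist ships ossec_agent.conf under share/%%SGUILDIR%%/contrib/ossec_agent/) and hard-codes the prefix instead of honouring PREFIX/SGUILDIR; a comment in the patched script such as `# Copy contrib/ossec_agent/ossec_agent.conf into the sguil-sensor etc dir before running` would at least tell the user what is expected.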
(-)files/patch-pads_agent.tcl (+39 lines)
Line 0 Link Here
1
--- pads_agent.tcl.orig	2012-12-19 21:25:26.000000000 +0000
2
+++ pads_agent.tcl	2012-12-19 21:27:37.000000000 +0000
3
@@ -1,6 +1,4 @@
4
 #!/bin/sh
5
-# Run tcl from users PATH \
6
-exec tclsh "$0" "$@"
7
 
8
 # $Id: pads_agent.tcl,v 1.13 2011/02/17 02:55:48 bamm Exp $ #
9
 
10
@@ -332,7 +330,7 @@
11
   id process group set
12
   if {[fork]} {exit 0}
13
   set PID [id process]
14
-  if { ![info exists PID_FILE] } { set PID_FILE "/var/run/sensor_agent.pid" }
15
+  if { ![info exists PID_FILE] } { set PID_FILE "/var/run/pads_agent.pid" }
16
   set PID_DIR [file dirname $PID_FILE]
17
   if { ![file exists $PID_DIR] || ![file isdirectory $PID_DIR] || ![file writable $PID_DIR] } {
18
     puts "ERROR: Directory $PID_DIR does not exists or is not writable."
19
@@ -380,16 +378,16 @@
20
   }
21
 }
22
 # Parse the config file here
23
-# Default location is /etc/pads_agent.conf or pwd
24
+# Default location is /usr/local/etc/sguil-sensor/pads_agent.conf or pwd
25
 if { ![info exists CONF_FILE] } {
26
   # No conf file specified check the defaults
27
-  if { [file exists /etc/pads_agent.conf] } {
28
-    set CONF_FILE /etc/pads_agent.conf
29
+  if { [file exists /usr/local/etc/sguil-sensor/pads_agent.conf] } {
30
+    set CONF_FILE /usr/local/etc/sguil-sensor/pads_agent.conf
31
   } elseif { [file exists ./pads_agent.conf] } {
32
     set CONF_FILE ./pads_agent.conf
33
   } else {
34
     puts "Couldn't determine where the sensor_agent.tcl config file is"
35
-    puts "Looked for /etc/pads_agent.conf and ./pads_agent.conf."
36
+    puts "Looked for /usr/local/etc/sguil-sensor/pads_agent.conf and ./pads_agent.conf."
37
     DisplayUsage $argv0
38
   }
39
 }
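Review bot: The default conf path is hard-coded to `/usr/local/etc/sguil-sensor/pads_agent.conf`, so PREFIX and `SGUILDIR?=` from the Makefile no longer reach the agent (the previous port handled this with a `s:/etc/:${PREFIX}/etc/${SGUILDIR}/:g` rewrite at build time); when that file is absent the agent still falls back to `./pads_agent.conf` in its current directory, which for a daemon is wherever rc started it. I would keep `/etc/pads_agent.conf` in the patch and let post-patch substitute the real prefix, so the patch does not have to change when the port is installed elsewhere. The PID_FILE default is changed here to `/var/run/pads_agent.pid` to match the rc script's `pidfile`; the other patch-*.tcl files in this change leave PID_FILE untouched, so their upstream defaults should be checked against `/var/run/<name>.pid` as well.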
(-)files/patch-pcap_agent-sancp.tcl (+35 lines)
Line 0 Link Here
1
--- pcap_agent-sancp.tcl.orig	2012-12-17 22:36:43.000000000 +0000
2
+++ pcap_agent-sancp.tcl	2012-12-17 22:38:22.000000000 +0000
3
@@ -1,6 +1,4 @@
4
 #!/bin/sh
5
-# Run tcl from users PATH \
6
-exec tclsh "$0" "$@"
7
 
8
 # $Id: pcap_agent-sancp.tcl,v 1.2 2008/05/29 19:25:50 hanashi Exp $ #
9
 
10
@@ -754,13 +752,13 @@
11
 }
12
 
13
 # Parse the config file here
14
-# Default location is /etc/pcap_agent.conf or pwd
15
+# Default location is /usr/local/etc/sguil-sensor/pcap_agent.conf or pwd
16
 if { ![info exists CONF_FILE] } {
17
 
18
     # No conf file specified check the defaults
19
-    if { [file exists /etc/pcap_agent.conf] } {
20
+    if { [file exists /usr/local/etc/sguil-sensor/pcap_agent.conf] } {
21
 
22
-        set CONF_FILE /etc/pcap_agent.conf
23
+        set CONF_FILE /usr/local/etc/sguil-sensor/pcap_agent.conf
24
 
25
     } elseif { [file exists ./pcap_agent.conf] } {
26
 
27
@@ -769,7 +767,7 @@
28
     } else {
29
 
30
         puts "Couldn't determine where the pcap_agent.tcl config file is"
31
-        puts "Looked for /etc/pcap_agent.conf and ./pcap_agent.conf."
32
+        puts "Looked for /usr/local/etc/sguil-sensor/pcap_agent.conf and ./pcap_agent.conf."
33
         DisplayUsage $argv0
34
 
35
     }
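Review bot: The default conf file this patch points the sancp variant at is `/usr/local/etc/sguil-sensor/pcap_agent.conf`, but the port installs `pcap_agent-sancp.conf-sample` for this agent (CONFS and pkg-plist) and the rc script passes `pcap_agent-sancp.conf`; an invocation without `-c` would therefore silently pick up the plain pcap_agent's configuration. I would use `pcap_agent-sancp.conf` in both the `file exists` test and the "Looked for" message. As in the sibling patches, the absolute prefix should be substituted from PREFIX/SGUILDIR at build time rather than hard-coded.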
(-)files/patch-pcap_agent.tcl (+35 lines)
Line 0 Link Here
1
--- pcap_agent.tcl.orig	2012-12-17 22:31:44.000000000 +0000
2
+++ pcap_agent.tcl	2012-12-17 22:42:50.000000000 +0000
3
@@ -1,6 +1,4 @@
4
 #!/bin/sh
5
-# Run tcl from users PATH \
6
-exec tclsh "$0" "$@"
7
 
8
 # $Id: pcap_agent.tcl,v 1.13 2011/03/10 22:03:33 bamm Exp $ #
9
 
10
@@ -771,13 +769,13 @@
11
 }
12
 
13
 # Parse the config file here
14
-# Default location is /etc/pcap_agent.conf or pwd
15
+# Default location is /usr/local/etc/sguil-sensor/pcap_agent.conf or pwd
16
 if { ![info exists CONF_FILE] } {
17
 
18
     # No conf file specified check the defaults
19
-    if { [file exists /etc/pcap_agent.conf] } {
20
+    if { [file exists /usr/local/etc/sguil-sensor/pcap_agent.conf] } {
21
 
22
-        set CONF_FILE /etc/pcap_agent.conf
23
+        set CONF_FILE /usr/local/etc/sguil-sensor/pcap_agent.conf
24
 
25
     } elseif { [file exists ./pcap_agent.conf] } {
26
 
27
@@ -786,7 +784,7 @@
28
     } else {
29
 
30
         puts "Couldn't determine where the pcap_agent.tcl config file is"
31
-        puts "Looked for /etc/pcap_agent.conf and ./pcap_agent.conf."
32
+        puts "Looked for /usr/local/etc/sguil-sensor/pcap_agent.conf and ./pcap_agent.conf."
33
         DisplayUsage $argv0
34
 
35
     }
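Review bot: The default conf path is hard-coded to `/usr/local/etc/sguil-sensor/pcap_agent.conf`, so the Makefile's overridable PREFIX and `SGUILDIR?=` no longer reach the agent, and when the file is missing the agent still falls back to `./pcap_agent.conf` in its current directory. Keeping `/etc/pcap_agent.conf` in the patch and substituting the real prefix in post-patch (as the previous port did) avoids both the stale path and the patch churn.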
(-)files/patch-sancp_agent.tcl (+30 lines)
Line 0 Link Here
1
--- sancp_agent.tcl.orig	2012-12-17 22:43:39.000000000 +0000
2
+++ sancp_agent.tcl	2012-12-17 22:44:56.000000000 +0000
3
@@ -1,6 +1,4 @@
4
 #!/bin/sh
5
-# Run tcl from users PATH \
6
-exec tclsh "$0" "$@"
7
 
8
 # $Id: sancp_agent.tcl,v 1.15 2011/03/10 22:03:33 bamm Exp $ #
9
 
10
@@ -582,16 +580,16 @@
11
   }
12
 }
13
 # Parse the config file here
14
-# Default location is /etc/sancp_agent.conf or pwd
15
+# Default location is /usr/local/etc/sguil-sensor/sancp_agent.conf or pwd
16
 if { ![info exists CONF_FILE] } {
17
   # No conf file specified check the defaults
18
-  if { [file exists /etc/sancp_agent.conf] } {
19
-    set CONF_FILE /etc/sancp_agent.conf
20
+  if { [file exists /usr/local/etc/sguil-sensor/sancp_agent.conf] } {
21
+    set CONF_FILE /usr/local/etc/sguil-sensor/sancp_agent.conf
22
   } elseif { [file exists ./sancp_agent.conf] } {
23
     set CONF_FILE ./sancp_agent.conf
24
   } else {
25
     puts "Couldn't determine where the sancp_agent.tcl config file is"
26
-    puts "Looked for /etc/sancp_agent.conf and ./sancp_agent.conf."
27
+    puts "Looked for /usr/local/etc/sguil-sensor/sancp_agent.conf and ./sancp_agent.conf."
28
     DisplayUsage $argv0
29
   }
30
 }
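Review bot: The default conf path is hard-coded to `/usr/local/etc/sguil-sensor/sancp_agent.conf`, so the Makefile's overridable PREFIX and `SGUILDIR?=` no longer reach the agent, and when the file is missing it still falls back to `./sancp_agent.conf` in its current directory. Keeping `/etc/sancp_agent.conf` in the patch and substituting the real prefix in post-patch (as the previous port did) avoids both the stale path and the patch churn.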
(-)files/patch-snort_agent.tcl (+35 lines)
Line 0 Link Here
1
--- snort_agent.tcl.orig	2012-12-17 22:33:35.000000000 +0000
2
+++ snort_agent.tcl	2012-12-17 22:39:39.000000000 +0000
3
@@ -1,6 +1,4 @@
4
 #!/bin/sh
5
-# Run tcl from users PATH \
6
-exec tclsh "$0" "$@"
7
 
8
 # $Id: snort_agent.tcl,v 1.9 2011/02/17 02:55:48 bamm Exp $ #
9
 
10
@@ -680,13 +678,13 @@
11
 }
12
 
13
 # Parse the config file here
14
-# Default location is /etc/snort_agent.conf or pwd
15
+# Default location is /usr/local/etc/sguil-sensor/snort_agent.conf or pwd
16
 if { ![info exists CONF_FILE] } {
17
 
18
     # No conf file specified check the defaults
19
-    if { [file exists /etc/snort_agent.conf] } {
20
+    if { [file exists /usr/local/etc/sguil-sensor/snort_agent.conf] } {
21
 
22
-        set CONF_FILE /etc/snort_agent.conf
23
+        set CONF_FILE /usr/local/etc/sguil-sensor/snort_agent.conf
24
 
25
     } elseif { [file exists ./snort_agent.conf] } {
26
 
27
@@ -695,7 +693,7 @@
28
     } else {
29
 
30
         puts "Couldn't determine where the snort_agent.tcl config file is"
31
-        puts "Looked for /etc/snort_agent.conf and ./snort_agent.conf."
32
+        puts "Looked for /usr/local/etc/sguil-sensor/snort_agent.conf and ./snort_agent.conf."
33
         DisplayUsage $argv0
34
 
35
     }
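Review bot: The default conf path is hard-coded to `/usr/local/etc/sguil-sensor/snort_agent.conf`, so the Makefile's overridable PREFIX and `SGUILDIR?=` no longer reach the agent, and when the file is missing it still falls back to `./snort_agent.conf` in its current directory. Keeping `/etc/snort_agent.conf` in the patch and substituting the real prefix in post-patch (as the previous port did) avoids both the stale path and the patch churn.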
(-)files/pcap_agent-sancp.in (+32 lines)
Line 0 Link Here
1
#!/bin/sh
2
3
# $FreeBSD: head/security/sguil-sensor/files/pcap_agent-sancp.in 302141 2012-08-05 23:19:36Z dougb $
4
5
# PROVIDE: pcap_agent-sancp
6
# REQUIRE: DAEMON
7
# KEYWORD: shutdown
8
9
# Add the following line to /etc/rc.conf to enable pcap_agent-sancp:
10
# pcap_agent-sancp_enable (bool):	Set to YES to enable pcap_agent-sancp
11
# 				Default: NO
12
# pcap_agent-sancp_conf (str):	Pads_agent configuration file
13
#				Default: %%PREFIX%%/etc/%%SGUILDIR%%/pcap_agent-sancp.conf
14
# pcap_agent-sancp_flags (str):	Default: -D
15
#
16
17
. /etc/rc.subr
18
19
name="pcap_agent-sancp"
20
rcvar=pcap_agent-sancp_enable
21
load_rc_config pcap_agent-sancp
22
23
#set defaults
24
: ${pcap_agent-sancp_enable:="NO"}
25
: ${pcap_agent-sancp_conf:="%%PREFIX%%/etc/%%SGUILDIR%%/pcap_agent-sancp.conf"}
26
: ${pcap_agent-sancp_flags:="-D -c ${pcap_agent-sancp_conf}"}
27
28
command="%%PREFIX%%/bin/%%SGUILDIR%%/pcap_agent-sancp.tcl"
29
procname="%%PREFIX%%/bin/%%TCLSH%%"
30
pidfile="/var/run/${name}.pid"
31
32
run_rc_command "$1"
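Review bot: The rc variables in this new script carry a hyphen in their names (`rcvar=pcap_agent-sancp_enable`, `: ${pcap_agent-sancp_enable:="NO"}` at lines 20-26), which is not a valid shell parameter name: `${pcap_agent-sancp_enable:="NO"}` parses as `${pcap_agent-word}`, i.e. "use `sancp_enable:="NO"` if `pcap_agent` is unset", so none of the defaults are ever assigned, `checkyesno` on the rcvar can never see YES, and `${name}_flags` most likely expands to the literal `-sancp_flags` — the service cannot be enabled from rc.conf at all. The file and `PROVIDE` name can stay `pcap_agent-sancp`, but `name`, `rcvar` and the knobs need underscores, and the header comment should document the renamed variables (it currently also says "Pads_agent configuration file", a copy-paste slip). The `# $FreeBSD: head/... 302141 ... $` line is an already-expanded keyword copied from another file; a new file should carry the bare `$FreeBSD$`. I could not confirm from the diff what pid file pcap_agent-sancp.tcl writes by default, since unlike pads_agent.tcl its PID_FILE is not patched, so `pidfile` below is kept as the old name and should be checked against the agent.
```shell
name="pcap_agent_sancp"
rcvar=pcap_agent_sancp_enable
load_rc_config ${name}

#set defaults
: ${pcap_agent_sancp_enable:="NO"}
: ${pcap_agent_sancp_conf:="%%PREFIX%%/etc/%%SGUILDIR%%/pcap_agent-sancp.conf"}
: ${pcap_agent_sancp_flags:="-D"}

command="%%PREFIX%%/bin/%%SGUILDIR%%/pcap_agent-sancp.tcl"
command_args="-c ${pcap_agent_sancp_conf}"
procname="%%PREFIX%%/bin/%%TCLSH%%"
pidfile="/var/run/pcap_agent-sancp.pid"   # must match what the agent itself writes
```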
(-)files/pcap_agent.in (-8 / +6 lines)
Lines 16-34 Link Here
16
16
17
. /etc/rc.subr
17
. /etc/rc.subr
18
18
19
name="pcap_agent"
20
rcvar=pcap_agent_enable
19
load_rc_config pcap_agent
21
load_rc_config pcap_agent
20
22
21
#set defaults
23
#set defaults
22
pcap_agent_enable=${pcap_agent_enable:-"NO"}
24
: ${pcap_agent_enable:="NO"}
23
pcap_agent_conf=${pcap_agent_conf:-"%%PREFIX%%/etc/%%SGUILDIR%%/pcap_agent.conf"}
25
: ${pcap_agent_conf:="%%PREFIX%%/etc/%%SGUILDIR%%/pcap_agent.conf"}
24
pcap_agent_flags=${pcap_agent_flags:-"-D"}
26
: ${pcap_agent_flags:="-D -c ${pcap_agent_conf}"}
25
27
26
name="pcap_agent"
27
rcvar=pcap_agent_enable
28
command="%%PREFIX%%/bin/%%SGUILDIR%%/pcap_agent.tcl"
28
command="%%PREFIX%%/bin/%%SGUILDIR%%/pcap_agent.tcl"
29
command_args="-c ${pcap_agent_conf} ${pcap_agent_flags}"
29
procname="%%PREFIX%%/bin/%%TCLSH%%"
30
procname="%%PREFIX%%/bin/tclsh8.4"
31
pidfile="/var/run/${name}.pid"
30
pidfile="/var/run/${name}.pid"
32
check_pidfile="${pidfile} ${procname} /bin/sh"
33
31
34
run_rc_command "$1"
32
run_rc_command "$1"
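Review bot: `command_args` is dropped and `-c ${pcap_agent_conf}` now lives only in the default of `pcap_agent_flags` (new line 26), so anyone who sets `pcap_agent_flags` in rc.conf — even to the documented default `-D` — silently loses the config-file argument and `pcap_agent_conf` stops having any effect; the agent then uses its built-in path or `./pcap_agent.conf`. I would keep the two separate: `: ${pcap_agent_flags:="-D"}` and `command_args="-c ${pcap_agent_conf}"`. As far as I recall rc.subr runs `$command $rc_flags $command_args`, so the resulting invocation is the same `-D -c <conf>`.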
(-)files/pkg-message.in (-11 / +14 lines)
Lines 2-14 Link Here
2
            * !!!!!!!!!!! WARNING !!!!!!!!!!! *
2
            * !!!!!!!!!!! WARNING !!!!!!!!!!! *
3
            ***********************************
3
            ***********************************
4
4
5
If you already had barnyard installed, this port will NOT deinstall
5
If you already had barnyard2 installed, this port will NOT deinstall
6
it and install the barnyard-sguil6 port instead.  You will need to
6
it and install the barnyard2-sguil port instead.  You will need to
7
deinstall the barnyard port and install the barnyard-sguil6 port yourself
7
deinstall the barnyard2 port and install the barnyard2-sguil port yourself
8
instead.  This port WILL NOT WORK without the barnyard-sguil6 port!!
8
instead.  This port WILL NOT WORK without the barnyard2-sguil port!!
9
9
10
You MUST edit the log_packets.conf file (located in %%PREFIX%%/etc/%%SGUILDIR%%)
11
to fit your configuration before running the log_packets.sh script.
12
See the %%DOCSDIR%%/INSTALL doc for details on the 
10
See the %%DOCSDIR%%/INSTALL doc for details on the 
13
configuration and for croning the script.  
11
configuration and for croning the script.  
14
12
Lines 16-28 Link Here
16
quickly.  You should probably configure sguil et al to log to
14
quickly.  You should probably configure sguil et al to log to
17
another partition/location (e.g. /nsm/tmp/).
15
another partition/location (e.g. /nsm/tmp/).
18
16
19
You must ALSO edit all of the sensor conf fileis (located in 
17
You must ALSO edit all of the sensor conf files (located in 
20
%%PREFIX%%/%%SGUILDIR%%/etc/) to reflect your configuration before 
18
%%PREFIX%%/%%SGUILDIR%%/etc/) to reflect your configuration before 
21
starting the sensor_agents.
19
starting the sensor_agents.
22
20
21
A number of ancilliary things have been installed in
22
%%PREFIX%%/share/%%SGUILDIR%%.
23
23
If you chose to run sancp, and you already had a sancp.conf file in
24
If you chose to run sancp, and you already had a sancp.conf file in
24
%%PREFIX%%/etc, copy it to sancp.conf.orig before creating the new one.
25
%%PREFIX%%/etc, copy it to sancp.conf.orig before creating the new one.
25
The new sancp.conf-sample file contains the settings for squil.
26
The new sancp.conf-sample file contains the settings for squil. NOTE:
26
If you still want to maintain the customized sancp.conf file, then copy 
27
the conf file is for sancp 1.5.3.  It may need additional edits to work
27
the new sancp.conf-sample file to sguild-sancp.conf (for example) and 
28
with the current ports version of sancp. If you still want to maintain
28
add sancp_conf=%%PREFIX%%/etc/sguild-sancp.conf to /etc/rc.conf.
29
the customized sancp.conf file, then copy the new sancp.conf-sample
30
file to sguild-sancp.conf (for example) and add 
31
sancp_conf=%%PREFIX%%/etc/sguild-sancp.conf to /etc/rc.conf.
(-)files/sancp_agent.in (-8 / +6 lines)
Lines 16-34 Link Here
16
16
17
. /etc/rc.subr
17
. /etc/rc.subr
18
18
19
name="sancp_agent"
20
rcvar=sancp_agent_enable
19
load_rc_config sancp_agent
21
load_rc_config sancp_agent
20
22
21
#set defaults
23
#set defaults
22
sancp_agent_enable=${sancp_agent_enable:-"NO"}
24
: ${sancp_agent_enable:="NO"}
23
sancp_agent_conf=${sancp_agent_conf:-"%%PREFIX%%/etc/%%SGUILDIR%%/sancp_agent.conf"}
25
: ${sancp_agent_conf:="%%PREFIX%%/etc/%%SGUILDIR%%/sancp_agent.conf"}
24
sancp_agent_flags=${sancp_agent_flags:-"-D"}
26
: ${sancp_agent_flags:="-D -c ${sancp_agent_conf}"}
25
27
26
name="sancp_agent"
27
rcvar=sancp_agent_enable
28
command="%%PREFIX%%/bin/%%SGUILDIR%%/sancp_agent.tcl"
28
command="%%PREFIX%%/bin/%%SGUILDIR%%/sancp_agent.tcl"
29
command_args="-c ${sancp_agent_conf} ${sancp_agent_flags}"
29
procname="%%PREFIX%%/bin/%%TCLSH%%"
30
procname="%%PREFIX%%/bin/tclsh8.4"
31
pidfile="/var/run/${name}.pid"
30
pidfile="/var/run/${name}.pid"
32
check_pidfile="${pidfile} ${procname} /bin/sh"
33
31
34
run_rc_command "$1"
32
run_rc_command "$1"
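Review bot: `command_args` is dropped and `-c ${sancp_agent_conf}` now lives only in the default of `sancp_agent_flags` (new line 26), so a user who sets `sancp_agent_flags` in rc.conf — even to the documented default `-D` — silently loses the config-file argument and `sancp_agent_conf` stops having any effect. I would keep the two separate: `: ${sancp_agent_flags:="-D"}` and `command_args="-c ${sancp_agent_conf}"`. As far as I recall rc.subr runs `$command $rc_flags $command_args`, so the resulting invocation is the same `-D -c <conf>`.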
(-)files/snort_agent.in (-8 / +6 lines)
Lines 16-34 Link Here
16
16
17
. /etc/rc.subr
17
. /etc/rc.subr
18
18
19
name="snort_agent"
20
rcvar=snort_agent_enable
19
load_rc_config snort_agent
21
load_rc_config snort_agent
20
22
21
#set defaults
23
#set defaults
22
snort_agent_enable=${snort_agent_enable:-"NO"}
24
: ${snort_agent_enable:="NO"}
23
snort_agent_conf=${snort_agent_conf:-"%%PREFIX%%/etc/%%SGUILDIR%%/snort_agent.conf"}
25
: ${snort_agent_conf:="%%PREFIX%%/etc/%%SGUILDIR%%/snort_agent.conf"}
24
snort_agent_flags=${snort_agent_flags:-"-D"}
26
: ${snort_agent_flags:="-D -c ${snort_agent_conf}"}
25
27
26
name="snort_agent"
27
rcvar=snort_agent_enable
28
command="%%PREFIX%%/bin/%%SGUILDIR%%/snort_agent.tcl"
28
command="%%PREFIX%%/bin/%%SGUILDIR%%/snort_agent.tcl"
29
command_args="-c ${snort_agent_conf} ${snort_agent_flags}"
29
procname="%%PREFIX%%/bin/%%TCLSH%%"
30
procname="%%PREFIX%%/bin/tclsh8.4"
31
pidfile="/var/run/${name}.pid"
30
pidfile="/var/run/${name}.pid"
32
check_pidfile="${pidfile} ${procname} /bin/sh"
33
31
34
run_rc_command "$1"
32
run_rc_command "$1"
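Review bot: `command_args` is dropped and `-c ${snort_agent_conf}` now lives only in the default of `snort_agent_flags` (new line 26), so a user who sets `snort_agent_flags` in rc.conf — even to the documented default `-D` — silently loses the config-file argument and `snort_agent_conf` stops having any effect. I would keep the two separate: `: ${snort_agent_flags:="-D"}` and `command_args="-c ${snort_agent_conf}"`. As far as I recall rc.subr runs `$command $rc_flags $command_args`, so the resulting invocation is the same `-D -c <conf>`.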
(-)pkg-descr (-2 / +1 lines)
Lines 4-10 Link Here
4
(www.tcl.tk). Sguil also relies on other open source software
4
(www.tcl.tk). Sguil also relies on other open source software
5
in order to function properly.
5
in order to function properly.
6
6
7
The sensor list includes security/barnyard, security/snort, 
7
The sensor list includes security/barnyard2-sguil, security/snort, 
8
security/sancp, net-mgmt/pads, tcpdump (a part of the OS) 
8
security/sancp, net-mgmt/pads, tcpdump (a part of the OS) 
9
and devel/tcltls as well as lang/tcl84 and lang/tclX.  Care 
9
and devel/tcltls as well as lang/tcl84 and lang/tclX.  Care 
10
has been taken to ensure that everything you need to build 
10
has been taken to ensure that everything you need to build 
Lines 15-18 Link Here
15
rule management capabilities.
15
rule management capabilities.
16
16
17
WWW: http://sguil.sourceforge.net/index.php
17
WWW: http://sguil.sourceforge.net/index.php
18
pauls@utdallas.edu
(-)pkg-plist (-5 / +31 lines)
Lines 1-15 Link Here
1
bin/%%SGUILDIR%%/log_packets-daemonlogger.sh
1
bin/%%SGUILDIR%%/log_packets.sh
2
bin/%%SGUILDIR%%/log_packets.sh
2
bin/%%SGUILDIR%%/example_agent.tcl
3
bin/%%SGUILDIR%%/pcap_agent.tcl
3
bin/%%SGUILDIR%%/pcap_agent.tcl
4
bin/%%SGUILDIR%%/snort_agent.tcl
4
bin/%%SGUILDIR%%/snort_agent.tcl
5
etc/%%SGUILDIR%%/example_agent.conf-sample
6
etc/%%SGUILDIR%%/pcap_agent.conf-sample
5
etc/%%SGUILDIR%%/pcap_agent.conf-sample
7
etc/%%SGUILDIR%%/snort_agent.conf-sample
6
etc/%%SGUILDIR%%/snort_agent.conf-sample
8
etc/%%SGUILDIR%%/log_packets.conf-sample
7
%%DOCSDIR%%/CHANGES
8
%%DOCSDIR%%/FAQ
9
%%DOCSDIR%%/INSTALL
10
%%DOCSDIR%%/INSTALL.openbsd
11
%%DOCSDIR%%/OPENSSL.README
12
%%DOCSDIR%%/README
13
%%DOCSDIR%%/README.daemonlogger
14
%%DOCSDIR%%/TODO
15
%%DOCSDIR%%/UPGRADE
16
%%DOCSDIR%%/USAGE
17
%%DOCSDIR%%/sguildb.dia
18
share/%%SGUILDIR%%/contrib/ossec_agent/README
19
share/%%SGUILDIR%%/contrib/ossec_agent/ossec_agent.conf
20
share/%%SGUILDIR%%/contrib/ossec_agent/ossec_agent.tcl
21
share/%%SGUILDIR%%/contrib/portscan_loader/Makefile
22
share/%%SGUILDIR%%/contrib/portscan_loader/portscan_loader.c
23
share/%%SGUILDIR%%/init/sensoragent
9
%%USEPADS%%bin/%%SGUILDIR%%/pads_agent.tcl
24
%%USEPADS%%bin/%%SGUILDIR%%/pads_agent.tcl
10
%%USEPADS%%etc/%%SGUILDIR%%/pads_agent.conf-sample
25
%%USEPADS%%etc/%%SGUILDIR%%/pads_agent.conf-sample
11
%%USESANCP%%etc/sancp.conf-sample
26
%%USESANCP%%bin/%%SGUILDIR%%/log_packets-sancp.sh
27
%%USESANCP%%bin/%%SGUILDIR%%/pcap_agent-sancp.tcl
12
%%USESANCP%%bin/%%SGUILDIR%%/sancp_agent.tcl
28
%%USESANCP%%bin/%%SGUILDIR%%/sancp_agent.tcl
13
%%USESANCP%%etc/%%SGUILDIR%%/sancp_agent.conf-sample
29
%%USESANCP%%etc/%%SGUILDIR%%/sancp_agent.conf-sample
30
%%USESANCP%%etc/%%SGUILDIR%%/sancp-indexed.conf-sample
31
%%USESANCP%%etc/%%SGUILDIR%%/pcap_agent-sancp.conf-sample
32
%%USESANCP%%etc/%%SGUILDIR%%/sancp.conf-sample
33
%%USESANCP%%%%DOCSDIR%%/README.sancp_indexed_pcap
34
@dirrm share/%%SGUILDIR%%/init
35
@dirrm share/%%SGUILDIR%%/contrib/portscan_loader
36
@dirrm share/%%SGUILDIR%%/contrib/ossec_agent
37
@dirrm share/%%SGUILDIR%%/contrib
38
@dirrm share/%%SGUILDIR%%
39
@dirrmtry etc/%%SGUILDIR%%
14
@dirrm bin/%%SGUILDIR%%
40
@dirrm bin/%%SGUILDIR%%
15
@dirrmtry etc/%%SGUILDIR%%
41
@dirrm %%DOCSDIR%%
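Review bot: The `%%DOCSDIR%%` entries (new lines 7-17 and 33) and the closing `@dirrm %%DOCSDIR%%` are unconditional, but the Makefile installs the docs only under `.if ${PORT_OPTIONS:MDOCS}`, so a build with DOCS off fails the plist check on files that were never installed. Each of those lines needs the `%%PORTDOCS%%` prefix that the framework provides for the DOCS option, e.g. `%%PORTDOCS%%%%DOCSDIR%%/CHANGES`, `%%USESANCP%%%%PORTDOCS%%%%DOCSDIR%%/README.sancp_indexed_pcap` and `%%PORTDOCS%%@dirrm %%DOCSDIR%%`. The move of `sancp.conf-sample` from `etc/` to `etc/%%SGUILDIR%%/` matches the new install rule, but pkg-message.in in this same change still tells users to look for their existing sancp.conf in `%%PREFIX%%/etc`.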
