Bug 95018

Summary: new port: security/sguil-sensor
Product: Ports & Packages
Reporter: pauls
Component: Individual Port(s)
Assignee: Boris Samorodov <bsam>
Status: Closed FIXED
Severity: Affects Only Me
Priority: Normal
Version: Latest
Hardware: Any
OS: Any
Attachments (Description / Flags):
  Makefile / none
  pkg-descr / none
  log_packets.conf / none
  patch-sensor_agent.tcl / none
  sensor_agent.sh.in / none
  smime.p7s / none
  file.dat / none
  sguil.shar / none
  smime.p7s / none

Description pauls 2006-03-28 03:20:19 UTC
Sguil is a network security monitoring system that uses snort

Fix: MD5 (sguil-sensor-0.6.1.tar.gz) = 62be71b0aa41ccacb7872839dc4bf5ad
SHA256 (sguil-sensor-0.6.1.tar.gz) = b1da0fffeaecd69b9d8eeeb27025fdc3493a2eabfec8ed4153f688f11ee226eb
SIZE (sguil-sensor-0.6.1.tar.gz) = 103441
--- distinfo ends here ---

bin/%%SGUILDIR%%/log_packets.sh-sample
bin/%%SGUILDIR%%/sensor_agent.tcl
etc/log_packets.conf-sample
@unexec if [ -f %D/etc/sancp.conf-sample ]; then rm %D/etc/sancp.conf-sample; fi;
@dirrm bin/%%SGUILDIR%%
--- pkg-plist ends here ---

--- sensor/log_packets.sh.orig	Fri Mar 24 13:12:18 2006
+++ sensor/log_packets.sh	Mon Mar 27 17:22:54 2006
@@ -23,37 +23,16 @@
 ##############################################################
 
 
-# Edit these for your setup
+# You shouldn't need to edit anything in this script
 
-# Sensors hostname.
-# Note: If running multiple snort instances, then this must be different
-#       for each instance (ie sensor1, sensor2, sensor-eth0, sensor-eth1, etc)
-HOSTNAME="myhost"
-# Path to snort binary
-SNORT_PATH="/usr/local/bin/snort"
-# Directory to log pcap data to (date dirs will be created in here)
-# Note: The path $HOSTNAME/dailylogs, will be appended to this.
-LOG_DIR="/snort_data"
-# Percentage of disk to try and maintain
-MAX_DISK_USE=90
-# Interface to 'listen' to.
-INTERFACE="eth0"
-# Other options to use when starting snort
-#OPTIONS="-u sguil -g sguil -m 122"
-# Where to store the pid
-PIDFILE="/var/run/snort_log-${HOSTNAME}.pid"
-# How do we run ps
-PS="ps awx"
-# Where is grep
-GREP="/usr/bin/grep"
-#Add BPFs here.
-#The below is an example of a filter for ignoring outbound HTTP from my network
-# to the world.
-#FILTER='not \( src net 67.11.255.148/32 and dst port 80 and "tcp[0:2] > 1024" \) and not \( src port 80 and dst net 67.11.255.148/32 and "tcp[2:2] > 1024"\)'
-
-#Some installs may need these
-#LD_LIBRARY_PATH=/usr/local/lib/mysql
-#export LD_LIBRARY_PATH
+CONF=/path/to/log_packets.conf
+if [ -r ${CONF} ]; then
+  . ${CONF}
+else
+  echo "Your conf file is either missing or the path "
+  echo "in the log_packets.sh script is incorrect."
+  exit 1
+fi
 
 TZ=GMT
 export TZ
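Review bot: `CONF=/path/to/log_packets.conf` is a literal placeholder, so the patched script hits the "conf file is either missing" branch and exits 1 on every install until someone edits it by hand, which contradicts the new `# You shouldn't need to edit anything in this script` comment and pkg-message's statement that the file lives in %%PREFIX%%/etc/; substitute the real prefix at build time (`CONF=%%PREFIX%%/etc/log_packets.conf`, expanded the same way the port already expands sensor_agent.sh.in) instead of shipping `/path/to`. Since `. ${CONF}` executes whatever the file contains with the privileges of the cron job that runs log_packets.sh, the same block should also refuse a conf that is not owned by root or is group/world writable, and the two `echo` error lines belong on stderr (`>&2`) so cron mails them rather than burying them in stdout.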
--- patch-log_packets.sh ends here ---

            ***********************************
            * !!!!!!!!!!! WARNING !!!!!!!!!!! *
            ***********************************

If you already had barnyard installed, this port will NOT deinstall
it and install the barnyard-sguil6 port instead.  You will need to
deinstall the barnyard port and install the barnyard-sguil6 port yourself
instead.  This port WILL NOT WORK without the barnyard-sguil6 port!!

You MUST edit the log_packets.conf file (located in %%PREFIX%%/etc/)
to fit your configuration before running the log_packets.sh script.
See the %%DOCSDIR%%/INSTALL doc for details on the
configuration and for running the script from cron.

WARNING!!!  Sguil et al will fill up your /tmp directory very
quickly.  You should probably configure sguil et al to log to
another partition/location (e.g. /nsm/tmp/).

You must ALSO edit the sensor_agent.conf file (located in
%%PREFIX%%/etc/) to reflect your configuration before
starting the sensor_agent.

If you choose to run sancp, and you already had a sancp.conf file in
%%PREFIX%%/etc, copy it to sancp.conf.orig before creating the new one.
The new sancp.conf-sample file contains the settings for sguil.
If you still want to maintain the customized sancp.conf file, then copy
the new sancp.conf-sample file to sguild-sancp.conf (for example) and
add sancp_conf=%%PREFIX%%/etc/sguild-sancp.conf to /etc/rc.conf.
--- pkg-message.in ends here ---
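The configuration steps in pkg-message.in (edit log_packets.conf before running log_packets.sh, keep the logs off /tmp) and the `. ${CONF}` line in patch-log_packets.sh come down to the same thing: the sensor sources a shell file as whatever user the cron job runs as. The following is an added example, not code from the sguil-sensor port or from Sguil itself. It refuses to source a conf that is not owned by the invoking user or is group/world writable, and then validates the variables that the original log_packets.sh defaults show (HOSTNAME, LOG_DIR, INTERFACE, MAX_DISK_USE). The function names, paths and the sample conf contents are constructed for the demo.

```sh
#!/bin/sh
# Added example, not part of the sguil-sensor port: guard the ". ${CONF}"
# pattern from log_packets.sh.  The conf is plain shell and runs with the
# sensor's privileges, so trust it only if nobody else can write it, then
# sanity-check the variables the script depends on.  All paths and the
# sample conf below are constructed for this demo.

# Returns 0 if $1 is a regular file owned by the invoking user with the
# group and other write bits clear, 1 otherwise.  Uses ls -ldn (numeric
# ids) so it works without a passwd entry for the uid, and reads the mode
# string columns instead of stat(1), whose flags differ between BSD and GNU.
conf_is_trusted() {
    f=$1
    [ -f "$f" ] || return 1
    owner=$(ls -ldn "$f" | awk '{print $3}')
    [ "$owner" = "$(id -u)" ] || return 1
    mode=$(ls -ld "$f" | cut -c1-10)   # e.g. -rw-r--r--
    case "$mode" in
        -????-??-?) return 0 ;;         # columns 6 and 9 are the g/o write bits
        *) return 1 ;;
    esac
}

# Source the conf only after the trust check, then validate what it set.
# The variables are cleared first so a stale value from an earlier conf
# cannot satisfy the checks.
load_conf() {
    conf=$1
    if ! conf_is_trusted "$conf"; then
        echo "refusing to source $conf: not owned by uid $(id -u) or writable by others" >&2
        return 1
    fi
    unset HOSTNAME SNORT_PATH LOG_DIR MAX_DISK_USE INTERFACE
    . "$conf"
    if [ -z "$HOSTNAME" ] || [ -z "$LOG_DIR" ] || [ -z "$INTERFACE" ]; then
        echo "$conf: HOSTNAME, LOG_DIR and INTERFACE must all be set" >&2
        return 1
    fi
    # MAX_DISK_USE feeds shell arithmetic in the original script; insist on 0-100.
    case "$MAX_DISK_USE" in
        ''|*[!0-9]*)
            echo "$conf: MAX_DISK_USE must be an integer percentage" >&2
            return 1 ;;
    esac
    if [ "$MAX_DISK_USE" -gt 100 ]; then
        echo "$conf: MAX_DISK_USE=$MAX_DISK_USE exceeds 100" >&2
        return 1
    fi
    # pkg-message warns that logging under /tmp fills that partition quickly.
    case "$LOG_DIR" in
        /tmp|/tmp/*) echo "warning: LOG_DIR=$LOG_DIR is under /tmp" >&2 ;;
    esac
    return 0
}

# Demo with a constructed conf: the 0644 copy loads, the 0666 copy is refused.
demo() {
    d=$(mktemp -d)
    cat > "$d/log_packets.conf" <<'EOF'
HOSTNAME="sensor-em0"
SNORT_PATH="/usr/local/bin/snort"
LOG_DIR="/nsm/sensor-em0/dailylogs"
MAX_DISK_USE=90
INTERFACE="em0"
EOF
    chmod 0644 "$d/log_packets.conf"
    load_conf "$d/log_packets.conf" && echo "loaded: HOSTNAME=$HOSTNAME INTERFACE=$INTERFACE"
    cp "$d/log_packets.conf" "$d/open.conf"
    chmod 0666 "$d/open.conf"
    load_conf "$d/open.conf" || echo "rejected world-writable conf"
    rm -rf "$d"
}

demo
```

The ownership test compares against the invoking uid rather than hard-coding root, so the same check works whether the cron job runs as root or as a dedicated sguil user; the `-m 122` umask hint in the original `OPTIONS` comment suggests the latter was intended.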
Comment 1 pauls 2006-05-25 23:11:08 UTC
Comment 2 Boris Samorodov freebsd_committer freebsd_triage 2006-09-30 20:52:59 UTC
Hello Paul,

The port lang/tclX switched from 8.3.5 to 8.4 (as I can understand
from cvs log changes are significant). Can you provide a new shar
archive for your port? I'll be glad to commit it.

Thanks!
-- 
bsam
Comment 3 Boris Samorodov freebsd_committer freebsd_triage 2006-09-30 20:55:45 UTC
Responsible Changed
From-To: freebsd-ports-bugs->bsam

Take.
Comment 4 Boris Samorodov freebsd_committer freebsd_triage 2006-09-30 21:07:01 UTC
State Changed
From-To: open->feedback

Awaiting feedback.
Comment 5 Boris B.Samorodov 2006-10-04 21:00:24 UTC
Hi Paul!

Your last shar file contains:
-----
# This archive contains:
#
#       /usr/ports/security/sguil-sensor/Makefile
#       /usr/ports/security/sguil-sensor/distinfo
#       /usr/ports/security/sguil-sensor/files
#       /usr/ports/security/sguil-sensor/pkg-descr
#       /usr/ports/security/sguil-sensor/pkg-plist
#
-----

But there should be some files in the files directory:
-----
===>  Installing for sguil-sensor-0.6.1
===>   sguil-sensor-0.6.1 depends on executable in : snort - found
===>   sguil-sensor-0.6.1 depends on executable in : barnyard - found
===>   sguil-sensor-0.6.1 depends on file: /usr/local/lib/tclx8.4/tclx.tcl - found
** Missing /a/ports/security/sguil-sensor/files/pkg-message.in for sguil-sensor-0.6.1.
*** Error code 1

Stop in /a/ports/security/sguil-sensor.
================================================================
build of /usr/ports/security/sguil-sensor ended at Wed Oct  4 19:48:50 UTC 2006
-----

Should I use those (all?) files from previous shar file?


WBR
-- 
bsam
Comment 6 Boris B.Samorodov 2006-10-04 21:12:01 UTC
Just in case you say "yes" to my previous question. There is a
pkg-plist problem:
-----
====================<phase 7: make package>====================
===>  Building package for sguil-sensor-0.6.1
Creating package /tmp/packages/All/sguil-sensor-0.6.1.tbz
Registering depends: barnyard-sguil6-0.2.0 snort-2.6.0.2 pcre-6.7 tclX-8.4 tcl-8.4.13_1,1.
Creating bzip'd tar ball in '/tmp/packages/All/sguil-sensor-0.6.1.tbz'
Deleting sguil-sensor-0.6.1
================================================================

=== Checking filesystem state
list of extra files and directories in / (not present before this port was installed but present after it was deinstalled)
11402400        8 -r--r--r--    1 root             wheel                2433 Oct  4 19:59 usr/local/etc/sensor_agent.conf-sample
Deleting tclX-8.4
Deleting barnyard-sguil6-0.2.0
Deleting snort-2.6.0.2
Deleting tcl-8.4.13_1,1
Deleting pcre-6.7

=== Checking filesystem state after all packages deleted
================================================================
list of extra files and directories in / (not present on clean system but present after everything was deinstalled)
11402400        8 -r--r--r--    1 root             wheel                2433 Oct  4 19:59 usr/local/etc/sensor_agent.conf-sample
================================================================
build of /usr/ports/security/sguil-sensor ended at Wed Oct  4 20:00:08 UTC 2006
-----

WBR
-- 
bsam
Comment 7 pauls 2006-10-09 18:44:13 UTC
I've attached a new shar file.  The previous one was created incorrectly,
leaving out all the files in files/.  In addition, the pkg-plist was
incomplete, as you pointed out.  This shar file should contain everything
and include a corrected pkg-plist.

Paul Schmehl (pauls@utdallas.edu)
Adjunct Information Security Officer
The University of Texas at Dallas
http://www.utdallas.edu/ir/security/
Comment 8 Boris B.Samorodov 2006-10-09 19:45:37 UTC
Hi Paul!

Your last shar installs sancp.conf-sample only if WITH_SANCP is
defined (which is not defined by default). But pkg-plist supposes that
this file is installed unconditionally. Hence, the package is not
created.

I looked through your Makefile and created a patch against your last
shar. If it fits your needs I can commit the port.

I introduce a new variable USESANCP which is set to "" if
security/sancp is used and "@comment " otherwise. This variable is
transferred to pkg-plist and creates (or not) sancp.conf-sample.

-----
diff -ruN sguil-sensor.orig/Makefile sguil-sensor/Makefile
--- sguil-sensor.orig/Makefile	Mon Oct  9 22:31:04 2006
+++ sguil-sensor/Makefile	Mon Oct  9 22:24:07 2006
@@ -39,6 +39,9 @@
 
 .if defined(WITH_SANCP)
 RUN_DEPENDS+=	sancp:${PORTSDIR}/security/sancp
+PLIST_SUB+=	USESANCP=
+.else
+PLIST_SUB+=	USESANCP="@comment "
 .endif
 
 .if defined(WITH_TLS)
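Review bot: the trailing space inside `USESANCP="@comment "` is load-bearing (without it the substituted plist line becomes `@commentetc/sancp.conf-sample`, which is no longer a directive), so a one-line comment next to the `PLIST_SUB+=` lines saying so would stop the next editor from "tidying" it away. Also, `.if defined(WITH_SANCP)` is the only place the knob exists: nothing in pkg-descr or pkg-message tells a user building from ports that sancp support is available, so consider exposing it through OPTIONS, or at least mention `make WITH_SANCP=yes` in pkg-message.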
diff -ruN sguil-sensor.orig/pkg-plist sguil-sensor/pkg-plist
--- sguil-sensor.orig/pkg-plist	Mon Oct  9 22:31:04 2006
+++ sguil-sensor/pkg-plist	Mon Oct  9 22:24:28 2006
@@ -1,6 +1,6 @@
 bin/%%SGUILDIR%%/log_packets.sh
 bin/%%SGUILDIR%%/sensor_agent.tcl
 etc/log_packets.conf-sample
-etc/sancp.conf-sample
+%%USESANCP%%etc/sancp.conf-sample
 etc/sensor_agent.conf-sample
 @dirrm bin/%%SGUILDIR%%
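Review bot: `%%USESANCP%%etc/sancp.conf-sample` correctly drops the sample from the plist when WITH_SANCP is unset, but pkg-message.in still walks every user through sancp.conf-sample and the `sancp_conf=%%PREFIX%%/etc/sguild-sancp.conf` rc.conf setting unconditionally ("If you chose to run sancp, ..."), so on a default build it describes a file the package never installs; either guard that paragraph with the same knob or state in it that it only applies to builds with WITH_SANCP. Note too that this version drops the earlier plist's `@unexec if [ -f %D/etc/sancp.conf-sample ] ...` cleanup, which is fine now that the file is registered normally, but the `@dirrm bin/%%SGUILDIR%%` line is the only directory cleanup left, so check that deinstall leaves nothing under bin/%%SGUILDIR%% besides the two scripts listed.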
-----

WBR
-- 
bsam
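To make the USESANCP mechanism in the comment above concrete, here is an added example that is not the ports framework's code and not part of this PR: a small emulation of PLIST_SUB's %%NAME%% expansion, a filter that lists what the package would register, and a lint that catches the trailing-space pitfall, since "@comment" without the space glues onto the path and stops being a directive. The plist text and knob values are taken from the hunks above; the function names are my own.

```sh
#!/bin/sh
# Added example, not part of the FreeBSD ports framework or this PR.
# Emulates PLIST_SUB: every NAME=VALUE argument replaces %%NAME%% in the
# plist text passed as the first argument.  VALUE may be empty or
# "@comment ", exactly as the Makefile hunk sets USESANCP.

expand_plist() {
    plist=$1; shift
    script=""
    for kv in "$@"; do
        name=${kv%%=*}
        value=${kv#*=}
        # '|' is the sed delimiter; the plist values used here never contain it
        script="${script}s|%%${name}%%|${value}|g;"
    done
    printf '%s\n' "$plist" | sed -e "${script%;}"
}

# Paths the package would register: @comment'ed lines and the other
# @directives are not files.
plist_files() {
    expand_plist "$@" | grep -v '^@'
}

# Lines that start with '@' but are not one of the plist directives seen on
# this page (@comment, @dirrm, @unexec) or @unexec's counterpart @exec: a
# substitution that lost its trailing space lands here.
plist_unknown_directives() {
    expand_plist "$@" | grep '^@' | grep -Ev '^@(comment|dirrm|exec|unexec)( |$)'
}

# The pkg-plist from Comment 8, with its two substitution tokens.
PLIST='bin/%%SGUILDIR%%/log_packets.sh
bin/%%SGUILDIR%%/sensor_agent.tcl
etc/log_packets.conf-sample
%%USESANCP%%etc/sancp.conf-sample
etc/sensor_agent.conf-sample
@dirrm bin/%%SGUILDIR%%'

echo "== WITH_SANCP defined (USESANCP empty) =="
plist_files "$PLIST" SGUILDIR=sguil USESANCP=
echo "== WITH_SANCP undefined (USESANCP='@comment ') =="
plist_files "$PLIST" SGUILDIR=sguil "USESANCP=@comment "
echo "== same knob value without the trailing space =="
plist_unknown_directives "$PLIST" SGUILDIR=sguil "USESANCP=@comment" || true
```

The first two runs print the four common files with and without etc/sancp.conf-sample; the third prints `@commentetc/sancp.conf-sample`, which is what the package would try to register if the space after `@comment` were dropped from the Makefile.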
Comment 9 pauls 2006-10-09 19:45:52 UTC
OK.  That makes sense to me.

Paul Schmehl (pauls@utdallas.edu)
Adjunct Information Security Officer
University of Texas at Dallas
http://www.utdallas.edu/ir/security/

Comment 10 dfilter service freebsd_committer freebsd_triage 2006-10-09 20:04:45 UTC
bsam        2006-10-09 19:04:39 UTC

  FreeBSD ports repository

  Modified files:
    security             Makefile 
  Added files:
    security/sguil-sensor Makefile distinfo pkg-descr pkg-plist 
    security/sguil-sensor/files log_packets.conf 
                                patch-log_packets.sh 
                                patch-sensor_agent.tcl 
                                pkg-message.in sensor_agent.sh.in 
  Log:
  Sguil (pronounced "sgweel") is a graphical interface to snort
  (www.snort.org), an open source intrusion detection system.
  The actual interface and GUI server are written in tcl/tk
  (www.tcl.tk). Sguil also relies on other open source software
  in order to function properly.
  
  The sensor list includes security/barnyard, security/snort,
  security/sancp, tcpdump (a part of the OS) and devel/tcltls as
  well as lang/tcl84 and lang/tclX.  Care has been taken to ensure
  that everything you need to build a working sguil operation is
  in the FreeBSD ports system or part of the OS already.
  
  Sguil currently functions as an analysis interface and has
  no snort sensor or rule management capabilities.
  
  WWW: http://sguil.sourceforge.net/index.php
  pauls@utdallas.edu
  
  PR:             ports/95018
  Submitted by:   Paul Schmehl <pauls at utdallas.edu>
  
  Revision  Changes    Path
  1.831     +1 -0      ports/security/Makefile
  1.1       +86 -0     ports/security/sguil-sensor/Makefile (new)
  1.1       +3 -0      ports/security/sguil-sensor/distinfo (new)
  1.1       +30 -0     ports/security/sguil-sensor/files/log_packets.conf (new)
  1.1       +49 -0     ports/security/sguil-sensor/files/patch-log_packets.sh (new)
  1.1       +23 -0     ports/security/sguil-sensor/files/patch-sensor_agent.tcl (new)
  1.1       +28 -0     ports/security/sguil-sensor/files/pkg-message.in (new)
  1.1       +46 -0     ports/security/sguil-sensor/files/sensor_agent.sh.in (new)
  1.1       +17 -0     ports/security/sguil-sensor/pkg-descr (new)
  1.1       +6 -0      ports/security/sguil-sensor/pkg-plist (new)
Comment 11 Boris Samorodov freebsd_committer freebsd_triage 2006-10-09 20:06:18 UTC
State Changed
From-To: feedback->closed

Committed, thanks!