* [meta-networking][PATCH 1/3] snort: add recipe
@ 2013-09-23 9:06 b40290
From: b40290 @ 2013-09-23 9:06 UTC (permalink / raw)
To: openembedded-devel
From: Chunrong Guo <B40290@freescale.com>
*snort - a free lightweight network intrusion detection
system for UNIX and Windows
Signed-off-by: Chunrong Guo <B40290@freescale.com>
---
.../recipes-connectivity/snort/files/default | 42 ++
.../snort/files/disable-dap-address-space-id.patch | 52 +++
.../snort/files/disable-inaddr-none.patch | 75 ++++
.../recipes-connectivity/snort/files/logrotate | 12 +
.../recipes-connectivity/snort/files/snort.init | 425 ++++++++++++++++++++
.../recipes-connectivity/snort/files/volatiles | 2 +
.../recipes-connectivity/snort/snort_2.9.4.6.bb | 86 ++++
7 files changed, 694 insertions(+), 0 deletions(-)
create mode 100644 meta-networking/recipes-connectivity/snort/files/default
create mode 100644 meta-networking/recipes-connectivity/snort/files/disable-dap-address-space-id.patch
create mode 100644 meta-networking/recipes-connectivity/snort/files/disable-inaddr-none.patch
create mode 100644 meta-networking/recipes-connectivity/snort/files/logrotate
create mode 100755 meta-networking/recipes-connectivity/snort/files/snort.init
create mode 100644 meta-networking/recipes-connectivity/snort/files/volatiles
create mode 100644 meta-networking/recipes-connectivity/snort/snort_2.9.4.6.bb
diff --git a/meta-networking/recipes-connectivity/snort/files/default b/meta-networking/recipes-connectivity/snort/files/default
new file mode 100644
index 0000000..afd3840
--- /dev/null
+++ b/meta-networking/recipes-connectivity/snort/files/default
@@ -0,0 +1,42 @@
+# Parameters for the daemon
+# Add any additional parameteres here.
+PARAMS="-m 027 -D -d "
+#
+# Snort user
+# This user will be used to launch snort. Notice that the
+# preinst script of the package might do changes to the user
+# (home directory, User Name) when the package is upgraded or
+# reinstalled. So, do *not* change this to 'root' or to any other user
+# unless you are sure there is no problem with those changes being introduced.
+#
+SNORTUSER="snort"
+#
+# Logging directory
+# Snort logs will be dropped here and this will be the home
+# directory for the SNORTUSER. If you change this value you should
+# change the /etc/logrotate.d/snort definition too, otherwise logs
+# will not be rotated properly.
+#
+LOGDIR="/var/log/snort"
+#
+# Snort group
+# This is the group that the snort user will be added to.
+#
+SNORTGROUP="snort"
+#
+# Allow Snort's init.d script to work if the configured interfaces
+# are not available. Set this to yes if you configure Snort with
+# multiple interfaces but some might not be available on boot
+# (e.g. wireless interfaces)
+#
+# Note: In order for this to work the 'iproute' package needs to
+# be installed.
+ALLOW_UNAVAILABLE="no"
+
+# Local configs
+#
+LOCAL_SNORT_STARTUP=boot
+LOCAL_SNORT_HOME_NET="192.168.0.0/16"
+LOCAL_SNORT_INTERFACE=""
+LOCAL_SNORT_STATS_RCPT="root"
+LOCAL_SNORT_STATS_THRESHOLD="1"
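Review bot: Two things in this defaults file do not match the rest of the patch. The SNORTUSER comment refers to a package "preinst script", while the recipe only ships a `pkg_postinst_${PN}`. `LOCAL_SNORT_STATS_RCPT` and `LOCAL_SNORT_STATS_THRESHOLD` are not read by snort.init or anything else added here. I would drop the two unused variables and reword the comment to `# The package postinst creates this user and group; do not change this to 'root'.` so an operator is not misled about what the package manages.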
diff --git a/meta-networking/recipes-connectivity/snort/files/disable-dap-address-space-id.patch b/meta-networking/recipes-connectivity/snort/files/disable-dap-address-space-id.patch
new file mode 100644
index 0000000..39e5c9c
--- /dev/null
+++ b/meta-networking/recipes-connectivity/snort/files/disable-dap-address-space-id.patch
@@ -0,0 +1,52 @@
+Upstream-Status:Inappropriate [embedded specific]
+
+fix the below error:
+checking for dap address space id... configure:
+configure: error: cannot run test program while cross compiling
+
+
+Signed-off-by: Chunrong Guo <B40290@freescale.com>
+
+--- a/configure.in 2013-08-23 00:06:37.239361932 -0500
++++ b/configure.in 2013-08-23 00:07:32.860266534 -0500
+@@ -679,23 +679,23 @@
+
+ AC_CHECK_FUNCS([daq_hup_apply] [daq_acquire_with_meta])
+
+-AC_MSG_CHECKING([for daq address space ID])
+-AC_RUN_IFELSE(
+-[AC_LANG_PROGRAM(
+-[[
+-#include <daq.h>
+-]],
+-[[
+- DAQ_PktHdr_t hdr;
+- hdr.address_space_id = 0;
+-]])],
+-[have_daq_address_space_id="yes"],
+-[have_daq_address_space_id="no"])
+-AC_MSG_RESULT($have_daq_address_space_id)
+-if test "x$have_daq_address_space_id" = "xyes"; then
+- AC_DEFINE([HAVE_DAQ_ADDRESS_SPACE_ID],[1],
+- [DAQ version supports address space ID in header.])
+-fi
++#AC_MSG_CHECKING([for daq address space ID])
++#AC_RUN_IFELSE(
++#[AC_LANG_PROGRAM(
++#[[
++##include <daq.h>
++#]],
++#[[
++# DAQ_PktHdr_t hdr;
++# hdr.address_space_id = 0;
++#]])],
++have_daq_address_space_id="yes"
++#[have_daq_address_space_id="no"])
++#AC_MSG_RESULT($have_daq_address_space_id)
++#if test "x$have_daq_address_space_id" = "xyes"; then
++# AC_DEFINE([HAVE_DAQ_ADDRESS_SPACE_ID],[1],
++# [DAQ version supports address space ID in header.])
++#fi
+
+ # any sparc platform has to have this one defined.
+ AC_MSG_CHECKING(for sparc)
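Review bot: Setting `have_daq_address_space_id="yes"` while commenting out the `AC_DEFINE` leaves `HAVE_DAQ_ADDRESS_SPACE_ID` undefined, so the shell variable claims the feature is present while the generated config header says it is not (unless something outside this hunk reads the variable). The `pcap_lex_destroy` block in disable-inaddr-none.patch has the same problem: `HAVE_PCAP_LEX_DESTROY` is no longer defined, although that patch's description only mentions INADDR_NONE. Neither test program needs to run, so the checks can stay and still work when cross-compiling: change `AC_RUN_IFELSE(` to `AC_COMPILE_IFELSE(` here and to `AC_LINK_IFELSE(` for pcap_lex_destroy, as the neighbouring pcap_lib_version check already does. The file name also spells `dap` where the check is for `daq`, and `Upstream-Status:Inappropriate` is missing the space after the colon.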
diff --git a/meta-networking/recipes-connectivity/snort/files/disable-inaddr-none.patch b/meta-networking/recipes-connectivity/snort/files/disable-inaddr-none.patch
new file mode 100644
index 0000000..9dafe63
--- /dev/null
+++ b/meta-networking/recipes-connectivity/snort/files/disable-inaddr-none.patch
@@ -0,0 +1,75 @@
+Upstream-Status: Inappropriate [embedded specific]
+
+fix the below error:
+checking for INADDR_NONE... configure:
+configure: error: cannot run test program while cross compiling
+
+Signed-off-by: Chunrong Guo <B40290@freescale.com>
+
+
+--- a/configure.in 2013-08-21 03:56:17.197414789 -0500
++++ b/configure.in 2013-08-21 23:19:05.298553560 -0500
+@@ -281,25 +281,7 @@
+ AC_CHECK_TYPES([boolean])
+
+ # In case INADDR_NONE is not defined (like on Solaris)
+-have_inaddr_none="no"
+-AC_MSG_CHECKING([for INADDR_NONE])
+-AC_RUN_IFELSE(
+-[AC_LANG_PROGRAM(
+-[[
+-#include <sys/types.h>
+-#include <netinet/in.h>
+-#include <arpa/inet.h>
+-]],
+-[[
+- if (inet_addr("10,5,2") == INADDR_NONE);
+- return 0;
+-]])],
+-[have_inaddr_none="yes"],
+-[have_inaddr_none="no"])
+-AC_MSG_RESULT($have_inaddr_none)
+-if test "x$have_inaddr_none" = "xno"; then
+- AC_DEFINE([INADDR_NONE],[-1],[For INADDR_NONE definition])
+-fi
++have_inaddr_none="yes"
+
+ AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
+ #include <stdio.h>
+@@ -397,21 +379,21 @@
+ fi
+ fi
+
+-AC_MSG_CHECKING([for pcap_lex_destroy])
+-AC_RUN_IFELSE(
+-[AC_LANG_PROGRAM(
+-[[
+-#include <pcap.h>
+-]],
+-[[
+- pcap_lex_destroy();
+-]])],
+-[have_pcap_lex_destroy="yes"],
+-[have_pcap_lex_destroy="no"])
+-AC_MSG_RESULT($have_pcap_lex_destroy)
+-if test "x$have_pcap_lex_destroy" = "xyes"; then
+- AC_DEFINE([HAVE_PCAP_LEX_DESTROY],[1],[Can cleanup lex buffer stack created by pcap bpf filter])
+-fi
++#AC_MSG_CHECKING([for pcap_lex_destroy])
++#AC_RUN_IFELSE(
++#[AC_LANG_PROGRAM(
++#[[
++##include <pcap.h>
++#]],
++#[[
++# pcap_lex_destroy();
++#]])],
++have_pcap_lex_destroy="yes"
++#[have_pcap_lex_destroy="no"])
++#AC_MSG_RESULT($have_pcap_lex_destroy)
++#if test "x$have_pcap_lex_destroy" = "xyes"; then
++# AC_DEFINE([HAVE_PCAP_LEX_DESTROY],[1],[Can cleanup lex buffer stack created by pcap bpf filter])
++#fi
+
+ AC_MSG_CHECKING([for pcap_lib_version])
+ AC_LINK_IFELSE(
diff --git a/meta-networking/recipes-connectivity/snort/files/logrotate b/meta-networking/recipes-connectivity/snort/files/logrotate
new file mode 100644
index 0000000..ef3e4af
--- /dev/null
+++ b/meta-networking/recipes-connectivity/snort/files/logrotate
@@ -0,0 +1,12 @@
+/var/log/snort/*.log /var/log/snort/alert {
+ size 1M
+ missingok
+ compress
+ delaycompress
+ rotate 10
+ sharedscripts
+ postrotate
+ /etc/init.d/snort restart
+ endscript
+}
+
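Review bot: The `postrotate` line runs `/etc/init.d/snort restart` unconditionally, but the init script's restart branch exits 6 when no `/var/run/snort_*.pid` exists, so every rotation on a box where snort is not running should surface as a logrotate script error. Guarding it, e.g. `if ls /var/run/snort_*.pid >/dev/null 2>&1; then /etc/init.d/snort restart; fi`, avoids that. The restart is also a full stop/start per interface, so traffic goes uninspected for a short window each time a log crosses `size 1M`. Since the recipe configures `--enable-reload`, a lighter way to make snort reopen its logs may be available and is worth checking. Nothing here sets the owner or mode of the rotated files; consider stating them explicitly with a `create` directive so the result does not depend on snort's `-m 027` umask alone.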
diff --git a/meta-networking/recipes-connectivity/snort/files/snort.init b/meta-networking/recipes-connectivity/snort/files/snort.init
new file mode 100755
index 0000000..af66619
--- /dev/null
+++ b/meta-networking/recipes-connectivity/snort/files/snort.init
@@ -0,0 +1,425 @@
+#!/bin/sh -e
+#
+# Init.d script for Snort in OpenEmbedded, based on Debian's script
+#
+# Copyright (c) 2009 Roman I Khimov <khimov@altell.ru>
+#
+# Copyright (c) 2001 Christian Hammers
+# Copyright (c) 2001-2002 Robert van der Meulen
+# Copyright (c) 2002-2004 Sander Smeenk <ssmeenk@debian.org>
+# Copyright (c) 2004-2007 Javier Fernandez-Sanguino <jfs@debian.org>
+#
+# This is free software; you may redistribute it and/or modify
+# it under the terms of the GNU General Public License as
+# published by the Free Software Foundation; either version 2,
+# or (at your option) any later version.
+#
+# This is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License with
+# the Debian operating system, in /usr/share/common-licenses/GPL; if
+# not, write to the Free Software Foundation, Inc., 59 Temple Place,
+# Suite 330, Boston, MA 02111-1307 USA
+#
+### BEGIN INIT INFO
+# Provides: snort
+# Required-Start: $time $network $local_fs
+# Required-Stop:
+# Should-Start: $syslog
+# Should-Stop:
+# Default-Start: 2 3 4 5
+# Default-Stop: 0 1 6
+# Short-Description: Lightweight network intrusion detection system
+# Description: Intrusion detection system that will
+# capture traffic from the network cards and will
+# match against a set of known attacks.
+### END INIT INFO
+
+PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
+
+test $DEBIAN_SCRIPT_DEBUG && set -v -x
+
+DAEMON=/usr/bin/snort
+NAME=snort
+DESC="Network Intrusion Detection System"
+
+. /etc/default/snort
+COMMON="$PARAMS -l $LOGDIR -u $SNORTUSER -g $SNORTGROUP"
+
+test -x $DAEMON || exit 0
+test -z "$LOCAL_SNORT_HOME_NET" && LOCAL_SNORT_HOME_NET="192.168.0.0/16"
+
+# to find the lib files
+cd /etc/snort
+
+running()
+{
+ PIDFILE=$1
+# No pidfile, probably no daemon present
+ [ ! -f "$PIDFILE" ] && return 1
+ pid=`cat $PIDFILE`
+# No pid, probably no daemon present
+ [ -z "$pid" ] && return 1
+ [ ! -d /proc/$pid ] && return 1
+ cmd=`cat /proc/$pid/cmdline | tr "\000" "\n"|head -n 1 |cut -d : -f 1`
+# No daemon
+ [ "$cmd" != "$DAEMON" ] && return 1
+ return 0
+}
+
+
+check_log_dir() {
+# Does the logging directory belong to Snort?
+ # If we cannot determine the logdir return without error
+ # (we will not check it)
+ # This will only be used by people using /etc/default/snort
+ [ -n "$LOGDIR" ] || return 0
+ [ -n "$SNORTUSER" ] || return 0
+ if [ ! -e "$LOGDIR" ] ; then
+ echo "ERR: logging directory $LOGDIR does not exist"
+ return 1
+ elif [ ! -d "$LOGDIR" ] ; then
+ echo "ERR: logging directory $LOGDIR does not exist"
+ return 1
+ else
+ # Don't worry, be happy
+ true
+ fi
+ return 0
+}
+
+check_root() {
+ if [ "$(id -u)" != "0" ]; then
+ echo "You must be root to start, stop or restart $NAME."
+ exit 4
+ fi
+}
+
+case "$1" in
+ start)
+ check_root
+ echo "Starting $DESC " "$NAME"
+
+ if [ -e /etc/snort/db-pending-config ] ; then
+ echo "/etc/snort/db-pending-config file found"
+ echo "Snort will not start as its database is not yet configured."
+ echo "Please configure the database as described in"
+ echo "/usr/share/doc/snort-{pgsql,mysql}/README-database.Debian"
+ echo "and remove /etc/snort/db-pending-config"
+ exit 6
+ fi
+
+ if ! check_log_dir; then
+ echo " will not start $DESC!"
+ exit 5
+ fi
+ if [ "$LOCAL_SNORT_STARTUP" = "dialup" ]; then
+ shift
+ set +e
+ /etc/ppp/ip-up.d/snort "$@"
+ ret=$?
+ if [ $ret -eq 0 ] ; then
+ echo 0
+ else
+ echo 1
+ fi
+ exit $ret
+ fi
+
+ # Usually, we start all interfaces
+ interfaces="$LOCAL_SNORT_INTERFACE"
+
+ # If we are requested to start a specific interface...
+ test "$2" && interfaces="$2"
+
+ # If the interfaces list is empty stop (no error)
+ if [ -z "$interfaces" ] ; then
+ echo "no interfaces configured, will not start"
+ echo 0
+ exit 0
+ fi
+
+ myret=0
+ got_instance=0
+ for interface in $interfaces; do
+ got_instance=1
+ echo "($interface"
+
+ # Check if the interface is available:
+ # - only if iproute is available
+ # - the interface exists
+ # - the interface is up
+ if ! [ -x /sbin/ip ] || ( ip link show dev "$interface" >/dev/null 2>&1 && [ -n "`ip link show up "$interface" 2>/dev/null`" ] ) ; then
+
+ PIDFILE=/var/run/snort_$interface.pid
+ CONFIGFILE=/etc/snort/snort.$interface.conf
+
+ # Defaults:
+ fail="failed (check /var/log/syslog and /var/log/snort)"
+ run="yes"
+
+ if [ -e "$PIDFILE" ] && running $PIDFILE; then
+ run="no"
+ # Do not start this instance, it is already runing
+ fi
+
+ if [ "$run" = "yes" ] ; then
+ if [ ! -e "$CONFIGFILE" ]; then
+ echo "no /etc/snort/snort.$interface.conf found, defaulting to snort.conf"
+ CONFIGFILE=/etc/snort/snort.conf
+ fi
+
+ set +e
+ /sbin/start-stop-daemon --start --quiet \
+ --pidfile "$PIDFILE" \
+ --exec $DAEMON -- $COMMON $LOCAL_SNORT_OPTIONS \
+ -c $CONFIGFILE \
+ -S "HOME_NET=[$LOCAL_SNORT_HOME_NET]" \
+ -i $interface >/dev/null
+ ret=$?
+ case "$ret" in
+ 0)
+ echo "...done)"
+ ;;
+ *)
+ echo "...ERROR: $fail)"
+ myret=$(expr "$myret" + 1)
+ ;;
+ esac
+ set -e
+ else
+ echo "...already running)"
+ fi
+
+ else
+ # What to do if the interface is not available
+ # or is not up
+ if [ "$ALLOW_UNAVAILABLE" != "no" ] ; then
+ echo "...interface not available)"
+ else
+ echo "...ERROR: interface not available)"
+ myret=$(expr "$myret" + 1)
+ fi
+ fi
+ done
+
+ if [ "$got_instance" = 0 ] && [ "$ALLOW_UNAVAILABLE" = "no" ]; then
+ echo "No snort instance found to be started!" >&2
+ exit 6
+ fi
+
+ if [ $myret -eq 0 ] ; then
+ echo 0
+ else
+ echo 1
+ fi
+ exit $myret
+ ;;
+ stop)
+ check_root
+ echo "Stopping $DESC " "$NAME"
+
+ if [ "$LOCAL_SNORT_STARTUP" = "dialup" ]; then
+ shift
+ set +e
+ /etc/ppp/ip-down.d/snort "$@"
+ ret=$?
+ if [ $ret -eq 0 ] ; then
+ echo 0
+ else
+ echo 1
+ fi
+ exit $ret
+ fi
+
+ # Usually, we stop all current running interfaces
+ pidpattern=/var/run/snort_*.pid
+
+ # If we are requested to stop a specific interface...
+ test "$2" && pidpattern=/var/run/snort_"$2".pid
+
+ got_instance=0
+ myret=0
+ for PIDFILE in $pidpattern; do
+ # This check is also needed, if the above pattern doesn't match
+ test -f "$PIDFILE" || continue
+
+ got_instance=1
+ interface=$(basename "$PIDFILE" .pid | sed -e 's/^snort_//')
+
+ echo "($interface"
+
+ set +e
+ if [ ! -e "$PIDFILE" -o -r "$PIDFILE" ] ; then
+# Change ownership of the pidfile
+ /sbin/start-stop-daemon --stop --retry 5 --quiet --oknodo \
+ --pidfile "$PIDFILE" --exec $DAEMON >/dev/null
+ ret=$?
+ rm -f "$PIDFILE"
+ rm -f "$PIDFILE.lck"
+ else
+ echo "cannot read $PIDFILE"
+ ret=4
+ fi
+ case "$ret" in
+ 0)
+ echo "...done)"
+ ;;
+ *)
+ echo "...ERROR)"
+ myret=$(expr "$myret" + 1)
+ ;;
+ esac
+ set -e
+
+ done
+
+ if [ "$got_instance" = 0 ]; then
+ log_warning_msg "No running snort instance found"
+ exit 0 # LSB demands we don't exit with error here
+ fi
+ if [ $myret -eq 0 ] ; then
+ echo 0
+ else
+ echo 1
+ fi
+ exit $myret
+ ;;
+ restart|force-restart|reload|force-reload)
+ check_root
+ # Usually, we restart all current running interfaces
+ pidpattern=/var/run/snort_*.pid
+
+ # If we are requested to restart a specific interface...
+ test "$2" && pidpattern=/var/run/snort_"$2".pid
+
+ got_instance=0
+ for PIDFILE in $pidpattern; do
+ # This check is also needed, if the above pattern doesn't match
+ test -f "$PIDFILE" || continue
+
+ got_instance=1
+ interface=$(basename "$PIDFILE" .pid | sed -e 's/^snort_//')
+ $0 stop $interface || true
+ $0 start $interface || true
+ done
+
+ if [ "$got_instance" = 0 ]; then
+ echo "No snort instance found to be stopped!" >&2
+ exit 6
+ fi
+ ;;
+ status)
+# Non-root users can use this (if allowed to)
+ echo "Status of snort daemon(s)"
+ interfaces="$LOCAL_SNORT_INTERFACE"
+ # If we are requested to check for a specific interface...
+ test "$2" && interfaces="$2"
+ err=0
+ pid=0
+ for interface in $interfaces; do
+ echo " $interface "
+ pidfile=/var/run/snort_$interface.pid
+ if [ -f "$pidfile" ] ; then
+ if [ -r "$pidfile" ] ; then
+ pidval=`cat $pidfile`
+ pid=$(expr "$pid" + 1)
+ if ps -p $pidval | grep -q snort; then
+ echo "OK"
+ else
+ echo "ERROR"
+ err=$(expr "$err" + 1)
+ fi
+ else
+ echo "ERROR: cannot read status file"
+ err=$(expr "$err" + 1)
+ fi
+ else
+ echo "ERROR"
+ err=$(expr "$err" + 1)
+ fi
+ done
+ if [ $err -ne 0 ] ; then
+ if [ $pid -ne 0 ] ; then
+# More than one case where pidfile exists but no snort daemon
+# LSB demands a '1' exit value here
+ echo 1
+ exit 1
+ else
+# No pidfiles at all
+# LSB demands a '3' exit value here
+ echo 3
+ exit 3
+ fi
+ fi
+ echo 0
+ ;;
+ config-check)
+ echo "Checking $DESC configuration"
+ if [ "$LOCAL_SNORT_STARTUP" = "dialup" ]; then
+ echo "Config-check is currently not supported for snort in Dialup configuration"
+ echo 3
+ exit 3
+ fi
+
+ # usually, we test all interfaces
+ interfaces="$LOCAL_SNORT_INTERFACE"
+ # if we are requested to test a specific interface...
+ test "$2" && interfaces="$2"
+
+ myret=0
+ got_instance=0
+ for interface in $interfaces; do
+ got_instance=1
+ echo "interface $interface"
+
+ CONFIGFILE=/etc/snort/snort.$interface.conf
+ if [ ! -e "$CONFIGFILE" ]; then
+ CONFIGFILE=/etc/snort/snort.conf
+ fi
+ COMMON=`echo $COMMON | sed -e 's/-D//'`
+ set +e
+ fail="INVALID"
+ if [ -r "$CONFIGFILE" ]; then
+ $DAEMON -T $COMMON $LOCAL_SNORT_OPTIONS \
+ -c $CONFIGFILE \
+ -S "HOME_NET=[$LOCAL_SNORT_HOME_NET]" \
+ -i $interface >/dev/null 2>&1
+ ret=$?
+ else
+ fail="cannot read $CONFIGFILE"
+ ret=4
+ fi
+ set -e
+
+ case "$ret" in
+ 0)
+ echo "OK"
+ ;;
+ *)
+ echo "$fail"
+ myret=$(expr "$myret" + 1)
+ ;;
+ esac
+ done
+ if [ "$got_instance" = 0 ]; then
+ echo "no snort instance found to be started!" >&2
+ exit 6
+ fi
+
+ if [ $myret -eq 0 ] ; then
+ echo 0
+ else
+ echo 1
+ fi
+ exit $myret
+ ;;
+ *)
+ echo "Usage: $0 {start|stop|restart|force-restart|reload|force-reload|status|config-check}"
+ exit 1
+ ;;
+esac
+exit 0
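Review bot: In the `stop` branch, `log_warning_msg "No running snort instance found"` calls a function this script never defines. Only `/etc/default/snort` is sourced, not the LSB init-functions, so under the `#!/bin/sh -e` shebang the script aborts with a "not found" status instead of reaching the `exit 0` that the comment says LSB requires. Replace it with `echo "No running snort instance found" >&2`. Separately, `check_log_dir` is commented as "Does the logging directory belong to Snort?" but only tests that `$LOGDIR` exists and is a directory, and prints "does not exist" for both failures. Either add an ownership test against `$SNORTUSER` or change the comment and the second message to `ERR: $LOGDIR is not a directory`, so the script does not suggest a permission check it does not perform.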
diff --git a/meta-networking/recipes-connectivity/snort/files/volatiles b/meta-networking/recipes-connectivity/snort/files/volatiles
new file mode 100644
index 0000000..e3ab51d
--- /dev/null
+++ b/meta-networking/recipes-connectivity/snort/files/volatiles
@@ -0,0 +1,2 @@
+# <type> <owner> <group> <mode> <path> <linksource>
+d snort snort 0755 /var/log/snort none
\ No newline at end of file
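Review bot: Mode `0755` makes the IDS log directory listable and traversable by every local user. `PARAMS` passes `-d`, so the files in it can contain captured application-layer payloads as well as alerts. The `-m 027` umask keeps the files themselves from being world-readable, but file names, sizes and timestamps still leak, and any file created outside snort's umask would be exposed. I would tighten this to `d snort snort 0750 /var/log/snort none`. The file also lacks a trailing newline, which is worth fixing in case the volatiles parser reads it line by line.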
diff --git a/meta-networking/recipes-connectivity/snort/snort_2.9.4.6.bb b/meta-networking/recipes-connectivity/snort/snort_2.9.4.6.bb
new file mode 100644
index 0000000..5a165ef
--- /dev/null
+++ b/meta-networking/recipes-connectivity/snort/snort_2.9.4.6.bb
@@ -0,0 +1,86 @@
+DESCRIPTION = "snort - a free lightweight network intrusion detection system for UNIX and Windows."
+HOMEPAGE = "http://www.snort.org/"
+LICENSE = "GPL"
+LIC_FILES_CHKSUM = "file://COPYING;md5=78fa8ef966b48fbf9095e13cc92377c5"
+
+DEPENDS = "libpcap libpcre daq libdnet"
+
+SRC_URI = " ${GENTOO_MIRROR}/${BP}.tar.gz;name=tarball \
+ file://disable-inaddr-none.patch \
+ file://disable-dap-address-space-id.patch \
+ file://snort.init \
+ file://default \
+ file://logrotate \
+ file://volatiles \
+ "
+SRC_URI[tarball.md5sum] = "4111df01a4f21bd1d328a18b76d625bd"
+SRC_URI[tarball.sha256sum] = "cfaa5390b1840aaaa68a6c05a7077dd92cb916e6186a014baa451d43cdb0b3bc"
+
+inherit autotools gettext
+
+EXTRA_OECONF = " \
+ --enable-gre \
+ --enable-linux-smp-stats \
+ --enable-reload \
+ --enable-reload-error-restart \
+ --enable-targetbased \
+ --disable-static-daq \
+ "
+
+do_install_append() {
+ install -d ${D}/${sysconfdir}/snort/rules
+ install -d ${D}/${sysconfdir}/snort/preproc_rules
+ install -d ${D}/${sysconfdir}/default/volatiles
+ mkdir -p ${D}/${sysconfdir}/init.d
+ for i in map config conf dtd; do
+ cp ${S}/etc/*.$i ${D}/${sysconfdir}/snort/
+ done
+ cp ${S}/preproc_rules/*.rules ${D}/${sysconfdir}/snort/preproc_rules/
+ install -m 0644 ${WORKDIR}/default ${D}/${sysconfdir}/default/snort
+ install -m 0644 ${WORKDIR}/volatiles ${D}/${sysconfdir}/default/volatiles/snort
+ install -m 0755 ${WORKDIR}/snort.init ${D}/${sysconfdir}/init.d/snort
+ mkdir -p ${D}/${localstatedir}/log/snort
+ install -d ${D}${sysconfdir}/logrotate.d
+ install -m 0644 ${WORKDIR}/logrotate ${D}${sysconfdir}/logrotate.d/snort
+}
+
+pkg_postinst_${PN}() {
+ grep -q ^snort: /etc/group || addgroup snort
+ grep -q ^snort: /etc/passwd || \
+ adduser --disabled-password --home=/var/log/snort/ --system \
+ --ingroup snort --no-create-home -g "snort" snort
+ ${sysconfdir}/init.d/populate-volatile.sh update
+}
+
+PACKAGES =+ "${PN}-logrotate"
+FILES_${PN}-logrotate = "${sysconfdir}/logrotate.d/snort"
+FILES_${PN} += " \
+ ${libdir}/snort_dynamicengine/*.so.* \
+ ${libdir}/snort_dynamicpreprocessor/*.so.* \
+ ${libdir}/snort_dynamicrules/*.so.* \
+ "
+FILES_${PN}-dbg += " \
+ ${libdir}/snort_dynamicengine/.debug \
+ ${libdir}/snort_dynamicpreprocessor/.debug \
+ ${libdir}/snort_dynamicrules/.debug \
+ "
+FILES_${PN}-staticdev += " \
+ ${libdir}/snort_dynamicengine/*.a \
+ ${libdir}/snort_dynamicpreprocessor/*.a \
+ ${libdir}/snort_dynamicrules/*.a \
+ ${libdir}/snort/dynamic_preproc/*.a \
+ ${libdir}/snort/dynamic_output/*.a \
+ "
+FILES_${PN}-dev += " \
+ ${libdir}/snort_dynamicengine/*.la \
+ ${libdir}/snort_dynamicpreprocessor/*.la \
+ ${libdir}/snort_dynamicrules/*.la \
+ ${libdir}/snort_dynamicengine/*.so \
+ ${libdir}/snort_dynamicpreprocessor/*.so \
+ ${libdir}/snort_dynamicrules/*.so \
+ ${prefix}/src/snort_dynamicsrc \
+ "
+
+RRECOMMENDS_${PN} += "${PN}-logrotate"
+RRECOMMENDS_${PN} += "barnyard"
+RSUGGESTS_${PN}-logrotate += "logrotate"
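Review bot: The recipe installs `${sysconfdir}/init.d/snort` but never registers it with the init system, so as written the IDS will not start at boot even after an interface is configured. Adding `update-rc.d` to the `inherit` line and setting `INITSCRIPT_NAME = "snort"` would cover that. The `cp ${S}/etc/*.$i` and `cp ${S}/preproc_rules/*.rules` lines in `do_install_append` carry over whatever modes the build tree has. `install -m 0644` would give the shipped configuration and rules deterministic permissions. `mkdir -p ${D}/${localstatedir}/log/snort` also packages a directory that the volatiles entry is meant to create at runtime, so one of the two is probably redundant.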
--
1.7.5.4
Re: [meta-networking][PATCH 1/3] snort: add recipe
From: Joe MacDonald @ 2013-09-23 16:58 UTC (permalink / raw)
To: b40290; +Cc: openembedded-devel
Hi Chunrong,
A few things with this one.
- can you be more specific with the LICENSE?
WARNING: snort: No generic license file exists for: GPL in any provider
- my test build generated QA errors due to host libraries being used in
the build:
cc1: warning: include location "/usr/include/pcap" is unsafe for cross-compilation [-Wpoison-system-directories]
cc1: warning: include location "/usr/include/pcap" is unsafe for cross-compilation [-Wpoison-system-directories]
cc1: warning: include location "/usr/include/pcap" is unsafe for cross-compilation [-Wpoison-system-directories]
cc1: warning: include location "/usr/include/pcap" is unsafe for cross-compilation [-Wpoison-system-directories]
- Is the pkg_postinst_${PN} action really necessary? Can't you
accomplish the same thing by inheriting useradd? At worst, I think
you'll only need the last line, directly invoking
populate-volatile.sh. Could be mistaken on that, though.
- Can you take another pass through the recipe itself, please? There's
some inconsistent formatting (specifically around SRC_URI) and
minor whitespace issues (around EXTRA_OECONF, for sure, maybe
elsewhere, I've only done a quick scan).
- While we're on the topic, I hate to ask, but any chance we could fix
up the formatting on the initscript itself? It's an indentation
disaster. Not your fault, I know, but I don't know that we'll ever go
back to taking the debian one again and I'd rather it be clean for
anyone who comes along later.
- There's one minor inconsistency in the logrotate file, too, can you
make them all space-indented or all tab-indented please?
Thanks,
-J.
[[oe] [meta-networking][PATCH 1/3] snort: add recipe] On 13.09.23 (Mon 17:06) b40290@freescale.com wrote:
> From: Chunrong Guo <B40290@freescale.com>
>
> *snort - a free lightweight network intrusion detection
> system for UNIX and Windows
>
> Signed-off-by: Chunrong Guo <B40290@freescale.com>
> ---
> .../recipes-connectivity/snort/files/default | 42 ++
> .../snort/files/disable-dap-address-space-id.patch | 52 +++
> .../snort/files/disable-inaddr-none.patch | 75 ++++
> .../recipes-connectivity/snort/files/logrotate | 12 +
> .../recipes-connectivity/snort/files/snort.init | 425 ++++++++++++++++++++
> .../recipes-connectivity/snort/files/volatiles | 2 +
> .../recipes-connectivity/snort/snort_2.9.4.6.bb | 86 ++++
> 7 files changed, 694 insertions(+), 0 deletions(-)
> create mode 100644 meta-networking/recipes-connectivity/snort/files/default
> create mode 100644 meta-networking/recipes-connectivity/snort/files/disable-dap-address-space-id.patch
> create mode 100644 meta-networking/recipes-connectivity/snort/files/disable-inaddr-none.patch
> create mode 100644 meta-networking/recipes-connectivity/snort/files/logrotate
> create mode 100755 meta-networking/recipes-connectivity/snort/files/snort.init
> create mode 100644 meta-networking/recipes-connectivity/snort/files/volatiles
> create mode 100644 meta-networking/recipes-connectivity/snort/snort_2.9.4.6.bb
>
> diff --git a/meta-networking/recipes-connectivity/snort/files/default b/meta-networking/recipes-connectivity/snort/files/default
> new file mode 100644
> index 0000000..afd3840
> --- /dev/null
> +++ b/meta-networking/recipes-connectivity/snort/files/default
> @@ -0,0 +1,42 @@
> +# Parameters for the daemon
> +# Add any additional parameteres here.
> +PARAMS="-m 027 -D -d "
> +#
> +# Snort user
> +# This user will be used to launch snort. Notice that the
> +# preinst script of the package might do changes to the user
> +# (home directory, User Name) when the package is upgraded or
> +# reinstalled. So, do *not* change this to 'root' or to any other user
> +# unless you are sure there is no problem with those changes being introduced.
> +#
> +SNORTUSER="snort"
> +#
> +# Logging directory
> +# Snort logs will be dropped here and this will be the home
> +# directory for the SNORTUSER. If you change this value you should
> +# change the /etc/logrotate.d/snort definition too, otherwise logs
> +# will not be rotated properly.
> +#
> +LOGDIR="/var/log/snort"
> +#
> +# Snort group
> +# This is the group that the snort user will be added to.
> +#
> +SNORTGROUP="snort"
> +#
> +# Allow Snort's init.d script to work if the configured interfaces
> +# are not available. Set this to yes if you configure Snort with
> +# multiple interfaces but some might not be available on boot
> +# (e.g. wireless interfaces)
> +#
> +# Note: In order for this to work the 'iproute' package needs to
> +# be installed.
> +ALLOW_UNAVAILABLE="no"
> +
> +# Local configs
> +#
> +LOCAL_SNORT_STARTUP=boot
> +LOCAL_SNORT_HOME_NET="192.168.0.0/16"
> +LOCAL_SNORT_INTERFACE=""
> +LOCAL_SNORT_STATS_RCPT="root"
> +LOCAL_SNORT_STATS_THRESHOLD="1"
> diff --git a/meta-networking/recipes-connectivity/snort/files/disable-dap-address-space-id.patch b/meta-networking/recipes-connectivity/snort/files/disable-dap-address-space-id.patch
> new file mode 100644
> index 0000000..39e5c9c
> --- /dev/null
> +++ b/meta-networking/recipes-connectivity/snort/files/disable-dap-address-space-id.patch
> @@ -0,0 +1,52 @@
> +Upstream-Status:Inappropriate [embedded specific]
> +
> +fix the below error:
> +checking for dap address space id... configure:
> +configure: error: cannot run test program while cross compiling
> +
> +
> +Signed-off-by: Chunrong Guo <B40290@freescale.com>
> +
> +--- a/configure.in 2013-08-23 00:06:37.239361932 -0500
> ++++ b/configure.in 2013-08-23 00:07:32.860266534 -0500
> +@@ -679,23 +679,23 @@
> +
> + AC_CHECK_FUNCS([daq_hup_apply] [daq_acquire_with_meta])
> +
> +-AC_MSG_CHECKING([for daq address space ID])
> +-AC_RUN_IFELSE(
> +-[AC_LANG_PROGRAM(
> +-[[
> +-#include <daq.h>
> +-]],
> +-[[
> +- DAQ_PktHdr_t hdr;
> +- hdr.address_space_id = 0;
> +-]])],
> +-[have_daq_address_space_id="yes"],
> +-[have_daq_address_space_id="no"])
> +-AC_MSG_RESULT($have_daq_address_space_id)
> +-if test "x$have_daq_address_space_id" = "xyes"; then
> +- AC_DEFINE([HAVE_DAQ_ADDRESS_SPACE_ID],[1],
> +- [DAQ version supports address space ID in header.])
> +-fi
> ++#AC_MSG_CHECKING([for daq address space ID])
> ++#AC_RUN_IFELSE(
> ++#[AC_LANG_PROGRAM(
> ++#[[
> ++##include <daq.h>
> ++#]],
> ++#[[
> ++# DAQ_PktHdr_t hdr;
> ++# hdr.address_space_id = 0;
> ++#]])],
> ++have_daq_address_space_id="yes"
> ++#[have_daq_address_space_id="no"])
> ++#AC_MSG_RESULT($have_daq_address_space_id)
> ++#if test "x$have_daq_address_space_id" = "xyes"; then
> ++# AC_DEFINE([HAVE_DAQ_ADDRESS_SPACE_ID],[1],
> ++# [DAQ version supports address space ID in header.])
> ++#fi
> +
> + # any sparc platform has to have this one defined.
> + AC_MSG_CHECKING(for sparc)
> diff --git a/meta-networking/recipes-connectivity/snort/files/disable-inaddr-none.patch b/meta-networking/recipes-connectivity/snort/files/disable-inaddr-none.patch
> new file mode 100644
> index 0000000..9dafe63
> --- /dev/null
> +++ b/meta-networking/recipes-connectivity/snort/files/disable-inaddr-none.patch
> @@ -0,0 +1,75 @@
> +Upstream-Status: Inappropriate [embedded specific]
> +
> +fix the below error:
> +checking for INADDR_NONE... configure:
> +configure: error: cannot run test program while cross compiling
> +
> +Signed-off-by: Chunrong Guo <B40290@freescale.com>
> +
> +
> +--- a/configure.in 2013-08-21 03:56:17.197414789 -0500
> ++++ b/configure.in 2013-08-21 23:19:05.298553560 -0500
> +@@ -281,25 +281,7 @@
> + AC_CHECK_TYPES([boolean])
> +
> + # In case INADDR_NONE is not defined (like on Solaris)
> +-have_inaddr_none="no"
> +-AC_MSG_CHECKING([for INADDR_NONE])
> +-AC_RUN_IFELSE(
> +-[AC_LANG_PROGRAM(
> +-[[
> +-#include <sys/types.h>
> +-#include <netinet/in.h>
> +-#include <arpa/inet.h>
> +-]],
> +-[[
> +- if (inet_addr("10,5,2") == INADDR_NONE);
> +- return 0;
> +-]])],
> +-[have_inaddr_none="yes"],
> +-[have_inaddr_none="no"])
> +-AC_MSG_RESULT($have_inaddr_none)
> +-if test "x$have_inaddr_none" = "xno"; then
> +- AC_DEFINE([INADDR_NONE],[-1],[For INADDR_NONE definition])
> +-fi
> ++have_inaddr_none="yes"
> +
> + AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
> + #include <stdio.h>
> +@@ -397,21 +379,21 @@
> + fi
> + fi
> +
> +-AC_MSG_CHECKING([for pcap_lex_destroy])
> +-AC_RUN_IFELSE(
> +-[AC_LANG_PROGRAM(
> +-[[
> +-#include <pcap.h>
> +-]],
> +-[[
> +- pcap_lex_destroy();
> +-]])],
> +-[have_pcap_lex_destroy="yes"],
> +-[have_pcap_lex_destroy="no"])
> +-AC_MSG_RESULT($have_pcap_lex_destroy)
> +-if test "x$have_pcap_lex_destroy" = "xyes"; then
> +- AC_DEFINE([HAVE_PCAP_LEX_DESTROY],[1],[Can cleanup lex buffer stack created by pcap bpf filter])
> +-fi
> ++#AC_MSG_CHECKING([for pcap_lex_destroy])
> ++#AC_RUN_IFELSE(
> ++#[AC_LANG_PROGRAM(
> ++#[[
> ++##include <pcap.h>
> ++#]],
> ++#[[
> ++# pcap_lex_destroy();
> ++#]])],
> ++have_pcap_lex_destroy="yes"
> ++#[have_pcap_lex_destroy="no"])
> ++#AC_MSG_RESULT($have_pcap_lex_destroy)
> ++#if test "x$have_pcap_lex_destroy" = "xyes"; then
> ++# AC_DEFINE([HAVE_PCAP_LEX_DESTROY],[1],[Can cleanup lex buffer stack created by pcap bpf filter])
> ++#fi
> +
> + AC_MSG_CHECKING([for pcap_lib_version])
> + AC_LINK_IFELSE(
> diff --git a/meta-networking/recipes-connectivity/snort/files/logrotate b/meta-networking/recipes-connectivity/snort/files/logrotate
> new file mode 100644
> index 0000000..ef3e4af
> --- /dev/null
> +++ b/meta-networking/recipes-connectivity/snort/files/logrotate
> @@ -0,0 +1,12 @@
> +/var/log/snort/*.log /var/log/snort/alert {
> + size 1M
> + missingok
> + compress
> + delaycompress
> + rotate 10
> + sharedscripts
> + postrotate
> + /etc/init.d/snort restart
> + endscript
> +}
> +
> diff --git a/meta-networking/recipes-connectivity/snort/files/snort.init b/meta-networking/recipes-connectivity/snort/files/snort.init
> new file mode 100755
> index 0000000..af66619
> --- /dev/null
> +++ b/meta-networking/recipes-connectivity/snort/files/snort.init
> @@ -0,0 +1,425 @@
> +#!/bin/sh -e
> +#
> +# Init.d script for Snort in OpenEmbedded, based on Debian's script
> +#
> +# Copyright (c) 2009 Roman I Khimov <khimov@altell.ru>
> +#
> +# Copyright (c) 2001 Christian Hammers
> +# Copyright (c) 2001-2002 Robert van der Meulen
> +# Copyright (c) 2002-2004 Sander Smeenk <ssmeenk@debian.org>
> +# Copyright (c) 2004-2007 Javier Fernandez-Sanguino <jfs@debian.org>
> +#
> +# This is free software; you may redistribute it and/or modify
> +# it under the terms of the GNU General Public License as
> +# published by the Free Software Foundation; either version 2,
> +# or (at your option) any later version.
> +#
> +# This is distributed in the hope that it will be useful, but
> +# WITHOUT ANY WARRANTY; without even the implied warranty of
> +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
> +# GNU General Public License for more details.
> +#
> +# You should have received a copy of the GNU General Public License with
> +# the Debian operating system, in /usr/share/common-licenses/GPL; if
> +# not, write to the Free Software Foundation, Inc., 59 Temple Place,
> +# Suite 330, Boston, MA 02111-1307 USA
> +#
> +### BEGIN INIT INFO
> +# Provides: snort
> +# Required-Start: $time $network $local_fs
> +# Required-Stop:
> +# Should-Start: $syslog
> +# Should-Stop:
> +# Default-Start: 2 3 4 5
> +# Default-Stop: 0 1 6
> +# Short-Description: Lightweight network intrusion detection system
> +# Description: Intrusion detection system that will
> +# capture traffic from the network cards and will
> +# match against a set of known attacks.
> +### END INIT INFO
> +
> +PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
> +
> +test $DEBIAN_SCRIPT_DEBUG && set -v -x
> +
> +DAEMON=/usr/bin/snort
> +NAME=snort
> +DESC="Network Intrusion Detection System"
> +
> +. /etc/default/snort
> +COMMON="$PARAMS -l $LOGDIR -u $SNORTUSER -g $SNORTGROUP"
> +
> +test -x $DAEMON || exit 0
> +test -z "$LOCAL_SNORT_HOME_NET" && LOCAL_SNORT_HOME_NET="192.168.0.0/16"
> +
> +# to find the lib files
> +cd /etc/snort
> +
> +running()
> +{
> + PIDFILE=$1
> +# No pidfile, probably no daemon present
> + [ ! -f "$PIDFILE" ] && return 1
> + pid=`cat $PIDFILE`
> +# No pid, probably no daemon present
> + [ -z "$pid" ] && return 1
> + [ ! -d /proc/$pid ] && return 1
> + cmd=`cat /proc/$pid/cmdline | tr "\000" "\n"|head -n 1 |cut -d : -f 1`
> +# No daemon
> + [ "$cmd" != "$DAEMON" ] && return 1
> + return 0
> +}
> +
> +
> +check_log_dir() {
> +# Does the logging directory belong to Snort?
> + # If we cannot determine the logdir return without error
> + # (we will not check it)
> + # This will only be used by people using /etc/default/snort
> + [ -n "$LOGDIR" ] || return 0
> + [ -n "$SNORTUSER" ] || return 0
> + if [ ! -e "$LOGDIR" ] ; then
> + echo "ERR: logging directory $LOGDIR does not exist"
> + return 1
> + elif [ ! -d "$LOGDIR" ] ; then
> + echo "ERR: logging directory $LOGDIR does not exist"
> + return 1
> + else
> + # Don't worry, be happy
> + true
> + fi
> + return 0
> +}
> +
> +check_root() {
> + if [ "$(id -u)" != "0" ]; then
> + echo "You must be root to start, stop or restart $NAME."
> + exit 4
> + fi
> +}
> +
> +case "$1" in
> + start)
> + check_root
> + echo "Starting $DESC " "$NAME"
> +
> + if [ -e /etc/snort/db-pending-config ] ; then
> + echo "/etc/snort/db-pending-config file found"
> + echo "Snort will not start as its database is not yet configured."
> + echo "Please configure the database as described in"
> + echo "/usr/share/doc/snort-{pgsql,mysql}/README-database.Debian"
> + echo "and remove /etc/snort/db-pending-config"
> + exit 6
> + fi
> +
> + if ! check_log_dir; then
> + echo " will not start $DESC!"
> + exit 5
> + fi
> + if [ "$LOCAL_SNORT_STARTUP" = "dialup" ]; then
> + shift
> + set +e
> + /etc/ppp/ip-up.d/snort "$@"
> + ret=$?
> + if [ $ret -eq 0 ] ; then
> + echo 0
> + else
> + echo 1
> + fi
> + exit $ret
> + fi
> +
> + # Usually, we start all interfaces
> + interfaces="$LOCAL_SNORT_INTERFACE"
> +
> + # If we are requested to start a specific interface...
> + test "$2" && interfaces="$2"
> +
> + # If the interfaces list is empty stop (no error)
> + if [ -z "$interfaces" ] ; then
> + echo "no interfaces configured, will not start"
> + echo 0
> + exit 0
> + fi
> +
> + myret=0
> + got_instance=0
> + for interface in $interfaces; do
> + got_instance=1
> + echo "($interface"
> +
> + # Check if the interface is available:
> + # - only if iproute is available
> + # - the interface exists
> + # - the interface is up
> + if ! [ -x /sbin/ip ] || ( ip link show dev "$interface" >/dev/null 2>&1 && [ -n "`ip link show up "$interface" 2>/dev/null`" ] ) ; then
> +
> + PIDFILE=/var/run/snort_$interface.pid
> + CONFIGFILE=/etc/snort/snort.$interface.conf
> +
> + # Defaults:
> + fail="failed (check /var/log/syslog and /var/log/snort)"
> + run="yes"
> +
> + if [ -e "$PIDFILE" ] && running $PIDFILE; then
> + run="no"
> + # Do not start this instance, it is already runing
> + fi
> +
> + if [ "$run" = "yes" ] ; then
> + if [ ! -e "$CONFIGFILE" ]; then
> + echo "no /etc/snort/snort.$interface.conf found, defaulting to snort.conf"
> + CONFIGFILE=/etc/snort/snort.conf
> + fi
> +
> + set +e
> + /sbin/start-stop-daemon --start --quiet \
> + --pidfile "$PIDFILE" \
> + --exec $DAEMON -- $COMMON $LOCAL_SNORT_OPTIONS \
> + -c $CONFIGFILE \
> + -S "HOME_NET=[$LOCAL_SNORT_HOME_NET]" \
> + -i $interface >/dev/null
> + ret=$?
> + case "$ret" in
> + 0)
> + echo "...done)"
> + ;;
> + *)
> + echo "...ERROR: $fail)"
> + myret=$(expr "$myret" + 1)
> + ;;
> + esac
> + set -e
> + else
> + echo "...already running)"
> + fi
> +
> + else
> + # What to do if the interface is not available
> + # or is not up
> + if [ "$ALLOW_UNAVAILABLE" != "no" ] ; then
> + echo "...interface not available)"
> + else
> + echo "...ERROR: interface not available)"
> + myret=$(expr "$myret" + 1)
> + fi
> + fi
> + done
> +
> + if [ "$got_instance" = 0 ] && [ "$ALLOW_UNAVAILABLE" = "no" ]; then
> + echo "No snort instance found to be started!" >&2
> + exit 6
> + fi
> +
> + if [ $myret -eq 0 ] ; then
> + echo 0
> + else
> + echo 1
> + fi
> + exit $myret
> + ;;
> + stop)
> + check_root
> + echo "Stopping $DESC " "$NAME"
> +
> + if [ "$LOCAL_SNORT_STARTUP" = "dialup" ]; then
> + shift
> + set +e
> + /etc/ppp/ip-down.d/snort "$@"
> + ret=$?
> + if [ $ret -eq 0 ] ; then
> + echo 0
> + else
> + echo 1
> + fi
> + exit $ret
> + fi
> +
> + # Usually, we stop all current running interfaces
> + pidpattern=/var/run/snort_*.pid
> +
> + # If we are requested to stop a specific interface...
> + test "$2" && pidpattern=/var/run/snort_"$2".pid
> +
> + got_instance=0
> + myret=0
> + for PIDFILE in $pidpattern; do
> + # This check is also needed, if the above pattern doesn't match
> + test -f "$PIDFILE" || continue
> +
> + got_instance=1
> + interface=$(basename "$PIDFILE" .pid | sed -e 's/^snort_//')
> +
> + echo "($interface"
> +
> + set +e
> + if [ ! -e "$PIDFILE" -o -r "$PIDFILE" ] ; then
> +# Change ownership of the pidfile
> + /sbin/start-stop-daemon --stop --retry 5 --quiet --oknodo \
> + --pidfile "$PIDFILE" --exec $DAEMON >/dev/null
> + ret=$?
> + rm -f "$PIDFILE"
> + rm -f "$PIDFILE.lck"
> + else
> + echo "cannot read $PIDFILE"
> + ret=4
> + fi
> + case "$ret" in
> + 0)
> + echo "...done)"
> + ;;
> + *)
> + echo "...ERROR)"
> + myret=$(expr "$myret" + 1)
> + ;;
> + esac
> + set -e
> +
> + done
> +
> + if [ "$got_instance" = 0 ]; then
> + log_warning_msg "No running snort instance found"
> + exit 0 # LSB demands we don't exit with error here
> + fi
> + if [ $myret -eq 0 ] ; then
> + echo 0
> + else
> + echo 1
> + fi
> + exit $myret
> + ;;
> + restart|force-restart|reload|force-reload)
> + check_root
> + # Usually, we restart all current running interfaces
> + pidpattern=/var/run/snort_*.pid
> +
> + # If we are requested to restart a specific interface...
> + test "$2" && pidpattern=/var/run/snort_"$2".pid
> +
> + got_instance=0
> + for PIDFILE in $pidpattern; do
> + # This check is also needed, if the above pattern doesn't match
> + test -f "$PIDFILE" || continue
> +
> + got_instance=1
> + interface=$(basename "$PIDFILE" .pid | sed -e 's/^snort_//')
> + $0 stop $interface || true
> + $0 start $interface || true
> + done
> +
> + if [ "$got_instance" = 0 ]; then
> + echo "No snort instance found to be stopped!" >&2
> + exit 6
> + fi
> + ;;
> + status)
> +# Non-root users can use this (if allowed to)
> + echo "Status of snort daemon(s)"
> + interfaces="$LOCAL_SNORT_INTERFACE"
> + # If we are requested to check for a specific interface...
> + test "$2" && interfaces="$2"
> + err=0
> + pid=0
> + for interface in $interfaces; do
> + echo " $interface "
> + pidfile=/var/run/snort_$interface.pid
> + if [ -f "$pidfile" ] ; then
> + if [ -r "$pidfile" ] ; then
> + pidval=`cat $pidfile`
> + pid=$(expr "$pid" + 1)
> + if ps -p $pidval | grep -q snort; then
> + echo "OK"
> + else
> + echo "ERROR"
> + err=$(expr "$err" + 1)
> + fi
> + else
> + echo "ERROR: cannot read status file"
> + err=$(expr "$err" + 1)
> + fi
> + else
> + echo "ERROR"
> + err=$(expr "$err" + 1)
> + fi
> + done
> + if [ $err -ne 0 ] ; then
> + if [ $pid -ne 0 ] ; then
> +# More than one case where pidfile exists but no snort daemon
> +# LSB demands a '1' exit value here
> + echo 1
> + exit 1
> + else
> +# No pidfiles at all
> +# LSB demands a '3' exit value here
> + echo 3
> + exit 3
> + fi
> + fi
> + echo 0
> + ;;
> + config-check)
> + echo "Checking $DESC configuration"
> + if [ "$LOCAL_SNORT_STARTUP" = "dialup" ]; then
> + echo "Config-check is currently not supported for snort in Dialup configuration"
> + echo 3
> + exit 3
> + fi
> +
> + # usually, we test all interfaces
> + interfaces="$LOCAL_SNORT_INTERFACE"
> + # if we are requested to test a specific interface...
> + test "$2" && interfaces="$2"
> +
> + myret=0
> + got_instance=0
> + for interface in $interfaces; do
> + got_instance=1
> + echo "interface $interface"
> +
> + CONFIGFILE=/etc/snort/snort.$interface.conf
> + if [ ! -e "$CONFIGFILE" ]; then
> + CONFIGFILE=/etc/snort/snort.conf
> + fi
> + COMMON=`echo $COMMON | sed -e 's/-D//'`
> + set +e
> + fail="INVALID"
> + if [ -r "$CONFIGFILE" ]; then
> + $DAEMON -T $COMMON $LOCAL_SNORT_OPTIONS \
> + -c $CONFIGFILE \
> + -S "HOME_NET=[$LOCAL_SNORT_HOME_NET]" \
> + -i $interface >/dev/null 2>&1
> + ret=$?
> + else
> + fail="cannot read $CONFIGFILE"
> + ret=4
> + fi
> + set -e
> +
> + case "$ret" in
> + 0)
> + echo "OK"
> + ;;
> + *)
> + echo "$fail"
> + myret=$(expr "$myret" + 1)
> + ;;
> + esac
> + done
> + if [ "$got_instance" = 0 ]; then
> + echo "no snort instance found to be started!" >&2
> + exit 6
> + fi
> +
> + if [ $myret -eq 0 ] ; then
> + echo 0
> + else
> + echo 1
> + fi
> + exit $myret
> + ;;
> + *)
> + echo "Usage: $0 {start|stop|restart|force-restart|reload|force-reload|status|config-check}"
> + exit 1
> + ;;
> +esac
> +exit 0
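Review bot: `log_warning_msg` in the `stop` branch is never defined, because the script does not source the LSB init-functions it comes from; under `#!/bin/sh -e` a `stop` with no pidfile present therefore ends in a command-not-found error instead of the intended `exit 0`, and `echo "No running snort instance found"` would match how the rest of the script reports. Separately, `check_log_dir` is headed "Does the logging directory belong to Snort?" but only tests that `$LOGDIR` exists and is a directory, printing "does not exist" for both cases. Since the daemon is started with `-u $SNORTUSER -g $SNORTGROUP`, an ownership test on `$LOGDIR` would catch a directory owned by another account, or one the unprivileged process cannot write to, before start-up. The second message should read `echo "ERR: logging directory $LOGDIR is not a directory"`.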
> diff --git a/meta-networking/recipes-connectivity/snort/files/volatiles b/meta-networking/recipes-connectivity/snort/files/volatiles
> new file mode 100644
> index 0000000..e3ab51d
> --- /dev/null
> +++ b/meta-networking/recipes-connectivity/snort/files/volatiles
> @@ -0,0 +1,2 @@
> +# <type> <owner> <group> <mode> <path> <linksource>
> +d snort snort 0755 /var/log/snort none
> \ No newline at end of file
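Review bot: Mode `0755` on `/var/log/snort` leaves the alert and packet log directory listable and traversable by every local user, while the `default` file in this patch starts the daemon with `-m 027` so that the log files themselves are not world-readable. `d snort snort 0750 /var/log/snort none` would make the directory agree with that umask. The same path is also created by `mkdir -p ${D}/${localstatedir}/log/snort` in the recipe's do_install_append with default ownership, so the two definitions should be reconciled.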
> diff --git a/meta-networking/recipes-connectivity/snort/snort_2.9.4.6.bb b/meta-networking/recipes-connectivity/snort/snort_2.9.4.6.bb
> new file mode 100644
> index 0000000..5a165ef
> --- /dev/null
> +++ b/meta-networking/recipes-connectivity/snort/snort_2.9.4.6.bb
> @@ -0,0 +1,86 @@
> +DESCRIPTION = "snort - a free lightweight network intrusion detection system for UNIX and Windows."
> +HOMEPAGE = "http://www.snort.org/"
> +LICENSE = "GPL"
> +LIC_FILES_CHKSUM = "file://COPYING;md5=78fa8ef966b48fbf9095e13cc92377c5"
> +
> +DEPENDS = "libpcap libpcre daq libdnet"
> +
> +SRC_URI = " ${GENTOO_MIRROR}/${BP}.tar.gz;name=tarball \
> + file://disable-inaddr-none.patch \
> + file://disable-dap-address-space-id.patch \
> + file://snort.init \
> + file://default \
> + file://logrotate \
> + file://volatiles \
> + "
> +SRC_URI[tarball.md5sum] = "4111df01a4f21bd1d328a18b76d625bd"
> +SRC_URI[tarball.sha256sum] = "cfaa5390b1840aaaa68a6c05a7077dd92cb916e6186a014baa451d43cdb0b3bc"
> +
> +inherit autotools gettext
> +
> +EXTRA_OECONF = " \
> + --enable-gre \
> + --enable-linux-smp-stats \
> + --enable-reload \
> + --enable-reload-error-restart \
> + --enable-targetbased \
> + --disable-static-daq \
> + "
> +
> +do_install_append() {
> + install -d ${D}/${sysconfdir}/snort/rules
> + install -d ${D}/${sysconfdir}/snort/preproc_rules
> + install -d ${D}/${sysconfdir}/default/volatiles
> + mkdir -p ${D}/${sysconfdir}/init.d
> + for i in map config conf dtd; do
> + cp ${S}/etc/*.$i ${D}/${sysconfdir}/snort/
> + done
> + cp ${S}/preproc_rules/*.rules ${D}/${sysconfdir}/snort/preproc_rules/
> + install -m 0644 ${WORKDIR}/default ${D}/${sysconfdir}/default/snort
> + install -m 0644 ${WORKDIR}/volatiles ${D}/${sysconfdir}/default/volatiles/snort
> + install -m 0755 ${WORKDIR}/snort.init ${D}/${sysconfdir}/init.d/snort
> + mkdir -p ${D}/${localstatedir}/log/snort
> + install -d ${D}${sysconfdir}/logrotate.d
> + install -m 0644 ${WORKDIR}/logrotate ${D}${sysconfdir}/logrotate.d/snort
> +}
> +
> +pkg_postinst_${PN}() {
> + grep -q ^snort: /etc/group || addgroup snort
> + grep -q ^snort: /etc/passwd || \
> + adduser --disabled-password --home=/var/log/snort/ --system \
> + --ingroup snort --no-create-home -g "snort" snort
> + ${sysconfdir}/init.d/populate-volatile.sh update
> +}
> +
> +PACKAGES =+ "${PN}-logrotate"
> +FILES_${PN}-logrotate = "${sysconfdir}/logrotate.d/snort"
> +FILES_${PN} += " \
> + ${libdir}/snort_dynamicengine/*.so.* \
> + ${libdir}/snort_dynamicpreprocessor/*.so.* \
> + ${libdir}/snort_dynamicrules/*.so.* \
> + "
> +FILES_${PN}-dbg += " \
> + ${libdir}/snort_dynamicengine/.debug \
> + ${libdir}/snort_dynamicpreprocessor/.debug \
> + ${libdir}/snort_dynamicrules/.debug \
> + "
> +FILES_${PN}-staticdev += " \
> + ${libdir}/snort_dynamicengine/*.a \
> + ${libdir}/snort_dynamicpreprocessor/*.a \
> + ${libdir}/snort_dynamicrules/*.a \
> + ${libdir}/snort/dynamic_preproc/*.a \
> + ${libdir}/snort/dynamic_output/*.a \
> + "
> +FILES_${PN}-dev += " \
> + ${libdir}/snort_dynamicengine/*.la \
> + ${libdir}/snort_dynamicpreprocessor/*.la \
> + ${libdir}/snort_dynamicrules/*.la \
> + ${libdir}/snort_dynamicengine/*.so \
> + ${libdir}/snort_dynamicpreprocessor/*.so \
> + ${libdir}/snort_dynamicrules/*.so \
> + ${prefix}/src/snort_dynamicsrc \
> + "
> +
> +RRECOMMENDS_${PN} += "${PN}-logrotate"
> +RRECOMMENDS_${PN} += "barnyard"
> +RSUGGESTS_${PN}-logrotate += "logrotate"
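Review bot: The `pkg_postinst_${PN}` body creates the `snort` account with `addgroup`/`adduser` and tests `/etc/group` and `/etc/passwd` without a `$D` prefix, so when it runs during image construction it does not look at the image being built. The account that snort drops privileges to is then only guaranteed to exist after a first-boot postinst has succeeded. The `useradd` class creates the user and group at build time, which also lets the `snort snort` owner in the volatiles file resolve; the sketch below keeps only the volatile update in the postinst and adds a non-login shell. The init script is installed but nothing registers it, so `inherit update-rc.d` with `INITSCRIPT_NAME = "snort"` is probably wanted as well.

```bitbake
inherit autotools gettext useradd

USERADD_PACKAGES = "${PN}"
GROUPADD_PARAM_${PN} = "--system snort"
USERADD_PARAM_${PN} = "--system --home-dir /var/log/snort --no-create-home \
                       --shell /bin/false --gid snort snort"

# … unchanged: EXTRA_OECONF, do_install_append …

pkg_postinst_${PN}() {
    # Volatile directories can only be populated on the running target.
    if [ -z "$D" ]; then
        ${sysconfdir}/init.d/populate-volatile.sh update
    fi
}
```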
--
-Joe MacDonald.
:wq
^ permalink raw reply [flat|nested] 9+ messages in thread* Re: [meta-networking][PATCH 1/3] snort: add recipe
2013-09-23 9:06 [meta-networking][PATCH 1/3] snort: add recipe b40290
2013-09-23 16:58 ` Joe MacDonald
@ 2013-09-23 17:13 ` Joe MacDonald
2013-09-23 17:56 ` Paul Eggleton
1 sibling, 1 reply; 9+ messages in thread
From: Joe MacDonald @ 2013-09-23 17:13 UTC (permalink / raw)
To: b40290; +Cc: openembedded-devel
Actually, something else just occurred to me, too.
[[oe] [meta-networking][PATCH 1/3] snort: add recipe] On 13.09.23 (Mon 17:06) b40290@freescale.com wrote:
> diff --git a/meta-networking/recipes-connectivity/snort/files/volatiles b/meta-networking/recipes-connectivity/snort/files/volatiles
> new file mode 100644
> index 0000000..e3ab51d
> --- /dev/null
> +++ b/meta-networking/recipes-connectivity/snort/files/volatiles
> @@ -0,0 +1,2 @@
> +# <type> <owner> <group> <mode> <path> <linksource>
> +d snort snort 0755 /var/log/snort none
> \ No newline at end of file
Since you're going to be in there again anyway, can you fix this, too?
> diff --git a/meta-networking/recipes-connectivity/snort/snort_2.9.4.6.bb b/meta-networking/recipes-connectivity/snort/snort_2.9.4.6.bb
> new file mode 100644
> index 0000000..5a165ef
> --- /dev/null
> +++ b/meta-networking/recipes-connectivity/snort/snort_2.9.4.6.bb
> @@ -0,0 +1,86 @@
> +DESCRIPTION = "snort - a free lightweight network intrusion detection system for UNIX and Windows."
> +HOMEPAGE = "http://www.snort.org/"
> +LICENSE = "GPL"
> +LIC_FILES_CHKSUM = "file://COPYING;md5=78fa8ef966b48fbf9095e13cc92377c5"
> +
> +DEPENDS = "libpcap libpcre daq libdnet"
> +
> +SRC_URI = " ${GENTOO_MIRROR}/${BP}.tar.gz;name=tarball \
> + file://disable-inaddr-none.patch \
> + file://disable-dap-address-space-id.patch \
> + file://snort.init \
> + file://default \
> + file://logrotate \
> + file://volatiles \
> + "
When you go back at this, can you also try to adopt the format laid out
by Peter here:
http://permalink.gmane.org/gmane.comp.handhelds.openembedded.core/41673
And I don't think the ";name=tarball" is required here. Is it?
-J.
> +SRC_URI[tarball.md5sum] = "4111df01a4f21bd1d328a18b76d625bd"
> +SRC_URI[tarball.sha256sum] = "cfaa5390b1840aaaa68a6c05a7077dd92cb916e6186a014baa451d43cdb0b3bc"
> +
> +inherit autotools gettext
> +
> +EXTRA_OECONF = " \
> + --enable-gre \
> + --enable-linux-smp-stats \
> + --enable-reload \
> + --enable-reload-error-restart \
> + --enable-targetbased \
> + --disable-static-daq \
> + "
> +
> +do_install_append() {
> + install -d ${D}/${sysconfdir}/snort/rules
> + install -d ${D}/${sysconfdir}/snort/preproc_rules
> + install -d ${D}/${sysconfdir}/default/volatiles
> + mkdir -p ${D}/${sysconfdir}/init.d
> + for i in map config conf dtd; do
> + cp ${S}/etc/*.$i ${D}/${sysconfdir}/snort/
> + done
> + cp ${S}/preproc_rules/*.rules ${D}/${sysconfdir}/snort/preproc_rules/
> + install -m 0644 ${WORKDIR}/default ${D}/${sysconfdir}/default/snort
> + install -m 0644 ${WORKDIR}/volatiles ${D}/${sysconfdir}/default/volatiles/snort
> + install -m 0755 ${WORKDIR}/snort.init ${D}/${sysconfdir}/init.d/snort
> + mkdir -p ${D}/${localstatedir}/log/snort
> + install -d ${D}${sysconfdir}/logrotate.d
> + install -m 0644 ${WORKDIR}/logrotate ${D}${sysconfdir}/logrotate.d/snort
> +}
> +
> +pkg_postinst_${PN}() {
> + grep -q ^snort: /etc/group || addgroup snort
> + grep -q ^snort: /etc/passwd || \
> + adduser --disabled-password --home=/var/log/snort/ --system \
> + --ingroup snort --no-create-home -g "snort" snort
> + ${sysconfdir}/init.d/populate-volatile.sh update
> +}
> +
> +PACKAGES =+ "${PN}-logrotate"
> +FILES_${PN}-logrotate = "${sysconfdir}/logrotate.d/snort"
> +FILES_${PN} += " \
> + ${libdir}/snort_dynamicengine/*.so.* \
> + ${libdir}/snort_dynamicpreprocessor/*.so.* \
> + ${libdir}/snort_dynamicrules/*.so.* \
> + "
> +FILES_${PN}-dbg += " \
> + ${libdir}/snort_dynamicengine/.debug \
> + ${libdir}/snort_dynamicpreprocessor/.debug \
> + ${libdir}/snort_dynamicrules/.debug \
> + "
> +FILES_${PN}-staticdev += " \
> + ${libdir}/snort_dynamicengine/*.a \
> + ${libdir}/snort_dynamicpreprocessor/*.a \
> + ${libdir}/snort_dynamicrules/*.a \
> + ${libdir}/snort/dynamic_preproc/*.a \
> + ${libdir}/snort/dynamic_output/*.a \
> + "
> +FILES_${PN}-dev += " \
> + ${libdir}/snort_dynamicengine/*.la \
> + ${libdir}/snort_dynamicpreprocessor/*.la \
> + ${libdir}/snort_dynamicrules/*.la \
> + ${libdir}/snort_dynamicengine/*.so \
> + ${libdir}/snort_dynamicpreprocessor/*.so \
> + ${libdir}/snort_dynamicrules/*.so \
> + ${prefix}/src/snort_dynamicsrc \
> + "
> +
> +RRECOMMENDS_${PN} += "${PN}-logrotate"
> +RRECOMMENDS_${PN} += "barnyard"
> +RSUGGESTS_${PN}-logrotate += "logrotate"
--
-Joe MacDonald.
:wq
^ permalink raw reply [flat|nested] 9+ messages in thread* Re: [meta-networking][PATCH 1/3] snort: add recipe
2013-09-23 17:13 ` Joe MacDonald
@ 2013-09-23 17:56 ` Paul Eggleton
2013-09-23 18:22 ` Joe MacDonald
0 siblings, 1 reply; 9+ messages in thread
From: Paul Eggleton @ 2013-09-23 17:56 UTC (permalink / raw)
To: openembedded-devel
All,
I'm a bit confused; is this recipe supposed to be going into meta-networking
or meta-security? Because patches have been sent recently to add it to both.
Cheers,
Paul
--
Paul Eggleton
Intel Open Source Technology Centre
* Re: [meta-networking][PATCH 1/3] snort: add recipe
2013-09-23 17:56 ` Paul Eggleton
@ 2013-09-23 18:22 ` Joe MacDonald
2013-09-24 17:16 ` Paul Eggleton
0 siblings, 1 reply; 9+ messages in thread
From: Joe MacDonald @ 2013-09-23 18:22 UTC (permalink / raw)
To: Paul Eggleton; +Cc: openembedded-devel
Hey Paul,
[Re: [oe] [meta-networking][PATCH 1/3] snort: add recipe] On 13.09.23 (Mon 18:56) Paul Eggleton wrote:
> All,
>
> I'm a bit confused; is this recipe supposed to be going into
> meta-networking or meta-security? Because patches have been sent
> recently to add it to both.
I had mentioned that I would accept snort into meta-networking if it
wasn't a good fit for meta-security since it was something I'd started
working on integrating anyway a while back. I assumed that was the case
since it was sent to the list for meta-networking today.
I don't think we need copies in both places, though, and since it was
first aimed at meta-security, if it gets merged there, I won't merge it
here.
Hopefully nothing I've said here contradicts what the meta-security
maintainers would want to see.
--
-Joe MacDonald.
:wq
* Re: [meta-networking][PATCH 1/3] snort: add recipe
2013-09-23 18:22 ` Joe MacDonald
@ 2013-09-24 17:16 ` Paul Eggleton
2013-09-24 18:10 ` Joe MacDonald
0 siblings, 1 reply; 9+ messages in thread
From: Paul Eggleton @ 2013-09-24 17:16 UTC (permalink / raw)
To: Joe MacDonald; +Cc: openembedded-devel
Hi Joe,
On Monday 23 September 2013 14:22:02 Joe MacDonald wrote:
> [Re: [oe] [meta-networking][PATCH 1/3] snort: add recipe] On 13.09.23 (Mon
> 18:56) Paul Eggleton wrote:
> >
> > I'm a bit confused; is this recipe supposed to be going into
> > meta-networking or meta-security? Because patches have been sent
> > recently to add it to both.
>
> I had mentioned that I would accept snort into meta-networking if it
> wasn't a good fit for meta-security since it was something I'd started
> working on integrating anyway a while back. I assumed that was the case
> since it was sent to the list for meta-networking today.
>
> I don't think we need copies in both places, though, and since it was
> first aimed at meta-security, if it gets merged there, I won't merge it
> here.
>
> Hopefully nothing I've said here contradicts what the meta-security
> maintainers would want to see.
I would have thought it would go into meta-security myself; but ultimately
it's up to you and Saul really. I just wanted to make sure we didn't somehow
end up with it in both layers since we have patches for adding it to both.
Cheers,
Paul
--
Paul Eggleton
Intel Open Source Technology Centre
* Re: [meta-networking][PATCH 1/3] snort: add recipe
2013-09-24 17:16 ` Paul Eggleton
@ 2013-09-24 18:10 ` Joe MacDonald
0 siblings, 0 replies; 9+ messages in thread
From: Joe MacDonald @ 2013-09-24 18:10 UTC (permalink / raw)
To: Paul Eggleton; +Cc: openembedded-devel
[Re: [oe] [meta-networking][PATCH 1/3] snort: add recipe] On 13.09.24 (Tue 18:16) Paul Eggleton wrote:
> Hi Joe,
>
> On Monday 23 September 2013 14:22:02 Joe MacDonald wrote:
> > [Re: [oe] [meta-networking][PATCH 1/3] snort: add recipe] On 13.09.23 (Mon
> > 18:56) Paul Eggleton wrote:
> > >
> > > I'm a bit confused; is this recipe supposed to be going into
> > > meta-networking or meta-security? Because patches have been sent
> > > recently to add it to both.
> >
> > I had mentioned that I would accept snort into meta-networking if it
> > wasn't a good fit for meta-security since it was something I'd started
> > working on integrating anyway a while back. I assumed that was the case
> > since it was sent to the list for meta-networking today.
> >
> > I don't think we need copies in both places, though, and since it was
> > first aimed at meta-security, if it gets merged there, I won't merge it
> > here.
> >
> > Hopefully nothing I've said here contradicts what the meta-security
> > maintainers would want to see.
>
> I would have thought it would go into meta-security myself; but ultimately
> it's up to you and Saul really. I just wanted to make sure we didn't somehow
> end up with it in both layers since we have patches for adding it to both.
Yeah, I completely agree. Since I'm using meta-security a bit now and
sending a few patches back, I'll keep an eye out and if the snort stuff
lands in there, I would not consider merging it with meta-networking.
Snort has always been in the same category for me as tcpdump, nmap and
etherape/wireshark. A hugely useful network diagnostics tool. But as
an IDS / IPS it makes sense for meta-security as well.
Either works for me.
--
-Joe MacDonald.
:wq
* [meta-networking][PATCH 1/3] snort : add recipe
@ 2013-10-16 7:11 b40290
2013-10-16 8:43 ` Koen Kooi
0 siblings, 1 reply; 9+ messages in thread
From: b40290 @ 2013-10-16 7:11 UTC (permalink / raw)
To: openembedded-devel
From: Chunrong Guo <B40290@freescale.com>
*snort - a free lightweight network intrusion detection
system for UNIX and Windows
Signed-off-by: Chunrong Guo <B40290@freescale.com>
---
.../recipes-connectivity/snort/files/default | 42 ++
.../snort/files/disable-dap-address-space-id.patch | 52 +++
.../snort/files/disable-inaddr-none.patch | 75 ++++
.../recipes-connectivity/snort/files/logrotate | 12 +
.../recipes-connectivity/snort/files/snort.init | 425 ++++++++++++++++++++
.../recipes-connectivity/snort/files/volatiles | 2 +
.../recipes-connectivity/snort/snort_2.9.4.6.bb | 83 ++++
7 files changed, 691 insertions(+), 0 deletions(-)
create mode 100644 meta-networking/recipes-connectivity/snort/files/default
create mode 100644 meta-networking/recipes-connectivity/snort/files/disable-dap-address-space-id.patch
create mode 100644 meta-networking/recipes-connectivity/snort/files/disable-inaddr-none.patch
create mode 100644 meta-networking/recipes-connectivity/snort/files/logrotate
create mode 100755 meta-networking/recipes-connectivity/snort/files/snort.init
create mode 100644 meta-networking/recipes-connectivity/snort/files/volatiles
create mode 100644 meta-networking/recipes-connectivity/snort/snort_2.9.4.6.bb
diff --git a/meta-networking/recipes-connectivity/snort/files/default b/meta-networking/recipes-connectivity/snort/files/default
new file mode 100644
index 0000000..afd3840
--- /dev/null
+++ b/meta-networking/recipes-connectivity/snort/files/default
@@ -0,0 +1,42 @@
+# Parameters for the daemon
+# Add any additional parameteres here.
+PARAMS="-m 027 -D -d "
+#
+# Snort user
+# This user will be used to launch snort. Notice that the
+# preinst script of the package might do changes to the user
+# (home directory, User Name) when the package is upgraded or
+# reinstalled. So, do *not* change this to 'root' or to any other user
+# unless you are sure there is no problem with those changes being introduced.
+#
+SNORTUSER="snort"
+#
+# Logging directory
+# Snort logs will be dropped here and this will be the home
+# directory for the SNORTUSER. If you change this value you should
+# change the /etc/logrotate.d/snort definition too, otherwise logs
+# will not be rotated properly.
+#
+LOGDIR="/var/log/snort"
+#
+# Snort group
+# This is the group that the snort user will be added to.
+#
+SNORTGROUP="snort"
+#
+# Allow Snort's init.d script to work if the configured interfaces
+# are not available. Set this to yes if you configure Snort with
+# multiple interfaces but some might not be available on boot
+# (e.g. wireless interfaces)
+#
+# Note: In order for this to work the 'iproute' package needs to
+# be installed.
+ALLOW_UNAVAILABLE="no"
+
+# Local configs
+#
+LOCAL_SNORT_STARTUP=boot
+LOCAL_SNORT_HOME_NET="192.168.0.0/16"
+LOCAL_SNORT_INTERFACE=""
+LOCAL_SNORT_STATS_RCPT="root"
+LOCAL_SNORT_STATS_THRESHOLD="1"
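Review bot: `LOCAL_SNORT_INTERFACE=""` makes the `start` branch of snort.init print "no interfaces configured, will not start" and exit 0, so an image with this package installed boots with no sensor running and no failure reported. The setting deserves a comment saying so, e.g. `# Space-separated list of interfaces to monitor. Empty means snort is NOT started.` The comment above `SNORTUSER` still refers to a Debian preinst script that this recipe does not have, and `LOCAL_SNORT_STATS_RCPT` and `LOCAL_SNORT_STATS_THRESHOLD` are not read by the init script in this patch, so they could be dropped or explained. Because snort.init sources this file as root and expands `$PARAMS` and `$LOCAL_SNORT_OPTIONS` unquoted onto the daemon command line, a line stating that the file must stay writable by root only would also help.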
diff --git a/meta-networking/recipes-connectivity/snort/files/disable-dap-address-space-id.patch b/meta-networking/recipes-connectivity/snort/files/disable-dap-address-space-id.patch
new file mode 100644
index 0000000..39e5c9c
--- /dev/null
+++ b/meta-networking/recipes-connectivity/snort/files/disable-dap-address-space-id.patch
@@ -0,0 +1,52 @@
+Upstream-Status:Inappropriate [embedded specific]
+
+fix the below error:
+checking for dap address space id... configure:
+configure: error: cannot run test program while cross compiling
+
+
+Signed-off-by: Chunrong Guo <B40290@freescale.com>
+
+--- a/configure.in 2013-08-23 00:06:37.239361932 -0500
++++ b/configure.in 2013-08-23 00:07:32.860266534 -0500
+@@ -679,23 +679,23 @@
+
+ AC_CHECK_FUNCS([daq_hup_apply] [daq_acquire_with_meta])
+
+-AC_MSG_CHECKING([for daq address space ID])
+-AC_RUN_IFELSE(
+-[AC_LANG_PROGRAM(
+-[[
+-#include <daq.h>
+-]],
+-[[
+- DAQ_PktHdr_t hdr;
+- hdr.address_space_id = 0;
+-]])],
+-[have_daq_address_space_id="yes"],
+-[have_daq_address_space_id="no"])
+-AC_MSG_RESULT($have_daq_address_space_id)
+-if test "x$have_daq_address_space_id" = "xyes"; then
+- AC_DEFINE([HAVE_DAQ_ADDRESS_SPACE_ID],[1],
+- [DAQ version supports address space ID in header.])
+-fi
++#AC_MSG_CHECKING([for daq address space ID])
++#AC_RUN_IFELSE(
++#[AC_LANG_PROGRAM(
++#[[
++##include <daq.h>
++#]],
++#[[
++# DAQ_PktHdr_t hdr;
++# hdr.address_space_id = 0;
++#]])],
++have_daq_address_space_id="yes"
++#[have_daq_address_space_id="no"])
++#AC_MSG_RESULT($have_daq_address_space_id)
++#if test "x$have_daq_address_space_id" = "xyes"; then
++# AC_DEFINE([HAVE_DAQ_ADDRESS_SPACE_ID],[1],
++# [DAQ version supports address space ID in header.])
++#fi
+
+ # any sparc platform has to have this one defined.
+ AC_MSG_CHECKING(for sparc)
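Review bot: Commenting out the whole block also removes `AC_DEFINE([HAVE_DAQ_ADDRESS_SPACE_ID], ...)`, so the forced `have_daq_address_space_id="yes"` has no visible effect and the macro is never defined, unless configure.in uses the variable elsewhere (not visible here). The test body only needs to compile, so changing `AC_RUN_IFELSE(` to `AC_COMPILE_IFELSE(` keeps the real check, works when cross compiling, and could go upstream instead of being marked Inappropriate. The `pcap_lex_destroy` block in disable-inaddr-none.patch has the same problem: `HAVE_PCAP_LEX_DESTROY` is no longer defined, and `AC_LINK_IFELSE(` would answer that question without running anything. The header also reads `Upstream-Status:Inappropriate` without the space used in the other patch.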
diff --git a/meta-networking/recipes-connectivity/snort/files/disable-inaddr-none.patch b/meta-networking/recipes-connectivity/snort/files/disable-inaddr-none.patch
new file mode 100644
index 0000000..9dafe63
--- /dev/null
+++ b/meta-networking/recipes-connectivity/snort/files/disable-inaddr-none.patch
@@ -0,0 +1,75 @@
+Upstream-Status: Inappropriate [embedded specific]
+
+fix the below error:
+checking for INADDR_NONE... configure:
+configure: error: cannot run test program while cross compiling
+
+Signed-off-by: Chunrong Guo <B40290@freescale.com>
+
+
+--- a/configure.in 2013-08-21 03:56:17.197414789 -0500
++++ b/configure.in 2013-08-21 23:19:05.298553560 -0500
+@@ -281,25 +281,7 @@
+ AC_CHECK_TYPES([boolean])
+
+ # In case INADDR_NONE is not defined (like on Solaris)
+-have_inaddr_none="no"
+-AC_MSG_CHECKING([for INADDR_NONE])
+-AC_RUN_IFELSE(
+-[AC_LANG_PROGRAM(
+-[[
+-#include <sys/types.h>
+-#include <netinet/in.h>
+-#include <arpa/inet.h>
+-]],
+-[[
+- if (inet_addr("10,5,2") == INADDR_NONE);
+- return 0;
+-]])],
+-[have_inaddr_none="yes"],
+-[have_inaddr_none="no"])
+-AC_MSG_RESULT($have_inaddr_none)
+-if test "x$have_inaddr_none" = "xno"; then
+- AC_DEFINE([INADDR_NONE],[-1],[For INADDR_NONE definition])
+-fi
++have_inaddr_none="yes"
+
+ AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
+ #include <stdio.h>
+@@ -397,21 +379,21 @@
+ fi
+ fi
+
+-AC_MSG_CHECKING([for pcap_lex_destroy])
+-AC_RUN_IFELSE(
+-[AC_LANG_PROGRAM(
+-[[
+-#include <pcap.h>
+-]],
+-[[
+- pcap_lex_destroy();
+-]])],
+-[have_pcap_lex_destroy="yes"],
+-[have_pcap_lex_destroy="no"])
+-AC_MSG_RESULT($have_pcap_lex_destroy)
+-if test "x$have_pcap_lex_destroy" = "xyes"; then
+- AC_DEFINE([HAVE_PCAP_LEX_DESTROY],[1],[Can cleanup lex buffer stack created by pcap bpf filter])
+-fi
++#AC_MSG_CHECKING([for pcap_lex_destroy])
++#AC_RUN_IFELSE(
++#[AC_LANG_PROGRAM(
++#[[
++##include <pcap.h>
++#]],
++#[[
++# pcap_lex_destroy();
++#]])],
++have_pcap_lex_destroy="yes"
++#[have_pcap_lex_destroy="no"])
++#AC_MSG_RESULT($have_pcap_lex_destroy)
++#if test "x$have_pcap_lex_destroy" = "xyes"; then
++# AC_DEFINE([HAVE_PCAP_LEX_DESTROY],[1],[Can cleanup lex buffer stack created by pcap bpf filter])
++#fi
+
+ AC_MSG_CHECKING([for pcap_lib_version])
+ AC_LINK_IFELSE(
diff --git a/meta-networking/recipes-connectivity/snort/files/logrotate b/meta-networking/recipes-connectivity/snort/files/logrotate
new file mode 100644
index 0000000..e394e2e
--- /dev/null
+++ b/meta-networking/recipes-connectivity/snort/files/logrotate
@@ -0,0 +1,12 @@
+/var/log/snort/*.log /var/log/snort/alert {
+ size 1M
+ missingok
+ compress
+ delaycompress
+ rotate 10
+ sharedscripts
+ postrotate
+ /etc/init.d/snort restart
+ endscript
+}
+
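Review bot: The `postrotate` step runs `/etc/init.d/snort restart`, so each time a log passes `size 1M` the sensor is stopped and started, and traffic goes uninspected for that window. That script's restart branch also exits 6 when it finds no pid file, which logrotate will report as a failed script. Separately, the volatiles file in this patch creates /var/log/snort owned by snort:snort, and logrotate (normally run as root) rotating inside a directory owned by a non-root user is the case its `su` directive exists for. Consider adding `su snort snort` and `create 0640 snort snort`, adjusted to whatever SNORTUSER/SNORTGROUP are set to, so the rotated files keep the restrictive mode implied by the `-m 027` in PARAMS.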
diff --git a/meta-networking/recipes-connectivity/snort/files/snort.init b/meta-networking/recipes-connectivity/snort/files/snort.init
new file mode 100755
index 0000000..af66619
--- /dev/null
+++ b/meta-networking/recipes-connectivity/snort/files/snort.init
@@ -0,0 +1,425 @@
+#!/bin/sh -e
+#
+# Init.d script for Snort in OpenEmbedded, based on Debian's script
+#
+# Copyright (c) 2009 Roman I Khimov <khimov@altell.ru>
+#
+# Copyright (c) 2001 Christian Hammers
+# Copyright (c) 2001-2002 Robert van der Meulen
+# Copyright (c) 2002-2004 Sander Smeenk <ssmeenk@debian.org>
+# Copyright (c) 2004-2007 Javier Fernandez-Sanguino <jfs@debian.org>
+#
+# This is free software; you may redistribute it and/or modify
+# it under the terms of the GNU General Public License as
+# published by the Free Software Foundation; either version 2,
+# or (at your option) any later version.
+#
+# This is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License with
+# the Debian operating system, in /usr/share/common-licenses/GPL; if
+# not, write to the Free Software Foundation, Inc., 59 Temple Place,
+# Suite 330, Boston, MA 02111-1307 USA
+#
+### BEGIN INIT INFO
+# Provides: snort
+# Required-Start: $time $network $local_fs
+# Required-Stop:
+# Should-Start: $syslog
+# Should-Stop:
+# Default-Start: 2 3 4 5
+# Default-Stop: 0 1 6
+# Short-Description: Lightweight network intrusion detection system
+# Description: Intrusion detection system that will
+# capture traffic from the network cards and will
+# match against a set of known attacks.
+### END INIT INFO
+
+PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
+
+test $DEBIAN_SCRIPT_DEBUG && set -v -x
+
+DAEMON=/usr/bin/snort
+NAME=snort
+DESC="Network Intrusion Detection System"
+
+. /etc/default/snort
+COMMON="$PARAMS -l $LOGDIR -u $SNORTUSER -g $SNORTGROUP"
+
+test -x $DAEMON || exit 0
+test -z "$LOCAL_SNORT_HOME_NET" && LOCAL_SNORT_HOME_NET="192.168.0.0/16"
+
+# to find the lib files
+cd /etc/snort
+
+running()
+{
+ PIDFILE=$1
+# No pidfile, probably no daemon present
+ [ ! -f "$PIDFILE" ] && return 1
+ pid=`cat $PIDFILE`
+# No pid, probably no daemon present
+ [ -z "$pid" ] && return 1
+ [ ! -d /proc/$pid ] && return 1
+ cmd=`cat /proc/$pid/cmdline | tr "\000" "\n"|head -n 1 |cut -d : -f 1`
+# No daemon
+ [ "$cmd" != "$DAEMON" ] && return 1
+ return 0
+}
+
+
+check_log_dir() {
+# Does the logging directory belong to Snort?
+ # If we cannot determine the logdir return without error
+ # (we will not check it)
+ # This will only be used by people using /etc/default/snort
+ [ -n "$LOGDIR" ] || return 0
+ [ -n "$SNORTUSER" ] || return 0
+ if [ ! -e "$LOGDIR" ] ; then
+ echo "ERR: logging directory $LOGDIR does not exist"
+ return 1
+ elif [ ! -d "$LOGDIR" ] ; then
+ echo "ERR: logging directory $LOGDIR does not exist"
+ return 1
+ else
+ # Don't worry, be happy
+ true
+ fi
+ return 0
+}
+
+check_root() {
+ if [ "$(id -u)" != "0" ]; then
+ echo "You must be root to start, stop or restart $NAME."
+ exit 4
+ fi
+}
+
+case "$1" in
+ start)
+ check_root
+ echo "Starting $DESC " "$NAME"
+
+ if [ -e /etc/snort/db-pending-config ] ; then
+ echo "/etc/snort/db-pending-config file found"
+ echo "Snort will not start as its database is not yet configured."
+ echo "Please configure the database as described in"
+ echo "/usr/share/doc/snort-{pgsql,mysql}/README-database.Debian"
+ echo "and remove /etc/snort/db-pending-config"
+ exit 6
+ fi
+
+ if ! check_log_dir; then
+ echo " will not start $DESC!"
+ exit 5
+ fi
+ if [ "$LOCAL_SNORT_STARTUP" = "dialup" ]; then
+ shift
+ set +e
+ /etc/ppp/ip-up.d/snort "$@"
+ ret=$?
+ if [ $ret -eq 0 ] ; then
+ echo 0
+ else
+ echo 1
+ fi
+ exit $ret
+ fi
+
+ # Usually, we start all interfaces
+ interfaces="$LOCAL_SNORT_INTERFACE"
+
+ # If we are requested to start a specific interface...
+ test "$2" && interfaces="$2"
+
+ # If the interfaces list is empty stop (no error)
+ if [ -z "$interfaces" ] ; then
+ echo "no interfaces configured, will not start"
+ echo 0
+ exit 0
+ fi
+
+ myret=0
+ got_instance=0
+ for interface in $interfaces; do
+ got_instance=1
+ echo "($interface"
+
+ # Check if the interface is available:
+ # - only if iproute is available
+ # - the interface exists
+ # - the interface is up
+ if ! [ -x /sbin/ip ] || ( ip link show dev "$interface" >/dev/null 2>&1 && [ -n "`ip link show up "$interface" 2>/dev/null`" ] ) ; then
+
+ PIDFILE=/var/run/snort_$interface.pid
+ CONFIGFILE=/etc/snort/snort.$interface.conf
+
+ # Defaults:
+ fail="failed (check /var/log/syslog and /var/log/snort)"
+ run="yes"
+
+ if [ -e "$PIDFILE" ] && running $PIDFILE; then
+ run="no"
+ # Do not start this instance, it is already runing
+ fi
+
+ if [ "$run" = "yes" ] ; then
+ if [ ! -e "$CONFIGFILE" ]; then
+ echo "no /etc/snort/snort.$interface.conf found, defaulting to snort.conf"
+ CONFIGFILE=/etc/snort/snort.conf
+ fi
+
+ set +e
+ /sbin/start-stop-daemon --start --quiet \
+ --pidfile "$PIDFILE" \
+ --exec $DAEMON -- $COMMON $LOCAL_SNORT_OPTIONS \
+ -c $CONFIGFILE \
+ -S "HOME_NET=[$LOCAL_SNORT_HOME_NET]" \
+ -i $interface >/dev/null
+ ret=$?
+ case "$ret" in
+ 0)
+ echo "...done)"
+ ;;
+ *)
+ echo "...ERROR: $fail)"
+ myret=$(expr "$myret" + 1)
+ ;;
+ esac
+ set -e
+ else
+ echo "...already running)"
+ fi
+
+ else
+ # What to do if the interface is not available
+ # or is not up
+ if [ "$ALLOW_UNAVAILABLE" != "no" ] ; then
+ echo "...interface not available)"
+ else
+ echo "...ERROR: interface not available)"
+ myret=$(expr "$myret" + 1)
+ fi
+ fi
+ done
+
+ if [ "$got_instance" = 0 ] && [ "$ALLOW_UNAVAILABLE" = "no" ]; then
+ echo "No snort instance found to be started!" >&2
+ exit 6
+ fi
+
+ if [ $myret -eq 0 ] ; then
+ echo 0
+ else
+ echo 1
+ fi
+ exit $myret
+ ;;
+ stop)
+ check_root
+ echo "Stopping $DESC " "$NAME"
+
+ if [ "$LOCAL_SNORT_STARTUP" = "dialup" ]; then
+ shift
+ set +e
+ /etc/ppp/ip-down.d/snort "$@"
+ ret=$?
+ if [ $ret -eq 0 ] ; then
+ echo 0
+ else
+ echo 1
+ fi
+ exit $ret
+ fi
+
+ # Usually, we stop all current running interfaces
+ pidpattern=/var/run/snort_*.pid
+
+ # If we are requested to stop a specific interface...
+ test "$2" && pidpattern=/var/run/snort_"$2".pid
+
+ got_instance=0
+ myret=0
+ for PIDFILE in $pidpattern; do
+ # This check is also needed, if the above pattern doesn't match
+ test -f "$PIDFILE" || continue
+
+ got_instance=1
+ interface=$(basename "$PIDFILE" .pid | sed -e 's/^snort_//')
+
+ echo "($interface"
+
+ set +e
+ if [ ! -e "$PIDFILE" -o -r "$PIDFILE" ] ; then
+# Change ownership of the pidfile
+ /sbin/start-stop-daemon --stop --retry 5 --quiet --oknodo \
+ --pidfile "$PIDFILE" --exec $DAEMON >/dev/null
+ ret=$?
+ rm -f "$PIDFILE"
+ rm -f "$PIDFILE.lck"
+ else
+ echo "cannot read $PIDFILE"
+ ret=4
+ fi
+ case "$ret" in
+ 0)
+ echo "...done)"
+ ;;
+ *)
+ echo "...ERROR)"
+ myret=$(expr "$myret" + 1)
+ ;;
+ esac
+ set -e
+
+ done
+
+ if [ "$got_instance" = 0 ]; then
+ log_warning_msg "No running snort instance found"
+ exit 0 # LSB demands we don't exit with error here
+ fi
+ if [ $myret -eq 0 ] ; then
+ echo 0
+ else
+ echo 1
+ fi
+ exit $myret
+ ;;
+ restart|force-restart|reload|force-reload)
+ check_root
+ # Usually, we restart all current running interfaces
+ pidpattern=/var/run/snort_*.pid
+
+ # If we are requested to restart a specific interface...
+ test "$2" && pidpattern=/var/run/snort_"$2".pid
+
+ got_instance=0
+ for PIDFILE in $pidpattern; do
+ # This check is also needed, if the above pattern doesn't match
+ test -f "$PIDFILE" || continue
+
+ got_instance=1
+ interface=$(basename "$PIDFILE" .pid | sed -e 's/^snort_//')
+ $0 stop $interface || true
+ $0 start $interface || true
+ done
+
+ if [ "$got_instance" = 0 ]; then
+ echo "No snort instance found to be stopped!" >&2
+ exit 6
+ fi
+ ;;
+ status)
+# Non-root users can use this (if allowed to)
+ echo "Status of snort daemon(s)"
+ interfaces="$LOCAL_SNORT_INTERFACE"
+ # If we are requested to check for a specific interface...
+ test "$2" && interfaces="$2"
+ err=0
+ pid=0
+ for interface in $interfaces; do
+ echo " $interface "
+ pidfile=/var/run/snort_$interface.pid
+ if [ -f "$pidfile" ] ; then
+ if [ -r "$pidfile" ] ; then
+ pidval=`cat $pidfile`
+ pid=$(expr "$pid" + 1)
+ if ps -p $pidval | grep -q snort; then
+ echo "OK"
+ else
+ echo "ERROR"
+ err=$(expr "$err" + 1)
+ fi
+ else
+ echo "ERROR: cannot read status file"
+ err=$(expr "$err" + 1)
+ fi
+ else
+ echo "ERROR"
+ err=$(expr "$err" + 1)
+ fi
+ done
+ if [ $err -ne 0 ] ; then
+ if [ $pid -ne 0 ] ; then
+# More than one case where pidfile exists but no snort daemon
+# LSB demands a '1' exit value here
+ echo 1
+ exit 1
+ else
+# No pidfiles at all
+# LSB demands a '3' exit value here
+ echo 3
+ exit 3
+ fi
+ fi
+ echo 0
+ ;;
+ config-check)
+ echo "Checking $DESC configuration"
+ if [ "$LOCAL_SNORT_STARTUP" = "dialup" ]; then
+ echo "Config-check is currently not supported for snort in Dialup configuration"
+ echo 3
+ exit 3
+ fi
+
+ # usually, we test all interfaces
+ interfaces="$LOCAL_SNORT_INTERFACE"
+ # if we are requested to test a specific interface...
+ test "$2" && interfaces="$2"
+
+ myret=0
+ got_instance=0
+ for interface in $interfaces; do
+ got_instance=1
+ echo "interface $interface"
+
+ CONFIGFILE=/etc/snort/snort.$interface.conf
+ if [ ! -e "$CONFIGFILE" ]; then
+ CONFIGFILE=/etc/snort/snort.conf
+ fi
+ COMMON=`echo $COMMON | sed -e 's/-D//'`
+ set +e
+ fail="INVALID"
+ if [ -r "$CONFIGFILE" ]; then
+ $DAEMON -T $COMMON $LOCAL_SNORT_OPTIONS \
+ -c $CONFIGFILE \
+ -S "HOME_NET=[$LOCAL_SNORT_HOME_NET]" \
+ -i $interface >/dev/null 2>&1
+ ret=$?
+ else
+ fail="cannot read $CONFIGFILE"
+ ret=4
+ fi
+ set -e
+
+ case "$ret" in
+ 0)
+ echo "OK"
+ ;;
+ *)
+ echo "$fail"
+ myret=$(expr "$myret" + 1)
+ ;;
+ esac
+ done
+ if [ "$got_instance" = 0 ]; then
+ echo "no snort instance found to be started!" >&2
+ exit 6
+ fi
+
+ if [ $myret -eq 0 ] ; then
+ echo 0
+ else
+ echo 1
+ fi
+ exit $myret
+ ;;
+ *)
+ echo "Usage: $0 {start|stop|restart|force-restart|reload|force-reload|status|config-check}"
+ exit 1
+ ;;
+esac
+exit 0
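Review bot: In the `stop` branch, `log_warning_msg "No running snort instance found"` calls a function this script never defines or sources (there is no `. /lib/lsb/init-functions`), so under `#!/bin/sh -e` the script aborts with a command-not-found status before reaching the `exit 0` that the comment says LSB requires; use `echo "No running snort instance found" >&2`, as the start branch does. `check_log_dir` is commented as checking that the log directory belongs to Snort, but it only tests that `$LOGDIR` exists and is a directory, and both failures print "does not exist"; either restore an ownership check against `$SNORTUSER` or correct the comment, and make the second message read "is not a directory". The `status` branch decides liveness with `ps -p $pidval | grep -q snort`, which is looser than `running()`'s comparison of the command line against `$DAEMON` and can report OK for an unrelated process after PID reuse; `if running "$pidfile"; then` would keep the two checks consistent. Expansions such as `cat $PIDFILE`, `-c $CONFIGFILE` and `-i $interface` should be quoted, since the interface name can come from `$2`.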
diff --git a/meta-networking/recipes-connectivity/snort/files/volatiles b/meta-networking/recipes-connectivity/snort/files/volatiles
new file mode 100644
index 0000000..0f22f9b
--- /dev/null
+++ b/meta-networking/recipes-connectivity/snort/files/volatiles
@@ -0,0 +1,2 @@
+# <type> <owner> <group> <mode> <path> <linksource>
+d snort snort 0755 /var/log/snort none
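Review bot: Mode `0755` on /var/log/snort lets every local user list the IDS log directory, even though the daemon itself is started with `-m 027` in the default PARAMS. Unless something other than the snort user and group needs to traverse it, `d snort snort 0750 /var/log/snort none` matches that umask. The entry also presumes a `snort` user and group exist on the target when populate-volatile runs, and nothing in this patch creates them.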
diff --git a/meta-networking/recipes-connectivity/snort/snort_2.9.4.6.bb b/meta-networking/recipes-connectivity/snort/snort_2.9.4.6.bb
new file mode 100644
index 0000000..c72b49b
--- /dev/null
+++ b/meta-networking/recipes-connectivity/snort/snort_2.9.4.6.bb
@@ -0,0 +1,83 @@
+DESCRIPTION = "snort - a free lightweight network intrusion detection system for UNIX and Windows."
+HOMEPAGE = "http://www.snort.org/"
+LICENSE = "GPL-2.0"
+LIC_FILES_CHKSUM = "file://COPYING;md5=78fa8ef966b48fbf9095e13cc92377c5"
+
+DEPENDS = "libpcap libpcre daq libdnet"
+
+
+SRC_URI = " ${GENTOO_MIRROR}/${BP}.tar.gz;name=tarball \
+ file://disable-inaddr-none.patch \
+ file://disable-dap-address-space-id.patch \
+ file://snort.init \
+ file://default \
+ file://logrotate \
+ file://volatiles"
+
+SRC_URI[tarball.md5sum] = "4111df01a4f21bd1d328a18b76d625bd"
+SRC_URI[tarball.sha256sum] = "cfaa5390b1840aaaa68a6c05a7077dd92cb916e6186a014baa451d43cdb0b3bc"
+
+inherit autotools gettext
+
+EXTRA_OECONF = " \
+ --enable-gre \
+ --enable-linux-smp-stats \
+ --enable-reload \
+ --enable-reload-error-restart \
+ --enable-targetbased \
+ --disable-static-daq \
+ "
+
+do_install_append() {
+ install -d ${D}/${sysconfdir}/snort/rules
+ install -d ${D}/${sysconfdir}/snort/preproc_rules
+ install -d ${D}/${sysconfdir}/default/volatiles
+ mkdir -p ${D}/${sysconfdir}/init.d
+ for i in map config conf dtd; do
+ cp ${S}/etc/*.$i ${D}/${sysconfdir}/snort/
+ done
+ cp ${S}/preproc_rules/*.rules ${D}/${sysconfdir}/snort/preproc_rules/
+ install -m 0644 ${WORKDIR}/default ${D}/${sysconfdir}/default/snort
+ install -m 0644 ${WORKDIR}/volatiles ${D}/${sysconfdir}/default/volatiles/snort
+ install -m 0755 ${WORKDIR}/snort.init ${D}/${sysconfdir}/init.d/snort
+ mkdir -p ${D}/${localstatedir}/log/snort
+ install -d ${D}${sysconfdir}/logrotate.d
+ install -m 0644 ${WORKDIR}/logrotate ${D}${sysconfdir}/logrotate.d/snort
+}
+
+pkg_postinst_${PN}() {
+ ${sysconfdir}/init.d/populate-volatile.sh update
+}
+
+PACKAGES =+ "${PN}-logrotate"
+FILES_${PN}-logrotate = "${sysconfdir}/logrotate.d/snort"
+FILES_${PN} += " \
+ ${libdir}/snort_dynamicengine/*.so.* \
+ ${libdir}/snort_dynamicpreprocessor/*.so.* \
+ ${libdir}/snort_dynamicrules/*.so.* \
+ "
+FILES_${PN}-dbg += " \
+ ${libdir}/snort_dynamicengine/.debug \
+ ${libdir}/snort_dynamicpreprocessor/.debug \
+ ${libdir}/snort_dynamicrules/.debug \
+ "
+FILES_${PN}-staticdev += " \
+ ${libdir}/snort_dynamicengine/*.a \
+ ${libdir}/snort_dynamicpreprocessor/*.a \
+ ${libdir}/snort_dynamicrules/*.a \
+ ${libdir}/snort/dynamic_preproc/*.a \
+ ${libdir}/snort/dynamic_output/*.a \
+ "
+FILES_${PN}-dev += " \
+ ${libdir}/snort_dynamicengine/*.la \
+ ${libdir}/snort_dynamicpreprocessor/*.la \
+ ${libdir}/snort_dynamicrules/*.la \
+ ${libdir}/snort_dynamicengine/*.so \
+ ${libdir}/snort_dynamicpreprocessor/*.so \
+ ${libdir}/snort_dynamicrules/*.so \
+ ${prefix}/src/snort_dynamicsrc \
+ "
+
+RRECOMMENDS_${PN} += "${PN}-logrotate"
+RRECOMMENDS_${PN} += "barnyard"
+RSUGGESTS_${PN}-logrotate += "logrotate"
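Review bot: Nothing in this recipe creates the account the init script drops privileges to (`-u $SNORTUSER -g $SNORTGROUP`) or that the volatiles entry names as owner, so on a fresh image the daemon will presumably fail to start or end up reconfigured to run as root. Adding `inherit useradd` with `USERADD_PACKAGES = "${PN}"` and `USERADD_PARAM_${PN} = "--system --no-create-home --shell /bin/false snort"` (name to match the default file) would cover it. `pkg_postinst_${PN}` also runs `${sysconfdir}/init.d/populate-volatile.sh update` unconditionally; at rootfs-construction time `$D` is set and that path refers to the build host, so guard it with `if [ -z "$D" ] && [ -e ${sysconfdir}/init.d/populate-volatile.sh ]; then ... fi`. In `do_install_append`, the `cp ${S}/etc/*.$i` and `cp ${S}/preproc_rules/*.rules` lines carry over whatever mode the build tree has; `install -m 0644` would pin the permissions of the shipped configuration and rules.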
--
1.7.5.4
^ permalink raw reply related [flat|nested] 9+ messages in thread* Re: [meta-networking][PATCH 1/3] snort : add recipe
2013-10-16 7:11 [meta-networking][PATCH 1/3] snort : " b40290
@ 2013-10-16 8:43 ` Koen Kooi
0 siblings, 0 replies; 9+ messages in thread
From: Koen Kooi @ 2013-10-16 8:43 UTC (permalink / raw)
To: openembedded-devel
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Op 16-10-13 09:11, b40290@freescale.com schreef:
> From: Chunrong Guo <B40290@freescale.com>
>
> *snort - a free lightweight network intrusion detection system for UNIX
> and Windows
>
> Signed-off-by: Chunrong Guo <B40290@freescale.com> ---
> .../recipes-connectivity/snort/files/default | 42 ++
> .../snort/files/disable-dap-address-space-id.patch | 52 +++
> .../snort/files/disable-inaddr-none.patch | 75 ++++
> .../recipes-connectivity/snort/files/logrotate | 12 +
> .../recipes-connectivity/snort/files/snort.init | 425
> ++++++++++++++++++++ .../recipes-connectivity/snort/files/volatiles |
> 2 + .../recipes-connectivity/snort/snort_2.9.4.6.bb | 83 ++++ 7
> files changed, 691 insertions(+), 0 deletions(-) create mode 100644
> meta-networking/recipes-connectivity/snort/files/default create mode
> 100644
> meta-networking/recipes-connectivity/snort/files/disable-dap-address-space-id.patch
>
>
create mode 100644
meta-networking/recipes-connectivity/snort/files/disable-inaddr-none.patch
> create mode 100644
> meta-networking/recipes-connectivity/snort/files/logrotate create mode
> 100755 meta-networking/recipes-connectivity/snort/files/snort.init create
> mode 100644 meta-networking/recipes-connectivity/snort/files/volatiles
> create mode 100644
> meta-networking/recipes-connectivity/snort/snort_2.9.4.6.bb
>
> diff --git a/meta-networking/recipes-connectivity/snort/files/default
> b/meta-networking/recipes-connectivity/snort/files/default new file mode
> 100644 index 0000000..afd3840 --- /dev/null +++
> b/meta-networking/recipes-connectivity/snort/files/default @@ -0,0 +1,42
> @@
> +LOGDIR="/var/log/snort"
Hardcoded path
> diff --git a/meta-networking/recipes-connectivity/snort/files/logrotate
> b/meta-networking/recipes-connectivity/snort/files/logrotate new file
> mode 100644 index 0000000..e394e2e --- /dev/null +++
> b/meta-networking/recipes-connectivity/snort/files/logrotate @@ -0,0
> +1,12 @@ +/var/log/snort/*.log /var/log/snort/alert {
hardcoded path
> + size 1M + missingok + compress + delaycompress + rotate
> 10 + sharedscripts + postrotate + /etc/init.d/snort restart
hardcoded path and sysvinit specific
> diff --git a/meta-networking/recipes-connectivity/snort/files/snort.init
> b/meta-networking/recipes-connectivity/snort/files/snort.init new file
> mode 100755 index 0000000..af66619 --- /dev/null +++
> b/meta-networking/recipes-connectivity/snort/files/snort.init @@ -0,0
> +1,425 @@
> + +PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
hardcoded paths
> + +test $DEBIAN_SCRIPT_DEBUG && set -v -x + +DAEMON=/usr/bin/snort
hardcoded path
> +NAME=snort +DESC="Network Intrusion Detection System" + +.
> /etc/default/snort
hardcoded path
> +COMMON="$PARAMS -l $LOGDIR -u $SNORTUSER -g $SNORTGROUP" + +test -x
> $DAEMON || exit 0 +test -z "$LOCAL_SNORT_HOME_NET" &&
> LOCAL_SNORT_HOME_NET="192.168.0.0/16" + +# to find the lib files +cd
> /etc/snort
hardcoded path
> +check_root() { + if [ "$(id -u)" != "0" ]; then + echo "You
> must be root to start, stop or restart $NAME." + exit 4 + fi
does this work with busybox?
> +} + +case "$1" in + start) + check_root + echo "Starting $DESC "
> "$NAME" + + if [ -e /etc/snort/db-pending-config ] ; then + echo
> "/etc/snort/db-pending-config file found" + echo "Snort will not start
> as its database is not yet configured." + echo "Please configure the
> database as described in" + echo
> "/usr/share/doc/snort-{pgsql,mysql}/README-database.Debian" + echo "and
> remove /etc/snort/db-pending-config"
Tons of hardcoded paths
> + exit 6 + fi + + if ! check_log_dir; then + echo " will not
> start $DESC!" + exit 5 + fi + if [ "$LOCAL_SNORT_STARTUP" = "dialup" ];
> then + shift + set +e + /etc/ppp/ip-up.d/snort "$@"
hardcoded path and needs RRECOMMENDS = pppd?
> + myret=0 + got_instance=0 + for interface in $interfaces; do +
> got_instance=1 + echo "($interface" + + # Check if the
> interface is available: + # - only if iproute is
> available + # - the interface exists + # -
> the interface is up + if ! [ -x /sbin/ip ] || ( ip link
> show dev "$interface" >/dev/null 2>&1 && [ -n "`ip link show up
> "$interface" 2>/dev/null`" ] ) ; then
hardcoded path and needs RDEPENDS = iputils?
> + + PIDFILE=/var/run/snort_$interface.pid +
> CONFIGFILE=/etc/snort/snort.$interface.conf + + #
> Defaults: + fail="failed (check /var/log/syslog and /var/log/snort)" +
> run="yes"
paths...
> + + if [ -e "$PIDFILE" ] && running $PIDFILE; then +
> run="no" + # Do not start this instance, it is
> already runing + fi + + if [ "$run" = "yes"
> ] ; then + if [ ! -e "$CONFIGFILE" ]; then +
> echo "no /etc/snort/snort.$interface.conf found, defaulting to
> snort.conf" + CONFIGFILE=/etc/snort/snort.conf
paths...
> + fi + + set +e +
> /sbin/start-stop-daemon --start --quiet \
start-stop-daemon is in $PATH, so no need to hardcode /sbin
> + if [ "$LOCAL_SNORT_STARTUP" = "dialup" ]; then + shift + set +e +
> /etc/ppp/ip-down.d/snort "$@"
paths....
> + # Usually, we stop all current running interfaces +
> pidpattern=/var/run/snort_*.pid
paths and isn't that /run nowadays?
> + # If we are requested to stop a specific interface... + test "$2" &&
> pidpattern=/var/run/snort_"$2".pid
paths
> + + got_instance=0 + myret=0 + for PIDFILE in $pidpattern; do + #
> This check is also needed, if the above pattern doesn't match + test -f
> "$PIDFILE" || continue + + got_instance=1 + interface=$(basename
> "$PIDFILE" .pid | sed -e 's/^snort_//') + + echo "($interface" + + set
> +e + if [ ! -e "$PIDFILE" -o -r "$PIDFILE" ] ; then +#
> Change ownership of the pidfile + /sbin/start-stop-daemon --stop
> --retry 5 --quiet --oknodo \
paths
> + restart|force-restart|reload|force-reload) + check_root + #
> Usually, we restart all current running interfaces +
> pidpattern=/var/run/snort_*.pid
paths and I'll stop here a sed in do_install will catch most if not all
hardcodes. The start-stop-daemon ones need to get removed.
> diff --git a/meta-networking/recipes-connectivity/snort/files/volatiles
> b/meta-networking/recipes-connectivity/snort/files/volatiles new file
> mode 100644 index 0000000..0f22f9b --- /dev/null +++
> b/meta-networking/recipes-connectivity/snort/files/volatiles @@ -0,0 +1,2
> @@ +# <type> <owner> <group> <mode> <path> <linksource> +d snort snort
> 0755 /var/log/snort none diff --git
> a/meta-networking/recipes-connectivity/snort/snort_2.9.4.6.bb
> b/meta-networking/recipes-connectivity/snort/snort_2.9.4.6.bb new file
> mode 100644 index 0000000..c72b49b --- /dev/null +++
> b/meta-networking/recipes-connectivity/snort/snort_2.9.4.6.bb @@ -0,0
> +1,83 @@ +DESCRIPTION = "snort - a free lightweight network intrusion
> detection system for UNIX and Windows." +HOMEPAGE =
> "http://www.snort.org/" +LICENSE = "GPL-2.0" +LIC_FILES_CHKSUM =
> "file://COPYING;md5=78fa8ef966b48fbf9095e13cc92377c5" + +DEPENDS =
> "libpcap libpcre daq libdnet" + + +SRC_URI = "
> ${GENTOO_MIRROR}/${BP}.tar.gz;name=tarball \ +
> file://disable-inaddr-none.patch \ +
> file://disable-dap-address-space-id.patch \ +
> file://snort.init \ + file://default \ +
> file://logrotate \ + file://volatiles" +
> +SRC_URI[tarball.md5sum] = "4111df01a4f21bd1d328a18b76d625bd"
> +SRC_URI[tarball.sha256sum] =
> "cfaa5390b1840aaaa68a6c05a7077dd92cb916e6186a014baa451d43cdb0b3bc" +
> +inherit autotools gettext
update-rc.d class for the sysvscript?
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (Darwin)
Comment: GPGTools - http://gpgtools.org
iD8DBQFSXlGnMkyGM64RGpERAiuLAKCELquADUALv8QG7yjV9oWopld8xwCgtQUU
8sMwg/KHo2JzsX0Vr3AH/KM=
=jg8m
-----END PGP SIGNATURE-----