[oe] [meta-networking][PATCH 1/3] snort : add recipe
From: Chunrong Guo b40...@freescale.com *snort - a free lightweight network intrusion detection system for UNIX and Windows Signed-off-by: Chunrong Guo b40...@freescale.com --- .../recipes-connectivity/snort/files/default | 42 ++ .../snort/files/disable-dap-address-space-id.patch | 52 +++ .../snort/files/disable-inaddr-none.patch | 75 .../recipes-connectivity/snort/files/logrotate | 12 + .../recipes-connectivity/snort/files/snort.init| 425 .../recipes-connectivity/snort/files/volatiles |2 + .../recipes-connectivity/snort/snort_2.9.4.6.bb| 83 7 files changed, 691 insertions(+), 0 deletions(-) create mode 100644 meta-networking/recipes-connectivity/snort/files/default create mode 100644 meta-networking/recipes-connectivity/snort/files/disable-dap-address-space-id.patch create mode 100644 meta-networking/recipes-connectivity/snort/files/disable-inaddr-none.patch create mode 100644 meta-networking/recipes-connectivity/snort/files/logrotate create mode 100755 meta-networking/recipes-connectivity/snort/files/snort.init create mode 100644 meta-networking/recipes-connectivity/snort/files/volatiles create mode 100644 meta-networking/recipes-connectivity/snort/snort_2.9.4.6.bb diff --git a/meta-networking/recipes-connectivity/snort/files/default b/meta-networking/recipes-connectivity/snort/files/default new file mode 100644 index 000..afd3840 --- /dev/null +++ b/meta-networking/recipes-connectivity/snort/files/default 
@@ -0,0 +1,42 @@ +# Parameters for the daemon +# Add any additional parameteres here. +PARAMS=-m 027 -D -d +# +# Snort user +# This user will be used to launch snort. Notice that the +# preinst script of the package might do changes to the user +# (home directory, User Name) when the package is upgraded or +# reinstalled. So, do *not* change this to 'root' or to any other user +# unless you are sure there is no problem with those changes being introduced. +# +SNORTUSER=snort +# +# Logging directory +# Snort logs will be dropped here and this will be the home +# directory for the SNORTUSER. If you change this value you should +# change the /etc/logrotate.d/snort definition too, otherwise logs +# will not be rotated properly. +# +LOGDIR=/var/log/snort +# +# Snort group +# This is the group that the snort user will be added to. +# +SNORTGROUP=snort +# +# Allow Snort's init.d script to work if the configured interfaces +# are not available. Set this to yes if you configure Snort with +# multiple interfaces but some might not be available on boot +# (e.g. wireless interfaces) +# +# Note: In order for this to work the 'iproute' package needs to +# be installed. +ALLOW_UNAVAILABLE=no + +# Local configs +# +LOCAL_SNORT_STARTUP=boot +LOCAL_SNORT_HOME_NET=192.168.0.0/16 +LOCAL_SNORT_INTERFACE= +LOCAL_SNORT_STATS_RCPT=root +LOCAL_SNORT_STATS_THRESHOLD=1 diff --git a/meta-networking/recipes-connectivity/snort/files/disable-dap-address-space-id.patch b/meta-networking/recipes-connectivity/snort/files/disable-dap-address-space-id.patch new file mode 100644 index 000..39e5c9c --- /dev/null +++ b/meta-networking/recipes-connectivity/snort/files/disable-dap-address-space-id.patch 
@@ -0,0 +1,52 @@ +Upstream-Status:Inappropriate [embedded specific] + +fix the below error: +checking for dap address space id... configure: +configure: error: cannot run test program while cross compiling + + +Signed-off-by: Chunrong Guo b40...@freescale.com + +--- a/configure.in 2013-08-23 00:06:37.239361932 -0500 b/configure.in 2013-08-23 00:07:32.860266534 -0500 +@@ -679,23 +679,23 @@ + + AC_CHECK_FUNCS([daq_hup_apply] [daq_acquire_with_meta]) + +-AC_MSG_CHECKING([for daq address space ID]) +-AC_RUN_IFELSE( +-[AC_LANG_PROGRAM( +-[[ +-#include daq.h +-]], +-[[ +- DAQ_PktHdr_t hdr; +- hdr.address_space_id = 0; +-]])], +-[have_daq_address_space_id=yes], +-[have_daq_address_space_id=no]) +-AC_MSG_RESULT($have_daq_address_space_id) +-if test x$have_daq_address_space_id = xyes; then +-AC_DEFINE([HAVE_DAQ_ADDRESS_SPACE_ID],[1], +-[DAQ version supports address space ID in header.]) +-fi ++#AC_MSG_CHECKING([for daq address space ID]) ++#AC_RUN_IFELSE( ++#[AC_LANG_PROGRAM( ++#[[ ++##include daq.h ++#]], ++#[[ ++# DAQ_PktHdr_t hdr; ++# hdr.address_space_id = 0; ++#]])], ++have_daq_address_space_id=yes ++#[have_daq_address_space_id=no]) ++#AC_MSG_RESULT($have_daq_address_space_id) ++#if test x$have_daq_address_space_id = xyes; then ++#AC_DEFINE([HAVE_DAQ_ADDRESS_SPACE_ID],[1], ++#[DAQ version supports address space ID in header.]) ++#fi + + # any sparc platform has to have this one defined. + AC_MSG_CHECKING(for sparc) diff --git a/meta-networking/recipes-connectivity/snort/files/disable-inaddr-none.patch b/meta-networking/recipes-connectivity/snort/files/disable-inaddr-none.patch new file mode 100644 index 000..9dafe63 --- /dev/null +++
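Review bot: In the configure.in hunk of disable-dap-address-space-id.patch, "have_daq_address_space_id=yes" is the only line left live, while the "if test x$have_daq_address_space_id = xyes" / "AC_DEFINE([HAVE_DAQ_ADDRESS_SPACE_ID],[1]," block is commented out along with the rest. The variable therefore says yes, but HAVE_DAQ_ADDRESS_SPACE_ID is never defined, and the answer is fixed no matter which DAQ is in the sysroot. The test program only assigns "hdr.address_space_id = 0", so it needs to compile, not run: changing AC_RUN_IFELSE to AC_COMPILE_IFELSE keeps a real check that works when cross compiling and could be sent upstream instead of being marked Inappropriate. The patch file name and its description also say "dap" where the check is for "daq".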
Re: [oe] [meta-networking][PATCH 1/3] snort : add recipe
On 16-10-13 09:11, b40...@freescale.com wrote:
From: Chunrong Guo b40...@freescale.com *snort - a free lightweight network intrusion detection system for UNIX and Windows Signed-off-by: Chunrong Guo b40...@freescale.com --- .../recipes-connectivity/snort/files/default | 42 ++ .../snort/files/disable-dap-address-space-id.patch | 52 +++ .../snort/files/disable-inaddr-none.patch | 75 .../recipes-connectivity/snort/files/logrotate | 12 + .../recipes-connectivity/snort/files/snort.init| 425 .../recipes-connectivity/snort/files/volatiles | 2 + .../recipes-connectivity/snort/snort_2.9.4.6.bb| 83 7 files changed, 691 insertions(+), 0 deletions(-) create mode 100644 meta-networking/recipes-connectivity/snort/files/default create mode 100644 meta-networking/recipes-connectivity/snort/files/disable-dap-address-space-id.patch create mode 100644 meta-networking/recipes-connectivity/snort/files/disable-inaddr-none.patch create mode 100644 meta-networking/recipes-connectivity/snort/files/logrotate create mode 100755 meta-networking/recipes-connectivity/snort/files/snort.init create mode 100644 meta-networking/recipes-connectivity/snort/files/volatiles create mode 100644 meta-networking/recipes-connectivity/snort/snort_2.9.4.6.bb diff --git a/meta-networking/recipes-connectivity/snort/files/default b/meta-networking/recipes-connectivity/snort/files/default new file mode 100644 index 000..afd3840 --- /dev/null +++ b/meta-networking/recipes-connectivity/snort/files/default @@ -0,0 +1,42 @@ +LOGDIR=/var/log/snort Hardcoded path diff --git a/meta-networking/recipes-connectivity/snort/files/logrotate b/meta-networking/recipes-connectivity/snort/files/logrotate new file mode 100644 index 000..e394e2e --- /dev/null +++ b/meta-networking/recipes-connectivity/snort/files/logrotate 
@@ -0,0 +1,12 @@ +/var/log/snort/*.log /var/log/snort/alert { hardcoded path +size 1M +missingok +compress +delaycompress +rotate 10 +sharedscripts +postrotate +/etc/init.d/snort restart hardcoded path and sysvinit specific diff --git a/meta-networking/recipes-connectivity/snort/files/snort.init b/meta-networking/recipes-connectivity/snort/files/snort.init new file mode 100755 index 000..af66619 --- /dev/null +++ b/meta-networking/recipes-connectivity/snort/files/snort.init 
@@ -0,0 +1,425 @@ + +PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin hardcoded paths + +test $DEBIAN_SCRIPT_DEBUG set -v -x + +DAEMON=/usr/bin/snort hardcoded path +NAME=snort +DESC=Network Intrusion Detection System + +. /etc/default/snort hardcoded path +COMMON=$PARAMS -l $LOGDIR -u $SNORTUSER -g $SNORTGROUP + +test -x $DAEMON || exit 0 +test -z $LOCAL_SNORT_HOME_NET LOCAL_SNORT_HOME_NET=192.168.0.0/16 + +# to find the lib files +cd /etc/snort hardcoded path +check_root() { +if [ $(id -u) != 0 ]; then +echo You must be root to start, stop or restart $NAME. +exit 4 +fi does this work with busybox? +} + +case $1 in + start) +check_root +echo Starting $DESC $NAME + +if [ -e /etc/snort/db-pending-config ] ; then + echo /etc/snort/db-pending-config file found + echo Snort will not start as its database is not yet configured. + echo Please configure the database as described in + echo /usr/share/doc/snort-{pgsql,mysql}/README-database.Debian + echo and remove /etc/snort/db-pending-config Tons of hardcoded paths + exit 6 +fi + +if ! check_log_dir; then + echo will not start $DESC! + exit 5 +fi +if [ $LOCAL_SNORT_STARTUP = dialup ]; then +shift + set +e + /etc/ppp/ip-up.d/snort $@ hardcoded path and needs RRECOMMENDS = pppd? + myret=0 + got_instance=0 +for interface in $interfaces; do + got_instance=1 + echo ($interface + +# Check if the interface is available: +# - only if iproute is available +# - the interface exists +# - the interface is up +if ! [ -x /sbin/ip ] || ( ip link show dev $interface /dev/null 21 [ -n `ip link show up $interface 2/dev/null` ] ) ; then hardcoded path and needs RDEPENDS = iputils? + + PIDFILE=/var/run/snort_$interface.pid + CONFIGFILE=/etc/snort/snort.$interface.conf + +# Defaults: + fail=failed (check /var/log/syslog and /var/log/snort) + run=yes paths... + +if [ -e $PIDFILE ] running $PIDFILE; then + run=no +# Do not start this instance, it is already runing +fi + +if [ $run = yes ] ; then +if [ ! -e
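Review bot: The PATH assignment at the top of snort.init lists /usr/local/sbin and /usr/local/bin ahead of /sbin and /usr/sbin, the script insists on running as root (check_root), and it later calls ip without a path ("ip link show dev $interface"), so anything placed under /usr/local is resolved first and runs as root. In addition to replacing the hardcoded paths, drop the /usr/local entries (or move them last) so the init script only picks up tools from the image's own system directories.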
Re: [oe] [meta-networking][PATCH 1/3] snort: add recipe
Hi Joe,

On Monday 23 September 2013 14:22:02 Joe MacDonald wrote:
> [Re: [oe] [meta-networking][PATCH 1/3] snort: add recipe] On 13.09.23 (Mon 18:56) Paul Eggleton wrote:
> > I'm a bit confused; is this recipe supposed to be going into meta-networking or meta-security? Because patches have been sent recently to add it to both.
>
> I had mentioned that I would accept snort into meta-networking if it wasn't a good fit for meta-security since it was something I'd started working on integrating anyway a while back. I assumed that was the case since it was sent to the list for meta-networking today. I don't think we need copies in both places, though, and since it was first aimed at meta-security, if it gets merged there, I won't merge it here. Hopefully nothing I've said here contradicts what the meta-security maintainers would want to see.

I would have thought it would go into meta-security myself; but ultimately it's up to you and Saul really. I just wanted to make sure we didn't somehow end up with it in both layers since we have patches for adding it to both.

Cheers,
Paul

--
Paul Eggleton
Intel Open Source Technology Centre
___
Openembedded-devel mailing list
Openembedded-devel@lists.openembedded.org
http://lists.openembedded.org/mailman/listinfo/openembedded-devel
Re: [oe] [meta-networking][PATCH 1/3] snort: add recipe
[Re: [oe] [meta-networking][PATCH 1/3] snort: add recipe] On 13.09.24 (Tue 18:16) Paul Eggleton wrote:
> Hi Joe,
>
> On Monday 23 September 2013 14:22:02 Joe MacDonald wrote:
> > [Re: [oe] [meta-networking][PATCH 1/3] snort: add recipe] On 13.09.23 (Mon 18:56) Paul Eggleton wrote:
> > > I'm a bit confused; is this recipe supposed to be going into meta-networking or meta-security? Because patches have been sent recently to add it to both.
> >
> > I had mentioned that I would accept snort into meta-networking if it wasn't a good fit for meta-security since it was something I'd started working on integrating anyway a while back. I assumed that was the case since it was sent to the list for meta-networking today. I don't think we need copies in both places, though, and since it was first aimed at meta-security, if it gets merged there, I won't merge it here. Hopefully nothing I've said here contradicts what the meta-security maintainers would want to see.
>
> I would have thought it would go into meta-security myself; but ultimately it's up to you and Saul really. I just wanted to make sure we didn't somehow end up with it in both layers since we have patches for adding it to both.

Yeah, I completely agree. Since I'm using meta-security a bit now and sending a few patches back, I'll keep an eye out and if the snort stuff lands in there, I would not consider merging it with meta-networking.

Snort has always been in the same category for me as tcpdump, nmap and etherape/wireshark. A hugely useful network diagnostics tool. But as an IDS / IPS it makes sense for meta-security as well. Either works for me.

--
-Joe MacDonald.
:wq
[oe] [meta-networking][PATCH 1/3] snort: add recipe
From: Chunrong Guo b40...@freescale.com *snort - a free lightweight network intrusion detection system for UNIX and Windows Signed-off-by: Chunrong Guo b40...@freescale.com --- .../recipes-connectivity/snort/files/default | 42 ++ .../snort/files/disable-dap-address-space-id.patch | 52 +++ .../snort/files/disable-inaddr-none.patch | 75 .../recipes-connectivity/snort/files/logrotate | 12 + .../recipes-connectivity/snort/files/snort.init| 425 .../recipes-connectivity/snort/files/volatiles |2 + .../recipes-connectivity/snort/snort_2.9.4.6.bb| 86 7 files changed, 694 insertions(+), 0 deletions(-) create mode 100644 meta-networking/recipes-connectivity/snort/files/default create mode 100644 meta-networking/recipes-connectivity/snort/files/disable-dap-address-space-id.patch create mode 100644 meta-networking/recipes-connectivity/snort/files/disable-inaddr-none.patch create mode 100644 meta-networking/recipes-connectivity/snort/files/logrotate create mode 100755 meta-networking/recipes-connectivity/snort/files/snort.init create mode 100644 meta-networking/recipes-connectivity/snort/files/volatiles create mode 100644 meta-networking/recipes-connectivity/snort/snort_2.9.4.6.bb diff --git a/meta-networking/recipes-connectivity/snort/files/default b/meta-networking/recipes-connectivity/snort/files/default new file mode 100644 index 000..afd3840 --- /dev/null +++ b/meta-networking/recipes-connectivity/snort/files/default 
@@ -0,0 +1,42 @@ +# Parameters for the daemon +# Add any additional parameteres here. +PARAMS=-m 027 -D -d +# +# Snort user +# This user will be used to launch snort. Notice that the +# preinst script of the package might do changes to the user +# (home directory, User Name) when the package is upgraded or +# reinstalled. So, do *not* change this to 'root' or to any other user +# unless you are sure there is no problem with those changes being introduced. +# +SNORTUSER=snort +# +# Logging directory +# Snort logs will be dropped here and this will be the home +# directory for the SNORTUSER. If you change this value you should +# change the /etc/logrotate.d/snort definition too, otherwise logs +# will not be rotated properly. +# +LOGDIR=/var/log/snort +# +# Snort group +# This is the group that the snort user will be added to. +# +SNORTGROUP=snort +# +# Allow Snort's init.d script to work if the configured interfaces +# are not available. Set this to yes if you configure Snort with +# multiple interfaces but some might not be available on boot +# (e.g. wireless interfaces) +# +# Note: In order for this to work the 'iproute' package needs to +# be installed. +ALLOW_UNAVAILABLE=no + +# Local configs +# +LOCAL_SNORT_STARTUP=boot +LOCAL_SNORT_HOME_NET=192.168.0.0/16 +LOCAL_SNORT_INTERFACE= +LOCAL_SNORT_STATS_RCPT=root +LOCAL_SNORT_STATS_THRESHOLD=1 diff --git a/meta-networking/recipes-connectivity/snort/files/disable-dap-address-space-id.patch b/meta-networking/recipes-connectivity/snort/files/disable-dap-address-space-id.patch new file mode 100644 index 000..39e5c9c --- /dev/null +++ b/meta-networking/recipes-connectivity/snort/files/disable-dap-address-space-id.patch 
@@ -0,0 +1,52 @@ +Upstream-Status:Inappropriate [embedded specific] + +fix the below error: +checking for dap address space id... configure: +configure: error: cannot run test program while cross compiling + + +Signed-off-by: Chunrong Guo b40...@freescale.com + +--- a/configure.in 2013-08-23 00:06:37.239361932 -0500 b/configure.in 2013-08-23 00:07:32.860266534 -0500 +@@ -679,23 +679,23 @@ + + AC_CHECK_FUNCS([daq_hup_apply] [daq_acquire_with_meta]) + +-AC_MSG_CHECKING([for daq address space ID]) +-AC_RUN_IFELSE( +-[AC_LANG_PROGRAM( +-[[ +-#include daq.h +-]], +-[[ +- DAQ_PktHdr_t hdr; +- hdr.address_space_id = 0; +-]])], +-[have_daq_address_space_id=yes], +-[have_daq_address_space_id=no]) +-AC_MSG_RESULT($have_daq_address_space_id) +-if test x$have_daq_address_space_id = xyes; then +-AC_DEFINE([HAVE_DAQ_ADDRESS_SPACE_ID],[1], +-[DAQ version supports address space ID in header.]) +-fi ++#AC_MSG_CHECKING([for daq address space ID]) ++#AC_RUN_IFELSE( ++#[AC_LANG_PROGRAM( ++#[[ ++##include daq.h ++#]], ++#[[ ++# DAQ_PktHdr_t hdr; ++# hdr.address_space_id = 0; ++#]])], ++have_daq_address_space_id=yes ++#[have_daq_address_space_id=no]) ++#AC_MSG_RESULT($have_daq_address_space_id) ++#if test x$have_daq_address_space_id = xyes; then ++#AC_DEFINE([HAVE_DAQ_ADDRESS_SPACE_ID],[1], ++#[DAQ version supports address space ID in header.]) ++#fi + + # any sparc platform has to have this one defined. + AC_MSG_CHECKING(for sparc) diff --git a/meta-networking/recipes-connectivity/snort/files/disable-inaddr-none.patch b/meta-networking/recipes-connectivity/snort/files/disable-inaddr-none.patch new file mode 100644 index 000..9dafe63 --- /dev/null +++
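Review bot: The comments in files/default still describe Debian packaging rather than this recipe: the SNORTUSER block warns about "the preinst script of the package" changing the user on upgrade, and the ALLOW_UNAVAILABLE note says the 'iproute' package needs to be installed. Please reword these for the OE package and express the iproute requirement as a runtime dependency in the recipe rather than only in a comment. The defaults also enable the sensor at boot (LOCAL_SNORT_STARTUP=boot) with an empty LOCAL_SNORT_INTERFACE and a generic LOCAL_SNORT_HOME_NET=192.168.0.0/16, so the file should say that both must be set per target. Minor: "parameteres" in the second comment line.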
Re: [oe] [meta-networking][PATCH 1/3] snort: add recipe
Hey Paul,

[Re: [oe] [meta-networking][PATCH 1/3] snort: add recipe] On 13.09.23 (Mon 18:56) Paul Eggleton wrote:
> All,
>
> I'm a bit confused; is this recipe supposed to be going into meta-networking or meta-security? Because patches have been sent recently to add it to both.

I had mentioned that I would accept snort into meta-networking if it wasn't a good fit for meta-security since it was something I'd started working on integrating anyway a while back. I assumed that was the case since it was sent to the list for meta-networking today. I don't think we need copies in both places, though, and since it was first aimed at meta-security, if it gets merged there, I won't merge it here. Hopefully nothing I've said here contradicts what the meta-security maintainers would want to see.

--
-Joe MacDonald.
:wq
Re: [oe] [meta-networking][PATCH 1/3] snort: add recipe
All,

I'm a bit confused; is this recipe supposed to be going into meta-networking or meta-security? Because patches have been sent recently to add it to both.

Cheers,
Paul

--
Paul Eggleton
Intel Open Source Technology Centre
Re: [oe] [meta-networking][PATCH 1/3] snort: add recipe
Hi Chunrong,

A few things with this one.

- can you be more specific with the LICENSE?

  WARNING: snort: No generic license file exists for: GPL in any provider

- my test build generated QA errors due to host libraries being used in the build:

  cc1: warning: include location /usr/include/pcap is unsafe for cross-compilation [-Wpoison-system-directories]
  cc1: warning: include location /usr/include/pcap is unsafe for cross-compilation [-Wpoison-system-directories]
  cc1: warning: include location /usr/include/pcap is unsafe for cross-compilation [-Wpoison-system-directories]
  cc1: warning: include location /usr/include/pcap is unsafe for cross-compilation [-Wpoison-system-directories]

- Is the pkg_postinst_${PN} action really necessary? Can't you accomplish the same thing by inheriting useradd? At worst, I think you'll only need the last line, directly invoking populate-volatile.sh. Could be mistaken on that, though.

- Can you take another pass through the recipe itself, please? There's some inconsistent formatting (specifically around SRC_URI) and minor whitespace issues (around EXTRA_OECONF, for sure, maybe elsewhere, I've only done a quick scan).

- While we're on the topic, I hate to ask, but any chance we could fix up the formatting on the initscript itself? It's an indentation disaster. Not your fault, I know, but I don't know that we'll ever go back to taking the debian one again and I'd rather it be clean for anyone who comes along later.

- There's one minor inconsistency in the logrotate file, too, can you make them all space-indented or all tab-indented please?

Thanks,
-J.

[[oe] [meta-networking][PATCH 1/3] snort: add recipe] On 13.09.23 (Mon 17:06) b40...@freescale.com wrote:
From: Chunrong Guo b40...@freescale.com
*snort - a free lightweight network intrusion detection system for UNIX and Windows
Signed-off-by: Chunrong Guo b40...@freescale.com --- .../recipes-connectivity/snort/files/default | 42 ++ .../snort/files/disable-dap-address-space-id.patch | 52 +++ .../snort/files/disable-inaddr-none.patch | 75 .../recipes-connectivity/snort/files/logrotate | 12 + .../recipes-connectivity/snort/files/snort.init| 425 .../recipes-connectivity/snort/files/volatiles |2 + .../recipes-connectivity/snort/snort_2.9.4.6.bb| 86 7 files changed, 694 insertions(+), 0 deletions(-) create mode 100644 meta-networking/recipes-connectivity/snort/files/default create mode 100644 meta-networking/recipes-connectivity/snort/files/disable-dap-address-space-id.patch create mode 100644 meta-networking/recipes-connectivity/snort/files/disable-inaddr-none.patch create mode 100644 meta-networking/recipes-connectivity/snort/files/logrotate create mode 100755 meta-networking/recipes-connectivity/snort/files/snort.init create mode 100644 meta-networking/recipes-connectivity/snort/files/volatiles create mode 100644 meta-networking/recipes-connectivity/snort/snort_2.9.4.6.bb diff --git a/meta-networking/recipes-connectivity/snort/files/default b/meta-networking/recipes-connectivity/snort/files/default new file mode 100644 index 000..afd3840 --- /dev/null +++ b/meta-networking/recipes-connectivity/snort/files/default 
@@ -0,0 +1,42 @@ +# Parameters for the daemon +# Add any additional parameteres here. +PARAMS=-m 027 -D -d +# +# Snort user +# This user will be used to launch snort. Notice that the +# preinst script of the package might do changes to the user +# (home directory, User Name) when the package is upgraded or +# reinstalled. So, do *not* change this to 'root' or to any other user +# unless you are sure there is no problem with those changes being introduced. +# +SNORTUSER=snort +# +# Logging directory +# Snort logs will be dropped here and this will be the home +# directory for the SNORTUSER. If you change this value you should +# change the /etc/logrotate.d/snort definition too, otherwise logs +# will not be rotated properly. +# +LOGDIR=/var/log/snort +# +# Snort group +# This is the group that the snort user will be added to. +# +SNORTGROUP=snort +# +# Allow Snort's init.d script to work if the configured interfaces +# are not available. Set this to yes if you configure Snort with +# multiple interfaces but some might not be available on boot +# (e.g. wireless interfaces) +# +# Note: In order for this to work the 'iproute' package needs to +# be installed. +ALLOW_UNAVAILABLE=no + +# Local configs +# +LOCAL_SNORT_STARTUP=boot +LOCAL_SNORT_HOME_NET=192.168.0.0/16 +LOCAL_SNORT_INTERFACE= +LOCAL_SNORT_STATS_RCPT=root +LOCAL_SNORT_STATS_THRESHOLD=1 diff --git a/meta-networking/recipes-connectivity/snort/files/disable-dap-address-space-id.patch b/meta-networking/recipes-connectivity/snort/files/disable-dap-address-space-id.patch new file mode 100644 index 000