Re: [update] net/snort 2.9.4.0 and net/daq 2.0.0

[Lawrence Teo]

This DAQ/Snort update is from Markus Lude (maintainer), and also
includes a snort.conf patch from me that Markus has OK'ed.  The
snort.conf patch ensures that Snort will load the latest Snort ruleset
since the rule files have been reorganized by upstream.  It also
excludes local.rules by default, since rule managers like Oinkmaster
skip that file when downloading rules.

In terms of testing, Markus has tested this update on sparc64 and i386.
Rodolfo Gouveia has tested this on 5.2/amd64 with his own snort.conf. I
have tested this on a public Internet-facing i386 system for about a
week without issues, and have also tested it on amd64 in a lab
environment.

I have also tested that pkg_add -u works, and verified LIB_DEPENDS and
WANTLIB with port-lib-depends-check.

I think it's ready to be committed.  Would anyone like to review and
give an OK?

Thank you,
Lawrence
Index: net/daq/Makefile
===
RCS file: /cvs/ports/net/daq/Makefile,v
retrieving revision 1.2
diff -u -p -r1.2 Makefile
--- net/daq/Makefile28 Sep 2012 19:30:55 -  1.2
+++ net/daq/Makefile15 Dec 2012 18:10:29 -
@@ -2,9 +2,9 @@
 
 COMMENT =  data acquisition library for snort
 
-DISTNAME = daq-1.1.1
+DISTNAME = daq-2.0.0
 
-SHARED_LIBS += daq 0.0 # 1.0
+SHARED_LIBS += daq 1.0 # 2.0
 SHARED_LIBS += sfbpf   0.0 # 0.1
 
 CATEGORIES =   net
Index: net/daq/distinfo
===
RCS file: /cvs/ports/net/daq/distinfo,v
retrieving revision 1.1.1.1
diff -u -p -r1.1.1.1 distinfo
--- net/daq/distinfo26 Sep 2012 01:40:32 -  1.1.1.1
+++ net/daq/distinfo15 Dec 2012 18:10:29 -
@@ -1,2 +1,2 @@
-SHA256 (daq-1.1.1.tar.gz) = UPA8rMq7H8oCpWyzyOCrnKJcCwEnEDQu9rJmWRAaHuU=
-SIZE (daq-1.1.1.tar.gz) = 472223
+SHA256 (daq-2.0.0.tar.gz) = +6/I42Kpb8rcaXMfkSA++QhFUHquCkd01cKCXp0sHDg=
+SIZE (daq-2.0.0.tar.gz) = 480030
Index: net/daq/patches/patch-configure
===
RCS file: /cvs/ports/net/daq/patches/patch-configure,v
retrieving revision 1.1.1.1
diff -u -p -r1.1.1.1 patch-configure
--- net/daq/patches/patch-configure 26 Sep 2012 01:40:32 -  1.1.1.1
+++ net/daq/patches/patch-configure 15 Dec 2012 18:10:29 -
@@ -1,7 +1,7 @@
 $OpenBSD: patch-configure,v 1.1.1.1 2012/09/26 01:40:32 lteo Exp $
 configure.orig Tue Jul 10 21:32:51 2012
-+++ configure  Sat Aug 11 17:23:56 2012
-@@ -12727,12 +12727,20 @@ else
+--- configure.orig Mon Nov  5 22:07:56 2012
 configure  Wed Dec 12 23:13:06 2012
+@@ -12784,12 +12784,20 @@ else
  
  #include 
  #include 
Index: net/snort/Makefile
===
RCS file: /cvs/ports/net/snort/Makefile,v
retrieving revision 1.72
diff -u -p -r1.72 Makefile
--- net/snort/Makefile  25 Oct 2012 19:52:16 -  1.72
+++ net/snort/Makefile  15 Dec 2012 18:10:53 -
@@ -4,9 +4,9 @@ SHARED_ONLY =   Yes
 
 COMMENT =  highly flexible sniffer/NIDS
 
-VERSION =  2.9.3.1
-DISTNAME = snort-${VERSION}
-REVISION = 0
+VERSION =  2.9.4.0
+DISTNAME = snort-2.9.4
+PKGNAME =  snort-${VERSION}
 
 CATEGORIES =   net security
 
@@ -20,7 +20,7 @@ PERMIT_PACKAGE_FTP =  Yes
 PERMIT_DISTFILES_CDROM = Yes
 PERMIT_DISTFILES_FTP = Yes
 
-WANTLIB =  c daq dnet m pcap pcre pthread z
+WANTLIB =  c crypto daq dnet m pcap pcre pthread z
 
 MASTER_SITES = http://www.snort.org/dl/snort-current/
 
@@ -31,7 +31,6 @@ SEPARATE_BUILD =  Yes
 CONFIGURE_STYLE =  gnu
 CONFIGURE_ARGS +=  ${CONFIGURE_SHARED} \
--disable-static-daq
-CONFIGURE_ENV= MKDIR_P="/bin/mkdir -p"
 
 LIB_DEPENDS =  devel/pcre \
net/libdnet \
Index: net/snort/distinfo
===
RCS file: /cvs/ports/net/snort/distinfo,v
retrieving revision 1.20
diff -u -p -r1.20 distinfo
--- net/snort/distinfo  26 Sep 2012 02:11:05 -  1.20
+++ net/snort/distinfo  15 Dec 2012 18:10:53 -
@@ -1,2 +1,2 @@
-SHA256 (snort-2.9.3.1.tar.gz) = sbIVTfVMW7b4GqmeLGyAgSiDmcAJSYO4/6Oy7lQsvlA=
-SIZE (snort-2.9.3.1.tar.gz) = 5295237
+SHA256 (snort-2.9.4.tar.gz) = QgKuD2ZqU0jGJEdqRUPx0FmnCZjesNytq2hlzWukmbU=
+SIZE (snort-2.9.4.tar.gz) = 5289321
Index: net/snort/patches/patch-etc_snort_conf
===
RCS file: /cvs/ports/net/snort/patches/patch-etc_snort_conf,v
retrieving revision 1.7
diff -u -p -r1.7 patch-etc_snort_conf
--- net/snort/patches/patch-etc_snort_conf  11 Oct 2012 02:40:48 -  
1.7
+++ net/snort/patches/patch-etc_snort_conf  11 Jan 2013 04:43:52 -
@@ -2,8 +2,11 @@ $OpenBSD: patch-etc_snort_conf,v 1.7 201
 
 reputation preprocessor d

Re: [update] net/snort 2.9.4.0 and net/daq 2.0.0

[Lawrence Teo]

On Wed, Jan 09, 2013 at 11:01:59PM +0100, Markus Lude wrote:
> On Tue, Jan 08, 2013 at 11:05:27PM -0500, Lawrence Teo wrote:
> > I have tested both diffs and here are my comments.  The Snort rule
> > categories are going through a reorganization (please see
> > http://blog.snort.org/2012/10/rule-category-reorganization-phase-3.html)
> > where a lot of rules have moved to new files.
> > 
> > During this transition, some old rule files are now empty; for example,
> > web-iis.rules now has no rules because most of them have been moved to
> > the new server-iis.rules file.
> > 
> > I have added a patch to your snort-2.9.4.0 diff so that snort.conf will
> > include the new rule filenames.  While there, I have also sync'ed a few
> > parts of snort.conf with the snort.conf in the Dec 6, 2012 Snort ruleset
> > (the latest ruleset I have access to) to make them consistent.  Apart
> > from that, everything remains the same.  I have made no changes to your
> > daq-2.0.0.diff.
>  
> The (not your) changes in snort.conf are a mess. Sometimes stuff is
> forgotten for a release, old stuff seems to creep in again, ...

Yes, I have seen old stuff creep in in past rulesets. :) Since trying to
sync with the ruleset's snort.conf is like chasing a moving target, I
have removed those changes and just added lines to include the new rule
filenames.

> I'm ok with adding the new rule files names.

Great, I have made sure the include lines are there in
patch-etc_snort_conf.

> I received a mail noting that neither the snort package nor the VRT rule
> set does come with an (even empty) local.rules. So I think we should
> comment out the line
> 
> include $RULE_PATH/local.rules
> 
> in snort.conf.

A local.rules file does exist in the VRT ruleset:

$ tar tzvf snortrules-snapshot-2940.tar.gz *local.rules 
-rw-r--r--  1 1210 1210   135 Dec  6 12:27 rules/local.rules

It just has some comments in it and doesn't have any rules, so it's
effectively empty.

Could it be that the person who sent you the mail used a rule manager
like Oinkmaster or PulledPork to download the rules?  If yes, it looks
like both of those programs skip local.rules by default, which makes
sense.  Our own Oinkmaster port skips local.rules as well.  Because of
that I think commenting out the local.rules line is the right thing to
do, so I have done that in patch-etc_snort_conf.

Attached is the updated snort-2.9.4.0e.diff which has the revised
patch-etc_snort_conf file, but everything else remains the same.

I have also attached your original daq-2.0.0.diff again for the
convenience of anyone who would like to review/test.

Comments? OK?

Thanks,
Lawrence
Index: net/daq/Makefile
===
RCS file: /cvs/ports/net/daq/Makefile,v
retrieving revision 1.2
diff -u -p -r1.2 Makefile
--- net/daq/Makefile28 Sep 2012 19:30:55 -  1.2
+++ net/daq/Makefile15 Dec 2012 18:10:29 -
@@ -2,9 +2,9 @@
 
 COMMENT =  data acquisition library for snort
 
-DISTNAME = daq-1.1.1
+DISTNAME = daq-2.0.0
 
-SHARED_LIBS += daq 0.0 # 1.0
+SHARED_LIBS += daq 1.0 # 2.0
 SHARED_LIBS += sfbpf   0.0 # 0.1
 
 CATEGORIES =   net
Index: net/daq/distinfo
===
RCS file: /cvs/ports/net/daq/distinfo,v
retrieving revision 1.1.1.1
diff -u -p -r1.1.1.1 distinfo
--- net/daq/distinfo26 Sep 2012 01:40:32 -  1.1.1.1
+++ net/daq/distinfo15 Dec 2012 18:10:29 -
@@ -1,2 +1,2 @@
-SHA256 (daq-1.1.1.tar.gz) = UPA8rMq7H8oCpWyzyOCrnKJcCwEnEDQu9rJmWRAaHuU=
-SIZE (daq-1.1.1.tar.gz) = 472223
+SHA256 (daq-2.0.0.tar.gz) = +6/I42Kpb8rcaXMfkSA++QhFUHquCkd01cKCXp0sHDg=
+SIZE (daq-2.0.0.tar.gz) = 480030
Index: net/daq/patches/patch-configure
===
RCS file: /cvs/ports/net/daq/patches/patch-configure,v
retrieving revision 1.1.1.1
diff -u -p -r1.1.1.1 patch-configure
--- net/daq/patches/patch-configure 26 Sep 2012 01:40:32 -  1.1.1.1
+++ net/daq/patches/patch-configure 15 Dec 2012 18:10:29 -
@@ -1,7 +1,7 @@
 $OpenBSD: patch-configure,v 1.1.1.1 2012/09/26 01:40:32 lteo Exp $
 configure.orig Tue Jul 10 21:32:51 2012
-+++ configure  Sat Aug 11 17:23:56 2012
-@@ -12727,12 +12727,20 @@ else
+--- configure.orig Mon Nov  5 22:07:56 2012
 configure  Wed Dec 12 23:13:06 2012
+@@ -12784,12 +12784,20 @@ else
  
  #include 
  #include 
Index: net/snort/Makefile
===
RCS file: /cvs/ports/net/snort/Makefile,v
retrieving revision 1.72
diff -u -p -r1.72 Makefile
--- net/snort/Makefile  25 Oct 2012 19:52:16 -  1.72
+++ net/snort/Makefile  15 Dec 2012 18:10:53 -
@@ -4,9 +4,9 @@ SHARED_ONLY =   Yes
 
 COMMENT =  highly flexible sniffer/NIDS
 
-VERSION =  2.9.3.1
-DISTNAME = snort-${VERSION}
-REVISI

Re: [update] net/snort 2.9.4.0 and net/daq 2.0.0

[Markus Lude]

On Tue, Jan 08, 2013 at 11:05:27PM -0500, Lawrence Teo wrote:
> On Sat, Dec 15, 2012 at 07:20:53PM +0100, Markus Lude wrote:
> > Hello,
> > 
> > attached are updates of daq to version 2.0.0 and snort to version
> > 2.9.4.0. Build on i386 and sparc64 works. Been running it on sparc64 for
> > two days with low traffic.
> > 
> > Please test, comment.
> 
> Hi Markus,
> 
> Thank you for the update!
> 
> I have tested both diffs and here are my comments.  The Snort rule
> categories are going through a reorganization (please see
> http://blog.snort.org/2012/10/rule-category-reorganization-phase-3.html)
> where a lot of rules have moved to new files.
> 
> During this transition, some old rule files are now empty; for example,
> web-iis.rules now has no rules because most of them have been moved to
> the new server-iis.rules file.
> 
> I have added a patch to your snort-2.9.4.0 diff so that snort.conf will
> include the new rule filenames.  While there, I have also sync'ed a few
> parts of snort.conf with the snort.conf in the Dec 6, 2012 Snort ruleset
> (the latest ruleset I have access to) to make them consistent.  Apart
> from that, everything remains the same.  I have made no changes to your
> daq-2.0.0.diff.
 
The (not your) changes in snort.conf are a mess. Sometimes stuff is
forgotten for a release, old stuff seems to creep in again, ...

I'm ok with adding the new rule files names.

I received a mail noting that neither the snort package nor the VRT rule
set does come with an (even empty) local.rules. So I think we should
comment out the line

include $RULE_PATH/local.rules

in snort.conf.

> I have tested the attached snort-2.9.4.0a.diff and daq-2.0.0.diff on
> amd64 and i386 using my simple test procedure described at
> http://lteo.net/blog/2012/10/26/an-easy-way-to-test-your-snort-rules/
> and it works as expected.

Thanks!

Regards,
Markus

Re: [update] net/snort 2.9.4.0 and net/daq 2.0.0

[Rodolfo Gouveia]

On Sat, Dec 15, 2012 at 07:20:53PM +0100, Markus Lude wrote:
> Hello,
> 
> attached are updates of daq to version 2.0.0 and snort to version
> 2.9.4.0. Build on i386 and sparc64 works. Been running it on sparc64 for
> two days with low traffic.

Upgraded it from 2.9.3 and running it under amd64 on 5.2 without any issues.
Note that I'm not using the rc.d script or the snort.conf included as my
setup was already customized before the port.

cheers,
--rodolfo

Re: [update] net/snort 2.9.4.0 and net/daq 2.0.0

[Lawrence Teo]

On Sat, Dec 15, 2012 at 07:20:53PM +0100, Markus Lude wrote:
> Hello,
> 
> attached are updates of daq to version 2.0.0 and snort to version
> 2.9.4.0. Build on i386 and sparc64 works. Been running it on sparc64 for
> two days with low traffic.
> 
> Please test, comment.

Hi Markus,

Thank you for the update!

I have tested both diffs and here are my comments.  The Snort rule
categories are going through a reorganization (please see
http://blog.snort.org/2012/10/rule-category-reorganization-phase-3.html)
where a lot of rules have moved to new files.

During this transition, some old rule files are now empty; for example,
web-iis.rules now has no rules because most of them have been moved to
the new server-iis.rules file.

I have added a patch to your snort-2.9.4.0 diff so that snort.conf will
include the new rule filenames.  While there, I have also sync'ed a few
parts of snort.conf with the snort.conf in the Dec 6, 2012 Snort ruleset
(the latest ruleset I have access to) to make them consistent.  Apart
from that, everything remains the same.  I have made no changes to your
daq-2.0.0.diff.

I have tested the attached snort-2.9.4.0a.diff and daq-2.0.0.diff on
amd64 and i386 using my simple test procedure described at
http://lteo.net/blog/2012/10/26/an-easy-way-to-test-your-snort-rules/
and it works as expected.

Thoughts? OK?

Thanks,
Lawrence
Index: net/daq/Makefile
===
RCS file: /cvs/ports/net/daq/Makefile,v
retrieving revision 1.2
diff -u -p -r1.2 Makefile
--- net/daq/Makefile28 Sep 2012 19:30:55 -  1.2
+++ net/daq/Makefile15 Dec 2012 18:10:29 -
@@ -2,9 +2,9 @@
 
 COMMENT =  data acquisition library for snort
 
-DISTNAME = daq-1.1.1
+DISTNAME = daq-2.0.0
 
-SHARED_LIBS += daq 0.0 # 1.0
+SHARED_LIBS += daq 1.0 # 2.0
 SHARED_LIBS += sfbpf   0.0 # 0.1
 
 CATEGORIES =   net
Index: net/daq/distinfo
===
RCS file: /cvs/ports/net/daq/distinfo,v
retrieving revision 1.1.1.1
diff -u -p -r1.1.1.1 distinfo
--- net/daq/distinfo26 Sep 2012 01:40:32 -  1.1.1.1
+++ net/daq/distinfo15 Dec 2012 18:10:29 -
@@ -1,2 +1,2 @@
-SHA256 (daq-1.1.1.tar.gz) = UPA8rMq7H8oCpWyzyOCrnKJcCwEnEDQu9rJmWRAaHuU=
-SIZE (daq-1.1.1.tar.gz) = 472223
+SHA256 (daq-2.0.0.tar.gz) = +6/I42Kpb8rcaXMfkSA++QhFUHquCkd01cKCXp0sHDg=
+SIZE (daq-2.0.0.tar.gz) = 480030
Index: net/daq/patches/patch-configure
===
RCS file: /cvs/ports/net/daq/patches/patch-configure,v
retrieving revision 1.1.1.1
diff -u -p -r1.1.1.1 patch-configure
--- net/daq/patches/patch-configure 26 Sep 2012 01:40:32 -  1.1.1.1
+++ net/daq/patches/patch-configure 15 Dec 2012 18:10:29 -
@@ -1,7 +1,7 @@
 $OpenBSD: patch-configure,v 1.1.1.1 2012/09/26 01:40:32 lteo Exp $
 configure.orig Tue Jul 10 21:32:51 2012
-+++ configure  Sat Aug 11 17:23:56 2012
-@@ -12727,12 +12727,20 @@ else
+--- configure.orig Mon Nov  5 22:07:56 2012
 configure  Wed Dec 12 23:13:06 2012
+@@ -12784,12 +12784,20 @@ else
  
  #include 
  #include 
Index: net/snort/Makefile
===
RCS file: /cvs/ports/net/snort/Makefile,v
retrieving revision 1.72
diff -u -p -r1.72 Makefile
--- net/snort/Makefile  25 Oct 2012 19:52:16 -  1.72
+++ net/snort/Makefile  15 Dec 2012 18:10:53 -
@@ -4,9 +4,9 @@ SHARED_ONLY =   Yes
 
 COMMENT =  highly flexible sniffer/NIDS
 
-VERSION =  2.9.3.1
-DISTNAME = snort-${VERSION}
-REVISION = 0
+VERSION =  2.9.4.0
+DISTNAME = snort-2.9.4
+PKGNAME =  snort-${VERSION}
 
 CATEGORIES =   net security
 
@@ -20,7 +20,7 @@ PERMIT_PACKAGE_FTP =  Yes
 PERMIT_DISTFILES_CDROM = Yes
 PERMIT_DISTFILES_FTP = Yes
 
-WANTLIB =  c daq dnet m pcap pcre pthread z
+WANTLIB =  c crypto daq dnet m pcap pcre pthread z
 
 MASTER_SITES = http://www.snort.org/dl/snort-current/
 
@@ -31,7 +31,6 @@ SEPARATE_BUILD =  Yes
 CONFIGURE_STYLE =  gnu
 CONFIGURE_ARGS +=  ${CONFIGURE_SHARED} \
--disable-static-daq
-CONFIGURE_ENV= MKDIR_P="/bin/mkdir -p"
 
 LIB_DEPENDS =  devel/pcre \
net/libdnet \
Index: net/snort/distinfo
===
RCS file: /cvs/ports/net/snort/distinfo,v
retrieving revision 1.20
diff -u -p -r1.20 distinfo
--- net/snort/distinfo  26 Sep 2012 02:11:05 -  1.20
+++ net/snort/distinfo  15 Dec 2012 18:10:53 -
@@ -1,2 +1,2 @@
-SHA256 (snort-2.9.3.1.tar.gz) = sbIVTfVMW7b4GqmeLGyAgSiDmcAJSYO4/6Oy7lQsvlA=
-SIZE (snort-2.9.3.1.tar.gz) = 5295237
+SHA256 (snort-2.9.4.tar.gz) = QgKuD2ZqU0jGJEdqRUPx0FmnCZjesNytq2hlzWukmbU=
+SIZE (snort-2.9.4.tar.gz) = 52