Add snort package, with experimental -custom package for build-time package customizations

git-svn-id: svn://svn.openwrt.org/openwrt/trunk/openwrt@667 3c298f89-4303-0410-b956-a3cf2f4a3e73
master
Nicolas Thill 2005-04-18 06:41:36 +00:00
parent 9754608d27
commit 648a09ca7b
13 changed files with 503 additions and 0 deletions

View File

@ -47,6 +47,7 @@ source "package/radvd/Config.in"
source "package/openswan/Config.in"
source "package/shfs/Config.in"
source "package/asterisk/Config.in"
source "package/snort/Config.in"
comment "Libraries"
source "package/libgcc/Config.in"

View File

@ -51,6 +51,7 @@ package-$(BR2_PACKAGE_SDK) += sdk
package-$(BR2_PACKAGE_SER) += ser
package-$(BR2_PACKAGE_SETSERIAL) += setserial
package-$(BR2_PACKAGE_SHFS) += shfs
package-$(BR2_PACKAGE_SNORT) += snort
package-$(BR2_PACKAGE_SPEEX) += speex
package-$(BR2_PACKAGE_STRACE) += strace
package-$(BR2_PACKAGE_TCPDUMP) += tcpdump
@ -97,6 +98,14 @@ libnet-compile: libpcap-compile
mysql-compile: ncurses-compile zlib-compile
postgresql-compile: zlib-compile
snort-compile: libnet-compile libpcap-compile pcre-compile
ifeq ($(BR2_PACKAGE_SNORT_MYSQL),y)
snort-compile: mysql-compile
endif
ifeq ($(BR2_PACKAGE_SNORT_PGSQL),y)
snort-compile: postgresql-compile
endif
sdk-compile: $(DEV_LIBS_COMPILE)
$(patsubst %,%-prepare,$(package-y) $(package-m) $(package-)): linux-install

63
package/snort/Config.in Normal file
View File

@ -0,0 +1,63 @@
choice
prompt "snort"
tristate
default n
optional
help
A ligthweight Network Intrusion Detection System (NIDS)
http://www.snort.org/
Depends: libnet, libpcap, libpcre
config BR2_PACKAGE_SNORT_BASIC
prompt "snort: without database support"
tristate
select BR2_PACKAGE_LIBNET
select BR2_PACKAGE_LIBPCAP
select BR2_PACKAGE_LIBPCRE
config BR2_PACKAGE_SNORT_MYSQL
prompt "snort-mysql: with MySQL database support"
tristate
select BR2_PACKAGE_LIBNET
select BR2_PACKAGE_LIBPCAP
select BR2_PACKAGE_LIBPCRE
select BR2_PACKAGE_LIBMYSQLCLIENT
config BR2_PACKAGE_SNORT_PGSQL
prompt "snort-pgsql: with PostgreSQL database support"
tristate
select BR2_PACKAGE_LIBNET
select BR2_PACKAGE_LIBPCAP
select BR2_PACKAGE_LIBPCRE
select BR2_PACKAGE_LIBPQ
config BR2_PACKAGE_SNORT_CUSTOM
prompt "snort-custom: customized to your needs"
tristate
select BR2_PACKAGE_LIBNET
select BR2_PACKAGE_LIBPCAP
select BR2_PACKAGE_LIBPCRE
config BR2_PACKAGE_SNORT_WITH_MYSQL
prompt "MySQL database support"
bool
default y
depends BR2_PACKAGE_SNORT_CUSTOM
select BR2_PACKAGE_LIBMYSQLCLIENT
config BR2_PACKAGE_SNORT_WITH_PGSQL
prompt "PostgreSQL database support"
bool
default y
depends BR2_PACKAGE_SNORT_CUSTOM
select BR2_PACKAGE_LIBPQ
endchoice
config BR2_PACKAGE_SNORT
tristate
default BR2_PACKAGE_SNORT_BASIC || BR2_PACKAGE_SNORT_MYSQL || BR2_PACKAGE_SNORT_PGSQL

149
package/snort/Makefile Normal file
View File

@ -0,0 +1,149 @@
# $Id$
include $(TOPDIR)/rules.mk
PKG_NAME:=snort
PKG_VERSION:=2.3.2
PKG_RELEASE:=1
PKG_MD5SUM:=692602827ce9d1a611630149f8e50ec8
PKG_SOURCE_URL:= \
http://www.snort.org/dl/current/ \
http://nthill.free.fr/openwrt/sources/$(PKG_NAME)/
PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
PKG_CAT:=zcat
PKG_BUILD_DIR:=$(BUILD_DIR)/$(PKG_NAME)-$(PKG_VERSION)
PKG_INSTALL_DIR:=$(PKG_BUILD_DIR)/ipkg-install
include $(TOPDIR)/package/templates.mk
PKG_CONFIGURE_OPTS := \
--target=$(GNU_TARGET_NAME) \
--host=$(GNU_TARGET_NAME) \
--build=$(GNU_HOST_NAME) \
--program-prefix="" \
--program-suffix="" \
--prefix=/usr \
--exec-prefix=/usr \
--bindir=/usr/sbin \
--datadir=/usr/share \
--includedir=/usr/include \
--infodir=/usr/share/info \
--libdir=/usr/lib \
--libexecdir=/usr/lib/locate \
--localstatedir=/var/lib \
--mandir=/usr/share/man \
--sbindir=/usr/sbin \
--sysconfdir=/etc \
$(DISABLE_LARGEFILE) \
$(DISABLE_NLS) \
--enable-shared \
--disable-static \
--enable-flexresp \
--disable-smbalerts \
--with-libnet-includes="$(STAGING_DIR)/usr/include" \
--with-libnet-libraries="$(STAGING_DIR)/usr/lib" \
--with-libpcap-includes="$(STAGING_DIR)/usr/include" \
--with-libpcap-libraries="$(STAGING_DIR)/usr/lib" \
--with-libpcre-includes="$(STAGING_DIR)/usr/include" \
--with-libpcre-libraries="$(STAGING_DIR)/usr/lib" \
--without-odbc \
--without-openssl \
--without-oracle \
--without-snmp \
SNORT_BASIC_CONFIGURE_OPTS := \
--without-mysql \
--without-postgresql \
SNORT_MYSQL_CONFIGURE_OPTS := \
--with-mysql=$(STAGING_DIR)/usr \
--without-postgresql \
SNORT_PGSQL_CONFIGURE_OPTS := \
--without-mysql \
--with-postgresql=$(STAGING_DIR)/usr \
SNORT_CUSTOM_CONFIGURE_OPTS := \
ifeq ($(BR2_PACKAGE_SNORT_WITH_MYSQL),y)
SNORT_CUSTOM_CONFIGURE_OPTS += --with-mysql="$(STAGING_DIR)/usr"
else
SNORT_CUSTOM_CONFIGURE_OPTS += --without-mysql
endif
ifeq ($(BR2_PACKAGE_SNORT_WITH_PGSQL),y)
SNORT_CUSTOM_CONFIGURE_OPTS += --with-postgresql="$(STAGING_DIR)/usr"
else
SNORT_CUSTOM_CONFIGURE_OPTS += --without-postgresql
endif
define PKG_build
ifneq ($(BR2_PACKAGE_$(1)),)
BUILD_TARGETS += $(PKG_BUILD_DIR)/$(2)
endif
$(PKG_BUILD_DIR)/$(2): $(PKG_BUILD_DIR)/.prepared
-$(MAKE) -C $(PKG_BUILD_DIR) distclean
(cd $(PKG_BUILD_DIR); rm -rf config.{cache,status} ; \
$(TARGET_CONFIGURE_OPTS) \
CFLAGS="$(TARGET_CFLAGS)" \
CPPFLAGS="-I$(STAGING_DIR)/usr/include -I$(STAGING_DIR)/usr/include/mysql" \
LDFLAGS="-L$(STAGING_DIR)/usr/lib -L$(STAGING_DIR)/usr/lib/mysql" \
./configure \
$(PKG_CONFIGURE_OPTS) \
$$($(1)_CONFIGURE_OPTS) \
);
$(MAKE) -C $(PKG_BUILD_DIR)
mv $(PKG_BUILD_DIR)/src/snort $(PKG_BUILD_DIR)/$(2)
$(PKG_INSTALL_DIR)/usr/sbin/$(2): $(PKG_BUILD_DIR)/$(2)
install -m0755 $(PKG_BUILD_DIR)/$(2) $(PKG_INSTALL_DIR)/usr/sbin/
$$(IPKG_$(1)): $(PKG_BUILD_DIR)/.installed $(PKG_INSTALL_DIR)/usr/sbin/$(2)
rm -rf $$(IDIR_$(1))
$(SCRIPT_DIR)/make-ipkg-dir.sh $$(IDIR_$(1)) ./ipkg/$(2).control $(3) $(4)
install -m0644 ./ipkg/snort.conffiles $$(IDIR_$(1))/CONTROL/conffiles
install -d -m0755 $$(IDIR_$(1))/etc/default
install -m0644 ./ipkg/snort.default $$(IDIR_$(1))/etc/default/snort
install -d -m0755 $$(IDIR_$(1))/etc/init.d
install -m0755 ./ipkg/snort.init $$(IDIR_$(1))/etc/init.d/snort
install -d -m0755 $$(IDIR_$(1))/etc/snort
install -m0644 $(PKG_BUILD_DIR)/etc/snort.conf $$(IDIR_$(1))/etc/snort/
install -m0644 $(PKG_BUILD_DIR)/etc/classification.config $$(IDIR_$(1))/etc/snort/
install -m0644 $(PKG_BUILD_DIR)/etc/gen-msg.map $$(IDIR_$(1))/etc/snort/
install -m0644 $(PKG_BUILD_DIR)/etc/reference.config $$(IDIR_$(1))/etc/snort/
install -m0644 $(PKG_BUILD_DIR)/etc/sid-msg.map $$(IDIR_$(1))/etc/snort/
install -m0644 $(PKG_BUILD_DIR)/etc/threshold.conf $$(IDIR_$(1))/etc/snort/
install -m0644 $(PKG_BUILD_DIR)/etc/unicode.map $$(IDIR_$(1))/etc/snort/
install -d -m0755 $$(IDIR_$(1))/usr/sbin
cp -fpR $(PKG_INSTALL_DIR)/usr/sbin/$(2) $$(IDIR_$(1))/usr/sbin/snort
$(RSTRIP) $$(IDIR_$(1))
mkdir -p $(PACKAGE_DIR)
$(IPKG_BUILD) $$(IDIR_$(1)) $(PACKAGE_DIR)
endef
$(eval $(call PKG_template,SNORT_BASIC,snort,$(PKG_VERSION)-$(PKG_RELEASE),$(ARCH)))
$(eval $(call PKG_template,SNORT_MYSQL,snort-mysql,$(PKG_VERSION)-$(PKG_RELEASE),$(ARCH)))
$(eval $(call PKG_template,SNORT_PGSQL,snort-pgsql,$(PKG_VERSION)-$(PKG_RELEASE),$(ARCH)))
$(eval $(call PKG_template,SNORT_CUSTOM,snort-custom,$(PKG_VERSION)-$(PKG_RELEASE),$(ARCH)))
$(eval $(call PKG_build,SNORT_BASIC,snort,$(PKG_VERSION)-$(PKG_RELEASE),$(ARCH)))
$(eval $(call PKG_build,SNORT_MYSQL,snort-mysql,$(PKG_VERSION)-$(PKG_RELEASE),$(ARCH)))
$(eval $(call PKG_build,SNORT_PGSQL,snort-pgsql,$(PKG_VERSION)-$(PKG_RELEASE),$(ARCH)))
$(eval $(call PKG_build,SNORT_CUSTOM,snort-custom,$(PKG_VERSION)-$(PKG_RELEASE),$(ARCH)))
include $(TOPDIR)/package/rules.mk
$(PKG_BUILD_DIR)/.built: $(BUILD_TARGETS)
touch $(PKG_BUILD_DIR)/.built
$(PKG_BUILD_DIR)/.installed: $(PKG_BUILD_DIR)/.built
mkdir -p $(PKG_INSTALL_DIR)
$(MAKE) -C $(PKG_BUILD_DIR) \
DESTDIR="$(PKG_INSTALL_DIR)" \
install
touch $(PKG_BUILD_DIR)/.installed

View File

@ -0,0 +1,10 @@
Package: snort
Priority: optional
Section: net
Version: [TBDL]
Architecture: [TBDL]
Maintainer: Nico <nthill@free.fr>
Source: http://nthill.free.fr/openwrt/sources/snort/
Description: a flexible Network Intrusion Detection System (NIDS),
built with custom options
Depends: libnet, libpcap, libpcre

View File

@ -0,0 +1,10 @@
Package: snort-mysql
Priority: optional
Section: net
Version: [TBDL]
Architecture: [TBDL]
Maintainer: Nico <nthill@free.fr>
Source: http://nthill.free.fr/openwrt/sources/snort/
Description: a flexible Network Intrusion Detection System (NIDS),
built with MySQL database logging support
Depends: libnet, libpcap, libpcre, libmysqlclient

View File

@ -0,0 +1,10 @@
Package: snort-pgsql
Priority: optional
Section: net
Version: [TBDL]
Architecture: [TBDL]
Maintainer: Nico <nthill@free.fr>
Source: http://nthill.free.fr/openwrt/sources/snort/
Description: a flexible Network Intrusion Detection System (NIDS),
built with PostgreSQL database logging support
Depends: libnet, libpcap, libpcre, libpq

View File

@ -0,0 +1,3 @@
/etc/default/snort
/etc/snort/snort.conf
/etc/snort/threshold.conf

View File

@ -0,0 +1,10 @@
Package: snort
Priority: optional
Section: net
Version: [TBDL]
Architecture: [TBDL]
Maintainer: Nico <nthill@free.fr>
Source: http://nthill.free.fr/openwrt/sources/snort/
Description: a flexible Network Intrusion Detection System (NIDS),
built without database logging support
Depends: libnet, libpcap, libpcre

View File

@ -0,0 +1,2 @@
INTERFACE="vlan1" # WAN
OPTIONS="-i $INTERFACE -c /etc/snort/snort.conf -D -N -q -s"

View File

@ -0,0 +1,23 @@
#!/bin/sh
DEFAULT=/etc/default/snort
LOG_D=/var/log/snort
RUN_D=/var/run
[ -f $DEFAULT ] && . $DEFAULT
PID_F=$RUN_D/snort_$INTERFACE.pid
case $1 in
start)
[ -d $LOG_D ] || mkdir -p $LOG_D
[ -d $RUN_D ] || mkdir -p $RUN_D
snort $OPTIONS
;;
stop)
[ -f $PID_F ] && kill $(cat $PID_F)
;;
*)
echo "usage: $0 (start|stop)"
exit 1
esac
exit $?

View File

@ -0,0 +1,35 @@
--- snort-2.3.2-orig/src/snort.c 2005-01-13 21:36:20.000000000 +0100
+++ snort-2.3.2-1/src/snort.c 2005-04-04 20:03:34.000000000 +0200
@@ -1949,7 +1949,7 @@
{
struct stat st;
int i;
- char *conf_files[]={"/etc/snort.conf", "./snort.conf", NULL};
+ char *conf_files[]={"/etc/snort/snort.conf", NULL};
char *fname = NULL;
char *home_dir = NULL;
char *rval = NULL;
@@ -1970,23 +1970,6 @@
i++;
}
- /* search for .snortrc in the HOMEDIR */
- if(!rval)
- {
- if((home_dir = getenv("HOME")))
- {
- /* create the full path */
- fname = (char *)malloc(strlen(home_dir) + strlen("/.snortrc") + 1);
- if(!fname)
- FatalError("Out of memory searching for config file\n");
-
- if(stat(fname, &st) != -1)
- rval = fname;
- else
- free(fname);
- }
- }
-
return rval;
}

View File

@ -0,0 +1,178 @@
--- snort-2.3.2-orig/etc/snort.conf 2005-03-10 23:04:38.000000000 +0100
+++ snort-2.3.2-1/etc/snort.conf 2005-04-04 20:01:41.000000000 +0200
@@ -6,6 +6,7 @@
#
###################################################
# This file contains a sample snort configuration.
+# Most preprocessors and rules were disabled to save memory.
# You can take the following steps to create your own custom configuration:
#
# 1) Set the network variables for your network
@@ -41,10 +42,10 @@
# or you can specify the variable to be any IP address
# like this:
-var HOME_NET any
+var HOME_NET 192.168.1.0/24
# Set up the external network addresses as well. A good start may be "any"
-var EXTERNAL_NET any
+var EXTERNAL_NET !$HOME_NET
# Configure your server lists. This allows snort to only look for attacks to
# systems that have a service up. Why look for HTTP attacks if you are not
@@ -106,7 +107,7 @@
# Path to your rules files (this can be a relative path)
# Note for Windows users: You are advised to make this an absolute path,
# such as: c:\snort\rules
-var RULE_PATH ../rules
+var RULE_PATH /etc/snort/rules
# Configure the snort decoder
# ============================
@@ -297,11 +298,11 @@
# lots of options available here. See doc/README.http_inspect.
# unicode.map should be wherever your snort.conf lives, or given
# a full path to where snort can find it.
-preprocessor http_inspect: global \
- iis_unicode_map unicode.map 1252
+#preprocessor http_inspect: global \
+# iis_unicode_map unicode.map 1252
-preprocessor http_inspect_server: server default \
- profile all ports { 80 8080 8180 } oversize_dir_length 500
+#preprocessor http_inspect_server: server default \
+# profile all ports { 80 8080 8180 } oversize_dir_length 500
#
# Example unique server configuration
@@ -335,7 +336,7 @@
# no_alert_incomplete - don't alert when a single segment
# exceeds the current packet size
-preprocessor rpc_decode: 111 32771
+#preprocessor rpc_decode: 111 32771
# bo: Back Orifice detector
# -------------------------
@@ -347,7 +348,7 @@
# ----- -------------------
# 1 Back Orifice traffic detected
-preprocessor bo
+#preprocessor bo
# telnet_decode: Telnet negotiation string normalizer
# ---------------------------------------------------
@@ -359,7 +360,7 @@
# This preprocessor requires no arguments.
# Portscan uses Generator ID 109 and does not generate any SID currently.
-preprocessor telnet_decode
+#preprocessor telnet_decode
# Flow-Portscan: detect a variety of portscans
# ---------------------------------------
@@ -455,9 +456,9 @@
# are still watched as scanner hosts. The 'ignore_scanned' option is
# used to tune alerts from very active hosts such as syslog servers, etc.
#
-preprocessor sfportscan: proto { all } \
- memcap { 10000000 } \
- sense_level { low }
+#preprocessor sfportscan: proto { all } \
+# memcap { 10000000 } \
+# sense_level { low }
# arpspoof
#----------------------------------------
@@ -642,41 +643,41 @@
include $RULE_PATH/bad-traffic.rules
include $RULE_PATH/exploit.rules
include $RULE_PATH/scan.rules
-include $RULE_PATH/finger.rules
-include $RULE_PATH/ftp.rules
-include $RULE_PATH/telnet.rules
-include $RULE_PATH/rpc.rules
-include $RULE_PATH/rservices.rules
-include $RULE_PATH/dos.rules
-include $RULE_PATH/ddos.rules
-include $RULE_PATH/dns.rules
-include $RULE_PATH/tftp.rules
-
-include $RULE_PATH/web-cgi.rules
-include $RULE_PATH/web-coldfusion.rules
-include $RULE_PATH/web-iis.rules
-include $RULE_PATH/web-frontpage.rules
-include $RULE_PATH/web-misc.rules
-include $RULE_PATH/web-client.rules
-include $RULE_PATH/web-php.rules
-
-include $RULE_PATH/sql.rules
-include $RULE_PATH/x11.rules
-include $RULE_PATH/icmp.rules
-include $RULE_PATH/netbios.rules
-include $RULE_PATH/misc.rules
-include $RULE_PATH/attack-responses.rules
-include $RULE_PATH/oracle.rules
-include $RULE_PATH/mysql.rules
-include $RULE_PATH/snmp.rules
-
-include $RULE_PATH/smtp.rules
-include $RULE_PATH/imap.rules
-include $RULE_PATH/pop2.rules
-include $RULE_PATH/pop3.rules
+#include $RULE_PATH/finger.rules
+#include $RULE_PATH/ftp.rules
+#include $RULE_PATH/telnet.rules
+#include $RULE_PATH/rpc.rules
+#include $RULE_PATH/rservices.rules
+#include $RULE_PATH/dos.rules
+#include $RULE_PATH/ddos.rules
+#include $RULE_PATH/dns.rules
+#include $RULE_PATH/tftp.rules
+
+#include $RULE_PATH/web-cgi.rules
+#include $RULE_PATH/web-coldfusion.rules
+#include $RULE_PATH/web-iis.rules
+#include $RULE_PATH/web-frontpage.rules
+#include $RULE_PATH/web-misc.rules
+#include $RULE_PATH/web-client.rules
+#include $RULE_PATH/web-php.rules
+
+#include $RULE_PATH/sql.rules
+#include $RULE_PATH/x11.rules
+#include $RULE_PATH/icmp.rules
+#include $RULE_PATH/netbios.rules
+#include $RULE_PATH/misc.rules
+#include $RULE_PATH/attack-responses.rules
+#include $RULE_PATH/oracle.rules
+#include $RULE_PATH/mysql.rules
+#include $RULE_PATH/snmp.rules
+
+#include $RULE_PATH/smtp.rules
+#include $RULE_PATH/imap.rules
+#include $RULE_PATH/pop2.rules
+#include $RULE_PATH/pop3.rules
-include $RULE_PATH/nntp.rules
-include $RULE_PATH/other-ids.rules
+#include $RULE_PATH/nntp.rules
+#include $RULE_PATH/other-ids.rules
# include $RULE_PATH/web-attacks.rules
# include $RULE_PATH/backdoor.rules
# include $RULE_PATH/shellcode.rules
@@ -684,11 +685,11 @@
# include $RULE_PATH/porn.rules
# include $RULE_PATH/info.rules
# include $RULE_PATH/icmp-info.rules
- include $RULE_PATH/virus.rules
+# include $RULE_PATH/virus.rules
# include $RULE_PATH/chat.rules
# include $RULE_PATH/multimedia.rules
# include $RULE_PATH/p2p.rules
-include $RULE_PATH/experimental.rules
+#include $RULE_PATH/experimental.rules
# Include any thresholding or suppression commands. See threshold.conf in the
# <snort src>/etc directory for details. Commands don't necessarily need to be