From a382935f837f6a18529793813228cb2731e9d36f Mon Sep 17 00:00:00 2001 From: Slawomir Lis Date: Wed, 28 Dec 2016 10:34:11 +0100 Subject: net-analyzer/suricata: Updated suricata logging and added logrotate file I've also bumped revision number, as there are many changes, and those fixes should finally close bug 602590. Thanks to Vieri for support. Package-Manager: Portage-2.3.3, Repoman-2.3.1 --- net-analyzer/suricata/files/suricata-3.2-conf | 11 +- net-analyzer/suricata/files/suricata-3.2-init | 28 +++-- net-analyzer/suricata/files/suricata-logrotate | 6 + net-analyzer/suricata/metadata.xml | 1 + net-analyzer/suricata/suricata-3.2-r1.ebuild | 161 +++++++++++++++++++++++++ 5 files changed, 189 insertions(+), 18 deletions(-) create mode 100644 net-analyzer/suricata/files/suricata-logrotate create mode 100644 net-analyzer/suricata/suricata-3.2-r1.ebuild (limited to 'net-analyzer/suricata') diff --git a/net-analyzer/suricata/files/suricata-3.2-conf b/net-analyzer/suricata/files/suricata-3.2-conf index d900ade85258..fc6885d25309 100644 --- a/net-analyzer/suricata/files/suricata-3.2-conf +++ b/net-analyzer/suricata/files/suricata-3.2-conf @@ -41,11 +41,6 @@ SURICATA_OPTS="-i eth0" # Log paths listed here will be created by the init script and will override the log path # set in the yaml file, if present. -# SURICATA_LOG_PATH_q0="/var/log/suricata/q0" -# SURICATA_LOG_PATH_q1="/var/log/suricata/q1" -# SURICATA_LOG_PATH="/var/log/suricata" -# SURICATA_LOG_FILE="suricata.log" - -# You can view all the available options you can set with --set -# and check the full config settings in an easily parsable format. -# SURICATA_DUMP=1 +# SURICATA_LOG_FILE_q0="/var/log/suricata/q0/suricata.log" +# SURICATA_LOG_FILE_q1="/var/log/suricata/q1/suricata.log" +# SURICATA_LOG_FILE="/var/log/suricata/suricata.log" diff --git a/net-analyzer/suricata/files/suricata-3.2-init b/net-analyzer/suricata/files/suricata-3.2-init index 3ec6afd68f72..1717dbb32729 100644 --- a/net-analyzer/suricata/files/suricata-3.2-init +++ b/net-analyzer/suricata/files/suricata-3.2-init @@ -12,18 +12,23 @@ if [ -n "${SURICATA}" ] && [ ${SVCNAME} != "suricata" ]; then [ ${#SURICATACONF} -eq 0 ] && SURICATACONF="${SURICATA_DIR}/suricata-${SURICATA}.yaml" || SURICATACONF="${SURICATA_DIR}/${SURICATACONF}" SURICATAPID="/var/run/suricata/suricata.${SURICATA}.pid" eval SURICATAOPTS=\$SURICATA_OPTS_${SURICATAID} - eval SURICATALOGPATH=\$SURICATA_LOG_PATH_${SURICATAID} + eval SURICATALOGPATH=\$SURICATA_LOG_FILE_${SURICATAID} else SURICATACONF=${SURICATA_CONF} [ ${#SURICATACONF} -eq 0 ] && SURICATACONF="${SURICATA_DIR}/suricata.yaml" || SURICATACONF="${SURICATA_DIR}/${SURICATACONF}" SURICATAPID="/var/run/suricata/suricata.pid" SURICATAOPTS=${SURICATA_OPTS} - SURICATALOGPATH=${SURICATA_LOG_PATH} + SURICATALOGPATH=${SURICATA_LOG_FILE} fi [ -e ${SURICATACONF} ] && SURICATAOPTS="${SURICATAOPTS} -c ${SURICATACONF}" -extra_commands="checkconfig" +description="Suricata IDS/IPS" +extra_commands="checkconfig dump" +description_checkconfig="Check config for ${SVCNAME}" +description_dump="List all config values that can be used with --set" extra_started_commands="reload relog" +description_reload="Live rule and config reload" +description_relog="Close and re-open all log files" depend() { need net @@ -41,10 +46,12 @@ checkconfig() { checkpath -d /var/run/suricata fi if [ ${#SURICATALOGPATH} -gt 0 ]; then + SURICATALOGFILE=$( basename ${SURICATA_LOG_FILE} ) + SURICATALOGFILE=${SURICATALOGFILE:-suricata.log} + SURICATALOGPATH=$( dirname ${SURICATALOGPATH} ) if [ ! -d "${SURICATALOGPATH}" ] ; then checkpath -d "${SURICATALOGPATH}" fi - SURICATALOGFILE=${SURICATA_LOG_FILE:-suricata.log} SURICATAOPTS="${SURICATAOPTS} --set logging.outputs.1.file.filename=${SURICATALOGPATH}/${SURICATALOGFILE}" SURICATALOGPATH="-l ${SURICATALOGPATH}" fi @@ -77,12 +84,6 @@ checkpidinfo() { start() { checkconfig || return 1 - if [ $((SURICATA_DUMP)) -eq 1 ]; then - einfo "Dumping ${SVCNAME} config values and quitting." - ${SURICATA_BIN} --dump-config --pidfile ${SURICATAPID} ${SURICATAOPTS} ${SURICATALOGPATH} - einfo "You need to disable SURICATA_DUMP to start ${SVCNAME}." - return 1 - fi ebegin "Starting ${SVCNAME}" start-stop-daemon --start --quiet --exec ${SURICATA_BIN} \ -- --pidfile ${SURICATAPID} -D ${SURICATAOPTS} ${SURICATALOGPATH} >/dev/null 2>&1 @@ -145,3 +146,10 @@ relog() { start-stop-daemon --signal HUP --pidfile ${SURICATAPID} eend $? } + +dump() { + checkconfig || return 1 + ebegin "Dumping ${SVCNAME} config values and quitting." + ${SURICATA_BIN} --dump-config --pidfile ${SURICATAPID} ${SURICATAOPTS} ${SURICATALOGPATH} + eend $? +} diff --git a/net-analyzer/suricata/files/suricata-logrotate b/net-analyzer/suricata/files/suricata-logrotate new file mode 100644 index 000000000000..0dc145ba4162 --- /dev/null +++ b/net-analyzer/suricata/files/suricata-logrotate @@ -0,0 +1,6 @@ +/var/log/suricata/* { + missingok + postrotate + /etc/init.d/suricata reload + endscript +} diff --git a/net-analyzer/suricata/metadata.xml b/net-analyzer/suricata/metadata.xml index e538ae141435..58878c64f05c 100644 --- a/net-analyzer/suricata/metadata.xml +++ b/net-analyzer/suricata/metadata.xml @@ -14,5 +14,6 @@ Enable NFQUEUE support for inline IDP Enable Redis support Install default ruleset + Install logrotate rule diff --git a/net-analyzer/suricata/suricata-3.2-r1.ebuild b/net-analyzer/suricata/suricata-3.2-r1.ebuild new file mode 100644 index 000000000000..816a69d13a89 --- /dev/null +++ b/net-analyzer/suricata/suricata-3.2-r1.ebuild @@ -0,0 +1,161 @@ +# Copyright 1999-2016 Gentoo Foundation +# Distributed under the terms of the GNU General Public License v2 +# $Id$ + +EAPI=5 + +inherit autotools eutils user + +DESCRIPTION="High performance Network IDS, IPS and Network Security Monitoring engine" +HOMEPAGE="http://suricata-ids.org/" +SRC_URI="http://www.openinfosecfoundation.org/download/${P}.tar.gz" + +LICENSE="GPL-2" +SLOT="0" +KEYWORDS="~amd64 ~x86" +IUSE="+af-packet control-socket cuda debug +detection geoip hardened logrotate lua luajit nflog +nfqueue redis +rules test" + +DEPEND=" + >=dev-libs/jansson-2.2 + dev-libs/libpcre + dev-libs/libyaml + net-libs/libnet:* + net-libs/libnfnetlink + dev-libs/nspr + dev-libs/nss + >=net-libs/libhtp-0.5.20 + net-libs/libpcap + sys-apps/file + cuda? ( dev-util/nvidia-cuda-toolkit ) + geoip? ( dev-libs/geoip ) + lua? ( dev-lang/lua:* ) + luajit? ( dev-lang/luajit:* ) + nflog? ( net-libs/libnetfilter_log ) + nfqueue? ( net-libs/libnetfilter_queue ) + redis? ( dev-libs/hiredis ) + logrotate? ( app-admin/logrotate ) +" +# #446814 +# prelude? ( dev-libs/libprelude ) +# pfring? ( sys-process/numactl net-libs/pf_ring) +RDEPEND="${DEPEND}" + +pkg_setup() { + enewgroup ${PN} + enewuser ${PN} -1 -1 /var/lib/${PN} "${PN}" +} + +src_prepare() { + eautoreconf +} + +src_configure() { + local myeconfargs=( + "--localstatedir=/var/" \ + "--enable-non-bundled-htp" \ + $(use_enable af-packet) \ + $(use_enable detection) \ + $(use_enable nfqueue) \ + $(use_enable test coccinelle) \ + $(use_enable test unittests) \ + $(use_enable control-socket unix-socket) + ) + + if use cuda ; then + myeconfargs+=( $(use_enable cuda) ) + fi + if use geoip ; then + myeconfargs+=( $(use_enable geoip) ) + fi + if use hardened ; then + myeconfargs+=( $(use_enable hardened gccprotect) ) + fi + if use nflog ; then + myeconfargs+=( $(use_enable nflog) ) + fi + if use redis ; then + myeconfargs+=( $(use_enable redis hiredis) ) + fi + # not supported yet (no pfring in portage) +# if use pfring ; then +# myeconfargs+=( $(use_enable pfring) ) +# fi + # no libprelude in portage +# if use prelude ; then +# myeconfargs+=( $(use_enable prelude) ) +# fi + if use lua ; then + myeconfargs+=( $(use_enable lua) ) + fi + if use luajit ; then + myeconfargs+=( $(use_enable luajit) ) + fi + +# this should be used when pf_ring use flag support will be added +# LIBS+="-lrt -lnuma" + + # avoid upstream configure script trying to add -march=native to CFLAGS + myeconfargs+=( --enable-gccmarch-native=no ) + + if use debug ; then + myeconfargs+=( $(use_enable debug) ) + # so we can get a backtrace according to "reporting bugs" on upstream web site + CFLAGS="-ggdb -O0" econf LIBS="${LIBS}" ${myeconfargs[@]} + else + econf LIBS="${LIBS}" ${myeconfargs[@]} + fi +} + +src_install() { + emake DESTDIR="${D}" install + + insinto "/etc/${PN}" + doins {classification,reference,threshold}.config suricata.yaml + + if use rules ; then + insinto "/etc/${PN}/rules" + doins rules/*.rules + fi + + dodir "/var/lib/${PN}" + dodir "/var/log/${PN}" + dodir "/var/log/${PN}" \ + "/var/lib/${PN}" + + fowners -R ${PN}: "/var/lib/${PN}" "/var/log/${PN}" "/etc/${PN}" + fperms 750 "/var/lib/${PN}" "/var/log/${PN}" "/etc/${PN}" + + newinitd "${FILESDIR}/${P}-init" ${PN} + newconfd "${FILESDIR}/${P}-conf" ${PN} + + if use logrotate; then + insopts -m0644 + insinto /etc/logrotate.d + newins "${FILESDIR}"/${PN}.logrotate ${PN} + fi +} + +pkg_postinst() { + elog "The ${PN} init script expects to find the path to the configuration" + elog "file as well as extra options in /etc/conf.d." + elog "" + elog "To create more than one ${PN} service, simply create a new .yaml file for it" + elog "then create a symlink to the init script from a link called" + elog "${PN}.foo - like so" + elog " cd /etc/${PN}" + elog " ${EDITOR##*/} suricata-foo.yaml" + elog " cd /etc/init.d" + elog " ln -s ${PN} ${PN}.foo" + elog "Then edit /etc/conf.d/${PN} and make sure you specify sensible options for foo." + elog "" + elog "You can create as many ${PN}.foo* services as you wish." + + if use logrotate; then + elog "You enabled the logrotate USE flag. Please make sure you correctly set up the ${PN} logortate config file in /etc/logrotate.d/." + fi + + if use debug; then + elog "You enabled the debug USE flag. Please read this link to report bugs upstream:" + elog "https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Reporting_Bugs" + fi +} -- cgit v1.2.3-65-gdbad