Update: Suricata 7.0.4 + fixes
Here's an update to Suricata 7.0.4, based on gonzalo's update
recently posted to ports@. After discussion with gonzalo@ and
sthen@, I'm adding myself as co-maintainer.
In addition to the version update, this fixes the following issues:
The package README recommends suricata-update, but the default config is
overridden to not use suricata-update. Stop overriding the default
config, so that the way recommended by the package README does not require
modifying suricata.yaml.
Run SUBST_CMD on suricata.yaml.in to fix the ${LOCALSTATEDIR}
remaining in default installed configuration.
suricata-update downloads to /var/lib/suricata instead of
/var/suricata by default, despite the local patches. Not sure yet
how to fix that easily, so updated package README to specify -D
flag so it updates the correct place. I checked OpenBSD 7.4
(Suricata 6.0.12) and suricata-update also defaulted to
/var/lib/suricata there.
Remove now unnecessary patch for suricata/doc/Makefile.in. Remove
a couple unnecessary files in SUBST_CMD as well.
Fix README to not recommend restarting suricata twice after updating
the rules with suricata-update (once in the suricata-update section
and once in the "After updating rules" section).
Index: Makefile
===================================================================
RCS file: /cvs/ports/security/suricata/Makefile,v
retrieving revision 1.67
diff -u -p -r1.67 Makefile
--- Makefile 23 Mar 2024 13:26:40 -0000 1.67
+++ Makefile 25 Mar 2024 20:09:24 -0000
@@ -3,9 +3,8 @@ NOT_FOR_ARCHS = powerpc64 riscv64
COMMENT = high performance network IDS, IPS and security monitoring
-SURICATA_V = 7.0.3
-SUPDATE_V = 1.2.8
-REVISION = 1
+SURICATA_V = 7.0.4
+SUPDATE_V = 1.3.2
DISTNAME = suricata-${SURICATA_V}
CATEGORIES = security
@@ -13,7 +12,8 @@ SHARED_LIBS += htp
HOMEPAGE = https://suricata.io/
-MAINTAINER = Gonzalo L. R. <gonzalo@openbsd.org>
+MAINTAINER = Gonzalo L. R. <gonzalo@openbsd.org>, \
+ Jeremy Evans <jeremy@openbsd.org>
# GPLv2
PERMIT_PACKAGE= Yes
@@ -68,8 +68,7 @@ SUBST_VARS = SURICATA_V SUPDATE_V
pre-configure:
${SUBST_CMD} ${WRKSRC}/configure \
- ${WRKSRC}/doc/userguide/Makefile.in \
- ${WRKSRC}/suricata-update/doc/Makefile \
+ ${WRKSRC}/suricata.yaml.in \
${WRKSRC}/suricata-update/suricata/update/config.py \
${WRKSRC}/suricata-update/suricata/update/parsers.py
# prevent generating revision.py
Index: distinfo
===================================================================
RCS file: /cvs/ports/security/suricata/distinfo,v
retrieving revision 1.22
diff -u -p -r1.22 distinfo
--- distinfo 22 Feb 2024 09:49:35 -0000 1.22
+++ distinfo 25 Mar 2024 20:09:24 -0000
@@ -1,2 +1,2 @@
-SHA256 (suricata-7.0.3.tar.gz) = 6gdC16mHg/GvSldmGvYGi8LYUKw+ygSzIE0ozhZeNf8=
-SIZE (suricata-7.0.3.tar.gz) = 23599903
+SHA256 (suricata-7.0.4.tar.gz) = ZABgEgAkvnDb6B9uxu/HLkYlD8s2IZ3/Z+ZBciD/Ibc=
+SIZE (suricata-7.0.4.tar.gz) = 23610769
Index: patches/patch-doc_userguide_Makefile_in
===================================================================
RCS file: patches/patch-doc_userguide_Makefile_in
diff -N patches/patch-doc_userguide_Makefile_in
--- patches/patch-doc_userguide_Makefile_in 16 Nov 2023 18:15:37 -0000 1.7
+++ /dev/null 1 Jan 1970 00:00:00 -0000
@@ -1,8 +0,0 @@
-Index: doc/userguide/Makefile.in
---- doc/userguide/Makefile.in.orig
-+++ doc/userguide/Makefile.in
-@@ -1,3 +1,4 @@
-+
- # Makefile.in generated by automake 1.16.5 from Makefile.am.
- # @configure_input@
-
Index: patches/patch-src_suricata_c
===================================================================
RCS file: /cvs/ports/security/suricata/patches/patch-src_suricata_c,v
retrieving revision 1.14
diff -u -p -r1.14 patch-src_suricata_c
--- patches/patch-src_suricata_c 18 Mar 2024 17:46:37 -0000 1.14
+++ patches/patch-src_suricata_c 25 Mar 2024 20:09:24 -0000
@@ -4,7 +4,7 @@ Suricata uses libcap-ng on Linux and run
Index: src/suricata.c
--- src/suricata.c.orig
+++ src/suricata.c
-@@ -1600,7 +1600,7 @@ static TmEcode ParseCommandLine(int argc, char** argv,
+@@ -1597,7 +1597,7 @@ static TmEcode ParseCommandLine(int argc, char** argv,
return TM_ECODE_FAILED;
#endif /* UNITTESTS */
} else if (strcmp((long_opts[option_index]).name, "user") == 0) {
@@ -13,7 +13,7 @@ Index: src/suricata.c
SCLogError("libcap-ng is required to"
" drop privileges, but it was not compiled into Suricata.");
return TM_ECODE_FAILED;
-@@ -1609,7 +1609,7 @@ static TmEcode ParseCommandLine(int argc, char** argv,
+@@ -1606,7 +1606,7 @@ static TmEcode ParseCommandLine(int argc, char** argv,
suri->do_setuid = TRUE;
#endif /* HAVE_LIBCAP_NG */
} else if (strcmp((long_opts[option_index]).name, "group") == 0) {
@@ -22,10 +22,10 @@ Index: src/suricata.c
SCLogError("libcap-ng is required to"
" drop privileges, but it was not compiled into Suricata.");
return TM_ECODE_FAILED;
-@@ -3036,6 +3036,7 @@ int SuricataMain(int argc, char **argv)
- SystemHugepageSnapshotDestroy(prerun_snap);
- SystemHugepageSnapshotDestroy(postrun_snap);
-
+@@ -3040,6 +3040,7 @@ int SuricataMain(int argc, char **argv)
+ SystemHugepageSnapshotDestroy(prerun_snap);
+ SystemHugepageSnapshotDestroy(postrun_snap);
+ }
+ SCSetUserID(suricata.userid, suricata.groupid);
SCPledge();
SuricataMainLoop(&suricata);
Index: patches/patch-suricata_yaml_in
===================================================================
RCS file: /cvs/ports/security/suricata/patches/patch-suricata_yaml_in,v
retrieving revision 1.20
diff -u -p -r1.20 patch-suricata_yaml_in
--- patches/patch-suricata_yaml_in 22 Feb 2024 09:49:35 -0000 1.20
+++ patches/patch-suricata_yaml_in 25 Mar 2024 20:09:24 -0000
@@ -103,7 +103,7 @@ Index: suricata.yaml.in
# Daemon working directory
# Suricata will change directory to this one if provided
-@@ -2143,14 +2152,38 @@ napatech:
+@@ -2143,14 +2152,36 @@ napatech:
#
hashmode: hash5tuplesorted
@@ -114,34 +114,32 @@ Index: suricata.yaml.in
##
## Configure Suricata to load Suricata-Update managed rules.
##
-+#default-rule-path: ${LOCALSTATEDIR}/suricata/rules
-+#rule-files:
-+# - suricata.rules
-
+-
-default-rule-path: @e_defaultruledir@
-
++default-rule-path: ${LOCALSTATEDIR}/suricata/rules
+ rule-files:
+ - suricata.rules
++
+##
+## Configure Suricata to use basic bundled rules.
+##
-+default-rule-path: @e_sysconfdir@rules
- rule-files:
-- - suricata.rules
-+ - app-layer-events.rules
-+ - decoder-events.rules
-+ - dhcp-events.rules
-+ - dnp3-events.rules
-+ - dns-events.rules
-+ - files.rules
-+ - http-events.rules
-+ - ipsec-events.rules
-+ - kerberos-events.rules
-+ - modbus-events.rules
-+ - nfs-events.rules
-+ - ntp-events.rules
-+ - smb-events.rules
-+ - smtp-events.rules
-+ - stream-events.rules
-+ - tls-events.rules
++#default-rule-path: @e_sysconfdir@rules
++#rule-files:
++# - app-layer-events.rules
++# - decoder-events.rules
++# - dhcp-events.rules
++# - dns-events.rules
++# - files.rules
++# - http-events.rules
++# - ipsec-events.rules
++# - kerberos-events.rules
++# - nfs-events.rules
++# - ntp-events.rules
++# - smb-events.rules
++# - smtp-events.rules
++# - stream-events.rules
++# - tls-events.rules
##
## Auxiliary configuration files.
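Review bot: The rewritten commented-out bundled-rules block drops `dnp3-events.rules` and `modbus-events.rules`, both of which the previous version of this patch listed, and neither the hunk nor the submission text says why; if 7.0.4 no longer ships those files that is fine, but it deserves a line in the patch header such as `# dnp3/modbus event rule files are no longer installed in 7.0.4 - confirm against pkg/PLIST`. Separately, with `default-rule-path: ${LOCALSTATEDIR}/suricata/rules` and `rule-files: - suricata.rules` now the active default, a freshly installed host that has not yet run suricata-update starts with no suricata.rules present; it would help to state in the patch header or README whether Suricata treats that as a warning or refuses to start, so a first boot without rules behaves as documented. The `${LOCALSTATEDIR}` token in the new active block depends on the SUBST_CMD addition in the Makefile hunk; without it the installed configuration keeps the literal string, as the submission itself notes.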
Index: pkg/README
===================================================================
RCS file: /cvs/ports/security/suricata/pkg/README,v
retrieving revision 1.11
diff -u -p -r1.11 README
--- pkg/README 17 Dec 2023 15:29:06 -0000 1.11
+++ pkg/README 25 Mar 2024 20:09:24 -0000
@@ -23,18 +23,10 @@ and quicker to use one of the available
suricata-update
---------------
suricata-update is the recommended way to install and update rules.
-By default it will download the new rules into ${LOCALSTATEDIR}/suricata/rules
+Run it with the -D flag to download the rules to the directory
+suricata expects (${LOCALSTATEDIR}/suricata/rules):
-Edit ${SYSCONFDIR}/suricata/suricata.yaml and replace the existing
-default-rule-path and rule-files sections with this:
-
- default-rule-path: ${LOCALSTATEDIR}/suricata/rules/
- rule-files:
- - suricata.rules
-
-And restart Suricata:
-
-# rcctl restart suricata
+# suricata-update -D ${LOCALSTATEDIR}/suricata
Oinkmaster
----------
@@ -55,6 +47,10 @@ And you can download as follow:
# cd /etc && oinkmaster -C ${SYSCONFDIR}/oinkmaster.conf \
-o ${SYSCONFDIR}/suricata/rules
+
+Edit ${SYSCONFDIR}/suricata/suricata.yaml, comment out the default
+default-rule-path section and uncomment the commented out
+default-rule-path section.
After updating rules
--------------------