Update: Suricata 7.0.4 + fixes
On 03/26 09:38, Stuart Henderson wrote:
> On 2024/03/25 20:16, Jeremy Evans wrote:
> > Here's an update to Suricata 7.0.4, based on gonzalo's update
> > recently posted to ports@. After discussion with gonzalo@ and
> > sthen@, I'm adding myself as co-maintainer.
> >
> > In addition to the version update, this fixes the following issues:
> >
> > Package README recommends suricata-update, but default config is
> > overridden to not use suricata-update. Stop overriding default
> > config, so way recommended by package README does not require
> > suricata.yaml modification.
> >
> > Run SUBST_CMD on suricata.yaml.in to fix the ${LOCALSTATEDIR}
> > remaining in default installed configuration.
> >
> > suricata-update downloads to /var/lib/suricata instead of
> > /var/suricata by default, despite the local patches. Not sure yet
> > how to fix that easily, so updated package README to specify -D
> > flag so it updates the correct place. I checked OpenBSD 7.4
> > (Suricata 6.0.12) and suricata-update also defaulted to
> > /var/lib/suricata there.
> >
> > Remove now unnecessary patch for suricata/doc/Makefile.in. Remove
> > a couple unnecessary files in SUBST_CMD as well.
>
> OK.
>
> Some other possible tweaks:
>
> ${WRKSRC}/configure can be dropped from SUBST_CMD too.
I made that change.
> AUTOMAKE_VERSION is set but does nothing (the port does not use a
> CONFIGURE_STYLE which depends on automake) so probably better removed.
> Alternatively as e_rundir is only used to set the default pid path in
> suricata.yaml, that could be patched in suricata.yaml.in and avoid the
> need to re-run autoconf completely (-> CONFIGURE_STYLE=gnu and drop
> both AUTO*_VERSION lines).
I updated suricata.yaml.in to replace all of the autoconf related code
with make variables that will be updated by SUBST_CMD. I found that
suricata does not like our /etc/magic file, so I left that commented
out.
I found that autoconf is used by the build system. I made a few
attempts at patching it out, but was unsuccessful. So I left that in.
Here's a revised diff. I plan to commit this tomorrow unless I hear
objections.
Thanks,
Jeremy
Index: Makefile
===================================================================
RCS file: /cvs/ports/security/suricata/Makefile,v
retrieving revision 1.67
diff -u -p -r1.67 Makefile
--- Makefile 23 Mar 2024 13:26:40 -0000 1.67
+++ Makefile 26 Mar 2024 19:44:49 -0000
@@ -3,9 +3,8 @@ NOT_FOR_ARCHS = powerpc64 riscv64
COMMENT = high performance network IDS, IPS and security monitoring
-SURICATA_V = 7.0.3
-SUPDATE_V = 1.2.8
-REVISION = 1
+SURICATA_V = 7.0.4
+SUPDATE_V = 1.3.2
DISTNAME = suricata-${SURICATA_V}
CATEGORIES = security
@@ -13,7 +12,8 @@ SHARED_LIBS += htp
HOMEPAGE = https://suricata.io/
-MAINTAINER = Gonzalo L. R. <gonzalo@openbsd.org>
+MAINTAINER = Gonzalo L. R. <gonzalo@openbsd.org>, \
+ Jeremy Evans <jeremy@openbsd.org>
# GPLv2
PERMIT_PACKAGE= Yes
@@ -48,7 +48,6 @@ DEBUG_PACKAGES = ${BUILD_PACKAGES}
CONFIGURE_STYLE = autoconf
AUTOCONF_VERSION = 2.71
-AUTOMAKE_VERSION = 1.15
CONFIGURE_ENV = ac_cv_path_HAVE_PDFLATEX= \
ac_cv_path_HAVE_GIT_CMD= \
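Review bot: dropping AUTOMAKE_VERSION on its own is consistent with CONFIGURE_STYLE staying autoconf (nothing in that style needs automake), but the reason autoconf is still required now that suricata.yaml.in no longer depends on configure-time substitution lives only in this mail. A one-line comment above CONFIGURE_STYLE would save the next updater from re-trying the CONFIGURE_STYLE=gnu route suggested earlier in the thread.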
@@ -67,9 +66,7 @@ CONFIGURE_ARGS = --disable-gccmarch-nati
SUBST_VARS = SURICATA_V SUPDATE_V
pre-configure:
- ${SUBST_CMD} ${WRKSRC}/configure \
- ${WRKSRC}/doc/userguide/Makefile.in \
- ${WRKSRC}/suricata-update/doc/Makefile \
+ ${SUBST_CMD} ${WRKSRC}/suricata.yaml.in \
${WRKSRC}/suricata-update/suricata/update/config.py \
${WRKSRC}/suricata-update/suricata/update/parsers.py
# prevent generating revision.py
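Review bot: the ${LOCALSTATEDIR} and ${SYSCONFDIR} references now placed in suricata.yaml.in are not in the SUBST_VARS line shown above (SURICATA_V SUPDATE_V), so this hunk relies on them being among the variables SUBST_CMD substitutes by default. Since pre-configure runs before configure rewrites the remaining @e_...@ tokens, a grep of the generated ${WRKSRC}/suricata.yaml for a leftover '${' or '@e_' after the build is the cheap way to confirm nothing was missed.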
Index: distinfo
===================================================================
RCS file: /cvs/ports/security/suricata/distinfo,v
retrieving revision 1.22
diff -u -p -r1.22 distinfo
--- distinfo 22 Feb 2024 09:49:35 -0000 1.22
+++ distinfo 26 Mar 2024 19:44:49 -0000
@@ -1,2 +1,2 @@
-SHA256 (suricata-7.0.3.tar.gz) = 6gdC16mHg/GvSldmGvYGi8LYUKw+ygSzIE0ozhZeNf8=
-SIZE (suricata-7.0.3.tar.gz) = 23599903
+SHA256 (suricata-7.0.4.tar.gz) = ZABgEgAkvnDb6B9uxu/HLkYlD8s2IZ3/Z+ZBciD/Ibc=
+SIZE (suricata-7.0.4.tar.gz) = 23610769
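Review bot: only the suricata-7.0.4 tarball changes here while the Makefile also bumps SUPDATE_V to 1.3.2; that is fine if suricata-update ships inside the suricata tarball (the ${WRKSRC}/suricata-update/... paths in SUBST_CMD suggest it does), but it is worth confirming that the bundled copy really is 1.3.2 so the version the package advertises matches what gets installed.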
Index: patches/patch-doc_userguide_Makefile_in
===================================================================
RCS file: patches/patch-doc_userguide_Makefile_in
diff -N patches/patch-doc_userguide_Makefile_in
--- patches/patch-doc_userguide_Makefile_in 16 Nov 2023 18:15:37 -0000 1.7
+++ /dev/null 1 Jan 1970 00:00:00 -0000
@@ -1,8 +0,0 @@
-Index: doc/userguide/Makefile.in
---- doc/userguide/Makefile.in.orig
-+++ doc/userguide/Makefile.in
-@@ -1,3 +1,4 @@
-+
- # Makefile.in generated by automake 1.16.5 from Makefile.am.
- # @configure_input@
-
Index: patches/patch-src_suricata_c
===================================================================
RCS file: /cvs/ports/security/suricata/patches/patch-src_suricata_c,v
retrieving revision 1.14
diff -u -p -r1.14 patch-src_suricata_c
--- patches/patch-src_suricata_c 18 Mar 2024 17:46:37 -0000 1.14
+++ patches/patch-src_suricata_c 26 Mar 2024 19:44:49 -0000
@@ -4,7 +4,7 @@ Suricata uses libcap-ng on Linux and run
Index: src/suricata.c
--- src/suricata.c.orig
+++ src/suricata.c
-@@ -1600,7 +1600,7 @@ static TmEcode ParseCommandLine(int argc, char** argv,
+@@ -1597,7 +1597,7 @@ static TmEcode ParseCommandLine(int argc, char** argv,
return TM_ECODE_FAILED;
#endif /* UNITTESTS */
} else if (strcmp((long_opts[option_index]).name, "user") == 0) {
@@ -13,7 +13,7 @@ Index: src/suricata.c
SCLogError("libcap-ng is required to"
" drop privileges, but it was not compiled into Suricata.");
return TM_ECODE_FAILED;
-@@ -1609,7 +1609,7 @@ static TmEcode ParseCommandLine(int argc, char** argv,
+@@ -1606,7 +1606,7 @@ static TmEcode ParseCommandLine(int argc, char** argv,
suri->do_setuid = TRUE;
#endif /* HAVE_LIBCAP_NG */
} else if (strcmp((long_opts[option_index]).name, "group") == 0) {
@@ -22,10 +22,10 @@ Index: src/suricata.c
SCLogError("libcap-ng is required to"
" drop privileges, but it was not compiled into Suricata.");
return TM_ECODE_FAILED;
-@@ -3036,6 +3036,7 @@ int SuricataMain(int argc, char **argv)
- SystemHugepageSnapshotDestroy(prerun_snap);
- SystemHugepageSnapshotDestroy(postrun_snap);
-
+@@ -3040,6 +3040,7 @@ int SuricataMain(int argc, char **argv)
+ SystemHugepageSnapshotDestroy(prerun_snap);
+ SystemHugepageSnapshotDestroy(postrun_snap);
+ }
+ SCSetUserID(suricata.userid, suricata.groupid);
SCPledge();
SuricataMainLoop(&suricata);
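Review bot: the refreshed context for the SCSetUserID(suricata.userid, suricata.groupid) insertion now ends with a closing brace instead of a blank line, i.e. upstream wrapped the two SystemHugepageSnapshotDestroy() calls in a block; confirm the call still lands outside that block and immediately before SCPledge(), since the point of this local patch is that privileges are dropped before the pledge and before SuricataMainLoop() starts.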
Index: patches/patch-suricata_yaml_in
===================================================================
RCS file: /cvs/ports/security/suricata/patches/patch-suricata_yaml_in,v
retrieving revision 1.20
diff -u -p -r1.20 patch-suricata_yaml_in
--- patches/patch-suricata_yaml_in 22 Feb 2024 09:49:35 -0000 1.20
+++ patches/patch-suricata_yaml_in 26 Mar 2024 19:44:49 -0000
@@ -1,15 +1,23 @@
- After reload allow to write log files or use syslog.
- Switch user and group to avoid running as root.
- To remove pid file its directory must be writable by suricata user.
-- Comment-out suricata-update rules and add config for bundled rules
-so the package can be used directly. See pkg-readme for information
-about downloading rules.
+- Avoid need to run autoconf by setting variables which will be
+ modified by SUBST_CMD
Index: suricata.yaml.in
--- suricata.yaml.in.orig
+++ suricata.yaml.in
-@@ -84,6 +84,7 @@ outputs:
+@@ -58,7 +58,7 @@ vars:
+ # The default logging directory. Any log or output file will be
+ # placed here if it's not specified with a full path name. This can be
+ # overridden with the -l command line parameter.
+-default-log-dir: @e_logdir@
++default-log-dir: ${LOCALSTATEDIR}/log/suricata
+
+ # Global stats configuration
+ stats:
+@@ -84,14 +84,16 @@ outputs:
- fast:
enabled: yes
filename: fast.log
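Review bot: the patch header drops the sentence about commenting out suricata-update rules and adding config for bundled rules, yet the patch body still carries the bundled-rules block (now commented out) and the pkg-readme still points at it; keep a line in the header describing that block so the next updater knows why the extra rule-files list exists. The new "Avoid need to run autoconf" line also overstates slightly, since the cover mail says autoconf is still run by the build; "avoid depending on configure-time substitution in suricata.yaml" would be accurate.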
@@ -17,8 +25,10 @@ Index: suricata.yaml.in
append: yes
#filetype: regular # 'regular', 'unix_stream' or 'unix_dgram'
-@@ -92,6 +93,7 @@ outputs:
- enabled: @e_enable_evelog@
+ # Extensible Event Format (nicknamed EVE) event log in JSON format
+ - eve-log:
+- enabled: @e_enable_evelog@
++ enabled: yes
filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
filename: eve.json
+ filemode: 664
@@ -94,16 +104,60 @@ Index: suricata.yaml.in
security:
# if true, prevents process creation from Suricata by calling
-@@ -1227,7 +1236,7 @@ security:
+@@ -1208,13 +1217,11 @@ security:
+ enabled: no
+ directories:
+ #write:
+- # - @e_rundir@
+ # /usr and /etc folders are added to read list to allow
+ # file magic to be used.
+ read:
+ - /usr/
+ - /etc/
+- - @e_sysconfdir@
+
+ lua:
+ # Allow Lua rules. Disabled by default.
+@@ -1227,7 +1234,7 @@ security:
# Default location of the pid file. The pid file is only used in
# daemon mode (start Suricata with -D). If not running in daemon mode
# the --pidfile command line option must be used to create a pid file.
-#pid-file: @e_rundir@suricata.pid
-+pid-file: @e_rundir@suricata.pid
++pid-file: ${LOCALSTATEDIR}/run/suricata/suricata.pid
# Daemon working directory
# Suricata will change directory to this one if provided
-@@ -2143,14 +2152,38 @@ napatech:
+@@ -1295,8 +1302,7 @@ unix-command:
+ #filename: custom.socket
+
+ # Magic file. The extension .mgc is added to the value here.
+-#magic-file: /usr/share/file/magic
++#magic-file: ${SYSCONFDIR}/magic
+-@e_magic_file_comment@magic-file: @e_magic_file@
+
+ # GeoIP2 database file. Specify path and filename of GeoIP2 database
+ # if using rules with "geoip" rule option.
+@@ -1334,8 +1340,8 @@ legacy:
+ exception-policy: auto
+
+ # IP Reputation
+-#reputation-categories-file: @e_sysconfdir@iprep/categories.txt
+-#default-reputation-path: @e_sysconfdir@iprep
++#reputation-categories-file: ${SYSCONFDIR}/suricata/iprep/categories.txt
++#default-reputation-path: ${SYSCONFDIR}/suricata/iprep
+ #reputation-files:
+ # - reputation.list
+
+@@ -1813,7 +1819,7 @@ profiling:
+ limit: 10
+
+ # output to json
+- json: @e_enable_evelog@
++ json: true
+
+ # per keyword profiling
+ keywords:
+@@ -2143,22 +2149,44 @@ napatech:
#
hashmode: hash5tuplesorted
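Review bot: the inner patch for magic-file is ordered remove, add, remove (drop the upstream default, add the ${SYSCONFDIR}/magic line, then drop the @e_magic_file_comment@ line); patch(1) accepts that and the 8/7 line counts check out, but regenerating the hunk so both removals precede the addition would read more naturally. On the substance, the upstream comment directly above says ".mgc is added to the value", so it expects a compiled magic database, while ${SYSCONFDIR}/magic on OpenBSD is the plain-text source; that matches the "does not like our /etc/magic" observation in the cover mail, and a short comment on the commented-out line would stop users from uncommenting it and hitting the same failure. Dropping "- @e_sysconfdir@" from the landlock read list is fine here because /etc/ is already listed two lines above.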
@@ -114,34 +168,43 @@ Index: suricata.yaml.in
##
## Configure Suricata to load Suricata-Update managed rules.
##
-+#default-rule-path: ${LOCALSTATEDIR}/suricata/rules
-+#rule-files:
-+# - suricata.rules
-
+-
-default-rule-path: @e_defaultruledir@
-
-+##
-+## Configure Suricata to use basic bundled rules.
-+##
-+default-rule-path: @e_sysconfdir@rules
++default-rule-path: ${LOCALSTATEDIR}/suricata/rules
rule-files:
-- - suricata.rules
-+ - app-layer-events.rules
-+ - decoder-events.rules
-+ - dhcp-events.rules
-+ - dnp3-events.rules
-+ - dns-events.rules
-+ - files.rules
-+ - http-events.rules
-+ - ipsec-events.rules
-+ - kerberos-events.rules
-+ - modbus-events.rules
-+ - nfs-events.rules
-+ - ntp-events.rules
-+ - smb-events.rules
-+ - smtp-events.rules
-+ - stream-events.rules
-+ - tls-events.rules
+ - suricata.rules
##
++## Configure Suricata to use basic bundled rules.
++##
++#default-rule-path: ${SYSCONFDIR}/suricata/rules
++#rule-files:
++# - app-layer-events.rules
++# - decoder-events.rules
++# - dhcp-events.rules
++# - dns-events.rules
++# - files.rules
++# - http-events.rules
++# - ipsec-events.rules
++# - kerberos-events.rules
++# - nfs-events.rules
++# - ntp-events.rules
++# - smb-events.rules
++# - smtp-events.rules
++# - stream-events.rules
++# - tls-events.rules
++
++##
## Auxiliary configuration files.
+ ##
+
+-classification-file: @e_sysconfdir@classification.config
+-reference-config-file: @e_sysconfdir@reference.config
+-# threshold-file: @e_sysconfdir@threshold.config
++classification-file: ${SYSCONFDIR}/suricata/classification.config
++reference-config-file: ${SYSCONFDIR}/suricata/reference.config
++# threshold-file: ${SYSCONFDIR}/suricata/threshold.config
+
+ ##
+ ## Include other configs
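Review bot: with default-rule-path now ${LOCALSTATEDIR}/suricata/rules and rule-files set to suricata.rules, a fresh install that has not yet run suricata-update -D has no such file; Suricata treats a missing rule file as a warning and starts with zero rules unless --init-errors-fatal is given, so the sensor runs but detects nothing. Suggest the pkg-readme say explicitly that suricata-update (or switching to the bundled-rules block) has to happen before the first start, and that the rules-loaded count in the startup log is the thing to check.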
Index: pkg/README
===================================================================
RCS file: /cvs/ports/security/suricata/pkg/README,v
retrieving revision 1.11
diff -u -p -r1.11 README
--- pkg/README 17 Dec 2023 15:29:06 -0000 1.11
+++ pkg/README 26 Mar 2024 19:44:49 -0000
@@ -23,18 +23,10 @@ and quicker to use one of the available
suricata-update
---------------
suricata-update is the recommended way to install and update rules.
-By default it will download the new rules into ${LOCALSTATEDIR}/suricata/rules
+Run it with the -D flag to download the rules to the directory
+suricata expects (${LOCALSTATEDIR}/suricata/rules):
-Edit ${SYSCONFDIR}/suricata/suricata.yaml and replace the existing
-default-rule-path and rule-files sections with this:
-
- default-rule-path: ${LOCALSTATEDIR}/suricata/rules/
- rule-files:
- - suricata.rules
-
-And restart Suricata:
-
-# rcctl restart suricata
+# suricata-update -D ${LOCALSTATEDIR}/suricata
Oinkmaster
----------
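Review bot: the new text gives the -D invocation but not the failure mode it prevents: without -D, suricata-update writes to /var/lib/suricata/rules (as the cover mail notes), a path default-rule-path never reads, so updates silently have no effect. A sentence saying so, plus the restart step that this hunk removes if it is not already covered under "After updating rules", would make the section self-contained.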
@@ -55,6 +47,10 @@ And you can download as follow:
# cd /etc && oinkmaster -C ${SYSCONFDIR}/oinkmaster.conf \
-o ${SYSCONFDIR}/suricata/rules
+
+Edit ${SYSCONFDIR}/suricata/suricata.yaml, comment out the default
+default-rule-path section and uncomment the commented out
+default-rule-path section.
After updating rules
--------------------
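Review bot: "comment out the default default-rule-path section and uncomment the commented out default-rule-path section" is hard to parse; name the two blocks as they appear in suricata.yaml, e.g. "comment out the suricata-update block (default-rule-path: ${LOCALSTATEDIR}/suricata/rules) and uncomment the bundled-rules block (default-rule-path: ${SYSCONFDIR}/suricata/rules)", and mention that the rule-files list must be switched together with it.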