Update: Suricata 7.0.4 + fixes
On 2024/03/26 19:46, Jeremy Evans wrote:
>
> I updated suricata.yaml.in to replace all of the autoconf related code
> with make variables that will be updated by SUBST_CMD. I found that
> suricata does not like our /etc/magic file, so I left that commented
> out.
ah, it will want /usr/local/share/misc/magic (the .mgc file)
> I found that autoconf is used by the build system. I made a few
> attempts at patching it out, but was unsuccessful. So I left that in.
sorry I missed that, autoconf BDEP makes sense then.
> Here's a revised diff. I plan to commit this tomorrow unless I hear
> objections.
>
> Thanks,
> Jeremy
>
> Index: Makefile
> ===================================================================
> RCS file: /cvs/ports/security/suricata/Makefile,v
> retrieving revision 1.67
> diff -u -p -r1.67 Makefile
> --- Makefile 23 Mar 2024 13:26:40 -0000 1.67
> +++ Makefile 26 Mar 2024 19:44:49 -0000
> @@ -3,9 +3,8 @@ NOT_FOR_ARCHS = powerpc64 riscv64
>
> COMMENT = high performance network IDS, IPS and security monitoring
>
> -SURICATA_V = 7.0.3
> -SUPDATE_V = 1.2.8
> -REVISION = 1
> +SURICATA_V = 7.0.4
> +SUPDATE_V = 1.3.2
>
> DISTNAME = suricata-${SURICATA_V}
> CATEGORIES = security
> @@ -13,7 +12,8 @@ SHARED_LIBS += htp
>
> HOMEPAGE = https://suricata.io/
>
> -MAINTAINER = Gonzalo L. R. <gonzalo@openbsd.org>
> +MAINTAINER = Gonzalo L. R. <gonzalo@openbsd.org>, \
> + Jeremy Evans <jeremy@openbsd.org>
>
> # GPLv2
> PERMIT_PACKAGE= Yes
> @@ -48,7 +48,6 @@ DEBUG_PACKAGES = ${BUILD_PACKAGES}
>
> CONFIGURE_STYLE = autoconf
> AUTOCONF_VERSION = 2.71
> -AUTOMAKE_VERSION = 1.15
>
> CONFIGURE_ENV = ac_cv_path_HAVE_PDFLATEX= \
> ac_cv_path_HAVE_GIT_CMD= \
> @@ -67,9 +66,7 @@ CONFIGURE_ARGS = --disable-gccmarch-nati
> SUBST_VARS = SURICATA_V SUPDATE_V
>
> pre-configure:
> - ${SUBST_CMD} ${WRKSRC}/configure \
> - ${WRKSRC}/doc/userguide/Makefile.in \
> - ${WRKSRC}/suricata-update/doc/Makefile \
> + ${SUBST_CMD} ${WRKSRC}/suricata.yaml.in \
> ${WRKSRC}/suricata-update/suricata/update/config.py \
> ${WRKSRC}/suricata-update/suricata/update/parsers.py
> # prevent generating revision.py
> Index: distinfo
> ===================================================================
> RCS file: /cvs/ports/security/suricata/distinfo,v
> retrieving revision 1.22
> diff -u -p -r1.22 distinfo
> --- distinfo 22 Feb 2024 09:49:35 -0000 1.22
> +++ distinfo 26 Mar 2024 19:44:49 -0000
> @@ -1,2 +1,2 @@
> -SHA256 (suricata-7.0.3.tar.gz) = 6gdC16mHg/GvSldmGvYGi8LYUKw+ygSzIE0ozhZeNf8=
> -SIZE (suricata-7.0.3.tar.gz) = 23599903
> +SHA256 (suricata-7.0.4.tar.gz) = ZABgEgAkvnDb6B9uxu/HLkYlD8s2IZ3/Z+ZBciD/Ibc=
> +SIZE (suricata-7.0.4.tar.gz) = 23610769
> Index: patches/patch-doc_userguide_Makefile_in
> ===================================================================
> RCS file: patches/patch-doc_userguide_Makefile_in
> diff -N patches/patch-doc_userguide_Makefile_in
> --- patches/patch-doc_userguide_Makefile_in 16 Nov 2023 18:15:37 -0000 1.7
> +++ /dev/null 1 Jan 1970 00:00:00 -0000
> @@ -1,8 +0,0 @@
> -Index: doc/userguide/Makefile.in
> ---- doc/userguide/Makefile.in.orig
> -+++ doc/userguide/Makefile.in
> -@@ -1,3 +1,4 @@
> -+
> - # Makefile.in generated by automake 1.16.5 from Makefile.am.
> - # @configure_input@
> -
> Index: patches/patch-src_suricata_c
> ===================================================================
> RCS file: /cvs/ports/security/suricata/patches/patch-src_suricata_c,v
> retrieving revision 1.14
> diff -u -p -r1.14 patch-src_suricata_c
> --- patches/patch-src_suricata_c 18 Mar 2024 17:46:37 -0000 1.14
> +++ patches/patch-src_suricata_c 26 Mar 2024 19:44:49 -0000
> @@ -4,7 +4,7 @@ Suricata uses libcap-ng on Linux and run
> Index: src/suricata.c
> --- src/suricata.c.orig
> +++ src/suricata.c
> -@@ -1600,7 +1600,7 @@ static TmEcode ParseCommandLine(int argc, char** argv,
> +@@ -1597,7 +1597,7 @@ static TmEcode ParseCommandLine(int argc, char** argv,
> return TM_ECODE_FAILED;
> #endif /* UNITTESTS */
> } else if (strcmp((long_opts[option_index]).name, "user") == 0) {
> @@ -13,7 +13,7 @@ Index: src/suricata.c
> SCLogError("libcap-ng is required to"
> " drop privileges, but it was not compiled into Suricata.");
> return TM_ECODE_FAILED;
> -@@ -1609,7 +1609,7 @@ static TmEcode ParseCommandLine(int argc, char** argv,
> +@@ -1606,7 +1606,7 @@ static TmEcode ParseCommandLine(int argc, char** argv,
> suri->do_setuid = TRUE;
> #endif /* HAVE_LIBCAP_NG */
> } else if (strcmp((long_opts[option_index]).name, "group") == 0) {
> @@ -22,10 +22,10 @@ Index: src/suricata.c
> SCLogError("libcap-ng is required to"
> " drop privileges, but it was not compiled into Suricata.");
> return TM_ECODE_FAILED;
> -@@ -3036,6 +3036,7 @@ int SuricataMain(int argc, char **argv)
> - SystemHugepageSnapshotDestroy(prerun_snap);
> - SystemHugepageSnapshotDestroy(postrun_snap);
> -
> +@@ -3040,6 +3040,7 @@ int SuricataMain(int argc, char **argv)
> + SystemHugepageSnapshotDestroy(prerun_snap);
> + SystemHugepageSnapshotDestroy(postrun_snap);
> + }
> + SCSetUserID(suricata.userid, suricata.groupid);
> SCPledge();
> SuricataMainLoop(&suricata);
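Review bot: The ordering `SCSetUserID(suricata.userid, suricata.groupid);` directly before `SCPledge();` is the security-relevant invariant of this patch, and nothing visible in the patch records it; the rebase only adds the closing `}` context line and shifts the hunk offsets from 3036 to 3040, which makes it easy for a future rebase to land the call on the other side of SCPledge(). I'd add a sentence to the patch header, which starts above this hunk: `SCSetUserID() must stay before SCPledge(): uid/gid are dropped first, and presumably the pledge promise set does not allow a later setuid — confirm against SCPledge()`. The enclosing SuricataMain body lies outside the hunk, so whether anything between the two calls still needs root cannot be checked from here.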
> Index: patches/patch-suricata_yaml_in
> ===================================================================
> RCS file: /cvs/ports/security/suricata/patches/patch-suricata_yaml_in,v
> retrieving revision 1.20
> diff -u -p -r1.20 patch-suricata_yaml_in
> --- patches/patch-suricata_yaml_in 22 Feb 2024 09:49:35 -0000 1.20
> +++ patches/patch-suricata_yaml_in 26 Mar 2024 19:44:49 -0000
> @@ -1,15 +1,23 @@
> - After reload allow to write log files or use syslog.
> - Switch user and group to avoid running as root.
> - To remove pid file its directory must be writable by suricata user.
> -- Comment-out suricata-update rules and add config for bundled rules
> -so the package can be used directly. See pkg-readme for information
> -about downloading rules.
> +- Avoid need to run autoconf by setting variables which will be
> + modified by SUBST_CMD
>
>
> Index: suricata.yaml.in
> --- suricata.yaml.in.orig
> +++ suricata.yaml.in
> -@@ -84,6 +84,7 @@ outputs:
> +@@ -58,7 +58,7 @@ vars:
> + # The default logging directory. Any log or output file will be
> + # placed here if it's not specified with a full path name. This can be
> + # overridden with the -l command line parameter.
> +-default-log-dir: @e_logdir@
> ++default-log-dir: ${LOCALSTATEDIR}/log/suricata
> +
> + # Global stats configuration
> + stats:
> +@@ -84,14 +84,16 @@ outputs:
> - fast:
> enabled: yes
> filename: fast.log
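Review bot: The rewritten description (the two lines replacing the removed "Comment-out suricata-update rules" bullet) only mentions replacing the autoconf substitutions, but the new side of this patch file also reverses the default rule source: the last hunk of the patch (the `default-rule-path`/`rule-files` block) now activates `${LOCALSTATEDIR}/suricata/rules` with `suricata.rules` and comments out the bundled rules, the opposite of the sentence being removed. A fresh install presumably has no suricata.rules until suricata-update has run, per the README hunk, so the reason for the flip belongs in the description. Something like `- Default to suricata-update managed rules in ${LOCALSTATEDIR}/suricata/rules; the bundled rules stay as a commented-out alternative, see pkg/README` would keep the patch self-explanatory.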
> @@ -17,8 +25,10 @@ Index: suricata.yaml.in
> append: yes
> #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram'
>
> -@@ -92,6 +93,7 @@ outputs:
> - enabled: @e_enable_evelog@
> + # Extensible Event Format (nicknamed EVE) event log in JSON format
> + - eve-log:
> +- enabled: @e_enable_evelog@
> ++ enabled: yes
> filetype: regular #regular|syslog|unix_dgram|unix_stream|redis
> filename: eve.json
> + filemode: 664
> @@ -94,16 +104,60 @@ Index: suricata.yaml.in
>
> security:
> # if true, prevents process creation from Suricata by calling
> -@@ -1227,7 +1236,7 @@ security:
> +@@ -1208,13 +1217,11 @@ security:
> + enabled: no
> + directories:
> + #write:
> +- # - @e_rundir@
> + # /usr and /etc folders are added to read list to allow
> + # file magic to be used.
> + read:
> + - /usr/
> + - /etc/
> +- - @e_sysconfdir@
> +
> + lua:
> + # Allow Lua rules. Disabled by default.
> +@@ -1227,7 +1234,7 @@ security:
> # Default location of the pid file. The pid file is only used in
> # daemon mode (start Suricata with -D). If not running in daemon mode
> # the --pidfile command line option must be used to create a pid file.
> -#pid-file: @e_rundir@suricata.pid
> -+pid-file: @e_rundir@suricata.pid
> ++pid-file: ${LOCALSTATEDIR}/run/suricata/suricata.pid
>
> # Daemon working directory
> # Suricata will change directory to this one if provided
> -@@ -2143,14 +2152,38 @@ napatech:
> +@@ -1295,8 +1302,7 @@ unix-command:
> + #filename: custom.socket
> +
> + # Magic file. The extension .mgc is added to the value here.
> +-#magic-file: /usr/share/file/magic
> ++#magic-file: ${SYSCONFDIR}/magic
> +-@e_magic_file_comment@magic-file: @e_magic_file@
> +
> + # GeoIP2 database file. Specify path and filename of GeoIP2 database
> + # if using rules with "geoip" rule option.
> +@@ -1334,8 +1340,8 @@ legacy:
> + exception-policy: auto
> +
> + # IP Reputation
> +-#reputation-categories-file: @e_sysconfdir@iprep/categories.txt
> +-#default-reputation-path: @e_sysconfdir@iprep
> ++#reputation-categories-file: ${SYSCONFDIR}/suricata/iprep/categories.txt
> ++#default-reputation-path: ${SYSCONFDIR}/suricata/iprep
> + #reputation-files:
> + # - reputation.list
> +
> +@@ -1813,7 +1819,7 @@ profiling:
> + limit: 10
> +
> + # output to json
> +- json: @e_enable_evelog@
> ++ json: true
> +
> + # per keyword profiling
> + keywords:
> +@@ -2143,22 +2149,44 @@ napatech:
> #
> hashmode: hash5tuplesorted
>
> @@ -114,34 +168,43 @@ Index: suricata.yaml.in
> ##
> ## Configure Suricata to load Suricata-Update managed rules.
> ##
> -+#default-rule-path: ${LOCALSTATEDIR}/suricata/rules
> -+#rule-files:
> -+# - suricata.rules
> -
> +-
> -default-rule-path: @e_defaultruledir@
> -
> -+##
> -+## Configure Suricata to use basic bundled rules.
> -+##
> -+default-rule-path: @e_sysconfdir@rules
> ++default-rule-path: ${LOCALSTATEDIR}/suricata/rules
> rule-files:
> -- - suricata.rules
> -+ - app-layer-events.rules
> -+ - decoder-events.rules
> -+ - dhcp-events.rules
> -+ - dnp3-events.rules
> -+ - dns-events.rules
> -+ - files.rules
> -+ - http-events.rules
> -+ - ipsec-events.rules
> -+ - kerberos-events.rules
> -+ - modbus-events.rules
> -+ - nfs-events.rules
> -+ - ntp-events.rules
> -+ - smb-events.rules
> -+ - smtp-events.rules
> -+ - stream-events.rules
> -+ - tls-events.rules
> + - suricata.rules
>
> ##
> ++## Configure Suricata to use basic bundled rules.
> ++##
> ++#default-rule-path: ${SYSCONFDIR}/suricata/rules
> ++#rule-files:
> ++# - app-layer-events.rules
> ++# - decoder-events.rules
> ++# - dhcp-events.rules
> ++# - dns-events.rules
> ++# - files.rules
> ++# - http-events.rules
> ++# - ipsec-events.rules
> ++# - kerberos-events.rules
> ++# - nfs-events.rules
> ++# - ntp-events.rules
> ++# - smb-events.rules
> ++# - smtp-events.rules
> ++# - stream-events.rules
> ++# - tls-events.rules
> ++
> ++##
> ## Auxiliary configuration files.
> + ##
> +
> +-classification-file: @e_sysconfdir@classification.config
> +-reference-config-file: @e_sysconfdir@reference.config
> +-# threshold-file: @e_sysconfdir@threshold.config
> ++classification-file: ${SYSCONFDIR}/suricata/classification.config
> ++reference-config-file: ${SYSCONFDIR}/suricata/reference.config
> ++# threshold-file: ${SYSCONFDIR}/suricata/threshold.config
> +
> + ##
> + ## Include other configs
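Review bot: The new commented bundled-rules list drops `dnp3-events.rules` and `modbus-events.rules`, both present in the active list the patch previously carried (the `-+` lines above), while every other entry is kept. If those two files are deliberately omitted, for example because the port no longer installs them, the patch description should say so; otherwise restore them as `#  - dnp3-events.rules` and `#  - modbus-events.rules` so the commented block is a drop-in replacement when an admin follows the README's Oinkmaster instructions. Whether 7.0.4 still ships both files cannot be verified from this diff.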
> Index: pkg/README
> ===================================================================
> RCS file: /cvs/ports/security/suricata/pkg/README,v
> retrieving revision 1.11
> diff -u -p -r1.11 README
> --- pkg/README 17 Dec 2023 15:29:06 -0000 1.11
> +++ pkg/README 26 Mar 2024 19:44:49 -0000
> @@ -23,18 +23,10 @@ and quicker to use one of the available
> suricata-update
> ---------------
> suricata-update is the recommended way to install and update rules.
> -By default it will download the new rules into ${LOCALSTATEDIR}/suricata/rules
> +Run it with the -D flag to download the rules to the directory
> +suricata expects (${LOCALSTATEDIR}/suricata/rules):
>
> -Edit ${SYSCONFDIR}/suricata/suricata.yaml and replace the existing
> -default-rule-path and rule-files sections with this:
> -
> - default-rule-path: ${LOCALSTATEDIR}/suricata/rules/
> - rule-files:
> - - suricata.rules
> -
> -And restart Suricata:
> -
> -# rcctl restart suricata
> +# suricata-update -D ${LOCALSTATEDIR}/suricata
>
> Oinkmaster
> ----------
> @@ -55,6 +47,10 @@ And you can download as follow:
>
> # cd /etc && oinkmaster -C ${SYSCONFDIR}/oinkmaster.conf \
> -o ${SYSCONFDIR}/suricata/rules
> +
> +Edit ${SYSCONFDIR}/suricata/suricata.yaml, comment out the default
> +default-rule-path section and uncomment the commented out
> +default-rule-path section.
>
> After updating rules
> --------------------
>