From: Jeremy Evans Subject: Re: Update: Suricata 7.0.4 + fixes To: gonzalo@openbsd.org, OpenBSD ports Date: Tue, 26 Mar 2024 19:46:41 +0000 On 03/26 09:38, Stuart Henderson wrote: > On 2024/03/25 20:16, Jeremy Evans wrote: > > Here's an update to Suricata 7.0.4, based on gonzalo's update > > recently posted to ports@. After discussion with gonzalo@ and > > sthen@, I'm adding myself as co-maintainer. > > > > In addition to the version update, this fixes the following issues: > > > > Package README recommends suricata-update, but default config is > > overridden to not use suricata-update. Stop overriding default > > config, so the way recommended by the package README does not require > > modifying suricata.yaml. > > > > Run SUBST_CMD on suricata.yaml.in to fix the ${LOCALSTATEDIR} > > remaining in default installed configuration. > > > > suricata-update downloads to /var/lib/suricata instead of > > /var/suricata by default, despite the local patches. Not sure yet > > how to fix that easily, so updated package README to specify -D > > flag so it updates the correct place. I checked OpenBSD 7.4 > > (Suricata 6.0.12) and suricata-update also defaulted to > > /var/lib/suricata there. > > > > Remove now unnecessary patch for suricata/doc/Makefile.in. Remove > > a couple unnecessary files in SUBST_CMD as well. > > OK. > > Some other possible tweaks: > > ${WRKSRC}/configure can be dropped from SUBST_CMD too. I made that change. > AUTOMAKE_VERSION is set but does nothing (the port does not use a > CONFIGURE_STYLE which depends on automake) so probably better removed. > Alternatively as e_rundir is only used to set the default pid path in > suricata.yaml, that could be patched in suricata.yaml.in and avoid the > need to re-run autoconf completely (-> CONFIGURE_STYLE=gnu and drop > both AUTO*_VERSION lines). I updated suricata.yaml.in to replace all of the autoconf related code with make variables that will be updated by SUBST_CMD. 
I found that suricata does not like our /etc/magic file, so I left that commented out. I found that autoconf is used by the build system. I made a few attempts at patching it out, but was unsuccessful. So I left that in. Here's a revised diff. I plan to commit this tomorrow unless I hear objections. Thanks, Jeremy Index: Makefile =================================================================== RCS file: /cvs/ports/security/suricata/Makefile,v retrieving revision 1.67 diff -u -p -r1.67 Makefile --- Makefile 23 Mar 2024 13:26:40 -0000 1.67 +++ Makefile 26 Mar 2024 19:44:49 -0000 @@ -3,9 +3,8 @@ NOT_FOR_ARCHS = powerpc64 riscv64 COMMENT = high performance network IDS, IPS and security monitoring -SURICATA_V = 7.0.3 -SUPDATE_V = 1.2.8 -REVISION = 1 +SURICATA_V = 7.0.4 +SUPDATE_V = 1.3.2 DISTNAME = suricata-${SURICATA_V} CATEGORIES = security @@ -13,7 +12,8 @@ SHARED_LIBS += htp HOMEPAGE = https://suricata.io/ -MAINTAINER = Gonzalo L. R. +MAINTAINER = Gonzalo L. R. , \ + Jeremy Evans # GPLv2 PERMIT_PACKAGE= Yes @@ -48,7 +48,6 @@ DEBUG_PACKAGES = ${BUILD_PACKAGES} CONFIGURE_STYLE = autoconf AUTOCONF_VERSION = 2.71 -AUTOMAKE_VERSION = 1.15 CONFIGURE_ENV = ac_cv_path_HAVE_PDFLATEX= \ ac_cv_path_HAVE_GIT_CMD= \ @@ -67,9 +66,7 @@ CONFIGURE_ARGS = --disable-gccmarch-nati SUBST_VARS = SURICATA_V SUPDATE_V pre-configure: - ${SUBST_CMD} ${WRKSRC}/configure \ - ${WRKSRC}/doc/userguide/Makefile.in \ - ${WRKSRC}/suricata-update/doc/Makefile \ + ${SUBST_CMD} ${WRKSRC}/suricata.yaml.in \ ${WRKSRC}/suricata-update/suricata/update/config.py \ ${WRKSRC}/suricata-update/suricata/update/parsers.py # prevent generating revision.py Index: distinfo =================================================================== RCS file: /cvs/ports/security/suricata/distinfo,v retrieving revision 1.22 diff -u -p -r1.22 distinfo --- distinfo 22 Feb 2024 09:49:35 -0000 1.22 +++ distinfo 26 Mar 2024 19:44:49 -0000 
@@ -1,2 +1,2 @@ -SHA256 (suricata-7.0.3.tar.gz) = 6gdC16mHg/GvSldmGvYGi8LYUKw+ygSzIE0ozhZeNf8= -SIZE (suricata-7.0.3.tar.gz) = 23599903 +SHA256 (suricata-7.0.4.tar.gz) = ZABgEgAkvnDb6B9uxu/HLkYlD8s2IZ3/Z+ZBciD/Ibc= +SIZE (suricata-7.0.4.tar.gz) = 23610769 Index: patches/patch-doc_userguide_Makefile_in =================================================================== RCS file: patches/patch-doc_userguide_Makefile_in diff -N patches/patch-doc_userguide_Makefile_in --- patches/patch-doc_userguide_Makefile_in 16 Nov 2023 18:15:37 -0000 1.7 +++ /dev/null 1 Jan 1970 00:00:00 -0000 @@ -1,8 +0,0 @@ -Index: doc/userguide/Makefile.in ---- doc/userguide/Makefile.in.orig -+++ doc/userguide/Makefile.in -@@ -1,3 +1,4 @@ -+ - # Makefile.in generated by automake 1.16.5 from Makefile.am. - # @configure_input@ - Index: patches/patch-src_suricata_c =================================================================== RCS file: /cvs/ports/security/suricata/patches/patch-src_suricata_c,v retrieving revision 1.14 diff -u -p -r1.14 patch-src_suricata_c --- patches/patch-src_suricata_c 18 Mar 2024 17:46:37 -0000 1.14 +++ patches/patch-src_suricata_c 26 Mar 2024 19:44:49 -0000 @@ -4,7 +4,7 @@ Suricata uses libcap-ng on Linux and run Index: src/suricata.c --- src/suricata.c.orig +++ src/suricata.c -@@ -1600,7 +1600,7 @@ static TmEcode ParseCommandLine(int argc, char** argv, +@@ -1597,7 +1597,7 @@ static TmEcode ParseCommandLine(int argc, char** argv, return TM_ECODE_FAILED; #endif /* UNITTESTS */ } else if (strcmp((long_opts[option_index]).name, "user") == 0) { @@ -13,7 +13,7 @@ Index: src/suricata.c SCLogError("libcap-ng is required to" " drop privileges, but it was not compiled into Suricata."); return TM_ECODE_FAILED; -@@ -1609,7 +1609,7 @@ static TmEcode ParseCommandLine(int argc, char** argv, +@@ -1606,7 +1606,7 @@ static TmEcode ParseCommandLine(int argc, char** argv, suri->do_setuid = TRUE; #endif /* HAVE_LIBCAP_NG */ } else if (strcmp((long_opts[option_index]).name, "group") == 0) { 
@@ -22,10 +22,10 @@ Index: src/suricata.c SCLogError("libcap-ng is required to" " drop privileges, but it was not compiled into Suricata."); return TM_ECODE_FAILED; -@@ -3036,6 +3036,7 @@ int SuricataMain(int argc, char **argv) - SystemHugepageSnapshotDestroy(prerun_snap); - SystemHugepageSnapshotDestroy(postrun_snap); - +@@ -3040,6 +3040,7 @@ int SuricataMain(int argc, char **argv) + SystemHugepageSnapshotDestroy(prerun_snap); + SystemHugepageSnapshotDestroy(postrun_snap); + } + SCSetUserID(suricata.userid, suricata.groupid); SCPledge(); SuricataMainLoop(&suricata); Index: patches/patch-suricata_yaml_in =================================================================== RCS file: /cvs/ports/security/suricata/patches/patch-suricata_yaml_in,v retrieving revision 1.20 diff -u -p -r1.20 patch-suricata_yaml_in --- patches/patch-suricata_yaml_in 22 Feb 2024 09:49:35 -0000 1.20 +++ patches/patch-suricata_yaml_in 26 Mar 2024 19:44:49 -0000 @@ -1,15 +1,23 @@ - After reload allow to write log files or use syslog. - Switch user and group to avoid running as root. - To remove pid file its directory must be writable by suricata user. -- Comment-out suricata-update rules and add config for bundled rules -so the package can be used directly. See pkg-readme for information -about downloading rules. +- Avoid need to run autoconf by setting variables which will be + modified by SUBST_CMD Index: suricata.yaml.in --- suricata.yaml.in.orig +++ suricata.yaml.in -@@ -84,6 +84,7 @@ outputs: +@@ -58,7 +58,7 @@ vars: + # The default logging directory. Any log or output file will be + # placed here if it's not specified with a full path name. This can be + # overridden with the -l command line parameter. +-default-log-dir: @e_logdir@ ++default-log-dir: ${LOCALSTATEDIR}/log/suricata + + # Global stats configuration + stats: +@@ -84,14 +84,16 @@ outputs: - fast: enabled: yes filename: fast.log 
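Review bot: The new patch header line `+- Avoid need to run autoconf by setting variables which will be modified by SUBST_CMD` describes a goal this diff does not reach: the Makefile hunk keeps `CONFIGURE_STYLE = autoconf` and `AUTOCONF_VERSION = 2.71`, and the cover mail says autoconf is still used by the build system, so configure is still regenerated and run. Wording it as what the patch actually does avoids misleading the next maintainer, e.g. `- Replace the @e_...@ autoconf substitutions with make variables expanded by SUBST_CMD`. The `default-log-dir: ${LOCALSTATEDIR}/log/suricata` change in the same hunk is consistent with that description.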
@@ -17,8 +25,10 @@ Index: suricata.yaml.in append: yes #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram' -@@ -92,6 +93,7 @@ outputs: - enabled: @e_enable_evelog@ + # Extensible Event Format (nicknamed EVE) event log in JSON format + - eve-log: +- enabled: @e_enable_evelog@ ++ enabled: yes filetype: regular #regular|syslog|unix_dgram|unix_stream|redis filename: eve.json + filemode: 664 
@@ -94,16 +104,60 @@ Index: suricata.yaml.in security: # if true, prevents process creation from Suricata by calling -@@ -1227,7 +1236,7 @@ security: +@@ -1208,13 +1217,11 @@ security: + enabled: no + directories: + #write: +- # - @e_rundir@ + # /usr and /etc folders are added to read list to allow + # file magic to be used. + read: + - /usr/ + - /etc/ +- - @e_sysconfdir@ + + lua: + # Allow Lua rules. Disabled by default. +@@ -1227,7 +1234,7 @@ security: # Default location of the pid file. The pid file is only used in # daemon mode (start Suricata with -D). If not running in daemon mode # the --pidfile command line option must be used to create a pid file. -#pid-file: @e_rundir@suricata.pid -+pid-file: @e_rundir@suricata.pid ++pid-file: ${LOCALSTATEDIR}/run/suricata/suricata.pid # Daemon working directory # Suricata will change directory to this one if provided -@@ -2143,14 +2152,38 @@ napatech: +@@ -1295,8 +1302,7 @@ unix-command: + #filename: custom.socket + + # Magic file. The extension .mgc is added to the value here. +-#magic-file: /usr/share/file/magic ++#magic-file: ${SYSCONFDIR}/magic +-@e_magic_file_comment@magic-file: @e_magic_file@ + + # GeoIP2 database file. Specify path and filename of GeoIP2 database + # if using rules with "geoip" rule option. +@@ -1334,8 +1340,8 @@ legacy: + exception-policy: auto + + # IP Reputation +-#reputation-categories-file: @e_sysconfdir@iprep/categories.txt +-#default-reputation-path: @e_sysconfdir@iprep ++#reputation-categories-file: ${SYSCONFDIR}/suricata/iprep/categories.txt ++#default-reputation-path: ${SYSCONFDIR}/suricata/iprep + #reputation-files: + # - reputation.list + +@@ -1813,7 +1819,7 @@ profiling: + limit: 10 + + # output to json +- json: @e_enable_evelog@ ++ json: true + + # per keyword profiling + keywords: +@@ -2143,22 +2149,44 @@ napatech: # hashmode: hash5tuplesorted 
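Review bot: The new commented example `+#magic-file: ${SYSCONFDIR}/magic` points readers at a value the cover mail says Suricata does not accept, and the context comment directly above it says `.mgc` is appended, so anyone uncommenting it gets a path that presumably does not exist on an OpenBSD base install; a one-line comment such as `# the base /etc/magic is not usable by Suricata; leave unset unless a libmagic-compatible database is installed` would save the next reader a trial run (exact failure mode is not visible here). Separately, the landlock `read:` list drops `- @e_sysconfdir@` rather than substituting it; with SYSCONFDIR=/etc the entry is covered by `- /etc/`, but if the port ever sets a different SYSCONFDIR the classification, reference and iprep files placed under `${SYSCONFDIR}/suricata` elsewhere in this patch would fall outside the allowed read set, so `- ${SYSCONFDIR}/` is the safer replacement. That section is `enabled: no` by default, so the impact is limited to users who turn it on.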
@@ -114,34 +168,43 @@ Index: suricata.yaml.in ## ## Configure Suricata to load Suricata-Update managed rules. ## -+#default-rule-path: ${LOCALSTATEDIR}/suricata/rules -+#rule-files: -+# - suricata.rules - +- -default-rule-path: @e_defaultruledir@ - -+## -+## Configure Suricata to use basic bundled rules. -+## -+default-rule-path: @e_sysconfdir@rules ++default-rule-path: ${LOCALSTATEDIR}/suricata/rules rule-files: -- - suricata.rules -+ - app-layer-events.rules -+ - decoder-events.rules -+ - dhcp-events.rules -+ - dnp3-events.rules -+ - dns-events.rules -+ - files.rules -+ - http-events.rules -+ - ipsec-events.rules -+ - kerberos-events.rules -+ - modbus-events.rules -+ - nfs-events.rules -+ - ntp-events.rules -+ - smb-events.rules -+ - smtp-events.rules -+ - stream-events.rules -+ - tls-events.rules + - suricata.rules ## ++## Configure Suricata to use basic bundled rules. ++## ++#default-rule-path: ${SYSCONFDIR}/suricata/rules ++#rule-files: ++# - app-layer-events.rules ++# - decoder-events.rules ++# - dhcp-events.rules ++# - dns-events.rules ++# - files.rules ++# - http-events.rules ++# - ipsec-events.rules ++# - kerberos-events.rules ++# - nfs-events.rules ++# - ntp-events.rules ++# - smb-events.rules ++# - smtp-events.rules ++# - stream-events.rules ++# - tls-events.rules ++ ++## ## Auxiliary configuration files. 
+ ## + +-classification-file: @e_sysconfdir@classification.config +-reference-config-file: @e_sysconfdir@reference.config +-# threshold-file: @e_sysconfdir@threshold.config ++classification-file: ${SYSCONFDIR}/suricata/classification.config ++reference-config-file: ${SYSCONFDIR}/suricata/reference.config ++# threshold-file: ${SYSCONFDIR}/suricata/threshold.config + + ## + ## Include other configs Index: pkg/README =================================================================== RCS file: /cvs/ports/security/suricata/pkg/README,v retrieving revision 1.11 diff -u -p -r1.11 README --- pkg/README 17 Dec 2023 15:29:06 -0000 1.11 +++ pkg/README 26 Mar 2024 19:44:49 -0000 @@ -23,18 +23,10 @@ and quicker to use one of the available suricata-update --------------- suricata-update is the recommended way to install and update rules. -By default it will download the new rules into ${LOCALSTATEDIR}/suricata/rules +Run it with the -D flag to download the rules to the directory +suricata expects (${LOCALSTATEDIR}/suricata/rules): -Edit ${SYSCONFDIR}/suricata/suricata.yaml and replace the existing -default-rule-path and rule-files sections with this: - - default-rule-path: ${LOCALSTATEDIR}/suricata/rules/ - rule-files: - - suricata.rules - -And restart Suricata: - -# rcctl restart suricata +# suricata-update -D ${LOCALSTATEDIR}/suricata Oinkmaster ---------- @@ -55,6 +47,10 @@ And you can download as follow: # cd /etc && oinkmaster -C ${SYSCONFDIR}/oinkmaster.conf \ -o ${SYSCONFDIR}/suricata/rules + +Edit ${SYSCONFDIR}/suricata/suricata.yaml, comment out the default +default-rule-path section and uncomment the commented out +default-rule-path section. After updating rules --------------------
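Review bot: The commented bundled-rules block added here lists fewer files than the block it replaces: `dnp3-events.rules` and `modbus-events.rules` are in the removed list but absent from the new `#rule-files:` list, with nothing indicating whether they were dropped deliberately (for instance because the port builds without those protocols) or by accident. If the 7.0.4 package still installs them, `# - dnp3-events.rules` and `# - modbus-events.rules` belong in the list; if not, a short comment saying so keeps a later update from re-adding them. Also, with `+default-rule-path: ${LOCALSTATEDIR}/suricata/rules` now the active default, a fresh install has no `suricata.rules` there until `suricata-update -D` has been run (the cover mail notes the tool's own default is `/var/lib/suricata`), so the daemon will start without rules or fail rule loading depending on how it treats a missing rule file; a comment at that line pointing to the README step would make this explicit. This hunk begins on the previous line.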