[yocto] [Meta-security][PATCH V3 1/3] snort : add recipe

Joe MacDonald joe at deserted.net
Tue Oct 15 13:54:20 PDT 2013


Hi Chunrong,

[Re: [yocto] [Meta-security][PATCH V3 1/3] snort : add recipe] On 13.10.10 (Thu 08:19) Guo Chunrong-B40290 wrote:

> Hello, all
>   
> Please give me some comments.

The meta-security maintainer and I have discussed this at length and
we're in agreement that for the time being it's probably appropriate to
have this in meta-networking rather than meta-security.  I haven't had a
chance to go back over this but I think somewhere along the way a few of
the earlier comments were lost (I don't see Khem's suggestion addressed
in the latest meta-security, for example).

Can you do another round of this, ensuring you've addressed the comments
(either by incorporating the suggestions or addressing why you think
they aren't appropriate here) and send this back for inclusion in
meta-networking?

I think you'd also had some out-of-band info from the meta-security
maintainer that the PERL dependencies listed in the recipes may be
over-zealous, can you take a quick pass at reducing them to a somewhat
more minimal set before sending a new version?

Thanks,
-Joe.

> 
> Thanks
> chunrong
> 
> 
> 
> -----Original Message-----
> From: Guo Chunrong-B40290 
> Sent: Thursday, September 26, 2013 11:26 AM
> To: yocto at yoctoproject.org
> Cc: Liu Ting-B28495; Luo Zhenhua-B19537; Guo Chunrong-B40290; Guo Chunrong-B40290
> Subject: [Meta-security][PATCH V3 1/3] snort : add recipe
> 
> From: Chunrong Guo <B40290 at freescale.com>
> 
>    *snort - a free lightweight network intrusion detection
>             system for UNIX and Windows
> 
> Signed-off-by: Chunrong Guo <B40290 at freescale.com>
> ---
>  recipes-security/snort/files/default               |   42 ++
>  .../snort/files/disable-dap-address-space-id.patch |   52 +++
>  .../snort/files/disable-inaddr-none.patch          |   75 ++++
>  recipes-security/snort/files/logrotate             |   12 +
>  recipes-security/snort/files/snort.init            |  425 ++++++++++++++++++++
>  recipes-security/snort/files/volatiles             |    2 +
>  recipes-security/snort/snort_2.9.4.6.bb            |   83 ++++
>  7 files changed, 691 insertions(+), 0 deletions(-)
>  create mode 100644 recipes-security/snort/files/default
>  create mode 100644 recipes-security/snort/files/disable-dap-address-space-id.patch
>  create mode 100644 recipes-security/snort/files/disable-inaddr-none.patch
>  create mode 100644 recipes-security/snort/files/logrotate
>  create mode 100755 recipes-security/snort/files/snort.init
>  create mode 100644 recipes-security/snort/files/volatiles
>  create mode 100644 recipes-security/snort/snort_2.9.4.6.bb
> 
> diff --git a/recipes-security/snort/files/default b/recipes-security/snort/files/default
> new file mode 100644
> index 0000000..afd3840
> --- /dev/null
> +++ b/recipes-security/snort/files/default
> @@ -0,0 +1,42 @@
> +# Parameters for the daemon
> +# Add any additional parameteres here.
> +PARAMS="-m 027 -D -d "
> +#
> +# Snort user
> +# This user will be used to launch snort. Notice that the # preinst 
> +script of the package might do changes to the user # (home directory, 
> +User Name) when the package is upgraded or # reinstalled.  So, do *not* 
> +change this to 'root' or to any other user # unless you are sure there 
> +is no problem with those changes being introduced.
> +#
> +SNORTUSER="snort"
> +#
> +# Logging directory
> +# Snort logs will be dropped here and this will be the home # directory 
> +for the SNORTUSER. If you change this value you should # change the 
> +/etc/logrotate.d/snort definition too, otherwise logs # will not be 
> +rotated properly.
> +#
> +LOGDIR="/var/log/snort"
> +#
> +# Snort group
> +# This is the group that the snort user will be added to.
> +#
> +SNORTGROUP="snort"
> +#
> +# Allow Snort's init.d script to work if the configured interfaces # 
> +are not available. Set this to yes if you configure Snort with # 
> +multiple interfaces but some might not be available on boot # (e.g. 
> +wireless interfaces) # # Note: In order for this to work the 'iproute' 
> +package needs to # be installed.
> +ALLOW_UNAVAILABLE="no"
> +
> +# Local configs
> +#
> +LOCAL_SNORT_STARTUP=boot
> +LOCAL_SNORT_HOME_NET="192.168.0.0/16"
> +LOCAL_SNORT_INTERFACE=""
> +LOCAL_SNORT_STATS_RCPT="root"
> +LOCAL_SNORT_STATS_THRESHOLD="1"
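Review bot: the comment blocks under "# Snort user", "# Logging directory" and "# Allow Snort's init.d script" have continuation lines that carry no leading "#", for example "script of the package might do changes to the user # (home directory," and "for the SNORTUSER. If you change this value you should # change the". snort.init sources this file with ". /etc/default/snort", so as shown the shell would try to execute "script", "for" and "rotated" as commands and the init script would abort under its "-e". If this is only mail-client re-wrapping, please resend with git send-email so the file can be reviewed as it will be installed; otherwise each continuation line needs its own "#". The preinst and /etc/logrotate.d wording is carried over from the Debian package: this recipe has no preinst that manipulates the user, so drop that paragraph or reword it for this layer. Separately, LOCAL_SNORT_INTERFACE="" means the shipped init script will stop at "no interfaces configured, will not start" until someone edits this file, which is a reasonable default but deserves a comment saying so, and LOCAL_SNORT_OPTIONS, which the init script expands on its start-stop-daemon line, is not listed here at all.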
> diff --git a/recipes-security/snort/files/disable-dap-address-space-id.patch b/recipes-security/snort/files/disable-dap-address-space-id.patch
> new file mode 100644
> index 0000000..39e5c9c
> --- /dev/null
> +++ b/recipes-security/snort/files/disable-dap-address-space-id.patch
> @@ -0,0 +1,52 @@
> +Upstream-Status:Inappropriate [embedded specific]
> +
> +fix the below error:
> +checking for dap address space id... configure: 
> +configure: error: cannot run test program while cross compiling
> +
> +
> +Signed-off-by: Chunrong Guo <B40290 at freescale.com>
> +
> +--- a/configure.in	2013-08-23 00:06:37.239361932 -0500
> ++++ b/configure.in	2013-08-23 00:07:32.860266534 -0500
> +@@ -679,23 +679,23 @@
> + 
> + AC_CHECK_FUNCS([daq_hup_apply] [daq_acquire_with_meta])
> + 
> +-AC_MSG_CHECKING([for daq address space ID]) -AC_RUN_IFELSE( 
> +-[AC_LANG_PROGRAM( -[[ -#include <daq.h> -]], -[[
> +-   DAQ_PktHdr_t hdr;
> +-   hdr.address_space_id = 0;
> +-]])],
> +-[have_daq_address_space_id="yes"],
> +-[have_daq_address_space_id="no"])
> +-AC_MSG_RESULT($have_daq_address_space_id)
> +-if test "x$have_daq_address_space_id" = "xyes"; then
> +-    AC_DEFINE([HAVE_DAQ_ADDRESS_SPACE_ID],[1],
> +-        [DAQ version supports address space ID in header.])
> +-fi
> ++#AC_MSG_CHECKING([for daq address space ID]) #AC_RUN_IFELSE( 
> ++#[AC_LANG_PROGRAM( #[[ ##include <daq.h> #]], #[[
> ++#   DAQ_PktHdr_t hdr;
> ++#   hdr.address_space_id = 0;
> ++#]])],
> ++have_daq_address_space_id="yes"
> ++#[have_daq_address_space_id="no"])
> ++#AC_MSG_RESULT($have_daq_address_space_id)
> ++#if test "x$have_daq_address_space_id" = "xyes"; then
> ++#    AC_DEFINE([HAVE_DAQ_ADDRESS_SPACE_ID],[1],
> ++#        [DAQ version supports address space ID in header.])
> ++#fi
> + 
> + # any sparc platform has to have this one defined.
> + AC_MSG_CHECKING(for sparc)
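Review bot: the replacement line have_daq_address_space_id="yes" has no effect, because the AC_DEFINE([HAVE_DAQ_ADDRESS_SPACE_ID],[1], ...) that would consume it is commented out together with the check, so the build is effectively forced to "no" whatever DAQ version is present. The test program only assigns hdr.address_space_id, which is a compile-time question, so changing AC_RUN_IFELSE to AC_COMPILE_IFELSE with the same program and the same two result branches keeps the detection working when cross compiling and is something upstream could take; Upstream-Status could then be "Pending" rather than "Inappropriate [embedded specific]". (Alternatively, AC_RUN_IFELSE accepts a fourth action-if-cross-compiling argument.) Also "dap" in the file name and in "for dap address space id" should be "daq", and "Upstream-Status:Inappropriate" wants a space after the colon to match the other patch and the usual OE form.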
> diff --git a/recipes-security/snort/files/disable-inaddr-none.patch b/recipes-security/snort/files/disable-inaddr-none.patch
> new file mode 100644
> index 0000000..9dafe63
> --- /dev/null
> +++ b/recipes-security/snort/files/disable-inaddr-none.patch
> @@ -0,0 +1,75 @@
> +Upstream-Status: Inappropriate [embedded specific]
> +
> +fix the below error:
> +checking for INADDR_NONE... configure:
> +configure: error: cannot run test program while cross compiling
> +
> +Signed-off-by: Chunrong Guo <B40290 at freescale.com>
> +
> +
> +--- a/configure.in	2013-08-21 03:56:17.197414789 -0500
> ++++ b/configure.in	2013-08-21 23:19:05.298553560 -0500
> +@@ -281,25 +281,7 @@
> + AC_CHECK_TYPES([boolean])
> + 
> + # In case INADDR_NONE is not defined (like on Solaris) 
> +-have_inaddr_none="no"
> +-AC_MSG_CHECKING([for INADDR_NONE])
> +-AC_RUN_IFELSE(
> +-[AC_LANG_PROGRAM(
> +-[[
> +-#include <sys/types.h>
> +-#include <netinet/in.h>
> +-#include <arpa/inet.h>
> +-]],
> +-[[
> +-	if (inet_addr("10,5,2") == INADDR_NONE);
> +-    return 0;
> +-]])],
> +-[have_inaddr_none="yes"],
> +-[have_inaddr_none="no"])
> +-AC_MSG_RESULT($have_inaddr_none)
> +-if test "x$have_inaddr_none" = "xno"; then
> +-	AC_DEFINE([INADDR_NONE],[-1],[For INADDR_NONE definition])
> +-fi
> ++have_inaddr_none="yes"
> + 
> + AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
> + #include <stdio.h>
> +@@ -397,21 +379,21 @@
> +   fi
> + fi
> + 
> +-AC_MSG_CHECKING([for pcap_lex_destroy]) -AC_RUN_IFELSE( 
> +-[AC_LANG_PROGRAM( -[[ -#include <pcap.h> -]], -[[
> +-   pcap_lex_destroy();
> +-]])],
> +-[have_pcap_lex_destroy="yes"],
> +-[have_pcap_lex_destroy="no"])
> +-AC_MSG_RESULT($have_pcap_lex_destroy)
> +-if test "x$have_pcap_lex_destroy" = "xyes"; then
> +-    AC_DEFINE([HAVE_PCAP_LEX_DESTROY],[1],[Can cleanup lex buffer stack created by pcap bpf filter])
> +-fi
> ++#AC_MSG_CHECKING([for pcap_lex_destroy]) #AC_RUN_IFELSE( 
> ++#[AC_LANG_PROGRAM( #[[ ##include <pcap.h> #]], #[[
> ++#   pcap_lex_destroy();
> ++#]])],
> ++have_pcap_lex_destroy="yes"
> ++#[have_pcap_lex_destroy="no"])
> ++#AC_MSG_RESULT($have_pcap_lex_destroy)
> ++#if test "x$have_pcap_lex_destroy" = "xyes"; then
> ++#    AC_DEFINE([HAVE_PCAP_LEX_DESTROY],[1],[Can cleanup lex buffer stack created by pcap bpf filter])
> ++#fi
> + 
> + AC_MSG_CHECKING([for pcap_lib_version]) AC_LINK_IFELSE(
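Review bot: the second hunk, at "#AC_MSG_CHECKING([for pcap_lex_destroy])", silently disables a feature instead of detecting it: HAVE_PCAP_LEX_DESTROY is only defined inside the now-commented block, so forcing have_pcap_lex_destroy="yes" changes nothing and Snort will never call pcap_lex_destroy() to free the BPF lexer buffers, even on a libpcap that provides it. That check asks whether the symbol links, so AC_LINK_IFELSE in place of AC_RUN_IFELSE does the right thing when cross compiling. The change is also not mentioned in the patch header, which only describes the INADDR_NONE failure; please list it there. For the first hunk, have_inaddr_none="yes" is correct for glibc targets, where netinet/in.h defines INADDR_NONE, but an AC_COMPILE_IFELSE on the same program would keep the result honest for other C libraries and again be upstreamable.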
> diff --git a/recipes-security/snort/files/logrotate b/recipes-security/snort/files/logrotate
> new file mode 100644
> index 0000000..e394e2e
> --- /dev/null
> +++ b/recipes-security/snort/files/logrotate
> @@ -0,0 +1,12 @@
> +/var/log/snort/*.log /var/log/snort/alert {
> +    size 1M
> +    missingok
> +    compress
> +    delaycompress
> +    rotate 10
> +    sharedscripts
> +    postrotate
> +    /etc/init.d/snort restart
> +    endscript
> +}
> +
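Review bot: postrotate calls /etc/init.d/snort restart, which in the accompanying init script stops and restarts every running instance, so each rotation opens a capture gap on all interfaces, and the script's echo output ("(eth0", "...done)") is not redirected, so logrotate will mail it out when run from cron. At minimum append ">/dev/null 2>&1 || true" so a failed restart does not abort logrotate's run. Please also confirm the globs match what Snort writes with "-l /var/log/snort": the default binary packet log is named snort.log.<timestamp>, which "*.log" does not match, so only "alert" would be rotated.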
> diff --git a/recipes-security/snort/files/snort.init b/recipes-security/snort/files/snort.init
> new file mode 100755
> index 0000000..af66619
> --- /dev/null
> +++ b/recipes-security/snort/files/snort.init
> @@ -0,0 +1,425 @@
> +#!/bin/sh -e
> +#
> +# Init.d script for Snort in OpenEmbedded, based on Debian's script # # 
> +Copyright (c) 2009 Roman I Khimov <khimov at altell.ru> # # Copyright (c) 
> +2001 Christian Hammers # Copyright (c) 2001-2002 Robert van der Meulen 
> +# Copyright (c) 2002-2004 Sander Smeenk <ssmeenk at debian.org> # 
> +Copyright (c) 2004-2007 Javier Fernandez-Sanguino <jfs at debian.org> # # 
> +This is free software; you may redistribute it and/or modify # it under 
> +the terms of the GNU General Public License as # published by the Free 
> +Software Foundation; either version 2, # or (at your option) any later 
> +version.
> +#
> +# This is distributed in the hope that it will be useful, but # WITHOUT 
> +ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or 
> +FITNESS FOR A PARTICULAR PURPOSE.  See the # GNU General Public License 
> +for more details.
> +#
> +# You should have received a copy of the GNU General Public License 
> +with # the Debian operating system, in /usr/share/common-licenses/GPL;  
> +if # not, write to the Free Software Foundation, Inc., 59 Temple Place, 
> +# Suite 330, Boston, MA 02111-1307 USA # ### BEGIN INIT INFO
> +# Provides:          snort
> +# Required-Start:    $time $network $local_fs
> +# Required-Stop:     
> +# Should-Start:      $syslog
> +# Should-Stop:       
> +# Default-Start:     2 3 4 5
> +# Default-Stop:      0 1 6
> +# Short-Description: Lightweight network intrusion detection system
> +# Description:       Intrusion detection system that will
> +#                    capture traffic from the network cards and will
> +#                    match against a set of known attacks.
> +### END INIT INFO
> +
> +PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
> +
> +test $DEBIAN_SCRIPT_DEBUG && set -v -x
> +
> +DAEMON=/usr/bin/snort
> +NAME=snort
> +DESC="Network Intrusion Detection System"
> +
> +. /etc/default/snort
> +COMMON="$PARAMS -l $LOGDIR -u $SNORTUSER -g $SNORTGROUP"
> +
> +test -x $DAEMON || exit 0
> +test -z "$LOCAL_SNORT_HOME_NET" && LOCAL_SNORT_HOME_NET="192.168.0.0/16"
> +
> +# to find the lib files
> +cd /etc/snort
> +
> +running()
> +{
> +        PIDFILE=$1
> +# No pidfile, probably no daemon present
> +        [ ! -f "$PIDFILE" ] && return 1
> +        pid=`cat $PIDFILE`
> +# No pid, probably no daemon present
> +        [ -z "$pid" ] && return 1
> +        [ ! -d /proc/$pid ] &&  return 1
> +        cmd=`cat /proc/$pid/cmdline | tr "\000" "\n"|head -n 1 |cut -d 
> +: -f 1` # No daemon
> +        [ "$cmd" != "$DAEMON" ] &&  return 1
> +        return 0
> +}
> +
> +
> +check_log_dir() {
> +# Does the logging directory belong to Snort?
> +	# If we cannot determine the logdir return without error
> +	# (we will not check it)
> +	# This will only be used by people using /etc/default/snort
> +	[ -n "$LOGDIR" ] || return 0
> +	[ -n "$SNORTUSER" ] || return 0
> +	if [ ! -e "$LOGDIR" ] ; then
> +		echo "ERR: logging directory $LOGDIR does not exist"
> +		return 1
> +	elif [ ! -d "$LOGDIR" ] ; then
> +		echo "ERR: logging directory $LOGDIR does not exist"
> +		return 1
> +	else
> +		# Don't worry, be happy
> +		true
> +	fi
> +	return 0
> +}
> +
> +check_root()  {
> +    if [ "$(id -u)" != "0" ]; then
> +        echo "You must be root to start, stop or restart $NAME."
> +        exit 4
> +    fi
> +}
> +
> +case "$1" in
> +  start)
> +        check_root
> +	echo "Starting $DESC " "$NAME"
> +
> +        if [ -e /etc/snort/db-pending-config ] ; then
> +		echo "/etc/snort/db-pending-config file found"
> +		echo "Snort will not start as its database is not yet configured."
> +		echo "Please configure the database as described in"
> +		echo "/usr/share/doc/snort-{pgsql,mysql}/README-database.Debian"
> +		echo "and remove /etc/snort/db-pending-config"
> +		exit 6
> +	fi
> +
> +        if ! check_log_dir; then
> +		echo " will not start $DESC!"
> +		exit 5
> +	fi
> +	if [ "$LOCAL_SNORT_STARTUP" = "dialup" ]; then
> +		shift
> +		set +e
> +		/etc/ppp/ip-up.d/snort "$@"
> +		ret=$?
> +                if  [ $ret -eq 0 ] ; then
> +                  echo 0
> +                else
> +                  echo 1
> +                fi
> +		exit $ret
> +	fi
> +
> +	# Usually, we start all interfaces
> +	interfaces="$LOCAL_SNORT_INTERFACE"
> +
> +	# If we are requested to start a specific interface...
> +	test "$2" && interfaces="$2"
> +
> +        # If the interfaces list is empty stop (no error)
> +        if [ -z "$interfaces" ] ; then
> +            echo "no interfaces configured, will not start"
> +            echo 0
> +            exit 0
> +        fi
> +
> +	myret=0
> +	got_instance=0
> +	for interface in $interfaces; do
> +		got_instance=1
> +		echo "($interface"
> +
> +                # Check if the interface is available:
> +                # - only if iproute is available
> +                # - the interface exists 
> +                # - the interface is up
> +                if ! [ -x /sbin/ip ] || ( ip link show dev "$interface" 
> + >/dev/null 2>&1 && [ -n "`ip link show up "$interface" 2>/dev/null`" ] 
> + ) ; then
> +
> +		PIDFILE=/var/run/snort_$interface.pid
> +                CONFIGFILE=/etc/snort/snort.$interface.conf
> +
> +                # Defaults:
> +		fail="failed (check /var/log/syslog and /var/log/snort)"
> +                run="yes"
> +
> +                if [ -e "$PIDFILE" ] && running $PIDFILE; then
> +                        run="no" 
> +                        # Do not start this instance, it is already runing
> +                fi
> +
> +                if [ "$run" = "yes" ] ; then
> +                    if [ ! -e "$CONFIGFILE" ]; then
> +                        echo "no /etc/snort/snort.$interface.conf found, defaulting to snort.conf"
> +                        CONFIGFILE=/etc/snort/snort.conf
> +                    fi
> +
> +                    set +e
> +                    /sbin/start-stop-daemon --start --quiet  \
> +                        --pidfile "$PIDFILE" \
> +                        --exec $DAEMON -- $COMMON $LOCAL_SNORT_OPTIONS \
> +                        -c $CONFIGFILE \
> +                        -S "HOME_NET=[$LOCAL_SNORT_HOME_NET]" \
> +                        -i $interface >/dev/null
> +                    ret=$?
> +                    case "$ret" in
> +			0)
> +                                echo  "...done)"
> +				;;
> +			*)
> +				echo "...ERROR: $fail)"
> +				myret=$(expr "$myret" + 1)
> +				;;
> +                     esac
> +                     set -e
> +                else
> +                        echo "...already running)"
> +                fi
> +
> +                else
> +                # What to do if the interface is not available
> +                # or is not up
> +                        if [ "$ALLOW_UNAVAILABLE" != "no" ] ; then 
> +                            echo "...interface not available)"
> +                        else 
> +                            echo "...ERROR: interface not available)"
> +                            myret=$(expr "$myret" + 1)
> +                        fi
> +                fi
> +	done
> +
> +	if [ "$got_instance" = 0 ] && [ "$ALLOW_UNAVAILABLE" = "no" ]; then
> +		echo "No snort instance found to be started!" >&2
> +		exit 6
> +	fi
> +
> +        if  [ $myret -eq 0 ] ; then
> +            echo 0
> +        else
> +            echo 1
> +        fi
> +	exit $myret
> +	;;
> +  stop)
> +        check_root
> +        echo "Stopping $DESC " "$NAME"
> +    
> +	if [ "$LOCAL_SNORT_STARTUP" = "dialup" ]; then
> +		shift
> +		set +e
> +		/etc/ppp/ip-down.d/snort "$@"
> +		ret=$?
> +                if  [ $ret -eq 0 ] ; then
> +                    echo 0
> +                else
> +                  echo 1
> +                fi
> +		exit $ret
> +	fi
> +
> +	# Usually, we stop all current running interfaces
> +	pidpattern=/var/run/snort_*.pid
> +
> +	# If we are requested to stop a specific interface...
> +	test "$2" && pidpattern=/var/run/snort_"$2".pid
> +
> +	got_instance=0
> +        myret=0
> +	for PIDFILE in $pidpattern; do
> +		# This check is also needed, if the above pattern doesn't match
> +		test -f "$PIDFILE" || continue
> +
> +		got_instance=1
> +		interface=$(basename "$PIDFILE" .pid | sed -e 's/^snort_//')
> +
> +		echo "($interface"
> +
> +		set +e
> +                if [ ! -e "$PIDFILE" -o -r "$PIDFILE" ] ; then # Change 
> +ownership of the pidfile
> +		    /sbin/start-stop-daemon --stop --retry 5 --quiet --oknodo \
> +			--pidfile "$PIDFILE" --exec $DAEMON >/dev/null
> +                    ret=$?
> +                    rm -f "$PIDFILE"
> +                    rm -f "$PIDFILE.lck"
> +                else
> +                     echo "cannot read $PIDFILE"
> +                     ret=4
> +                fi
> +		case "$ret" in
> +			0)
> +                                echo  "...done)"
> +				;;
> +			*)
> +				echo "...ERROR)"
> +				myret=$(expr "$myret" + 1)
> +				;;
> +		esac
> +                set -e
> +
> +	done
> +
> +	if [ "$got_instance" = 0 ]; then
> +		log_warning_msg "No running snort instance found"
> +                exit 0 # LSB demands we don't exit with error here
> +	fi
> +        if  [ $myret -eq 0 ] ; then
> +            echo 0
> +        else
> +            echo 1
> +        fi
> +	exit $myret
> +	;;
> +  restart|force-restart|reload|force-reload)
> +        check_root
> +	# Usually, we restart all current running interfaces
> +	pidpattern=/var/run/snort_*.pid
> +
> +	# If we are requested to restart a specific interface...
> +	test "$2" && pidpattern=/var/run/snort_"$2".pid
> +
> +	got_instance=0
> +	for PIDFILE in $pidpattern; do
> +		# This check is also needed, if the above pattern doesn't match
> +		test -f "$PIDFILE" || continue
> +
> +		got_instance=1
> +		interface=$(basename "$PIDFILE" .pid | sed -e 's/^snort_//')
> +		$0 stop $interface || true
> +		$0 start $interface || true
> +	done
> +
> +	if [ "$got_instance" = 0 ]; then
> +		echo "No snort instance found to be stopped!" >&2
> +                exit 6
> +	fi
> +	;;
> +  status)
> +# Non-root users can use this (if allowed to)
> +        echo "Status of snort daemon(s)"
> +	interfaces="$LOCAL_SNORT_INTERFACE"
> +	# If we are requested to check for a specific interface...
> +	test "$2" && interfaces="$2"
> +        err=0
> +        pid=0
> +	for interface in $interfaces; do
> +                echo " $interface "
> +                pidfile=/var/run/snort_$interface.pid
> +                if [ -f  "$pidfile" ] ; then
> +                        if [ -r "$pidfile" ] ; then
> +                            pidval=`cat $pidfile`
> +                            pid=$(expr "$pid" + 1)
> +                            if ps -p $pidval | grep -q snort; then
> +                                echo "OK"
> +                            else
> +				echo "ERROR"
> +				err=$(expr "$err" + 1)
> +			    fi
> +                         else
> +	       		     echo "ERROR: cannot read status file"
> +                             err=$(expr "$err" + 1)
> +                         fi
> +                 else
> +                       echo "ERROR"
> +                       err=$(expr "$err" + 1)
> +                 fi
> +        done
> +        if [ $err -ne 0 ] ; then
> +            if [ $pid -ne 0 ] ; then
> +# More than one case where pidfile exists but no snort daemon # LSB 
> +demands a '1' exit value here
> +                echo  1
> +                exit 1
> +            else
> +# No pidfiles at all
> +# LSB demands a '3' exit value here
> +                echo  3
> +                exit 3
> +            fi
> +        fi
> +        echo  0
> +        ;;
> +  config-check)
> +        echo "Checking $DESC configuration" 
> +	if [ "$LOCAL_SNORT_STARTUP" = "dialup" ]; then
> +		echo "Config-check is currently not supported for snort in Dialup configuration"
> +                echo  3
> +                exit 3
> +	fi
> +
> +	# usually, we test all interfaces
> +	interfaces="$LOCAL_SNORT_INTERFACE"
> +	# if we are requested to test a specific interface...
> +	test "$2" && interfaces="$2"
> +
> +	myret=0
> +	got_instance=0
> +	for interface in $interfaces; do
> +		got_instance=1
> +		echo "interface $interface"
> +
> +		CONFIGFILE=/etc/snort/snort.$interface.conf
> +		if [ ! -e "$CONFIGFILE" ]; then
> +			CONFIGFILE=/etc/snort/snort.conf
> +		fi
> +		COMMON=`echo $COMMON | sed -e 's/-D//'`
> +		set +e
> +                fail="INVALID"
> +		if [ -r "$CONFIGFILE" ]; then
> +                    $DAEMON -T $COMMON $LOCAL_SNORT_OPTIONS \
> +			-c $CONFIGFILE \
> +			-S "HOME_NET=[$LOCAL_SNORT_HOME_NET]" \
> +			-i $interface >/dev/null 2>&1
> +                    ret=$?
> +                else
> +                    fail="cannot read $CONFIGFILE"
> +                    ret=4
> +                fi
> +		set -e
> +
> +		case "$ret" in
> +			0)
> +                                echo "OK"
> +				;;
> +			*)
> +                                echo "$fail"
> +				myret=$(expr "$myret" + 1)
> +				;;
> +		esac
> +	done
> +	if [ "$got_instance" = 0 ]; then
> +		echo "no snort instance found to be started!" >&2
> +		exit 6
> +	fi
> +
> +        if  [ $myret -eq 0 ] ; then
> +            echo 0
> +        else
> +            echo 1
> +        fi
> +	exit $myret
> +	;;
> +  *)
> +	echo "Usage: $0 {start|stop|restart|force-restart|reload|force-reload|status|config-check}"
> +	exit 1
> +	;;
> +esac
> +exit 0
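Review bot: in the stop branch, log_warning_msg "No running snort instance found" calls a function from Debian's /lib/lsb/init-functions, which this script never sources; under "#!/bin/sh -e" the resulting command-not-found (status 127) aborts the script before the "exit 0" that the adjacent comment says LSB demands, so "stop" with no running instance fails instead of succeeding. Use a plain echo like the rest of the script. Other Debian carry-overs that do not apply on an OE image: the /etc/snort/db-pending-config check with its "/usr/share/doc/snort-{pgsql,mysql}/README-database.Debian" message, the "dialup" mode that execs /etc/ppp/ip-up.d/snort and /etc/ppp/ip-down.d/snort (neither is shipped by this recipe), and "test $DEBIAN_SCRIPT_DEBUG". Because of "-e", ". /etc/default/snort" and "cd /etc/snort" each kill the script with a bare shell error if the file or directory is missing; guard them ("[ -r /etc/default/snort ] && . /etc/default/snort") or print a message first. The "$2" interface argument is interpolated unchecked into /var/run/snort_$interface.pid and /etc/snort/snort.$interface.conf; callers must be root for start and stop, so this is robustness rather than privilege, but rejecting names containing "/" would avoid surprising pidfile and config paths, and status is explicitly usable by non-root users. Finally, several lines in this hunk have been re-wrapped in transit ("cut -d" split from ": -f 1" in running(), the "if ! [ -x /sbin/ip ] ||" test, and the "# Change ownership of the pidfile" comment), so please resend with git send-email.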
> diff --git a/recipes-security/snort/files/volatiles b/recipes-security/snort/files/volatiles
> new file mode 100644
> index 0000000..0f22f9b
> --- /dev/null
> +++ b/recipes-security/snort/files/volatiles
> @@ -0,0 +1,2 @@
> +# <type> <owner> <group> <mode> <path> <linksource> d snort snort 0755 
> +/var/log/snort none
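Review bot: as shown, the "d snort snort 0755" entry shares a line with the "# <type> <owner> ..." header comment and "/var/log/snort none" sits alone on the next line, which populate-volatile.sh would not parse; if that is mail wrapping, fine, but please verify the installed file has the header and the entry on separate lines. Mode 0755 lets any local user list the alert and packet log directory; since the daemon already runs with "-m 027" so its files come out group-readable at most, 0750 is the consistent choice. This entry also assumes the snort user and group exist when populate-volatile.sh runs, and nothing in the recipe creates them (see the .bb file).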
> diff --git a/recipes-security/snort/snort_2.9.4.6.bb b/recipes-security/snort/snort_2.9.4.6.bb
> new file mode 100644
> index 0000000..c72b49b
> --- /dev/null
> +++ b/recipes-security/snort/snort_2.9.4.6.bb
> @@ -0,0 +1,83 @@
> +DESCRIPTION = "snort - a free lightweight network intrusion detection system for UNIX and Windows."
> +HOMEPAGE = "http://www.snort.org/"
> +LICENSE = "GPL-2.0"
> +LIC_FILES_CHKSUM = "file://COPYING;md5=78fa8ef966b48fbf9095e13cc92377c5"
> +
> +DEPENDS = "libpcap libpcre daq libdnet"
> +
> +
> +SRC_URI = " ${GENTOO_MIRROR}/${BP}.tar.gz;name=tarball \
> +            file://disable-inaddr-none.patch \
> +            file://disable-dap-address-space-id.patch \ 
> +            file://snort.init \
> +            file://default \
> +            file://logrotate \
> +            file://volatiles"
> +
> +SRC_URI[tarball.md5sum] = "4111df01a4f21bd1d328a18b76d625bd"
> +SRC_URI[tarball.sha256sum] = "cfaa5390b1840aaaa68a6c05a7077dd92cb916e6186a014baa451d43cdb0b3bc"
> +
> +inherit autotools  gettext
> +
> +EXTRA_OECONF = " \
> +	--enable-gre \    
> +	--enable-linux-smp-stats \
> +	--enable-reload \
> +	--enable-reload-error-restart \
> +	--enable-targetbased \
> +	--disable-static-daq \
> +	"
> +
> +do_install_append() {
> +	install -d ${D}/${sysconfdir}/snort/rules
> +	install -d ${D}/${sysconfdir}/snort/preproc_rules
> +	install -d ${D}/${sysconfdir}/default/volatiles
> +	mkdir -p ${D}/${sysconfdir}/init.d
> +	for i in map config conf dtd; do
> +		cp ${S}/etc/*.$i ${D}/${sysconfdir}/snort/
> +	done
> +	cp ${S}/preproc_rules/*.rules ${D}/${sysconfdir}/snort/preproc_rules/
> +	install -m 0644 ${WORKDIR}/default ${D}/${sysconfdir}/default/snort
> +	install -m 0644 ${WORKDIR}/volatiles ${D}/${sysconfdir}/default/volatiles/snort
> +	install -m 0755 ${WORKDIR}/snort.init ${D}/${sysconfdir}/init.d/snort
> +	mkdir -p ${D}/${localstatedir}/log/snort
> +	install -d ${D}${sysconfdir}/logrotate.d
> +	install -m 0644 ${WORKDIR}/logrotate 
> +${D}${sysconfdir}/logrotate.d/snort
> +}
> +
> +pkg_postinst_${PN}() {
> +	${sysconfdir}/init.d/populate-volatile.sh update }
> +
> +PACKAGES =+ "${PN}-logrotate"
> +FILES_${PN}-logrotate = "${sysconfdir}/logrotate.d/snort"
> +FILES_${PN} += " \
> +	${libdir}/snort_dynamicengine/*.so.* \
> +	${libdir}/snort_dynamicpreprocessor/*.so.* \
> +	${libdir}/snort_dynamicrules/*.so.* \
> +	"
> +FILES_${PN}-dbg += " \
> +	${libdir}/snort_dynamicengine/.debug \
> +	${libdir}/snort_dynamicpreprocessor/.debug \
> +	${libdir}/snort_dynamicrules/.debug \
> +	"
> +FILES_${PN}-staticdev += " \
> +	${libdir}/snort_dynamicengine/*.a \
> +	${libdir}/snort_dynamicpreprocessor/*.a \
> +	${libdir}/snort_dynamicrules/*.a \
> +	${libdir}/snort/dynamic_preproc/*.a \
> +	${libdir}/snort/dynamic_output/*.a \
> +	"
> +FILES_${PN}-dev += " \
> +	${libdir}/snort_dynamicengine/*.la \
> +	${libdir}/snort_dynamicpreprocessor/*.la \
> +	${libdir}/snort_dynamicrules/*.la \
> +	${libdir}/snort_dynamicengine/*.so \
> +	${libdir}/snort_dynamicpreprocessor/*.so \
> +	${libdir}/snort_dynamicrules/*.so \
> +	${prefix}/src/snort_dynamicsrc \
> +	"
> +
> +RRECOMMENDS_${PN} += "${PN}-logrotate"
> +RRECOMMENDS_${PN} += "barnyard"
> +RSUGGESTS_${PN}-logrotate += "logrotate"
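Review bot: nothing here creates the snort user and group that default (SNORTUSER/SNORTGROUP), volatiles ("d snort snort 0755") and the "-u $SNORTUSER -g $SNORTGROUP" in snort.init all rely on, so on a fresh image populate-volatile.sh cannot chown the log directory and the daemon cannot drop privileges to that account. Add "inherit useradd" with USERADD_PACKAGES = "${PN}", a GROUPADD_PARAM_${PN} for a system group "snort" and a USERADD_PARAM_${PN} creating a system account with no login shell and /var/log/snort as its home, which is what the comment in default expects. Likewise the init script is copied into ${sysconfdir}/init.d but never registered: "inherit update-rc.d" with INITSCRIPT_NAME = "snort" and INITSCRIPT_PARAMS = "defaults" (the LSB header asks for runlevels 2-5). Smaller points: "--enable-gre \    " and "disable-dap-address-space-id.patch \ " carry whitespace after the backslash, which breaks the line continuation if it survives into the file, and both the "install -m 0644 ${WORKDIR}/logrotate" line and the pkg_postinst body ("update }") look re-wrapped, so please resend with git send-email; pkg_postinst_${PN} should only run populate-volatile.sh on the target ("if [ -z "$D" ]; then ... fi"), because at rootfs-creation time $D is set and the script would act on the build host; "mkdir -p ${D}/${localstatedir}/log/snort" duplicates the volatiles entry and packages a directory that will be empty or shadowed by a volatile mount at runtime, so drop one of the two; "cp ${S}/etc/*.$i" and "cp ${S}/preproc_rules/*.rules" keep whatever modes the tarball has, so prefer install -m 0644; the tarball is fetched from ${GENTOO_MIRROR} rather than snort.org, which is acceptable only because the sha256 is pinned, but an upstream URL would be clearer; and RRECOMMENDS_${PN} += "barnyard" needs a recipe providing that package in the target layer, otherwise it is a dangling reference.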
> --
> 1.7.5.4
> 
> 
> _______________________________________________
> yocto mailing list
> yocto at yoctoproject.org
> https://lists.yoctoproject.org/listinfo/yocto

-- 
-Joe MacDonald.
:wq