author | Donald Hoskins <grommish@gmail.com> | 2022-03-25 23:35:18 -0400 |
---|---|---|
committer | Toni Uhlig <matzeton@googlemail.com> | 2022-09-11 13:16:26 +0200 |
commit | fc9bc4922d0e56cadc4932abcf619a1960456ae6 (patch) | |
tree | c93d54756cc695c5cfcd008af7a12fc9506fbddc | |
parent | 5bbd4b2038f612218895e2ceb6c80ae80ea8a6b6 (diff) |
suricata6: IDS/IPS/NDM version 6.0.4
Suricata is the leading independent open source threat detection engine.
By combining intrusion detection (IDS), intrusion prevention (IPS), network
security monitoring (NSM) and PCAP processing, Suricata can quickly identify,
stop, and assess even the most sophisticated attacks.
Signed-off-by: Donald Hoskins <grommish@gmail.com>
-rw-r--r-- | net/suricata6/Config.in | 52 | ||||
-rw-r--r-- | net/suricata6/Makefile | 170 | ||||
-rw-r--r-- | net/suricata6/files/etc/config/suricata | 12 | ||||
-rwxr-xr-x | net/suricata6/files/etc/init.d/suricata | 82 | ||||
-rw-r--r-- | net/suricata6/patches/00-fix-soft-float.patch | 11 |
5 files changed, 327 insertions, 0 deletions
diff --git a/net/suricata6/Config.in b/net/suricata6/Config.in
new file mode 100644
index 0000000..2f83cbb
--- /dev/null
+++ b/net/suricata6/Config.in
@@ -0,0 +1,52 @@
+# Suricata 6 configuration
+menu "Suricata 6 Options"
+ menu "Engine Options"
+ config SURICATA_ENABLE_LUAJIT
+ bool "Enable Lua/LuaJIT Support"
+ default n
+
+ config SURICATA_ENABLE_PYTON
+ bool "Enable Python Support"
+ default n
+
+ config SURICATA_ENABLE_GCCPROTECT
+ bool "Enable GCC Hardening Options"
+ default n
+
+ config SURICATA_ENABLE_GCCPROFILE
+ bool "Enable GCC Profile Info (-pg flag set)"
+ default n
+ endmenu
+
+ config SURICATA_ENABLE_PROFILING
+ bool "Enable Performance Profiling"
+ default n
+
+ config SURICATA_ENABLE_NFQUEUE
+ bool "Enable NFQueue Support"
+ default n
+
+ config SURICATA_ENABLE_NFLOG
+ bool "Enable NFLog Support"
+ default n
+
+ config SURICATA_ENABLE_GEOIP
+ bool "Enable GeoIP2 Support"
+ default n
+
+ config SURICATA_ENABLE_LIBMAGIC
+ bool "Enable LibMagic Support"
+ default y
+
+ config SURICATA_ENABLE_DEBUG
+ bool "Enable Debug Output"
+ default n
+
+ config SURICATA_ENABLE_HIREDIS
+ bool "Enable Hiredis Support"
+ default y
+
+ config SURICATA_ENABLE_EBPF
+ bool "Enable eBPF Support"
+ default n
+endmenu
diff --git a/net/suricata6/Makefile b/net/suricata6/Makefile
new file mode 100644
index 0000000..9859f89
--- /dev/null
+++ b/net/suricata6/Makefile
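Review bot: The symbol `SURICATA_ENABLE_PYTON` is misspelled, while the Makefile in this commit tests `CONFIG_SURICATA_ENABLE_PYTHON` and the package DEPENDS uses `SURICATA_ENABLE_PYTHON`, so selecting "Enable Python Support" changes nothing; it should read `config SURICATA_ENABLE_PYTHON`. It is also worth reconsidering `default n` on `SURICATA_ENABLE_GCCPROTECT`: the daemon parses untrusted network traffic, so compiler hardening is a reasonable default, with a help text stating its cost.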
@@ -0,0 +1,170 @@
+include $(TOPDIR)/rules.mk
+
+PKG_NAME := suricata
+PKG_VERSION := 6.0.4
+PKG_RELEASE := 1
+
+PKG_SOURCE_PROTO := git
+PKG_SOURCE_DATE := 2021-11-18
+PKG_SOURCE_VERSION := e9c8767b905fcae53432076572bfbeaf639b202d
+PKG_SOURCE_URL := https://github.com/OISF/suricata.git
+PKG_MIRROR_HASH := 0fc6a18c503022f304ae9c86ff8be0f52fe9b204c6dc78c69ef2039395d67d9c
+
+PKG_FIXUP := autoreconf
+PKG_FIXUP := patch-libtool
+
+PKG_BUILD_PARALLEL := 1
+PKG_INSTALL := 1
+PKG_BUILD_DEPENDS := rust/host python3/host expat/host
+
+include $(INCLUDE_DIR)/package.mk
+include ../../lang/rust/rust_environment.mk
+
+define Package/suricata6/config
+ source "$(SOURCE)/Config.in"
+endef
+
+CONFIGURE_VARS += \
+ CARGO_HOME="$(CARGO_HOME)" \
+ ac_cv_path_CARGO="$(CARGO_HOME)/bin/cargo" \
+ ac_cv_path_RUSTC="$(CARGO_HOME)/bin/rustc" \
+
+CONFIGURE_ARGS += \
+ --target=$(RUSTC_TARGET_ARCH) \
+ --host=$(RUSTC_TARGET_ARCH) \
+ --build=$(RUSTC_HOST_ARCH) \
+ --enable-shared \
+ --disable-gccmarch-native \
+ --with-gnu-ld \
+ --with-sysroot=$(STAGING_DIR_HOST)
+# --enable-non-bundled-htp \
+# --with-libhtp-includes=$(STAGING_DIR_HOSTPKG)/include \
+# --with-libhtp-libraries=$(STAGING_DIR_HOSTPKG)/lib
+# --with-sysroot=$(TOOLCHAIN_DIR)
+
+ifeq ($(CONFIG_SURICATA_ENABLE_PYTHON),y)
+CONFIGURE_ARGS += --enable-python
+endif
+ifeq ($(CONFIG_SURICATA_ENABLE_LUAJIT),y)
+CONFIGURE_ARGS += --enable-luajit
+endif
+ifeq ($(CONFIG_SURICATA_ENABLE_GCCPROTECT),y)
+CONFIGURE_ARBBBGS += --enable-gccprotect
+endif
+ifeq ($(CONFIG_SURICATA_ENABLE_GCCPROFILE),y)
+CONFIGURE_ARGS += --enable-gccprofile
+endif
+
+# For now, x86_64 targets can't use PIE
+ifneq ($(CONFIG_TARGET_x86),y)
+ ifeq ($(CONFIG_PKG_ASLR_PIE_ALL),y)
+ CONFIGURE_ARGS += --enable-pie
+ else ($(CONFIG_PKG_ASLR_PIE_REGULAR),y)
+ CONFIGURE_ARGS += --enable-pie
+ endif
+endif
+
+ifeq ($(CONFIG_SURICATA_ENABLE_NFQUEUE),y)
+CONFIGURE_ARGS += --enable-nfqueue
+endif
+
+ifeq ($(CONFIG_SURICATA_ENABLE_GEOIP),y)
+CONFIGURE_ARGS += --enable-geoip
+endif + +ifeq ($(CONFIG_SURICATA_ENABLE_LIBMAGIC),n) +CONFIGURE_ARGS += --disable-libmagic +endif + +ifeq ($(CONFIG_SURICATA_ENABLE_DEBUG),y) +TARGET_CXXFLAGS += -ggdb3 +CONFIGURE_ARGS += --enable-debug +endif + +ifeq ($(CONFIG_SURICATA_ENABLE_HIREDIS),y) +CONFIGURE_ARGS += --enable-hiredis +endif + +ifeq ($(CONFIG_SURICATA_ENABLE_EBPF),y) +CONFIGURE_ARGS += --enable-ebpf-build +endif + +ifeq ($(CONFIG_SURICATA_ENABLE_NFLOG),y) +CONFIGURE_ARGS += --enable-nflog +endif + +define Build/Prepare + $(call Build/Prepare/Default) + + cd $(PKG_BUILD_DIR) && \ + git clone https://github.com/OISF/libhtp.git + + [ -f $(CARGO_HOME)/bin/cbindgen ] || \ + $(CONFIGURE_VARS) cargo install --root=$(CARGO_HOME) cbindgen + + cd $(PKG_BUILD_DIR) && $(CONFIGURE_VARS) ./autogen.sh +endef + +define Build/Install + $(call Build/Install/Default,install) + $(call Build/Install/Default,install-conf) +endef + +define Package/suricata6 + SUBMENU:=Firewall + SECTION:=net + CATEGORY:=Network + DEPENDS:=@!SMALL_FLASH @!LOW_MEMORY_FOOTPRINT +libexpat +jansson +libpcre +libyaml +libpcap +libcap-ng \ + +nspr +libnss +liblz4 +libatomic +libnet-1.2.x \ + +SURICATA_ENABLE_NFLOG:libnetfilter-log \ + +SURICATA_ENABLE_NFQUEUE:libnetfilter-queue +SURICATA_ENABLE_NFQUEUE:iptables-mod-nfqueue \ + +SURICATA_ENABLE_HIREDIS:libhiredis +SURICATA_ENABLE_HIREDIS:libevent2 \ + +SURICATA_ENABLE_LIBMAGIC:file \ + +SURICATA_ENABLE_GEOIP:libmaxminddb \ + +SURICATA_ENABLE_PYTHON:python3 +SURICATA_ENABLE_PYTHON:python3-yaml \ + +SURICATA_ENABLE_LUAJIT:luajit + TITLE:=OISF Suricata IDS + URL:=https://www.openinfosecfoundation.org/ + MENU:=1 +endef + +define Package/suricata6/description +Suricata is an open source-based intrusion detection system (IDS), intrusion +prevention system (IPS), and Network Monitoring System (NMS) +endef + +define Package/suricata6/conffiles +/etc/config/suricata +/etc/suricata/ +endef + +define Package/suricata6/install + $(INSTALL_DIR) $(1)/usr/bin + $(INSTALL_BIN) 
$(PKG_INSTALL_DIR)/usr/bin/suricata $(1)/usr/bin/suricata + $(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/bin/suricatactl $(1)/usr/bin/suricatactl + $(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/bin/suricatasc $(1)/usr/bin/suricatasc + + $(INSTALL_DIR) $(1)/usr/lib + $(CP) -r $(PKG_INSTALL_DIR)/usr/lib/* $(1)/usr/lib/ + + $(INSTALL_DIR) $(1)/usr/include + $(CP) -r $(PKG_INSTALL_DIR)/usr/include/* $(1)/usr/include/ + + $(INSTALL_DIR) $(1)/etc/suricata + $(CP) $(PKG_BUILD_DIR)/suricata.yaml \ + $(PKG_BUILD_DIR)/etc/classification.config \ + $(PKG_BUILD_DIR)/threshold.config \ + $(PKG_BUILD_DIR)/etc/reference.config \ + $(1)/etc/suricata/ + + $(INSTALL_DIR) $(1)/usr/share/suricata/rules + $(CP) $(PKG_INSTALL_DIR)/usr/share/suricata/rules/* $(1)/usr/share/suricata/rules/ + + $(INSTALL_DIR) $(1)/etc/init.d + $(INSTALL_DIR) $(1)/etc/config + + $(INSTALL_BIN) ./files/etc/init.d/suricata $(1)/etc/init.d/suricata + $(INSTALL_CONF) ./files/etc/config/suricata $(1)/etc/config/suricata +endef + +$(eval $(call BuildPackage,suricata6)) diff --git a/net/suricata6/files/etc/config/suricata b/net/suricata6/files/etc/config/suricata new file mode 100644 index 0000000..9b3ccbe --- /dev/null +++ b/net/suricata6/files/etc/config/suricata @@ -0,0 +1,12 @@ + +config suricata 'service' + option config_file '/etc/suricata/suricata.yaml' + option logdir '/var/log/suricata' + option pidfile '/var/log/suricata.pid' + option rules_file '/var/lib/suricata/rules/suricata.rules' + list queue '2' + list queue '9' + option verbose '0' + option scan_mode 'af-packet' + option interface 'eth0' + diff --git a/net/suricata6/files/etc/init.d/suricata b/net/suricata6/files/etc/init.d/suricata new file mode 100755 index 0000000..ae92ca5 --- /dev/null +++ b/net/suricata6/files/etc/init.d/suricata 
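Review bot: Build/Prepare fetches code that `PKG_MIRROR_HASH` does not cover: `git clone https://github.com/OISF/libhtp.git` takes whatever the default branch holds at build time, and `cargo install --root=$(CARGO_HOME) cbindgen` installs the newest published crate with no version or lock. For an IDS that parses untrusted traffic, libhtp should be pinned to a reviewed commit and verified (a separate download with its own hash, or at least `git -C libhtp checkout <PINNED_LIBHTP_COMMIT>` right after the clone), and cbindgen installed with `--version <PINNED_VERSION> --locked`. Separately, `CONFIGURE_ARBBBGS += --enable-gccprotect` assigns to a misspelled variable, so selecting the hardening option never reaches configure; it should read `CONFIGURE_ARGS += --enable-gccprotect`. The second `PKG_FIXUP := patch-libtool` also overwrites the `autoreconf` value set on the line before it, and `else ($(CONFIG_PKG_ASLR_PIE_REGULAR),y)` looks like it was meant to be `else ifeq (...)`.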
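Review bot: The default `rules_file` of `/var/lib/suricata/rules/suricata.rules` does not match anything this package installs; the Makefile copies the bundled rules to `/usr/share/suricata/rules/`, and nothing visible in the commit creates the `/var/lib` path. Since the init script passes this value with `-s`, a fresh install may start with no usable rule file, which for an IDS means running without detection unless someone reads the log. Either point the default at an installed file or add a comment next to the option such as `# rule file is not shipped by this package and must be provisioned separately`.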
@@ -0,0 +1,82 @@
+#!/bin/sh /etc/rc.common
+# Copyright (C) 2021 Ashkan Jazayeri <ashkan@jazayeri.net>
+
+START=99
+STOP=10
+
+USE_PROCD=1
+PROG=/usr/bin/suricata
+
+validate_suricata_section() {
+ uci_load_validate suricata suricata "$1" "$2" \
+ 'scan_mode:string:af-packet' \
+ 'interface:string' \
+ 'config_file:string' \
+ 'logdir:string' \
+ 'pidfile:string' \
+ 'rules_file:string' \
+ 'verbose:range(0,4):0' \
+ 'queue:list(range(0,65535))'
+}
+
+start_suricata_instance() {
+ [ "$2" = 0 ] || {
+ echo "validation failed"
+ return 1
+ }
+
+ [ -f $pidfile -a -z $(pgrep suricata) ] && rm $pidfile && \
+ logger -t suricata[init_script] -p daemon.alert -s \
+ "Suricata was not closed properly or it has crashed. Successfully removed the previous $pidfile"
+
+ [ ! -d $logdir ] && mkdir -p $logdir
+
+ procd_open_instance
+ procd_set_param command $PROG -c $config_file
+ [ $rules_file ] && \
+ procd_append_param command -s $rules_file
+ procd_set_param file $config_file
+
+ [ "$verbose" -gt 0 ] && {
+ procd_append_param command -$(printf 'v%.0s' $(seq 1 $verbose))
+ procd_set_param stdout 1
+ procd_set_param stderr 1
+ }
+
+ case "$scan_mode" in
+ "af-packet" )
+ procd_append_param command --af-packet
+ procd_append_param command -i $interface
+ ;;
+ "nfq" )
+ [ -n "$queue" ] || {
+ logger -t suricata[init_script] -p daemon.emerg -s "No queue list provided. In NFQUEUE mode, a queue list must be specified under suricata config section (e.g. uci add_list suricata.service.queue=9)"
+ return 1
+ }
+ for number in $queue; do procd_append_param command -q $number ;done
+ ;;
+ esac
+
+ procd_set_param respawn
+ procd_close_instance
+}
+
+start_service() {
+ validate_suricata_section service start_suricata_instance
+}
+
+
+stop_service()
+{
+ service_stop $PROG
+}
+
+reload_service() {
+ procd_send_signal suricata '*' SIGUSR2
+}
+
+service_triggers()
+{
+ procd_add_reload_trigger "suricata"
+ procd_add_validation validate_suricata_section
+}
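Review bot: The UCI values are expanded unquoted in commands of an init script that normally runs as root: `[ -f $pidfile -a -z $(pgrep suricata) ] && rm $pidfile` and `[ ! -d $logdir ] && mkdir -p $logdir` word-split and glob whatever the config holds, and the validation only requires `string`. The test also breaks when `pgrep` prints more than one PID. I would write `[ -f "$pidfile" ] && ! pgrep suricata >/dev/null && rm -f -- "$pidfile"` and `[ -d "$logdir" ] || mkdir -p "$logdir"`, and quote `"$config_file"`, `"$rules_file"` and `"$interface"` in the procd calls. As far as the hunk shows, `pidfile` is never handed to the daemon, so the stale-pidfile cleanup may be acting on a file Suricata does not write.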
diff --git a/net/suricata6/patches/00-fix-soft-float.patch b/net/suricata6/patches/00-fix-soft-float.patch
new file mode 100644
index 0000000..fb2128e
--- /dev/null
+++ b/net/suricata6/patches/00-fix-soft-float.patch
@@ -0,0 +1,11 @@
+--- a/rust/Cargo.toml.in
++++ b/rust/Cargo.toml.in
+@@ -4,7 +4,7 @@
+ edition = "2018"
+
+ [lib]
+-crate-type = ["staticlib", "rlib"]
++crate-type = ["staticlib", "rlib", "cdylib"]
+ path = "@e_rustdir@/src/lib.rs"
+
+ [profile.release] |
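Review bot: The patch has no description header, and its file name says soft-float while the change adds `cdylib` to `crate-type`, so a reader cannot tell why a shared Rust library is needed or whether the extra artifact is meant to ship. Add a short header above the `--- a/rust/Cargo.toml.in` line stating the build failure this works around and its upstream status, for example `Also build the Rust crate as cdylib: <reason>; upstream: <status>`.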