-rw-r--r--net/suricata6/Config.in52
-rw-r--r--net/suricata6/Makefile170
-rw-r--r--net/suricata6/files/etc/config/suricata12
-rwxr-xr-xnet/suricata6/files/etc/init.d/suricata82
-rw-r--r--net/suricata6/patches/00-fix-soft-float.patch11
5 files changed, 327 insertions, 0 deletions
diff --git a/net/suricata6/Config.in b/net/suricata6/Config.in
new file mode 100644
index 0000000..2f83cbb
--- /dev/null
+++ b/net/suricata6/Config.in
@@ -0,0 +1,52 @@
+# Suricata 6 configuration
+menu "Suricata 6 Options"
+ menu "Engine Options"
+ config SURICATA_ENABLE_LUAJIT
+ bool "Enable Lua/LuaJIT Support"
+ default n
+
+ config SURICATA_ENABLE_PYTON
+ bool "Enable Python Support"
+ default n
+
+ config SURICATA_ENABLE_GCCPROTECT
+ bool "Enable GCC Hardening Options"
+ default n
+
+ config SURICATA_ENABLE_GCCPROFILE
+ bool "Enable GCC Profile Info (-pg flag set)"
+ default n
+ endmenu
+
+ config SURICATA_ENABLE_PROFILING
+ bool "Enable Performance Profiling"
+ default n
+
+ config SURICATA_ENABLE_NFQUEUE
+ bool "Enable NFQueue Support"
+ default n
+
+ config SURICATA_ENABLE_NFLOG
+ bool "Enable NFLog Support"
+ default n
+
+ config SURICATA_ENABLE_GEOIP
+ bool "Enable GeoIP2 Support"
+ default n
+
+ config SURICATA_ENABLE_LIBMAGIC
+ bool "Enable LibMagic Support"
+ default y
+
+ config SURICATA_ENABLE_DEBUG
+ bool "Enable Debug Output"
+ default n
+
+ config SURICATA_ENABLE_HIREDIS
+ bool "Enable Hiredis Support"
+ default y
+
+ config SURICATA_ENABLE_EBPF
+ bool "Enable eBPF Support"
+ default n
+endmenu
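Review bot: `config SURICATA_ENABLE_PYTON` is misspelled, while the Makefile in this commit tests `CONFIG_SURICATA_ENABLE_PYTHON` and its DEPENDS use `SURICATA_ENABLE_PYTHON`, so selecting the option can never enable Python support or pull in its dependencies; rename it to `config SURICATA_ENABLE_PYTHON`. None of the entries carries `help` text, and `SURICATA_ENABLE_GCCPROTECT` in particular should say what it turns on. Since this engine parses untrusted network traffic, consider whether `default n` is the right default for the hardening option.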
diff --git a/net/suricata6/Makefile b/net/suricata6/Makefile
new file mode 100644
index 0000000..9859f89
--- /dev/null
+++ b/net/suricata6/Makefile
@@ -0,0 +1,170 @@
+include $(TOPDIR)/rules.mk
+
+PKG_NAME := suricata
+PKG_VERSION := 6.0.4
+PKG_RELEASE := 1
+
+PKG_SOURCE_PROTO := git
+PKG_SOURCE_DATE := 2021-11-18
+PKG_SOURCE_VERSION := e9c8767b905fcae53432076572bfbeaf639b202d
+PKG_SOURCE_URL := https://github.com/OISF/suricata.git
+PKG_MIRROR_HASH := 0fc6a18c503022f304ae9c86ff8be0f52fe9b204c6dc78c69ef2039395d67d9c
+
+PKG_FIXUP := autoreconf
+PKG_FIXUP := patch-libtool
+
+PKG_BUILD_PARALLEL := 1
+PKG_INSTALL := 1
+PKG_BUILD_DEPENDS := rust/host python3/host expat/host
+
+include $(INCLUDE_DIR)/package.mk
+include ../../lang/rust/rust_environment.mk
+
+define Package/suricata6/config
+ source "$(SOURCE)/Config.in"
+endef
+
+CONFIGURE_VARS += \
+ CARGO_HOME="$(CARGO_HOME)" \
+ ac_cv_path_CARGO="$(CARGO_HOME)/bin/cargo" \
+ ac_cv_path_RUSTC="$(CARGO_HOME)/bin/rustc" \
+
+CONFIGURE_ARGS += \
+ --target=$(RUSTC_TARGET_ARCH) \
+ --host=$(RUSTC_TARGET_ARCH) \
+ --build=$(RUSTC_HOST_ARCH) \
+ --enable-shared \
+ --disable-gccmarch-native \
+ --with-gnu-ld \
+ --with-sysroot=$(STAGING_DIR_HOST)
+# --enable-non-bundled-htp \
+# --with-libhtp-includes=$(STAGING_DIR_HOSTPKG)/include \
+# --with-libhtp-libraries=$(STAGING_DIR_HOSTPKG)/lib
+# --with-sysroot=$(TOOLCHAIN_DIR)
+
+ifeq ($(CONFIG_SURICATA_ENABLE_PYTHON),y)
+CONFIGURE_ARGS += --enable-python
+endif
+ifeq ($(CONFIG_SURICATA_ENABLE_LUAJIT),y)
+CONFIGURE_ARGS += --enable-luajit
+endif
+ifeq ($(CONFIG_SURICATA_ENABLE_GCCPROTECT),y)
+CONFIGURE_ARBBBGS += --enable-gccprotect
+endif
+ifeq ($(CONFIG_SURICATA_ENABLE_GCCPROFILE),y)
+CONFIGURE_ARGS += --enable-gccprofile
+endif
+
+# For now, x86_64 targets can't use PIE
+ifneq ($(CONFIG_TARGET_x86),y)
+ ifeq ($(CONFIG_PKG_ASLR_PIE_ALL),y)
+ CONFIGURE_ARGS += --enable-pie
+ else ($(CONFIG_PKG_ASLR_PIE_REGULAR),y)
+ CONFIGURE_ARGS += --enable-pie
+ endif
+endif
+
+ifeq ($(CONFIG_SURICATA_ENABLE_NFQUEUE),y)
+CONFIGURE_ARGS += --enable-nfqueue
+endif
+
+ifeq ($(CONFIG_SURICATA_ENABLE_GEOIP),y)
+CONFIGURE_ARGS += --enable-geoip
+endif
+
+ifeq ($(CONFIG_SURICATA_ENABLE_LIBMAGIC),n)
+CONFIGURE_ARGS += --disable-libmagic
+endif
+
+ifeq ($(CONFIG_SURICATA_ENABLE_DEBUG),y)
+TARGET_CXXFLAGS += -ggdb3
+CONFIGURE_ARGS += --enable-debug
+endif
+
+ifeq ($(CONFIG_SURICATA_ENABLE_HIREDIS),y)
+CONFIGURE_ARGS += --enable-hiredis
+endif
+
+ifeq ($(CONFIG_SURICATA_ENABLE_EBPF),y)
+CONFIGURE_ARGS += --enable-ebpf-build
+endif
+
+ifeq ($(CONFIG_SURICATA_ENABLE_NFLOG),y)
+CONFIGURE_ARGS += --enable-nflog
+endif
+
+define Build/Prepare
+ $(call Build/Prepare/Default)
+
+ cd $(PKG_BUILD_DIR) && \
+ git clone https://github.com/OISF/libhtp.git
+
+ [ -f $(CARGO_HOME)/bin/cbindgen ] || \
+ $(CONFIGURE_VARS) cargo install --root=$(CARGO_HOME) cbindgen
+
+ cd $(PKG_BUILD_DIR) && $(CONFIGURE_VARS) ./autogen.sh
+endef
+
+define Build/Install
+ $(call Build/Install/Default,install)
+ $(call Build/Install/Default,install-conf)
+endef
+
+define Package/suricata6
+ SUBMENU:=Firewall
+ SECTION:=net
+ CATEGORY:=Network
+ DEPENDS:=@!SMALL_FLASH @!LOW_MEMORY_FOOTPRINT +libexpat +jansson +libpcre +libyaml +libpcap +libcap-ng \
+ +nspr +libnss +liblz4 +libatomic +libnet-1.2.x \
+ +SURICATA_ENABLE_NFLOG:libnetfilter-log \
+ +SURICATA_ENABLE_NFQUEUE:libnetfilter-queue +SURICATA_ENABLE_NFQUEUE:iptables-mod-nfqueue \
+ +SURICATA_ENABLE_HIREDIS:libhiredis +SURICATA_ENABLE_HIREDIS:libevent2 \
+ +SURICATA_ENABLE_LIBMAGIC:file \
+ +SURICATA_ENABLE_GEOIP:libmaxminddb \
+ +SURICATA_ENABLE_PYTHON:python3 +SURICATA_ENABLE_PYTHON:python3-yaml \
+ +SURICATA_ENABLE_LUAJIT:luajit
+ TITLE:=OISF Suricata IDS
+ URL:=https://www.openinfosecfoundation.org/
+ MENU:=1
+endef
+
+define Package/suricata6/description
+Suricata is an open source-based intrusion detection system (IDS), intrusion
+prevention system (IPS), and Network Monitoring System (NMS)
+endef
+
+define Package/suricata6/conffiles
+/etc/config/suricata
+/etc/suricata/
+endef
+
+define Package/suricata6/install
+ $(INSTALL_DIR) $(1)/usr/bin
+ $(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/bin/suricata $(1)/usr/bin/suricata
+ $(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/bin/suricatactl $(1)/usr/bin/suricatactl
+ $(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/bin/suricatasc $(1)/usr/bin/suricatasc
+
+ $(INSTALL_DIR) $(1)/usr/lib
+ $(CP) -r $(PKG_INSTALL_DIR)/usr/lib/* $(1)/usr/lib/
+
+ $(INSTALL_DIR) $(1)/usr/include
+ $(CP) -r $(PKG_INSTALL_DIR)/usr/include/* $(1)/usr/include/
+
+ $(INSTALL_DIR) $(1)/etc/suricata
+ $(CP) $(PKG_BUILD_DIR)/suricata.yaml \
+ $(PKG_BUILD_DIR)/etc/classification.config \
+ $(PKG_BUILD_DIR)/threshold.config \
+ $(PKG_BUILD_DIR)/etc/reference.config \
+ $(1)/etc/suricata/
+
+ $(INSTALL_DIR) $(1)/usr/share/suricata/rules
+ $(CP) $(PKG_INSTALL_DIR)/usr/share/suricata/rules/* $(1)/usr/share/suricata/rules/
+
+ $(INSTALL_DIR) $(1)/etc/init.d
+ $(INSTALL_DIR) $(1)/etc/config
+
+ $(INSTALL_BIN) ./files/etc/init.d/suricata $(1)/etc/init.d/suricata
+ $(INSTALL_CONF) ./files/etc/config/suricata $(1)/etc/config/suricata
+endef
+
+$(eval $(call BuildPackage,suricata6))
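Review bot: Build/Prepare pulls in code that nothing pins or verifies: `git clone https://github.com/OISF/libhtp.git` takes whatever the default branch holds at build time, and `cargo install --root=$(CARGO_HOME) cbindgen` takes the newest published release, so neither is covered by PKG_SOURCE_VERSION or PKG_MIRROR_HASH. Pin both, for example with `git -C libhtp checkout <LIBHTP_COMMIT>` after the clone and `cargo install --locked --version <CBINDGEN_VERSION> --root=$(CARGO_HOME) cbindgen`, or package libhtp separately and use the commented-out `--enable-non-bundled-htp`. Two hardening switches are also broken. `CONFIGURE_ARBBBGS += --enable-gccprotect` assigns to a variable nothing reads and should be `CONFIGURE_ARGS += --enable-gccprotect`, and `else ($(CONFIG_PKG_ASLR_PIE_REGULAR),y)` is not a valid conditional and presumably was meant as `else ifeq ($(CONFIG_PKG_ASLR_PIE_REGULAR),y)`. The second `PKG_FIXUP := patch-libtool` overwrites `autoreconf`; if both fixups are wanted, write `PKG_FIXUP := autoreconf patch-libtool`.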
diff --git a/net/suricata6/files/etc/config/suricata b/net/suricata6/files/etc/config/suricata
new file mode 100644
index 0000000..9b3ccbe
--- /dev/null
+++ b/net/suricata6/files/etc/config/suricata
@@ -0,0 +1,12 @@
+
+config suricata 'service'
+ option config_file '/etc/suricata/suricata.yaml'
+ option logdir '/var/log/suricata'
+ option pidfile '/var/log/suricata.pid'
+ option rules_file '/var/lib/suricata/rules/suricata.rules'
+ list queue '2'
+ list queue '9'
+ option verbose '0'
+ option scan_mode 'af-packet'
+ option interface 'eth0'
+
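Review bot: The default `option rules_file '/var/lib/suricata/rules/suricata.rules'` points at a path this package never populates; the Makefile in the same commit installs the rules under `/usr/share/suricata/rules/`. Unless something else creates that file, the init script will pass `-s` with a missing path and the sensor may come up with no signatures loaded, so the default should name a file the package ships or the file should be created at install time. `option pidfile '/var/log/suricata.pid'` also puts a PID file in the log directory; `/var/run/suricata.pid` would be the conventional place.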
diff --git a/net/suricata6/files/etc/init.d/suricata b/net/suricata6/files/etc/init.d/suricata
new file mode 100755
index 0000000..ae92ca5
--- /dev/null
+++ b/net/suricata6/files/etc/init.d/suricata
@@ -0,0 +1,82 @@
+#!/bin/sh /etc/rc.common
+# Copyright (C) 2021 Ashkan Jazayeri <ashkan@jazayeri.net>
+
+START=99
+STOP=10
+
+USE_PROCD=1
+PROG=/usr/bin/suricata
+
+validate_suricata_section() {
+ uci_load_validate suricata suricata "$1" "$2" \
+ 'scan_mode:string:af-packet' \
+ 'interface:string' \
+ 'config_file:string' \
+ 'logdir:string' \
+ 'pidfile:string' \
+ 'rules_file:string' \
+ 'verbose:range(0,4):0' \
+ 'queue:list(range(0,65535))'
+}
+
+start_suricata_instance() {
+ [ "$2" = 0 ] || {
+ echo "validation failed"
+ return 1
+ }
+
+ [ -f $pidfile -a -z $(pgrep suricata) ] && rm $pidfile && \
+ logger -t suricata[init_script] -p daemon.alert -s \
+ "Suricata was not closed properly or it has crashed. Successfully removed the previous $pidfile"
+
+ [ ! -d $logdir ] && mkdir -p $logdir
+
+ procd_open_instance
+ procd_set_param command $PROG -c $config_file
+ [ $rules_file ] && \
+ procd_append_param command -s $rules_file
+ procd_set_param file $config_file
+
+ [ "$verbose" -gt 0 ] && {
+ procd_append_param command -$(printf 'v%.0s' $(seq 1 $verbose))
+ procd_set_param stdout 1
+ procd_set_param stderr 1
+ }
+
+ case "$scan_mode" in
+ "af-packet" )
+ procd_append_param command --af-packet
+ procd_append_param command -i $interface
+ ;;
+ "nfq" )
+ [ -n "$queue" ] || {
+ logger -t suricata[init_script] -p daemon.emerg -s "No queue list provided. In NFQUEUE mode, a queue list must be specified under suricata config section (e.g. uci add_list suricata.service.queue=9)"
+ return 1
+ }
+ for number in $queue; do procd_append_param command -q $number ;done
+ ;;
+ esac
+
+ procd_set_param respawn
+ procd_close_instance
+}
+
+start_service() {
+ validate_suricata_section service start_suricata_instance
+}
+
+
+stop_service()
+{
+ service_stop $PROG
+}
+
+reload_service() {
+ procd_send_signal suricata '*' SIGUSR2
+}
+
+service_triggers()
+{
+ procd_add_reload_trigger "suricata"
+ procd_add_validation validate_suricata_section
+}
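Review bot: The UCI values reach the command line unquoted in start_suricata_instance (`-c $config_file`, `-s $rules_file`, `-i $interface`, `mkdir -p $logdir`), and validate_suricata_section only checks them as `string`, so a value containing whitespace is split into extra arguments for the daemon, which presumably runs as root since no `user` param is set. Quote every expansion as in the block below. The stale-pidfile test `[ -f $pidfile -a -z $(pgrep suricata) ]` has the same problem and errors out when pgrep prints more than one PID; `[ -f "$pidfile" ] && [ -z "$(pgrep suricata)" ]` avoids that. `logdir` and `pidfile` are never handed to suricata in this function, so changing them in UCI does not appear to change where the daemon writes, which is worth confirming.

```shell
start_suricata_instance() {
	# … unchanged: validation result check and stale-pidfile cleanup …
	[ ! -d "$logdir" ] && mkdir -p "$logdir"

	procd_open_instance
	procd_set_param command "$PROG" -c "$config_file"
	[ -n "$rules_file" ] && \
		procd_append_param command -s "$rules_file"
	procd_set_param file "$config_file"
	# … unchanged: verbose handling, case "$scan_mode" header …
		procd_append_param command -i "$interface"
	# … unchanged: nfq queue-list check …
		for number in $queue; do procd_append_param command -q "$number"; done
	# … unchanged: esac, respawn, procd_close_instance …
```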
diff --git a/net/suricata6/patches/00-fix-soft-float.patch b/net/suricata6/patches/00-fix-soft-float.patch
new file mode 100644
index 0000000..fb2128e
--- /dev/null
+++ b/net/suricata6/patches/00-fix-soft-float.patch
@@ -0,0 +1,11 @@
+--- a/rust/Cargo.toml.in
++++ b/rust/Cargo.toml.in
+@@ -4,7 +4,7 @@
+ edition = "2018"
+
+ [lib]
+-crate-type = ["staticlib", "rlib"]
++crate-type = ["staticlib", "rlib", "cdylib"]
+ path = "@e_rustdir@/src/lib.rs"
+
+ [profile.release]
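Review bot: The patch carries no header explaining why `cdylib` is added to `crate-type`, and its file name (`00-fix-soft-float.patch`) does not describe the change it makes. Add a short description at the top of the patch stating which build failure this works around and on which targets, so it can be dropped or upstreamed later.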