Opened 7 years ago

Last modified 4 years ago

#42858 new submission

[NEW] suricata 1.4.7

Reported by: jul_bsd@…
Owned by: macports-tickets@…
Priority: Normal
Milestone:
Component: ports
Version: 2.2.1
Keywords:
Cc: Schamschula (Marius Schamschula), mkae (Marko Käning)
Port: suricata

Description

Open Source IDS / IPS / NSM engine

  • compile/run
  • devel subport

Attachments (26)

patch-configure.ac.diff (589 bytes) - added by jul_bsd@… 7 years ago.
oinkmaster-suricata.conf (20.1 KB) - added by jul_bsd@… 7 years ago.
org.macports.oinkmaster-suricata.plist (940 bytes) - added by jul_bsd@… 7 years ago.
patch-configure.ac2.diff (517 bytes) - added by jul_bsd@… 7 years ago.
suricata2.0-fail-main.log (41.5 KB) - added by jul_bsd@… 7 years ago.
suricata-universal-main.log (137.4 KB) - added by jul_bsd@… 7 years ago.
patch-src-suricata-common.h2.diff (829 bytes) - added by jul_bsd@… 6 years ago.
patch-Makefile.in.diff (4.1 KB) - added by jul_bsd@… 6 years ago.
Portfile-suricata.diff (2.4 KB) - added by Schamschula (Marius Schamschula) 6 years ago.
Update from 2.0.4 to 2.0.7
patch-src-output-json.h.diff (441 bytes) - added by Schamschula (Marius Schamschula) 6 years ago.
Portfile-suricata.2.diff (1.1 KB) - added by Schamschula (Marius Schamschula) 6 years ago.
Update post-destroot
patch-src-suricata-common.h.diff (311 bytes) - added by jul_bsd@… 6 years ago.
Portfile (12.0 KB) - added by jul_bsd@… 6 years ago.
oinkmaster-suricata.2.conf (20.5 KB) - added by jul_bsd@… 6 years ago.
mp-suricata.conf (411 bytes) - added by jul_bsd@… 6 years ago.
Portfile-suricata-2.0.8.diff (853 bytes) - added by Schamschula (Marius Schamschula) 6 years ago.
Portfile-suricata-2.0.9.diff (853 bytes) - added by Schamschula (Marius Schamschula) 5 years ago.
Portfile-suricata-oinkmaster.diff (545 bytes) - added by Schamschula (Marius Schamschula) 5 years ago.
Portfile-suricata-2.0.10.diff (1.3 KB) - added by Schamschula (Marius Schamschula) 5 years ago.
Portfile-suricata-2.0.11.diff (854 bytes) - added by Schamschula (Marius Schamschula) 5 years ago.
Portfile-suricata-3.0.diff (2.1 KB) - added by Schamschula (Marius Schamschula) 5 years ago.
patch-src-output-json.h-3.0.diff (401 bytes) - added by Schamschula (Marius Schamschula) 5 years ago.
patch-src-output-json-alert.h.diff (349 bytes) - added by Schamschula (Marius Schamschula) 5 years ago.
patch-src-util-debug.c.diff (278 bytes) - added by Schamschula (Marius Schamschula) 5 years ago.
patch-src-util-profiling-rules.c.diff (340 bytes) - added by Schamschula (Marius Schamschula) 5 years ago.
Portfile-suricata-3.0.1.diff (2.0 KB) - added by Schamschula (Marius Schamschula) 5 years ago.


Change History (54)

comment:1 Changed 7 years ago by jul_bsd@…

  • port lint --nitpick
  • livecheck
  • /tab/spacex4/

comment:2 Changed 7 years ago by neverpanic (Clemens Lang)

  • --prefix=${prefix} is automatically passed to configure in configure.pre_args by MacPorts. You don't have to pass it again.
  • --sysconfdir defaults to PREFIX/etc, so passing --sysconfdir=${prefix}/etc isn't necessary.
  • The same applies to --localstatedir.
  • revision 0 is the default and can be omitted.
  • Don't set configure.compiler directly unless absolutely necessary. Instead, use compiler.blacklist to blacklist the compilers that will fail to compile suricata and let MacPorts choose a fallback. Even better would be fixing the build with clang.
  • Conflicts should be specified both ways, so the suricata subport should conflicts ${name}-devel
  • Instead of listing a variant that does nothing, consider commenting it.
  • I'm not sure hardcoding the startupitem to the en1 interface is a good solution. I don't have a better idea either, though.
  • When adding optional features with dependencies in variants you need to make sure the configure script doesn't autodetect the presence of the dependency and links against libraries when the dependency isn't specified. For example, suricata must not link against libgeoip when installed without the geoip variant even when the libgeoip port is installed. To do this, pass --disable-geoip in the default configure.args and replace it with --enable-geoip in the geoip variant.

comment:3 Changed 7 years ago by neverpanic (Clemens Lang)

Also, configure picks up python as $prefix/bin/python

checking for python... /opt/local/bin/python

which is a symlink that can be adjusted by users and might cause the package to build differently depending on what a user has chosen as python version. You should choose a version of python you want to use and set configure.python to avoid that and make the build reproducible.

comment:4 Changed 7 years ago by neverpanic (Clemens Lang)

Also, here's a patch to fix the build problem with clang due to the system headers defining strlcat(3) and strlcpy(3) as macros:

  • configure.ac

    old new  
    155155    # Checks for library functions.
    156156    AC_FUNC_MALLOC
    157157    AC_FUNC_REALLOC
    158     AC_CHECK_FUNCS([gettimeofday memset strcasecmp strchr strdup strerror strncasecmp strtol strtoul memchr])
     158    AC_CHECK_FUNCS([gettimeofday memset strcasecmp strchr strdup strerror strncasecmp strtol strtoul memchr strlcat strlcpy])
    159159
    160160    # Add large file support
    161161    AC_SYS_LARGEFILE
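
Review bot: the two functions added to AC_CHECK_FUNCS only make configure define HAVE_STRLCAT and HAVE_STRLCPY in config.h, and nothing in this patch reads those macros; the header hunk below guards on `#ifndef strlcat` instead. Either make the declarations in src/suricata-common.h honour HAVE_STRLCAT/HAVE_STRLCPY too, or drop this hunk so configure does not run a check whose result is never consumed.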
  • src/suricata-common.h

    old new  
    304304#include "util-optimize.h"
    305305#include "util-path.h"
    306306
     307#ifndef strlcat
     308/* strlcat is a macro on some systems; if it is, we probably don't need this
     309 * declaration and the macro expansion will break the declaration. */
    307310size_t strlcat(char *, const char *src, size_t siz);
     311#endif
     312#ifndef strlcpy
     313/* strlcpy is a macro on some systems; if it is, we probably don't need this
     314 * declaration and the macro expansion will break the declaration. */
    308315size_t strlcpy(char *dst, const char *src, size_t siz);
     316#endif
    309317
    310318#endif /* __SURICATA_COMMON_H__ */
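
Review bot: `#ifndef strlcat` only removes the declaration when the system supplies strlcat as a macro; where libc declares it as an ordinary function the redeclaration on line `size_t strlcat(char *, const char *src, size_t siz);` stays in place and relies on the prototype matching the libc one exactly. If the configure hunk is kept, `#if !defined(strlcat) && !defined(HAVE_STRLCAT)` (and the same for strlcpy) covers both cases. Style point: the strlcat declaration leaves its first parameter unnamed while strlcpy names it `dst`; name it for consistency.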

Please submit this patch upstream as well.

Changed 7 years ago by jul_bsd@…

Attachment: patch-configure.ac.diff added

Changed 7 years ago by jul_bsd@…

Attachment: oinkmaster-suricata.conf added

Changed 7 years ago by jul_bsd@…

comment:5 Changed 7 years ago by jul_bsd@…

  • update to 2.0 and subport suricata1, disabled suricata-devel for now, review patch for 2.0
  • 2.0 is NOT compiling, see main.log
  • add test command but not sure if it is executed
  • review livecheck for 2.0

Changed 7 years ago by jul_bsd@…

Attachment: patch-configure.ac2.diff added

Changed 7 years ago by jul_bsd@…

Attachment: suricata2.0-fail-main.log added

comment:6 Changed 7 years ago by jul_bsd@…

  • suricata 2.0.1 + subport suricata1 => both install/run
  • configure.blacklist needs to be reviewed but seems to be a long one. works ok w gcc4.9
  • universal variant is a work in progress but failing if build.args is enabled (be it in universal or not)
    util-affinity.h:70:5: error: unknown type name 'cpu_set_t'
    
  • test.run
  • switch tasks to LaunchDaemons
  • newsyslog configuration to rotate logs
  • fix livecheck

Changed 7 years ago by jul_bsd@…

Attachment: suricata-universal-main.log added

comment:7 Changed 6 years ago by jul_bsd@…

  • bump to 2.0.3, -devel 2.1beta1 and keep old 1.4.7
  • Merge some patches from duplicate submission #44227 (#44691 "port search: return Trac ticket for submission" would mostly avoid that...)
  • the 3 versions are up to destroot and 2.0.3+universal
  • add variant nss

Changed 6 years ago by jul_bsd@…

Changed 6 years ago by jul_bsd@…

Attachment: patch-Makefile.in.diff added

comment:8 Changed 6 years ago by jul_bsd@…

Sadly, running test mode on 2.1/devel and also 2.0.3 gives

$ sudo suricata -c /opt/local/etc/suricata/suricata.yaml -T
30/8/2014 -- 20:07:45 - <Info> - Running suricata under test mode
30/8/2014 -- 20:07:45 - <Notice> - This is Suricata version 2.1beta1 RELEASE
/usr/share/file/magic/animation, 712: Warning: Printf format `l' is not valid for type `belong' in description `%ld x'
/usr/share/file/magic/animation, 713: Warning: Printf format `l' is not valid for type `belong' in description `%ld'
/usr/share/file/magic/animation, 720: Warning: Printf format `l' is not valid for type `belong' in description `%ld x'
/usr/share/file/magic/animation, 721: Warning: Printf format `l' is not valid for type `belong' in description `%ld'
/usr/share/file/magic/animation, 785: Warning: Current entry does not yet have a description for adding a MIME type
/usr/share/file/magic/animation, 787: Warning: Current entry does not yet have a description for adding a MIME 
[...]
/usr/share/file/magic/xwindows, 34: Warning: Printf format `h' is not valid for type `leshort' in description `version %hd'
/usr/share/file/magic/xwindows, 35: Warning: Printf format `h' is not valid for type `leshort' in description `.%hd'
30/8/2014 -- 20:07:45 - <Error> - [ERRCODE: SC_ERR_MAGIC_LOAD(197)] - magic_load failed: File 5.19 supports only version 12 magic files. `/usr/share/file/magic.mgc' is version 7

comment:9 Changed 6 years ago by Schamschula (Marius Schamschula)

Cc: mschamschula@… added

Cc Me!

comment:10 Changed 6 years ago by jul_bsd@…

  • update to 2.0.4, destroot ok
  • v1 destroot nok

Changed 6 years ago by Schamschula (Marius Schamschula)

Attachment: Portfile-suricata.diff added

Update from 2.0.4 to 2.0.7

Changed 6 years ago by Schamschula (Marius Schamschula)

comment:11 Changed 6 years ago by Schamschula (Marius Schamschula)

Updated suricata to version 2.0.7. A number of patches have been included upstream, but a new patch is needed to build output-json.c.

Changed 6 years ago by Schamschula (Marius Schamschula)

Attachment: Portfile-suricata.2.diff added

Update post-destroot

comment:12 Changed 6 years ago by Schamschula (Marius Schamschula)

Copy a few more rules and files and a config file in post-destroot.

comment:13 Changed 6 years ago by jul_bsd@…

I merged your changes for 2.1.7 but

  • not sure you want rules files directly in etc, especially as from a security point of view you will not use the default set but others like EmergingThreats (which you can download w oinkmaster), and it includes them
  • the jansson header was already added in common.h but an update was needed
  • strlcat/copy patch included by upstream and not needed anymore
  • destroot/install is fine

but at configuration check, still have

# suricata -c /opt/local/etc/suricata/suricata.yaml -T 2>&1 |grep -v Warning
10/3/2015 -- 19:37:19 - <Info> - Running suricata under test mode
10/3/2015 -- 19:37:19 - <Notice> - This is Suricata version 2.0.7 RELEASE
10/3/2015 -- 19:37:19 - <Error> - [ERRCODE: SC_ERR_MAGIC_LOAD(197)] - magic_load failed: File 5.22 supports only version 12 magic files. `/usr/share/file/magic.mgc' is version 7

which I referenced here https://redmine.openinfosecfoundation.org/issues/1268

Did you meet this issue? Solved it?

Thanks

Changed 6 years ago by jul_bsd@…

Changed 6 years ago by jul_bsd@…

Attachment: Portfile added

Changed 6 years ago by jul_bsd@…

Attachment: oinkmaster-suricata.2.conf added

Changed 6 years ago by jul_bsd@…

Attachment: mp-suricata.conf added

comment:14 in reply to:  13 Changed 6 years ago by Schamschula (Marius Schamschula)

Replying to jul_bsd@…:

I merged your changes for 2.1.7 but

  • not sure you want rules files directly in etc, especially as from a security point of view you will not use the default set but others like EmergingThreats (which you can download w oinkmaster), and it includes them
  • the jansson header was already added in common.h but an update was needed
  • strlcat/copy patch included by upstream and not needed anymore
  • destroot/install is fine

but at configuration check, still have

# suricata -c /opt/local/etc/suricata/suricata.yaml -T 2>&1 |grep -v Warning
10/3/2015 -- 19:37:19 - <Info> - Running suricata under test mode
10/3/2015 -- 19:37:19 - <Notice> - This is Suricata version 2.0.7 RELEASE
10/3/2015 -- 19:37:19 - <Error> - [ERRCODE: SC_ERR_MAGIC_LOAD(197)] - magic_load failed: File 5.22 supports only version 12 magic files. `/usr/share/file/magic.mgc' is version 7

which I referenced here https://redmine.openinfosecfoundation.org/issues/1268

Did you meet this issue? Solved it?

Thanks

As you noted, the changes here are not enough to get things working.

1) There currently is no oinkmaster port, so I downloaded it and put the perl script into ~/bin

2) I manually edited a few more things:

Make sure that logging to file is enabled in /opt/local/etc/suricata/suricata.yaml

 - file:
     enabled: yes
     filename: /opt/local/var/log/suricata/suricata.log

also use MacPorts' libmagic:

#magic-file: /opt/local/share/misc/magic
magic-file: /usr/share/file/magic

to

magic-file: /opt/local/share/misc/magic
#magic-file: /usr/share/file/magic
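
Pulling together neverpanic's review points from comment:2 and comment:3 with the manual edits above, here is an added Portfile fragment (example code written for this page, not the Portfile attached to this ticket): it declares conflicts in both directions, disables every optional library explicitly so configure cannot silently link one that happens to be installed, pins the Python interpreter, and rewrites magic-file in post-destroot so the shipped config points at MacPorts' libmagic database rather than the system magic.mgc. The compiler blacklist range, the python27 dependency, the geoip port name, and the assumption that configure leaves a generated suricata.yaml at the top of ${worksrcpath} are my assumptions, not taken from the ticket.

```tcl
# -*- coding: utf-8; mode: tcl; tab-width: 4; indent-tabs-mode: nil; c-basic-offset: 4 -*- vim:fenc=utf-8:ft=tcl:et:sw=4:ts=4:sts=4
# Added example Portfile fragment for the suricata submission; it is not the
# ticket's attached Portfile. Version and flag names marked below are assumptions.
PortSystem          1.0

name                suricata
version             2.0.7          ;# version discussed in the ticket; adjust per release
categories          net security
license             GPL-2
description         Open Source IDS / IPS / NSM engine

# Conflicts are declared in both directions, as comment:2 asks.
subport ${name}-devel {
    conflicts       ${name}
}
if {${subport} eq ${name}} {
    conflicts       ${name}-devel
}

# --prefix, --sysconfdir and --localstatedir are already supplied by MacPorts,
# so only feature switches go here. Every optional dependency is switched off
# explicitly; configure must not autodetect an installed libgeoip and link it
# when the user never asked for it.
configure.args      --disable-geoip

# Pin the interpreter instead of letting configure pick ${prefix}/bin/python,
# a user-adjustable symlink that would make builds non-reproducible (comment:3).
# The python27 port is an assumption; any fixed python port works the same way.
depends_build-append port:python27
configure.python    ${prefix}/bin/python2.7

# Blacklist compilers known to fail instead of forcing configure.compiler and
# let MacPorts choose the fallback. The exact range here is an assumption.
compiler.blacklist-append {clang < 500}

# The variant swaps the explicit --disable for --enable and adds the library,
# so libgeoip is linked only when the user opted in.
variant geoip description {Enable GeoIP matching via libgeoip} {
    depends_lib-append      port:libgeoip
    configure.args-replace  --disable-geoip --enable-geoip
}

# comment:14: ship the config as a .sample, create the log directory under
# ${prefix}/var/log, and point magic-file at MacPorts' libmagic database so the
# running binary and the magic file it loads come from the same libmagic.
post-destroot {
    set conf ${destroot}${prefix}/etc/suricata
    xinstall -d ${conf} ${destroot}${prefix}/var/log/suricata
    # Assumption: configure leaves a generated suricata.yaml in ${worksrcpath}.
    xinstall -m 644 ${worksrcpath}/suricata.yaml ${conf}/suricata.yaml.sample
    reinplace "s|^magic-file:.*|magic-file: ${prefix}/share/misc/magic|" \
        ${conf}/suricata.yaml.sample
}

post-activate {
    # Never overwrite a configuration the administrator has already edited.
    if {![file exists ${prefix}/etc/suricata/suricata.yaml]} {
        file copy ${prefix}/etc/suricata/suricata.yaml.sample \
            ${prefix}/etc/suricata/suricata.yaml
    }
}
```

The explicit --disable-geoip default paired with configure.args-replace inside the variant is the pattern comment:2 describes: what the binary links against is decided by the variant the user selected, not by which libraries happen to be present on the build machine, so two installs from the same Portfile behave the same. The reinplace in post-destroot does for the packaged config what was done by hand above, swapping the commented and active magic-file lines in favour of ${prefix}/share/misc/magic.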

comment:15 Changed 6 years ago by mkae (Marko Käning)

What's the status of this? Stable is by now at 2.0.8 and devel at 2.1beta4.

Last edited 6 years ago by mkae (Marko Käning)

comment:16 Changed 6 years ago by mkae (Marko Käning)

Cc: mk@… added

Cc Me!

comment:17 in reply to:  15 Changed 6 years ago by Schamschula (Marius Schamschula)

Replying to mk@…:

What's the status of this? Stable is by now at 2.0.8 and devel at 2.1beta4.

As this port has not been officially added, I don't run livecheck on it. I just updated my local Portfile to version 2.0.8. It built w/o any problems. My notes from comment:14 still apply.

Changed 6 years ago by Schamschula (Marius Schamschula)

comment:18 Changed 6 years ago by mkae (Marko Käning)

There is no port oinkmaster up to now and you copied its perl code into your ~/bin!?

But org.macports.oinkmaster-suricata.plist seems to assume it being installed below the MacPorts prefix. Obviously I am missing something here.

What about the SC_ERR_MAGIC_LOAD error? Is that fixed?

comment:19 in reply to:  18 Changed 6 years ago by Schamschula (Marius Schamschula)

Replying to mk@…:

There is no port oinkmaster up to now and you copied its perl code into your ~/bin!?

oinkmaster is just a perl script. I put it in ~/bin to keep it out of the /usr and the /opt trees. Needless to say, once there is a port it will be in /opt/local/bin.

But org.macports.oinkmaster-suricata.plist seems to assume it being installed below the MacPorts prefix. Obviously I am missing something here.

There is no such thing (yet). At least it didn't get installed on my machines.

What about the SC_ERR_MAGIC_LOAD error? Is that fixed?

I don't see that issue with 2.0.7 or 2.0.8. I've got File 5.23. I just ran the 'test' mode and saw no errors.

comment:20 Changed 6 years ago by mkae (Marko Käning)

So, it is only missing port oinkmaster which prevents publishing this port? (Ping.)

Last edited 6 years ago by mkae (Marko Käning)

Changed 5 years ago by Schamschula (Marius Schamschula)

comment:21 Changed 5 years ago by Schamschula (Marius Schamschula)

Updated to suricata 2.0.9:

  • stream: retransmission not detected (2.0.x)
  • Segmentation Fault at detect-engine-content-inspection.c:438
  • defrag: evasion issue
  • last_ack update issue leading to stream gaps (2.0.x)
  • 2.0.x backport: Leading whitespace in flowbits variable names
  • http_host payload validation erroring on uppercase PCRE metacharacters
  • 2.0.x backport: Add HUP coverage to output json-log
  • 2.0.x: address var parsing issue
  • stream_size <= and >= modifiers function as < and > (equality is not functional) (2.0.x)
  • Update bundled libhtp to 0.5.18

Changed 5 years ago by Schamschula (Marius Schamschula)

comment:22 in reply to:  20 Changed 5 years ago by Schamschula (Marius Schamschula)

Replying to mk@…:

So, it is only missing port oinkmaster which prevents publishing this port? (Ping.)

Created oinkmaster port: #48977

comment:23 Changed 5 years ago by jul_bsd@…

Hello

Sorry for the delayed answer; not much time for those in past months. The oinkmaster port was part of the past submissions (#42859), never committed though.

Need to merge mschamschula@'s work, also with the brew formula (https://github.com/Homebrew/homebrew/blob/master/Library/Formula/suricata.rb). Magic issue seems fixed with a config change.

Changed 5 years ago by Schamschula (Marius Schamschula)

comment:24 Changed 5 years ago by Schamschula (Marius Schamschula)

Updated to suricata 2.0.10.

Changed 5 years ago by Schamschula (Marius Schamschula)

comment:25 Changed 5 years ago by Schamschula (Marius Schamschula)

Updated to suricata 2.0.11.

Changed 5 years ago by Schamschula (Marius Schamschula)

Attachment: Portfile-suricata-3.0.diff added

Changed 5 years ago by Schamschula (Marius Schamschula)

Changed 5 years ago by Schamschula (Marius Schamschula)

Changed 5 years ago by Schamschula (Marius Schamschula)

Attachment: patch-src-util-debug.c.diff added

Changed 5 years ago by Schamschula (Marius Schamschula)

comment:26 Changed 5 years ago by Schamschula (Marius Schamschula)

Updated suricata-devel to the current "stable" branch, which is currently at version 3.0.

Fixed livecheck.

Changed 5 years ago by Schamschula (Marius Schamschula)

comment:27 Changed 5 years ago by Schamschula (Marius Schamschula)

Updated suricata-devel to version 3.0.1.

comment:28 Changed 4 years ago by Schamschula (Marius Schamschula)

I've stopped posting updates here. See

https://github.com/Schamschula/macports/tree/master/net/suricata

for the current version.
