authorBoris Samorodov <bsam@FreeBSD.org>2006-10-09 19:04:38 +0000
committerBoris Samorodov <bsam@FreeBSD.org>2006-10-09 19:04:38 +0000
commit800e4e544330cb5d15e71a23274c9afbb514d82f (patch)
tree29ca91074b942bd5826c26d990e594d6906c83df /security/sguil-sensor
parentUpgrade to version 5.2. (diff)
Sguil (pronounced "sgweel") is a graphical interface to snort
(www.snort.org), an open source intrusion detection system. The actual interface and GUI server are written in tcl/tk (www.tcl.tk). Sguil also relies on other open source software in order to function properly. The sensor list includes security/barnyard, security/snort, security/sancp, tcpdump (a part of the OS) and devel/tcltls as well as lang/tcl84 and lang/tclX. Care has been taken to ensure that everything you need to build a working sguil operation is in the FreeBSD ports system or part of the OS already. Sguil currently functions as an analysis interface and has no snort sensor or rule management capabilities. WWW: http://sguil.sourceforge.net/index.php pauls@utdallas.edu PR: ports/95018 Submitted by: Paul Schmehl <pauls at utdallas.edu>
Notes
Notes: svn path=/head/; revision=175129
Diffstat (limited to 'security/sguil-sensor')
-rw-r--r--security/sguil-sensor/Makefile86
-rw-r--r--security/sguil-sensor/distinfo3
-rw-r--r--security/sguil-sensor/files/log_packets.conf30
-rw-r--r--security/sguil-sensor/files/patch-log_packets.sh49
-rw-r--r--security/sguil-sensor/files/patch-sensor_agent.tcl23
-rw-r--r--security/sguil-sensor/files/pkg-message.in28
-rw-r--r--security/sguil-sensor/files/sensor_agent.sh.in46
-rw-r--r--security/sguil-sensor/pkg-descr17
-rw-r--r--security/sguil-sensor/pkg-plist6
9 files changed, 288 insertions, 0 deletions
diff --git a/security/sguil-sensor/Makefile b/security/sguil-sensor/Makefile
new file mode 100644
index 000000000000..2d29563deae3
--- /dev/null
+++ b/security/sguil-sensor/Makefile
@@ -0,0 +1,86 @@
+# New ports collection makefile for: sguil-sensor
+# Date created: 23 Mar 2006
+# Whom: Paul Schmehl <pauls@utdallas.edu>
+#
+# $FreeBSD$
+#
+
+PORTNAME= sguil-sensor
+PORTVERSION= 0.6.1
+CATEGORIES= security
+MASTER_SITES= ${MASTER_SITE_SOURCEFORGE}
+MASTER_SITE_SUBDIR= sguil
+
+MAINTAINER= pauls@utdallas.edu
+COMMENT= Squil is a network security management program
+
+RUN_DEPENDS= snort:${PORTSDIR}/security/snort \
+ barnyard:${PORTSDIR}/security/barnyard-sguil6 \
+ ${LOCALBASE}/lib/tclx8.4/tclx.tcl:${PORTSDIR}/lang/tclX
+
+OPTIONS= SANCP "Include sancp support" off \
+ TLS "Include openssl support" off
+
+NO_BUILD= yes
+USE_RC_SUBR= sensor_agent.sh
+TCLSH_CMD?= tclsh8.4
+WRKSRC= ${WRKDIR}/sguil-${PORTVERSION}
+SUB_LIST= SGUILDIR=${SGUILDIR}
+SUB_FILES= pkg-message sensor_agent.sh
+PLIST_SUB= SGUILDIR=${SGUILDIR}
+SGUILDIR?= sguil-sensor
+
+PORTDOCS= CHANGES FAQ INSTALL INSTALL.openbsd LICENSE.QPL \
+ OPENSSL.README TODO UPGRADE USAGE sguildb.dia
+
+.include <bsd.port.pre.mk>
+
+WITH_PCRE= true
+
+.if defined(WITH_SANCP)
+RUN_DEPENDS+= sancp:${PORTSDIR}/security/sancp
+PLIST_SUB+= USESANCP=
+.else
+PLIST_SUB+= USESANCP="@comment "
+.endif
+
+.if defined(WITH_TLS)
+LIB_DEPENDS+= tls:${PORTSDIR}/devel/tcltls
+.endif
+
+post-patch:
+.for f in sensor_agent.tcl
+ @${REINPLACE_CMD} -e 's:exec tclsh:exec ${PREFIX}/bin/${TCLSH_CMD}:g' \
+ ${WRKSRC}/sensor/${f}
+.endfor
+
+do-install:
+ @${MKDIR} ${PREFIX}/bin/${SGUILDIR}
+ ${INSTALL_SCRIPT} -m 751 ${WRKSRC}/sensor/sensor_agent.tcl \
+ ${PREFIX}/bin/${SGUILDIR}/sensor_agent.tcl
+.for f in log_packets.sh
+ ${INSTALL_SCRIPT} -m 751 ${WRKSRC}/sensor/${f} \
+ ${PREFIX}/bin/${SGUILDIR}/${f}
+.endfor
+.for f in sensor_agent.conf
+ ${INSTALL_DATA} ${WRKSRC}/sensor/${f} \
+ ${PREFIX}/etc/${f}-sample
+.endfor
+.for f in log_packets.conf
+ ${INSTALL_DATA} ${FILESDIR}/${f} \
+ ${PREFIX}/etc/${f}-sample
+.endfor
+.if defined(WITH_SANCP)
+.for f in sancp.conf
+ ${INSTALL_DATA} ${WRKSRC}/sensor/sancp/${f} \
+ ${PREFIX}/etc/${f}-sample
+.endfor
+.endif
+.if !defined(NOPORTDOCS)
+ @${MKDIR} ${DOCSDIR}
+ cd ${WRKSRC}/doc && ${INSTALL_DATA} \
+ ${PORTDOCS} ${DOCSDIR}
+.endif
+ @${CAT} ${PKGMESSAGE}
+
+.include <bsd.port.post.mk>
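Review bot: `COMMENT= Squil is a network security management program` misspells the project name; it should read `COMMENT= Sguil is a network security management program`. `WITH_PCRE= true` after the bsd.port.pre.mk include is not referenced anywhere else in this Makefile and looks like a leftover; either drop it or add a comment saying which included file consumes it. TCLSH_CMD is substituted into sensor_agent.tcl in post-patch but is not passed to SUB_LIST, while files/sensor_agent.sh.in hardcodes `procname="%%PREFIX%%/bin/tclsh8.4"`, so overriding TCLSH_CMD at build time breaks process matching in the rc script; `SUB_LIST= SGUILDIR=${SGUILDIR} TCLSH_CMD=${TCLSH_CMD}` plus a `%%TCLSH_CMD%%` token in the rc script keeps the two in step.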
diff --git a/security/sguil-sensor/distinfo b/security/sguil-sensor/distinfo
new file mode 100644
index 000000000000..efab94c51741
--- /dev/null
+++ b/security/sguil-sensor/distinfo
@@ -0,0 +1,3 @@
+MD5 (sguil-sensor-0.6.1.tar.gz) = 62be71b0aa41ccacb7872839dc4bf5ad
+SHA256 (sguil-sensor-0.6.1.tar.gz) = b1da0fffeaecd69b9d8eeeb27025fdc3493a2eabfec8ed4153f688f11ee226eb
+SIZE (sguil-sensor-0.6.1.tar.gz) = 103441
diff --git a/security/sguil-sensor/files/log_packets.conf b/security/sguil-sensor/files/log_packets.conf
new file mode 100644
index 000000000000..3ac53f68e54f
--- /dev/null
+++ b/security/sguil-sensor/files/log_packets.conf
@@ -0,0 +1,30 @@
+# Conf file for the log_packets script
+# Make sure you verify the location of
+# each of the binaries on your OS
+
+HOSTNAME="myhost"
+# Path to snort binary
+SNORT_PATH="/usr/local/bin/snort"
+# Directory to log pcap data to (date dirs will be created in here)
+# Note: The path $HOSTNAME/dailylogs, will be appended to this.
+LOG_DIR="/snort_data"
+# Percentage of disk to try and maintain
+MAX_DISK_USE=90
+# Interface to 'listen' to.
+INTERFACE="eth0"
+# Other options to use when starting snort
+#OPTIONS="-u sguil -g sguil -m 122"
+# Where to store the pid
+PIDFILE="/var/run/snort_log-${HOSTNAME}.pid"
+# How do we run ps
+PS="ps awx"
+# Where is grep
+GREP="/usr/bin/grep"
+#Add BPFs here.
+#The below is an example of a filter for ignoring outbound HTTP from my network
+# to the world.
+#FILTER='not \( src net 67.11.255.148/32 and dst port 80 and "tcp[0:2] > 1024" \) and not \( src port 80 and dst net 67.11.255.148/32 and "tcp[2:2] > 1024"\)'
+
+#Some installs may need these
+#LD_LIBRARY_PATH=/usr/local/lib/mysql
+#export LD_LIBRARY_PATH
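Review bot: `INTERFACE="eth0"` in the shipped sample is a Linux device name that will not exist on a FreeBSD sensor, so log_packets.sh fails at first run until the file is edited; a comment such as `# Capture interface, e.g. em0 on FreeBSD` next to it would make the required edit obvious. Because log_packets.sh loads this file with `. ${CONF}`, every line in it is executed as shell by whoever runs the script (pkg-message suggests cron), so the header should state that: `# This file is sourced as shell code by log_packets.sh; keep it root-owned and not group/world writable.` The sample is installed with INSTALL_DATA, which is consistent with that, but the comment tells the administrator why the mode matters when they copy it into place.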
diff --git a/security/sguil-sensor/files/patch-log_packets.sh b/security/sguil-sensor/files/patch-log_packets.sh
new file mode 100644
index 000000000000..9396936bf21e
--- /dev/null
+++ b/security/sguil-sensor/files/patch-log_packets.sh
@@ -0,0 +1,49 @@
+--- sensor/log_packets.sh.orig Fri Mar 24 13:12:18 2006
++++ sensor/log_packets.sh Mon Mar 27 17:22:54 2006
+@@ -23,37 +23,16 @@
+ ##############################################################
+
+
+-# Edit these for your setup
++# You shouldn't need to edit anything in this script
+
+-# Sensors hostname.
+-# Note: If running multiple snort instances, then this must be different
+-# for each instance (ie sensor1, sensor2, sensor-eth0, sensor-eth1, etc)
+-HOSTNAME="myhost"
+-# Path to snort binary
+-SNORT_PATH="/usr/local/bin/snort"
+-# Directory to log pcap data to (date dirs will be created in here)
+-# Note: The path $HOSTNAME/dailylogs, will be appended to this.
+-LOG_DIR="/snort_data"
+-# Percentage of disk to try and maintain
+-MAX_DISK_USE=90
+-# Interface to 'listen' to.
+-INTERFACE="eth0"
+-# Other options to use when starting snort
+-#OPTIONS="-u sguil -g sguil -m 122"
+-# Where to store the pid
+-PIDFILE="/var/run/snort_log-${HOSTNAME}.pid"
+-# How do we run ps
+-PS="ps awx"
+-# Where is grep
+-GREP="/usr/bin/grep"
+-#Add BPFs here.
+-#The below is an example of a filter for ignoring outbound HTTP from my network
+-# to the world.
+-#FILTER='not \( src net 67.11.255.148/32 and dst port 80 and "tcp[0:2] > 1024" \) and not \( src port 80 and dst net 67.11.255.148/32 and "tcp[2:2] > 1024"\)'
+-
+-#Some installs may need these
+-#LD_LIBRARY_PATH=/usr/local/lib/mysql
+-#export LD_LIBRARY_PATH
++CONF=/usr/local/etc/log_packets.conf
++if [ -r ${CONF} ]; then
++ . ${CONF}
++else
++ echo "Your conf file is either missing or the path "
++ echo "in the log_packets.sh script is incorrect."
++ exit 1
++fi
+
+ TZ=GMT
+ export TZ
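Review bot: The added `CONF=/usr/local/etc/log_packets.conf` hardcodes the install prefix, while the Makefile installs the sample under `${PREFIX}/etc` and pkg-message tells users the file lives in `%%PREFIX%%/etc`, so a non-default PREFIX leaves the script looking in the wrong place and exiting with the "conf file is either missing" message; files/patch-sensor_agent.tcl hardcodes `/usr/local/etc/sensor_agent.conf` the same way. Since post-patch already runs REINPLACE_CMD over sensor_agent.tcl, the usual fix is to patch in a token such as `CONF=%%PREFIX%%/etc/log_packets.conf` and substitute it in post-patch, or extend that REINPLACE_CMD loop to rewrite `/usr/local` in both files. Note also that `. ${CONF}` executes the config file as shell, so the file's ownership and mode are part of this script's trust boundary; a one-line comment above the `if [ -r ${CONF} ]` check saying so would help the next maintainer.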
diff --git a/security/sguil-sensor/files/patch-sensor_agent.tcl b/security/sguil-sensor/files/patch-sensor_agent.tcl
new file mode 100644
index 000000000000..a8ba9481c66d
--- /dev/null
+++ b/security/sguil-sensor/files/patch-sensor_agent.tcl
@@ -0,0 +1,23 @@
+--- sensor/sensor_agent.tcl.orig Mon Mar 20 20:38:18 2006
++++ sensor/sensor_agent.tcl Mon Mar 20 20:40:06 2006
+@@ -1005,16 +1005,16 @@
+ }
+ }
+ # Parse the config file here
+-# Default location is /etc/sensor_agent.conf or pwd
++# Default location is /usr/local/etc/sensor_agent.conf or pwd
+ if { ![info exists CONF_FILE] } {
+ # No conf file specified check the defaults
+- if { [file exists /etc/sensor_agent.conf] } {
+- set CONF_FILE /etc/sensor_agent.conf
++ if { [file exists /usr/local/etc/sensor_agent.conf] } {
++ set CONF_FILE /usr/local/etc/sensor_agent.conf
+ } elseif { [file exists ./sensor_agent.conf] } {
+ set CONF_FILE ./sensor_agent.conf
+ } else {
+ puts "Couldn't determine where the sensor_agent.tcl config file is"
+- puts "Looked for /etc/sensor_agent.conf and ./sensor_agent.conf."
++ puts "Looked for /usr/local/etc/sensor_agent.conf and ./sensor_agent.conf."
+ DisplayUsage $argv0
+ }
+ }
diff --git a/security/sguil-sensor/files/pkg-message.in b/security/sguil-sensor/files/pkg-message.in
new file mode 100644
index 000000000000..076dc620f6de
--- /dev/null
+++ b/security/sguil-sensor/files/pkg-message.in
@@ -0,0 +1,28 @@
+ ***********************************
+ * !!!!!!!!!!! WARNING !!!!!!!!!!! *
+ ***********************************
+
+If you already had barnyard installed, this port will NOT deinstall
+it and install the barnyard-sguil6 port instead. You will need to
+deinstall the barnyard port and install the barnyard-sguil6 port yourself
+instead. This port WILL NOT WORK without the barnyard-sguil6 port!!
+
+You MUST edit the log_packets.conf file (located in %%PREFIX%%/etc/)
+to fit your configuration before running the log_packets.sh script.
+See the %%DOCSDIR%%/INSTALL doc for details on the
+configuration and for croning the script.
+
+WARNING!!! Sguil et al will fill up your /tmp directory very
+quickly. You should probably configure sguil et al to log to
+another partition/location (e.g. /nsm/tmp/).
+
+You must ALSO edit the sensor_agent.conf file (located in
+%%PREFIX%%/etc/) to reflect your configuration before
+starting the sensor_agent.
+
+If you chose to run sancp, and you already had a sancp.conf file in
+%%PREFIX%%/etc, copy it to sancp.conf.orig before creating the new one.
+The new sancp.conf-sample file contains the settings for squil.
+If you still want to maintain the customized sancp.conf file, then copy
+the new sancp.conf-sample file to sguild-sancp.conf (for example) and
+add sancp_conf=%%PREFIX%%/etc/sguild-sancp.conf to /etc/rc.conf.
diff --git a/security/sguil-sensor/files/sensor_agent.sh.in b/security/sguil-sensor/files/sensor_agent.sh.in
new file mode 100644
index 000000000000..e87906716d25
--- /dev/null
+++ b/security/sguil-sensor/files/sensor_agent.sh.in
@@ -0,0 +1,46 @@
+#!/bin/sh
+#
+
+# PROVIDE: sensor_agent
+# REQUIRE: DAEMON
+# KEYWORD: FreeBSD shutdown
+
+# Add the following lines to /etc/rc.conf to enable sensor_agent:
+# sensor_agent_enable (bool): Set to YES to enable sensor_agent
+# Default: NO
+# sensor_agent_flags (str): Extra flags passed to sensor_agent
+# Default: -D
+# sensor_agent_conf (str): Sensor_agent configuration file
+# Default: %%PREFIX%%/etc/sensor_agent.conf
+#
+
+. %%RC_SUBR%%
+
+name="sensor_agent"
+rcvar=`set_rcvar`
+command="%%PREFIX%%/bin/%%SGUILDIR%%/sensor_agent.tcl"
+procname="%%PREFIX%%/bin/tclsh8.4"
+check_process="${command} /bin/sh"
+stop_cmd="sensor_agent_stop"
+
+[ -z "$sensor_agent_enable" ] && sensor_agent_enable="NO"
+[ -z "$sensor_agent_conf" ] && sensor_agent_conf="%%PREFIX%%/etc/sensor_agent.conf"
+[ -z "$sensor_agent_flags" ] && sensor_agent_flags="-D"
+
+[ -n "$sensor_agent_conf" ] && sensor_agent_flags="$sensor_agent_flags -c $sensor_agent_conf"
+
+sensor_agent_stop() {
+ if [ -z "${rc_pid}" ]; then
+ echo "${name} not running?"
+ else
+ echo "Stopping ${name}"
+ kill ${sig_stop} ${rc_pid}
+ wait_for_pids ${rc_pid}
+ if [ -f "/var/run/${name}.pid" ]; then
+ `rm -f /var/run/${name}.pid`
+ fi
+ fi
+}
+
+load_rc_config $name
+run_rc_command "$1"
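Review bot: The `-c` path is appended to sensor_agent_flags on the line `[ -n "$sensor_agent_conf" ] && sensor_agent_flags=...` before `load_rc_config $name` runs, so a sensor_agent_conf set in /etc/rc.conf is read too late and the daemon is always started with the default %%PREFIX%%/etc/sensor_agent.conf (and an rc.conf sensor_agent_flags override drops `-c` entirely). Moving load_rc_config ahead of the defaults, in the usual `: ${var:=default}` form, fixes both cases. In sensor_agent_stop, `` `rm -f /var/run/${name}.pid` `` runs rm inside a command substitution and then tries to execute its empty output; it should be a plain `rm -f "/var/run/${name}.pid"`. `procname="%%PREFIX%%/bin/tclsh8.4"` also ignores the Makefile's TCLSH_CMD knob, which is only a problem if that knob is passed through SUB_LIST.
```shell
# … unchanged: header comments, ". %%RC_SUBR%%", name/rcvar/command/procname/check_process/stop_cmd …
load_rc_config $name

: ${sensor_agent_enable:="NO"}
: ${sensor_agent_conf:="%%PREFIX%%/etc/sensor_agent.conf"}
: ${sensor_agent_flags:="-D"}

# Append -c only after rc.conf has been read, so an override of
# sensor_agent_conf there is honoured.
[ -n "$sensor_agent_conf" ] && sensor_agent_flags="$sensor_agent_flags -c $sensor_agent_conf"

sensor_agent_stop() {
	# … unchanged: not-running check, kill and wait_for_pids …
		if [ -f "/var/run/${name}.pid" ]; then
			rm -f "/var/run/${name}.pid"
		fi
	# … unchanged …
}

run_rc_command "$1"
```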
diff --git a/security/sguil-sensor/pkg-descr b/security/sguil-sensor/pkg-descr
new file mode 100644
index 000000000000..3a75ee67e126
--- /dev/null
+++ b/security/sguil-sensor/pkg-descr
@@ -0,0 +1,17 @@
+Sguil (pronounced "sgweel") is a graphical interface to snort
+(www.snort.org), an open source intrusion detection system.
+The actual interface and GUI server are written in tcl/tk
+(www.tcl.tk). Sguil also relies on other open source software
+in order to function properly.
+
+The sensor list includes security/barnyard, security/snort,
+security/sancp, tcpdump (a part of the OS) and devel/tcltls as
+well as lang/tcl84 and lang/tclX. Care has been taken to ensure
+that everything you need to build a working sguil operation is
+in the FreeBSD ports system or part of the OS already.
+
+Sguil currently functions as an analysis interface and has
+no snort sensor or rule management capabilities.
+
+WWW: http://sguil.sourceforge.net/index.php
+pauls@utdallas.edu
diff --git a/security/sguil-sensor/pkg-plist b/security/sguil-sensor/pkg-plist
new file mode 100644
index 000000000000..4c9ddae4003d
--- /dev/null
+++ b/security/sguil-sensor/pkg-plist
@@ -0,0 +1,6 @@
+bin/%%SGUILDIR%%/log_packets.sh
+bin/%%SGUILDIR%%/sensor_agent.tcl
+etc/log_packets.conf-sample
+%%USESANCP%%etc/sancp.conf-sample
+etc/sensor_agent.conf-sample
+@dirrm bin/%%SGUILDIR%%