Diffstat (limited to 'security/sguil-sensor')
-rw-r--r--security/sguil-sensor/Makefile86
-rw-r--r--security/sguil-sensor/distinfo3
-rw-r--r--security/sguil-sensor/files/log_packets.conf30
-rw-r--r--security/sguil-sensor/files/patch-log_packets.sh49
-rw-r--r--security/sguil-sensor/files/patch-sensor_agent.tcl23
-rw-r--r--security/sguil-sensor/files/pkg-message.in28
-rw-r--r--security/sguil-sensor/files/sensor_agent.sh.in46
-rw-r--r--security/sguil-sensor/pkg-descr17
-rw-r--r--security/sguil-sensor/pkg-plist6
9 files changed, 288 insertions, 0 deletions
diff --git a/security/sguil-sensor/Makefile b/security/sguil-sensor/Makefile
new file mode 100644
index 000000000000..2d29563deae3
--- /dev/null
+++ b/security/sguil-sensor/Makefile
@@ -0,0 +1,86 @@
+# New ports collection makefile for: sguil-sensor
+# Date created: 23 Mar 2006
+# Whom: Paul Schmehl <pauls@utdallas.edu>
+#
+# $FreeBSD$
+#
+
+PORTNAME= sguil-sensor
+PORTVERSION= 0.6.1
+CATEGORIES= security
+MASTER_SITES= ${MASTER_SITE_SOURCEFORGE}
+MASTER_SITE_SUBDIR= sguil
+
+MAINTAINER= pauls@utdallas.edu
+COMMENT= Squil is a network security management program
+
+RUN_DEPENDS= snort:${PORTSDIR}/security/snort \
+ barnyard:${PORTSDIR}/security/barnyard-sguil6 \
+ ${LOCALBASE}/lib/tclx8.4/tclx.tcl:${PORTSDIR}/lang/tclX
+
+OPTIONS= SANCP "Include sancp support" off \
+ TLS "Include openssl support" off
+
+NO_BUILD= yes
+USE_RC_SUBR= sensor_agent.sh
+TCLSH_CMD?= tclsh8.4
+WRKSRC= ${WRKDIR}/sguil-${PORTVERSION}
+SUB_LIST= SGUILDIR=${SGUILDIR}
+SUB_FILES= pkg-message sensor_agent.sh
+PLIST_SUB= SGUILDIR=${SGUILDIR}
+SGUILDIR?= sguil-sensor
+
+PORTDOCS= CHANGES FAQ INSTALL INSTALL.openbsd LICENSE.QPL \
+ OPENSSL.README TODO UPGRADE USAGE sguildb.dia
+
+.include <bsd.port.pre.mk>
+
+WITH_PCRE= true
+
+.if defined(WITH_SANCP)
+RUN_DEPENDS+= sancp:${PORTSDIR}/security/sancp
+PLIST_SUB+= USESANCP=
+.else
+PLIST_SUB+= USESANCP="@comment "
+.endif
+
+.if defined(WITH_TLS)
+LIB_DEPENDS+= tls:${PORTSDIR}/devel/tcltls
+.endif
+
+post-patch:
+.for f in sensor_agent.tcl
+ @${REINPLACE_CMD} -e 's:exec tclsh:exec ${PREFIX}/bin/${TCLSH_CMD}:g' \
+ ${WRKSRC}/sensor/${f}
+.endfor
+
+do-install:
+ @${MKDIR} ${PREFIX}/bin/${SGUILDIR}
+ ${INSTALL_SCRIPT} -m 751 ${WRKSRC}/sensor/sensor_agent.tcl \
+ ${PREFIX}/bin/${SGUILDIR}/sensor_agent.tcl
+.for f in log_packets.sh
+ ${INSTALL_SCRIPT} -m 751 ${WRKSRC}/sensor/${f} \
+ ${PREFIX}/bin/${SGUILDIR}/${f}
+.endfor
+.for f in sensor_agent.conf
+ ${INSTALL_DATA} ${WRKSRC}/sensor/${f} \
+ ${PREFIX}/etc/${f}-sample
+.endfor
+.for f in log_packets.conf
+ ${INSTALL_DATA} ${FILESDIR}/${f} \
+ ${PREFIX}/etc/${f}-sample
+.endfor
+.if defined(WITH_SANCP)
+.for f in sancp.conf
+ ${INSTALL_DATA} ${WRKSRC}/sensor/sancp/${f} \
+ ${PREFIX}/etc/${f}-sample
+.endfor
+.endif
+.if !defined(NOPORTDOCS)
+ @${MKDIR} ${DOCSDIR}
+ cd ${WRKSRC}/doc && ${INSTALL_DATA} \
+ ${PORTDOCS} ${DOCSDIR}
+.endif
+ @${CAT} ${PKGMESSAGE}
+
+.include <bsd.port.post.mk>
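Review bot: do-install places the sample configs under `${PREFIX}/etc` (the sensor_agent.conf and log_packets.conf loops), while the two static patches in files/ hard-code `/usr/local/etc` into sensor_agent.tcl and log_packets.sh, so a build with a PREFIX other than /usr/local installs the samples where the scripts never look; the same point applies to the patch-log_packets.sh and patch-sensor_agent.tcl hunks below. Since post-patch runs after those patches are applied and already rewrites the tclsh path with ${REINPLACE_CMD}, adding `-e 's|/usr/local/etc|${PREFIX}/etc|g'` to that call and running it over both `${WRKSRC}/sensor/sensor_agent.tcl` and `${WRKSRC}/sensor/log_packets.sh` would keep the scripts and the installed samples in agreement. `WITH_PCRE= true` after bsd.port.pre.mk is not read by anything in this file and looks vestigial; drop it unless a consumer exists outside the port. `COMMENT` reads `Squil`, which appears to be a typo for Sguil.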
diff --git a/security/sguil-sensor/distinfo b/security/sguil-sensor/distinfo
new file mode 100644
index 000000000000..efab94c51741
--- /dev/null
+++ b/security/sguil-sensor/distinfo
@@ -0,0 +1,3 @@
+MD5 (sguil-sensor-0.6.1.tar.gz) = 62be71b0aa41ccacb7872839dc4bf5ad
+SHA256 (sguil-sensor-0.6.1.tar.gz) = b1da0fffeaecd69b9d8eeeb27025fdc3493a2eabfec8ed4153f688f11ee226eb
+SIZE (sguil-sensor-0.6.1.tar.gz) = 103441
diff --git a/security/sguil-sensor/files/log_packets.conf b/security/sguil-sensor/files/log_packets.conf
new file mode 100644
index 000000000000..3ac53f68e54f
--- /dev/null
+++ b/security/sguil-sensor/files/log_packets.conf
@@ -0,0 +1,30 @@
+# Conf file for the log_packets script
+# Make sure you verify the location of
+# each of the binaries on your OS
+
+HOSTNAME="myhost"
+# Path to snort binary
+SNORT_PATH="/usr/local/bin/snort"
+# Directory to log pcap data to (date dirs will be created in here)
+# Note: The path $HOSTNAME/dailylogs, will be appended to this.
+LOG_DIR="/snort_data"
+# Percentage of disk to try and maintain
+MAX_DISK_USE=90
+# Interface to 'listen' to.
+INTERFACE="eth0"
+# Other options to use when starting snort
+#OPTIONS="-u sguil -g sguil -m 122"
+# Where to store the pid
+PIDFILE="/var/run/snort_log-${HOSTNAME}.pid"
+# How do we run ps
+PS="ps awx"
+# Where is grep
+GREP="/usr/bin/grep"
+#Add BPFs here.
+#The below is an example of a filter for ignoring outbound HTTP from my network
+# to the world.
+#FILTER='not \( src net 67.11.255.148/32 and dst port 80 and "tcp[0:2] > 1024" \) and not \( src port 80 and dst net 67.11.255.148/32 and "tcp[2:2] > 1024"\)'
+
+#Some installs may need these
+#LD_LIBRARY_PATH=/usr/local/lib/mysql
+#export LD_LIBRARY_PATH
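Review bot: The defaults shipped in this sample are not FreeBSD defaults: `INTERFACE="eth0"` is a Linux interface name that cannot match a FreeBSD device, and `SNORT_PATH="/usr/local/bin/snort"` hard-codes the prefix although the Makefile installs everything under ${PREFIX}. The file is copied straight from FILESDIR with INSTALL_DATA rather than going through SUB_FILES, so a `%%PREFIX%%` token would not be substituted; adding it to SUB_FILES would allow `SNORT_PATH="%%PREFIX%%/bin/snort"`. The header comment should also state that log_packets.sh sources this file as shell code, so every line must be valid sh and the file should not be writable by anyone but its owner, e.g. `# Sourced by log_packets.sh as shell code: every line here is executed by sh`.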
diff --git a/security/sguil-sensor/files/patch-log_packets.sh b/security/sguil-sensor/files/patch-log_packets.sh
new file mode 100644
index 000000000000..9396936bf21e
--- /dev/null
+++ b/security/sguil-sensor/files/patch-log_packets.sh
@@ -0,0 +1,49 @@
+--- sensor/log_packets.sh.orig Fri Mar 24 13:12:18 2006
++++ sensor/log_packets.sh Mon Mar 27 17:22:54 2006
+@@ -23,37 +23,16 @@
+ ##############################################################
+
+
+-# Edit these for your setup
++# You shouldn't need to edit anything in this script
+
+-# Sensors hostname.
+-# Note: If running multiple snort instances, then this must be different
+-# for each instance (ie sensor1, sensor2, sensor-eth0, sensor-eth1, etc)
+-HOSTNAME="myhost"
+-# Path to snort binary
+-SNORT_PATH="/usr/local/bin/snort"
+-# Directory to log pcap data to (date dirs will be created in here)
+-# Note: The path $HOSTNAME/dailylogs, will be appended to this.
+-LOG_DIR="/snort_data"
+-# Percentage of disk to try and maintain
+-MAX_DISK_USE=90
+-# Interface to 'listen' to.
+-INTERFACE="eth0"
+-# Other options to use when starting snort
+-#OPTIONS="-u sguil -g sguil -m 122"
+-# Where to store the pid
+-PIDFILE="/var/run/snort_log-${HOSTNAME}.pid"
+-# How do we run ps
+-PS="ps awx"
+-# Where is grep
+-GREP="/usr/bin/grep"
+-#Add BPFs here.
+-#The below is an example of a filter for ignoring outbound HTTP from my network
+-# to the world.
+-#FILTER='not \( src net 67.11.255.148/32 and dst port 80 and "tcp[0:2] > 1024" \) and not \( src port 80 and dst net 67.11.255.148/32 and "tcp[2:2] > 1024"\)'
+-
+-#Some installs may need these
+-#LD_LIBRARY_PATH=/usr/local/lib/mysql
+-#export LD_LIBRARY_PATH
++CONF=/usr/local/etc/log_packets.conf
++if [ -r ${CONF} ]; then
++ . ${CONF}
++else
++ echo "Your conf file is either missing or the path "
++ echo "in the log_packets.sh script is incorrect."
++ exit 1
++fi
+
+ TZ=GMT
+ export TZ
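Review bot: The added block executes the config file with `. ${CONF}` after checking only that it is readable, so the ownership and mode of `/usr/local/etc/log_packets.conf` become part of the trust boundary of whatever runs log_packets.sh (pkg-message says a cron job). A stricter guard than `-r` would refuse to source a file that is group- or other-writable, for example by bailing out when `find "${CONF}" -perm -o+w` prints anything (confirm the symbolic-mode form against FreeBSD find(1)), and the two error messages should go to stderr with `>&2` since stdout of a cron job is easily lost. The rest of log_packets.sh continues outside this hunk.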
diff --git a/security/sguil-sensor/files/patch-sensor_agent.tcl b/security/sguil-sensor/files/patch-sensor_agent.tcl
new file mode 100644
index 000000000000..a8ba9481c66d
--- /dev/null
+++ b/security/sguil-sensor/files/patch-sensor_agent.tcl
@@ -0,0 +1,23 @@
+--- sensor/sensor_agent.tcl.orig Mon Mar 20 20:38:18 2006
++++ sensor/sensor_agent.tcl Mon Mar 20 20:40:06 2006
+@@ -1005,16 +1005,16 @@
+ }
+ }
+ # Parse the config file here
+-# Default location is /etc/sensor_agent.conf or pwd
++# Default location is /usr/local/etc/sensor_agent.conf or pwd
+ if { ![info exists CONF_FILE] } {
+ # No conf file specified check the defaults
+- if { [file exists /etc/sensor_agent.conf] } {
+- set CONF_FILE /etc/sensor_agent.conf
++ if { [file exists /usr/local/etc/sensor_agent.conf] } {
++ set CONF_FILE /usr/local/etc/sensor_agent.conf
+ } elseif { [file exists ./sensor_agent.conf] } {
+ set CONF_FILE ./sensor_agent.conf
+ } else {
+ puts "Couldn't determine where the sensor_agent.tcl config file is"
+- puts "Looked for /etc/sensor_agent.conf and ./sensor_agent.conf."
++ puts "Looked for /usr/local/etc/sensor_agent.conf and ./sensor_agent.conf."
+ DisplayUsage $argv0
+ }
+ }
diff --git a/security/sguil-sensor/files/pkg-message.in b/security/sguil-sensor/files/pkg-message.in
new file mode 100644
index 000000000000..076dc620f6de
--- /dev/null
+++ b/security/sguil-sensor/files/pkg-message.in
@@ -0,0 +1,28 @@
+ ***********************************
+ * !!!!!!!!!!! WARNING !!!!!!!!!!! *
+ ***********************************
+
+If you already had barnyard installed, this port will NOT deinstall
+it and install the barnyard-sguil6 port instead. You will need to
+deinstall the barnyard port and install the barnyard-sguil6 port yourself
+instead. This port WILL NOT WORK without the barnyard-sguil6 port!!
+
+You MUST edit the log_packets.conf file (located in %%PREFIX%%/etc/)
+to fit your configuration before running the log_packets.sh script.
+See the %%DOCSDIR%%/INSTALL doc for details on the
+configuration and for croning the script.
+
+WARNING!!! Sguil et al will fill up your /tmp directory very
+quickly. You should probably configure sguil et al to log to
+another partition/location (e.g. /nsm/tmp/).
+
+You must ALSO edit the sensor_agent.conf file (located in
+%%PREFIX%%/etc/) to reflect your configuration before
+starting the sensor_agent.
+
+If you chose to run sancp, and you already had a sancp.conf file in
+%%PREFIX%%/etc, copy it to sancp.conf.orig before creating the new one.
+The new sancp.conf-sample file contains the settings for squil.
+If you still want to maintain the customized sancp.conf file, then copy
+the new sancp.conf-sample file to sguild-sancp.conf (for example) and
+add sancp_conf=%%PREFIX%%/etc/sguild-sancp.conf to /etc/rc.conf.
diff --git a/security/sguil-sensor/files/sensor_agent.sh.in b/security/sguil-sensor/files/sensor_agent.sh.in
new file mode 100644
index 000000000000..e87906716d25
--- /dev/null
+++ b/security/sguil-sensor/files/sensor_agent.sh.in
@@ -0,0 +1,46 @@
+#!/bin/sh
+#
+
+# PROVIDE: sensor_agent
+# REQUIRE: DAEMON
+# KEYWORD: FreeBSD shutdown
+
+# Add the following lines to /etc/rc.conf to enable sensor_agent:
+# sensor_agent_enable (bool): Set to YES to enable sensor_agent
+# Default: NO
+# sensor_agent_flags (str): Extra flags passed to sensor_agent
+# Default: -D
+# sensor_agent_conf (str): Sensor_agent configuration file
+# Default: %%PREFIX%%/etc/sensor_agent.conf
+#
+
+. %%RC_SUBR%%
+
+name="sensor_agent"
+rcvar=`set_rcvar`
+command="%%PREFIX%%/bin/%%SGUILDIR%%/sensor_agent.tcl"
+procname="%%PREFIX%%/bin/tclsh8.4"
+check_process="${command} /bin/sh"
+stop_cmd="sensor_agent_stop"
+
+[ -z "$sensor_agent_enable" ] && sensor_agent_enable="NO"
+[ -z "$sensor_agent_conf" ] && sensor_agent_conf="%%PREFIX%%/etc/sensor_agent.conf"
+[ -z "$sensor_agent_flags" ] && sensor_agent_flags="-D"
+
+[ -n "$sensor_agent_conf" ] && sensor_agent_flags="$sensor_agent_flags -c $sensor_agent_conf"
+
+sensor_agent_stop() {
+ if [ -z "${rc_pid}" ]; then
+ echo "${name} not running?"
+ else
+ echo "Stopping ${name}"
+ kill ${sig_stop} ${rc_pid}
+ wait_for_pids ${rc_pid}
+ if [ -f "/var/run/${name}.pid" ]; then
+ `rm -f /var/run/${name}.pid`
+ fi
+ fi
+}
+
+load_rc_config $name
+run_rc_command "$1"
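Review bot: `check_process="${command} /bin/sh"` assigns a variable that rc.subr does not read (check_process is a function there, as far as I recall), so the line is dead; the setting that tells rc.subr how to locate an interpreted script is `command_interpreter="%%PREFIX%%/bin/tclsh8.4"`, which also removes the need for `procname` — with procname set to the bare tclsh8.4 binary, status and stop appear to match any tclsh8.4 process on the host, not only sensor_agent. In sensor_agent_stop, `` `rm -f /var/run/${name}.pid` `` runs rm inside a command substitution and then tries to execute its empty output; it should be plain `rm -f "/var/run/${name}.pid"`. `kill ${sig_stop} ${rc_pid}` also lacks the dash that rc.subr's convention expects (sig_stop holds a bare signal name, default TERM), so `kill -${sig_stop:-TERM} ${rc_pid}` is the form that works whether or not sig_stop is set.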
diff --git a/security/sguil-sensor/pkg-descr b/security/sguil-sensor/pkg-descr
new file mode 100644
index 000000000000..3a75ee67e126
--- /dev/null
+++ b/security/sguil-sensor/pkg-descr
@@ -0,0 +1,17 @@
+Sguil (pronounced "sgweel") is a graphical interface to snort
+(www.snort.org), an open source intrusion detection system.
+The actual interface and GUI server are written in tcl/tk
+(www.tcl.tk). Sguil also relies on other open source software
+in order to function properly.
+
+The sensor list includes security/barnyard, security/snort,
+security/sancp, tcpdump (a part of the OS) and devel/tcltls as
+well as lang/tcl84 and lang/tclX. Care has been taken to ensure
+that everything you need to build a working sguil operation is
+in the FreeBSD ports system or part of the OS already.
+
+Sguil currently functions as an analysis interface and has
+no snort sensor or rule management capabilities.
+
+WWW: http://sguil.sourceforge.net/index.php
+pauls@utdallas.edu
diff --git a/security/sguil-sensor/pkg-plist b/security/sguil-sensor/pkg-plist
new file mode 100644
index 000000000000..4c9ddae4003d
--- /dev/null
+++ b/security/sguil-sensor/pkg-plist
@@ -0,0 +1,6 @@
+bin/%%SGUILDIR%%/log_packets.sh
+bin/%%SGUILDIR%%/sensor_agent.tcl
+etc/log_packets.conf-sample
+%%USESANCP%%etc/sancp.conf-sample
+etc/sensor_agent.conf-sample
+@dirrm bin/%%SGUILDIR%%