[meta-networking,1/3] snort: add recipe

Submitted by chunrong guo on Sept. 23, 2013, 9:06 a.m.

Details

Message ID 1379927191-21769-1-git-send-email-b40290@freescale.com
State Changes Requested

Commit Message

chunrong guo Sept. 23, 2013, 9:06 a.m.
From: Chunrong Guo <B40290@freescale.com>

  *snort - a free lightweight network intrusion detection
         system for UNIX and Windows

Signed-off-by: Chunrong Guo <B40290@freescale.com>
---
 .../recipes-connectivity/snort/files/default       |   42 ++
 .../snort/files/disable-dap-address-space-id.patch |   52 +++
 .../snort/files/disable-inaddr-none.patch          |   75 ++++
 .../recipes-connectivity/snort/files/logrotate     |   12 +
 .../recipes-connectivity/snort/files/snort.init    |  425 ++++++++++++++++++++
 .../recipes-connectivity/snort/files/volatiles     |    2 +
 .../recipes-connectivity/snort/snort_2.9.4.6.bb    |   86 ++++
 7 files changed, 694 insertions(+), 0 deletions(-)
 create mode 100644 meta-networking/recipes-connectivity/snort/files/default
 create mode 100644 meta-networking/recipes-connectivity/snort/files/disable-dap-address-space-id.patch
 create mode 100644 meta-networking/recipes-connectivity/snort/files/disable-inaddr-none.patch
 create mode 100644 meta-networking/recipes-connectivity/snort/files/logrotate
 create mode 100755 meta-networking/recipes-connectivity/snort/files/snort.init
 create mode 100644 meta-networking/recipes-connectivity/snort/files/volatiles
 create mode 100644 meta-networking/recipes-connectivity/snort/snort_2.9.4.6.bb

Patch

diff --git a/meta-networking/recipes-connectivity/snort/files/default b/meta-networking/recipes-connectivity/snort/files/default
new file mode 100644
index 0000000..afd3840
--- /dev/null
+++ b/meta-networking/recipes-connectivity/snort/files/default
@@ -0,0 +1,42 @@ 
+# Parameters for the daemon
+# Add any additional parameteres here.
+PARAMS="-m 027 -D -d "
+#
+# Snort user
+# This user will be used to launch snort. Notice that the 
+# preinst script of the package might do changes to the user 
+# (home directory, User Name) when the package is upgraded or
+# reinstalled.  So, do *not* change this to 'root' or to any other user 
+# unless you are sure there is no problem with those changes being introduced.
+# 
+SNORTUSER="snort"
+#
+# Logging directory
+# Snort logs will be dropped here and this will be the home
+# directory for the SNORTUSER. If you change this value you should
+# change the /etc/logrotate.d/snort definition too, otherwise logs
+# will not be rotated properly.
+#
+LOGDIR="/var/log/snort"
+#
+# Snort group
+# This is the group that the snort user will be added to.
+#
+SNORTGROUP="snort"
+# 
+# Allow Snort's init.d script to work if the configured interfaces
+# are not available. Set this to yes if you configure Snort with
+# multiple interfaces but some might not be available on boot
+# (e.g. wireless interfaces)
+# 
+# Note: In order for this to work the 'iproute' package needs to 
+# be installed.
+ALLOW_UNAVAILABLE="no"
+
+# Local configs
+#
+LOCAL_SNORT_STARTUP=boot
+LOCAL_SNORT_HOME_NET="192.168.0.0/16"
+LOCAL_SNORT_INTERFACE=""
+LOCAL_SNORT_STATS_RCPT="root"
+LOCAL_SNORT_STATS_THRESHOLD="1"
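Review bot: `LOCAL_SNORT_STATS_RCPT` and `LOCAL_SNORT_STATS_THRESHOLD` at the end of this file are never read by `snort.init` (they feed Debian's cron-based stats mailer, which this recipe does not ship), while `LOCAL_SNORT_OPTIONS`, which the init script does expand on its `start-stop-daemon` and `-T` lines, has no entry here; either drop the two unused settings or document `LOCAL_SNORT_OPTIONS=""` in their place. The comment above `SNORTUSER` says a package preinst script may change the user, but in this recipe the user is created by `pkg_postinst` in the `.bb`, so the comment should name that instead. Minor: "parameteres" on the second line.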
diff --git a/meta-networking/recipes-connectivity/snort/files/disable-dap-address-space-id.patch b/meta-networking/recipes-connectivity/snort/files/disable-dap-address-space-id.patch
new file mode 100644
index 0000000..39e5c9c
--- /dev/null
+++ b/meta-networking/recipes-connectivity/snort/files/disable-dap-address-space-id.patch
@@ -0,0 +1,52 @@ 
+Upstream-Status:Inappropriate [embedded specific]
+
+fix the below error:
+checking for dap address space id... configure: 
+configure: error: cannot run test program while cross compiling
+
+
+Signed-off-by: Chunrong Guo <B40290@freescale.com>
+
+--- a/configure.in	2013-08-23 00:06:37.239361932 -0500
++++ b/configure.in	2013-08-23 00:07:32.860266534 -0500
+@@ -679,23 +679,23 @@
+ 
+ AC_CHECK_FUNCS([daq_hup_apply] [daq_acquire_with_meta])
+ 
+-AC_MSG_CHECKING([for daq address space ID])
+-AC_RUN_IFELSE(
+-[AC_LANG_PROGRAM(
+-[[
+-#include <daq.h>
+-]],
+-[[
+-   DAQ_PktHdr_t hdr;
+-   hdr.address_space_id = 0;
+-]])],
+-[have_daq_address_space_id="yes"],
+-[have_daq_address_space_id="no"])
+-AC_MSG_RESULT($have_daq_address_space_id)
+-if test "x$have_daq_address_space_id" = "xyes"; then
+-    AC_DEFINE([HAVE_DAQ_ADDRESS_SPACE_ID],[1],
+-        [DAQ version supports address space ID in header.])
+-fi
++#AC_MSG_CHECKING([for daq address space ID])
++#AC_RUN_IFELSE(
++#[AC_LANG_PROGRAM(
++#[[
++##include <daq.h>
++#]],
++#[[
++#   DAQ_PktHdr_t hdr;
++#   hdr.address_space_id = 0;
++#]])],
++have_daq_address_space_id="yes"
++#[have_daq_address_space_id="no"])
++#AC_MSG_RESULT($have_daq_address_space_id)
++#if test "x$have_daq_address_space_id" = "xyes"; then
++#    AC_DEFINE([HAVE_DAQ_ADDRESS_SPACE_ID],[1],
++#        [DAQ version supports address space ID in header.])
++#fi
+ 
+ # any sparc platform has to have this one defined.
+ AC_MSG_CHECKING(for sparc)
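Review bot: setting `have_daq_address_space_id="yes"` while also commenting out the `if ... AC_DEFINE([HAVE_DAQ_ADDRESS_SPACE_ID],...)` block means the macro is never defined, so this patch does not assume the feature is present, it silently disables it for every DAQ version. The test only checks that `DAQ_PktHdr_t` has an `address_space_id` member, which is a compile-time property, so the cross-compile-safe replacement is `AC_CHECK_MEMBER([DAQ_PktHdr_t.address_space_id], [AC_DEFINE([HAVE_DAQ_ADDRESS_SPACE_ID],[1],[DAQ version supports address space ID in header.])], [], [[#include <daq.h>]])` in place of the `AC_RUN_IFELSE`, with nothing commented out; that form would also be acceptable upstream rather than `Inappropriate`. Also `Upstream-Status:Inappropriate` is missing the space after the colon, and the file name and header say "dap" where the check and the macro say "daq".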
diff --git a/meta-networking/recipes-connectivity/snort/files/disable-inaddr-none.patch b/meta-networking/recipes-connectivity/snort/files/disable-inaddr-none.patch
new file mode 100644
index 0000000..9dafe63
--- /dev/null
+++ b/meta-networking/recipes-connectivity/snort/files/disable-inaddr-none.patch
@@ -0,0 +1,75 @@ 
+Upstream-Status: Inappropriate [embedded specific]
+
+fix the below error:
+checking for INADDR_NONE... configure:
+configure: error: cannot run test program while cross compiling
+
+Signed-off-by: Chunrong Guo <B40290@freescale.com>
+
+
+--- a/configure.in	2013-08-21 03:56:17.197414789 -0500
++++ b/configure.in	2013-08-21 23:19:05.298553560 -0500
+@@ -281,25 +281,7 @@
+ AC_CHECK_TYPES([boolean])
+ 
+ # In case INADDR_NONE is not defined (like on Solaris)
+-have_inaddr_none="no"
+-AC_MSG_CHECKING([for INADDR_NONE])
+-AC_RUN_IFELSE(
+-[AC_LANG_PROGRAM(
+-[[
+-#include <sys/types.h>
+-#include <netinet/in.h>
+-#include <arpa/inet.h>
+-]],
+-[[
+-	if (inet_addr("10,5,2") == INADDR_NONE);
+-    return 0;
+-]])],
+-[have_inaddr_none="yes"],
+-[have_inaddr_none="no"])
+-AC_MSG_RESULT($have_inaddr_none)
+-if test "x$have_inaddr_none" = "xno"; then
+-	AC_DEFINE([INADDR_NONE],[-1],[For INADDR_NONE definition])
+-fi
++have_inaddr_none="yes"
+ 
+ AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
+ #include <stdio.h>
+@@ -397,21 +379,21 @@
+   fi
+ fi
+ 
+-AC_MSG_CHECKING([for pcap_lex_destroy])
+-AC_RUN_IFELSE(
+-[AC_LANG_PROGRAM(
+-[[
+-#include <pcap.h>
+-]],
+-[[
+-   pcap_lex_destroy();
+-]])],
+-[have_pcap_lex_destroy="yes"],
+-[have_pcap_lex_destroy="no"])
+-AC_MSG_RESULT($have_pcap_lex_destroy)
+-if test "x$have_pcap_lex_destroy" = "xyes"; then
+-    AC_DEFINE([HAVE_PCAP_LEX_DESTROY],[1],[Can cleanup lex buffer stack created by pcap bpf filter])
+-fi
++#AC_MSG_CHECKING([for pcap_lex_destroy])
++#AC_RUN_IFELSE(
++#[AC_LANG_PROGRAM(
++#[[
++##include <pcap.h>
++#]],
++#[[
++#   pcap_lex_destroy();
++#]])],
++have_pcap_lex_destroy="yes"
++#[have_pcap_lex_destroy="no"])
++#AC_MSG_RESULT($have_pcap_lex_destroy)
++#if test "x$have_pcap_lex_destroy" = "xyes"; then
++#    AC_DEFINE([HAVE_PCAP_LEX_DESTROY],[1],[Can cleanup lex buffer stack created by pcap bpf filter])
++#fi
+ 
+ AC_MSG_CHECKING([for pcap_lib_version])
+ AC_LINK_IFELSE(
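Review bot: the second hunk (`@@ -397,21 +379,21 @@`) changes the `pcap_lex_destroy` check, which the header above ("fix the below error: checking for INADDR_NONE") does not mention, and it has the same flaw as the DAQ patch: `have_pcap_lex_destroy="yes"` is set but the `AC_DEFINE([HAVE_PCAP_LEX_DESTROY],...)` is commented out, so the lex-buffer cleanup is disabled rather than enabled. Since that test only needs the function to link, `AC_LINK_IFELSE` (already used for `pcap_lib_version` directly below) is the cross-compile-safe form; likewise the `INADDR_NONE` test only needs the symbol to compile, so `AC_COMPILE_IFELSE` keeps the check instead of hard-coding `have_inaddr_none="yes"` (correct for glibc, but no longer verified). Please split this into two patches, or at least describe both changes in the header.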
diff --git a/meta-networking/recipes-connectivity/snort/files/logrotate b/meta-networking/recipes-connectivity/snort/files/logrotate
new file mode 100644
index 0000000..ef3e4af
--- /dev/null
+++ b/meta-networking/recipes-connectivity/snort/files/logrotate
@@ -0,0 +1,12 @@ 
+/var/log/snort/*.log /var/log/snort/alert {
+    size 1M
+    missingok
+    compress
+    delaycompress
+    rotate 10
+    sharedscripts
+    postrotate
+	/etc/init.d/snort restart
+    endscript
+}
+
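Review bot: `postrotate` calls `/etc/init.d/snort restart`, which in `snort.init` runs `$0 stop` and `$0 start` for every interface, so each rotation (every time the files pass `size 1M`) kills and relaunches the sensor and leaves a short window with no packet capture. If that is acceptable it should be stated in a comment; the alternative is `copytruncate`, which needs no restart but can lose lines written between the copy and the truncate. The `/etc/init.d/snort restart` line is tab-indented while the rest of the block uses four spaces, and the file ends with an extra blank line.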
diff --git a/meta-networking/recipes-connectivity/snort/files/snort.init b/meta-networking/recipes-connectivity/snort/files/snort.init
new file mode 100755
index 0000000..af66619
--- /dev/null
+++ b/meta-networking/recipes-connectivity/snort/files/snort.init
@@ -0,0 +1,425 @@ 
+#!/bin/sh -e
+#
+# Init.d script for Snort in OpenEmbedded, based on Debian's script
+#
+# Copyright (c) 2009 Roman I Khimov <khimov@altell.ru>
+#
+# Copyright (c) 2001 Christian Hammers 
+# Copyright (c) 2001-2002 Robert van der Meulen
+# Copyright (c) 2002-2004 Sander Smeenk <ssmeenk@debian.org>
+# Copyright (c) 2004-2007 Javier Fernandez-Sanguino <jfs@debian.org>
+#
+# This is free software; you may redistribute it and/or modify
+# it under the terms of the GNU General Public License as
+# published by the Free Software Foundation; either version 2,
+# or (at your option) any later version.
+#
+# This is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License with
+# the Debian operating system, in /usr/share/common-licenses/GPL;  if
+# not, write to the Free Software Foundation, Inc., 59 Temple Place,
+# Suite 330, Boston, MA 02111-1307 USA
+#
+### BEGIN INIT INFO
+# Provides:          snort
+# Required-Start:    $time $network $local_fs
+# Required-Stop:     
+# Should-Start:      $syslog
+# Should-Stop:       
+# Default-Start:     2 3 4 5
+# Default-Stop:      0 1 6
+# Short-Description: Lightweight network intrusion detection system
+# Description:       Intrusion detection system that will
+#                    capture traffic from the network cards and will
+#                    match against a set of known attacks.
+### END INIT INFO
+
+PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
+
+test $DEBIAN_SCRIPT_DEBUG && set -v -x
+
+DAEMON=/usr/bin/snort
+NAME=snort
+DESC="Network Intrusion Detection System"
+
+. /etc/default/snort
+COMMON="$PARAMS -l $LOGDIR -u $SNORTUSER -g $SNORTGROUP"
+
+test -x $DAEMON || exit 0
+test -z "$LOCAL_SNORT_HOME_NET" && LOCAL_SNORT_HOME_NET="192.168.0.0/16"
+
+# to find the lib files
+cd /etc/snort
+
+running()
+{
+        PIDFILE=$1
+# No pidfile, probably no daemon present
+        [ ! -f "$PIDFILE" ] && return 1
+        pid=`cat $PIDFILE`
+# No pid, probably no daemon present
+        [ -z "$pid" ] && return 1
+        [ ! -d /proc/$pid ] &&  return 1
+        cmd=`cat /proc/$pid/cmdline | tr "\000" "\n"|head -n 1 |cut -d : -f 1`
+# No daemon
+        [ "$cmd" != "$DAEMON" ] &&  return 1
+        return 0
+}
+
+
+check_log_dir() {
+# Does the logging directory belong to Snort?
+	# If we cannot determine the logdir return without error
+	# (we will not check it)
+	# This will only be used by people using /etc/default/snort
+	[ -n "$LOGDIR" ] || return 0
+	[ -n "$SNORTUSER" ] || return 0
+	if [ ! -e "$LOGDIR" ] ; then
+		echo "ERR: logging directory $LOGDIR does not exist"
+		return 1
+	elif [ ! -d "$LOGDIR" ] ; then
+		echo "ERR: logging directory $LOGDIR does not exist"
+		return 1
+	else
+		# Don't worry, be happy
+		true
+	fi
+	return 0
+}
+
+check_root()  {
+    if [ "$(id -u)" != "0" ]; then
+        echo "You must be root to start, stop or restart $NAME."
+        exit 4
+    fi
+}
+
+case "$1" in
+  start)
+        check_root
+	echo "Starting $DESC " "$NAME"
+
+        if [ -e /etc/snort/db-pending-config ] ; then
+		echo "/etc/snort/db-pending-config file found"
+		echo "Snort will not start as its database is not yet configured."
+		echo "Please configure the database as described in"
+		echo "/usr/share/doc/snort-{pgsql,mysql}/README-database.Debian"
+		echo "and remove /etc/snort/db-pending-config"
+		exit 6
+	fi
+
+        if ! check_log_dir; then
+		echo " will not start $DESC!"
+		exit 5
+	fi
+	if [ "$LOCAL_SNORT_STARTUP" = "dialup" ]; then
+		shift
+		set +e
+		/etc/ppp/ip-up.d/snort "$@"
+		ret=$?
+                if  [ $ret -eq 0 ] ; then
+                  echo 0
+                else
+                  echo 1
+                fi
+		exit $ret
+	fi
+
+	# Usually, we start all interfaces
+	interfaces="$LOCAL_SNORT_INTERFACE"
+
+	# If we are requested to start a specific interface...
+	test "$2" && interfaces="$2"
+
+        # If the interfaces list is empty stop (no error)
+        if [ -z "$interfaces" ] ; then
+            echo "no interfaces configured, will not start"
+            echo 0
+            exit 0
+        fi
+
+	myret=0
+	got_instance=0
+	for interface in $interfaces; do
+		got_instance=1
+		echo "($interface"
+
+                # Check if the interface is available:
+                # - only if iproute is available
+                # - the interface exists 
+                # - the interface is up
+                if ! [ -x /sbin/ip ] || ( ip link show dev "$interface" >/dev/null 2>&1 && [ -n "`ip link show up "$interface" 2>/dev/null`" ] ) ; then
+
+		PIDFILE=/var/run/snort_$interface.pid
+                CONFIGFILE=/etc/snort/snort.$interface.conf
+
+                # Defaults:
+		fail="failed (check /var/log/syslog and /var/log/snort)"
+                run="yes"
+
+                if [ -e "$PIDFILE" ] && running $PIDFILE; then
+                        run="no" 
+                        # Do not start this instance, it is already runing
+                fi
+
+                if [ "$run" = "yes" ] ; then
+                    if [ ! -e "$CONFIGFILE" ]; then
+                        echo "no /etc/snort/snort.$interface.conf found, defaulting to snort.conf"
+                        CONFIGFILE=/etc/snort/snort.conf
+                    fi
+
+                    set +e
+                    /sbin/start-stop-daemon --start --quiet  \
+                        --pidfile "$PIDFILE" \
+                        --exec $DAEMON -- $COMMON $LOCAL_SNORT_OPTIONS \
+                        -c $CONFIGFILE \
+                        -S "HOME_NET=[$LOCAL_SNORT_HOME_NET]" \
+                        -i $interface >/dev/null
+                    ret=$?
+                    case "$ret" in
+			0)
+                                echo  "...done)"
+				;;
+			*)
+				echo "...ERROR: $fail)"
+				myret=$(expr "$myret" + 1)
+				;;
+                     esac
+                     set -e
+                else
+                        echo "...already running)"
+                fi
+
+                else
+                # What to do if the interface is not available
+                # or is not up
+                        if [ "$ALLOW_UNAVAILABLE" != "no" ] ; then 
+                            echo "...interface not available)"
+                        else 
+                            echo "...ERROR: interface not available)"
+                            myret=$(expr "$myret" + 1)
+                        fi
+                fi
+	done
+
+	if [ "$got_instance" = 0 ] && [ "$ALLOW_UNAVAILABLE" = "no" ]; then
+		echo "No snort instance found to be started!" >&2
+		exit 6
+	fi
+
+        if  [ $myret -eq 0 ] ; then
+            echo 0
+        else
+            echo 1
+        fi
+	exit $myret
+	;;
+  stop)
+        check_root
+        echo "Stopping $DESC " "$NAME"
+    
+	if [ "$LOCAL_SNORT_STARTUP" = "dialup" ]; then
+		shift
+		set +e
+		/etc/ppp/ip-down.d/snort "$@"
+		ret=$?
+                if  [ $ret -eq 0 ] ; then
+                    echo 0
+                else
+                  echo 1
+                fi
+		exit $ret
+	fi
+
+	# Usually, we stop all current running interfaces
+	pidpattern=/var/run/snort_*.pid
+
+	# If we are requested to stop a specific interface...
+	test "$2" && pidpattern=/var/run/snort_"$2".pid
+
+	got_instance=0
+        myret=0
+	for PIDFILE in $pidpattern; do
+		# This check is also needed, if the above pattern doesn't match
+		test -f "$PIDFILE" || continue
+
+		got_instance=1
+		interface=$(basename "$PIDFILE" .pid | sed -e 's/^snort_//')
+
+		echo "($interface"
+
+		set +e
+                if [ ! -e "$PIDFILE" -o -r "$PIDFILE" ] ; then
+# Change ownership of the pidfile
+		    /sbin/start-stop-daemon --stop --retry 5 --quiet --oknodo \
+			--pidfile "$PIDFILE" --exec $DAEMON >/dev/null
+                    ret=$?
+                    rm -f "$PIDFILE"
+                    rm -f "$PIDFILE.lck"
+                else
+                     echo "cannot read $PIDFILE"
+                     ret=4
+                fi
+		case "$ret" in
+			0)
+                                echo  "...done)"
+				;;
+			*)
+				echo "...ERROR)"
+				myret=$(expr "$myret" + 1)
+				;;
+		esac
+                set -e
+
+	done
+
+	if [ "$got_instance" = 0 ]; then
+		log_warning_msg "No running snort instance found"
+                exit 0 # LSB demands we don't exit with error here
+	fi
+        if  [ $myret -eq 0 ] ; then
+            echo 0
+        else
+            echo 1
+        fi
+	exit $myret
+	;;
+  restart|force-restart|reload|force-reload)
+        check_root
+	# Usually, we restart all current running interfaces
+	pidpattern=/var/run/snort_*.pid
+
+	# If we are requested to restart a specific interface...
+	test "$2" && pidpattern=/var/run/snort_"$2".pid
+
+	got_instance=0
+	for PIDFILE in $pidpattern; do
+		# This check is also needed, if the above pattern doesn't match
+		test -f "$PIDFILE" || continue
+
+		got_instance=1
+		interface=$(basename "$PIDFILE" .pid | sed -e 's/^snort_//')
+		$0 stop $interface || true
+		$0 start $interface || true
+	done
+
+	if [ "$got_instance" = 0 ]; then
+		echo "No snort instance found to be stopped!" >&2
+                exit 6
+	fi
+	;;
+  status)
+# Non-root users can use this (if allowed to)
+        echo "Status of snort daemon(s)"
+	interfaces="$LOCAL_SNORT_INTERFACE"
+	# If we are requested to check for a specific interface...
+	test "$2" && interfaces="$2"
+        err=0
+        pid=0
+	for interface in $interfaces; do
+                echo " $interface "
+                pidfile=/var/run/snort_$interface.pid
+                if [ -f  "$pidfile" ] ; then
+                        if [ -r "$pidfile" ] ; then
+                            pidval=`cat $pidfile`
+                            pid=$(expr "$pid" + 1)
+                            if ps -p $pidval | grep -q snort; then
+                                echo "OK"
+                            else
+				echo "ERROR"
+				err=$(expr "$err" + 1)
+			    fi
+                         else
+	       		     echo "ERROR: cannot read status file"
+                             err=$(expr "$err" + 1)
+                         fi
+                 else
+                       echo "ERROR"
+                       err=$(expr "$err" + 1)
+                 fi
+        done
+        if [ $err -ne 0 ] ; then
+            if [ $pid -ne 0 ] ; then
+# More than one case where pidfile exists but no snort daemon
+# LSB demands a '1' exit value here
+                echo  1
+                exit 1
+            else
+# No pidfiles at all
+# LSB demands a '3' exit value here
+                echo  3
+                exit 3
+            fi
+        fi
+        echo  0
+        ;;
+  config-check)
+        echo "Checking $DESC configuration" 
+	if [ "$LOCAL_SNORT_STARTUP" = "dialup" ]; then
+		echo "Config-check is currently not supported for snort in Dialup configuration"
+                echo  3
+                exit 3
+	fi
+
+	# usually, we test all interfaces
+	interfaces="$LOCAL_SNORT_INTERFACE"
+	# if we are requested to test a specific interface...
+	test "$2" && interfaces="$2"
+
+	myret=0
+	got_instance=0
+	for interface in $interfaces; do
+		got_instance=1
+		echo "interface $interface"
+
+		CONFIGFILE=/etc/snort/snort.$interface.conf
+		if [ ! -e "$CONFIGFILE" ]; then
+			CONFIGFILE=/etc/snort/snort.conf
+		fi
+		COMMON=`echo $COMMON | sed -e 's/-D//'`
+		set +e
+                fail="INVALID"
+		if [ -r "$CONFIGFILE" ]; then
+                    $DAEMON -T $COMMON $LOCAL_SNORT_OPTIONS \
+			-c $CONFIGFILE \
+			-S "HOME_NET=[$LOCAL_SNORT_HOME_NET]" \
+			-i $interface >/dev/null 2>&1
+                    ret=$?
+                else
+                    fail="cannot read $CONFIGFILE"
+                    ret=4
+                fi
+		set -e
+
+		case "$ret" in
+			0)
+                                echo "OK"
+				;;
+			*)
+                                echo "$fail"
+				myret=$(expr "$myret" + 1)
+				;;
+		esac
+	done
+	if [ "$got_instance" = 0 ]; then
+		echo "no snort instance found to be started!" >&2
+		exit 6
+	fi
+
+        if  [ $myret -eq 0 ] ; then
+            echo 0
+        else
+            echo 1
+        fi
+	exit $myret
+	;;
+  *)
+	echo "Usage: $0 {start|stop|restart|force-restart|reload|force-reload|status|config-check}"
+	exit 1
+	;;
+esac
+exit 0
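Review bot: `log_warning_msg` in the `stop` branch (`"No running snort instance found"`) comes from Debian's `/lib/lsb/init-functions`, which this script never sources, so under `#!/bin/sh -e` a `stop` with nothing running dies with "command not found" instead of the `exit 0` the LSB comment right below it asks for; `echo "No running snort instance found" >&2` is the fix. Other leftovers from the Debian conversion: the bare `echo 0` / `echo 1` pairs that replaced `log_end_msg` print stray digits to the console, and the comment `# Change ownership of the pidfile` in `stop` describes nothing the code does. In `check_log_dir` the header comment promises to verify that the log directory belongs to Snort, but only existence is tested (`$SNORTUSER` is required non-empty and then never used), and the `! -d` branch repeats "does not exist" where "is not a directory" is meant. Finally, `status` with an empty `LOCAL_SNORT_INTERFACE` runs zero iterations and reports `0`, i.e. healthy, with no instance running; `start` already handles that case explicitly and `status` should too (the script's own comments note that LSB wants `3` for "not running").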
diff --git a/meta-networking/recipes-connectivity/snort/files/volatiles b/meta-networking/recipes-connectivity/snort/files/volatiles
new file mode 100644
index 0000000..e3ab51d
--- /dev/null
+++ b/meta-networking/recipes-connectivity/snort/files/volatiles
@@ -0,0 +1,2 @@ 
+# <type> <owner> <group> <mode> <path> <linksource>
+d snort snort 0755 /var/log/snort none
\ No newline at end of file
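Review bot: `/var/log/snort` is created `0755`, so any local user can list the alert and log file names; the `-m 027` in `PARAMS` already makes the files themselves `0640`, and `0750 snort snort` brings the directory in line with that umask at no cost (logrotate runs as root and snort owns the directory). The same directory is also created at build time by `mkdir -p ${D}/${localstatedir}/log/snort` in `do_install_append`, so the two should be reconciled; volatiles is the right place for a directory under `/var`, particularly on a read-only or tmpfs rootfs. The file is also missing its trailing newline.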
diff --git a/meta-networking/recipes-connectivity/snort/snort_2.9.4.6.bb b/meta-networking/recipes-connectivity/snort/snort_2.9.4.6.bb
new file mode 100644
index 0000000..5a165ef
--- /dev/null
+++ b/meta-networking/recipes-connectivity/snort/snort_2.9.4.6.bb
@@ -0,0 +1,86 @@ 
+DESCRIPTION = "snort - a free lightweight network intrusion detection system for UNIX and Windows."
+HOMEPAGE = "http://www.snort.org/"
+LICENSE = "GPL"
+LIC_FILES_CHKSUM = "file://COPYING;md5=78fa8ef966b48fbf9095e13cc92377c5"
+
+DEPENDS = "libpcap libpcre daq libdnet"
+
+SRC_URI = " ${GENTOO_MIRROR}/${BP}.tar.gz;name=tarball \
+            file://disable-inaddr-none.patch \
+            file://disable-dap-address-space-id.patch \ 
+	    file://snort.init \
+	    file://default \
+            file://logrotate \
+	    file://volatiles \
+          "
+SRC_URI[tarball.md5sum] = "4111df01a4f21bd1d328a18b76d625bd"
+SRC_URI[tarball.sha256sum] = "cfaa5390b1840aaaa68a6c05a7077dd92cb916e6186a014baa451d43cdb0b3bc"
+
+inherit autotools  gettext 
+
+EXTRA_OECONF = " \
+	--enable-gre \    
+	--enable-linux-smp-stats \
+	--enable-reload \
+	--enable-reload-error-restart \
+	--enable-targetbased \
+	--disable-static-daq \
+	"
+
+do_install_append() {
+	install -d ${D}/${sysconfdir}/snort/rules
+	install -d ${D}/${sysconfdir}/snort/preproc_rules
+	install -d ${D}/${sysconfdir}/default/volatiles
+	mkdir -p ${D}/${sysconfdir}/init.d
+	for i in map config conf dtd; do
+		cp ${S}/etc/*.$i ${D}/${sysconfdir}/snort/
+	done
+	cp ${S}/preproc_rules/*.rules ${D}/${sysconfdir}/snort/preproc_rules/
+	install -m 0644 ${WORKDIR}/default ${D}/${sysconfdir}/default/snort
+	install -m 0644 ${WORKDIR}/volatiles ${D}/${sysconfdir}/default/volatiles/snort
+	install -m 0755 ${WORKDIR}/snort.init ${D}/${sysconfdir}/init.d/snort
+	mkdir -p ${D}/${localstatedir}/log/snort
+	install -d ${D}${sysconfdir}/logrotate.d
+	install -m 0644 ${WORKDIR}/logrotate ${D}${sysconfdir}/logrotate.d/snort
+}
+
+pkg_postinst_${PN}() {
+	grep -q ^snort: /etc/group || addgroup snort
+	grep -q ^snort: /etc/passwd || \
+		adduser --disabled-password --home=/var/log/snort/ --system \
+			--ingroup snort --no-create-home -g "snort" snort
+	${sysconfdir}/init.d/populate-volatile.sh update
+}
+
+PACKAGES =+ "${PN}-logrotate"
+FILES_${PN}-logrotate = "${sysconfdir}/logrotate.d/snort"
+FILES_${PN} += " \
+	${libdir}/snort_dynamicengine/*.so.* \
+	${libdir}/snort_dynamicpreprocessor/*.so.* \
+	${libdir}/snort_dynamicrules/*.so.* \
+	"
+FILES_${PN}-dbg += " \
+	${libdir}/snort_dynamicengine/.debug \
+	${libdir}/snort_dynamicpreprocessor/.debug \
+	${libdir}/snort_dynamicrules/.debug \
+	"
+FILES_${PN}-staticdev += " \
+	${libdir}/snort_dynamicengine/*.a \
+	${libdir}/snort_dynamicpreprocessor/*.a \
+	${libdir}/snort_dynamicrules/*.a \
+	${libdir}/snort/dynamic_preproc/*.a \
+	${libdir}/snort/dynamic_output/*.a \
+	"
+FILES_${PN}-dev += " \
+	${libdir}/snort_dynamicengine/*.la \
+	${libdir}/snort_dynamicpreprocessor/*.la \
+	${libdir}/snort_dynamicrules/*.la \
+	${libdir}/snort_dynamicengine/*.so \
+	${libdir}/snort_dynamicpreprocessor/*.so \
+	${libdir}/snort_dynamicrules/*.so \
+	${prefix}/src/snort_dynamicsrc \
+	"
+
+RRECOMMENDS_${PN} += "${PN}-logrotate"
+RRECOMMENDS_${PN} += "barnyard"
+RSUGGESTS_${PN}-logrotate += "logrotate"
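Review bot: `pkg_postinst_${PN}` runs `addgroup`, `adduser` and `populate-volatile.sh` with no `$D` guard, so during `do_rootfs` they execute on the build host against the host's `/etc/group` and `/etc/passwd` instead of on the target. The minimal fix is `if [ -n "$D" ]; then exit 1; fi` at the top to defer to first boot; the better one is `inherit useradd` with `USERADD_PACKAGES = "${PN}"`, `GROUPADD_PARAM_${PN}` and `USERADD_PARAM_${PN}`, so the user exists at rootfs time and the postinst shrinks to the `populate-volatile.sh update` call (itself only needed when `$D` is unset). The `-Wpoison-system-directories` warnings about `/usr/include/pcap` mean configure is finding the host libpcap; snort's configure accepts `--with-libpcap-includes=${STAGING_INCDIR}` and `--with-libpcap-libraries=${STAGING_LIBDIR}`, which belong in `EXTRA_OECONF`. `LICENSE = "GPL"` should be the specific identifier (Snort 2.x is GPLv2, so `GPL-2.0`), `mkdir -p ${D}/${localstatedir}/log/snort` duplicates the volatiles entry, and the trailing spaces after the `\` on the `disable-dap-address-space-id.patch` and `--enable-gre` lines are the whitespace issues already raised.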

Comments

Joe MacDonald Sept. 23, 2013, 4:58 p.m.
Hi Chunrong,

A few things with this one.

- can you be more specific with the LICENSE?

   WARNING: snort: No generic license file exists for: GPL in any provider

- my test build generated QA errors due to host libraries being used in
  the build:

   cc1: warning: include location "/usr/include/pcap" is unsafe for cross-compilation [-Wpoison-system-directories]
   cc1: warning: include location "/usr/include/pcap" is unsafe for cross-compilation [-Wpoison-system-directories]
   cc1: warning: include location "/usr/include/pcap" is unsafe for cross-compilation [-Wpoison-system-directories]
   cc1: warning: include location "/usr/include/pcap" is unsafe for cross-compilation [-Wpoison-system-directories]

- Is the pkg_postinst_${PN} action really necessary?  Can't you
  accomplish the same thing by inheriting useradd?  At worst, I think
  you'll only need the last line, directly invoking
  populate-volatile.sh.  Could be mistaken on that, though.

- Can you take another pass through the recipe itself, please?  There's
  some inconsistent formatting (specifically around SRC_URI) and
  minor whitespace issues (around EXTRA_OECONF, for sure, maybe
  elsewhere, I've only done a quick scan).

- While we're on the topic, I hate to ask, but any chance we could fix
  up the formatting on the initscript itself?  It's an indentation
  disaster.  Not your fault, I know, but I don't know that we'll ever go
  back to taking the debian one again and I'd rather it be clean for
  anyone who comes along later.

- There's one minor inconsistency in the logrotate file, too, can you
  make them all space-indented or all tab-indented please?

Thanks,

-J.

[[oe] [meta-networking][PATCH 1/3] snort: add recipe] On 13.09.23 (Mon 17:06) b40290@freescale.com wrote:

> From: Chunrong Guo <B40290@freescale.com>
> 
>   *snort - a free lightweight network intrusion detection
>          system for UNIX and Windows
> 
> Signed-off-by: Chunrong Guo <B40290@freescale.com>
> ---
>  .../recipes-connectivity/snort/files/default       |   42 ++
>  .../snort/files/disable-dap-address-space-id.patch |   52 +++
>  .../snort/files/disable-inaddr-none.patch          |   75 ++++
>  .../recipes-connectivity/snort/files/logrotate     |   12 +
>  .../recipes-connectivity/snort/files/snort.init    |  425 ++++++++++++++++++++
>  .../recipes-connectivity/snort/files/volatiles     |    2 +
>  .../recipes-connectivity/snort/snort_2.9.4.6.bb    |   86 ++++
>  7 files changed, 694 insertions(+), 0 deletions(-)
>  create mode 100644 meta-networking/recipes-connectivity/snort/files/default
>  create mode 100644 meta-networking/recipes-connectivity/snort/files/disable-dap-address-space-id.patch
>  create mode 100644 meta-networking/recipes-connectivity/snort/files/disable-inaddr-none.patch
>  create mode 100644 meta-networking/recipes-connectivity/snort/files/logrotate
>  create mode 100755 meta-networking/recipes-connectivity/snort/files/snort.init
>  create mode 100644 meta-networking/recipes-connectivity/snort/files/volatiles
>  create mode 100644 meta-networking/recipes-connectivity/snort/snort_2.9.4.6.bb
> 
> diff --git a/meta-networking/recipes-connectivity/snort/files/default b/meta-networking/recipes-connectivity/snort/files/default
> new file mode 100644
> index 0000000..afd3840
> --- /dev/null
> +++ b/meta-networking/recipes-connectivity/snort/files/default
> @@ -0,0 +1,42 @@
> +# Parameters for the daemon
> +# Add any additional parameteres here.
> +PARAMS="-m 027 -D -d "
> +#
> +# Snort user
> +# This user will be used to launch snort. Notice that the 
> +# preinst script of the package might do changes to the user 
> +# (home directory, User Name) when the package is upgraded or
> +# reinstalled.  So, do *not* change this to 'root' or to any other user 
> +# unless you are sure there is no problem with those changes being introduced.
> +# 
> +SNORTUSER="snort"
> +#
> +# Logging directory
> +# Snort logs will be dropped here and this will be the home
> +# directory for the SNORTUSER. If you change this value you should
> +# change the /etc/logrotate.d/snort definition too, otherwise logs
> +# will not be rotated properly.
> +#
> +LOGDIR="/var/log/snort"
> +#
> +# Snort group
> +# This is the group that the snort user will be added to.
> +#
> +SNORTGROUP="snort"
> +# 
> +# Allow Snort's init.d script to work if the configured interfaces
> +# are not available. Set this to yes if you configure Snort with
> +# multiple interfaces but some might not be available on boot
> +# (e.g. wireless interfaces)
> +# 
> +# Note: In order for this to work the 'iproute' package needs to 
> +# be installed.
> +ALLOW_UNAVAILABLE="no"
> +
> +# Local configs
> +#
> +LOCAL_SNORT_STARTUP=boot
> +LOCAL_SNORT_HOME_NET="192.168.0.0/16"
> +LOCAL_SNORT_INTERFACE=""
> +LOCAL_SNORT_STATS_RCPT="root"
> +LOCAL_SNORT_STATS_THRESHOLD="1"
> diff --git a/meta-networking/recipes-connectivity/snort/files/disable-dap-address-space-id.patch b/meta-networking/recipes-connectivity/snort/files/disable-dap-address-space-id.patch
> new file mode 100644
> index 0000000..39e5c9c
> --- /dev/null
> +++ b/meta-networking/recipes-connectivity/snort/files/disable-dap-address-space-id.patch
> @@ -0,0 +1,52 @@
> +Upstream-Status:Inappropriate [embedded specific]
> +
> +fix the below error:
> +checking for dap address space id... configure: 
> +configure: error: cannot run test program while cross compiling
> +
> +
> +Signed-off-by: Chunrong Guo <B40290@freescale.com>
> +
> +--- a/configure.in	2013-08-23 00:06:37.239361932 -0500
> ++++ b/configure.in	2013-08-23 00:07:32.860266534 -0500
> +@@ -679,23 +679,23 @@
> + 
> + AC_CHECK_FUNCS([daq_hup_apply] [daq_acquire_with_meta])
> + 
> +-AC_MSG_CHECKING([for daq address space ID])
> +-AC_RUN_IFELSE(
> +-[AC_LANG_PROGRAM(
> +-[[
> +-#include <daq.h>
> +-]],
> +-[[
> +-   DAQ_PktHdr_t hdr;
> +-   hdr.address_space_id = 0;
> +-]])],
> +-[have_daq_address_space_id="yes"],
> +-[have_daq_address_space_id="no"])
> +-AC_MSG_RESULT($have_daq_address_space_id)
> +-if test "x$have_daq_address_space_id" = "xyes"; then
> +-    AC_DEFINE([HAVE_DAQ_ADDRESS_SPACE_ID],[1],
> +-        [DAQ version supports address space ID in header.])
> +-fi
> ++#AC_MSG_CHECKING([for daq address space ID])
> ++#AC_RUN_IFELSE(
> ++#[AC_LANG_PROGRAM(
> ++#[[
> ++##include <daq.h>
> ++#]],
> ++#[[
> ++#   DAQ_PktHdr_t hdr;
> ++#   hdr.address_space_id = 0;
> ++#]])],
> ++have_daq_address_space_id="yes"
> ++#[have_daq_address_space_id="no"])
> ++#AC_MSG_RESULT($have_daq_address_space_id)
> ++#if test "x$have_daq_address_space_id" = "xyes"; then
> ++#    AC_DEFINE([HAVE_DAQ_ADDRESS_SPACE_ID],[1],
> ++#        [DAQ version supports address space ID in header.])
> ++#fi
> + 
> + # any sparc platform has to have this one defined.
> + AC_MSG_CHECKING(for sparc)
> diff --git a/meta-networking/recipes-connectivity/snort/files/disable-inaddr-none.patch b/meta-networking/recipes-connectivity/snort/files/disable-inaddr-none.patch
> new file mode 100644
> index 0000000..9dafe63
> --- /dev/null
> +++ b/meta-networking/recipes-connectivity/snort/files/disable-inaddr-none.patch
> @@ -0,0 +1,75 @@
> +Upstream-Status: Inappropriate [embedded specific]
> +
> +fix the below error:
> +checking for INADDR_NONE... configure:
> +configure: error: cannot run test program while cross compiling
> +
> +Signed-off-by: Chunrong Guo <B40290@freescale.com>
> +
> +
> +--- a/configure.in	2013-08-21 03:56:17.197414789 -0500
> ++++ b/configure.in	2013-08-21 23:19:05.298553560 -0500
> +@@ -281,25 +281,7 @@
> + AC_CHECK_TYPES([boolean])
> + 
> + # In case INADDR_NONE is not defined (like on Solaris)
> +-have_inaddr_none="no"
> +-AC_MSG_CHECKING([for INADDR_NONE])
> +-AC_RUN_IFELSE(
> +-[AC_LANG_PROGRAM(
> +-[[
> +-#include <sys/types.h>
> +-#include <netinet/in.h>
> +-#include <arpa/inet.h>
> +-]],
> +-[[
> +-	if (inet_addr("10,5,2") == INADDR_NONE);
> +-    return 0;
> +-]])],
> +-[have_inaddr_none="yes"],
> +-[have_inaddr_none="no"])
> +-AC_MSG_RESULT($have_inaddr_none)
> +-if test "x$have_inaddr_none" = "xno"; then
> +-	AC_DEFINE([INADDR_NONE],[-1],[For INADDR_NONE definition])
> +-fi
> ++have_inaddr_none="yes"
> + 
> + AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
> + #include <stdio.h>
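Review bot: hard-coding have_inaddr_none="yes" removes the fallback AC_DEFINE([INADDR_NONE],[-1]) for every target rather than answering the question the probe asks; the probe needs no execution, only the macro's presence, so AC_COMPILE_IFELSE (or AC_CHECK_DECL([INADDR_NONE], ..., [[#include <netinet/in.h>]])) gives the correct answer when cross-compiling. If the intent is to keep AC_RUN_IFELSE, its fourth argument is the cross-compiling branch, so the minimal fix is `[have_inaddr_none="yes"]` there instead of deleting the check. A compile-time probe would also let the header read something better than `Upstream-Status: Inappropriate [embedded specific]`, since the fix is not embedded-specific.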
> +@@ -397,21 +379,21 @@
> +   fi
> + fi
> + 
> +-AC_MSG_CHECKING([for pcap_lex_destroy])
> +-AC_RUN_IFELSE(
> +-[AC_LANG_PROGRAM(
> +-[[
> +-#include <pcap.h>
> +-]],
> +-[[
> +-   pcap_lex_destroy();
> +-]])],
> +-[have_pcap_lex_destroy="yes"],
> +-[have_pcap_lex_destroy="no"])
> +-AC_MSG_RESULT($have_pcap_lex_destroy)
> +-if test "x$have_pcap_lex_destroy" = "xyes"; then
> +-    AC_DEFINE([HAVE_PCAP_LEX_DESTROY],[1],[Can cleanup lex buffer stack created by pcap bpf filter])
> +-fi
> ++#AC_MSG_CHECKING([for pcap_lex_destroy])
> ++#AC_RUN_IFELSE(
> ++#[AC_LANG_PROGRAM(
> ++#[[
> ++##include <pcap.h>
> ++#]],
> ++#[[
> ++#   pcap_lex_destroy();
> ++#]])],
> ++have_pcap_lex_destroy="yes"
> ++#[have_pcap_lex_destroy="no"])
> ++#AC_MSG_RESULT($have_pcap_lex_destroy)
> ++#if test "x$have_pcap_lex_destroy" = "xyes"; then
> ++#    AC_DEFINE([HAVE_PCAP_LEX_DESTROY],[1],[Can cleanup lex buffer stack created by pcap bpf filter])
> ++#fi
> + 
> + AC_MSG_CHECKING([for pcap_lib_version])
> + AC_LINK_IFELSE(
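Review bot: have_pcap_lex_destroy="yes" is assigned but the `if` that turns it into AC_DEFINE([HAVE_PCAP_LEX_DESTROY]) is commented out, so HAVE_PCAP_LEX_DESTROY is never defined and Snort loses the lex buffer cleanup even on a libpcap that provides it; the two halves of the hunk contradict each other. The probe is a link test, not a behaviour test (it just calls `pcap_lex_destroy();`), so it can use AC_LINK_IFELSE exactly like the pcap_lib_version check that follows in the context lines; that works when cross-compiling and keeps the define tied to the libpcap actually in the sysroot rather than to a hard-coded answer.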
> diff --git a/meta-networking/recipes-connectivity/snort/files/logrotate b/meta-networking/recipes-connectivity/snort/files/logrotate
> new file mode 100644
> index 0000000..ef3e4af
> --- /dev/null
> +++ b/meta-networking/recipes-connectivity/snort/files/logrotate
> @@ -0,0 +1,12 @@
> +/var/log/snort/*.log /var/log/snort/alert {
> +    size 1M
> +    missingok
> +    compress
> +    delaycompress
> +    rotate 10
> +    sharedscripts
> +    postrotate
> +	/etc/init.d/snort restart
> +    endscript
> +}
> +
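Review bot: `postrotate` runs `/etc/init.d/snort restart`, which stops and starts every running instance, so the sensor is blind for the duration of each rotation, and because the init script's restart target (see the `|| true` on its stop/start calls) never reports failure, a rotation that fails to bring Snort back leaves no IDS running with nothing in the logrotate status to say so. Prefer `copytruncate`, which needs no restart at all, or at least add `notifempty` so an idle sensor is not restarted on every run, and consider whether `size 1M` is really the trigger you want on a log that an attacker can fill with a flood of alerts. `sharedscripts` and `missingok` are fine as they are.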
> diff --git a/meta-networking/recipes-connectivity/snort/files/snort.init b/meta-networking/recipes-connectivity/snort/files/snort.init
> new file mode 100755
> index 0000000..af66619
> --- /dev/null
> +++ b/meta-networking/recipes-connectivity/snort/files/snort.init
> @@ -0,0 +1,425 @@
> +#!/bin/sh -e
> +#
> +# Init.d script for Snort in OpenEmbedded, based on Debian's script
> +#
> +# Copyright (c) 2009 Roman I Khimov <khimov@altell.ru>
> +#
> +# Copyright (c) 2001 Christian Hammers 
> +# Copyright (c) 2001-2002 Robert van der Meulen
> +# Copyright (c) 2002-2004 Sander Smeenk <ssmeenk@debian.org>
> +# Copyright (c) 2004-2007 Javier Fernandez-Sanguino <jfs@debian.org>
> +#
> +# This is free software; you may redistribute it and/or modify
> +# it under the terms of the GNU General Public License as
> +# published by the Free Software Foundation; either version 2,
> +# or (at your option) any later version.
> +#
> +# This is distributed in the hope that it will be useful, but
> +# WITHOUT ANY WARRANTY; without even the implied warranty of
> +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
> +# GNU General Public License for more details.
> +#
> +# You should have received a copy of the GNU General Public License with
> +# the Debian operating system, in /usr/share/common-licenses/GPL;  if
> +# not, write to the Free Software Foundation, Inc., 59 Temple Place,
> +# Suite 330, Boston, MA 02111-1307 USA
> +#
> +### BEGIN INIT INFO
> +# Provides:          snort
> +# Required-Start:    $time $network $local_fs
> +# Required-Stop:     
> +# Should-Start:      $syslog
> +# Should-Stop:       
> +# Default-Start:     2 3 4 5
> +# Default-Stop:      0 1 6
> +# Short-Description: Lightweight network intrusion detection system
> +# Description:       Intrusion detection system that will
> +#                    capture traffic from the network cards and will
> +#                    match against a set of known attacks.
> +### END INIT INFO
> +
> +PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
> +
> +test $DEBIAN_SCRIPT_DEBUG && set -v -x
> +
> +DAEMON=/usr/bin/snort
> +NAME=snort
> +DESC="Network Intrusion Detection System"
> +
> +. /etc/default/snort
> +COMMON="$PARAMS -l $LOGDIR -u $SNORTUSER -g $SNORTGROUP"
> +
> +test -x $DAEMON || exit 0
> +test -z "$LOCAL_SNORT_HOME_NET" && LOCAL_SNORT_HOME_NET="192.168.0.0/16"
> +
> +# to find the lib files
> +cd /etc/snort
> +
> +running()
> +{
> +        PIDFILE=$1
> +# No pidfile, probably no daemon present
> +        [ ! -f "$PIDFILE" ] && return 1
> +        pid=`cat $PIDFILE`
> +# No pid, probably no daemon present
> +        [ -z "$pid" ] && return 1
> +        [ ! -d /proc/$pid ] &&  return 1
> +        cmd=`cat /proc/$pid/cmdline | tr "\000" "\n"|head -n 1 |cut -d : -f 1`
> +# No daemon
> +        [ "$cmd" != "$DAEMON" ] &&  return 1
> +        return 0
> +}
> +
> +
> +check_log_dir() {
> +# Does the logging directory belong to Snort?
> +	# If we cannot determine the logdir return without error
> +	# (we will not check it)
> +	# This will only be used by people using /etc/default/snort
> +	[ -n "$LOGDIR" ] || return 0
> +	[ -n "$SNORTUSER" ] || return 0
> +	if [ ! -e "$LOGDIR" ] ; then
> +		echo "ERR: logging directory $LOGDIR does not exist"
> +		return 1
> +	elif [ ! -d "$LOGDIR" ] ; then
> +		echo "ERR: logging directory $LOGDIR does not exist"
> +		return 1
> +	else
> +		# Don't worry, be happy
> +		true
> +	fi
> +	return 0
> +}
> +
> +check_root()  {
> +    if [ "$(id -u)" != "0" ]; then
> +        echo "You must be root to start, stop or restart $NAME."
> +        exit 4
> +    fi
> +}
> +
> +case "$1" in
> +  start)
> +        check_root
> +	echo "Starting $DESC " "$NAME"
> +
> +        if [ -e /etc/snort/db-pending-config ] ; then
> +		echo "/etc/snort/db-pending-config file found"
> +		echo "Snort will not start as its database is not yet configured."
> +		echo "Please configure the database as described in"
> +		echo "/usr/share/doc/snort-{pgsql,mysql}/README-database.Debian"
> +		echo "and remove /etc/snort/db-pending-config"
> +		exit 6
> +	fi
> +
> +        if ! check_log_dir; then
> +		echo " will not start $DESC!"
> +		exit 5
> +	fi
> +	if [ "$LOCAL_SNORT_STARTUP" = "dialup" ]; then
> +		shift
> +		set +e
> +		/etc/ppp/ip-up.d/snort "$@"
> +		ret=$?
> +                if  [ $ret -eq 0 ] ; then
> +                  echo 0
> +                else
> +                  echo 1
> +                fi
> +		exit $ret
> +	fi
> +
> +	# Usually, we start all interfaces
> +	interfaces="$LOCAL_SNORT_INTERFACE"
> +
> +	# If we are requested to start a specific interface...
> +	test "$2" && interfaces="$2"
> +
> +        # If the interfaces list is empty stop (no error)
> +        if [ -z "$interfaces" ] ; then
> +            echo "no interfaces configured, will not start"
> +            echo 0
> +            exit 0
> +        fi
> +
> +	myret=0
> +	got_instance=0
> +	for interface in $interfaces; do
> +		got_instance=1
> +		echo "($interface"
> +
> +                # Check if the interface is available:
> +                # - only if iproute is available
> +                # - the interface exists 
> +                # - the interface is up
> +                if ! [ -x /sbin/ip ] || ( ip link show dev "$interface" >/dev/null 2>&1 && [ -n "`ip link show up "$interface" 2>/dev/null`" ] ) ; then
> +
> +		PIDFILE=/var/run/snort_$interface.pid
> +                CONFIGFILE=/etc/snort/snort.$interface.conf
> +
> +                # Defaults:
> +		fail="failed (check /var/log/syslog and /var/log/snort)"
> +                run="yes"
> +
> +                if [ -e "$PIDFILE" ] && running $PIDFILE; then
> +                        run="no" 
> +                        # Do not start this instance, it is already runing
> +                fi
> +
> +                if [ "$run" = "yes" ] ; then
> +                    if [ ! -e "$CONFIGFILE" ]; then
> +                        echo "no /etc/snort/snort.$interface.conf found, defaulting to snort.conf"
> +                        CONFIGFILE=/etc/snort/snort.conf
> +                    fi
> +
> +                    set +e
> +                    /sbin/start-stop-daemon --start --quiet  \
> +                        --pidfile "$PIDFILE" \
> +                        --exec $DAEMON -- $COMMON $LOCAL_SNORT_OPTIONS \
> +                        -c $CONFIGFILE \
> +                        -S "HOME_NET=[$LOCAL_SNORT_HOME_NET]" \
> +                        -i $interface >/dev/null
> +                    ret=$?
> +                    case "$ret" in
> +			0)
> +                                echo  "...done)"
> +				;;
> +			*)
> +				echo "...ERROR: $fail)"
> +				myret=$(expr "$myret" + 1)
> +				;;
> +                     esac
> +                     set -e
> +                else
> +                        echo "...already running)"
> +                fi
> +
> +                else
> +                # What to do if the interface is not available
> +                # or is not up
> +                        if [ "$ALLOW_UNAVAILABLE" != "no" ] ; then 
> +                            echo "...interface not available)"
> +                        else 
> +                            echo "...ERROR: interface not available)"
> +                            myret=$(expr "$myret" + 1)
> +                        fi
> +                fi
> +	done
> +
> +	if [ "$got_instance" = 0 ] && [ "$ALLOW_UNAVAILABLE" = "no" ]; then
> +		echo "No snort instance found to be started!" >&2
> +		exit 6
> +	fi
> +
> +        if  [ $myret -eq 0 ] ; then
> +            echo 0
> +        else
> +            echo 1
> +        fi
> +	exit $myret
> +	;;
> +  stop)
> +        check_root
> +        echo "Stopping $DESC " "$NAME"
> +    
> +	if [ "$LOCAL_SNORT_STARTUP" = "dialup" ]; then
> +		shift
> +		set +e
> +		/etc/ppp/ip-down.d/snort "$@"
> +		ret=$?
> +                if  [ $ret -eq 0 ] ; then
> +                    echo 0
> +                else
> +                  echo 1
> +                fi
> +		exit $ret
> +	fi
> +
> +	# Usually, we stop all current running interfaces
> +	pidpattern=/var/run/snort_*.pid
> +
> +	# If we are requested to stop a specific interface...
> +	test "$2" && pidpattern=/var/run/snort_"$2".pid
> +
> +	got_instance=0
> +        myret=0
> +	for PIDFILE in $pidpattern; do
> +		# This check is also needed, if the above pattern doesn't match
> +		test -f "$PIDFILE" || continue
> +
> +		got_instance=1
> +		interface=$(basename "$PIDFILE" .pid | sed -e 's/^snort_//')
> +
> +		echo "($interface"
> +
> +		set +e
> +                if [ ! -e "$PIDFILE" -o -r "$PIDFILE" ] ; then
> +# Change ownership of the pidfile
> +		    /sbin/start-stop-daemon --stop --retry 5 --quiet --oknodo \
> +			--pidfile "$PIDFILE" --exec $DAEMON >/dev/null
> +                    ret=$?
> +                    rm -f "$PIDFILE"
> +                    rm -f "$PIDFILE.lck"
> +                else
> +                     echo "cannot read $PIDFILE"
> +                     ret=4
> +                fi
> +		case "$ret" in
> +			0)
> +                                echo  "...done)"
> +				;;
> +			*)
> +				echo "...ERROR)"
> +				myret=$(expr "$myret" + 1)
> +				;;
> +		esac
> +                set -e
> +
> +	done
> +
> +	if [ "$got_instance" = 0 ]; then
> +		log_warning_msg "No running snort instance found"
> +                exit 0 # LSB demands we don't exit with error here
> +	fi
> +        if  [ $myret -eq 0 ] ; then
> +            echo 0
> +        else
> +            echo 1
> +        fi
> +	exit $myret
> +	;;
> +  restart|force-restart|reload|force-reload)
> +        check_root
> +	# Usually, we restart all current running interfaces
> +	pidpattern=/var/run/snort_*.pid
> +
> +	# If we are requested to restart a specific interface...
> +	test "$2" && pidpattern=/var/run/snort_"$2".pid
> +
> +	got_instance=0
> +	for PIDFILE in $pidpattern; do
> +		# This check is also needed, if the above pattern doesn't match
> +		test -f "$PIDFILE" || continue
> +
> +		got_instance=1
> +		interface=$(basename "$PIDFILE" .pid | sed -e 's/^snort_//')
> +		$0 stop $interface || true
> +		$0 start $interface || true
> +	done
> +
> +	if [ "$got_instance" = 0 ]; then
> +		echo "No snort instance found to be stopped!" >&2
> +                exit 6
> +	fi
> +	;;
> +  status)
> +# Non-root users can use this (if allowed to)
> +        echo "Status of snort daemon(s)"
> +	interfaces="$LOCAL_SNORT_INTERFACE"
> +	# If we are requested to check for a specific interface...
> +	test "$2" && interfaces="$2"
> +        err=0
> +        pid=0
> +	for interface in $interfaces; do
> +                echo " $interface "
> +                pidfile=/var/run/snort_$interface.pid
> +                if [ -f  "$pidfile" ] ; then
> +                        if [ -r "$pidfile" ] ; then
> +                            pidval=`cat $pidfile`
> +                            pid=$(expr "$pid" + 1)
> +                            if ps -p $pidval | grep -q snort; then
> +                                echo "OK"
> +                            else
> +				echo "ERROR"
> +				err=$(expr "$err" + 1)
> +			    fi
> +                         else
> +	       		     echo "ERROR: cannot read status file"
> +                             err=$(expr "$err" + 1)
> +                         fi
> +                 else
> +                       echo "ERROR"
> +                       err=$(expr "$err" + 1)
> +                 fi
> +        done
> +        if [ $err -ne 0 ] ; then
> +            if [ $pid -ne 0 ] ; then
> +# More than one case where pidfile exists but no snort daemon
> +# LSB demands a '1' exit value here
> +                echo  1
> +                exit 1
> +            else
> +# No pidfiles at all
> +# LSB demands a '3' exit value here
> +                echo  3
> +                exit 3
> +            fi
> +        fi
> +        echo  0
> +        ;;
> +  config-check)
> +        echo "Checking $DESC configuration" 
> +	if [ "$LOCAL_SNORT_STARTUP" = "dialup" ]; then
> +		echo "Config-check is currently not supported for snort in Dialup configuration"
> +                echo  3
> +                exit 3
> +	fi
> +
> +	# usually, we test all interfaces
> +	interfaces="$LOCAL_SNORT_INTERFACE"
> +	# if we are requested to test a specific interface...
> +	test "$2" && interfaces="$2"
> +
> +	myret=0
> +	got_instance=0
> +	for interface in $interfaces; do
> +		got_instance=1
> +		echo "interface $interface"
> +
> +		CONFIGFILE=/etc/snort/snort.$interface.conf
> +		if [ ! -e "$CONFIGFILE" ]; then
> +			CONFIGFILE=/etc/snort/snort.conf
> +		fi
> +		COMMON=`echo $COMMON | sed -e 's/-D//'`
> +		set +e
> +                fail="INVALID"
> +		if [ -r "$CONFIGFILE" ]; then
> +                    $DAEMON -T $COMMON $LOCAL_SNORT_OPTIONS \
> +			-c $CONFIGFILE \
> +			-S "HOME_NET=[$LOCAL_SNORT_HOME_NET]" \
> +			-i $interface >/dev/null 2>&1
> +                    ret=$?
> +                else
> +                    fail="cannot read $CONFIGFILE"
> +                    ret=4
> +                fi
> +		set -e
> +
> +		case "$ret" in
> +			0)
> +                                echo "OK"
> +				;;
> +			*)
> +                                echo "$fail"
> +				myret=$(expr "$myret" + 1)
> +				;;
> +		esac
> +	done
> +	if [ "$got_instance" = 0 ]; then
> +		echo "no snort instance found to be started!" >&2
> +		exit 6
> +	fi
> +
> +        if  [ $myret -eq 0 ] ; then
> +            echo 0
> +        else
> +            echo 1
> +        fi
> +	exit $myret
> +	;;
> +  *)
> +	echo "Usage: $0 {start|stop|restart|force-restart|reload|force-reload|status|config-check}"
> +	exit 1
> +	;;
> +esac
> +exit 0
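Review bot: in the `stop` target, `log_warning_msg "No running snort instance found"` calls a Debian /lib/lsb/init-functions helper that this script never sources; under `#!/bin/sh -e` the shell reports "not found" and exits 127 instead of reaching the `exit 0` the comment says LSB demands, so `stop` with no instance running is an error. Replace it with `echo "No running snort instance found" >&2`. Related: `restart` does `$0 stop $interface || true` and `$0 start $interface || true` and then falls through to `exit 0`, so a failed start after a restart (from logrotate, for example) is invisible to the caller; accumulate the start result and exit with it as `start` already does. `check_log_dir` promises "Does the logging directory belong to Snort?" but only tests existence, and its two branches print the same "does not exist" text; since the daemon drops to $SNORTUSER/$SNORTGROUP and writes into $LOGDIR, either check ownership (and that it is not a symlink) or drop the comment. The `# Change ownership of the pidfile` comment in `stop` precedes code that changes nothing. Finally, the Debian leftovers (`/etc/snort/db-pending-config` with its `/usr/share/doc/snort-{pgsql,mysql}/README-database.Debian` pointer, the `/etc/ppp/ip-up.d/snort` dialup path, `test $DEBIAN_SCRIPT_DEBUG`) refer to files this recipe does not install, and `status` uses `ps -p`, which busybox ps may not accept; the `running()` helper already does the /proc check and could be reused there.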
> diff --git a/meta-networking/recipes-connectivity/snort/files/volatiles b/meta-networking/recipes-connectivity/snort/files/volatiles
> new file mode 100644
> index 0000000..e3ab51d
> --- /dev/null
> +++ b/meta-networking/recipes-connectivity/snort/files/volatiles
> @@ -0,0 +1,2 @@
> +# <type> <owner> <group> <mode> <path> <linksource>
> +d snort snort 0755 /var/log/snort none
> \ No newline at end of file
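Review bot: mode 0755 on /var/log/snort makes the alert and packet logs readable by every local account, and those files carry captured payload data; the daemon runs as snort:snort and only that user and root need access, so 0750 (or 0700) is the safer default. The diff also flags the missing trailing newline on the last line. Note that `do_install_append` in the recipe also does `mkdir -p ${D}/${localstatedir}/log/snort`, so the directory is created twice; the volatiles entry is the one that survives a tmpfs or read-only /var, so keep it and drop the mkdir.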
> diff --git a/meta-networking/recipes-connectivity/snort/snort_2.9.4.6.bb b/meta-networking/recipes-connectivity/snort/snort_2.9.4.6.bb
> new file mode 100644
> index 0000000..5a165ef
> --- /dev/null
> +++ b/meta-networking/recipes-connectivity/snort/snort_2.9.4.6.bb
> @@ -0,0 +1,86 @@
> +DESCRIPTION = "snort - a free lightweight network intrusion detection system for UNIX and Windows."
> +HOMEPAGE = "http://www.snort.org/"
> +LICENSE = "GPL"
> +LIC_FILES_CHKSUM = "file://COPYING;md5=78fa8ef966b48fbf9095e13cc92377c5"
> +
> +DEPENDS = "libpcap libpcre daq libdnet"
> +
> +SRC_URI = " ${GENTOO_MIRROR}/${BP}.tar.gz;name=tarball \
> +            file://disable-inaddr-none.patch \
> +            file://disable-dap-address-space-id.patch \ 
> +	    file://snort.init \
> +	    file://default \
> +            file://logrotate \
> +	    file://volatiles \
> +          "
> +SRC_URI[tarball.md5sum] = "4111df01a4f21bd1d328a18b76d625bd"
> +SRC_URI[tarball.sha256sum] = "cfaa5390b1840aaaa68a6c05a7077dd92cb916e6186a014baa451d43cdb0b3bc"
> +
> +inherit autotools  gettext 
> +
> +EXTRA_OECONF = " \
> +	--enable-gre \    
> +	--enable-linux-smp-stats \
> +	--enable-reload \
> +	--enable-reload-error-restart \
> +	--enable-targetbased \
> +	--disable-static-daq \
> +	"
> +
> +do_install_append() {
> +	install -d ${D}/${sysconfdir}/snort/rules
> +	install -d ${D}/${sysconfdir}/snort/preproc_rules
> +	install -d ${D}/${sysconfdir}/default/volatiles
> +	mkdir -p ${D}/${sysconfdir}/init.d
> +	for i in map config conf dtd; do
> +		cp ${S}/etc/*.$i ${D}/${sysconfdir}/snort/
> +	done
> +	cp ${S}/preproc_rules/*.rules ${D}/${sysconfdir}/snort/preproc_rules/
> +	install -m 0644 ${WORKDIR}/default ${D}/${sysconfdir}/default/snort
> +	install -m 0644 ${WORKDIR}/volatiles ${D}/${sysconfdir}/default/volatiles/snort
> +	install -m 0755 ${WORKDIR}/snort.init ${D}/${sysconfdir}/init.d/snort
> +	mkdir -p ${D}/${localstatedir}/log/snort
> +	install -d ${D}${sysconfdir}/logrotate.d
> +	install -m 0644 ${WORKDIR}/logrotate ${D}${sysconfdir}/logrotate.d/snort
> +}
> +
> +pkg_postinst_${PN}() {
> +	grep -q ^snort: /etc/group || addgroup snort
> +	grep -q ^snort: /etc/passwd || \
> +		adduser --disabled-password --home=/var/log/snort/ --system \
> +			--ingroup snort --no-create-home -g "snort" snort
> +	${sysconfdir}/init.d/populate-volatile.sh update
> +}
> +
> +PACKAGES =+ "${PN}-logrotate"
> +FILES_${PN}-logrotate = "${sysconfdir}/logrotate.d/snort"
> +FILES_${PN} += " \
> +	${libdir}/snort_dynamicengine/*.so.* \
> +	${libdir}/snort_dynamicpreprocessor/*.so.* \
> +	${libdir}/snort_dynamicrules/*.so.* \
> +	"
> +FILES_${PN}-dbg += " \
> +	${libdir}/snort_dynamicengine/.debug \
> +	${libdir}/snort_dynamicpreprocessor/.debug \
> +	${libdir}/snort_dynamicrules/.debug \
> +	"
> +FILES_${PN}-staticdev += " \
> +	${libdir}/snort_dynamicengine/*.a \
> +	${libdir}/snort_dynamicpreprocessor/*.a \
> +	${libdir}/snort_dynamicrules/*.a \
> +	${libdir}/snort/dynamic_preproc/*.a \
> +	${libdir}/snort/dynamic_output/*.a \
> +	"
> +FILES_${PN}-dev += " \
> +	${libdir}/snort_dynamicengine/*.la \
> +	${libdir}/snort_dynamicpreprocessor/*.la \
> +	${libdir}/snort_dynamicrules/*.la \
> +	${libdir}/snort_dynamicengine/*.so \
> +	${libdir}/snort_dynamicpreprocessor/*.so \
> +	${libdir}/snort_dynamicrules/*.so \
> +	${prefix}/src/snort_dynamicsrc \
> +	"
> +
> +RRECOMMENDS_${PN} += "${PN}-logrotate"
> +RRECOMMENDS_${PN} += "barnyard"
> +RSUGGESTS_${PN}-logrotate += "logrotate"
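Review bot: `pkg_postinst_${PN}` creates the service account with `addgroup`/`adduser` against literal `/etc/group` and `/etc/passwd`, so when the script is executed at image build time it inspects (and may try to modify) the build host's files rather than the rootfs, and on target it depends on busybox's flag spelling. The useradd class exists for exactly this: `inherit useradd`, `USERADD_PACKAGES = "${PN}"`, `GROUPADD_PARAM_${PN} = "--system snort"` and `USERADD_PARAM_${PN} = "--system --home /var/log/snort --no-create-home --shell /bin/false --gid snort snort"` create the user at do_install time and keep the postinst to the `populate-volatile.sh` call. Other points: `LICENSE = "GPL"` should be the specific `GPLv2`, which is what Snort's COPYING contains. `do_install_append` copies `${S}/etc/*.conf` verbatim, and the stock 2.9.x snort.conf points `dynamicengine` and `dynamicpreprocessor directory` at /usr/local/lib/... and `RULE_PATH`/`WHITE_LIST_PATH`/`BLACK_LIST_PATH` at ../rules, whereas this recipe installs the plugins under ${libdir} and ships an empty ${sysconfdir}/snort/rules, so `snort -T` against the installed config fails until those paths are rewritten (a sed in do_install) and the referenced rule files exist. In the same vein, `FILES_${PN}-dev` takes `${libdir}/snort_dynamicengine/*.so` and the preprocessor/rules `*.so`; snort.conf loads the engine by its unversioned name (libsf_engine.so) via dlopen, so those links belong in ${PN}, not in -dev. Lastly, `SRC_URI` fetches from `${GENTOO_MIRROR}`; the checksums pin the content, but pointing at the project's own download location is the usual provenance expectation.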
Joe MacDonald Sept. 23, 2013, 5:13 p.m.
Actually, something else just occurred to me, too.

[[oe] [meta-networking][PATCH 1/3] snort: add recipe] On 13.09.23 (Mon 17:06) b40290@freescale.com wrote:

> diff --git a/meta-networking/recipes-connectivity/snort/files/volatiles b/meta-networking/recipes-connectivity/snort/files/volatiles
> new file mode 100644
> index 0000000..e3ab51d
> --- /dev/null
> +++ b/meta-networking/recipes-connectivity/snort/files/volatiles
> @@ -0,0 +1,2 @@
> +# <type> <owner> <group> <mode> <path> <linksource>
> +d snort snort 0755 /var/log/snort none
> \ No newline at end of file

Since you're going to be in there again anyway, can you fix this, too?

> diff --git a/meta-networking/recipes-connectivity/snort/snort_2.9.4.6.bb b/meta-networking/recipes-connectivity/snort/snort_2.9.4.6.bb
> new file mode 100644
> index 0000000..5a165ef
> --- /dev/null
> +++ b/meta-networking/recipes-connectivity/snort/snort_2.9.4.6.bb
> @@ -0,0 +1,86 @@
> +DESCRIPTION = "snort - a free lightweight network intrusion detection system for UNIX and Windows."
> +HOMEPAGE = "http://www.snort.org/"
> +LICENSE = "GPL"
> +LIC_FILES_CHKSUM = "file://COPYING;md5=78fa8ef966b48fbf9095e13cc92377c5"
> +
> +DEPENDS = "libpcap libpcre daq libdnet"
> +
> +SRC_URI = " ${GENTOO_MIRROR}/${BP}.tar.gz;name=tarball \
> +            file://disable-inaddr-none.patch \
> +            file://disable-dap-address-space-id.patch \ 
> +	    file://snort.init \
> +	    file://default \
> +            file://logrotate \
> +	    file://volatiles \
> +          "

When you go back at this, can you also try to adopt the format laid out
by Peter here:

http://permalink.gmane.org/gmane.comp.handhelds.openembedded.core/41673

And I don't think the ";name=tarball" is required here.  Is it?

-J.

> +SRC_URI[tarball.md5sum] = "4111df01a4f21bd1d328a18b76d625bd"
> +SRC_URI[tarball.sha256sum] = "cfaa5390b1840aaaa68a6c05a7077dd92cb916e6186a014baa451d43cdb0b3bc"
> +
> +inherit autotools  gettext 
> +
> +EXTRA_OECONF = " \
> +	--enable-gre \    
> +	--enable-linux-smp-stats \
> +	--enable-reload \
> +	--enable-reload-error-restart \
> +	--enable-targetbased \
> +	--disable-static-daq \
> +	"
> +
> +do_install_append() {
> +	install -d ${D}/${sysconfdir}/snort/rules
> +	install -d ${D}/${sysconfdir}/snort/preproc_rules
> +	install -d ${D}/${sysconfdir}/default/volatiles
> +	mkdir -p ${D}/${sysconfdir}/init.d
> +	for i in map config conf dtd; do
> +		cp ${S}/etc/*.$i ${D}/${sysconfdir}/snort/
> +	done
> +	cp ${S}/preproc_rules/*.rules ${D}/${sysconfdir}/snort/preproc_rules/
> +	install -m 0644 ${WORKDIR}/default ${D}/${sysconfdir}/default/snort
> +	install -m 0644 ${WORKDIR}/volatiles ${D}/${sysconfdir}/default/volatiles/snort
> +	install -m 0755 ${WORKDIR}/snort.init ${D}/${sysconfdir}/init.d/snort
> +	mkdir -p ${D}/${localstatedir}/log/snort
> +	install -d ${D}${sysconfdir}/logrotate.d
> +	install -m 0644 ${WORKDIR}/logrotate ${D}${sysconfdir}/logrotate.d/snort
> +}
> +
> +pkg_postinst_${PN}() {
> +	grep -q ^snort: /etc/group || addgroup snort
> +	grep -q ^snort: /etc/passwd || \
> +		adduser --disabled-password --home=/var/log/snort/ --system \
> +			--ingroup snort --no-create-home -g "snort" snort
> +	${sysconfdir}/init.d/populate-volatile.sh update
> +}
> +
> +PACKAGES =+ "${PN}-logrotate"
> +FILES_${PN}-logrotate = "${sysconfdir}/logrotate.d/snort"
> +FILES_${PN} += " \
> +	${libdir}/snort_dynamicengine/*.so.* \
> +	${libdir}/snort_dynamicpreprocessor/*.so.* \
> +	${libdir}/snort_dynamicrules/*.so.* \
> +	"
> +FILES_${PN}-dbg += " \
> +	${libdir}/snort_dynamicengine/.debug \
> +	${libdir}/snort_dynamicpreprocessor/.debug \
> +	${libdir}/snort_dynamicrules/.debug \
> +	"
> +FILES_${PN}-staticdev += " \
> +	${libdir}/snort_dynamicengine/*.a \
> +	${libdir}/snort_dynamicpreprocessor/*.a \
> +	${libdir}/snort_dynamicrules/*.a \
> +	${libdir}/snort/dynamic_preproc/*.a \
> +	${libdir}/snort/dynamic_output/*.a \
> +	"
> +FILES_${PN}-dev += " \
> +	${libdir}/snort_dynamicengine/*.la \
> +	${libdir}/snort_dynamicpreprocessor/*.la \
> +	${libdir}/snort_dynamicrules/*.la \
> +	${libdir}/snort_dynamicengine/*.so \
> +	${libdir}/snort_dynamicpreprocessor/*.so \
> +	${libdir}/snort_dynamicrules/*.so \
> +	${prefix}/src/snort_dynamicsrc \
> +	"
> +
> +RRECOMMENDS_${PN} += "${PN}-logrotate"
> +RRECOMMENDS_${PN} += "barnyard"
> +RSUGGESTS_${PN}-logrotate += "logrotate"
Paul Eggleton Sept. 23, 2013, 5:56 p.m.
All,

I'm a bit confused; is this recipe supposed to be going into meta-networking 
or meta-security? Because patches have been sent recently to add it to both.

Cheers,
Paul
Joe MacDonald Sept. 23, 2013, 6:22 p.m.
Hey Paul,

[Re: [oe] [meta-networking][PATCH 1/3] snort: add recipe] On 13.09.23 (Mon 18:56) Paul Eggleton wrote:

> All,
> 
> I'm a bit confused; is this recipe supposed to be going into
> meta-networking or meta-security? Because patches have been sent
> recently to add it to both.

I had mentioned that I would accept snort into meta-networking if it
wasn't a good fit for meta-security since it was something I'd started
working on integrating anyway a while back.  I assumed that was the case
since it was sent to the list for meta-networking today.

I don't think we need copies in both places, though, and since it was
first aimed at meta-security, if it gets merged there, I won't merge it
here.

Hopefully nothing I've said here contradicts what the meta-security
maintainers would want to see.
Paul Eggleton Sept. 24, 2013, 5:16 p.m.
Hi Joe,

On Monday 23 September 2013 14:22:02 Joe MacDonald wrote:
> [Re: [oe] [meta-networking][PATCH 1/3] snort: add recipe] On 13.09.23 (Mon
> 18:56) Paul Eggleton wrote:
> > 
> > I'm a bit confused; is this recipe supposed to be going into
> > meta-networking or meta-security? Because patches have been sent
> > recently to add it to both.
> 
> I had mentioned that I would accept snort into meta-networking if it
> wasn't a good fit for meta-security since it was something I'd started
> working on integrating anyway a while back.  I assumed that was the case
> since it was sent to the list for meta-networking today.
> 
> I don't think we need copies in both places, though, and since it was
> first aimed at meta-security, if it gets merged there, I won't merge it
> here.
> 
> Hopefully nothing I've said here contradicts what the meta-security
> maintainers would want to see.

I would have thought it would go into meta-security myself; but ultimately 
it's up to you and Saul really. I just wanted to make sure we didn't somehow 
end up with it in both layers since we have patches for adding it to both.

Cheers,
Paul
Joe MacDonald Sept. 24, 2013, 6:10 p.m.
[Re: [oe] [meta-networking][PATCH 1/3] snort: add recipe] On 13.09.24 (Tue 18:16) Paul Eggleton wrote:

> Hi Joe,
> 
> On Monday 23 September 2013 14:22:02 Joe MacDonald wrote:
> > [Re: [oe] [meta-networking][PATCH 1/3] snort: add recipe] On 13.09.23 (Mon
> > 18:56) Paul Eggleton wrote:
> > > 
> > > I'm a bit confused; is this recipe supposed to be going into
> > > meta-networking or meta-security? Because patches have been sent
> > > recently to add it to both.
> > 
> > I had mentioned that I would accept snort into meta-networking if it
> > wasn't a good fit for meta-security since it was something I'd started
> > working on integrating anyway a while back.  I assumed that was the case
> > since it was sent to the list for meta-networking today.
> > 
> > I don't think we need copies in both places, though, and since it was
> > first aimed at meta-security, if it gets merged there, I won't merge it
> > here.
> > 
> > Hopefully nothing I've said here contradicts what the meta-security
> > maintainers would want to see.
> 
> I would have thought it would go into meta-security myself; but ultimately 
> it's up to you and Saul really. I just wanted to make sure we didn't somehow 
> end up with it in both layers since we have patches for adding it to both.

Yeah, I completely agree.  Since I'm using meta-security a bit now and
sending a few patches back, I'll keep an eye out and if the snort stuff
lands in there, I would not consider merging it with meta-networking.

Snort has always been in the same category for me as tcpdump, nmap and
etherape/wireshark.  A hugely useful network diagnostics tool.  But as
an IDS / IPS it makes sense for meta-security as well.

Either works for me.