add snort ebuild with snortsam support and initial patch for traffic redirection action

2012-05-20 21:08:17 +04:00
parent 3d7df5645e
commit 5602db911c
7 changed files with 1327 additions and 0 deletions
--- a/net-analyzer/snort/files/snort.confd.2
+++ b/net-analyzer/snort/files/snort.confd.2
@ -0,0 +1,16 @@
+# Config file for /etc/init.d/snort
+
+# The following options are now set in your snort.conf file:
+# config set_gid:
+# config set_uid:
+# config snaplen:
+# config bpf_file:
+# config logdir:
+
+# The only options that should be set here are SNORT_IFACE and SNORT_CONF.
+
+# This tell snort which interface to listen on (any for every interface)
+SNORT_IFACE="eth1"
+
+# Probably not this either
+SNORT_CONF="/etc/snort/snort.conf"
--- a/net-analyzer/snort/files/snort.rc11
+++ b/net-analyzer/snort/files/snort.rc11
@ -0,0 +1,57 @@
+#!/sbin/runscript
+# Copyright 1999-2011 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/net-analyzer/snort/files/snort.rc11,v 1.1 2011/09/22 17:39:51 patrick Exp $
+
+opts="checkconfig reload"
+
+depend() {
+	need net
+	after mysql
+	after postgresql
+}
+
+checkconfig() {
+	if [ ! -e ${SNORT_CONF} ] ; then
+		eerror "You need a configuration file to run snort"
+		eerror "There is an example config in /etc/snort/snort.conf.distrib"
+		return 1
+	fi
+}
+
+start() {
+	checkconfig || return 1
+	ebegin "Starting snort"
+	start-stop-daemon --start --quiet --exec /usr/bin/snort \
+		-- --nolock-pidfile --pid-path /var/run/snort -D -i ${SNORT_IFACE} \
+		 -c ${SNORT_CONF} >/dev/null 2>&1
+	eend $?
+}
+
+stop() {
+	ebegin "Stopping snort"
+	start-stop-daemon --stop --quiet --pidfile /var/run/snort/snort_${SNORT_IFACE}.pid
+	# Snort needs a few seconds to fully shutdown
+	sleep 15
+	eend $?
+}
+
+reload() {
+
+	local SNORT_PID="`cat /var/run/snort/snort_${SNORT_IFACE}.pid`"
+	local SNORT_USER="`ps -p ${SNORT_PID} --no-headers -o user`"
+
+        if [ ! -f /var/run/snort/snort_${SNORT_IFACE}.pid ]; then
+        	eerror "Snort isn't running"
+                return 1
+	elif [ ${SNORT_USER} != root ]; then
+		eerror "Snort must be running as root for reload to work!"
+		return 1
+	else
+		checkconfig || return 1
+		ebegin "Reloading Snort"
+		start-stop-daemon --signal HUP --pidfile /var/run/snort/snort_${SNORT_IFACE}.pid
+        fi
+}
+
+
--- a/net-analyzer/snort/files/snortsam-2.9.2.2.diff.gz
+++ b/net-analyzer/snort/files/snortsam-2.9.2.2.diff.gz
--- a/net-analyzer/snort/files/snortsam-redirect-2.9.2.2.patch
+++ b/net-analyzer/snort/files/snortsam-redirect-2.9.2.2.patch
@ -0,0 +1,60 @@
+diff -ur snort-2.9.2.2-snortsam/src/output-plugins/spo_alert_fwsam.c snort-2.9.2.2/src/output-plugins/spo_alert_fwsam.c
+--- snort-2.9.2.2-snortsam/src/output-plugins/spo_alert_fwsam.c	2012-05-20 18:33:57.271278999 +0400
+++ snort-2.9.2.2/src/output-plugins/spo_alert_fwsam.c	2012-05-20 19:18:47.383364414 +0400
+@@ -515,6 +515,7 @@
+ 	optp->how=FWSAM_HOW_INOUT;			/* inbound and outbound block */
+ 	optp->who=FWSAM_WHO_SRC;			/* the source  */
+     optp->loglevel=FWSAM_LOG_LONGALERT; /* the log level default */
+	optp->action = FWSAM_STATUS_BLOCK; /* type of action */
+ 	/* parse the fwsam keywords */
+ 
+ #ifdef FWSAMDEBUG
+@@ -566,6 +567,17 @@
+ 					optp->duration=0;
+ 				else
+ 					possprob=TRUE;
+				if (!possprob)
+				{
+					char* tok = ap;
+					char* action = strtok(tok, ",");
+					action = strtok(NULL, ",");
+					if (action != NULL)
+					{
+						// set our custom action for redirecting traffic instead of blocking
+						optp->action = FWSAM_STATUS_REDIRECT;
+					}
+				}
+ 			}
+ 			else if(!*ap)
+ 				possprob=TRUE;
+@@ -879,7 +891,7 @@
+ 						sampacket.snortseqno[1]=(char)(station->myseqno>>8);
+ 						sampacket.fwseqno[0]=(char)station->stationseqno;/* fill station seqno */
+ 						sampacket.fwseqno[1]=(char)(station->stationseqno>>8);
+-						sampacket.status=FWSAM_STATUS_BLOCK;			/* set block mode */
+						sampacket.status=optp->action;				/* set action mode */
+ 						sampacket.version=FWSAM_PACKETVERSION;			/* set packet version */
+ 						sampacket.duration[0]=(char)optp->duration;		/* set duration */
+ 						sampacket.duration[1]=(char)(optp->duration>>8);
+diff -ur snort-2.9.2.2-snortsam/src/output-plugins/spo_alert_fwsam.h snort-2.9.2.2/src/output-plugins/spo_alert_fwsam.h
+--- snort-2.9.2.2-snortsam/src/output-plugins/spo_alert_fwsam.h	2012-05-20 18:33:57.270278999 +0400
+++ snort-2.9.2.2/src/output-plugins/spo_alert_fwsam.h	2012-05-20 19:02:01.695332482 +0400
+@@ -107,6 +107,10 @@
+ #define FWSAM_STATUS_BLOCK		3
+ #define FWSAM_STATUS_UNBLOCK	9
+ 
+// Custom action to redirect traffic instead of drop
+#define FWSAM_STATUS_REDIRECT	10
+
+
+ #define FWSAM_STATUS_OK			4	/* fw to snort */
+ #define FWSAM_STATUS_ERROR		5
+ #define FWSAM_STATUS_NEWKEY		6
+@@ -186,6 +190,7 @@
+ 	unsigned char	who;
+ 	unsigned char	how;
+ 	unsigned char	loglevel;
+	unsigned char	action; // type of action
+ }	FWsamOptions;
+ 
+ typedef struct _FWsamlistpointer