Sguil is an open source tool to implement Network

Security Monitoring (NSM).  NSM is the collection,
analysis, and escalation of indications and warnings
to detect and respond to intrusions.  NSM tools are
used more for network audit and specialized
applications than traditional alert-centric "intrusion
detection" systems.

Want to learn more about Network Security Monitoring
(NSM)? Then check out Richard Bejtlich's recently
released book, The Tao of Network Security Monitoring:
Beyond Intrusion Detection. An excerpt reads:

"Network security monitoring (NSM) equips security
staff to deal with the inevitable consequences of too
few resources and too many responsibilities. NSM collects
the data needed to generate better assessment, detection,
and response processes--resulting in decreased impact from
unauthorized activities."

WWW: http://sguil.sourceforge.net/index.php
pauls@utdallas.edu

PR:		ports/104227
Submitted by:	Paul Schmehl <pauls at utdallas.edu>

10 files changed, 383 insertions, 0 deletions

diff --git a/security/Makefile b/security/Makefile
index e1a1e7389e23..1c9896711bf6 100644
--- a/security/Makefile
+++ b/security/Makefile
@@ -624,6 +624,7 @@
     SUBDIR += secure_delete
     SUBDIR += sfs
     SUBDIR += sguil-sensor
+    SUBDIR += sguil-server
     SUBDIR += sha
     SUBDIR += shishi
     SUBDIR += shttpscanner
diff --git a/security/sguil-server/Makefile b/security/sguil-server/Makefile
new file mode 100644
index 000000000000..8cabebf2708a
--- /dev/null
+++ b/security/sguil-server/Makefile
@@ -0,0 +1,84 @@
+# New ports collection makefile for:	sguil-server
+# Date created:				9 Oct 2006
+# Whom:					Paul Schmehl <pauls@utdallas.edu>
+#
+# $FreeBSD$
+#
+
+PORTNAME=	sguil-server
+PORTVERSION=	0.6.1
+CATEGORIES=	security
+MASTER_SITES=	${MASTER_SITE_SOURCEFORGE}
+MASTER_SITE_SUBDIR=	sguil
+
+MAINTAINER=	pauls@utdallas.edu
+COMMENT=	Squil is a network security management program
+
+RUN_DEPENDS=	p0f:${PORTSDIR}/net-mgmt/p0f \
+		tcpflow:${PORTSDIR}/net/tcpflow \
+		dtplite:${PORTSDIR}/devel/tcllib \
+		barnyard:${PORTSDIR}/security/barnyard-sguil6 \
+		${LOCALBASE}/lib/tclx8.4/tclx.tcl:${PORTSDIR}/lang/tclX
+LIB_DEPENDS=	tls:${PORTSDIR}/devel/tcltls
+
+NO_BUILD=	yes
+USE_RC_SUBR=	sguild.sh
+TCLSH_CMD?=	${PREFIX}/bin/tclsh8.4
+SGUILDIR?=	sguil-server
+WRKSRC=		${WRKDIR}/sguil-${PORTVERSION}
+PATCH_WRKSRC=	${WRKSRC}/server
+PLIST_SUB=	SGUILDIR=${SGUILDIR}
+SUB_FILES=	pkg-message
+SUB_LIST=	SGUILDIR=${SGUILDIR} TCLSH=${TCLSH_CMD}
+LIBRARIES=	SguildAccess.tcl SguildEvent.tcl SguildReportBuilder.tcl \
+		SguildAutoCat.tcl SguildGenericDB.tcl SguildSendComms.tcl \
+		SguildClientCmdRcvd.tcl SguildHealthChecks.tcl SguildSensorAgentComms.tcl \
+		SguildConnect.tcl SguildLoaderd.tcl SguildSensorCmdRcvd.tcl \
+		SguildCreateDB.tcl SguildMysqlMerge.tcl SguildTranscript.tcl \
+		SguildEmailEvent.tcl SguildQueryd.tcl SguildUtils.tcl
+SCRIPTS=	create_ruledb.sql update_sguildb_v10-v11.sql update_sguildb_v8-v9.sql \
+		create_sguildb.sql update_sguildb_v5-v6.sql update_sguildb_v9-v10.sql \
+		migrate_event.tcl update_sguildb_v6-v7.sql migrate_sancp.tcl update_sguildb_v7-v8.sql
+CONFS=		autocat.conf sguild.access sguild.conf sguild.email sguild.queries sguild.reports sguild.users
+
+PORTDOCS=	CHANGES INSTALL INSTALL.openbsd LICENSE.QPL \
+		OPENSSL.README TODO USAGE sguildb.dia
+
+.include <bsd.port.pre.mk>
+
+MYSQLTCL_VER!=	cd ${PORTSDIR}/databases/mysqltcl && ${MAKE} -V PORTVERSION
+
+RUN_DEPENDS+=	${LOCALBASE}/lib/mysqltcl-${MYSQLTCL_VER}:${PORTSDIR}/databases/mysqltcl
+
+post-patch:
+.for f in archive_sguildb.tcl sguild contrib/incident_report.tcl
+	@${REINPLACE_CMD} -e 's:exec tclsh:exec ${TCLSH_CMD}:g' ${WRKSRC}/server/${f}
+.endfor
+
+do-install:
+	@${MKDIR} ${PREFIX}/etc/${SGUILDIR}
+	@${MKDIR} ${PREFIX}/lib/${SGUILDIR}
+	@${MKDIR} ${PREFIX}/share/${SGUILDIR}
+.for f in archive_sguildb.tcl sguild
+	${INSTALL_SCRIPT} -m 751 ${WRKSRC}/server/${f} ${PREFIX}/bin/${f}
+.endfor
+.for f in incident_report.tcl
+	${INSTALL_SCRIPT} -m 751 ${WRKSRC}/server/contrib/${f} ${PREFIX}/bin/${f}
+.endfor
+.for f in ${CONFS}
+	${INSTALL_DATA} ${WRKSRC}/server/${f} ${PREFIX}/etc/${SGUILDIR}/${f}-sample
+.endfor
+.for f in ${LIBRARIES}
+	${INSTALL_DATA} ${WRKSRC}/server/lib/${f} ${PREFIX}/lib/${SGUILDIR}/${f}
+.endfor
+.for f in ${SCRIPTS}
+	${INSTALL_DATA} ${WRKSRC}/server/sql_scripts/${f} ${PREFIX}/share/${SGUILDIR}/${f}
+.endfor
+post-install:
+.if !defined(NOPORTDOCS)
+	@${MKDIR} ${DOCSDIR}
+	cd ${WRKSRC}/doc && ${INSTALL_DATA} ${PORTDOCS} ${DOCSDIR}
+.endif
+	@${CAT} ${PKGMESSAGE}
+
+.include <bsd.port.post.mk>
diff --git a/security/sguil-server/distinfo b/security/sguil-server/distinfo
new file mode 100644
index 000000000000..c551d6ad3998
--- /dev/null
+++ b/security/sguil-server/distinfo
@@ -0,0 +1,3 @@
+MD5 (sguil-server-0.6.1.tar.gz) = 27decbe3c6528bf2c86c74b35b8f7b3b
+SHA256 (sguil-server-0.6.1.tar.gz) = 22aea8f76da0530ae7ee9a68efe1de7615bec47a7702c93f8fe338d57590ce57
+SIZE (sguil-server-0.6.1.tar.gz) = 92901
diff --git a/security/sguil-server/files/patch-sguild b/security/sguil-server/files/patch-sguild
new file mode 100644
index 000000000000..e67292ba27f6
--- /dev/null
+++ b/security/sguil-server/files/patch-sguild
@@ -0,0 +1,105 @@
+--- sguild.orig	Tue Mar 28 04:36:05 2006
++++ sguild	Tue Mar 28 04:37:10 2006
+@@ -229,7 +229,7 @@
+   package require tls
+   # Check for certs
+   if {![info exists CERTS_PATH]} {
+-    set CERTS_PATH /etc/sguild/certs
++    set CERTS_PATH /usr/local/etc/sguil-server/certs
+   }
+   if {![file exists $CERTS_PATH] || ![file isdirectory $CERTS_PATH]} {
+     puts "ERROR: $CERTS_PATH does not exist or is not a directory"
+@@ -251,13 +251,13 @@
+ 
+ if { ![info exists CONF_FILE] } {
+   # No conf file specified check the defaults
+-  if { [file exists /etc/sguild/sguild.conf] } {
+-    set CONF_FILE /etc/sguild/sguild.conf
++  if { [file exists /usr/local/etc/sguil-server/sguild.conf] } {
++    set CONF_FILE /usr/local/etc/sguil-server/sguild.conf
+   } elseif { [file exists ./sguild.conf] } {
+     set CONF_FILE ./sguild.conf
+   } else {
+     puts "Couldn't determine where the sguil config file is"
+-    puts "Looked for ./sguild.conf and /etc/sguild/sguild.conf."
++    puts "Looked for ./sguild.conf and /usr/local/etc/sguil-server/sguild.conf."
+     DisplayUsage $argv0
+   }
+ }
+@@ -338,17 +338,17 @@
+ # Check for a valid USERS file
+ if { ![info exists USERS_FILE] } {
+   # No users file was specified. Go with the defaults
+-  if { [file exists /etc/sguild/sguild.users] } {
+-    set USERS_FILE "/etc/sguild/sguild.users"
++  if { [file exists /usr/local/etc/sguil-server/sguild.users] } {
++    set USERS_FILE "/usr/local/etc/sguil-server/sguild.users"
+   } elseif { [file exists ./sguild.users] } {
+     set USERS_FILE "./sguild.users"
+   } else {
+     if { [info exists ADDUSER] && $ADDUSER } {
+-      CreateUsersFile "/etc/sguild/sguild.users"
++      CreateUsersFile "/usr/local/etc/sguil-server/sguild.users"
+     } else {
+       set DEBUG 2
+       LogMessage "ERROR: Could not find a sguild.users file."
+-      LogMessage "       Checked in ./ and /etc/sguild/"
++      LogMessage "       Checked in ./ and /usr/local/etc/sguil-server/"
+       DisplayUsage $argv0
+     }
+   }
+@@ -376,8 +376,8 @@
+ # Load accessfile
+ if { ![info exists ACCESS_FILE] } {
+   # Check the defaults
+-  if { [file exists /etc/sguild/sguild.access] } {
+-    set ACCESS_FILE "/etc/sguild/sguild.access"
++  if { [file exists /usr/local/etc/sguil-server/sguild.access] } {
++    set ACCESS_FILE "/usr/local/etc/sguil-server/sguild.access"
+   } elseif { [file exists ./sguild.access] } {
+     set ACCESS_FILE "./sguild.access"
+   } else {
+@@ -391,8 +391,8 @@
+ }
+ # Load auto cat config
+ if { ![info exists AUTOCAT_FILE] } {
+-   if { [file exists /etc/sguild/autocat.conf] } {
+-     set AUTOCAT_FILE "/etc/sguild/autocat.conf"
++   if { [file exists /usr/local/etc/sguil-server/autocat.conf] } {
++     set AUTOCAT_FILE "/usr/local/etc/sguil-server/autocat.conf"
+    } else {
+      set AUTOCAT_FILE "./autocat.conf"
+    }
+@@ -402,8 +402,8 @@
+ }
+ # Load email config file
+ if { ![info exists EMAIL_FILE] } {
+-  if { [file exists /etc/sguild/sguild.email] } {
+-    set EMAIL_FILE "/etc/sguild/sguild.email"
++  if { [file exists /usr/local/etc/sguil-server/sguild.email] } {
++    set EMAIL_FILE "/usr/local/etc/sguil-server/sguild.email"
+   } else {
+     set EMAIL_FILE "./sguild.email"
+   }
+@@ -415,8 +415,8 @@
+ }
+ # Load global queries.
+ if { ![info exists GLOBAL_QRY_FILE] } {
+-  if { [file exists /etc/sguild/sguild.queries] } {
+-    set GLOBAL_QRY_FILE "/etc/sguild/sguild.queries"
++  if { [file exists /usr/local/etc/sguil-server/sguild.queries] } {
++    set GLOBAL_QRY_FILE "/usr/local/etc/sguil-server/sguild.queries"
+   } else {
+     set GLOBAL_QRY_FILE "./sguild.queries"
+   }
+@@ -428,8 +428,8 @@
+ }
+ # Load report queries.
+ if { ![info exists REPORT_QRY_FILE] } {
+-  if { [file exists /etc/sguild/sguild.reports] } {
+-    set REPORT_QRY_FILE "/etc/sguild/sguild.reports"
++  if { [file exists /usr/local/etc/sguil-server/sguild.reports] } {
++    set REPORT_QRY_FILE "/usr/local/etc/sguil-server/sguild.reports"
+   } else {
+     set REPORT_QRY_FILE "./sguild.reports"
+   }
diff --git a/security/sguil-server/files/patch-sguild.access b/security/sguil-server/files/patch-sguild.access
new file mode 100644
index 000000000000..97d9becda0de
--- /dev/null
+++ b/security/sguil-server/files/patch-sguild.access
@@ -0,0 +1,12 @@
+--- sguild.access.orig	Tue Mar 28 03:36:31 2006
++++ sguild.access	Tue Mar 28 03:37:44 2006
+@@ -4,7 +4,8 @@
+ # This file is used by sguild for access control. It is read upon init  #
+ # or when sguild receives a HUP signal.                                 #
+ #                                                                       #
+-# By default, sguild will look first for /etc/sguild/sguild.access,     #
++# By default, sguild will look first for                                #
++# /usrlocal//etc/sguild/sguild.access,                                  #
+ # then ./sguild.access unless the -A /path/to/sguild.access switch      #
+ # is used.                                                              #
+ #                                                                       #
diff --git a/security/sguil-server/files/patch-sguild.conf b/security/sguil-server/files/patch-sguild.conf
new file mode 100644
index 000000000000..6ee211408a0b
--- /dev/null
+++ b/security/sguil-server/files/patch-sguild.conf
@@ -0,0 +1,41 @@
+*** sguild.conf.orig	Tue Mar 28 02:38:13 2006
+--- sguild.conf	Tue Mar 28 02:39:47 2006
+***************
+*** 2,6 ****
+  
+  # Path the sguild libs
+! set SGUILD_LIB_PATH ./lib
+  
+  # DEBUG 0=off 1=important stuff 2=everything.  Option 2 is VERY chatty.
+--- 2,6 ----
+  
+  # Path the sguild libs
+! set SGUILD_LIB_PATH /usr/local/lib/sguil-server/
+  
+  # DEBUG 0=off 1=important stuff 2=everything.  Option 2 is VERY chatty.
+***************
+*** 61,65 ****
+  # You MUST have tcpflow installed to get xscripts
+  # http://www.circlemud.org/~jelson/software/tcpflow/
+! set TCPFLOW "/usr/bin/tcpflow"
+  
+  # p0f - (C) Michal Zalewski <lcamtuf@gis.net>, William Stearns <wstearns@pobox.com>
+--- 61,65 ----
+  # You MUST have tcpflow installed to get xscripts
+  # http://www.circlemud.org/~jelson/software/tcpflow/
+! set TCPFLOW "/usr/local/bin/tcpflow"
+  
+  # p0f - (C) Michal Zalewski <lcamtuf@gis.net>, William Stearns <wstearns@pobox.com>
+***************
+*** 72,76 ****
+  # Path the the p0f binary. Switches -q and -s <filename> are appended on exec,
+  # add any others you may need here.
+! set P0F_PATH "/usr/sbin/p0f"
+  
+  # Email config moved to sguild.email 
+--- 72,76 ----
+  # Path the the p0f binary. Switches -q and -s <filename> are appended on exec,
+  # add any others you may need here.
+! set P0F_PATH "/usr/local/bin/p0f"
+  
+  # Email config moved to sguild.email 
diff --git a/security/sguil-server/files/pkg-message.in b/security/sguil-server/files/pkg-message.in
new file mode 100644
index 000000000000..533087757019
--- /dev/null
+++ b/security/sguil-server/files/pkg-message.in
@@ -0,0 +1,30 @@
+         ***********************************
+         * !!!!!!!!!!! WARNING !!!!!!!!!!! *
+         ***********************************
+
+If you had existing config files in %%PREFIX%%/etc/%%SGUILDIR%%
+they were not overwritten.  If this is a first time install, you
+must copy the sample files to the corresponding conf file and 
+edit the various config files for your site.  See the INSTALL
+doc in %%DOCSDIR%% for details.
+
+The sql scripts for creating database tables were placed in
+the %%PREFIX%%/share/%%SGUILDIR%%/ directory.  PLEASE 
+NOTE: LOG_DIR is not set by this install.  You MUST create the 
+correct LOG_DIRS and put a copy of the snort rules you use in 
+LOG_DIR/rules.
+
+The sguild, archive_sguildb.tcl and incident_report.tcl scripts
+were placed in %%PREFIX%%/bin/.  The incident_report.tcl
+script is from the contrib section.  There is no documentation
+and the script's variables must be edited before it is used.
+
+A startup script, named sguild.sh was installed in
+%%PREFIX%%/etc/rc.d/.  To enable it, edit /etc/rc.conf
+per the instructions in the script.
+
+For general questions, see the sguil faq: 
+http://sguil.sourceforge.net/index.php?page=faq
+For detailed install instructions see Richard Bejtlich's
+excellent guide at his blog: 
+http://taosecurity.blogspot.com/2006/03/new-sguil-scripts-and-vm-i-have-not.html
diff --git a/security/sguil-server/files/sguild.sh.in b/security/sguil-server/files/sguild.sh.in
new file mode 100644
index 000000000000..5b8255ee2e7a
--- /dev/null
+++ b/security/sguil-server/files/sguild.sh.in
@@ -0,0 +1,44 @@
+#!/bin/sh
+
+# PROVIDE: sguild
+# REQUIRE: DAEMON
+# KEYWORD: FreeBSD shutdown
+
+# Add the following lines to /etc/rc.conf to enable sguild:
+# sguild_enable (bool):		Set to YES to enable sguild
+# 				Default: NO
+# sguild_flags (str):		Extra flags passed to sguild
+#				Default: -D
+# sguild_conf (str):		Sguild configuration file
+#				Default: %%PREFIX%%/etc/%%SGUILDIR%%/sguild.conf
+
+. %%RC_SUBR%%
+
+name="sguild"
+rcvar=`set_rcvar`
+
+command="%%PREFIX%%/bin/${name}"
+procname="%%TCLSH%%"
+check_process="${command} /bin/sh"
+stop_cmd="sguild_stop"
+
+sguild_enable=${sguild_enable-NO}
+sguild_conf=${sguild_conf-%%PREFIX%%/etc/%%SGUILDIR%%/sguild.conf}
+sguild_flags=${sguild_flags--D}
+[ -n "$sguild_conf" ] && sguild_flags="$sguild_flags -c $sguild_conf"
+
+sguild_stop() {
+  if [ -z "${rc_pid}" ]; then
+    echo "${name} not running?"
+  else
+    echo "Stopping ${name}."
+    `/bin/kill -9 ${rc_pid}`
+    wait_for_pids "${rc_pid}"
+    if [ -f "/var/run/${name}.pid" ]; then
+      `rm -f /var/run/${name}.pid`
+    fi    
+  fi
+}
+
+load_rc_config ${name}
+run_rc_command "$1"
diff --git a/security/sguil-server/pkg-descr b/security/sguil-server/pkg-descr
new file mode 100644
index 000000000000..5a17c0a57b8d
--- /dev/null
+++ b/security/sguil-server/pkg-descr
@@ -0,0 +1,22 @@
+Sguil is an open source tool to implement Network 
+Security Monitoring (NSM).  NSM is the collection, 
+analysis, and escalation of indications and warnings 
+to detect and respond to intrusions.  NSM tools are 
+used more for network audit and specialized 
+applications than traditional alert-centric "intrusion 
+detection" systems.
+
+Want to learn more about Network Security Monitoring 
+(NSM)? Then check out Richard Bejtlich's recently 
+released book, The Tao of Network Security Monitoring: 
+Beyond Intrusion Detection. An excerpt reads:
+
+"Network security monitoring (NSM) equips security 
+staff to deal with the inevitable consequences of too 
+few resources and too many responsibilities. NSM collects 
+the data needed to generate better assessment, detection, 
+and response processes--resulting in decreased impact from 
+unauthorized activities."
+
+WWW: http://sguil.sourceforge.net/index.php
+pauls@utdallas.edu
diff --git a/security/sguil-server/pkg-plist b/security/sguil-server/pkg-plist
new file mode 100644
index 000000000000..57c73c729ae5
--- /dev/null
+++ b/security/sguil-server/pkg-plist
@@ -0,0 +1,41 @@
+bin/archive_sguildb.tcl
+bin/incident_report.tcl
+bin/sguild
+etc/%%SGUILDIR%%/autocat.conf-sample
+etc/%%SGUILDIR%%/sguild.access-sample
+etc/%%SGUILDIR%%/sguild.conf-sample
+etc/%%SGUILDIR%%/sguild.email-sample
+etc/%%SGUILDIR%%/sguild.queries-sample
+etc/%%SGUILDIR%%/sguild.reports-sample
+etc/%%SGUILDIR%%/sguild.users-sample
+lib/%%SGUILDIR%%/SguildAccess.tcl
+lib/%%SGUILDIR%%/SguildAutoCat.tcl
+lib/%%SGUILDIR%%/SguildClientCmdRcvd.tcl
+lib/%%SGUILDIR%%/SguildConnect.tcl
+lib/%%SGUILDIR%%/SguildCreateDB.tcl
+lib/%%SGUILDIR%%/SguildEmailEvent.tcl
+lib/%%SGUILDIR%%/SguildEvent.tcl
+lib/%%SGUILDIR%%/SguildGenericDB.tcl
+lib/%%SGUILDIR%%/SguildHealthChecks.tcl
+lib/%%SGUILDIR%%/SguildLoaderd.tcl
+lib/%%SGUILDIR%%/SguildMysqlMerge.tcl
+lib/%%SGUILDIR%%/SguildQueryd.tcl
+lib/%%SGUILDIR%%/SguildReportBuilder.tcl
+lib/%%SGUILDIR%%/SguildSendComms.tcl
+lib/%%SGUILDIR%%/SguildSensorAgentComms.tcl
+lib/%%SGUILDIR%%/SguildSensorCmdRcvd.tcl
+lib/%%SGUILDIR%%/SguildTranscript.tcl
+lib/%%SGUILDIR%%/SguildUtils.tcl
+share/%%SGUILDIR%%/create_ruledb.sql
+share/%%SGUILDIR%%/create_sguildb.sql
+share/%%SGUILDIR%%/migrate_event.tcl
+share/%%SGUILDIR%%/migrate_sancp.tcl
+share/%%SGUILDIR%%/update_sguildb_v5-v6.sql
+share/%%SGUILDIR%%/update_sguildb_v6-v7.sql
+share/%%SGUILDIR%%/update_sguildb_v7-v8.sql
+share/%%SGUILDIR%%/update_sguildb_v8-v9.sql
+share/%%SGUILDIR%%/update_sguildb_v9-v10.sql
+share/%%SGUILDIR%%/update_sguildb_v10-v11.sql
+@dirrm share/%%SGUILDIR%%
+@unexec if [ ! -f %D/etc/%%SGUILDIR%%/sguild.conf ] ; then rmdir %D/etc/%%SGUILDIR%%; fi
+@dirrm lib/%%SGUILDIR%%