-rw-r--r-- | security/sguil-sensor/Makefile | 115 | ||||
-rw-r--r-- | security/sguil-sensor/distinfo | 4 | ||||
-rw-r--r-- | security/sguil-sensor/files/log_packets.conf | 35 | ||||
-rw-r--r-- | security/sguil-sensor/files/pads_agent.in | 50 | ||||
-rw-r--r-- | security/sguil-sensor/files/patch-log_packets.sh | 50 | ||||
-rw-r--r-- | security/sguil-sensor/files/patch-ossec_agent.tcl | 30 | ||||
-rw-r--r-- | security/sguil-sensor/files/patch-pads_agent.tcl | 39 | ||||
-rw-r--r-- | security/sguil-sensor/files/patch-pcap_agent-sancp.tcl | 35 | ||||
-rw-r--r-- | security/sguil-sensor/files/patch-pcap_agent.tcl | 35 | ||||
-rw-r--r-- | security/sguil-sensor/files/patch-sancp_agent.tcl | 30 | ||||
-rw-r--r-- | security/sguil-sensor/files/patch-snort_agent.tcl | 35 | ||||
-rw-r--r-- | security/sguil-sensor/files/pcap_agent-sancp.in | 32 | ||||
-rw-r--r-- | security/sguil-sensor/files/pcap_agent.in | 14 | ||||
-rw-r--r-- | security/sguil-sensor/files/pkg-message.in | 25 | ||||
-rw-r--r-- | security/sguil-sensor/files/sancp_agent.in | 14 | ||||
-rw-r--r-- | security/sguil-sensor/files/snort_agent.in | 14 | ||||
-rw-r--r-- | security/sguil-sensor/pkg-descr | 3 | ||||
-rw-r--r-- | security/sguil-sensor/pkg-plist | 36 |
18 files changed, 400 insertions, 196 deletions
diff --git a/security/sguil-sensor/Makefile b/security/sguil-sensor/Makefile index da3859115d6e..c52c88e41e3d 100644 --- a/security/sguil-sensor/Makefile +++ b/security/sguil-sensor/Makefile @@ -1,13 +1,8 @@ -# New ports collection makefile for: sguil-sensor -# Date created: 23 Mar 2006 -# Whom: Paul Schmehl <pauls@utdallas.edu> -# +# Created by: Paul Schmehl <pauls@utdallas.edu> # $FreeBSD$ -# PORTNAME= sguil-sensor -PORTVERSION= 0.7.0 -PORTREVISION= 3 +PORTVERSION= 0.8.0 CATEGORIES= security MASTER_SITES= SF/sguil/sguil/sguil-${PORTVERSION} 
@@ -15,104 +10,108 @@ MAINTAINER= pauls@utdallas.edu COMMENT= Sguil is a network security monitoring program LIB_DEPENDS= tls:${PORTSDIR}/devel/tcltls -RUN_DEPENDS= snort:${PORTSDIR}/security/snort \ - barnyard2:${PORTSDIR}/security/barnyard2 \ +RUN_DEPENDS= barnyard2:${PORTSDIR}/security/barnyard2-sguil \ ${LOCALBASE}/lib/tclx8.4/tclx.tcl:${PORTSDIR}/lang/tclX -OPTIONS= SANCP "Include sancp sensor" off \ - PADS "Include pads sensor" off +OPTIONS_DEFINE= PADS SANCP +PADS_DESC= Include pads sensor +SANCP_DESC= Include sancp sensor + +LICENSE_NAME= QPLv1.0 +LICENSE_FILE= ${WRKSRC}/doc/LICENSE.QPL +LICENSE_PERMS= auto-accept NO_BUILD= yes -USE_RC_SUBR= example_agent pcap_agent snort_agent -TCLSH_CMD?= tclsh8.4 +USE_RC_SUBR= pcap_agent snort_agent +TCL_VER= 8.5 +TCLSH= tclsh${TCL_VER} WRKSRC= ${WRKDIR}/sguil-${PORTVERSION} -SUB_LIST= SGUILDIR=${SGUILDIR} +PATCH_WRKSRC= ${WRKSRC}/sensor +SGUILDIR?= sguil-sensor +SUB_LIST= SGUILDIR=${SGUILDIR} TCLSH=${TCLSH} SUB_FILES= pkg-message PLIST_SUB= SGUILDIR=${SGUILDIR} -SGUILDIR?= sguil-sensor -AGENTS= example_agent.tcl pads_agent.tcl pcap_agent.tcl sancp_agent.tcl snort_agent.tcl - -PORTDOCS= CHANGES FAQ INSTALL INSTALL.openbsd LICENSE.QPL \ - OPENSSL.README TODO UPGRADE USAGE sguildb.dia +AGENTS= pcap_agent.tcl snort_agent.tcl +CONFS= pcap_agent.conf snort_agent.conf +LOG_SCRIPTS= log_packets-daemonlogger.sh log_packets.sh +WITH_PCRE= true -.include <bsd.port.pre.mk> +PORTDOCS1= README +PORTDOCS2= README.daemonlogger +PORTDOCS3= CHANGES FAQ INSTALL INSTALL.openbsd OPENSSL.README \ + TODO UPGRADE USAGE sguildb.dia -WITH_PCRE= true +.include <bsd.port.options.mk> -.if defined(WITH_SANCP) +.if ${PORT_OPTIONS:MSANCP} +AGENTS+= sancp_agent.tcl pcap_agent-sancp.tcl +CONFS+= sancp_agent.conf sancp-indexed.conf pcap_agent-sancp.conf RUN_DEPENDS+= sancp:${PORTSDIR}/security/sancp -USE_RC_SUBR+= sancp_agent -PLIST_SUB+= USESANCP= +USE_RC_SUBR+= sancp_agent pcap_agent-sancp +PLIST_SUB+= USESANCP="" .else PLIST_SUB+= USESANCP="@comment " 
.endif -.if defined(WITH_PADS) +.if ${PORT_OPTIONS:MPADS} +AGENTS+= pads_agent.tcl +CONFS+= pads_agent.conf RUN_DEPENDS+= pads:${PORTSDIR}/net-mgmt/pads USE_RC_SUBR+= pads_agent -PLIST_SUB+= USEPADS= +PLIST_SUB+= USEPADS="" .else PLIST_SUB+= USEPADS="@comment " .endif post-patch: .for f in ${AGENTS} - @${REINPLACE_CMD} -e 's:exec tclsh:exec ${PREFIX}/bin/${TCLSH_CMD}:g' \ - ${WRKSRC}/sensor/${f} - @${REINPLACE_CMD} -e 's:/etc/:${PREFIX}/etc/${SGUILDIR}/:g' \ + @${REINPLACE_CMD} 's|/bin/sh|${PREFIX}/bin/${TCLSH}|' \ ${WRKSRC}/sensor/${f} .endfor do-install: @${MKDIR} ${PREFIX}/bin/${SGUILDIR} @${MKDIR} ${PREFIX}/etc/${SGUILDIR} -.for f in example_agent.tcl pcap_agent.tcl snort_agent.tcl + @${MKDIR} ${PREFIX}/share/${SGUILDIR} + @${MKDIR} ${PREFIX}/share/${SGUILDIR}/contrib + @${MKDIR} ${PREFIX}/share/${SGUILDIR}/init + (cd ${WRKSRC}/sensor/contrib && ${COPYTREE_SHARE} \* ${PREFIX}/share/${SGUILDIR}/contrib "! -name ossec_agent.tcl.orig") + (cd ${WRKSRC}/sensor/init && ${COPYTREE_SHARE} \* ${PREFIX}/share/${SGUILDIR}/init) +.for f in ${AGENTS} ${INSTALL_SCRIPT} -m 751 ${WRKSRC}/sensor/${f} \ ${PREFIX}/bin/${SGUILDIR}/${f} .endfor -.for f in log_packets.sh +.for f in ${LOG_SCRIPTS} ${INSTALL_SCRIPT} -m 751 ${WRKSRC}/sensor/${f} \ ${PREFIX}/bin/${SGUILDIR}/${f} .endfor -.for f in example_agent.conf pcap_agent.conf snort_agent.conf +.for f in ${CONFS} ${INSTALL_DATA} ${WRKSRC}/sensor/${f} \ ${PREFIX}/etc/${SGUILDIR}/${f}-sample .endfor -.for f in log_packets.conf - ${INSTALL_DATA} ${FILESDIR}/${f} \ - ${PREFIX}/etc/${SGUILDIR}/${f}-sample -.endfor -.if defined(WITH_SANCP) -.for f in sancp_agent.conf - ${INSTALL_DATA} ${WRKSRC}/sensor/${f} \ - ${PREFIX}/etc/${SGUILDIR}/${f}-sample +.if ${PORT_OPTIONS:MSANCP} +.for f in log_packets-sancp.sh + ${INSTALL_SCRIPT} -m 751 ${WRKSRC}/sensor/${f} \ + ${PREFIX}/bin/${SGUILDIR}/${f} .endfor .for f in sancp.conf ${INSTALL_DATA} ${WRKSRC}/sensor/sancp/${f} \ - ${PREFIX}/etc/${f}-sample -.endfor -.for f in sancp_agent.tcl - 
${INSTALL_SCRIPT} ${WRKSRC}/sensor/${f} \ - ${PREFIX}/bin/${SGUILDIR}/${f} -.endfor -.endif -.if defined(WITH_PADS) -.for f in pads_agent.conf - ${INSTALL_DATA} ${WRKSRC}/sensor/${f} \ ${PREFIX}/etc/${SGUILDIR}/${f}-sample .endfor -.for f in pads_agent.tcl - ${INSTALL_SCRIPT} ${WRKSRC}/sensor/${f} \ - ${PREFIX}/bin/${SGUILDIR}/${f} -.endfor .endif post-install: -.if !defined(NOPORTDOCS) +.if ${PORT_OPTIONS:MDOCS} @${MKDIR} ${DOCSDIR} - cd ${WRKSRC}/doc && ${INSTALL_DATA} \ - ${PORTDOCS} ${DOCSDIR} + cd ${WRKSRC} && ${INSTALL_DATA} ${PORTDOCS1} ${DOCSDIR} + cd ${WRKSRC}/sensor && ${INSTALL_DATA} ${PORTDOCS2} ${DOCSDIR} + cd ${WRKSRC}/doc && ${INSTALL_DATA} ${PORTDOCS3} ${DOCSDIR} +.if ${PORT_OPTIONS:MSANCP} +.for f in README.sancp_indexed_pcap + cd ${WRKSRC}/sensor && ${INSTALL_DATA} ${f} ${DOCSDIR} +.endfor +.endif .endif @${CAT} ${PKGMESSAGE} -.include <bsd.port.post.mk> +.include <bsd.port.mk> diff --git a/security/sguil-sensor/distinfo b/security/sguil-sensor/distinfo index 2ee618d5c14d..88953e35d324 100644 --- a/security/sguil-sensor/distinfo +++ b/security/sguil-sensor/distinfo @@ -1,2 +1,2 @@ -SHA256 (sguil-sensor-0.7.0.tar.gz) = c6f08b031df9de942fc38b35a4bfc7db13357e61b7290b526bad66fcbe3e4f3b -SIZE (sguil-sensor-0.7.0.tar.gz) = 68436 +SHA256 (sguil-sensor-0.8.0.tar.gz) = aa4617c4f9cf1d598c6d728afed50cd6f90dc5d1516a6eda8126401b7bba4be5 +SIZE (sguil-sensor-0.8.0.tar.gz) = 142829 diff --git a/security/sguil-sensor/files/log_packets.conf b/security/sguil-sensor/files/log_packets.conf deleted file mode 100644 index 64198df51392..000000000000 --- a/security/sguil-sensor/files/log_packets.conf +++ /dev/null 
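Review bot: The new post-patch rewrite `${REINPLACE_CMD} 's|/bin/sh|${PREFIX}/bin/${TCLSH}|'` is unanchored, so it replaces the first `/bin/sh` on every line of each agent rather than only the `#!/bin/sh` interpreter line that the removed `exec tclsh "$0" "$@"` trampoline depended on; anchor it to the shebang with `'1s|^#!/bin/sh$|#!${PREFIX}/bin/${TCLSH}|'`. The loop also covers only ${AGENTS}, while files/patch-ossec_agent.tcl strips the same trampoline from sensor/contrib/ossec_agent/ossec_agent.tcl, which COPYTREE_SHARE then installs under share/${SGUILDIR}/contrib still carrying a plain `#!/bin/sh` and so no longer runnable as a script; either add that path to the loop or leave its trampoline alone. `WITH_PCRE= true` appears to have no consumer in this file after the rewrite and can probably be dropped.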
@@ -1,35 +0,0 @@ -# Conf file for the log_packets script -# Make sure you verify the location of -# each of the binaries on your OS - -# Edit these for your setup - -# Sensors hostname. -# Note: If running multiple snort instances, then this must be different -# for each instance (ie sensor1, sensor2, sensor-eth0, sensor-eth1, etc) -HOSTNAME="myhost" -# Path to snort binary -SNORT_PATH="/usr/local/bin/snort" -# Directory to log pcap data to (date dirs will be created in here) -# Note: The path $HOSTNAME/dailylogs, will be appended to this. -LOG_DIR="/snort_data" -# Percentage of disk to try and maintain -MAX_DISK_USE=90 -# Interface to 'listen' to. -INTERFACE="eth0" -# Other options to use when starting snort -#OPTIONS="-u sguil -g sguil -m 122" -# Where to store the pid -PIDFILE="/var/run/snort_log-${HOSTNAME}.pid" -# How do we run ps -PS="ps awx" -# Where is grep -GREP="/usr/bin/grep" -#Add BPFs here. -#The below is an example of a filter for ignoring outbound HTTP from my network -# to the world. -#FILTER='not \( src net 67.11.255.148/32 and dst port 80 and "tcp[0:2] > 1024" \) and not \( src port 80 and dst net 67.11.255.148/32 and "tcp[2:2] > 1024"\)' - -#Some installs may need these -#LD_LIBRARY_PATH=/usr/local/lib/mysql -#export LD_LIBRARY_PATH diff --git a/security/sguil-sensor/files/pads_agent.in b/security/sguil-sensor/files/pads_agent.in index 757f03ee2e35..b1ef894abd5d 100644 --- a/security/sguil-sensor/files/pads_agent.in +++ b/security/sguil-sensor/files/pads_agent.in 
@@ -16,19 +16,51 @@ . /etc/rc.subr -load_rc_config pads_agent +name="pads_agent" +rcvar=${name}_enable +load_rc_config ${name} #set defaults -pads_agent_enable=${pads_agent_enable:-"NO"} -pads_agent_conf=${pads_agent_conf:-"%%PREFIX%%/etc/%%SGUILDIR%%/pads_agent.conf"} -pads_agent_flags=${pads_agent_flags:-"-D"} +: ${pads_agent_enable:="NO"} +: ${pads_agent_conf:="%%PREFIX%%/etc/%%SGUILDIR%%/pads_agent.conf"} +: ${pads_agent_flags:="-D -c ${pads_agent_conf}"} -name="pads_agent" -rcvar=pads_agent_enable command="%%PREFIX%%/bin/%%SGUILDIR%%/pads_agent.tcl" -command_args="-c ${pads_agent_conf} ${pads_agent_flags}" -procname="%%PREFIX%%/bin/tclsh8.4" +procname="%%PREFIX%%/bin/%%TCLSH%%" pidfile="/var/run/${name}.pid" -check_pidfile="${pidfile} ${procname} /bin/sh" + +start_precmd="pads_agent_ck4fifo" +stop_postcmd="pads_agent_rmfifo" + +pads_agent_ck4fifo() +{ + LOG_DIR=`grep "LOG_DIR " ${pads_agent_conf} | awk '{print $3}'` + HOSTNAME=`grep "HOSTNAME " ${pads_agent_conf} | awk '{print $3}'` + PADS_FIFO=${LOG_DIR}/${HOSTNAME}/pads.fifo + + if [ ! -p ${PADS_FIFO} ]; then + echo "${PADS_FIFO} does not exist. Creating now....." + /usr/bin/mkfifo ${PADS_FIFO} + fi + echo "Checking for ${PADS_FIFO}...." + if [ -p ${PADS_FIFO} ]; then + echo "Confirmed! ${PADS_FIFO} exists." + else + echo "I tried to create ${PADS_FIFO} and failed." + echo "You will need to create it manually before starting ${name}." + fi +} + +pads_agent_rmfifo() +{ + LOG_DIR=`grep "LOG_DIR " ${pads_agent_conf} | awk '{print $3}'` + HOSTNAME=`grep "HOSTNAME " ${pads_agent_conf} | awk '{print $3}'` + PADS_FIFO=${LOG_DIR}/${HOSTNAME}/pads.fifo + + if [ -p ${PADS_FIFO} ]; then + /bin/rm ${PADS_FIFO} + echo "Removing ${PADS_FIFO}...." + fi +} run_rc_command "$1" diff --git a/security/sguil-sensor/files/patch-log_packets.sh b/security/sguil-sensor/files/patch-log_packets.sh deleted file mode 100644 index 25db8524772a..000000000000 --- a/security/sguil-sensor/files/patch-log_packets.sh +++ /dev/null 
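Review bot: `pads_agent_ck4fifo` and `pads_agent_rmfifo` derive the FIFO path with `grep "LOG_DIR " ... | awk '{print $3}'`, which matches any line containing that text (a comment mentioning LOG_DIR, or a second definition) and then yields an empty or multi-word path, so the unquoted `mkfifo ${PADS_FIFO}` and `rm ${PADS_FIFO}` operate on an unintended name. Judging from the `$3` field the conf holds Tcl `set NAME value` lines, so select on that and refuse to start when nothing is found: `LOG_DIR=$(awk '$1 == "set" && $2 == "LOG_DIR" { print $3; exit }' "${pads_agent_conf}")`, the same for HOSTNAME, then `[ -n "${LOG_DIR}" ] && [ -n "${HOSTNAME}" ] || return 1`, and quote the expansions. The precmd prints "You will need to create it manually before starting" but still returns 0, so the agent starts without its FIFO; returning 1 there lets rc.subr abort the start. The lookup is duplicated verbatim in both functions and belongs in one shared helper.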
@@ -1,50 +0,0 @@ ---- sensor/log_packets.sh.orig 2008-04-03 22:16:22.000000000 -0500 -+++ sensor/log_packets.sh 2008-04-03 22:22:20.000000000 -0500 -@@ -22,38 +22,16 @@ - # # - ############################################################## - -+# You shouldn't need to edit anything in this script - --# Edit these for your setup -- --# Sensors hostname. --# Note: If running multiple snort instances, then this must be different --# for each instance (ie sensor1, sensor2, sensor-eth0, sensor-eth1, etc) --HOSTNAME="myhost" --# Path to snort binary --SNORT_PATH="/usr/local/bin/snort" --# Directory to log pcap data to (date dirs will be created in here) --# Note: The path $HOSTNAME/dailylogs, will be appended to this. --LOG_DIR="/snort_data" --# Percentage of disk to try and maintain --MAX_DISK_USE=90 --# Interface to 'listen' to. --INTERFACE="eth0" --# Other options to use when starting snort --#OPTIONS="-u sguil -g sguil -m 122" --# Where to store the pid --PIDFILE="/var/run/snort_log-${HOSTNAME}.pid" --# How do we run ps --PS="ps awx" --# Where is grep --GREP="/usr/bin/grep" --#Add BPFs here. --#The below is an example of a filter for ignoring outbound HTTP from my network --# to the world. --#FILTER='not \( src net 67.11.255.148/32 and dst port 80 and "tcp[0:2] > 1024" \) and not \( src port 80 and dst net 67.11.255.148/32 and "tcp[2:2] > 1024"\)' -- --#Some installs may need these --#LD_LIBRARY_PATH=/usr/local/lib/mysql --#export LD_LIBRARY_PATH -+CONF=/usr/local/etc/sguil-sensor/log_packets.conf -+if [ -r ${CONF} ]; then -+ . ${CONF} -+else -+ echo "Your conf file is either missing or the path " -+ echo "in the log_packets.sh script is incorrect." -+ exit 1 -+fi - - TZ=GMT - export TZ diff --git a/security/sguil-sensor/files/patch-ossec_agent.tcl b/security/sguil-sensor/files/patch-ossec_agent.tcl new file mode 100644 index 000000000000..055eb96f5a79 --- /dev/null +++ b/security/sguil-sensor/files/patch-ossec_agent.tcl 
@@ -0,0 +1,30 @@ +--- contrib/ossec_agent/ossec_agent.tcl.orig 2012-12-17 22:47:18.000000000 +0000 ++++ contrib/ossec_agent/ossec_agent.tcl 2012-12-17 22:48:45.000000000 +0000 +@@ -1,6 +1,4 @@ + #!/bin/sh +-# Run tcl from users PATH \ +-exec tclsh "$0" "$@" + + # OSSEC agent for Sguil 0.7.0. Based on the "example_agent.tcl" code + # distributed with sguil. +@@ -593,9 +591,9 @@ + if { ![info exists CONF_FILE] } { + + # No conf file specified check the defaults +- if { [file exists /etc/ossec_agent.conf] } { ++ if { [file exists /usr/local/etc/sguil-sensor/ossec_agent.conf] } { + +- set CONF_FILE /etc/ossec_agent.conf ++ set CONF_FILE /usr/local/etc/sguil-sensor/ossec_agent.conf + + } elseif { [file exists ./ossec_agent.conf] } { + +@@ -604,7 +602,7 @@ + } else { + + puts "Couldn't determine where the ossec_agent.tcl config file is" +- puts "Looked for /etc/ossec_agent.conf and ./ossec_agent.conf." ++ puts "Looked for /usr/local/etc/sguil-sensor/ossec_agent.conf and ./ossec_agent.conf." + DisplayUsage $argv0 + + } diff --git a/security/sguil-sensor/files/patch-pads_agent.tcl b/security/sguil-sensor/files/patch-pads_agent.tcl new file mode 100644 index 000000000000..ba35aadbcd14 --- /dev/null +++ b/security/sguil-sensor/files/patch-pads_agent.tcl 
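Review bot: The first hunk removes the `exec tclsh "$0" "$@"` trampoline from contrib/ossec_agent/ossec_agent.tcl, but unlike the agents in ${AGENTS} this file is not in the Makefile's post-patch `/bin/sh` rewrite loop, so the copy installed under share/%%SGUILDIR%%/contrib keeps a `#!/bin/sh` interpreter line and is no longer runnable as a script. Either drop that hunk for the contrib agent or add `contrib/ossec_agent/ossec_agent.tcl` to the rewrite. The new default `/usr/local/etc/sguil-sensor/ossec_agent.conf` also hardcodes PREFIX and SGUILDIR, both of which the port allows to be overridden (`SGUILDIR?= sguil-sensor`), and the port installs ossec_agent.conf under share/.../contrib rather than there, so the default is a dead path; substituting `${PREFIX}/etc/${SGUILDIR}` with REINPLACE_CMD at post-patch time, as the 0.7.0 port did, keeps the two in step.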
@@ -0,0 +1,39 @@ +--- pads_agent.tcl.orig 2012-12-19 21:25:26.000000000 +0000 ++++ pads_agent.tcl 2012-12-19 21:27:37.000000000 +0000 +@@ -1,6 +1,4 @@ + #!/bin/sh +-# Run tcl from users PATH \ +-exec tclsh "$0" "$@" + + # $Id: pads_agent.tcl,v 1.13 2011/02/17 02:55:48 bamm Exp $ # + +@@ -332,7 +330,7 @@ + id process group set + if {[fork]} {exit 0} + set PID [id process] +- if { ![info exists PID_FILE] } { set PID_FILE "/var/run/sensor_agent.pid" } ++ if { ![info exists PID_FILE] } { set PID_FILE "/var/run/pads_agent.pid" } + set PID_DIR [file dirname $PID_FILE] + if { ![file exists $PID_DIR] || ![file isdirectory $PID_DIR] || ![file writable $PID_DIR] } { + puts "ERROR: Directory $PID_DIR does not exists or is not writable." +@@ -380,16 +378,16 @@ + } + } + # Parse the config file here +-# Default location is /etc/pads_agent.conf or pwd ++# Default location is /usr/local/etc/sguil-sensor/pads_agent.conf or pwd + if { ![info exists CONF_FILE] } { + # No conf file specified check the defaults +- if { [file exists /etc/pads_agent.conf] } { +- set CONF_FILE /etc/pads_agent.conf ++ if { [file exists /usr/local/etc/sguil-sensor/pads_agent.conf] } { ++ set CONF_FILE /usr/local/etc/sguil-sensor/pads_agent.conf + } elseif { [file exists ./pads_agent.conf] } { + set CONF_FILE ./pads_agent.conf + } else { + puts "Couldn't determine where the sensor_agent.tcl config file is" +- puts "Looked for /etc/pads_agent.conf and ./pads_agent.conf." ++ puts "Looked for /usr/local/etc/sguil-sensor/pads_agent.conf and ./pads_agent.conf." + DisplayUsage $argv0 + } + } diff --git a/security/sguil-sensor/files/patch-pcap_agent-sancp.tcl b/security/sguil-sensor/files/patch-pcap_agent-sancp.tcl new file mode 100644 index 000000000000..5299ef6ca03e --- /dev/null +++ b/security/sguil-sensor/files/patch-pcap_agent-sancp.tcl 
@@ -0,0 +1,35 @@ +--- pcap_agent-sancp.tcl.orig 2012-12-17 22:36:43.000000000 +0000 ++++ pcap_agent-sancp.tcl 2012-12-17 22:38:22.000000000 +0000 +@@ -1,6 +1,4 @@ + #!/bin/sh +-# Run tcl from users PATH \ +-exec tclsh "$0" "$@" + + # $Id: pcap_agent-sancp.tcl,v 1.2 2008/05/29 19:25:50 hanashi Exp $ # + +@@ -754,13 +752,13 @@ + } + + # Parse the config file here +-# Default location is /etc/pcap_agent.conf or pwd ++# Default location is /usr/local/etc/sguil-sensor/pcap_agent.conf or pwd + if { ![info exists CONF_FILE] } { + + # No conf file specified check the defaults +- if { [file exists /etc/pcap_agent.conf] } { ++ if { [file exists /usr/local/etc/sguil-sensor/pcap_agent.conf] } { + +- set CONF_FILE /etc/pcap_agent.conf ++ set CONF_FILE /usr/local/etc/sguil-sensor/pcap_agent.conf + + } elseif { [file exists ./pcap_agent.conf] } { + +@@ -769,7 +767,7 @@ + } else { + + puts "Couldn't determine where the pcap_agent.tcl config file is" +- puts "Looked for /etc/pcap_agent.conf and ./pcap_agent.conf." ++ puts "Looked for /usr/local/etc/sguil-sensor/pcap_agent.conf and ./pcap_agent.conf." + DisplayUsage $argv0 + + } diff --git a/security/sguil-sensor/files/patch-pcap_agent.tcl b/security/sguil-sensor/files/patch-pcap_agent.tcl new file mode 100644 index 000000000000..be279eb7a309 --- /dev/null +++ b/security/sguil-sensor/files/patch-pcap_agent.tcl 
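Review bot: The default config path written by this hunk, `/usr/local/etc/sguil-sensor/pcap_agent.conf`, is the plain pcap_agent's file, while the port installs this agent's configuration as `etc/%%SGUILDIR%%/pcap_agent-sancp.conf-sample` and the rc script passes `-c .../pcap_agent-sancp.conf`; started without `-c` the sancp variant would silently read the non-sancp agent's settings. Point the fallback at the matching file, `set CONF_FILE /usr/local/etc/sguil-sensor/pcap_agent-sancp.conf`, and adjust the usage text and the `./pcap_agent.conf` fallback to match. The pcap_agent.conf name is inherited from upstream, so if keeping it is intentional a one-line comment saying why would save the next reader the same question.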
@@ -0,0 +1,35 @@ +--- pcap_agent.tcl.orig 2012-12-17 22:31:44.000000000 +0000 ++++ pcap_agent.tcl 2012-12-17 22:42:50.000000000 +0000 +@@ -1,6 +1,4 @@ + #!/bin/sh +-# Run tcl from users PATH \ +-exec tclsh "$0" "$@" + + # $Id: pcap_agent.tcl,v 1.13 2011/03/10 22:03:33 bamm Exp $ # + +@@ -771,13 +769,13 @@ + } + + # Parse the config file here +-# Default location is /etc/pcap_agent.conf or pwd ++# Default location is /usr/local/etc/sguil-sensor/pcap_agent.conf or pwd + if { ![info exists CONF_FILE] } { + + # No conf file specified check the defaults +- if { [file exists /etc/pcap_agent.conf] } { ++ if { [file exists /usr/local/etc/sguil-sensor/pcap_agent.conf] } { + +- set CONF_FILE /etc/pcap_agent.conf ++ set CONF_FILE /usr/local/etc/sguil-sensor/pcap_agent.conf + + } elseif { [file exists ./pcap_agent.conf] } { + +@@ -786,7 +784,7 @@ + } else { + + puts "Couldn't determine where the pcap_agent.tcl config file is" +- puts "Looked for /etc/pcap_agent.conf and ./pcap_agent.conf." ++ puts "Looked for /usr/local/etc/sguil-sensor/pcap_agent.conf and ./pcap_agent.conf." + DisplayUsage $argv0 + + } diff --git a/security/sguil-sensor/files/patch-sancp_agent.tcl b/security/sguil-sensor/files/patch-sancp_agent.tcl new file mode 100644 index 000000000000..7facc81230bd --- /dev/null +++ b/security/sguil-sensor/files/patch-sancp_agent.tcl 
@@ -0,0 +1,30 @@ +--- sancp_agent.tcl.orig 2012-12-17 22:43:39.000000000 +0000 ++++ sancp_agent.tcl 2012-12-17 22:44:56.000000000 +0000 +@@ -1,6 +1,4 @@ + #!/bin/sh +-# Run tcl from users PATH \ +-exec tclsh "$0" "$@" + + # $Id: sancp_agent.tcl,v 1.15 2011/03/10 22:03:33 bamm Exp $ # + +@@ -582,16 +580,16 @@ + } + } + # Parse the config file here +-# Default location is /etc/sancp_agent.conf or pwd ++# Default location is /usr/local/etc/sguil-sensor/sancp_agent.conf or pwd + if { ![info exists CONF_FILE] } { + # No conf file specified check the defaults +- if { [file exists /etc/sancp_agent.conf] } { +- set CONF_FILE /etc/sancp_agent.conf ++ if { [file exists /usr/local/etc/sguil-sensor/sancp_agent.conf] } { ++ set CONF_FILE /usr/local/etc/sguil-sensor/sancp_agent.conf + } elseif { [file exists ./sancp_agent.conf] } { + set CONF_FILE ./sancp_agent.conf + } else { + puts "Couldn't determine where the sancp_agent.tcl config file is" +- puts "Looked for /etc/sancp_agent.conf and ./sancp_agent.conf." ++ puts "Looked for /usr/local/etc/sguil-sensor/sancp_agent.conf and ./sancp_agent.conf." + DisplayUsage $argv0 + } + } diff --git a/security/sguil-sensor/files/patch-snort_agent.tcl b/security/sguil-sensor/files/patch-snort_agent.tcl new file mode 100644 index 000000000000..a8cb13ce6853 --- /dev/null +++ b/security/sguil-sensor/files/patch-snort_agent.tcl 
@@ -0,0 +1,35 @@ +--- snort_agent.tcl.orig 2012-12-17 22:33:35.000000000 +0000 ++++ snort_agent.tcl 2012-12-17 22:39:39.000000000 +0000 +@@ -1,6 +1,4 @@ + #!/bin/sh +-# Run tcl from users PATH \ +-exec tclsh "$0" "$@" + + # $Id: snort_agent.tcl,v 1.9 2011/02/17 02:55:48 bamm Exp $ # + +@@ -680,13 +678,13 @@ + } + + # Parse the config file here +-# Default location is /etc/snort_agent.conf or pwd ++# Default location is /usr/local/etc/sguil-sensor/snort_agent.conf or pwd + if { ![info exists CONF_FILE] } { + + # No conf file specified check the defaults +- if { [file exists /etc/snort_agent.conf] } { ++ if { [file exists /usr/local/etc/sguil-sensor/snort_agent.conf] } { + +- set CONF_FILE /etc/snort_agent.conf ++ set CONF_FILE /usr/local/etc/sguil-sensor/snort_agent.conf + + } elseif { [file exists ./snort_agent.conf] } { + +@@ -695,7 +693,7 @@ + } else { + + puts "Couldn't determine where the snort_agent.tcl config file is" +- puts "Looked for /etc/snort_agent.conf and ./snort_agent.conf." ++ puts "Looked for /usr/local/etc/sguil-sensor/snort_agent.conf and ./snort_agent.conf." + DisplayUsage $argv0 + + } diff --git a/security/sguil-sensor/files/pcap_agent-sancp.in b/security/sguil-sensor/files/pcap_agent-sancp.in new file mode 100644 index 000000000000..24b53584dfc0 --- /dev/null +++ b/security/sguil-sensor/files/pcap_agent-sancp.in 
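Review bot: The replacement default `/usr/local/etc/sguil-sensor/snort_agent.conf` hardcodes both PREFIX and SGUILDIR, although the Makefile lets the user override SGUILDIR (`SGUILDIR?= sguil-sensor`) and installs the sample into `${PREFIX}/etc/${SGUILDIR}`; with a non-default value the agent's fallback and the path printed by its usage message name a file that does not exist, and the next fallback visible in the hunk is `./snort_agent.conf` from whatever directory the agent happens to be started in. The 0.7.0 port handled this with `REINPLACE_CMD -e 's:/etc/:${PREFIX}/etc/${SGUILDIR}/:g'` at post-patch time; limiting this patch to the trampoline removal and restoring that substitution keeps the compiled-in default in step with where the port installs. The same applies to the pcap_agent, pcap_agent-sancp, sancp_agent and pads_agent patches in this commit.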
@@ -0,0 +1,32 @@ +#!/bin/sh + +# $FreeBSD$ + +# PROVIDE: pcap_agent-sancp +# REQUIRE: DAEMON +# KEYWORD: shutdown + +# Add the following line to /etc/rc.conf to enable pcap_agent-sancp: +# pcap_agent-sancp_enable (bool): Set to YES to enable pcap_agent-sancp +# Default: NO +# pcap_agent-sancp_conf (str): Pads_agent configuration file +# Default: %%PREFIX%%/etc/%%SGUILDIR%%/pcap_agent-sancp.conf +# pcap_agent-sancp_flags (str): Default: -D +# + +. /etc/rc.subr + +name="pcap_agent-sancp" +rcvar=pcap_agent-sancp_enable +load_rc_config pcap_agent-sancp + +#set defaults +: ${pcap_agent-sancp_enable:="NO"} +: ${pcap_agent-sancp_conf:="%%PREFIX%%/etc/%%SGUILDIR%%/pcap_agent-sancp.conf"} +: ${pcap_agent-sancp_flags:="-D -c ${pcap_agent-sancp_conf}"} + +command="%%PREFIX%%/bin/%%SGUILDIR%%/pcap_agent-sancp.tcl" +procname="%%PREFIX%%/bin/%%TCLSH%%" +pidfile="/var/run/${name}.pid" + +run_rc_command "$1" diff --git a/security/sguil-sensor/files/pcap_agent.in b/security/sguil-sensor/files/pcap_agent.in index 264c2ab4b865..1307a2a4748f 100644 --- a/security/sguil-sensor/files/pcap_agent.in +++ b/security/sguil-sensor/files/pcap_agent.in @@ -16,19 +16,17 @@ . /etc/rc.subr +name="pcap_agent" +rcvar=pcap_agent_enable load_rc_config pcap_agent #set defaults -pcap_agent_enable=${pcap_agent_enable:-"NO"} -pcap_agent_conf=${pcap_agent_conf:-"%%PREFIX%%/etc/%%SGUILDIR%%/pcap_agent.conf"} -pcap_agent_flags=${pcap_agent_flags:-"-D"} +: ${pcap_agent_enable:="NO"} +: ${pcap_agent_conf:="%%PREFIX%%/etc/%%SGUILDIR%%/pcap_agent.conf"} +: ${pcap_agent_flags:="-D -c ${pcap_agent_conf}"} -name="pcap_agent" -rcvar=pcap_agent_enable command="%%PREFIX%%/bin/%%SGUILDIR%%/pcap_agent.tcl" -command_args="-c ${pcap_agent_conf} ${pcap_agent_flags}" -procname="%%PREFIX%%/bin/tclsh8.4" +procname="%%PREFIX%%/bin/%%TCLSH%%" pidfile="/var/run/${name}.pid" -check_pidfile="${pidfile} ${procname} /bin/sh" run_rc_command "$1" 
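Review bot: `name="pcap_agent-sancp"` cannot work with rc.subr because a hyphen is not valid in a shell variable name: `rcvar=pcap_agent-sancp_enable`, `: ${pcap_agent-sancp_enable:="NO"}` and the `_conf`/`_flags` lines parse as `${pcap_agent-word}` (default-value expansion of an unset `pcap_agent`), so none of the variables is ever assigned, and rc.subr's `eval \$${name}_flags` style lookups expand the same way; the service cannot be enabled and, if forced, would start with no `-c` argument. Use an underscore for the rc name and its variables while keeping the script filename: `name="pcap_agent_sancp"`, `rcvar=pcap_agent_sancp_enable`, and `: ${pcap_agent_sancp_conf:="%%PREFIX%%/etc/%%SGUILDIR%%/pcap_agent-sancp.conf"}` with the enable/flags lines to match. Update the header comment accordingly; it also still describes the conf variable as "Pads_agent configuration file".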
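Review bot: Folding `-c ${pcap_agent_conf}` into the default of `pcap_agent_flags` means any `pcap_agent_flags=` an administrator sets in rc.conf silently drops the config argument, and a `pcap_agent_conf=` override is then ignored; the agent falls back to its compiled-in path or to `./pcap_agent.conf` in the current directory. The removed `command_args="-c ${pcap_agent_conf} ${pcap_agent_flags}"` did not have this problem; keep `: ${pcap_agent_flags:="-D"}` and `command_args="-c ${pcap_agent_conf}"`, since rc.subr adds `${name}_flags` to the command line on its own. The same pattern is introduced in sancp_agent.in, snort_agent.in, pads_agent.in and pcap_agent-sancp.in in this commit.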
diff --git a/security/sguil-sensor/files/pkg-message.in b/security/sguil-sensor/files/pkg-message.in index b328081cd744..c75df8704dca 100644 --- a/security/sguil-sensor/files/pkg-message.in +++ b/security/sguil-sensor/files/pkg-message.in @@ -2,13 +2,11 @@ * !!!!!!!!!!! WARNING !!!!!!!!!!! * *********************************** -If you already had barnyard installed, this port will NOT deinstall -it and install the barnyard-sguil6 port instead. You will need to -deinstall the barnyard port and install the barnyard-sguil6 port yourself -instead. This port WILL NOT WORK without the barnyard-sguil6 port!! +If you already had barnyard2 installed, this port will NOT deinstall +it and install the barnyard2-sguil port instead. You will need to +deinstall the barnyard2 port and install the barnyard2-sguil port yourself +instead. This port WILL NOT WORK without the barnyard2-sguil port!! -You MUST edit the log_packets.conf file (located in %%PREFIX%%/etc/%%SGUILDIR%%) -to fit your configuration before running the log_packets.sh script. See the %%DOCSDIR%%/INSTALL doc for details on the configuration and for croning the script. 
@@ -16,13 +14,18 @@ WARNING!!! Sguil et al will fill up your /tmp directory very quickly. You should probably configure sguil et al to log to another partition/location (e.g. /nsm/tmp/). -You must ALSO edit all of the sensor conf fileis (located in +You must ALSO edit all of the sensor conf files (located in %%PREFIX%%/%%SGUILDIR%%/etc/) to reflect your configuration before starting the sensor_agents. +A number of ancilliary things have been installed in +%%PREFIX%%/share/%%SGUILDIR%%. + If you chose to run sancp, and you already had a sancp.conf file in %%PREFIX%%/etc, copy it to sancp.conf.orig before creating the new one. -The new sancp.conf-sample file contains the settings for squil. -If you still want to maintain the customized sancp.conf file, then copy -the new sancp.conf-sample file to sguild-sancp.conf (for example) and -add sancp_conf=%%PREFIX%%/etc/sguild-sancp.conf to /etc/rc.conf. +The new sancp.conf-sample file contains the settings for squil. NOTE: +the conf file is for sancp 1.5.3. It may need additional edits to work +with the current ports version of sancp. If you still want to maintain +the customized sancp.conf file, then copy the new sancp.conf-sample +file to sguild-sancp.conf (for example) and add +sancp_conf=%%PREFIX%%/etc/sguild-sancp.conf to /etc/rc.conf. diff --git a/security/sguil-sensor/files/sancp_agent.in b/security/sguil-sensor/files/sancp_agent.in index 7b93fd4f6c39..2ecfb27d8e87 100644 --- a/security/sguil-sensor/files/sancp_agent.in +++ b/security/sguil-sensor/files/sancp_agent.in 
@@ -16,19 +16,17 @@ . /etc/rc.subr +name="sancp_agent" +rcvar=sancp_agent_enable load_rc_config sancp_agent #set defaults -sancp_agent_enable=${sancp_agent_enable:-"NO"} -sancp_agent_conf=${sancp_agent_conf:-"%%PREFIX%%/etc/%%SGUILDIR%%/sancp_agent.conf"} -sancp_agent_flags=${sancp_agent_flags:-"-D"} +: ${sancp_agent_enable:="NO"} +: ${sancp_agent_conf:="%%PREFIX%%/etc/%%SGUILDIR%%/sancp_agent.conf"} +: ${sancp_agent_flags:="-D -c ${sancp_agent_conf}"} -name="sancp_agent" -rcvar=sancp_agent_enable command="%%PREFIX%%/bin/%%SGUILDIR%%/sancp_agent.tcl" -command_args="-c ${sancp_agent_conf} ${sancp_agent_flags}" -procname="%%PREFIX%%/bin/tclsh8.4" +procname="%%PREFIX%%/bin/%%TCLSH%%" pidfile="/var/run/${name}.pid" -check_pidfile="${pidfile} ${procname} /bin/sh" run_rc_command "$1" diff --git a/security/sguil-sensor/files/snort_agent.in b/security/sguil-sensor/files/snort_agent.in index 154f738118f7..28df9adb2ee9 100644 --- a/security/sguil-sensor/files/snort_agent.in +++ b/security/sguil-sensor/files/snort_agent.in @@ -16,19 +16,17 @@ . /etc/rc.subr +name="snort_agent" +rcvar=snort_agent_enable load_rc_config snort_agent #set defaults -snort_agent_enable=${snort_agent_enable:-"NO"} -snort_agent_conf=${snort_agent_conf:-"%%PREFIX%%/etc/%%SGUILDIR%%/snort_agent.conf"} -snort_agent_flags=${snort_agent_flags:-"-D"} +: ${snort_agent_enable:="NO"} +: ${snort_agent_conf:="%%PREFIX%%/etc/%%SGUILDIR%%/snort_agent.conf"} +: ${snort_agent_flags:="-D -c ${snort_agent_conf}"} -name="snort_agent" -rcvar=snort_agent_enable command="%%PREFIX%%/bin/%%SGUILDIR%%/snort_agent.tcl" -command_args="-c ${snort_agent_conf} ${snort_agent_flags}" -procname="%%PREFIX%%/bin/tclsh8.4" +procname="%%PREFIX%%/bin/%%TCLSH%%" pidfile="/var/run/${name}.pid" -check_pidfile="${pidfile} ${procname} /bin/sh" run_rc_command "$1" diff --git a/security/sguil-sensor/pkg-descr b/security/sguil-sensor/pkg-descr index 8158cec9a80a..8700cb449820 100644 --- a/security/sguil-sensor/pkg-descr 
+++ b/security/sguil-sensor/pkg-descr @@ -4,7 +4,7 @@ The actual interface and GUI server are written in tcl/tk (www.tcl.tk). Sguil also relies on other open source software in order to function properly. -The sensor list includes security/barnyard, security/snort, +The sensor list includes security/barnyard2-sguil, security/snort, security/sancp, net-mgmt/pads, tcpdump (a part of the OS) and devel/tcltls as well as lang/tcl84 and lang/tclX. Care has been taken to ensure that everything you need to build @@ -15,4 +15,3 @@ Sguil currently functions as an analysis interface and has rule management capabilities. WWW: http://sguil.sourceforge.net/index.php -pauls@utdallas.edu diff --git a/security/sguil-sensor/pkg-plist b/security/sguil-sensor/pkg-plist index 223cd0b37e4c..135ceb35bf63 100644 --- a/security/sguil-sensor/pkg-plist +++ b/security/sguil-sensor/pkg-plist 
@@ -1,15 +1,41 @@ +bin/%%SGUILDIR%%/log_packets-daemonlogger.sh bin/%%SGUILDIR%%/log_packets.sh -bin/%%SGUILDIR%%/example_agent.tcl bin/%%SGUILDIR%%/pcap_agent.tcl bin/%%SGUILDIR%%/snort_agent.tcl -etc/%%SGUILDIR%%/example_agent.conf-sample etc/%%SGUILDIR%%/pcap_agent.conf-sample etc/%%SGUILDIR%%/snort_agent.conf-sample -etc/%%SGUILDIR%%/log_packets.conf-sample +share/%%SGUILDIR%%/contrib/ossec_agent/README +share/%%SGUILDIR%%/contrib/ossec_agent/ossec_agent.conf +share/%%SGUILDIR%%/contrib/ossec_agent/ossec_agent.tcl +share/%%SGUILDIR%%/contrib/portscan_loader/Makefile +share/%%SGUILDIR%%/contrib/portscan_loader/portscan_loader.c +share/%%SGUILDIR%%/init/sensoragent +%%PORTDOCS%%%%DOCSDIR%%/CHANGES +%%PORTDOCS%%%%DOCSDIR%%/FAQ +%%PORTDOCS%%%%DOCSDIR%%/INSTALL +%%PORTDOCS%%%%DOCSDIR%%/INSTALL.openbsd +%%PORTDOCS%%%%DOCSDIR%%/OPENSSL.README +%%PORTDOCS%%%%DOCSDIR%%/README +%%PORTDOCS%%%%DOCSDIR%%/TODO +%%PORTDOCS%%%%DOCSDIR%%/UPGRADE +%%PORTDOCS%%%%DOCSDIR%%/USAGE +%%PORTDOCS%%%%DOCSDIR%%/sguildb.dia +%%PORTDOCS%%%%DOCSDIR%%/README.daemonlogger %%USEPADS%%bin/%%SGUILDIR%%/pads_agent.tcl %%USEPADS%%etc/%%SGUILDIR%%/pads_agent.conf-sample -%%USESANCP%%etc/sancp.conf-sample +%%USESANCP%%bin/%%SGUILDIR%%/log_packets-sancp.sh +%%USESANCP%%bin/%%SGUILDIR%%/pcap_agent-sancp.tcl %%USESANCP%%bin/%%SGUILDIR%%/sancp_agent.tcl %%USESANCP%%etc/%%SGUILDIR%%/sancp_agent.conf-sample -@dirrm bin/%%SGUILDIR%% +%%USESANCP%%etc/%%SGUILDIR%%/sancp-indexed.conf-sample +%%USESANCP%%etc/%%SGUILDIR%%/pcap_agent-sancp.conf-sample +%%USESANCP%%etc/%%SGUILDIR%%/sancp.conf-sample +%%USESANCP%%%%DOCSDIR%%/README.sancp_indexed_pcap +@dirrm share/%%SGUILDIR%%/init +@dirrm share/%%SGUILDIR%%/contrib/portscan_loader +@dirrm share/%%SGUILDIR%%/contrib/ossec_agent +@dirrm share/%%SGUILDIR%%/contrib +@dirrm share/%%SGUILDIR%% @dirrmtry etc/%%SGUILDIR%% +@dirrm bin/%%SGUILDIR%% +%%PORTDOCS%%@dirrm %%DOCSDIR%% |