authorniels <niels@FreeBSD.org>2005-06-08 04:56:27 +0800
committerniels <niels@FreeBSD.org>2005-06-08 04:56:27 +0800
commitc32321a057d688a2aa655235fbe1d114b707f8b0 (patch)
tree8f999a6db14c34347ce98d244943e33813a73c72 /security/sancp
parent706287a67096a3b371155765edf0eaf7e8d32841 (diff)
New port based on submission by Paul Schmehl
Sancp is a network security tool designed to collect statistical information regarding network traffic, as well as to collect the traffic itself in pcap format, for the purpose of auditing, historical analysis, and network activity discovery. PR: ports/77426 Submitted by: Paul Schmehl Approved by: nectar (mentor)
Diffstat (limited to 'security/sancp')
-rw-r--r--security/sancp/Makefile45
-rw-r--r--security/sancp/distinfo2
-rw-r--r--security/sancp/files/sancp.sh36
-rw-r--r--security/sancp/pkg-deinstall28
-rw-r--r--security/sancp/pkg-descr12
-rw-r--r--security/sancp/pkg-install42
-rw-r--r--security/sancp/pkg-message39
-rw-r--r--security/sancp/pkg-plist7
8 files changed, 211 insertions, 0 deletions
diff --git a/security/sancp/Makefile b/security/sancp/Makefile
new file mode 100644
index 00000000000..65ce225d724
--- /dev/null
+++ b/security/sancp/Makefile
@@ -0,0 +1,45 @@
+# New ports collection makefile for: sancp
+# Date created: 10 Feb 2005
+# Whom: Paul Schmehl <pauls@utdallas.edu>
+#
+# $FreeBSD$
+#
+
+PORTNAME= sancp
+PORTVERSION= 1.6.1
+CATEGORIES= security
+MASTER_SITES= http://www.metre.net/files/
+
+MAINTAINER= pauls@utdallas.edu
+COMMENT= A network connection profiler
+
+ALL_TARGET= final
+USE_REINPLACE= yes
+USE_RC_SUBR= yes
+RC_SCRIPTS_SUB= PREFIX=${PREFIX} RC_SUBR=${RC_SUBR}
+
+PORTDOCS= CHANGES INSTALL ISSUES README SETUP fields.LIST
+
+.include <bsd.port.pre.mk>
+
+post-patch:
+ @${SED} ${RC_SCRIPTS_SUB:S/$/!g/:S/^/ -e s!%%/:S/=/%%!/} \
+ ${FILESDIR}/sancp.sh > ${WRKDIR}/sancp.sh
+
+post-install:
+ ${SH} ${PKGINSTALL}
+ ${INSTALL_PROGRAM} ${WRKSRC}/sancp ${PREFIX}/bin
+ ${INSTALL_SCRIPT} -m 755 ${WRKDIR}/sancp.sh ${PREFIX}/etc/rc.d/sancp.sh
+.for f in sancp.conf
+ ${INSTALL_DATA} ${WRKSRC}/etc/sancp/${f} ${PREFIX}/etc/${f}-sample
+ [ -f ${PREFIX}/etc/${f} ] || \
+ ${INSTALL_DATA} ${WRKSRC}/etc/sancp/${f} ${PREFIX}/etc/${f}
+.endfor
+.if !defined(NOPORTDOCS)
+ @${MKDIR} ${DOCSDIR}
+ cd ${WRKSRC} && ${INSTALL_DATA} LICENSE ${DOCSDIR}
+ cd ${WRKSRC}/docs/ && ${INSTALL_DATA} ${PORTDOCS} ${DOCSDIR}
+.endif
+ @${SED} 's|%%PREFIX%%|${PREFIX}|' ${PKGMESSAGE}
+
+.include <bsd.port.post.mk>
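Review bot: The post-install target runs `${SH} ${PKGINSTALL}` with no arguments, whereas the ports convention is `@${SH} ${PKGINSTALL} ${PKGNAME} POST-INSTALL`; the pkg-install script in this commit ignores its arguments today, but passing the phase is what allows it to be guarded later and makes the `make install` path behave like `pkg_add`. The next line installs the rc script as the live `${PREFIX}/etc/rc.d/sancp.sh` (and pkg-plist records `etc/rc.d/sancp.sh`), while pkg-message tells the administrator a `sancp.sh-sample` was installed and must be copied into place; the pkg-message paragraph should be corrected to match what the Makefile actually does. Note also that `MASTER_SITES= http://www.metre.net/files/` is plain http, so the distfile's integrity rests entirely on the digest recorded in distinfo.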
diff --git a/security/sancp/distinfo b/security/sancp/distinfo
new file mode 100644
index 00000000000..76947b4d419
--- /dev/null
+++ b/security/sancp/distinfo
@@ -0,0 +1,2 @@
+MD5 (sancp-1.6.1.tar.gz) = b83e2f4abb2bf7b10fd874aa58f6324c
+SIZE (sancp-1.6.1.tar.gz) = 69986
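Review bot: The only integrity check on the distfile is the single `MD5 (sancp-1.6.1.tar.gz) = …` line, for a tarball fetched over plain http, and practical MD5 collision attacks were already public when this was committed. If the ports framework in use accepts a second digest line, add a `SHA256 (sancp-1.6.1.tar.gz) = …` entry computed from a copy whose checksum was confirmed against the upstream announcement rather than derived from the same download; otherwise the commit message should at least say where the MD5 was cross-checked.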
diff --git a/security/sancp/files/sancp.sh b/security/sancp/files/sancp.sh
new file mode 100644
index 00000000000..f8be90c0e11
--- /dev/null
+++ b/security/sancp/files/sancp.sh
@@ -0,0 +1,36 @@
+#!/bin/sh
+#
+
+# PROVIDE: sancp
+# REQUIRE: DAEMON
+# BEFORE: LOGIN
+# KEYWORD: FreeBSD shutdown
+
+# Add the following lines to /etc/rc.conf to enable sancp:
+# sancp_enable (bool): Set to YES to enable sancp
+# Default: NO
+# sancp_flags (str): Extra flags passed to sancp
+# Default: -D
+# sancp_interface (str): Network interface to sniff
+# Default: ""
+# sancp_conf (str): Sancp configuration file
+# Default: %%PREFIX%%/etc/sancp.conf
+#
+
+. %%RC_SUBR%%
+
+name="sancp"
+rcvar=`set_rcvar`
+
+command="%%PREFIX%%/bin/sancp"
+
+load_rc_config $name
+
+[ -z "$sancp_enable" ] && sancp_enable="NO"
+[ -z "$sancp_conf" ] && sancp_conf="%%PREFIX%%/etc/sancp.conf"
+[ -z "$sancp_flags" ] && sancp_flags="-D"
+
+[ -n "$sancp_interface" ] && sancp_flags="$sancp_flags -i $sancp_interface"
+[ -n "$sancp_conf" ] && sancp_flags="$sancp_flags -c $sancp_conf"
+
+run_rc_command "$1"
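Review bot: With the default at `[ -z "$sancp_flags" ] && sancp_flags="-D"` the sniffer runs as root for its whole lifetime, even though pkg-install in this commit creates a dedicated `sancp` user and a mode-750 `/var/log/sancp` owned by it, and pkg-message documents `-u <uid>`, `-g <gid>` and `-d <directory>`. Default the flags to drop into that account: `[ -z "$sancp_flags" ] && sancp_flags="-D -u sancp -g sancp -d /var/log/sancp"`, and update the rc.conf commentary to `# Default: -D -u sancp -g sancp -d /var/log/sancp`. An administrator who needs root can still override sancp_flags in rc.conf. Whether sancp opens the capture device before it drops privileges is not visible here and should be confirmed against the upstream source before relying on this.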
diff --git a/security/sancp/pkg-deinstall b/security/sancp/pkg-deinstall
new file mode 100644
index 00000000000..143ec1bc244
--- /dev/null
+++ b/security/sancp/pkg-deinstall
@@ -0,0 +1,28 @@
+#!/bin/sh
+
+PATH=/bin:/usr/sbin
+USER=sancp
+GROUP=${USER}
+LOG_DIR=/var/log/sancp
+
+# Remove the log directory
+if [ -d ${LOG_DIR} ];
+then
+ rmdir ${LOG_DIR} >/dev/null 2>&1;
+fi
+
+if pw user show "${USER}" >/dev/null 2>&1; then
+ if ! pw userdel ${USER} ;
+ then
+ echo "Unable to remove user: ${USER}, remove it manually"
+ fi
+fi
+
+
+if pw group show "${GROUP}" >/dev/null 2>&1; then
+ if ! pw groupdel ${GROUP} ;
+ then
+ echo "Unable to remove group: ${GROUP}, remove it manually"
+ fi
+fi
+
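Review bot: The `rmdir ${LOG_DIR} >/dev/null 2>&1` at the top fails silently when `/var/log/sancp` still holds captures, yet the script goes on to `pw userdel ${USER}` and `pw groupdel ${GROUP}`, leaving those pcap and stats files owned by a numeric uid/gid that the next `pw useradd` on the system may be handed, so an unrelated later daemon would inherit read access to recorded traffic. Guard the account removal on the directory actually being gone, e.g. right after the rmdir: `[ -d "${LOG_DIR}" ] && { echo "${LOG_DIR} not empty; leaving user/group ${USER} in place"; exit 0; }`. The pkg-plist @unexec in this commit already warns about the non-empty directory, so the two messages should use the same wording.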
diff --git a/security/sancp/pkg-descr b/security/sancp/pkg-descr
new file mode 100644
index 00000000000..659dd3137fd
--- /dev/null
+++ b/security/sancp/pkg-descr
@@ -0,0 +1,12 @@
+Sancp is a network security tool designed to collect
+statistical information regarding network traffic, as
+well as, collect the traffic itself in pcap format, all
+for the purpose of: auditing, historical analysis, and
+network activity discovery. Rules can be used to distinguish
+normal from abnormal traffic and support tagging connections
+with: rule id, node id, and status id. From an intrusion
+detection standpoint, every connection is an event that must
+be validated through some means. Sancp uses rules to identify,
+record, and tag traffic of interest. 'Tagging' a connection
+is a new feature since v1.4.0 Connections ('stats') can be
+loaded into a database for further analysis.
diff --git a/security/sancp/pkg-install b/security/sancp/pkg-install
new file mode 100644
index 00000000000..5a20c14d416
--- /dev/null
+++ b/security/sancp/pkg-install
@@ -0,0 +1,42 @@
+#!/bin/sh
+
+PATH=/bin:/usr/sbin
+USER=sancp
+GROUP=${USER}
+LOG_DIR=/var/log/sancp
+
+if [ ! -d ${LOG_DIR} ]; then mkdir ${LOG_DIR}; fi
+
+if pw group show "${GROUP}" 2>/dev/null; then
+ echo "You already have a group \"${GROUP}\", so I will use it."
+else
+ if pw groupadd ${GROUP}; then
+ echo "Added group \"${GROUP}\"."
+ else
+ echo "Adding group \"${GROUP}\" failed..."
+ exit 1
+ fi
+fi
+
+if pw user show "${USER}" 2>/dev/null; then
+ echo "You already have a user \"${USER}\", so I will use it."
+ if pw usermod ${USER} -d ${LOG_DIR}
+ then
+ echo "Changed home directory of \"${USER}\" to \"${LOG_DIR}\""
+ else
+ echo "Changing home directory of \"${USER}\" to \"${LOG_DIR}\" failed..."
+ exit 1
+ fi
+else
+ if pw useradd ${USER} -g ${GROUP} -h - \
+ -d ${LOG_DIR} -s /sbin/nologin -c "SANCP Daemon"
+ then
+ echo "Added user \"${USER}\"."
+ else
+ echo "Adding user \"${USER}\" failed..."
+ exit 1
+ fi
+fi
+
+chown -R ${USER}:${GROUP} ${LOG_DIR}
+chmod 750 ${LOG_DIR}
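Review bot: `pw group show "${GROUP}" 2>/dev/null` and `pw user show "${USER}" 2>/dev/null` silence only stderr, so when the account already exists its master.passwd entry is echoed into the install output (run as root, pw usershow includes the encrypted password field); pkg-deinstall in the same commit uses `>/dev/null 2>&1` and these two tests should too. Separately, `chown -R ${USER}:${GROUP} ${LOG_DIR}` re-owns whatever already sits under a pre-existing `/var/log/sancp`; the directory is either freshly created by the `mkdir` above or pre-existing with unknown contents, so a non-recursive `chown ${USER}:${GROUP} ${LOG_DIR}` is sufficient and safer. The `pw usermod ${USER} -d ${LOG_DIR}` branch also rewrites the home directory of a pre-existing `sancp` user immediately after printing that the existing account will be used; either leave it untouched or make the message say what is changed.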
diff --git a/security/sancp/pkg-message b/security/sancp/pkg-message
new file mode 100644
index 00000000000..fa346b069aa
--- /dev/null
+++ b/security/sancp/pkg-message
@@ -0,0 +1,39 @@
+ ***********************************
+ * !!!!!!!!!!! WARNING !!!!!!!!!!! *
+ ***********************************
+
+A startup script, named sancp.sh-sample was installed in
+%%PREFIX%%/etc/rc.d/. Create a copy named sancp.sh in the
+same directory and enable the script in /etc/rc.conf using
+the usual rc.subr syntax. See rc.conf(5) or go to
+http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/configtuning-rcng.html
+
+Configuration files named sancp.conf-sample and sancp.conf
+were installed in %%PREFIX%%/etc. See the INSTALL doc, located in
+%%PREFIX%%/share/doc/sancp/ for details on configuration
+options or type "sancp -h" on the commandline.
+
+Note that if you are installing sancp for use with sguil, the
+sancp.conf file will not be altered unless it is identical to
+the sancp.conf-sample file. In that case, during the
+sguil-sensor install, the sancp.conf file will be overwritten with
+the one that comes with squil. That file needs no editing. If the
+sancp.conf has been altered (you used sancp for something else) a
+new conf file, named sguil-sancp.conf-sample will be installed in the
+%%PREFIX%%/etc/rc.d/directory. You should use that one for sguil.
+
+Some of the configuration options for sancp are:
+
+-? or -h this help screen
+-c <filename> specify the configuration/rules filename
+-d <directory> specify the directory for output files
+-i <device> set the network device to listen on (default: 'any')
+-g <gid> set a group identity
+-u <uid> set a user identity
+-D (daemon) forks, prints msgs to syslog only and overrides -C option
+-F <bpf filename> file containing a bpf filter expression, overrides (alternative to -B)
+-V display version
+
+If you're running sguil, you probably want to use the following flags:
+sancp_flags="-D -P -R -u sancp -g sancp -d /var/log/sancp"
+(don't forget to specify the conf file and interface as well)
diff --git a/security/sancp/pkg-plist b/security/sancp/pkg-plist
new file mode 100644
index 00000000000..71bb3ff88a5
--- /dev/null
+++ b/security/sancp/pkg-plist
@@ -0,0 +1,7 @@
+bin/sancp
+etc/sancp.conf-sample
+etc/rc.d/sancp.sh
+%%DOCSDIR%%/LICENSE
+@unexec if [ -f %D/etc/sancp.conf ] && ! cmp -s %D/etc/sancp.conf %D/etc/sancp.conf-sample; then rm -f %D/etc/sancp.conf; fi
+@unexec if [ -d /var/log/sancp/ ] && ! rmdir /var/log/sancp/ >/dev/null 2>&1; then echo "WARNING: Unable to remove log dir '/var/log/sancp/', its probably not empty" ; fi
+@unexec if [ -f %D/etc/sancp.conf ]; then echo "WARNING: The %D/etc/sancp.conf file was not removed!"; fi
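Review bot: The `@unexec` for sancp.conf has its condition inverted: `! cmp -s` removes `etc/sancp.conf` precisely when the administrator has modified it and keeps it when it is still identical to the sample, the opposite of the usual idiom, so `pkg_delete` destroys the site's capture rules. Drop the negation: `@unexec if [ -f %D/etc/sancp.conf ] && cmp -s %D/etc/sancp.conf %D/etc/sancp.conf-sample; then rm -f %D/etc/sancp.conf; fi`. The final warning line then fires only for a locally modified file, as intended. While there, `its probably not empty` should read `it's`.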