After seeing Carlos' mail on misc@ about Suricata I thought I'd try running it but ran into some problems; I've included a diff below for some of them:

- the default config file doesn't work due to a typo
- suricata-update and the default config don't use the directories set up in PLIST
- some of the configs don't have @sample entries, some of these result in warnings at startup, plus there are unnecessary extra copies of the basic default rules that aren't needed
- the patches that add support for running as non-root were lost in the update to 5.0.0

(some small other tweaks; adjust pkg-readme wording a bit, move the sphinx-build patch to a symlink which is easier to remove later when we want to, build with libmaxminddb support, drop old Makefile fragment for rust-libc that isn't needed any more, add debug packages).

There's still a problem though (the existing package is also affected, it's not introduced by my changes) - after running for a minute or two I hit a SIGABRT due to trying to unlock an already-unlocked mutex. Since I was only going to give this software a quick spin about 6 hours ago and not really serious about running it I'm not going to spend any more time tracking it down ;) so I'll just leave this here for now.

Anyway I think at least some of my diff should go in; pledge "stdio rpath wpath cpath fattr unix dns bpf" does not in any way make up for loss of running as root. (diff below, after the backtraces).

# suricata -vvvvvv -i em0
Warning: Invalid/No global_log_level assigned by user. Falling back on the default_log_level "Info"
29/1/2021 -- 22:54:00 - <Notice> - This is Suricata version 6.0.1 RELEASE running in SYSTEM mode
29/1/2021 -- 22:54:00 - <Info> - CPUs/cores online: 4
29/1/2021 -- 22:54:00 - <Info> - Found an MTU of 1500 for 'em0'
29/1/2021 -- 22:54:00 - <Info> - Found an MTU of 1500 for 'em0'
29/1/2021 -- 22:54:01 - <Info> - fast output device (regular) initialized: fast.log
29/1/2021 -- 22:54:01 - <Info> - stats output device (regular) initialized: stats.log
29/1/2021 -- 22:54:01 - <Info> - Running in live mode, activating unix socket
29/1/2021 -- 22:54:01 - <Info> - 12 rule files processed. 291 rules successfully loaded, 0 rules failed
29/1/2021 -- 22:54:01 - <Info> - Threshold config parsed: 0 rule(s) found
29/1/2021 -- 22:54:01 - <Info> - 291 signatures processed. 0 are IP-only rules, 0 are inspecting packet payload, 119 inspect application layer, 104 are decoder event only
29/1/2021 -- 22:54:01 - <Info> - Using 1 live device(s).
29/1/2021 -- 22:54:01 - <Info> - using interface em0
29/1/2021 -- 22:54:01 - <Info> - running in 'auto' checksum mode. Detection of interface state will require 1000ULL packets
29/1/2021 -- 22:54:01 - <Info> - Found an MTU of 1500 for 'em0'
29/1/2021 -- 22:54:01 - <Info> - Set snaplen to 1524 for 'em0'
29/1/2021 -- 22:54:01 - <Info> - RunModeIdsPcapAutoFp initialised
29/1/2021 -- 22:54:01 - <Info> - Running in live mode, activating unix socket
29/1/2021 -- 22:54:01 - <Info> - Using unix socket file '/var/run/suricata/suricata-command.socket'
29/1/2021 -- 22:54:01 - <Notice> - all 5 packet processing threads, 4 management threads initialized, engine started.
29/1/2021 -- 22:54:01 - <Info> - No packets with invalid checksum, assuming checksum offloading is NOT used
[just over 1 minute delay]
Abort trap (core dumped)

The last entry in fast.log was >30 seconds before the SIGABRT so doesn't seem directly related.
# egdb suricata suricata.core
GNU gdb (GDB) 7.12.1
Copyright (C) 2017 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-unknown-openbsd6.8".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
<http://www.gnu.org/software/gdb/documentation/>.
For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from suricata...Reading symbols from /usr/local/bin/.debug/suricata.dbg...done.
done.
[New process 354168]
[New process 126037]
[New process 362781]
[New process 272260]
[New process 438475]
[New process 244823]
[New process 442167]
[New process 228043]
[New process 397721]
[New process 209514]
[New process 100143]
Core was generated by `suricata'.
Program terminated with signal SIGABRT, Aborted.
#0  thrkill () at /tmp/-:3
3       /tmp/-: No such file or directory.
[Current thread is 1 (process 354168)]
(gdb) bt
#0  thrkill () at /tmp/-:3
#1  0x000006a9c68844ee in _libc_abort () at /usr/src/lib/libc/stdlib/abort.c:51
#2  0x000006a9c68b7a6c in _libc_pthread_mutex_unlock (mutexp=<optimized out>) at /usr/src/lib/libc/thread/rthread_mutex.c:265
#3  0x000006a6f7ebd530 in CheckWorkQueue (tv=<optimized out>, fw=0x6a959eca800, detect_thread=0x6a941bb4c00, counters=0x6a9d0e9b7c8, fq=0x6a9d0e9b7e0) at flow-worker.c:202
#4  0x000006a6f7ebd032 in FlowWorkerProcessInjectedFlows (tv=0x6a9f217c900, fw=0x6a959eca800, p=<optimized out>, detect_thread=0x6a941bb4c00) at flow-worker.c:447
#5  FlowWorker (tv=0x6a9f217c900, p=0x6a9d926a660, data=0x6a959eca800) at flow-worker.c:570
#6  0x000006a6f7f07b90 in TmThreadsSlotVarRun (tv=0x6a9f217c900, p=0x6a9d926a660, slot=<optimized out>) at tm-threads.c:117
#7  0x000006a6f7f0abf2 in TmThreadsSlotVar (td=0x6a9f217c900) at tm-threads.c:452
#8  0x000006a9594b7b91 in _rthread_start (v=<optimized out>) at /usr/src/lib/librthread/rthread.c:96
#9  0x000006a9c687f95a in __tfork_thread () at /usr/src/lib/libc/arch/amd64/sys/tfork_thread.S:84
(gdb) thread apply all bt

Thread 11 (process 100143):
#0  _thread_sys_select () at /tmp/-:3
#1  0x000006a9c691539e in _libc_select_cancel (nfds=7, readfds=0x6a96e13aca0, writefds=0x0, exceptfds=0x6a9c690414a <_thread_sys_select+10>, timeout=0x6a96e13ad20) at /usr/src/lib/libc/sys/w_select.c:28
#2  0x000006a6f7f0cb68 in UnixMain (this=<optimized out>) at unix-manager.c:650
#3  UnixManager (th_v=0x6a9f217cc00, thread_data=<optimized out>) at unix-manager.c:1125
#4  0x000006a6f7f0b2e6 in TmThreadsManagement (td=0x6a9f217cc00) at tm-threads.c:541
#5  0x000006a9594b7b91 in _rthread_start (v=<optimized out>) at /usr/src/lib/librthread/rthread.c:96
#6  0x000006a9c687f95a in __tfork_thread () at /usr/src/lib/libc/arch/amd64/sys/tfork_thread.S:84

Thread 10 (process 209514):
#0  futex () at /tmp/-:3
#1  0x000006a9c68d3d65 in _twait (p=0x6a9720ec240, val=0, clockid=0, abs=0x6a9ad7ec8f0) at /usr/src/lib/libc/thread/synch.h:34
#2  _rthread_cond_timedwait (cond=0x6a9720ec240, mutexp=0x6a9dfd1b150, abs=0x6a9ad7ec8f0) at /usr/src/lib/libc/thread/rthread_cond.c:106
#3  0x000006a6f7e39536 in StatsMgmtThread (arg=0x6a9f217ca00) at counters.c:415
#4  0x000006a9594b7b91 in _rthread_start (v=<optimized out>) at /usr/src/lib/librthread/rthread.c:96
#5  0x000006a9c687f95a in __tfork_thread () at /usr/src/lib/libc/arch/amd64/sys/tfork_thread.S:84

Thread 9 (process 397721):
#0  futex () at /tmp/-:3
#1  0x000006a9c68d3d65 in _twait (p=0x6a9dfd1b5a0, val=0, clockid=0, abs=0x6a903ddf430) at /usr/src/lib/libc/thread/synch.h:34
#2  _rthread_cond_timedwait (cond=0x6a9dfd1b5a0, mutexp=0x6a938964000, abs=0x6a903ddf430) at /usr/src/lib/libc/thread/rthread_cond.c:106
#3  0x000006a6f7e392f5 in StatsWakeupThread (arg=0x6a9f217c100) at counters.c:487
#4  0x000006a9594b7b91 in _rthread_start (v=<optimized out>) at /usr/src/lib/librthread/rthread.c:96
#5  0x000006a9c687f95a in __tfork_thread () at /usr/src/lib/libc/arch/amd64/sys/tfork_thread.S:84

Thread 8 (process 228043):
#0  _thread_sys_nanosleep () at /tmp/-:3
#1  0x000006a9c68dba2e in _libc_nanosleep_cancel (timeout=0x6a9c5c73f78, remainder=0x0) at /usr/src/lib/libc/sys/w_nanosleep.c:27
#2  0x000006a9c68fd357 in usleep (useconds=<optimized out>) at /usr/src/lib/libc/gen/usleep.c:46
#3  0x000006a6f7eba23b in FlowRecycler (th_v=<optimized out>, thread_data=0x6a91aa05370) at flow-manager.c:1210
#4  0x000006a6f7f0b2e6 in TmThreadsManagement (td=0x6a9e586f600) at tm-threads.c:541
#5  0x000006a9594b7b91 in _rthread_start (v=<optimized out>) at /usr/src/lib/librthread/rthread.c:96
#6  0x000006a9c687f95a in __tfork_thread () at /usr/src/lib/libc/arch/amd64/sys/tfork_thread.S:84
---Type <return> to continue, or q <return> to quit---

Thread 7 (process 442167):
#0  _thread_sys_nanosleep () at /tmp/-:3
#1  0x000006a9c68dba2e in _libc_nanosleep_cancel (timeout=0x6a9382562f8, remainder=0x0) at /usr/src/lib/libc/sys/w_nanosleep.c:27
#2  0x000006a9c68fd357 in usleep (useconds=<optimized out>) at /usr/src/lib/libc/gen/usleep.c:46
#3  0x000006a6f7eb9eac in FlowManager (th_v=0x6a9596d0d00, thread_data=0x6a9bab51480) at flow-manager.c:1014
#4  0x000006a6f7f0b2e6 in TmThreadsManagement (td=0x6a9596d0d00) at tm-threads.c:541
#5  0x000006a9594b7b91 in _rthread_start (v=<optimized out>) at /usr/src/lib/librthread/rthread.c:96
#6  0x000006a9c687f95a in __tfork_thread () at /usr/src/lib/libc/arch/amd64/sys/tfork_thread.S:84

Thread 6 (process 244823):
#0  0x000006a6f7e5ee57 in DetectEngineInspectRulePacketMatches (det_ctx=0x6a9892e1800, engine=0x6a9df536ec0, s=0x6a922820e00, p=0x6a9c3d3a660, _alert_flags=0x6a96b8bef10 "") at detect-engine.c:1385
#1  0x000006a6f7e5ec28 in DetectEnginePktInspectionRun (tv=<optimized out>, det_ctx=0x6a9892e1800, s=0x6a922820e00, f=<optimized out>, p=0x6a9c3d3a660, alert_flags=0x6a96b8bef10 "") at detect-engine.c:1465
#2  0x000006a6f7e4f2b3 in DetectRulePacketRules (tv=0x6a9e586f500, de_ctx=<optimized out>, det_ctx=0x6a9892e1800, p=0x6a9c3d3a660, pflow=0x6a93549a600, scratch=<optimized out>) at detect.c:797
#3  DetectRun (th_v=0x6a9e586f500, de_ctx=<optimized out>, det_ctx=<optimized out>, p=<optimized out>) at detect.c:130
#4  0x000006a6f7e4e7bf in DetectFlow (tv=0x6a9e586f500, de_ctx=0x6a9df536ec0, det_ctx=0x6a9892e1800, p=0x6a9c3d3a660) at detect.c:1599
#5  Detect (tv=0x6a9e586f500, p=0x6a9c3d3a660, data=<optimized out>) at detect.c:1673
#6  0x000006a6f7ebcf29 in FlowWorker (tv=0x6a9e586f500, p=0x6a9c3d3a660, data=0x6a981b8f000) at flow-worker.c:540
#7  0x000006a6f7f07b90 in TmThreadsSlotVarRun (tv=0x6a9e586f500, p=0x6a9c3d3a660, slot=<optimized out>) at tm-threads.c:117
#8  0x000006a6f7f0abf2 in TmThreadsSlotVar (td=0x6a9e586f500) at tm-threads.c:452
#9  0x000006a9594b7b91 in _rthread_start (v=<optimized out>) at /usr/src/lib/librthread/rthread.c:96
#10 0x000006a9c687f95a in __tfork_thread () at /usr/src/lib/libc/arch/amd64/sys/tfork_thread.S:84

Thread 5 (process 438475):
#0  futex () at /tmp/-:3
#1  0x000006a9c68d3d65 in _twait (p=0x6a913487d40, val=4078, clockid=0, abs=0x0) at /usr/src/lib/libc/thread/synch.h:34
#2  _rthread_cond_timedwait (cond=0x6a913487d40, mutexp=0x6a9d19143d8, abs=0x0) at /usr/src/lib/libc/thread/rthread_cond.c:106
#3  0x000006a6f7f06029 in TmqhInputFlow (tv=<optimized out>) at tmqh-flow.c:104
#4  0x000006a6f7f0abdc in TmThreadsSlotVar (td=0x6a9596d0100) at tm-threads.c:448
#5  0x000006a9594b7b91 in _rthread_start (v=<optimized out>) at /usr/src/lib/librthread/rthread.c:96
#6  0x000006a9c687f95a in __tfork_thread () at /usr/src/lib/libc/arch/amd64/sys/tfork_thread.S:84

Thread 4 (process 272260):
#0  futex () at /tmp/-:3
#1  0x000006a9c68d3d65 in _twait (p=0x6a913487e20, val=4608, clockid=0, abs=0x0) at /usr/src/lib/libc/thread/synch.h:34
---Type <return> to continue, or q <return> to quit---
#2  _rthread_cond_timedwait (cond=0x6a913487e20, mutexp=0x6a9d1914fd8, abs=0x0) at /usr/src/lib/libc/thread/rthread_cond.c:106
#3  0x000006a6f7f06029 in TmqhInputFlow (tv=<optimized out>) at tmqh-flow.c:104
#4  0x000006a6f7f0abdc in TmThreadsSlotVar (td=0x6a9596d0500) at tm-threads.c:448
#5  0x000006a9594b7b91 in _rthread_start (v=<optimized out>) at /usr/src/lib/librthread/rthread.c:96
#6  0x000006a9c687f95a in __tfork_thread () at /usr/src/lib/libc/arch/amd64/sys/tfork_thread.S:84

Thread 3 (process 362781):
#0  _thread_sys_read () at /tmp/-:3
#1  0x000006a9c687d92e in _libc_read_cancel (fd=5, buf=0x6a942002000, nbytes=32768) at /usr/src/lib/libc/sys/w_read.c:27
#2  0x000006a9e8b1adbc in pcap_read (p=0x6a9a7299600, cnt=64, callback=0x6a6f7ef0070 <PcapCallbackLoop>, user=0x6a95376e300 "") at /usr/src/lib/libpcap/pcap-bpf.c:92
#3  0x000006a6f7eef61f in ReceivePcapLoop (tv=0x6a9e04fe900, data=0x6a95376e300, slot=<optimized out>) at source-pcap.c:322
#4  0x000006a6f7f0af12 in TmThreadsSlotPktAcqLoop (td=0x6a9e04fe900) at tm-threads.c:312
#5  0x000006a9594b7b91 in _rthread_start (v=<optimized out>) at /usr/src/lib/librthread/rthread.c:96
#6  0x000006a9c687f95a in __tfork_thread () at /usr/src/lib/libc/arch/amd64/sys/tfork_thread.S:84

Thread 2 (process 126037):
#0  _thread_sys_nanosleep () at /tmp/-:3
#1  0x000006a9c68dba2e in _libc_nanosleep_cancel (timeout=0x7f7ffffc31b8, remainder=0x0) at /usr/src/lib/libc/sys/w_nanosleep.c:27
#2  0x000006a9c68fd357 in usleep (useconds=<optimized out>) at /usr/src/lib/libc/gen/usleep.c:46
#3  0x000006a6f7f050bf in SuricataMainLoop (suri=<optimized out>) at suricata.c:2661
#4  SuricataMain (argc=<optimized out>, argv=<optimized out>) at suricata.c:2823
#5  0x000006a6f7e00a21 in ___start ()
#6  0x0000000000000000 in ?? ()

Thread 1 (process 354168):
#0  thrkill () at /tmp/-:3
#1  0x000006a9c68844ee in _libc_abort () at /usr/src/lib/libc/stdlib/abort.c:51
#2  0x000006a9c68b7a6c in _libc_pthread_mutex_unlock (mutexp=<optimized out>) at /usr/src/lib/libc/thread/rthread_mutex.c:265
#3  0x000006a6f7ebd530 in CheckWorkQueue (tv=<optimized out>, fw=0x6a959eca800, detect_thread=0x6a941bb4c00, counters=0x6a9d0e9b7c8, fq=0x6a9d0e9b7e0) at flow-worker.c:202
#4  0x000006a6f7ebd032 in FlowWorkerProcessInjectedFlows (tv=0x6a9f217c900, fw=0x6a959eca800, p=<optimized out>, detect_thread=0x6a941bb4c00) at flow-worker.c:447
#5  FlowWorker (tv=0x6a9f217c900, p=0x6a9d926a660, data=0x6a959eca800) at flow-worker.c:570
#6  0x000006a6f7f07b90 in TmThreadsSlotVarRun (tv=0x6a9f217c900, p=0x6a9d926a660, slot=<optimized out>) at tm-threads.c:117
#7  0x000006a6f7f0abf2 in TmThreadsSlotVar (td=0x6a9f217c900) at tm-threads.c:452
#8  0x000006a9594b7b91 in _rthread_start (v=<optimized out>) at /usr/src/lib/librthread/rthread.c:96
#9  0x000006a9c687f95a in __tfork_thread () at /usr/src/lib/libc/arch/amd64/sys/tfork_thread.S:84

Index: Makefile =================================================================== RCS file: /cvs/ports/security/suricata/Makefile,v retrieving revision 1.36 diff -u -p -r1.36 Makefile --- Makefile 27 Dec 2020 14:01:53 -0000 1.36 +++ Makefile 29 Jan 2021 22:42:15 -0000 
@@ -4,6 +4,7 @@ COMMENT = high performance network IDS, SURICATA_V = 6.0.1 SUPDATE_V = 1.2.0 +REVISION = 0 DISTNAME = suricata-${SURICATA_V} CATEGORIES = security @@ -21,8 +22,8 @@ MASTER_SITES = https://www.openinfosecfo # uses pledge() WANTLIB += ${COMPILER_LIBCXX} c iconv jansson lz4 lzma m magic -WANTLIB += net nspr4 nss3 nssutil3 pcap pcre plc4 plds4 smime3 -WANTLIB += ssl3 yaml-0 z +WANTLIB += maxminddb net nspr4 nss3 nssutil3 pcap pcre plc4 plds4 +WANTLIB += smime3 ssl3 yaml-0 z MODULES = lang/python MODPY_VERSION = ${MODPY_DEFAULT_VERSION_3} 
@@ -42,42 +43,44 @@ LIB_DEPENDS = archivers/lz4 \ devel/libmagic \ devel/pcre \ net/libnet/1.1 \ + net/libmaxminddb \ security/nss COMPILER = base-clang ports-gcc +DEBUG_PACKAGES = ${BUILD_PACKAGES} -CONFIGURE_STYLE = gnu +CONFIGURE_STYLE = autoconf +AUTOCONF_VERSION = 2.69 +AUTOMAKE_VERSION = 1.15 CONFIGURE_ENV = ac_cv_path_HAVE_PDFLATEX= \ ac_cv_path_HAVE_GIT_CMD= \ CARGO_HOME=${WRKBUILD}/cargo-home CONFIGURE_ARGS = --disable-gccmarch-native \ + --enable-geoip \ --enable-ipfw SUBST_VARS = VARBASE SURICATA_V SUPDATE_V -post-patch: - # permit patching libc-rs to support sparc64 - # (could be removed with libc>=0.2.63) - sed -i 's/"files":{[^}]*}/"files":{}/' \ - ${WRKSRC}/rust/vendor/libc/.cargo-checksum.json - pre-configure: ${SUBST_CMD} ${WRKSRC}/configure \ ${WRKSRC}/doc/userguide/Makefile.in \ - ${WRKSRC}/suricata-update/doc/Makefile + ${WRKSRC}/suricata-update/doc/Makefile \ + ${WRKSRC}/suricata-update/suricata/update/config.py \ + ${WRKSRC}/suricata-update/suricata/update/parsers.py + ln -fs ${PREFIX}/bin/sphinx-build${MODPY_BIN_SUFFIX} \ + ${WRKDIR}/bin/sphinx-build # Remove auto-generated file (present iff git was installed) pre-install: rm -f ${WRKSRC}/suricata-update/suricata/update/revision.py post-install: - ${INSTALL_DATA_DIR} ${PREFIX}/share/examples/suricata/rules + ${INSTALL_DATA_DIR} ${PREFIX}/share/examples/suricata ${INSTALL_DATA} ${WRKSRC}/*.config ${PREFIX}/share/examples/suricata ${INSTALL_DATA} ${WRKSRC}/suricata.yaml ${PREFIX}/share/examples/suricata - ${INSTALL_DATA} ${WRKSRC}/rules/*.rules ${PREFIX}/share/examples/suricata/rules - # nothing particularly useful in there as of 5.0.1 + # nothing particularly useful in there as of 6.0.1 rm -r ${PREFIX}/share/doc/suricata .include <bsd.port.mk> Index: patches/patch-configure =================================================================== RCS file: patches/patch-configure diff -N patches/patch-configure --- patches/patch-configure 27 Dec 2020 14:01:53 -0000 1.4 +++ /dev/null 1 Jan 1970 
00:00:00 -0000 @@ -1,16 +0,0 @@ -$OpenBSD: patch-configure,v 1.4 2020/12/27 14:01:53 gonzalo Exp $ - -Fix path to sphinx-build - -Index: configure ---- configure.orig -+++ configure -@@ -28600,7 +28600,7 @@ $as_echo "#define CLS 64" >>confdefs.h - - # sphinx for documentation - # Extract the first word of "sphinx-build", so it can be a program name with args. --set dummy sphinx-build; ac_word=$2 -+set dummy sphinx-build${MODPY_BIN_SUFFIX}; ac_word=$2 - { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 - $as_echo_n "checking for $ac_word... " >&6; } - if ${ac_cv_path_HAVE_SPHINXBUILD+:} false; then : Index: patches/patch-configure_ac =================================================================== RCS file: patches/patch-configure_ac diff -N patches/patch-configure_ac --- /dev/null 1 Jan 1970 00:00:00 -0000 +++ patches/patch-configure_ac 29 Jan 2021 22:42:15 -0000 @@ -0,0 +1,16 @@ +$OpenBSD$ + +To remove the pid file, its directory must be writable by suricata user. + +Index: configure.ac +--- configure.ac.orig ++++ configure.ac +@@ -2743,7 +2743,7 @@ if test "$WINDOWS_PATH" = "yes"; then + fi + else + EXPAND_VARIABLE(localstatedir, e_logdir, "/log/suricata/") +- EXPAND_VARIABLE(localstatedir, e_rundir, "/run/") ++ EXPAND_VARIABLE(localstatedir, e_rundir, "/run/suricata/") + EXPAND_VARIABLE(localstatedir, e_logfilesdir, "/log/suricata/files") + EXPAND_VARIABLE(localstatedir, e_logcertsdir, "/log/suricata/certs") + EXPAND_VARIABLE(sysconfdir, e_sysconfdir, "/suricata/") Index: patches/patch-doc_userguide_Makefile_in =================================================================== RCS file: patches/patch-doc_userguide_Makefile_in diff -N patches/patch-doc_userguide_Makefile_in --- patches/patch-doc_userguide_Makefile_in 27 Dec 2020 14:01:53 -0000 1.3 +++ /dev/null 1 Jan 1970 00:00:00 -0000 
@@ -1,16 +0,0 @@ -$OpenBSD: patch-doc_userguide_Makefile_in,v 1.3 2020/12/27 14:01:53 gonzalo Exp $ - -Fix path to sphinx-build - -Index: doc/userguide/Makefile.in ---- doc/userguide/Makefile.in.orig -+++ doc/userguide/Makefile.in -@@ -374,7 +374,7 @@ EXTRA_DIST = _static 3rd-party-integration acknowledge - what-is-suricata.rst $(am__append_1) - @HAVE_SPHINXBUILD_TRUE@dist_man1_MANS = suricata.1 - @HAVE_SURICATA_MAN_TRUE@dist_man1_MANS = suricata.1 --@HAVE_SPHINXBUILD_TRUE@SPHINX_BUILD = sphinx-build -q -+@HAVE_SPHINXBUILD_TRUE@SPHINX_BUILD = sphinx-build${MODPY_BIN_SUFFIX} -q - all: all-am - - .SUFFIXES: Index: patches/patch-src_suricata_c =================================================================== RCS file: patches/patch-src_suricata_c diff -N patches/patch-src_suricata_c --- /dev/null 1 Jan 1970 00:00:00 -0000 +++ patches/patch-src_suricata_c 29 Jan 2021 22:42:15 -0000 @@ -0,0 +1,16 @@ +$OpenBSD$ + +Use setresuid/gid() directly to change user and group. Otherwise +Suricata uses libcap-ng on Linux and runs as root elsewhere. + +Index: src/suricata.c +--- src/suricata.c.orig ++++ src/suricata.c +@@ -2818,6 +2818,7 @@ int SuricataMain(int argc, char **argv) + + PostRunStartedDetectSetup(&suricata); + ++ SCSetUserID(suricata.userid, suricata.groupid); + SCPledge(); + SuricataMainLoop(&suricata); + Index: patches/patch-src_util-privs_c =================================================================== RCS file: patches/patch-src_util-privs_c diff -N patches/patch-src_util-privs_c --- /dev/null 1 Jan 1970 00:00:00 -0000 +++ patches/patch-src_util-privs_c 29 Jan 2021 22:42:15 -0000 
@@ -0,0 +1,36 @@ +$OpenBSD$ + +Use setresuid/gid() directly to change user and group. Otherwise +Suricata uses libcap-ng on Linux and runs as root elsewhere. + +Index: src/util-privs.c +--- src/util-privs.c.orig ++++ src/util-privs.c +@@ -237,6 +237,27 @@ int SCGetGroupID(const char *group_name, uint32_t *gid + return 0; + } + ++int SCSetUserID(const uint32_t uid, const uint32_t gid) ++{ ++ int ret = setresgid(gid, gid, gid); ++ ++ if (ret != 0) { ++ SCLogError(SC_ERR_GID_FAILED, "unable to set the group ID," ++ " check permissions!! gid=%u ret=%i errno=%i", gid, ret, errno); ++ exit(EXIT_FAILURE); ++ } ++ ++ ret = setresuid(uid, uid, uid); ++ ++ if (ret != 0) { ++ SCLogError(SC_ERR_UID_FAILED, "unable to set the user ID," ++ " check permissions!! uid=%u ret=%i errno=%i", uid, ret, errno); ++ exit(EXIT_FAILURE); ++ } ++ ++ return 0; ++} ++ + #ifdef __OpenBSD__ + int SCPledge(void) + { Index: patches/patch-src_util-privs_h =================================================================== RCS file: patches/patch-src_util-privs_h diff -N patches/patch-src_util-privs_h --- /dev/null 1 Jan 1970 00:00:00 -0000 +++ patches/patch-src_util-privs_h 29 Jan 2021 22:42:15 -0000 
@@ -0,0 +1,16 @@ +$OpenBSD$ + +Use setresuid/gid() directly to change user and group. Otherwise +Suricata uses libcap-ng on Linux and runs as root elsewhere. + +Index: src/util-privs.h +--- src/util-privs.h.orig ++++ src/util-privs.h +@@ -93,6 +93,7 @@ void SCDropMainThreadCaps(uint32_t , uint32_t ); + + int SCGetUserID(const char *, const char *, uint32_t *, uint32_t *); + int SCGetGroupID(const char *, uint32_t *); ++int SCSetUserID(const uint32_t uid, const uint32_t gid); + + #ifdef __OpenBSD__ + int SCPledge(void); Index: patches/patch-suricata-update_doc_Makefile =================================================================== RCS file: patches/patch-suricata-update_doc_Makefile diff -N patches/patch-suricata-update_doc_Makefile --- patches/patch-suricata-update_doc_Makefile 26 Nov 2019 10:44:34 -0000 1.1 +++ /dev/null 1 Jan 1970 00:00:00 -0000 @@ -1,16 +0,0 @@ -$OpenBSD: patch-suricata-update_doc_Makefile,v 1.1 2019/11/26 10:44:34 jasper Exp $ - -Fix path to sphinx-build - -Index: suricata-update/doc/Makefile ---- suricata-update/doc/Makefile.orig -+++ suricata-update/doc/Makefile -@@ -3,7 +3,7 @@ - - # You can set these variables from the command line. - SPHINXOPTS = --SPHINXBUILD = sphinx-build -+SPHINXBUILD = sphinx-build${MODPY_BIN_SUFFIX} - SPHINXAPIDOC = sphinx-apidoc - PAPER = - BUILDDIR = _build Index: patches/patch-suricata-update_suricata_update_config_py =================================================================== RCS file: patches/patch-suricata-update_suricata_update_config_py diff -N patches/patch-suricata-update_suricata_update_config_py --- /dev/null 1 Jan 1970 00:00:00 -0000 +++ patches/patch-suricata-update_suricata_update_config_py 29 Jan 2021 22:42:15 -0000 
@@ -0,0 +1,14 @@ +$OpenBSD$ + +Index: suricata-update/suricata/update/config.py +--- suricata-update/suricata/update/config.py.orig ++++ suricata-update/suricata/update/config.py +@@ -31,7 +31,7 @@ except: + + logger = logging.getLogger() + +-DEFAULT_DATA_DIRECTORY = "/var/lib/suricata" ++DEFAULT_DATA_DIRECTORY = "${VARBASE}/suricata" + + # Cache directory - relative to the data directory. + CACHE_DIRECTORY = os.path.join("update", "cache") Index: patches/patch-suricata-update_suricata_update_parsers_py =================================================================== RCS file: patches/patch-suricata-update_suricata_update_parsers_py diff -N patches/patch-suricata-update_suricata_update_parsers_py --- /dev/null 1 Jan 1970 00:00:00 -0000 +++ patches/patch-suricata-update_suricata_update_parsers_py 29 Jan 2021 22:42:15 -0000 @@ -0,0 +1,14 @@ +$OpenBSD$ + +Index: suricata-update/suricata/update/parsers.py +--- suricata-update/suricata/update/parsers.py.orig ++++ suricata-update/suricata/update/parsers.py +@@ -41,7 +41,7 @@ global_arg = [ + 'help': "Be quiet, warning and error messages only"}), + (("-D", "--data-dir"), + {'metavar': '<directory>', 'dest': 'data_dir', +- 'help': "Data directory (default: /var/lib/suricata)"}), ++ 'help': "Data directory (default: ${VARBASE}/suricata)"}), + (("-c", "--config"), + {'metavar': '<filename>', + 'help': "configuration file (default: %s)" % (default_update_yaml)}), Index: patches/patch-suricata_yaml_in =================================================================== RCS file: /cvs/ports/security/suricata/patches/patch-suricata_yaml_in,v retrieving revision 1.9 diff -u -p -r1.9 patch-suricata_yaml_in --- patches/patch-suricata_yaml_in 27 Dec 2020 14:01:53 -0000 1.9 +++ patches/patch-suricata_yaml_in 29 Jan 2021 22:42:15 -0000 
@@ -1,9 +1,12 @@ $OpenBSD: patch-suricata_yaml_in,v 1.9 2020/12/27 14:01:53 gonzalo Exp $ -After reload allow to write log files or use syslog. -Switch user and group to avoid running as root. -To remove pid file its directory must be writable by suricata user. -Remove rules files not present by default. +- After reload allow to write log files or use syslog. +- Switch user and group to avoid running as root. +- To remove pid file its directory must be writable by suricata user. +- Comment-out suricata-update rules and add config for bundled rules +so the package can be used directly. See pkg-readme for information +about downloading rules. + Index: suricata.yaml.in --- suricata.yaml.in.orig @@ -80,7 +83,7 @@ Index: suricata.yaml.in # Lua Output Support - execute lua script to generate alert and event # output. -@@ -558,13 +567,13 @@ logging: +@@ -558,12 +567,12 @@ logging: enabled: yes # type: json - file: @@ -91,23 +94,24 @@ Index: suricata.yaml.in # type: json - syslog: - enabled: no -- facility: local5 + enabled: yes -+ facility:ulocal5 + facility: local5 format: "[%i] <%d> -- " # type: json +@@ -988,9 +997,9 @@ asn1-max-frames: 256 + ## -@@ -991,6 +1000,9 @@ asn1-max-frames: 256 - #run-as: - # user: suri - # group: suri + # Run Suricata with a specific user-id and group-id: +-#run-as: +-# user: suri +-# group: suri +run-as: + user: _suricata + group: _suricata # Some logging modules will use that name in event as identifier. The default # value is the hostname -@@ -999,7 +1011,7 @@ asn1-max-frames: 256 +@@ -999,7 +1008,7 @@ asn1-max-frames: 256 # Default location of the pid file. The pid file is only used in # daemon mode (start Suricata with -D). If not running in daemon mode # the --pidfile command line option must be used to create a pid file. 
@@ -116,21 +120,42 @@ Index: suricata.yaml.in # Daemon working directory # Suricata will change directory to this one if provided -@@ -1859,7 +1871,19 @@ napatech: - default-rule-path: @e_defaultruledir@ +@@ -1852,14 +1861,38 @@ napatech: + # + hashmode: hash5tuplesorted ++ ++## Enable one or other of the two sections: ++ ++ + ## + ## Configure Suricata to load Suricata-Update managed rules. + ## ++#default-rule-path: ${VARBASE}/suricata/rules ++#rule-files: ++# - suricata.rules + +-default-rule-path: @e_defaultruledir@ +- ++## ++## Configure Suricata to use basic bundled rules. ++## ++default-rule-path: @e_sysconfdir@rules rule-files: - - suricata.rules -+ + - app-layer-events.rules + - decoder-events.rules -+ #- dnp3-events.rules ++ - dhcp-events.rules ++ - dnp3-events.rules + - dns-events.rules + - files.rules + - http-events.rules -+ #- modbus-events.rules -+ #- nfs-events.rules -+ #- ntp-events.rules ++ - ipsec-events.rules ++ - kerberos-events.rules ++ - modbus-events.rules ++ - nfs-events.rules ++ - ntp-events.rules ++ - smb-events.rules + - smtp-events.rules + - stream-events.rules + - tls-events.rules Index: pkg/PLIST =================================================================== RCS file: /cvs/ports/security/suricata/pkg/PLIST,v retrieving revision 1.14 diff -u -p -r1.14 PLIST --- pkg/PLIST 23 Oct 2020 12:58:42 -0000 1.14 +++ pkg/PLIST 29 Jan 2021 22:42:15 -0000 
@@ -80,6 +80,7 @@ lib/python${MODPY_VERSION}/site-packages lib/python${MODPY_VERSION}/site-packages/suricata/update/${MODPY_PYCACHE}notes.${MODPY_PYC_MAGIC_TAG}pyc lib/python${MODPY_VERSION}/site-packages/suricata/update/${MODPY_PYCACHE}osinfo.${MODPY_PYC_MAGIC_TAG}pyc lib/python${MODPY_VERSION}/site-packages/suricata/update/${MODPY_PYCACHE}parsers.${MODPY_PYC_MAGIC_TAG}pyc +lib/python${MODPY_VERSION}/site-packages/suricata/update/${MODPY_PYCACHE}revision.${MODPY_PYC_MAGIC_TAG}pyc lib/python${MODPY_VERSION}/site-packages/suricata/update/${MODPY_PYCACHE}rule.${MODPY_PYC_MAGIC_TAG}pyc lib/python${MODPY_VERSION}/site-packages/suricata/update/${MODPY_PYCACHE}sources.${MODPY_PYC_MAGIC_TAG}pyc lib/python${MODPY_VERSION}/site-packages/suricata/update/${MODPY_PYCACHE}util.${MODPY_PYC_MAGIC_TAG}pyc @@ -144,6 +145,7 @@ lib/python${MODPY_VERSION}/site-packages lib/python${MODPY_VERSION}/site-packages/suricata/update/notes.py lib/python${MODPY_VERSION}/site-packages/suricata/update/osinfo.py lib/python${MODPY_VERSION}/site-packages/suricata/update/parsers.py +lib/python${MODPY_VERSION}/site-packages/suricata/update/revision.py lib/python${MODPY_VERSION}/site-packages/suricata/update/rule.py lib/python${MODPY_VERSION}/site-packages/suricata/update/sources.py lib/python${MODPY_VERSION}/site-packages/suricata/update/util.py 
@@ -155,67 +157,55 @@ ${MODPY_COMMENT}lib/python${MODPY_VERSIO lib/python${MODPY_VERSION}/site-packages/suricatasc/${MODPY_PYCACHE}__init__.${MODPY_PYC_MAGIC_TAG}pyc @man man/man1/suricata.1 share/doc/pkg-readmes/${PKGSTEM} -@sample ${SYSCONFDIR}/suricata/ -@sample ${SYSCONFDIR}/suricata/rules/ share/examples/suricata/ -share/examples/suricata/rules/ -share/examples/suricata/rules/app-layer-events.rules -@sample ${SYSCONFDIR}/suricata/rules/app-layer-events.rules -share/examples/suricata/rules/decoder-events.rules -@sample ${SYSCONFDIR}/suricata/rules/decoder-events.rules -share/examples/suricata/rules/dhcp-events.rules -share/examples/suricata/rules/dnp3-events.rules -@sample ${SYSCONFDIR}/suricata/rules/dnp3-events.rules -share/examples/suricata/rules/dns-events.rules -@sample ${SYSCONFDIR}/suricata/rules/dns-events.rules -share/examples/suricata/rules/files.rules -@sample ${SYSCONFDIR}/suricata/rules/files.rules -share/examples/suricata/rules/http-events.rules -@sample ${SYSCONFDIR}/suricata/rules/http-events.rules -share/examples/suricata/rules/ipsec-events.rules -share/examples/suricata/rules/kerberos-events.rules -share/examples/suricata/rules/modbus-events.rules -@sample ${SYSCONFDIR}/suricata/rules/modbus-events.rules -share/examples/suricata/rules/nfs-events.rules -@sample ${SYSCONFDIR}/suricata/rules/nfs-events.rules -share/examples/suricata/rules/ntp-events.rules -@sample ${SYSCONFDIR}/suricata/rules/ntp-events.rules -share/examples/suricata/rules/smb-events.rules -share/examples/suricata/rules/smtp-events.rules -@sample ${SYSCONFDIR}/suricata/rules/smtp-events.rules -share/examples/suricata/rules/stream-events.rules -@sample ${SYSCONFDIR}/suricata/rules/stream-events.rules -share/examples/suricata/rules/tls-events.rules -@sample ${SYSCONFDIR}/suricata/rules/tls-events.rules +@sample ${SYSCONFDIR}/suricata/ share/examples/suricata/suricata.yaml @sample ${SYSCONFDIR}/suricata/suricata.yaml share/examples/suricata/threshold.config @sample 
${SYSCONFDIR}/suricata/threshold.config -@owner _suricata -@group _suricata -@sample ${VARBASE}/suricata/ -@sample ${VARBASE}/suricata/log/ -@sample ${VARBASE}/suricata/run/ -@sample ${VARBASE}/log/suricata/ -@owner -@group share/suricata/ share/suricata/classification.config +@sample ${SYSCONFDIR}/suricata/classification.config share/suricata/reference.config +@sample ${SYSCONFDIR}/suricata/reference.config share/suricata/rules/ +@sample ${SYSCONFDIR}/suricata/rules/ share/suricata/rules/app-layer-events.rules +@sample ${SYSCONFDIR}/suricata/rules/app-layer-events.rules share/suricata/rules/decoder-events.rules +@sample ${SYSCONFDIR}/suricata/rules/decoder-events.rules share/suricata/rules/dhcp-events.rules +@sample ${SYSCONFDIR}/suricata/rules/dhcp-events.rules share/suricata/rules/dnp3-events.rules +@sample ${SYSCONFDIR}/suricata/rules/dnp3-events.rules share/suricata/rules/dns-events.rules +@sample ${SYSCONFDIR}/suricata/rules/dns-events.rules share/suricata/rules/files.rules +@sample ${SYSCONFDIR}/suricata/rules/files.rules share/suricata/rules/http-events.rules +@sample ${SYSCONFDIR}/suricata/rules/http-events.rules share/suricata/rules/ipsec-events.rules +@sample ${SYSCONFDIR}/suricata/rules/ipsec-events.rules share/suricata/rules/kerberos-events.rules +@sample ${SYSCONFDIR}/suricata/rules/kerberos-events.rules share/suricata/rules/modbus-events.rules +@sample ${SYSCONFDIR}/suricata/rules/modbus-events.rules share/suricata/rules/nfs-events.rules +@sample ${SYSCONFDIR}/suricata/rules/nfs-events.rules share/suricata/rules/ntp-events.rules +@sample ${SYSCONFDIR}/suricata/rules/ntp-events.rules share/suricata/rules/smb-events.rules +@sample ${SYSCONFDIR}/suricata/rules/smb-events.rules share/suricata/rules/smtp-events.rules +@sample ${SYSCONFDIR}/suricata/rules/smtp-events.rules share/suricata/rules/stream-events.rules +@sample ${SYSCONFDIR}/suricata/rules/stream-events.rules share/suricata/rules/tls-events.rules +@sample 
${SYSCONFDIR}/suricata/rules/tls-events.rules +@owner _suricata +@group _suricata +@sample ${VARBASE}/suricata/ +@sample ${VARBASE}/log/suricata/ +@sample ${VARBASE}/run/suricata/ +@owner +@group Index: pkg/README =================================================================== RCS file: /cvs/ports/security/suricata/pkg/README,v retrieving revision 1.7 diff -u -p -r1.7 README --- pkg/README 29 Mar 2019 16:53:21 -0000 1.7 +++ pkg/README 29 Jan 2021 22:42:15 -0000 
@@ -4,55 +4,42 @@ $OpenBSD: README,v 1.7 2019/03/29 16:53: | Running ${PKGSTEM} on OpenBSD +----------------------------------------------------------------------- -Starting suricata +Starting Suricata ================= - -For normal use, you need to set first your interface and enable the +For normal use, you need to first set your interface and enable the daemon: # rcctl enable suricata # rcctl set suricata flags -i em0 -And you need the rules, these rules are expected to be present in the -${SYSCONFDIR}/suricata/rules directory as defined in -${SYSCONFDIR}/suricata/suricata.yaml. +The default configuration uses a very basic set of rules bundled with +Suricata and installed in the ${SYSCONFDIR}/suricata/rules directory. +A standard installation uses additional rules as shown in the following +section. Rule management =============== - -It is possible to download and install rules manually, but there is a -much easier and quicker way to do so. There are special programs which -you can use for downloading and installing rules. - -After installing the new rulesets described below, restart suricata to -pick up the new rules: - -# rcctl restart suricata - -Note that the installed rules have to be updated regularly by the program -used to fetch them initially. For example use cron to update the rules -every 24h. +It is possible to download and install rules manually, but it is easier +and quicker to use one of the available tools to do this. suricata-update --------------- +suricata-update is the recommended way to install and update rules. +By default it will download the new rules into ${VARBASE}/suricata/rules -suricata-update is the recommended way to install and update rules for -suricata. By default it will download the new rules into -${VARBASE}/suricata/rules/ . 
- -Modify ${SYSCONFDIR}/suricata/suricata.yaml like this: +Edit ${SYSCONFDIR}/suricata/suricata.yaml and replace the existing default-rule-path +and rule-files sections with this: default-rule-path: ${VARBASE}/suricata/rules/ rule-files: - suricata.rules -And restart suricata: +And restart Suricata: # rcctl restart suricata Oinkmaster ---------- - The other common method is with Oinkmaster which can be installed with: # pkg_add oinkmaster 
@@ -71,24 +58,37 @@ And you can download as follow: # cd /etc && oinkmaster -C ${SYSCONFDIR}/oinkmaster.conf \ -o ${SYSCONFDIR}/suricata/rules +After updating rules +-------------------- +After installing the new rulesets with one of the above methods, restart +Suricata to pick them up: + +# rcctl restart suricata + +Note that the installed rules have to be updated regularly by the program +used to fetch them initially. For example use cron to update the rules +every 24h. + Inline mode (IPS) ================= +The default configuration captures packets via pcap on a network interface +and runs detection methods. -In order to run suricata "inline" in Intrusion Prevention mode, the following -needs to be added to `/etc/pf.conf`: +Suricata can also run "inline" in Intrusion Prevention mode. To do this, +add the following to /etc/pf.conf: pass out quick on egress inet proto tcp to port 80 divert-packet port 700 -Adjust this to match what traffic suricata will need to inspect as well as the -port to divert to. - -To enable inline ipfw mode of suricata on port 700: +Adjust this to match what traffic Suricata will need to inspect as well as +the divert port use. Configure to enable inline mode on divert port 700 +like this: # rcctl set suricata flags -d 700 -Outbound packets don't have a correct checksum yet due to checksum offloading, -therefore suricata will log "SURICATA TCPv4 invalid checksum" and ignore these -packets. To workaround this set the following in suricata.yaml: +Outbound packets might not have a correct checksum yet due to checksum +offloading, therefore Suricata will log "SURICATA TCPv4 invalid checksum" +and ignore these packets. This can be worked around with the following +setting in suricata.yaml: stream: checksum-validation: yes 
@@ -98,5 +98,5 @@ Also adjust the configuration to drop pa - drop: enabled: yes -(Re)start suricata for the changes to take effect. Note that ipfw mode is +(Re)start Suricata for the changes to take effect. Note that IPS mode is mutually exclusive with pcap live mode (-i). Index: pkg/suricata.rc =================================================================== RCS file: /cvs/ports/security/suricata/pkg/suricata.rc,v retrieving revision 1.2 diff -u -p -r1.2 suricata.rc --- pkg/suricata.rc 15 Feb 2018 16:19:41 -0000 1.2 +++ pkg/suricata.rc 29 Jan 2021 22:42:15 -0000 @@ -6,4 +6,8 @@ daemon="${TRUEPREFIX}/bin/suricata -D" . /etc/rc.d/rc.subr +rc_pre() { + /usr/bin/install -d -o _suricata -g _suricata -m 0750 /var/run/suricata +} + rc_cmd $1
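Review bot: in the PLIST hunk, the new `@sample ${VARBASE}/run/suricata/` entry under `@owner _suricata` / `@group _suricata` carries no `@mode`, while the suricata.rc hunk creates the same directory with `install -d ... -m 0750`, so a fresh package install and a post-boot rc start leave the socket directory with different permissions. Add a `@mode 0750` line before the `@sample ${VARBASE}/...` entries (and a bare `@mode` next to the bare `@owner` / `@group` reset) so the two agree, and put a short PLIST comment next to the entry saying why rc_pre recreates it as well, otherwise the next maintainer will drop one of the two as redundant. Separately, the README hunk tells the user suricata-update writes into `${VARBASE}/suricata/rules`, but only `@sample ${VARBASE}/suricata/` is created here; either confirm suricata-update creates the rules subdirectory itself with the right owner or add an `@sample ${VARBASE}/suricata/rules/` entry.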
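Review bot: in the README hunk `@@ -4,55 +4,42 @@`, the new line `+By default it will download the new rules into ${VARBASE}/suricata/rules` loses both the sentence-ending period and the trailing slash that the removed text and the `default-rule-path: ${VARBASE}/suricata/rules/` line just below use; write it as `${VARBASE}/suricata/rules/.` so the path the reader sees matches what they are told to put into suricata.yaml. The line `+Edit ${SYSCONFDIR}/suricata/suricata.yaml and replace the existing default-rule-path` also runs well past the column width the rest of the README keeps; rewrap it to match.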
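Review bot: in the Inline mode hunk `@@ -71,24 +58,37 @@`, `+the divert port use. Configure to enable inline mode on divert port 700` is missing a word and doubles up "Configure to enable"; suggest `the divert port to use. Then enable inline mode on divert port 700` followed by `like this:`. The consolidated "After updating rules" section now carries the restart and cron reminders that the earlier hunk removed from "Rule management", so nothing is lost there.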
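Review bot: in the suricata.rc hunk, `rc_pre()` hardcodes `/var/run/suricata` while the PLIST and README in the same diff spell that tree as `${VARBASE}`; use `${VARBASE}/run/suricata` so a non-default VARBASE keeps the rc script, the package and the `/var/run/suricata/suricata-command.socket` path Suricata logs in agreement. A one-line comment above the function stating why the directory is recreated at start even though it is already a `@sample` in the PLIST would also help, since otherwise the duplication looks accidental.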
