#
-# Copyright (C) 2006 OpenWrt.org
+# Copyright (C) 2006-2009 OpenWrt.org
#
# This is free software, licensed under the GNU General Public License v2.
# See /LICENSE for more information.
include $(TOPDIR)/rules.mk
PKG_NAME:=snort
-PKG_VERSION:=2.4.4
+PKG_VERSION:=2.8.4.1
PKG_RELEASE:=1
PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
-PKG_SOURCE_URL:=http://www.snort.org/dl/current/
-PKG_MD5SUM:=9dc9060d1f2e248663eceffadfc45e7e
+PKG_SOURCE_URL:=http://dl.snort.org/snort-current/
+PKG_MD5SUM:=63f4e76ae96a2d133f4c7b741bad5458
include $(INCLUDE_DIR)/package.mk
URL:=http://www.snort.org/
endef
+define Package/snort/Default/description
+ Snort is an open source network intrusion detection and prevention system.
+ It is capable of performing real-time traffic analysis, alerting, blocking
+ and packet logging on IP networks. It utilizes a combination of protocol
+ analysis and pattern matching in order to detect anomalies, misuse and
+ attacks.
+endef
+
define Package/snort
$(call Package/snort/Default)
endef
+define Package/snort/description
+ $(call Package/snort/Default/description)
+endef
+
define Package/snort-mysql
$(call Package/snort/Default)
DEPENDS+= +libmysqlclient
TITLE+= (MySQL)
endef
+define Package/snort-mysql/description
+ $(call Package/snort/Default/description)
+ This package contains snort with support for logging to a MySQL database.
+endef
+
define Package/snort-pgsql
$(call Package/snort/Default)
DEPENDS+= +libpq
TITLE+= (PostgreSQL)
endef
+define Package/snort-pgsql/description
+ $(call Package/snort/Default/description)
+ This package contains snort with support for logging to a PostgreSQL database.
+endef
define Compile/Template
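Review bot: PKG_MD5SUM is the only integrity check on a tarball that PKG_SOURCE_URL fetches over plain HTTP, so the new digest `63f4e76ae96a2d133f4c7b741bad5458` is the trust anchor for everything the three packages build, yet the bump records nothing about how it was obtained. Add a comment above it such as `# MD5 of the upstream snort-2.8.4.1.tar.gz; compare with the checksum upstream publishes at every version bump rather than re-hashing a locally downloaded copy`, so the next maintainer verifies provenance instead of re-pinning whatever the mirror happened to serve. The file header and the hunk's `@@` header are not visible on the page, so the hunk's exact extent is inferred.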
--- /dev/null
+--- a/configure
++++ b/configure
+@@ -20770,8 +20770,7 @@
+ { { echo "$as_me:$LINENO: error: cannot run test program while cross compiling
+ See \`config.log' for more details." >&5
+ echo "$as_me: error: cannot run test program while cross compiling
+-See \`config.log' for more details." >&2;}
+- { (exit 1); exit 1; }; }
++See \`config.log' for more details." >&2;} }
+ else
+ cat >conftest.$ac_ext <<_ACEOF
+ /* confdefs.h. */
+@@ -22981,8 +22980,7 @@
+ { { echo "$as_me:$LINENO: error: cannot run test program while cross compiling
+ See \`config.log' for more details." >&5
+ echo "$as_me: error: cannot run test program while cross compiling
+-See \`config.log' for more details." >&2;}
+- { (exit 1); exit 1; }; }
++See \`config.log' for more details." >&2;} }
+ else
+ cat >conftest.$ac_ext <<_ACEOF
+ /* confdefs.h. */
+@@ -23766,8 +23764,7 @@
+ { { echo "$as_me:$LINENO: error: cannot run test program while cross compiling
+ See \`config.log' for more details." >&5
+ echo "$as_me: error: cannot run test program while cross compiling
+-See \`config.log' for more details." >&2;}
+- { (exit 1); exit 1; }; }
++See \`config.log' for more details." >&2;} }
+ else
+ cat >conftest.$ac_ext <<_ACEOF
+ /* confdefs.h. */
+@@ -23854,8 +23851,7 @@
+ { { echo "$as_me:$LINENO: error: cannot run test program while cross compiling
+ See \`config.log' for more details." >&5
+ echo "$as_me: error: cannot run test program while cross compiling
+-See \`config.log' for more details." >&2;}
+- { (exit 1); exit 1; }; }
++See \`config.log' for more details." >&2;} }
+ else
+ cat >conftest.$ac_ext <<_ACEOF
+ /* confdefs.h. */
+diff -urN snort-2.8.4.1/configure snort-2.8.4.1.new/configure
+--- snort-2.8.4.1/configure 2009-04-21 21:39:16.000000000 +0200
++++ snort-2.8.4.1.new/configure 2009-07-12 19:59:26.000000000 +0200
+@@ -23766,8 +23766,7 @@
+ { { echo "$as_me:$LINENO: error: cannot run test program while cross compiling
+ See \`config.log' for more details." >&5
+ echo "$as_me: error: cannot run test program while cross compiling
+-See \`config.log' for more details." >&2;}
+- { (exit 1); exit 1; }; }
++See \`config.log' for more details." >&2;} }
+ else
+ cat >conftest.$ac_ext <<_ACEOF
+ /* confdefs.h. */
+--- snort-2.8.4.1/configure 2009-07-12 20:33:36.000000000 +0200
++++ snort-2.8.4.1.new/configure 2009-07-12 20:34:10.000000000 +0200
+@@ -24651,8 +24651,7 @@
+ { { echo "$as_me:$LINENO: error: cannot run test program while cross compiling
+ See \`config.log' for more details." >&5
+ echo "$as_me: error: cannot run test program while cross compiling
+-See \`config.log' for more details." >&2;}
+- { (exit 1); exit 1; }; }
++See \`config.log' for more details." >&2;} }
+ else
+ cat >conftest.$ac_ext <<_ACEOF
+ /* confdefs.h. */
+@@ -24719,8 +24718,7 @@
+ { { echo "$as_me:$LINENO: error: cannot run test program while cross compiling
+ See \`config.log' for more details." >&5
+ echo "$as_me: error: cannot run test program while cross compiling
+-See \`config.log' for more details." >&2;}
+- { (exit 1); exit 1; }; }
++See \`config.log' for more details." >&2;} }
+ else
+ cat >conftest.$ac_ext <<_ACEOF
+ /* confdefs.h. */
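Review bot: The new configure patch holds three file sections for the same `configure` script (`--- a/configure`, then `diff -urN snort-2.8.4.1/configure …`, then a second `--- snort-2.8.4.1/configure` header) and two of them address the same region: the hunk `@@ -23766,8 +23764,7 @@` in the first section and `@@ -23766,8 +23766,7 @@` in the second both remove the abort at old line 23766. Because every hunk's pre-image is the identical autoconf "cannot run test program while cross compiling" block that recurs throughout configure, `patch` will most likely satisfy the duplicate by locating another not-yet-patched occurrence at some offset, so which cross-compile checks stop aborting is decided by patch's search rather than by the hunk headers, and the outcome can change silently with any upstream edit to configure. Regenerate this as one file section with a single hunk per intended check site, and put a header comment at the top of the patch file naming the checks it neutralises and stating that, with `{ (exit 1); exit 1; }` gone, configure continues with whatever result the surrounding check assigns when the test program cannot run — the page does not show what that fallback is, so it should be confirmed and documented alongside the patch.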
---- snort-2.3.2-orig/etc/snort.conf 2005-03-10 23:04:38.000000000 +0100
-+++ snort-2.3.2-1/etc/snort.conf 2005-04-04 20:01:41.000000000 +0200
+Index: snort-2.8.4.1/etc/snort.conf
+===================================================================
+--- snort-2.8.4.1.orig/etc/snort.conf 2009-04-21 21:39:51.000000000 +0200
++++ snort-2.8.4.1/etc/snort.conf 2009-07-12 19:54:47.000000000 +0200
@@ -6,6 +6,7 @@
#
###################################################
+# Most preprocessors and rules were disabled to save memory.
# You can take the following steps to create your own custom configuration:
#
- # 1) Set the network variables for your network
-@@ -41,10 +42,10 @@
+ # 1) Set the variables for your network
+@@ -43,10 +44,10 @@
# or you can specify the variable to be any IP address
# like this:
# Configure your server lists. This allows snort to only look for attacks to
# systems that have a service up. Why look for HTTP attacks if you are not
-@@ -106,7 +107,7 @@
+@@ -107,8 +108,8 @@
# Path to your rules files (this can be a relative path)
# Note for Windows users: You are advised to make this an absolute path,
# such as: c:\snort\rules
-var RULE_PATH ../rules
+-var PREPROC_RULE_PATH ../preproc_rules
+var RULE_PATH /etc/snort/rules
++var PREPROC_RULE_PATH /etc/snort/preproc_rules
# Configure the snort decoder
# ============================
-@@ -297,11 +298,11 @@
+@@ -307,11 +308,11 @@
# lots of options available here. See doc/README.http_inspect.
# unicode.map should be wherever your snort.conf lives, or given
# a full path to where snort can find it.
-preprocessor http_inspect: global \
- iis_unicode_map unicode.map 1252
+#preprocessor http_inspect: global \
-+# iis_unicode_map unicode.map 1252
++# iis_unicode_map unicode.map 1252
-preprocessor http_inspect_server: server default \
- profile all ports { 80 8080 8180 } oversize_dir_length 500
#
# Example unique server configuration
-@@ -335,7 +336,7 @@
+@@ -345,7 +346,7 @@
# no_alert_incomplete - don't alert when a single segment
# exceeds the current packet size
# bo: Back Orifice detector
# -------------------------
-@@ -347,7 +348,7 @@
- # ----- -------------------
- # 1 Back Orifice traffic detected
+@@ -368,7 +369,7 @@
+ # 3 Back Orifice Server Traffic Detected
+ # 4 Back Orifice Snort Buffer Attack
-preprocessor bo
+#preprocessor bo
- # telnet_decode: Telnet negotiation string normalizer
- # ---------------------------------------------------
-@@ -359,7 +360,7 @@
- # This preprocessor requires no arguments.
- # Portscan uses Generator ID 109 and does not generate any SID currently.
+ # ftp_telnet: FTP & Telnet normalizer, protocol enforcement and buff overflow
+ # ---------------------------------------------------------------------------
+@@ -391,32 +392,32 @@
+ # or use commandline option
+ # --dynamic-preprocessor-lib <full path to libsf_ftptelnet_preproc.so>
--preprocessor telnet_decode
-+#preprocessor telnet_decode
+-preprocessor ftp_telnet: global \
+- encrypted_traffic yes \
+- inspection_type stateful
+-
+-preprocessor ftp_telnet_protocol: telnet \
+- normalize \
+- ayt_attack_thresh 200
++#preprocessor ftp_telnet: global \
++# encrypted_traffic yes \
++# inspection_type stateful
++
++#preprocessor ftp_telnet_protocol: telnet \
++# normalize \
++# ayt_attack_thresh 200
+
+ # This is consistent with the FTP rules as of 18 Sept 2004.
+ # CWD can have param length of 200
+ # MODE has an additional mode of Z (compressed)
+ # Check for string formats in USER & PASS commands
+ # Check nDTM commands that set modification time on the file.
+-preprocessor ftp_telnet_protocol: ftp server default \
+- def_max_param_len 100 \
+- alt_max_param_len 200 { CWD } \
+- cmd_validity MODE < char ASBCZ > \
+- cmd_validity MDTM < [ date nnnnnnnnnnnnnn[.n[n[n]]] ] string > \
+- chk_str_fmt { USER PASS RNFR RNTO SITE MKD } \
+- telnet_cmds yes \
+- data_chan
+-
+-preprocessor ftp_telnet_protocol: ftp client default \
+- max_resp_len 256 \
+- bounce yes \
+- telnet_cmds yes
++#preprocessor ftp_telnet_protocol: ftp server default \
++# def_max_param_len 100 \
++# alt_max_param_len 200 { CWD } \
++# cmd_validity MODE < char ASBCZ > \
++# cmd_validity MDTM < [ date nnnnnnnnnnnnnn[.n[n[n]]] ] string > \
++# chk_str_fmt { USER PASS RNFR RNTO SITE MKD } \
++# telnet_cmds yes \
++# data_chan
++
++#preprocessor ftp_telnet_protocol: ftp client default \
++# max_resp_len 256 \
++# bounce yes \
++# telnet_cmds yes
+
+ # smtp: SMTP normalizer, protocol enforcement and buffer overflow
+ # ---------------------------------------------------------------------------
+@@ -434,15 +435,15 @@
+ # or use commandline option
+ # --dynamic-preprocessor-lib <full path to libsf_smtp_preproc.so>
+
+-preprocessor smtp: \
+- ports { 25 587 691 } \
+- inspection_type stateful \
+- normalize cmds \
+- normalize_cmds { EXPN VRFY RCPT } \
+- alt_max_command_line_len 260 { MAIL } \
+- alt_max_command_line_len 300 { RCPT } \
+- alt_max_command_line_len 500 { HELP HELO ETRN } \
+- alt_max_command_line_len 255 { EXPN VRFY }
++#preprocessor smtp: \
++# ports { 25 587 691 } \
++# inspection_type stateful \
++# normalize cmds \
++# normalize_cmds { EXPN VRFY RCPT } \
++# alt_max_command_line_len 260 { MAIL } \
++# alt_max_command_line_len 300 { RCPT } \
++# alt_max_command_line_len 500 { HELP HELO ETRN } \
++# alt_max_command_line_len 255 { EXPN VRFY }
- # Flow-Portscan: detect a variety of portscans
- # ---------------------------------------
-@@ -455,9 +456,9 @@
- # are still watched as scanner hosts. The 'ignore_scanned' option is
- # used to tune alerts from very active hosts such as syslog servers, etc.
+ # sfPortscan
+ # ----------
+@@ -498,9 +499,9 @@
+ # false alerts, especially under heavy load with dropped packets; which is why
+ # the option is off by default.
#
-preprocessor sfportscan: proto { all } \
- memcap { 10000000 } \
# arpspoof
#----------------------------------------
-@@ -642,41 +643,41 @@
+@@ -623,9 +624,9 @@
+ # or use commandline option
+ # --dynamic-preprocessor-lib <full path to libsf_dns_preproc.so>
+
+-preprocessor dns: \
+- ports { 53 } \
+- enable_rdata_overflow
++#preprocessor dns: \
++# ports { 53 } \
++# enable_rdata_overflow
+
+ # SSL
+ #----------------------------------------
+@@ -649,7 +650,7 @@
+ # To add reassembly on port 443 to Stream5, use 'port both 443' in the
+ # Stream5 configuration.
+
+-preprocessor ssl: noinspect_encrypted, trustservers
++#preprocessor ssl: noinspect_encrypted, trustservers
+
+
+ ####################################################################
+@@ -811,41 +812,41 @@
include $RULE_PATH/bad-traffic.rules
include $RULE_PATH/exploit.rules
include $RULE_PATH/scan.rules
# include $RULE_PATH/web-attacks.rules
# include $RULE_PATH/backdoor.rules
# include $RULE_PATH/shellcode.rules
-@@ -684,11 +685,11 @@
- # include $RULE_PATH/porn.rules
- # include $RULE_PATH/info.rules
- # include $RULE_PATH/icmp-info.rules
-- include $RULE_PATH/virus.rules
-+# include $RULE_PATH/virus.rules
- # include $RULE_PATH/chat.rules
- # include $RULE_PATH/multimedia.rules
+@@ -859,7 +860,7 @@
# include $RULE_PATH/p2p.rules
+ # include $RULE_PATH/spyware-put.rules
+ # include $RULE_PATH/specific-threats.rules
-include $RULE_PATH/experimental.rules
+#include $RULE_PATH/experimental.rules
- # Include any thresholding or suppression commands. See threshold.conf in the
- # <snort src>/etc directory for details. Commands don't necessarily need to be
+ # include $PREPROC_RULE_PATH/preprocessor.rules
+ # include $PREPROC_RULE_PATH/decoder.rules
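Review bot: The rewritten snort.conf patch comments out the http_inspect, bo, ftp_telnet, smtp, dns and ssl preprocessors, but the only explanation it adds to the shipped configuration is the line `# Most preprocessors and rules were disabled to save memory.` near the top of the file. Those preprocessors normalise the traffic that the rule files left enabled (`bad-traffic.rules`, `exploit.rules`, `scan.rules`) are matched against, so any rule in them that inspects a preprocessor-filled buffer (http_inspect's normalised URI, for instance) will, as far as I can tell, never match while that preprocessor is off — the memory saving is also a detection-coverage cut, and the config should say so. Extend that comment to something like `# Most preprocessors (http_inspect, bo, ftp_telnet, smtp, dns, ssl) and rules were disabled to save memory; rules that rely on a preprocessor's normalised buffers will not match until it is re-enabled.` The hunk may continue beyond the last line shown here.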