Date:      Thu, 26 Nov 2009 00:41:05 +0100 (CET)
From:      olli hauer <ohauer@gmx.de>
To:        FreeBSD-gnats-submit@FreeBSD.org
Cc:        ohauer@gmx.de
Subject:   ports/140881: [patch] port security/snortsam update to version 2.68
Message-ID:  <20091125234106.149AD26145@u18-124.dsl.vianetworks.de>
Resent-Message-ID: <200911252350.nAPNo132035427@freefall.freebsd.org>


>Number:         140881
>Category:       ports
>Synopsis:       [patch] port security/snortsam update to version 2.68
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-ports-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          update
>Submitter-Id:   current-users
>Arrival-Date:   Wed Nov 25 23:50:01 UTC 2009
>Closed-Date:
>Last-Modified:
>Originator:     olli hauer <ohauer@gmx.de>
>Release:        FreeBSD 8.0-RELEASE amd64
>Organization:
>Environment:


>Description:
Update snortsam to version 2.68

Additional:
 use the Makefile instead of makesnortsam.sh
 patches to make the pf2 plugin even more robust (will be included in the next official release)
 some small patches to correct the pf2 documentation
 some other small patches that will appear in the next release

For more information see http://snortsam.net/news.html

If this patch is committed PR ports/139460 can be closed
Since PR ports/139460 has now been open for 6 weeks, I will be happy to take maintainership
if the old maintainer does not respond or has no time.
In this case please remove http://www.freebsdbrasil.com.br/~urisso/files/snortsam/
from MASTER_SITES.


I've done build and function tests (mostly of the pf2 plugin) on these platforms:
 FreeBSD 6.4 7.1 7.2 8.0 9.0 i386
 FreeBSD 7.2 8.0 amd64
 OpenBSD 4.5 4.6 i386
 NetBSD  5.0 (i386)

If the diff is mangled somewhere (~750 lines) contact me directly and I will send
the whole port or the patch as tar/gz.

--
olli hauer

>How-To-Repeat:
>Fix:
--- patch_snortsam-2.68.txt begins here ---
diff -Nru snortsam/Makefile snortsam/Makefile
--- snortsam/Makefile	2008-09-04 01:02:16.000000000 +0200
+++ snortsam/Makefile	2009-11-25 23:44:51.000000000 +0100
@@ -6,7 +6,7 @@
 #
 
 PORTNAME=	snortsam
-PORTVERSION=	2.60
+PORTVERSION=	2.68
 CATEGORIES=	security
 MASTER_SITES=	http://www.snortsam.net/files/snortsam/ \
 		http://www.freebsdbrasil.com.br/~urisso/files/snortsam/
@@ -15,53 +15,76 @@
 MAINTAINER=	urisso@bsd.com.br
 COMMENT=	SnortSam is a output plugin for Snort
 
-WRKSRC=		${WRKDIR}/${PKGNAMEPREFIX}${PORTNAME}
+OPTIONS=	IPFW	"checks if configured tables are available" on \
+		SAMTOOL "install samtool" on \
+		DEBUG	"build with verbose messages" off
+
+.include <bsd.port.pre.mk>
 
+USE_RC_SUBR=	snortsam.sh
+SUB_FILES=	pkg-message
 HAS_CONFIGURE=	yes
 NO_BUILD=	yes
+CONFIGURE_SCRIPT=	src/Makefile
+WRKSRC=		${WRKDIR}/${PKGNAMEPREFIX}${PORTNAME}
 
-SYSCONFDIR=	${PREFIX}/etc/snortsam
-
-CONFIGURE_SCRIPT=	makesnortsam.sh
-
-USE_RC_SUBR=	snortsam.sh
+CONFIG_DIR?=	${PREFIX}/etc/snortsam
 
 PLIST_DIRS=	etc/snortsam
-PLIST_FILES=	etc/snortsam/rootservers.cfg etc/snortsam/snortsam.conf.sample sbin/snortsam sbin/snortsam-debug
-PORTDOCS=	INSTALL README README.conf README.snmp_interface_down
+PLIST_FILES=	sbin/snortsam \
+		etc/snortsam/snortsam.conf.sample \
+		etc/snortsam/country-rootservers.conf.sample \
+		etc/snortsam/opsec.conf.sample \
+		etc/snortsam/rootservers.cfg.sample
 
-OPTIONS=	IPFW	"Enable IPFW table checking if it set deny rules" on
+.if defined(WITH_SAMTOOL)
+PLIST_FILES+=	sbin/samtool
+.endif
 
-.include <bsd.port.pre.mk>
+PORTDOCS=	AUTHORS BUGS CREDITS FAQ INSTALL LICENSE README README.ciscoacl \
+		README.conf README.iptables README.netscreen README.pf README.pf2 \
+		README.rules README.slackware README.snmp_interface_down README.wgrd \
+		README_8signs.rtf TODO
 
 .if defined(WITHOUT_IPFW)
-PATCH_SITES+=http://www.freebsdbrasil.com.br/~urisso/files/snortsam/:ipfw
-PATCHFILES+=ssp_ipfw2.c.diff:ipfw
+EXTRA_PATCHES+=	${FILESDIR}/ssp_ipfw2_no_table_check.patch
 .endif
 
-post-extract:
-	@${CAT} ${PATCHDIR}/pkg-message-snortsam
-	@sleep 5
+.if defined(WITH_DEBUG)
+DEBUG=-DDEBUG
+.endif
 
 pre-configure:
-	${REINPLACE_CMD} -e 's|/etc/snortsam.conf|/usr/local/etc/snortsam.conf|g' ${WRKSRC}/conf/snortsam.conf.sample
-	${REINPLACE_CMD} -e 's|/etc/snortsam.conf|/usr/local/etc/snortsam.conf|g' ${WRKSRC}/docs/README.conf
-	${REINPLACE_CMD} -e 's|/etc/snortsam.conf|/usr/local/etc/snortsam.conf|g' ${WRKSRC}/src/snortsam.c
-	${REINPLACE_CMD} -e 's|/etc/snortsam.conf|/usr/local/etc/snortsam.conf|g' ${WRKSRC}/contrib/snortsam-state.c
-	${CHMOD} +x ${WRKSRC}/makesnortsam.sh
+	@${REINPLACE_CMD} -e 's|/etc/snortsam.conf|/usr/local/etc/snortsam/snortsam.conf|g' ${WRKSRC}/conf/snortsam.conf.sample
+	@${REINPLACE_CMD} -e 's|/etc/snortsam.conf|/usr/local/etc/snortsam/snortsam.conf|g' ${WRKSRC}/docs/README.conf
+	@${REINPLACE_CMD} -e 's|/etc/snortsam.conf|/usr/local/etc/snortsam/snortsam.conf|g' ${WRKSRC}/src/snortsam.h
+	@${REINPLACE_CMD} -e 's|/etc/snortsam.conf|/usr/local/etc/snortsam/snortsam.conf|g' ${WRKSRC}/contrib/snortsam-state.c
+	@${CHMOD} +x ${WRKSRC}/makesnortsam.sh
+
+do-configure:
+	@cd ${WRKSRC}/src && ${MAKE} ${DEBUG}
+	@cd ${WRKSRC}/src && ${MAKE} samtool ${DEBUG}
 
+# no access to snortsam.conf and samtool for non root users!
 do-install:
-	${INSTALL_PROGRAM} ${WRKSRC}/snortsam ${PREFIX}/sbin
-	${INSTALL_PROGRAM} ${WRKSRC}/snortsam-debug ${PREFIX}/sbin
-	${MKDIR} ${SYSCONFDIR}
-	${INSTALL_DATA} ${WRKSRC}/conf/snortsam.conf.sample ${SYSCONFDIR}/snortsam.conf.sample
-	${INSTALL_DATA} ${WRKSRC}/conf/*rootservers.cfg ${SYSCONFDIR}/
+	@${INSTALL_PROGRAM} ${WRKSRC}/snortsam ${PREFIX}/sbin
+.if defined(WITH_SAMTOOL)
+	@${INSTALL} -o root -g wheel -m 500 ${WRKSRC}/samtool ${PREFIX}/sbin
+.endif
+	@${MKDIR} ${CONFIG_DIR}
+	@${INSTALL_DATA} -m 600 ${WRKSRC}/conf/snortsam.conf.sample ${CONFIG_DIR}/snortsam.conf.sample
+	@${INSTALL_DATA} ${WRKSRC}/conf/opsec.conf ${CONFIG_DIR}/opsec.conf.sample
+	@${INSTALL_DATA} ${WRKSRC}/conf/rootservers.cfg ${CONFIG_DIR}/rootservers.cfg.sample
+	@${INSTALL_DATA} ${WRKSRC}/conf/country-rootservers.conf ${CONFIG_DIR}/country-rootservers.conf.sample
 
 .if !defined(NOPORTDOCS)
+	@${MKDIR} ${DOCSDIR}
 .for f in ${PORTDOCS}
-	${MKDIR} ${DOCSDIR}
-	${INSTALL_DATA} ${WRKSRC}/docs/${f} ${DOCSDIR}
+	@${INSTALL_DATA} ${WRKSRC}/docs/${f} ${DOCSDIR}
 .endfor
 .endif
 
+post-install:
+	@${CAT} ${PKGMESSAGE}
+
 .include <bsd.port.post.mk>
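Review bot: The four pre-configure REINPLACE lines rewrite the config path to the literal `/usr/local/etc/snortsam/snortsam.conf`, while the directory the port installs into is `CONFIG_DIR?= ${PREFIX}/etc/snortsam` a few lines above; with any PREFIX other than /usr/local the daemon, snortsam-state and the docs all point at a file that is never installed, and the do-install comment plus the `-m 600` on snortsam.conf.sample show this file is meant to be tightly controlled, so which path is baked in matters. Use the port variable in the substitution on all four lines, e.g. `@${REINPLACE_CMD} -e 's|/etc/snortsam.conf|${CONFIG_DIR}/snortsam.conf|g' ${WRKSRC}/src/snortsam.h`. `@${CHMOD} +x ${WRKSRC}/makesnortsam.sh` looks like a leftover now that do-configure drives src/Makefile directly and patch-makesnortsam.sh is removed in this same patch set. `${INSTALL} -o root -g wheel -m 500` for samtool hard-codes owner and group where other ports use the framework's BINOWN/BINGRP variables — presumably deliberate, but worth a one-line comment.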
diff -Nru snortsam/distinfo snortsam/distinfo
--- snortsam/distinfo	2008-09-04 01:02:16.000000000 +0200
+++ snortsam/distinfo	2009-11-17 22:28:39.000000000 +0100
@@ -1,6 +1,3 @@
-MD5 (snortsam-src-2.60.tar.gz) = 5fdc69b18938237ac943beeb7f6c105a
-SHA256 (snortsam-src-2.60.tar.gz) = 65c44a91487f533f66291b1dd41f06237d21ba7c9e43a27d8784e2915c2771f4
-SIZE (snortsam-src-2.60.tar.gz) = 1982833
-MD5 (ssp_ipfw2.c.diff) = bcc60c6d27805db5d96c284189cefee8
-SHA256 (ssp_ipfw2.c.diff) = 29355590da907bb4c9f3e259c460c1c29d7a0e6cb201290ffc904c246c8ef3e4
-SIZE (ssp_ipfw2.c.diff) = 1193
+MD5 (snortsam-src-2.68.tar.gz) = b01996727132d61dec8d95416d8f9f00
+SHA256 (snortsam-src-2.68.tar.gz) = 19719455d1b84ea3354a9362ae8d812a2241a623150ae10a2c2df13596340e98
+SIZE (snortsam-src-2.68.tar.gz) = 1971299
diff -Nru snortsam/files/patch-conf__snortsam.conf.sample snortsam/files/patch-conf__snortsam.conf.sample
--- snortsam/files/patch-conf__snortsam.conf.sample	1970-01-01 01:00:00.000000000 +0100
+++ snortsam/files/patch-conf__snortsam.conf.sample	2009-11-17 22:14:19.000000000 +0100
@@ -0,0 +1,18 @@
+--- ./conf/snortsam.conf.sample.orig	2009-11-08 23:34:43.000000000 +0100
++++ ./conf/snortsam.conf.sample	2009-11-11 19:49:45.000000000 +0100
+@@ -629,13 +629,13 @@
+ # 
+ # 
+ # 
+-# pf2 <anchor> <table> <kill> <log>
++# pf2 <anchor> <table> <kill>
+ #
+ #   This plugin will use an ioctl syscall to control the pf device in order to
+ #   block the host by adding the IP into a pf table. Additional active pf
+ #   states to/from the host will be killed.
+ #
+-#   Example: pf2 anchor=snortsam table=block kill=all log=1
++#   Example: pf2 anchor=snortsam table=block kill=all
+ #
+ #
+ #
diff -Nru snortsam/files/patch-docs__README.conf snortsam/files/patch-docs__README.conf
--- snortsam/files/patch-docs__README.conf	1970-01-01 01:00:00.000000000 +0100
+++ snortsam/files/patch-docs__README.conf	2009-11-17 22:14:19.000000000 +0100
@@ -0,0 +1,18 @@
+--- ./docs/README.conf.orig	2009-11-08 23:34:05.000000000 +0100
++++ ./docs/README.conf	2009-11-10 09:49:27.000000000 +0100
+@@ -629,13 +629,13 @@
+ 
+ 
+ 
+-pf2 <anchor> <table> <kill> <log>
++pf2 <anchor> <table> <kill>
+ 
+    This plugin will use an ioctl syscall to control the pf device in order to
+    block the host by adding the host IP into a pf table. Additional active pf
+    states to/from the host will be killed.
+ 
+-   Example: pf2 anchor=snortsam table=block kill=all log=1
++   Example: pf2 anchor=snortsam table=block kill=all
+ 
+ 
+ 
diff -Nru snortsam/files/patch-docs__README.pf2 snortsam/files/patch-docs__README.pf2
--- snortsam/files/patch-docs__README.pf2	1970-01-01 01:00:00.000000000 +0100
+++ snortsam/files/patch-docs__README.pf2	2009-11-17 22:14:19.000000000 +0100
@@ -0,0 +1,50 @@
+--- ./docs/README.pf2.orig	2009-11-08 23:34:23.000000000 +0100
++++ ./docs/README.pf2	2009-11-11 22:28:15.000000000 +0100
+@@ -19,7 +19,7 @@
+ 
+ OpenBSD > 4.0
+ FreeBSD > 6.0 with pf support (as module or compiled into the kernel)
+-NetBSD ? with pf support
++NetBSD ? with pf support (tested on NetBSD 5.0 i386)
+ 
+ 
+ 3. Options.
+@@ -42,35 +42,26 @@
+ kill=[string] default: kill=all
+ 
+  Kill the pf states from/to the IP address we receive to block,
+- else existing connections stay alive. If log is enabled, the
+- number of killed states will be logged.
++ else existing connections stay alive.
+  Valid options are:
+    all : kill all states to/from the IP address
+    dir : kill only states alerted with the direction
+    no  : kill no states, (keep existing connections open)
+ 
+ 
+-log=0/1 default: log=0
+-
+- If a IP is added/removed from a table snortsam will log a message in the
+- file given with the logfile statement configured in snortsam.conf.
+-
+-
+ Example pf2 config lines in snortsam.cfg:
+ ------------------------------------------
+-1) pf2 anchor=snortsam table=block log=1
++1) pf2 anchor=snortsam table=block
+    - the tables blockin and blockout inside the anchor snortsam will be used.
+    - kill all existing pf states from/to the IP address.
+-   - log event to the file specified as logfile in snortsam config.
+ 
+ 2) pf2 anchor=notused table=badguy kill=dir
+    - the tables badguyin and badguyout outside any anchor will be used.
+    - kill only existing pf states in the received direction.
+ 
+-3) pf2 log=1 anchor=none kill=no
++3) pf2 anchor=none kill=no
+    - tables blockin and blockout outside any anchor will be used.
+    - no pf states will be killed.
+-   - log event to the file specified as logfile in snortsam config.
+ 
+ 
+ pf.conf for examples above:
diff -Nru snortsam/files/patch-makesnortsam.sh snortsam/files/patch-makesnortsam.sh
--- snortsam/files/patch-makesnortsam.sh	2008-09-04 01:02:16.000000000 +0200
+++ snortsam/files/patch-makesnortsam.sh	1970-01-01 01:00:00.000000000 +0100
@@ -1,13 +0,0 @@
---- makesnortsam.sh.old	2008-08-03 00:04:24.000000000 -0300
-+++ makesnortsam.sh	2008-08-03 00:04:57.000000000 -0300
-@@ -11,8 +11,8 @@
- #        Under Solaris, the OPSEC stuff is linked dynamically.
- #        On other platforms, statically.
- 
--BSDTHREADLIB='-lc_r'
--#BSDTHREADLIB='-lpthread'
-+#BSDTHREADLIB='-lc_r'
-+BSDTHREADLIB='-lpthread'
- 
- systype=`uname`
- 
diff -Nru snortsam/files/patch-snortsam.h snortsam/files/patch-snortsam.h
--- snortsam/files/patch-snortsam.h	2008-09-04 01:02:16.000000000 +0200
+++ snortsam/files/patch-snortsam.h	1970-01-01 01:00:00.000000000 +0100
@@ -1,16 +0,0 @@
---- src/snortsam.h.old	2008-08-03 00:08:34.000000000 -0300
-+++ src/snortsam.h	2008-08-03 00:10:58.000000000 -0300
-@@ -178,10 +178,10 @@
- #define safecopy(dst,src)		_safecp(dst,sizeof(dst),src)
- 
- #ifdef WIN32
--#define FWSAMCONFIGFILE			"snortsam.cfg"
--#define FWSAMHISTORYFILE			"snortsam.sta"
-+#define FWSAMCONFIGFILE			"/usr/local/etc/snortsam.cfg"
-+#define FWSAMHISTORYFILE			"/var/db/snortsam.sta"
- #else
--#define FWSAMCONFIGFILE			"/etc/snortsam.conf"
-+#define FWSAMCONFIGFILE			"/usr/local/etc/snortsam.conf"
- #define FWSAMHISTORYFILE			"/var/db/snortsam.state"  
- #endif
- 
diff -Nru snortsam/files/patch-src__Makefile snortsam/files/patch-src__Makefile
--- snortsam/files/patch-src__Makefile	1970-01-01 01:00:00.000000000 +0100
+++ snortsam/files/patch-src__Makefile	2009-11-17 22:14:19.000000000 +0100
@@ -0,0 +1,35 @@
+--- ./src/Makefile.orig	2009-10-14 02:33:45.000000000 +0200
++++ ./src/Makefile	2009-11-17 21:57:30.000000000 +0100
+@@ -16,6 +16,14 @@
+ # uncomment for OPSEC support
+ #OPSEC  = -opsec
+ 
++# OpenBSD only: Default is now the new pf2 plugin.
++# To build the old pf plugin uncomment PFPLUGIN
++#PFPLUGIN = -DUSE_SSP_PF
++
++.if defined(DEBUG)
++DEBUG = -DFWSAMDEBUG
++.endif
++
+ # generic plugins for all builds
+ SSP_GENERIC = ssp_fwexec.o ssp_ciscoacl.o ssp_cisco_nullroute.o ssp_email.o \
+ 	      ssp_opsec.o ssp_fwsam.o ssp_pix.o ssp_netscreen.o ssp_wgrd.o \
+@@ -38,7 +46,7 @@
+ SYSTYPE = `uname`
+ 
+ # OS specific flags
+-OBSD_CFLAGS   = -DBSD
++OBSD_CFLAGS   = -DBSD ${PFPLUGIN}
+ OBSD_LDFLAGS  = -lpthread
+ BSD_CFLAGS    = -DBSD
+ BSD_LDFLAGS   = -lpthread
+@@ -150,7 +158,7 @@
+ 	$(CC) $(LDFLAGS) -o ../$(PROG) $(OBJS)
+ 
+ clean:
+-	rm -f ../$(PROG) *.o
++	rm -f ../$(PROG) ../${SAMTOOL} *.o
+ 
+ $(SAMTOOL): samtool.o twofish.o
+ 	case "$(SYSTYPE)" in \
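Review bot: `.if defined(DEBUG)` / `DEBUG = -DFWSAMDEBUG` is BSD make syntax inside a Makefile that upstream ships for several systems (the SYSTYPE/`case` logic in the same hunk), so this block is only valid as a port-local patch; a comment next to it would spare the next reader the guess, e.g. `# BSD make only (port-local patch): -DDEBUG on the command line becomes -DFWSAMDEBUG`. The hunk does not show where ${DEBUG} is appended to CFLAGS — presumably elsewhere in the file, worth confirming since the port's do-configure relies on it. The changed clean line mixes `${SAMTOOL}` with `$(PROG)`; `$(SAMTOOL)` would match the file's style.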
diff -Nru snortsam/files/patch-src__plugins.h snortsam/files/patch-src__plugins.h
--- snortsam/files/patch-src__plugins.h	1970-01-01 01:00:00.000000000 +0100
+++ snortsam/files/patch-src__plugins.h	2009-11-17 22:14:19.000000000 +0100
@@ -0,0 +1,30 @@
+--- ./src/plugins.h.orig	2009-11-08 23:52:16.000000000 +0100
++++ ./src/plugins.h	2009-11-15 22:19:21.000000000 +0100
+@@ -279,7 +279,8 @@
+ },
+ #endif
+ /* ------------------------------------------------------------ */
+-#if defined(OpenBSD)
++#ifdef USE_SSP_PF	
++#if defined(OpenBSD) || defined(FreeBSD) || defined(NetBSD)
+ /* PF Plugin */
+ {	NULL,
+ 	PFParse,
+@@ -294,7 +295,9 @@
+  	"3.5"
+ },
+ #endif
++#endif /* USE_SSP_PF */
+ /* ------------------------------------------------------------ */
++#ifndef USE_SSP_PF
+ #if defined(OpenBSD) || defined(FreeBSD) || defined(NetBSD)
+ /* PF2 Plugin */
+ {     NULL,
+@@ -310,6 +313,7 @@
+       "3.2"
+ },
+ #endif
++#endif  /* !USE_SSP_PF */
+ /* ------------------------------------------------------------ */
+ #ifdef FreeBSD
+ /* IPFW2 Plugin */
diff -Nru snortsam/files/patch-src__ssp_cisco_nullroute2.h snortsam/files/patch-src__ssp_cisco_nullroute2.h
--- snortsam/files/patch-src__ssp_cisco_nullroute2.h	1970-01-01 01:00:00.000000000 +0100
+++ snortsam/files/patch-src__ssp_cisco_nullroute2.h	2009-11-17 22:14:19.000000000 +0100
@@ -0,0 +1,16 @@
+--- ./src/ssp_cisco_nullroute2.h.orig	2009-10-14 02:33:45.000000000 +0200
++++ ./src/ssp_cisco_nullroute2.h	2009-11-15 23:51:34.000000000 +0100
+@@ -48,10 +48,9 @@
+ 
+ #define CNRPWLEN		50			/* Maximum password length */
+ #define CNRNETWAIT		20			/* Network timeout in sec */
+-#define RTAGVAL_LEN		10			/* Maximum length for route-tag */
+-#define RTAGVAL_MIN		1			/* Minimum value for route-tag */
+-#define RTAGVAL_MAX		4294967295		/* Maximum value for route-tag */
+-
++#define RTAGVAL_LEN		10UL			/* Maximum length for route-tag */
++#define RTAGVAL_MIN		1UL			/* Minimum value for route-tag */
++#define RTAGVAL_MAX		4294967295UL		/* Maximum value for route-tag */
+ 
+ typedef struct _cnr2data				/* List of Routers */
+ {	struct in_addr	ip;
diff -Nru snortsam/files/patch-src__ssp_pf.c snortsam/files/patch-src__ssp_pf.c
--- snortsam/files/patch-src__ssp_pf.c	1970-01-01 01:00:00.000000000 +0100
+++ snortsam/files/patch-src__ssp_pf.c	2009-11-17 22:14:19.000000000 +0100
@@ -0,0 +1,25 @@
+--- ./src/ssp_pf.c.orig	2009-11-08 23:38:48.000000000 +0100
++++ ./src/ssp_pf.c	2009-11-15 22:20:11.000000000 +0100
+@@ -34,10 +34,12 @@
+  * SnortSam will expire the blocks itself since PF does not have
+  * automatic time-out functionality.
+  *
+- * It Works on OpenBSD3_0, 3_1, 3_2, 3_3, 3_4 and FreeBSD-5.1.
++ * It Works on OpenBSD >= 3_3, and for FreeBSD >= 5.1.
++ * For newer *BSD versions use the PF2 plugin.
+  */
+ 
+-#ifdef OpenBSD
++#ifndef USE_SSP_PF
++#if defined(OpenBSD) || defined(FreeBSD) || defined(NetBSD)
+ 
+ #ifndef		__SSP_PF_C__
+ #define		__SSP_PF_C__
+@@ -636,5 +638,6 @@
+ 
+ #endif				/* __SSP_PF_C__ */
+ 
+-#endif                         /* OpenBSD */
++#endif                         /* OpenBSD || FreeBSD || NetBSD */
++#endif /* USE_SSP_PF */
+ 
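Review bot: The guard added as `#ifndef USE_SSP_PF` around the old PF plugin is inverted relative to patch-src__plugins.h in this same patch set, where the PFParse entry sits under `#ifdef USE_SSP_PF` and the PF2 entry under `#ifndef USE_SSP_PF`. As written, building with `-DUSE_SSP_PF` (the PFPLUGIN knob in the src/Makefile patch) compiles the PFParse body out while plugins.h still references it, and the default build compiles the old plugin on FreeBSD and NetBSD where it was previously OpenBSD-only. The same inversion is in patch-src__ssp_pf.h (`#ifndef USE_SSP_PF` before `__SSP_PF_H__`); both should read `#ifdef USE_SSP_PF`, which also matches their closing `#endif /* USE_SSP_PF */` comments.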
diff -Nru snortsam/files/patch-src__ssp_pf.h snortsam/files/patch-src__ssp_pf.h
--- snortsam/files/patch-src__ssp_pf.h	1970-01-01 01:00:00.000000000 +0100
+++ snortsam/files/patch-src__ssp_pf.h	2009-11-17 22:14:19.000000000 +0100
@@ -0,0 +1,30 @@
+--- ./src/ssp_pf.h.orig	2009-11-08 23:38:48.000000000 +0100
++++ ./src/ssp_pf.h	2009-11-15 22:18:07.000000000 +0100
+@@ -35,7 +35,8 @@
+ */
+ 
+ 
+-#ifdef OpenBSD
++#ifndef USE_SSP_PF
++#if defined(OpenBSD) || defined(FreeBSD) || defined(NetBSD)
+ 
+ #ifndef		__SSP_PF_H__
+ #define		__SSP_PF_H__
+@@ -47,9 +48,6 @@
+ #include <net/pfvar.h>
+ #include <sys/param.h>
+ 
+-/* Making New Code the default now. Please remove define on OpenBSD older
+-   than 3_3. */
+-#define USENEWCODE
+ 
+ typedef struct _pfdata
+ {
+@@ -84,5 +82,5 @@
+ 
+ #endif /* __SSP_PF_H__ */
+ 
+-#endif /* OpenBSD */
+-
++#endif /* OpenBSD || FreeBSD || NetBSD */
++#endif /* USE_SSP_PF */
diff -Nru snortsam/files/patch-src__ssp_pf2.c snortsam/files/patch-src__ssp_pf2.c
--- snortsam/files/patch-src__ssp_pf2.c	1970-01-01 01:00:00.000000000 +0100
+++ snortsam/files/patch-src__ssp_pf2.c	2009-11-17 22:14:19.000000000 +0100
@@ -0,0 +1,258 @@
+--- ./src/ssp_pf2.c.orig	2009-11-08 23:38:48.000000000 +0100
++++ ./src/ssp_pf2.c	2009-11-15 22:17:50.000000000 +0100
+@@ -40,6 +40,7 @@
+  * simplify it and make it portable.
+  */
+ 
++#ifndef USE_SSP_PF
+ #if defined(OpenBSD) || defined(FreeBSD) || defined(NetBSD)
+ 
+ #ifndef		__SSP_PF2_C__
+@@ -107,6 +108,7 @@
+    PF2DATA        *pfp = NULL;
+    char           msg[STRBUFSIZE + 2];
+    char           tbuf[PF_TABLE_NAME_SIZE];
++   int            pfdev;
+    opt_pf2        options[3]={
+ 	{"anchor", "", 1},
+ 	{"table",  "", 1},
+@@ -119,12 +121,12 @@
+ 
+     PF2val_count += 1;
+     if (PF2val_count > 1) {
+-	snprintf(msg, sizeof(msg) - 1, "Error: [%s: %lu] line ignored ! More than one pf2 statements configured.", file, line);
++	snprintf(msg, sizeof(msg) - 1, "Info: [%s: %lu] line ignored ! More than one pf2 statements configured.", file, line);
+ 	logmessage(1, msg, "pf2", 0);
+ 	return;
+     }
+ 
+-   if (*val)
++   if (val != NULL && *val)
+      {
+ 	if(parse_opts(val, options, " \t", "=", (sizeof(options)/sizeof(opt_pf2)))<0)
+ 	  {
+@@ -157,8 +159,11 @@
+ 	     safecopy(pfp->anchorname, options[PF2_OPT_ANCHOR].v.value_s);	/* save anchorname */
+ 	     /* if PF2use_anchor == FALSE then tables from the main pf section will be used */
+ 	     if ((strncmp(options[PF2_OPT_ANCHOR].v.value_s, "notused", MAX_OPT_VALUE)==0) ||
+-		(strncmp(options[PF2_OPT_ANCHOR].v.value_s, "none", MAX_OPT_VALUE)==0))
++		(strncmp(options[PF2_OPT_ANCHOR].v.value_s, "none", MAX_OPT_VALUE)==0)) {
+ 		 PF2use_anchor = FALSE;
++		 /* If anchor is not used, wipe none/notused with zeros */
++		 bzero(&(pfp->anchorname), sizeof(pfp->anchorname));
++	     }
+ 	  }
+ 
+ 	/* Check Table */
+@@ -202,6 +207,30 @@
+ 	logmessage(1, msg, "pf2", 0);
+     }
+ 
++
++    /* check if we can open PFDEV, else disable the plugin */
++    pfdev = open(PFDEV, O_RDWR);
++    if (pfdev == -1) {
++	snprintf(msg, sizeof(msg) - 1, "Error: cannot open device \"%s\" ! PF2 Plugin disabled.", PFDEV);
++	logmessage(1, msg, "pf2", 0);
++	free(pfp);
++	plugindatalist->data=NULL;
++	return;
++    }
++
++    /*
++     * check if anchor and tables exist.
++     * We could disable the plugin if anchor/tables do not exist, but we will throw an error
++     * showing what is missing at start time and for every block/unblock request.
++     */
++    if(PF2use_anchor)
++	lookup_anchor(pfdev, pfp->anchorname);
++    lookup_table(pfdev, pfp->tablein,  pfp->anchorname);
++    lookup_table(pfdev, pfp->tableout, pfp->anchorname);
++
++    if(pfdev)
++	close(pfdev);
++
+ #ifdef FWSAMDEBUG
+     printf("Debug: [pf2] Adding PF: \n");
+     printf("\tanchor=%s\n\ttables=%s,%s\n\tkill=%s\n",
+@@ -258,7 +287,8 @@
+ 	/* open the pf device */
+ 	pfdev = open(PFDEV, O_RDWR);
+ 	if (pfdev == -1) {
+-		logmessage(1, "Error: cannot open packet filter device", "pf2", 0);
++		snprintf(msg, sizeof(msg) - 1, "Error: cannot open device %s", PFDEV);
++		logmessage(1, msg, "pf2", 0);
+ 		return;
+ 	}
+ 
+@@ -267,7 +297,7 @@
+ 	    return;
+ 	}
+ 
+-	if(!status.running) {
++	if (!status.running) {
+ 	    /* even pf is not enabled, we can add IP's to pf tables if they exist */
+ 	    logmessage(1, "Info: pf is not enabled", "pf2", 0);
+ 	}
+@@ -279,9 +309,11 @@
+ 		logmessage(3, msg, "pf2", 0);
+ 
+ 		if (tin)
++		    if ( lookup_table(pfdev, pfp->tablein, pfp->anchorname)==0 )
+ 			change_table(pfdev, 1, pfp->tablein, pfp->anchorname, ipsrc);
+ 
+ 		if (tout)
++		    if ( lookup_table(pfdev, pfp->tableout, pfp->anchorname)==0 )
+ 			change_table(pfdev, 1, pfp->tableout, pfp->anchorname, ipsrc);
+ 		
+ 		/* kill PF states after IP is placed in table */
+@@ -294,9 +326,11 @@
+ 		logmessage(3, msg, "pf2", 0);
+ 
+ 		if (tin)
++		    if ( lookup_table(pfdev, pfp->tablein, pfp->anchorname)==0 )
+ 			change_table(pfdev, 0, pfp->tablein, pfp->anchorname, ipsrc);
+ 
+ 		if (tout)
++		    if ( lookup_table(pfdev, pfp->tableout, pfp->anchorname)==0 )
+ 			change_table(pfdev, 0, pfp->tableout, pfp->anchorname, ipsrc);
+ 	}
+ 	close(pfdev);
+@@ -348,6 +382,7 @@
+ 	return (0);
+ }
+ 
++
+ /* Kill ipsrc state(s) from PF statefull table, so we can catch the IP with the
+  * configured tables. If states are not killed existing connections stay open as
+  * long they have a valid entry in the PF state.
+@@ -360,7 +395,7 @@
+     struct pf_addr pfa;
+     struct pfioc_state_kill psk;
+     sa_family_t saf;        /* stafe AF_INET family */
+-    int killed=0, killed_src=0, killed_dst=0;
++    unsigned long killed=0, killed_src=0, killed_dst=0;
+ 
+     bzero(&pfa, sizeof(pfa));
+     bzero(&psk, sizeof(psk));
+@@ -387,9 +422,13 @@
+ 	    logmessage(1, msg, "pf2", 0);
+ 	}
+ 	else {
++#if OpenBSD >= 200811 /* since OpenBSD4_4 killed states returned in psk_killed */
++	    killed_src += psk.psk_killed;
++#else
+ 	    killed_src += psk.psk_af;
++#endif
+ #ifdef FWSAMDEBUG
+-	    printf("Debug: [pf2] killed %d (tin) states for host %s\n", psk.psk_af, ipsrc);
++	    printf("Debug: [pf2] killed %lu (tin) states for host %s\n", killed_src, ipsrc);
+ #endif
+ 	}
+     psk.psk_af = saf; /* restore AF_INET */
+@@ -397,7 +436,7 @@
+ 
+     /* Kill all states to pfa */
+     if (tout || PF2_KILL_STATE_ALL) {
+-	bzero(&psk.psk_src, sizeof(psk.psk_src));  /* clear source address field set before for incomming */
++	bzero(&psk.psk_src, sizeof(psk.psk_src));  /* clear source address field (set before for incomming) */
+ 	memcpy(&psk.psk_dst.addr.v.a.addr, &pfa, sizeof(psk.psk_dst.addr.v.a.addr));
+ 	memset(&psk.psk_dst.addr.v.a.mask, 0xff, sizeof(psk.psk_dst.addr.v.a.mask));
+ 	if (ioctl(pfdev, DIOCKILLSTATES, &psk)) {
+@@ -405,22 +444,90 @@
+ 	    logmessage(1, msg, "pf2", 0);
+ 	}
+ 	else {
++#if OpenBSD >= 200811 /* since OpenBSD4_4 killed states returned in psk_killed */
++	    killed_dst += psk.psk_killed;
++#else
+ 	    killed_dst += psk.psk_af;
++#endif
+ #ifdef FWSAMDEBUG
+-	    printf("Debug: [pf2] killed %d (tout) states for host %s\n", psk.psk_af, ipsrc);
++	    printf("Debug: [pf2] killed %lu (tout) states for host %s\n", killed_dst, ipsrc);
+ #endif
+ 	}
+     }
+-    snprintf(msg, sizeof(msg) - 1, "Info: Blocking ip %s", ipsrc);
+-    logmessage(3, msg, "pf2", 0);
+ 
+-    snprintf(msg, sizeof(msg) - 1, "Info: Killed %d PF state(s) (in: %d, out: %d) for host %s",
+-	killed_src + killed_dst, killed_src, killed_dst, ipsrc);
+-    logmessage(3, msg, "pf2", 0);
++    if ((killed_src + killed_dst)>0) {
++	    snprintf(msg, sizeof(msg) - 1, "Info: Killed %lu PF state(s) (in: %lu, out: %lu) for host %s",
++		killed_src + killed_dst, killed_src, killed_dst, ipsrc);
++	    logmessage(3, msg, "pf2", 0);
++    }
+     return(0);
+ } /* pf2_kill_states */
+ 
++
++/* check if anchor exist */
++int
++lookup_anchor(int dev, const char *anchorname)
++{
++    struct pfioc_ruleset pr;
++    char   msg[STRBUFSIZE + 2];
++
++    bzero(&pr, sizeof(pr));
++    strlcpy(pr.path, anchorname, sizeof(pr.path));
++    if (ioctl(dev, DIOCGETRULESETS, &pr)) {
++        if (errno == EINVAL){
++            snprintf(msg, sizeof(msg) - 1, "Error: anchor \"%s\" not found", anchorname);
++            logmessage(1, msg, "pf2", 0);
++            return (-1);
++        }
++    }
++#ifdef FWSAMDEBUG
++    printf("Debug: [pf2] lookup_anchor: found anchor %s\n", anchorname);
++#endif
++    return (0);
++}
++
++
++/* check if table exist */
++int
++lookup_table(int dev, const char *tablename, const char *anchorname)
++{
++    struct pfioc_table io;
++    struct pfr_table table;
++    struct pfr_addr pfa;
++    char   msg[STRBUFSIZE + 2];
++
++    if (strlen(tablename) == 0)
++        return(-1);
++
++    bzero(&io, sizeof(io));
++    bzero(&table, sizeof(table));
++    bzero(&pfa, sizeof(pfa));
++
++    strlcpy(table.pfrt_anchor, anchorname, sizeof(table.pfrt_anchor));
++    strlcpy(table.pfrt_name, tablename, sizeof(table.pfrt_name));
++
++    io.pfrio_table = table;
++    io.pfrio_esize = sizeof(pfa);
++
++#ifdef FWSAMDEBUG
++    printf("Debug: [pf2] lookup_table: anchor=%s table=%s\n", io.pfrio_table.pfrt_anchor, io.pfrio_table.pfrt_name);
++#endif
++
++    if (ioctl(dev, DIOCRGETADDRS, &io)) {
++        snprintf(msg, sizeof(msg) - 1, "Error: table \"%s\" not found, anchor=%s table=%s",
++            io.pfrio_table.pfrt_name, io.pfrio_table.pfrt_anchor, io.pfrio_table.pfrt_name);
++        logmessage(1, msg, "pf2", 0);
++        return(-1);
++    }
++
++#ifdef FWSAMDEBUG
++    printf("Debug: [pf2] table \"%s\" contains [%d] entries\n", io.pfrio_table.pfrt_name, io.pfrio_size);
++#endif
++    return(0);
++}
++
+ #endif				/* __SSP_PF2_C__ */
+ 
+ #endif /* OpenBSD || FreeBSD || NetBSD */
++#endif /* !USE_SSP_PF */
+ /* vim: set ts=8 sw=4: */
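Review bot: The new lookup_anchor() reports success for any DIOCGETRULESETS failure other than EINVAL: the error branch only handles `errno == EINVAL`, so a failed ioctl with another errno falls through, prints the FWSAMDEBUG "found anchor" line and returns 0, and the start-up check then silently passes. Every ioctl failure should be logged and returned as -1, keeping the "not found" wording for EINVAL; the rewritten block is below (it assumes strerror()/<string.h> is available alongside the errno use already in the function — confirm). Two smaller points in the same hunk: `if(pfdev) close(pfdev);` after the lookup calls should simply be `close(pfdev);`, since -1 was already returned above and descriptor 0 is a valid fd; and the new `if (tin) if ( lookup_table(...)==0 ) change_table(...)` pairs in PF2Block would read more safely as one `&&` condition with braces.
```c
int
lookup_anchor(int dev, const char *anchorname)
{
    /* … unchanged: pr/msg declarations, bzero, strlcpy … */
    if (ioctl(dev, DIOCGETRULESETS, &pr)) {
        if (errno == EINVAL)
            snprintf(msg, sizeof(msg) - 1, "Error: anchor \"%s\" not found", anchorname);
        else
            snprintf(msg, sizeof(msg) - 1, "Error: anchor \"%s\" lookup failed: %s", anchorname, strerror(errno));
        logmessage(1, msg, "pf2", 0);
        return (-1);
    }
    /* … unchanged: FWSAMDEBUG print and return (0) … */
```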
diff -Nru snortsam/files/patch-src__ssp_pf2.h snortsam/files/patch-src__ssp_pf2.h
--- snortsam/files/patch-src__ssp_pf2.h	1970-01-01 01:00:00.000000000 +0100
+++ snortsam/files/patch-src__ssp_pf2.h	2009-11-17 22:14:19.000000000 +0100
@@ -0,0 +1,24 @@
+--- ./src/ssp_pf2.h.orig	2009-11-08 23:38:48.000000000 +0100
++++ ./src/ssp_pf2.h	2009-11-15 22:18:34.000000000 +0100
+@@ -35,6 +35,7 @@
+  *
+  */
+ 
++#ifndef USE_SSP_PF
+ #if defined(OpenBSD) || defined(FreeBSD) || defined(NetBSD)
+ 
+ #ifndef		__SSP_PF2_H__
+@@ -77,9 +78,11 @@
+ 
+ void PF2Parse(char *,char *,unsigned long,DATALIST *);
+ void PF2Block(BLOCKINFO *, void *,unsigned long);
+-int pf2_kill_states(int, const char *, int, int );
++int pf2_kill_states(int, const char *, int, int);
++int lookup_anchor(int, const char *);
++int lookup_table(int, const char *, const char *);
+ 
+ #endif /* __SSP_PF2_H__ */
+ 
+ #endif /* OpenBSD || FreeBSD || NetBSD */
+-
++#endif /* !USE_SSP_PF */
diff -Nru snortsam/files/pkg-message-snortsam snortsam/files/pkg-message-snortsam
--- snortsam/files/pkg-message-snortsam	2008-09-04 01:02:16.000000000 +0200
+++ snortsam/files/pkg-message-snortsam	1970-01-01 01:00:00.000000000 +0100
@@ -1,10 +0,0 @@
-
-============================================================
-NOTE:	Make sure that your SNORT installation it is defined
-	output plugin SNORTSAM for don't cause errors while
-	building SNORTSAM system. If exists some OLD SNORT
-	installation WITHOUT supports for interaction between
-	SNORT and SNORTSAM. PLEASE reconfigure WITH that this
-	feature and rebuild a new installation.
-=============================================================
-
diff -Nru snortsam/files/pkg-message.in snortsam/files/pkg-message.in
--- snortsam/files/pkg-message.in	1970-01-01 01:00:00.000000000 +0100
+++ snortsam/files/pkg-message.in	2009-11-25 23:03:27.000000000 +0100
@@ -0,0 +1,16 @@
+================================================================
+NOTE:   SNORT have to be build with OPTION SNORTSAM.
+
+	To enable snortsam as output plugin for snort a config
+	line like the follwing shoud be present in snort.conf
+
+	  output alert_fwsam: <snortsambox>:<port>/<password>
+
+	With samtool it is possible to send alerts to snortsam,
+	this way you can adjust and test your FW rules.
+
+        For more information read the INSTALL, FAQ and
+        README files in %%DOCSDIR%%
+
+==============================================================
+
diff -Nru snortsam/files/ssp_ipfw2_no_table_check.patch snortsam/files/ssp_ipfw2_no_table_check.patch
--- snortsam/files/ssp_ipfw2_no_table_check.patch	1970-01-01 01:00:00.000000000 +0100
+++ snortsam/files/ssp_ipfw2_no_table_check.patch	2009-11-25 20:43:36.000000000 +0100
@@ -0,0 +1,18 @@
+--- src/ssp_ipfw2.c.orig	2008-04-26 21:53:21.000000000 +0200
++++ src/ssp_ipfw2.c	2009-11-14 22:03:41.000000000 +0100
+@@ -91,6 +91,7 @@
+ 				}
+ 			}
+ 		}
++#if defined(ENABLE_IPFW_TABLE_CHECK)
+ 		/* Check if inbound table exists */
+ 		snprintf(chk,sizeof(chk)-1,"/sbin/ipfw show | grep -q \"deny ip from any to table(%u) via %s\"",ipfw2p->in_table,ipfw2p->interface);
+ 		if(system(chk))
+@@ -110,6 +111,7 @@
+ 			}
+ 		}
+ 				
++#endif	/* ENABLE_IPFW_TABLE_CHECK */
+ #ifdef FWSAMDEBUG
+ 		if(plugindatalist->data)
+ 			printf("Debug: [ipfw2] Adding IPFW2: i/f '%s', tables %u (in) and %u (out)\n", ipfw2p->interface, ipfw2p->in_table,ipfw2p->out_table);
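Review bot: Nothing in this patch set defines ENABLE_IPFW_TABLE_CHECK, so once the patch is applied (WITHOUT_IPFW in the port Makefile) the table check between the new `#if` and `#endif` is compiled out unconditionally; the macro name reads like an opt-in switch that does not exist. A comment on the `#if` would stop a reader searching for it, e.g. `/* never defined by the port: WITHOUT_IPFW removes the ipfw(8) table check entirely */`. The guarded block is the existing code that builds a shell command from the configured interface string and runs it through system(), so the option also decides whether that shell-out happens at all — worth stating in the OPTIONS description in the port Makefile. The enclosing function starts and ends outside the hunk.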
diff -Nru snortsam/pkg-descr snortsam/pkg-descr
--- snortsam/pkg-descr	2008-09-04 01:02:16.000000000 +0200
+++ snortsam/pkg-descr	2009-11-25 21:22:51.000000000 +0100
@@ -1,5 +1,6 @@
-SnortSam is a plugin for Snort, an open-source light-weight
-Intrusion Detection System (IDS). The plugin allows for
-automated blocking of IP addresses on many firewalls.
+SnortSam is an intelligent agent that allows the popular
+open-source Intrusion Detection System called Snort to block
+intruding connections by reconfiguration of many firewalls
+and Cisco devices.
 
 WWW: http://www.snortsam.net
--- patch_snortsam-2.68.txt ends here ---
>Release-Note:
>Audit-Trail:
>Unformatted:


