From patchwork Thu Mar 14 21:26:00 2019
X-Patchwork-Submitter: Fabrice Fontaine
X-Patchwork-Id: 1056712
From: Fabrice Fontaine
To: buildroot@buildroot.org
Cc: Fabrice Fontaine
Date: Thu, 14 Mar 2019 22:26:00 +0100
Message-Id: <20190314212600.20918-2-fontaine.fabrice@gmail.com>
In-Reply-To: <20190314212600.20918-1-fontaine.fabrice@gmail.com>
References: <20190314212600.20918-1-fontaine.fabrice@gmail.com>
Subject: [Buildroot] [PATCH 2/2] package/suricata: new package

Suricata is a free and open source, mature, fast and robust network threat detection engine.

The Suricata engine is capable of real time intrusion detection (IDS), inline intrusion prevention (IPS), network security monitoring (NSM) and offline pcap processing.

https://suricata-ids.org

Signed-off-by: Fabrice Fontaine
--- DEVELOPERS | 1 + package/Config.in | 1 + package/suricata/Config.in | 22 +++++++ package/suricata/S99suricata | 39 ++++++++++++ package/suricata/suricata.hash | 6 ++ package/suricata/suricata.mk | 131 ++++++++++++++++++++++++++++++++++++++ package/suricata/suricata.service | 13 ++++ 7 files changed, 213 insertions(+) create mode 100644 package/suricata/Config.in create mode 100644 package/suricata/S99suricata create mode 100644 package/suricata/suricata.hash create mode 100644 package/suricata/suricata.mk create mode 100644 package/suricata/suricata.service diff --git a/DEVELOPERS b/DEVELOPERS index 24737b858f..a9bec63849 100644 --- a/DEVELOPERS +++ b/DEVELOPERS 
@@ -818,6 +818,7 @@ F: package/oprofile/ F: package/pcmanfm/ F: package/rygel/ F: package/safeclib/ +F: package/suricata/ F: package/tinycbor/ F: package/tinydtls/ F: package/tinymembench/ diff --git a/package/Config.in b/package/Config.in index bb57afab08..4538ac8307 100644 --- a/package/Config.in +++ b/package/Config.in @@ -2018,6 +2018,7 @@ endif source "package/sslh/Config.in" source "package/strongswan/Config.in" source "package/stunnel/Config.in" + source "package/suricata/Config.in" source "package/tcpdump/Config.in" source "package/tcping/Config.in" source "package/tcpreplay/Config.in" diff --git a/package/suricata/Config.in b/package/suricata/Config.in new file mode 100644 index 0000000000..2add34956e --- /dev/null +++ b/package/suricata/Config.in @@ -0,0 +1,22 @@ +config BR2_PACKAGE_SURICATA + bool "suricata" + depends on BR2_USE_MMU # fork() + depends on BR2_USE_WCHAR + depends on BR2_TOOLCHAIN_HAS_THREADS + select BR2_PACKAGE_LIBHTP + select BR2_PACKAGE_LIBPCAP + select BR2_PACKAGE_LIBYAML + select BR2_PACKAGE_PCRE + help + Suricata is a free and open source, mature, fast and robust + network threat detection engine. + + The Suricata engine is capable of real time intrusion + detection (IDS), inline intrusion prevention (IPS), network + security monitoring (NSM) and offline pcap processing. + + https://suricata-ids.org + +comment "suricata needs a toolchain w/ wchar, threads" + depends on BR2_USE_MMU + depends on !BR2_USE_WCHAR || !BR2_TOOLCHAIN_HAS_THREADS diff --git a/package/suricata/S99suricata b/package/suricata/S99suricata new file mode 100644 index 0000000000..35a034b179 --- /dev/null +++ b/package/suricata/S99suricata 
@@ -0,0 +1,39 @@ +#!/bin/sh + +NAME=suricata +PIDFILE=/var/run/$NAME.pid +DAEMON=/usr/bin/$NAME +DAEMON_ARGS="-c /etc/suricata/suricata.yaml -i eth0" + +start() { + printf "Starting $NAME: " + mkdir -p /var/log/suricata + start-stop-daemon -S -q -m -b -p $PIDFILE --exec $DAEMON -- $DAEMON_ARGS + [ $? = 0 ] && echo "OK" || echo "FAIL" +} +stop() { + printf "Stopping $NAME: " + start-stop-daemon -K -q -p $PIDFILE + [ $? = 0 ] && echo "OK" || echo "FAIL" +} +restart() { + stop + start +} + +case "$1" in + start) + start + ;; + stop) + stop + ;; + restart|reload) + restart + ;; + *) + echo "Usage: $0 {start|stop|restart}" + exit 1 +esac + +exit $? diff --git a/package/suricata/suricata.hash b/package/suricata/suricata.hash new file mode 100644 index 0000000000..44ada0115a --- /dev/null +++ b/package/suricata/suricata.hash @@ -0,0 +1,6 @@ +# Locally computed: +sha256 6cda6c80b753ce36483c6be535358b971f3890b9aa27a58c2d2f7e89dd6c6aa0 suricata-4.1.3.tar.gz + +# Hash for license files: +sha256 8177f97513213526df2cf6184d8ff986c675afb514d4e68a404010521b880643 COPYING +sha256 8177f97513213526df2cf6184d8ff986c675afb514d4e68a404010521b880643 LICENSE diff --git a/package/suricata/suricata.mk b/package/suricata/suricata.mk new file mode 100644 index 0000000000..4b1e90435a --- /dev/null +++ b/package/suricata/suricata.mk 
@@ -0,0 +1,131 @@ +################################################################################ +# +# suricata +# +################################################################################ + +SURICATA_VERSION = 4.1.3 +SURICATA_SITE = https://www.openinfosecfoundation.org/download +SURICATA_LICENSE = GPL-2.0 +SURICATA_LICENSE_FILES = COPYING LICENSE + +SURICATA_DEPENDENCIES = \ + host-pkgconf \ + $(if $(BR2_PACKAGE_JANSSON),jansson) \ + $(if $(BR2_PACKAGE_LIBCAP_NG),libcap-ng) \ + $(if $(BR2_PACKAGE_LIBEVENT),libevent) \ + libhtp \ + $(if $(BR2_PACKAGE_LIBNFNETLINK),libnfnetlink) \ + libpcap \ + libyaml \ + $(if $(BR2_PACKAGE_LZ4),lz4) \ + $(if $(BR2_PACKAGE_LZMA),lzma) \ + pcre + +SURICATA_CONF_OPTS = \ + --disable-pie \ + --disable-rust \ + --disable-suricata-update \ + --enable-non-bundled-htp + +# install: install binaries +# install-conf: install initial configuration files +# install-full: install binaries, configuration and rules (rules will be +# download through wget/curl) +SURICATA_INSTALL_TARGET_OPTS = DESTDIR=$(TARGET_DIR) install install-conf + +ifeq ($(BR2_PACKAGE_FILE),y) +SURICATA_DEPENDENCIES += file +SURICATA_CONF_OPTS += --enable-libmagic +else +SURICATA_CONF_OPTS += --disable-libmagic +endif + +ifeq ($(BR2_PACKAGE_GEOIP),y) +SURICATA_DEPENDENCIES += geoip +SURICATA_CONF_OPTS += --enable-geoip +else +SURICATA_CONF_OPTS += --disable-geoip +endif + +ifeq ($(BR2_PACKAGE_HIREDIS),y) +SURICATA_DEPENDENCIES += hiredis +SURICATA_CONF_OPTS += --enable-hiredis +else +SURICATA_CONF_OPTS += --disable-hiredis +endif + +ifeq ($(BR2_PACKAGE_LIBNET),y) +SURICATA_DEPENDENCIES += libnet +SURICATA_CONF_OPTS += --with-libnet-includes=$(STAGING_DIR)/usr/include +endif + +ifeq ($(BR2_PACKAGE_LIBNETFILTER_LOG),y) +SURICATA_DEPENDENCIES += libnetfilter_log +SURICATA_CONF_OPTS += --enable-nflog +else +SURICATA_CONF_OPTS += --disable-nflog +endif + +ifeq ($(BR2_PACKAGE_LIBNETFILTER_QUEUE),y) +SURICATA_DEPENDENCIES += libnetfilter_queue +SURICATA_CONF_OPTS += 
--enable-nfqueue +else +SURICATA_CONF_OPTS += --disable-nfqueue +endif + +ifeq ($(BR2_PACKAGE_LIBNSPR),y) +SURICATA_DEPENDENCIES += libnspr +SURICATA_CONF_OPTS += --enable-nspr +else +SURICATA_CONF_OPTS += --disable-nspr +endif + +ifeq ($(BR2_PACKAGE_LIBNSS),y) +SURICATA_DEPENDENCIES += libnss +SURICATA_CONF_OPTS += --enable-nss +else +SURICATA_CONF_OPTS += --disable-nss +endif + +ifeq ($(BR2_PACKAGE_LUA),y) +SURICATA_CONF_OPTS += --enable-lua +SURICATA_DEPENDENCIES += lua +else +SURICATA_CONF_OPTS += --disable-lua +endif + +ifeq ($(BR2_PACKAGE_LUAJIT),y) +SURICATA_CONF_OPTS += --enable-luajit +SURICATA_DEPENDENCIES += luajit +else +SURICATA_CONF_OPTS += --disable-luajit +endif + +ifeq ($(BR2_PACKAGE_PYTHON),y) +SURICATA_CONF_OPTS += --enable-python +SURICATA_DEPENDENCIES += python +else +SURICATA_CONF_OPTS += --disable-python +endif + +ifeq ($(BR2_TOOLCHAIN_HAS_SSP),y) +SURICATA_CONF_OPTS += --enable-gccprotect +else +SURICATA_CONF_OPTS += --disable-gccprotect +endif + +define SURICATA_INSTALL_INIT_SYSV + $(INSTALL) -D -m 0755 package/suricata/S99suricata \ + $(TARGET_DIR)/etc/init.d/S99suricata +endef + +define SURICATA_INSTALL_INIT_SYSTEMD + $(INSTALL) -D -m 644 package/suricata/suricata.service \ + $(TARGET_DIR)/usr/lib/systemd/system/suricata.service + mkdir -p $(TARGET_DIR)/etc/systemd/system/multi-user.target.wants + ln -sf ../../../../usr/lib/systemd/system/suricata.service \ + $(TARGET_DIR)/etc/systemd/system/multi-user.target.wants/suricata.service +endef + +$(eval $(autotools-package)) diff --git a/package/suricata/suricata.service b/package/suricata/suricata.service new file mode 100644 index 0000000000..ca0be02dae --- /dev/null +++ b/package/suricata/suricata.service 
@@ -0,0 +1,13 @@ +[Unit] +Description=Suricata Intrusion Detection Service +After=network.target + +[Service] +ExecStartPre=/bin/rm -f /var/run/suricata.pid +ExecStartPre=/usr/bin/mkdir -p /var/log/suricata +ExecStart=/usr/bin/suricata -c /etc/suricata/suricata.yaml -i eth0 --pidfile /var/run/suricata.pid +ExecReload=/bin/kill -USR2 $MAINPID +Restart=always + +[Install] +WantedBy=multi-user.target
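
Review bot: In package/suricata/S99suricata, DAEMON_ARGS hard-codes `-i eth0`, so on a target whose capture interface has another name the sensor is started against the wrong or a missing interface, and the only way to change it is to edit the installed script. Consider sourcing an optional defaults file (for example /etc/default/suricata) before DAEMON_ARGS is used, so the interface and config path can be overridden per board. Minor: the case statement accepts `restart|reload` while the usage string lists only start|stop|restart, and stop() leaves $PIDFILE in place.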
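
Review bot: In package/suricata/suricata.hash, the tarball entry is marked "Locally computed", which only pins whatever the submitter downloaded from SURICATA_SITE; if upstream publishes a signature or checksum for suricata-4.1.3.tar.gz, verify the archive against it and record that in the comment. The COPYING and LICENSE entries carry the same sha256, so the two files are identical and listing one of them in SURICATA_LICENSE_FILES would be enough.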
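
Review bot: In package/suricata/suricata.mk, SURICATA_CONF_OPTS passes `--disable-pie` unconditionally and without a comment, so a daemon that parses untrusted network traffic is built without position-independent executable support; please state why it is required or drop it, and give `--disable-rust` and `--disable-suricata-update` the same one-line justification. jansson, libcap-ng, libevent, libnfnetlink, lz4 and lzma are added to SURICATA_DEPENDENCIES through $(if ...) but, unlike the ifeq blocks further down, have no explicit configure option, so whether they are used is left to configure auto-detection. Since libcap-ng is only optional and neither start-up file sets a user, it is worth saying whether privilege dropping is expected to work on the target. Typo in the install comment: "rules will be download" should read "downloaded".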
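
Review bot: In package/suricata/suricata.service, the [Service] section sets no User= and no sandboxing directives, so a process that inspects untrusted traffic runs as unrestricted root; consider at least NoNewPrivileges=yes, ProtectSystem= and a CapabilityBoundingSet= limited to what packet capture needs. ExecStart hard-codes `-i eth0` just as the init script does, so the same override concern applies here (an EnvironmentFile= would cover it). The two ExecStartPre lines also mix /bin/rm with /usr/bin/mkdir; pick one prefix for consistency.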