I'm currently working on a VM image of FreeBSD 6.0 with the components needed for a demonstration Sguil sensor, server, and database deployment. I'm using a minimal FreeBSD installation; /usr, for example, began at 100 MB.
I intend to install as many Sguil components as possible using precompiled packages. Unfortunately, the Barnyard package used to read Snort unified output spool files does not contain support for the latest version of Sguil. To deal with this problem, I am creating a custom Sguil package.
I'm not building the package on the host that will eventually run Barnyard. That host, gruden, does not have a compiler and other development tools. Instead I'm working on the package on another FreeBSD 6.0/i386 host, sguilref. First I see what packages Barnyard needs to build.
sguilref:/usr/ports/security/barnyard# make pretty-print-build-depends-list
This port requires package(s) "autoconf-2.59_2 m4-1.4.3 perl-5.8.7" to build.
I know sguilref has these packages already installed, so I am ready to start. First I retrieve the source code with 'make fetch'.
sguilref:/usr/ports/security/barnyard# make fetch
===> WARNING: Vulnerability database out of date, checking anyway
===> Found saved configuration for barnyard-0.2.0
=> barnyard-0.2.0.tar.gz doesn't seem to exist in /usr/ports/distfiles/.
=> Attempting to fetch from http://heanet.dl.sourceforge.net/sourceforge/barnyard/.
barnyard-0.2.0.tar.gz 100% of 157 kB 107 kBps
Now I extract it.
sguilref:/usr/ports/security/barnyard# make extract
===> WARNING: Vulnerability database out of date, checking anyway
===> Found saved configuration for barnyard-0.2.0
===> Extracting for barnyard-0.2.0
=> MD5 Checksum OK for barnyard-0.2.0.tar.gz.
=> No SHA256 checksum recorded for barnyard-0.2.0.tar.gz.
At this point I need to edit the Makefile. I make a copy called Makefile.orig for reference. Then I edit the Makefile to include a new option, WITH_SGUIL, that I will be able to use when invoking 'make'. You can see the contents of the new Makefile with the diff command.
sguilref:/usr/ports/security/barnyard# diff -u Makefile.orig Makefile
--- Makefile.orig Wed Dec 28 11:30:24 2005
+++ Makefile Wed Dec 28 11:34:05 2005
@@ -18,7 +18,8 @@
RUN_DEPENDS= ${LOCALBASE}/bin/snort:${PORTSDIR}/security/snort
OPTIONS= MYSQL "Enable MySQL support" off - POSTGRESQL "Enable PostgreSQL support" off
+ POSTGRESQL "Enable PostgreSQL support" off + SGUIL "Enable Sguil support" off
USE_AUTOCONF_VER= 259
USE_AUTOHEADER_VER= 259
@@ -43,6 +44,11 @@
.if defined(WITH_POSTGRESQL)
USE_PGSQL= yes
CONFIGURE_ARGS+= --enable-postgres
+.endif
+
+.if defined(WITH_SGUIL)
+USE_SGUIL= yes
+CONFIGURE_ARGS+= --enable-tcl --with-tcl=/usr/local/lib/tcl8.4
.endif
post-patch:
Now I am ready to copy the patches from my Sguil source distribution.
sguilref:/usr/ports/security/barnyard# cd work/barnyard-0.2.0
sguilref:/usr/ports/security/barnyard/work/barnyard-0.2.0# cp
/usr/local/src/sguil-0.6.0p1/sensor/barnyard_mods/op_sguil.* src/output-plugins/
sguilref:/usr/ports/security/barnyard/work/barnyard-0.2.0# cp
/usr/local/src/sguil-0.6.0p1/sensor/barnyard_mods/configure.in .
Now I can apply those patches.
sguilref:/usr/ports/security/barnyard/work/barnyard-0.2.0# cd src/output-plugins/
sguilref:/usr/ports/security/barnyard/work/barnyard-0.2.0/src/output-plugins# patch
-p0 < /usr/local/src/sguil-0.6.0p1/sensor/barnyard_mods/op_plugbase.c.patch
Hmm... Looks like a new-style context diff to me...
The text leading up to this was:
--------------------------
|*** op_plugbase.c.old Sun Mar 28 18:14:19 2004
|--- op_plugbase.c Mon Apr 4 10:39:54 2005
--------------------------
Patching file op_plugbase.c using Plan A...
Hunk #1 succeeded at 27.
Hunk #2 succeeded at 47.
done
With the right files patched, I can make a custom Barnyard package.
sguilref:/usr/ports/security/barnyard/work/barnyard-0.2.0/src/output-plugins# cd ../../../..
sguilref:/usr/ports/security/barnyard# make package WITH_SGUIL=yes
===> Patching for barnyard-0.2.0
===> Applying FreeBSD patches for barnyard-0.2.0
===> barnyard-0.2.0 depends on file: /usr/local/bin/autoconf259 - found
===> Configuring for barnyard-0.2.0
...edited...
checking for tclsh8.4... tclsh8.4
checking for the tcl version number... 8.4, patchlevel .11
...edited...
===> Registering installation for barnyard-0.2.0
===> Building package for barnyard-0.2.0
Creating package /usr/ports/packages/All/barnyard-0.2.0.tbz
Registering depends: snort-2.4.3_1 pcre-6.4.
Creating bzip'd tar ball in '/usr/ports/packages/All/barnyard-0.2.0.tbz'
Now I have a custom Barnyard package in /usr/ports/packages/All/barnyard-0.2.0.tbz. The last step is to see what packages Barnyard needs when it runs.
sguilref:/usr/ports/security/barnyard# make pretty-print-run-depends-list
This port requires package(s) "pcre-6.4 snort-2.4.3_1" to run.
I know that pcre-6.4 and snort-2.4.3_1 will be installed when I put Snort on this system. That means I can do a 'pkg_add barnyard-0.2.0.tbz' and the process will only look for pcre-6.4 and snort-2.4.3_1, which will be installed prior to Barnyard.
I plan to submit these steps to the Barnyard package maintainer to see if he might be able to get them merged.
0 komentar:
Posting Komentar