# -*- coding: utf-8; mode: tcl; tab-width: 4; indent-tabs-mode: nil; c-basic-offset: 4 -*- vim:fenc=utf-8:ft=tcl:et:sw=4:ts=4:sts=4

PortSystem      1.0
PortGroup       legacysupport 1.1
PortGroup       openssl 1.0

# strndup
legacysupport.newest_darwin_requires_legacy 10

name            snort
version         2.9.20
revision        0
checksums       rmd160  9c74b009d72816c30557449df5c9d7294a31aa1a \
                sha256  29400e13f53b1831e0b8b10ec1224a1cbaa6dc1533a5322a20dd80bb84b4981c \
                size    7009894

categories      net
maintainers     nomaintainer
license         GPL-2
description     Open Source Network Intrusion Detection System
long_description \
    Snort is an open source network intrusion detection system, capable \
    of performing real-time traffic analysis and packet logging on IP \
    networks. It can perform protocol analysis, content \
    searching/matching and can be used to detect a variety of attacks \
    and probes, such as buffer overflows, stealth port scans, CGI \
    attacks, SMB probes, OS fingerprinting attempts, and much more.
homepage        https://www.snort.org/
platforms       darwin freebsd
master_sites    ${homepage}downloads/snort/

depends_build   port:pkgconfig

depends_lib     port:daq \
                path:lib/libluajit-5.1.2.dylib:luajit \
                port:nghttp2

patchfiles      dynamic_lookup-11.patch

add_users snort group=snort home=${prefix}/var/snort shell=/sbin/nologin realname=Snort\ user

# snort interface, defined outside variants below so that `port lint` succeeds
set interface en0

# provide snort interface as port variants
variant if_en0 \
    conflicts if_en1 \
    description "Snort launch daemon interface en0" {
        set interface en0
}

variant if_en1 \
    conflicts if_en0 \
    description "Snort launch daemon interface en1" {
        set interface en1
}

if { ![variant_isset if_en0] && ![variant_isset if_en1] } {
    default_variants +if_en0
}

startupitem.create  yes
startupitem.executable \
    ${prefix}/bin/${name} \
        -u snort -g snort \
        -d \
        -e \
        -l ${prefix}/var/log/snort \
        --pid-path ${prefix}/var/run \
        -i ${interface} \
        -c ${prefix}/etc/snort/snort.conf
startupitem.pidfile "${prefix}/var/run/snort_${interface}.pid"
#startupitem.start   "${prefix}/share/${name}/snort.sh"
#startupitem.stop    "/bin/kill \$(cat ${prefix}/var/run/snort_*.pid)"

destroot.asroot yes
post-destroot {
    # Copy Snort's etc/ files
    xinstall -d -m 755 ${destroot}${prefix}/etc/${name}
    xinstall {*}[glob ${worksrcpath}/etc/*.map] ${destroot}${prefix}/etc/${name}
    xinstall {*}[glob ${worksrcpath}/etc/*.conf*] ${destroot}${prefix}/etc/${name}
    xinstall -d -m 755 ${destroot}${prefix}/share/examples/${name}
    file rename ${destroot}${prefix}/etc/${name}/snort.conf ${destroot}${prefix}/share/examples/${name}/snort.conf.dist

    # fix snort.conf.dist
    reinplace "s|dynamicpreprocessor directory /usr/local/lib/snort_dynamicpreprocessor/|dynamicpreprocessor directory ${prefix}/lib/snort_dynamicpreprocessor/|g" ${destroot}${prefix}/share/examples/${name}/snort.conf.dist
    reinplace "s|dynamicengine /usr/local/lib/snort_dynamicengine/libsf_engine.so|dynamicengine ${prefix}/lib/snort_dynamicengine/libsf_engine.dylib|g" ${destroot}${prefix}/share/examples/${name}/snort.conf.dist
    reinplace "s|dynamicdetection directory /usr/local/lib/snort_dynamicrule/|dynamicdetection directory ${prefix}/lib/snort_dynamicrule/|g" ${destroot}${prefix}/share/examples/${name}/snort.conf.dist
    reinplace "s|dynamicdetection file /usr/local/lib/snort_dynamicrule/libdynamicexamplerule.so|dynamicdetection file ${prefix}/lib/snort_dynamicrule/libdynamicexamplerule.dylib|g" ${destroot}${prefix}/share/examples/${name}/snort.conf.dist
    reinplace "s|_LIST_PATH ../rules|_LIST_PATH ${prefix}/etc/snort|g" ${destroot}${prefix}/share/examples/${name}/snort.conf.dist

    xinstall -d ${destroot}${prefix}/share/${name}
    xinstall -m 755 ${filespath}/snort.sh \
        ${destroot}${prefix}/share/${name}/snort.sh
    reinplace "s|__PREFIX__|${prefix}|g" \
        ${destroot}${prefix}/share/${name}/snort.sh

    xinstall -d ${destroot}${prefix}/lib/snort_dynamicrules
    destroot.keepdirs-append ${destroot}${prefix}/lib/snort_dynamicrules
    reinplace "s|/usr/local/lib/snort_dynamicrules|${prefix}/lib/snort_dynamicrules|" \
        ${destroot}${prefix}/share/examples/${name}/snort.conf.dist
    reinplace "s|dynamicengine ${prefix}/lib/snort_dynamicengine/libsf_engine.dylib|dynamicengine ${prefix}/lib/snort_dynamicengine/libsf_engine.so|" \
        ${destroot}${prefix}/share/examples/${name}/snort.conf.dist
    xinstall -d ${destroot}${prefix}/etc/snort/rules
    destroot.keepdirs-append ${destroot}${prefix}/etc/snort/rules
    reinplace "s|var RULE_PATH ../rules|var RULE_PATH /rules|" \
        ${destroot}${prefix}/share/examples/${name}/snort.conf.dist
    xinstall -d -o snort ${destroot}${prefix}/var/log/snort
    destroot.keepdirs-append ${destroot}${prefix}/var/log/snort
}

post-activate {
    if {![file exists ${prefix}/etc/snort/snort.conf ]} {
        copy ${prefix}/share/examples/${name}/snort.conf.dist ${prefix}/etc/snort/snort.conf
        system "touch ${prefix}/etc/snort/rules/local.rules"
        system "touch ${prefix}/etc/snort/white_list.rules"
        system "touch ${prefix}/etc/snort/black_list.rules"
    }
}

notes "
            ***** File locations *****

The Snort database schemas -> ${prefix}/share/${name}/schemas
The snort.conf sample file -> ${prefix}/share/examples/${name}/snort.conf.dist
If it doesn't exist before, the sample config is copied to ${prefix}/etc/snort.conf

NOTE: Make sure you do not change the location of the snort.conf file or the startup scripts will not be able to find it.

*Please download rules from https://www.snort.org/downloads/#rule-downloads either manually or with oinkmaster.*
Oinkmaster is the recommended way with regular updates.

Change at least your HOME_NET in snort.conf and Validate your config with
    $ snort -T -c ${prefix}/etc/snort/snort.conf

By default ${prefix}/share/${name}/snort.sh is configured to listen only on ${interface} interface.
If you want to listen multiple interface, you need to start one snort instance per interface (or bond them)

    $ grep 'Snort rules read' /var/log/system.log
    $ egrep '^output' ${prefix}/etc/snort/snort.conf
If you get empty touched logs, try also to set:
    ipvar EXTERNAL_NET !\$HOME_NET
instead of any

You can test that snort is functioning by using these tools:
ftp http://\$EXTERNAL_HOST/cmd.exe
ftp http://lteo.net/cmd.exe
http://testmyids.com
nmap, IDSWakeup, pytbull, metasploit

To use blacklist/whitelist, see
http://blog.securitymonks.com/2009/07/19/blacklisting-with-snort/
http://systemnoise.com/wordpress/?p=89
http://labs.snort.org/iplists/

"

livecheck.type      regex
livecheck.url       ${homepage}downloads
livecheck.regex     >${name}-(\[0-9.\]+)${extract.suffix}<