net-analyzer/suricata: Updated suricata logging and added logrotate file

I've also bumped revision number, as there are many changes, and those fixes
should finally close bug 602590.

Thanks to Vieri <rentorbuy@yahoo.com> for support.

Package-Manager: Portage-2.3.3, Repoman-2.3.1

5 files changed, 189 insertions, 18 deletions

diff --git a/net-analyzer/suricata/files/suricata-3.2-conf b/net-analyzer/suricata/files/suricata-3.2-conf
index d900ade85258..fc6885d25309 100644
--- a/net-analyzer/suricata/files/suricata-3.2-conf
+++ b/net-analyzer/suricata/files/suricata-3.2-conf
@@ -41,11 +41,6 @@ SURICATA_OPTS="-i eth0"
 
 # Log paths listed here will be created by the init script and will override the log path
 # set in the yaml file, if present.
-# SURICATA_LOG_PATH_q0="/var/log/suricata/q0"
-# SURICATA_LOG_PATH_q1="/var/log/suricata/q1"
-# SURICATA_LOG_PATH="/var/log/suricata"
-# SURICATA_LOG_FILE="suricata.log"
-
-# You can view all the available options you can set with --set
-# and check the full config settings in an easily parsable format.
-# SURICATA_DUMP=1
+# SURICATA_LOG_FILE_q0="/var/log/suricata/q0/suricata.log"
+# SURICATA_LOG_FILE_q1="/var/log/suricata/q1/suricata.log"
+# SURICATA_LOG_FILE="/var/log/suricata/suricata.log"
diff --git a/net-analyzer/suricata/files/suricata-3.2-init b/net-analyzer/suricata/files/suricata-3.2-init
index 3ec6afd68f72..1717dbb32729 100644
--- a/net-analyzer/suricata/files/suricata-3.2-init
+++ b/net-analyzer/suricata/files/suricata-3.2-init
@@ -12,18 +12,23 @@ if [ -n "${SURICATA}" ] && [ ${SVCNAME} != "suricata" ]; then
     [ ${#SURICATACONF} -eq 0 ] && SURICATACONF="${SURICATA_DIR}/suricata-${SURICATA}.yaml" || SURICATACONF="${SURICATA_DIR}/${SURICATACONF}"
     SURICATAPID="/var/run/suricata/suricata.${SURICATA}.pid"
     eval SURICATAOPTS=\$SURICATA_OPTS_${SURICATAID}
-    eval SURICATALOGPATH=\$SURICATA_LOG_PATH_${SURICATAID}
+    eval SURICATALOGPATH=\$SURICATA_LOG_FILE_${SURICATAID}
 else
     SURICATACONF=${SURICATA_CONF}
     [ ${#SURICATACONF} -eq 0 ] && SURICATACONF="${SURICATA_DIR}/suricata.yaml" || SURICATACONF="${SURICATA_DIR}/${SURICATACONF}"
     SURICATAPID="/var/run/suricata/suricata.pid"
     SURICATAOPTS=${SURICATA_OPTS}
-    SURICATALOGPATH=${SURICATA_LOG_PATH}
+    SURICATALOGPATH=${SURICATA_LOG_FILE}
 fi
 [ -e ${SURICATACONF} ] && SURICATAOPTS="${SURICATAOPTS} -c ${SURICATACONF}"
 
-extra_commands="checkconfig"
+description="Suricata IDS/IPS"
+extra_commands="checkconfig dump"
+description_checkconfig="Check config for ${SVCNAME}"
+description_dump="List all config values that can be used with --set"
 extra_started_commands="reload relog"
+description_reload="Live rule and config reload"
+description_relog="Close and re-open all log files"
 
 depend() {
 	need net
@@ -41,10 +46,12 @@ checkconfig() {
 		checkpath -d /var/run/suricata
 	fi
 	if [ ${#SURICATALOGPATH} -gt 0 ]; then
+		SURICATALOGFILE=$( basename ${SURICATA_LOG_FILE} )
+		SURICATALOGFILE=${SURICATALOGFILE:-suricata.log}
+		SURICATALOGPATH=$( dirname ${SURICATALOGPATH} )
 		if [ ! -d "${SURICATALOGPATH}" ] ; then
 			checkpath -d "${SURICATALOGPATH}"
 		fi
-		SURICATALOGFILE=${SURICATA_LOG_FILE:-suricata.log}
 		SURICATAOPTS="${SURICATAOPTS} --set logging.outputs.1.file.filename=${SURICATALOGPATH}/${SURICATALOGFILE}"
 		SURICATALOGPATH="-l ${SURICATALOGPATH}"
 	fi
@@ -77,12 +84,6 @@ checkpidinfo() {
 
 start() {
 	checkconfig || return 1
-	if [ $((SURICATA_DUMP)) -eq 1 ]; then
-	    einfo "Dumping ${SVCNAME} config values and quitting."
-	    ${SURICATA_BIN} --dump-config --pidfile ${SURICATAPID} ${SURICATAOPTS} ${SURICATALOGPATH}
-	    einfo "You need to disable SURICATA_DUMP to start ${SVCNAME}."
-	    return 1
-	fi
 	ebegin "Starting ${SVCNAME}"
 	start-stop-daemon --start --quiet --exec ${SURICATA_BIN} \
 		-- --pidfile ${SURICATAPID} -D ${SURICATAOPTS} ${SURICATALOGPATH} >/dev/null 2>&1
@@ -145,3 +146,10 @@ relog() {
 	start-stop-daemon --signal HUP --pidfile ${SURICATAPID}
 	eend $?
 }
+
+dump() {
+	checkconfig || return 1
+	ebegin "Dumping ${SVCNAME} config values and quitting."
+	${SURICATA_BIN} --dump-config --pidfile ${SURICATAPID} ${SURICATAOPTS} ${SURICATALOGPATH}
+	eend $?
+}
diff --git a/net-analyzer/suricata/files/suricata-logrotate b/net-analyzer/suricata/files/suricata-logrotate
new file mode 100644
index 000000000000..0dc145ba4162
--- /dev/null
+++ b/net-analyzer/suricata/files/suricata-logrotate
@@ -0,0 +1,6 @@
+/var/log/suricata/* {
+	missingok
+	postrotate
+		/etc/init.d/suricata reload
+	endscript
+}
diff --git a/net-analyzer/suricata/metadata.xml b/net-analyzer/suricata/metadata.xml
index e538ae141435..58878c64f05c 100644
--- a/net-analyzer/suricata/metadata.xml
+++ b/net-analyzer/suricata/metadata.xml
@@ -14,5 +14,6 @@
     <flag name="nfqueue">Enable NFQUEUE support for inline IDP</flag>
     <flag name="redis">Enable Redis support</flag>
     <flag name="rules">Install default ruleset</flag>
+    <flag name="logrotate">Install logrotate rule</flag>
   </use>
 </pkgmetadata>
diff --git a/net-analyzer/suricata/suricata-3.2-r1.ebuild b/net-analyzer/suricata/suricata-3.2-r1.ebuild
new file mode 100644
index 000000000000..816a69d13a89
--- /dev/null
+++ b/net-analyzer/suricata/suricata-3.2-r1.ebuild
@@ -0,0 +1,161 @@
+# Copyright 1999-2016 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Id$
+
+EAPI=5
+
+inherit autotools eutils user
+
+DESCRIPTION="High performance Network IDS, IPS and Network Security Monitoring engine"
+HOMEPAGE="http://suricata-ids.org/"
+SRC_URI="http://www.openinfosecfoundation.org/download/${P}.tar.gz"
+
+LICENSE="GPL-2"
+SLOT="0"
+KEYWORDS="~amd64 ~x86"
+IUSE="+af-packet control-socket cuda debug +detection geoip hardened logrotate lua luajit nflog +nfqueue redis +rules test"
+
+DEPEND="
+	>=dev-libs/jansson-2.2
+	dev-libs/libpcre
+	dev-libs/libyaml
+	net-libs/libnet:*
+	net-libs/libnfnetlink
+	dev-libs/nspr
+	dev-libs/nss
+	>=net-libs/libhtp-0.5.20
+	net-libs/libpcap
+	sys-apps/file
+	cuda?       ( dev-util/nvidia-cuda-toolkit )
+	geoip?      ( dev-libs/geoip )
+	lua?        ( dev-lang/lua:* )
+	luajit?     ( dev-lang/luajit:* )
+	nflog?      ( net-libs/libnetfilter_log )
+	nfqueue?    ( net-libs/libnetfilter_queue )
+	redis?      ( dev-libs/hiredis )
+	logrotate?      ( app-admin/logrotate )
+"
+# #446814
+#	prelude?    ( dev-libs/libprelude )
+#	pfring?     ( sys-process/numactl net-libs/pf_ring)
+RDEPEND="${DEPEND}"
+
+pkg_setup() {
+	enewgroup ${PN}
+	enewuser ${PN} -1 -1 /var/lib/${PN} "${PN}"
+}
+
+src_prepare() {
+	eautoreconf
+}
+
+src_configure() {
+	local myeconfargs=(
+		"--localstatedir=/var/" \
+		"--enable-non-bundled-htp" \
+		$(use_enable af-packet) \
+		$(use_enable detection) \
+		$(use_enable nfqueue) \
+		$(use_enable test coccinelle) \
+		$(use_enable test unittests) \
+		$(use_enable control-socket unix-socket)
+	)
+
+	if use cuda ; then
+		myeconfargs+=( $(use_enable cuda) )
+	fi
+	if use geoip ; then
+		myeconfargs+=( $(use_enable geoip) )
+	fi
+	if use hardened ; then
+		myeconfargs+=( $(use_enable hardened gccprotect) )
+	fi
+	if use nflog ; then
+		myeconfargs+=( $(use_enable nflog) )
+	fi
+	if use redis ; then
+		myeconfargs+=( $(use_enable redis hiredis) )
+	fi
+	# not supported yet (no pfring in portage)
+# 	if use pfring ; then
+# 		myeconfargs+=( $(use_enable pfring) )
+# 	fi
+	# no libprelude in portage
+# 	if use prelude ; then
+# 		myeconfargs+=( $(use_enable prelude) )
+# 	fi
+	if use lua ; then
+		myeconfargs+=( $(use_enable lua) )
+	fi
+	if use luajit ; then
+		myeconfargs+=( $(use_enable luajit) )
+	fi
+
+# this should be used when pf_ring use flag support will be added
+# 	LIBS+="-lrt -lnuma"
+
+	# avoid upstream configure script trying to add -march=native to CFLAGS
+	myeconfargs+=( --enable-gccmarch-native=no )
+
+	if use debug ; then
+		myeconfargs+=( $(use_enable debug) )
+		# so we can get a backtrace according to "reporting bugs" on upstream web site
+		CFLAGS="-ggdb -O0" econf LIBS="${LIBS}" ${myeconfargs[@]}
+	else
+		econf LIBS="${LIBS}" ${myeconfargs[@]}
+	fi
+}
+
+src_install() {
+	emake DESTDIR="${D}" install
+
+	insinto "/etc/${PN}"
+	doins {classification,reference,threshold}.config suricata.yaml
+
+	if use rules ; then
+		insinto "/etc/${PN}/rules"
+		doins rules/*.rules
+	fi
+
+	dodir "/var/lib/${PN}"
+	dodir "/var/log/${PN}"
+	dodir "/var/log/${PN}" \
+		"/var/lib/${PN}"
+
+	fowners -R ${PN}: "/var/lib/${PN}" "/var/log/${PN}" "/etc/${PN}"
+	fperms 750 "/var/lib/${PN}" "/var/log/${PN}" "/etc/${PN}"
+
+	newinitd "${FILESDIR}/${P}-init" ${PN}
+	newconfd "${FILESDIR}/${P}-conf" ${PN}
+
+	if use logrotate; then
+		insopts -m0644
+		insinto /etc/logrotate.d
+		newins "${FILESDIR}"/${PN}.logrotate ${PN}
+	fi
+}
+
+pkg_postinst() {
+	elog "The ${PN} init script expects to find the path to the configuration"
+	elog "file as well as extra options in /etc/conf.d."
+	elog ""
+	elog "To create more than one ${PN} service, simply create a new .yaml file for it"
+	elog "then create a symlink to the init script from a link called"
+	elog "${PN}.foo - like so"
+	elog "   cd /etc/${PN}"
+	elog "   ${EDITOR##*/} suricata-foo.yaml"
+	elog "   cd /etc/init.d"
+	elog "   ln -s ${PN} ${PN}.foo"
+	elog "Then edit /etc/conf.d/${PN} and make sure you specify sensible options for foo."
+	elog ""
+	elog "You can create as many ${PN}.foo* services as you wish."
+
+	if use logrotate; then
+		elog "You enabled the logrotate USE flag. Please make sure you correctly set up the ${PN} logortate config file in /etc/logrotate.d/."
+	fi
+
+	if use debug; then
+		elog "You enabled the debug USE flag. Please read this link to report bugs upstream:"
+		elog "https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Reporting_Bugs"
+	fi
+}