net-analyzer/suricata: bump to 5.0.1

Further clean-up of old ebuilds, tools are no longer optional, there is
now a config phase to download an initial rule set using
suricata-update.

Closes: https://bugs.gentoo.org/703184
Package-Manager: Portage-2.3.79, Repoman-2.3.16
Signed-off-by: Marek Szuba <marecki@gentoo.org>

6 files changed, 261 insertions, 2 deletions

diff --git a/net-analyzer/suricata/files/suricata-5.0.1-conf b/net-analyzer/suricata/files/suricata-5.0.1-conf
new file mode 100644
index 000000000000..7f22113dbf0d
--- /dev/null
+++ b/net-analyzer/suricata/files/suricata-5.0.1-conf
@@ -0,0 +1,62 @@
+# Config file for /etc/init.d/suricata*
+
+# Where config files are stored. Default:
+
+# SURICATA_DIR="/etc/suricata"
+
+# Pass options to each suricata service.
+#
+# You can launch more than one service at the same time with different options.
+# This can be useful in a multi-queue gateway, for example.
+# You can expand on the Suricata inline example found at:
+# http://suricata.readthedocs.io/en/latest/setting-up-ipsinline-for-linux.html
+# Instead of configuring iptables to send traffic to just one queue, you can configure it to "load balance"
+# on several queues. You can then have a Suricata instance processing traffic for each queue.
+# This should help improve performance on the gateway/firewall.
+#
+# Suppose you configured iptables to use queues 0 and 1 named q0 and q1. You can now do the following:
+# ln -s /etc/init.d/suricata /etc/init.d/suricata.q0
+# ln -s /etc/init.d/suricata /etc/init.d/suricata.q1
+# cp /etc/suricata/suricata.yaml /etc/suricata/suricata-q0.yaml
+# cp /etc/suricata/suricata.yaml /etc/suricata/suricata-q1.yaml
+#
+# Edit both suricata-q{0,1}.yaml files and set values accordingly.
+# You can override these yaml config file names with SURICATA_CONF* below (optional).
+# This allows you to use the same yaml config file for multiple instances as long as you override
+# sensible options such as the log file paths.
+# SURICATA_CONF_q0="suricata-queues.yaml"
+# SURICATA_CONF_q1="suricata-queues.yaml"
+# SURICATA_CONF="suricata.yaml"
+
+# You can define the options here:
+# NB: avoid using -l, -c, --user, --group and setting logging.outputs.1.file.filename as the init script will try to set them for you.
+
+# SURICATA_OPTS_q0="-q 0"
+# SURICATA_OPTS_q1="-q 1"
+
+# If you want to use ${SURICATA_DIR}/suricata.yaml and start the service with /etc/init.d/suricata
+# then you can set:
+
+SURICATA_OPTS="--af-packet"
+
+# Log paths listed here will be created by the init script and will override the log path
+# set in the yaml file, if present.
+# SURICATA_LOG_FILE_q0="/var/log/suricata/q0/suricata.log"
+# SURICATA_LOG_FILE_q1="/var/log/suricata/q1/suricata.log"
+# SURICATA_LOG_FILE="/var/log/suricata/suricata.log"
+
+# Run as user/group.
+# Do not define if you want to run as root or as the user defined in the yaml config file (run-as).
+# The ebuild should have created the dedicated user/group suricata:suricata for you to specify here below.
+# SURICATA_USER_q0="suricata"
+# SURICATA_GROUP_q0="suricata"
+# SURICATA_USER_q1="suricata"
+# SURICATA_GROUP_q1="suricata"
+# SURICATA_USER="suricata"
+# SURICATA_GROUP="suricata"
+
+# Suricata processes can take a long time to shut down.
+# If necessary, adjust timeout in seconds to be used when calling stop from the init script.
+# Examples:
+# SURICATA_MAX_WAIT_ON_STOP="300"
+# SURICATA_MAX_WAIT_ON_STOP="SIGTERM/30"
diff --git a/net-analyzer/suricata/files/suricata-5.0.1-init b/net-analyzer/suricata/files/suricata-5.0.1-init
new file mode 100644
index 000000000000..89f92803cedf
--- /dev/null
+++ b/net-analyzer/suricata/files/suricata-5.0.1-init
@@ -0,0 +1,147 @@
+#!/sbin/openrc-run
+# Copyright 1999-2019 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+SURICATA_BIN=/usr/bin/suricata
+SURICATA_DIR=${SURICATA_DIR:-/etc/suricata}
+SURICATA=${SVCNAME#*.}
+SURICATAID=$(shell_var "${SURICATA}")
+if [ -n "${SURICATA}" ] && [ ${SVCNAME} != "suricata" ]; then
+    eval SURICATACONF=\$SURICATA_CONF_${SURICATAID}
+    [ ${#SURICATACONF} -eq 0 ] && SURICATACONF="${SURICATA_DIR}/suricata-${SURICATA}.yaml" || SURICATACONF="${SURICATA_DIR}/${SURICATACONF}"
+    SURICATAPID="/run/suricata/suricata.${SURICATA}.pid"
+    eval SURICATAOPTS=\$SURICATA_OPTS_${SURICATAID}
+    eval SURICATALOGPATH=\$SURICATA_LOG_FILE_${SURICATAID}
+    eval SURICATAUSER=\$SURICATA_USER_${SURICATAID}
+    eval SURICATAGROUP=\$SURICATA_GROUP_${SURICATAID}
+else
+    SURICATACONF=${SURICATA_CONF}
+    [ ${#SURICATACONF} -eq 0 ] && SURICATACONF="${SURICATA_DIR}/suricata.yaml" || SURICATACONF="${SURICATA_DIR}/${SURICATACONF}"
+    SURICATAPID="/run/suricata/suricata.pid"
+    SURICATAOPTS=${SURICATA_OPTS}
+    SURICATALOGPATH=${SURICATA_LOG_FILE}
+    SURICATAUSER=${SURICATA_USER}
+    SURICATAGROUP=${SURICATA_GROUP}
+fi
+SURICATAUSER=${SURICATAUSER:-${SURICATA_USER}}
+SURICATAGROUP=${SURICATAGROUP:-${SURICATA_GROUP}}
+[ -e ${SURICATACONF} ] && SURICATAOPTS="-c ${SURICATACONF} ${SURICATAOPTS}"
+[[ -z "${SURICATA_MAX_WAIT_ON_STOP// }" ]] || SURICATA_RETRY="--retry ${SURICATA_MAX_WAIT_ON_STOP}"
+
+description="Suricata IDS/IPS"
+extra_commands="checkconfig dump"
+description_checkconfig="Check config for ${SVCNAME}"
+description_dump="List all config values that can be used with --set"
+extra_started_commands="reload relog"
+description_reload="Live rule and config reload"
+description_relog="Close and re-open all log files"
+
+depend() {
+	need net
+	after mysql
+	after postgresql
+}
+
+checkconfig() {
+	if [ ! -d "/run/suricata" ] ; then
+		checkpath -d /run/suricata
+	fi
+	if [ ${#SURICATALOGPATH} -gt 0 ]; then
+		SURICATALOGFILE=$( basename ${SURICATALOGPATH} )
+		SURICATALOGFILE=${SURICATALOGFILE:-suricata.log}
+		SURICATALOGPATH=$( dirname ${SURICATALOGPATH} )
+		if [ ! -d "${SURICATALOGPATH}" ] ; then
+			checkpath -d "${SURICATALOGPATH}"
+		fi
+		if [ ${#SURICATAUSER} -gt 0 ] && [ ${#SURICATAGROUP} -gt 0 ] && [ -e "${SURICATALOGPATH}" ]; then
+			chown ${SURICATAUSER}:${SURICATAGROUP} "${SURICATALOGPATH}" || return 1
+			chown ${SURICATAUSER}:${SURICATAGROUP} "${SURICATALOGPATH}"/* >/dev/null 2>&1 3>&1
+		fi
+		SURICATAOPTS="${SURICATAOPTS} --set logging.outputs.1.file.filename=${SURICATALOGPATH}/${SURICATALOGFILE}"
+		SURICATALOGPATH="-l ${SURICATALOGPATH}"
+	fi
+	if [ ! -e ${SURICATACONF} ] ; then
+		einfo "The configuration file ${SURICATACONF} was not found."
+		einfo "If this is OK then make sure you set enough options for ${SVCNAME} in /etc/conf.d/suricata."
+		einfo "Take a look at the suricata arguments --set and --dump-config."
+	fi
+	if [ ${#SURICATAUSER} -gt 0 ] && [ ${#SURICATAGROUP} -gt 0 ]; then
+		einfo "${SVCNAME} will run as user ${SURICATAUSER}:${SURICATAGROUP}."
+		SURICATAOPTS="${SURICATAOPTS} --user=${SURICATAUSER} --group=${SURICATAGROUP}"
+	fi
+}
+
+initpidinfo() {
+	[ -e ${SURICATAPID} ] && SUR_PID="$(cat ${SURICATAPID})"
+	if [ ${#SUR_PID} -gt 0 ]; then
+	    SUR_PID_CHECK="$(ps -eo pid | grep -c ${SUR_PID})"
+	    SUR_USER="$(ps -p ${SUR_PID} --no-headers -o user)"
+	fi
+}
+
+checkpidinfo() {
+	initpidinfo
+        if [ ! -e ${SURICATAPID} ]; then
+        	eerror "${SVCNAME} isn't running"
+                return 1
+	elif [ ${#SUR_PID} -eq 0 ] || [ $((SUR_PID_CHECK)) -ne 1 ]; then
+		eerror "Could not determine PID of ${SVCNAME}! Did the service crash?"
+		return 1
+	elif [ ${#SUR_USER} -eq 0 ]; then
+		eerror "Unable to determine user running ${SVCNAME}!"
+		return 1
+	elif [ "x${SUR_USER}" != "xroot" ]; then
+		ewarn "${SVCNAME} may need to be running as root or as a priviledged user for the extra commands reload and relog to work."
+        fi
+}
+
+start() {
+	checkconfig || return 1
+	ebegin "Starting ${SVCNAME}"
+	start-stop-daemon --start --quiet --exec ${SURICATA_BIN} \
+		-- --pidfile ${SURICATAPID} -D ${SURICATAOPTS} ${SURICATALOGPATH} >/dev/null 2>&1
+	local SUR_EXIT=$?
+	if [ $((SUR_EXIT)) -ne 0 ]; then
+	    einfo "Could not start ${SURICATA_BIN} with:"
+	    einfo "--pidfile ${SURICATAPID} -D ${SURICATAOPTS} ${SURICATALOGPATH}"
+	    einfo "Exit code ${SUR_EXIT}"
+	fi
+	eend ${SUR_EXIT}
+}
+
+stop() {
+	ebegin "Stopping ${SVCNAME}"
+	start-stop-daemon --stop ${SURICATA_RETRY} --quiet --pidfile ${SURICATAPID} >/dev/null 2>&1
+	eend $?
+}
+
+reload() {
+	checkpidinfo || return 1
+	checkconfig || return 1
+	ebegin "Sending USR2 signal to ${SVCNAME} to perform a live rule and config reload."
+	if [ ${#SURICATAUSER} -gt 0 ] && [ ${#SURICATAGROUP} -gt 0 ]; then
+		start-stop-daemon --user ${SURICATAUSER} --group ${SURICATAGROUP} --signal USR2 --pidfile ${SURICATAPID}
+	else
+		start-stop-daemon --signal USR2 --pidfile ${SURICATAPID}
+	fi
+	eend $?
+}
+
+relog() {
+	checkpidinfo || return 1
+	checkconfig || return 1
+	ebegin "Sending HUP signal to ${SVCNAME} to close and re-open all log files."
+	if [ ${#SURICATAUSER} -gt 0 ] && [ ${#SURICATAGROUP} -gt 0 ]; then
+		start-stop-daemon --user ${SURICATAUSER} --group ${SURICATAGROUP} --signal HUP --pidfile ${SURICATAPID}
+	else
+		start-stop-daemon --signal HUP --pidfile ${SURICATAPID}
+	fi
+	eend $?
+}
+
+dump() {
+	checkconfig || return 1
+	ebegin "Dumping ${SVCNAME} config values and quitting."
+	${SURICATA_BIN} --dump-config --pidfile ${SURICATAPID} ${SURICATAOPTS} ${SURICATALOGPATH}
+	eend $?
+}
diff --git a/net-analyzer/suricata/files/suricata-5.0.1_configure-no-lz4-automagic.patch b/net-analyzer/suricata/files/suricata-5.0.1_configure-no-lz4-automagic.patch
new file mode 100644
index 000000000000..5efce46f6d9f
--- /dev/null
+++ b/net-analyzer/suricata/files/suricata-5.0.1_configure-no-lz4-automagic.patch
@@ -0,0 +1,23 @@
+--- a/configure.ac
++++ b/configure.ac
+@@ -2292,7 +2292,11 @@
+     fi
+ 
+ # Check for lz4
+-enable_liblz4="yes"
++AC_ARG_ENABLE(lz4,
++       AS_HELP_STRING([--enable-lz4], [Enable compressed pcap logging using liblz4]),
++       [enable_liblz4=$enableval],
++       [enable_liblz4=yes])
++if test "x$enable_liblz4" != "xno"; then
+ AC_CHECK_LIB(lz4, LZ4F_createCompressionContext, , enable_liblz4="no")
+ 
+ if test "$enable_liblz4" = "no"; then
+@@ -2306,6 +2310,7 @@
+     echo "               yum install lz4-devel"
+     echo
+ fi
++fi
+ 
+ # get cache line size
+     AC_PATH_PROG(HAVE_GETCONF_CMD, getconf, "no")
diff --git a/net-analyzer/suricata/files/suricata-5.0.1_default-config.patch b/net-analyzer/suricata/files/suricata-5.0.1_default-config.patch
new file mode 100644
index 000000000000..ef1b1f63ad4f
--- /dev/null
+++ b/net-analyzer/suricata/files/suricata-5.0.1_default-config.patch
@@ -0,0 +1,27 @@
+--- a/suricata.yaml.in
++++ b/suricata.yaml.in
+@@ -203,8 +203,9 @@
+             # https://suricata.readthedocs.io/en/latest/output/eve/eve-json-output.html#dns-v1-format
+ 
+             # As of Suricata 5.0, version 2 of the eve dns output
+-            # format is the default.
+-            #version: 2
++            # format is the default - but the daemon produces a warning to that effect
++            # at start-up if this isn't explicitly set.
++            version: 2
+ 
+             # Enable/disable this logger. Default: enabled.
+             #enabled: yes
+@@ -978,9 +979,9 @@
+ ##
+ 
+ # Run suricata as user and group.
+-#run-as:
+-#  user: suri
+-#  group: suri
++run-as:
++  user: suricata
++  group: suricata
+ 
+ # Some logging module will use that name in event as identifier. The default
+ # value is the hostname
diff --git a/net-analyzer/suricata/files/suricata.service b/net-analyzer/suricata/files/suricata.service
index 294ec6373481..1fb056957ec5 100644
--- a/net-analyzer/suricata/files/suricata.service
+++ b/net-analyzer/suricata/files/suricata.service
@@ -3,7 +3,7 @@ Description=Suricata IDS/IDP daemon
 After=network.target
 Requires=network.target
 Documentation=man:suricata(8) man:suricatasc(8)
-Documentation=https://redmine.openinfosecfoundation.org/projects/suricata/wiki
+Documentation=https://suricata.readthedocs.io/
 
 [Service]
 Environment=OPTIONS='-c /etc/suricata/suricata.yaml --af-packet'
diff --git a/net-analyzer/suricata/files/suricata.tmpfiles b/net-analyzer/suricata/files/suricata.tmpfiles
index 46fe50842978..a6e784cc37c7 100644
--- a/net-analyzer/suricata/files/suricata.tmpfiles
+++ b/net-analyzer/suricata/files/suricata.tmpfiles
@@ -1 +1 @@
-d	/var/run/suricata	- - - -
+d	/run/suricata	- - - -