From bfad8f97c7294b19ae58c9ffe6a21a482d785aef Mon Sep 17 00:00:00 2001
From: Tommaso Bailetti
Date: Mon, 18 May 2026 13:04:13 +0200
Subject: [PATCH 1/5] chore: updated snort
---
 packages/snort3/Makefile | 44 +++++++++---------
 packages/snort3/files/snort.init | 8 ++++
 packages/snort3/files/snort.json | 27 +++++++++++
 .../101-OpenWrt-package-modifications.patch | 45 +++++++++++++++++++
 ...c-advertise-vectorscan-not-hyperscan.patch | 11 +++++
 5 files changed, 111 insertions(+), 24 deletions(-)
 create mode 100644 packages/snort3/files/snort.json
 create mode 100644 packages/snort3/patches/101-OpenWrt-package-modifications.patch
 create mode 100644 packages/snort3/patches/200-cosmetic-advertise-vectorscan-not-hyperscan.patch
diff --git a/packages/snort3/Makefile b/packages/snort3/Makefile
index 76fda8f70..cf3078978 100644
--- a/packages/snort3/Makefile
+++ b/packages/snort3/Makefile
@@ -6,12 +6,12 @@ include $(TOPDIR)/rules.mk
 PKG_NAME:=snort3
-PKG_VERSION:=3.9.5.0
-PKG_RELEASE:=6
+PKG_VERSION:=3.10.0.0
+PKG_RELEASE:=1
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
 PKG_SOURCE_URL:=https://codeload.github.com/snort3/snort3/tar.gz/$(PKG_VERSION)?
-PKG_HASH:=e2e36a8db2c4c26a6ff58ea58839339260319eba25d0eb901ddb7210f4fa4b4c
+PKG_HASH:=fbd6619e612998330f8459486158a3ea571473218628d9011982aaf238e480e2
 PKG_MAINTAINER:=W. Michael Petullo , John Audia
 PKG_LICENSE:=GPL-2.0-only
@@ -28,8 +28,9 @@ define Package/snort3
 DEPENDS:=+libstdcpp +libdaq3 +libdnet +libopenssl +libpcap +libpcre2 \
 +libpthread +libuuid +zlib +libhwloc +USE_MUSL:libtirpc @HAS_LUAJIT_ARCH +luajit +libatomic \
 +kmod-nft-queue +liblzma +ucode +ucode-mod-fs +ucode-mod-uci \
- +PACKAGE_gperftools-runtime:gperftools-runtime \
- +PACKAGE_hyperscan-runtime:hyperscan-runtime
+ +PACKAGE_gperftools:gperftools \
+ +PACKAGE_vectorscan:vectorscan
+ USERID:=snort=975:snort=975
 TITLE:=Lightweight Network Intrusion Detection System
 URL:=http://www.snort.org/
 MENU:=1
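Review bot: `USERID:=snort=975:snort=975` introduces a fixed uid/gid with nothing in the hunk saying why 975 was chosen or what consumes it; the id only matters together with the `procd_set_param user snort` line added to snort.init elsewhere in this commit, and a reader of the Makefile alone cannot see that link. A one-line comment keeps the two in step: `# uid/gid used by "procd_set_param user snort" in files/snort.init; keep unique within the feed`. Whether 975 collides with another package's USERID cannot be judged from this hunk and should be checked against the rest of the feed. Package/snort3 continues outside the hunk.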
@@ -41,6 +42,14 @@ define Package/snort3/description
 and packet logging on IP networks. It utilizes a combination of protocol analysis and pattern matching in order to detect anomalies, misuse and attacks.
+
+ Note:
+ When compiling from source, and if your target supports them, optionally
+ enable runtime dependencies for improved performance:
+ - gperftools
+ - vectorscan
+ These are not enabled by default and must be manually selected in menuconfig
+ to take advantage of their benefits.
 endef
 CMAKE_OPTIONS += \
@@ -57,9 +66,9 @@ CMAKE_OPTIONS += \
 -DMAKE_TEXT_DOC:BOOL=NO \
 -DHAVE_LIBUNWIND=OFF \
 -DHAVE_LZMA=ON \
- -DENABLE_TCMALLOC=$(if $(CONFIG_PACKAGE_gperftools-runtime),ON,OFF) \
- -DENABLE_HYPERSCAN=$(if $(CONFIG_PACKAGE_hyperscan-runtime),ON,OFF) \
- $(if $(CONFIG_PACKAGE_hyperscan-runtime),-DHS_INCLUDE_DIRS=$(STAGING_DIR)/usr/include/hs)
+ -DENABLE_TCMALLOC=$(if $(CONFIG_PACKAGE_gperftools),ON,OFF) \
+ -DENABLE_HYPERSCAN=$(if $(CONFIG_PACKAGE_vectorscan),ON,OFF) \
+ $(if $(CONFIG_PACKAGE_vectorscan),-DHS_INCLUDE_DIRS=$(STAGING_DIR)/usr/include/hs)
 TARGET_CFLAGS += -I$(STAGING_DIR)/usr/include/daq3
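Review bot: The renamed `$(CONFIG_PACKAGE_gperftools)` and `$(CONFIG_PACKAGE_vectorscan)` conditions on the `-DENABLE_TCMALLOC`/`-DENABLE_HYPERSCAN` lines are evaluated when snort3 is compiled, so flipping either package later leaves a binary built the other way unless the symbols are listed in PKG_CONFIG_DEPENDS, which lives outside this hunk; if it still names the old `-runtime` symbols it needs the same rename, and if it is absent, `PKG_CONFIG_DEPENDS:=CONFIG_PACKAGE_gperftools CONFIG_PACKAGE_vectorscan` makes the build rerun when they change. The description added in the first hunk calls them "runtime dependencies", which the CMake lines contradict: the choice is baked in at build time, so the note should say they must be selected before snort3 is compiled. The CMAKE_OPTIONS assignment starts outside the hunk.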
@@ -103,22 +112,9 @@ define Package/snort3/install
 $(INSTALL_DIR) $(1)/etc/config
 $(INSTALL_CONF) ./files/snort.config $(1)/etc/config/snort
-
- sed \
- -i \
- -e "/^-- HOME_NET and EXTERNAL_NET/ i -- The values for the two variables HOME_NET and EXTERNAL_NET have been" \
- -e "/^-- HOME_NET and EXTERNAL_NET/ i -- moved to /etc/config/snort, so do not modify them here without good" \
- -e "/^-- HOME_NET and EXTERNAL_NET/ i -- reason.\n" \
- -e 's/^\(HOME_NET\s\+=\)/--\1/g' \
- -e 's/^\(EXTERNAL_NET\s\+=\)/--\1/g' \
- $(1)/etc/snort/snort.lua
- sed \
- -i -e "s/^\\(RULE_PATH\\s\\+=\\).*/\\1 'rules'/g" \
- -e "s/^\\(BUILTIN_RULE_PATH\\s\\+=\\).*/\\1 'builtin_rules'/g" \
- -e "s/^\\(PLUGIN_RULE_PATH\\s\\+=\\).*/\\1 'so_rules'/g" \
- -e "s/^\\(WHITE_LIST_PATH\\s\\+=\\).*/\\1 'lists'/g" \
- -e "s/^\\(BLACK_LIST_PATH\\s\\+=\\).*/\\1 'lists'/g" \
- $(1)/etc/snort/snort_defaults.lua
+
+ $(INSTALL_DIR) $(1)/etc/capabilities
+ $(INSTALL_CONF) ./files/snort.json $(1)/etc/capabilities/snort.json
 endef
 $(eval $(call BuildPackage,snort3))
diff --git a/packages/snort3/files/snort.init b/packages/snort3/files/snort.init
index 7b2d82610..9e250f36a 100644
--- a/packages/snort3/files/snort.init
+++ b/packages/snort3/files/snort.init
@@ -110,6 +110,14 @@ start_service() {
 procd_set_param env SNORT_LUA_PATH="$config_dir"
 procd_set_param file $CONFIGFILE
 fi
+ [ -x /sbin/ujail -a -e /etc/capabilities/snort.json ] && {
+ chown -R snort:snort "$config_dir"
+ procd_add_jail snort
+ procd_set_param capabilities /etc/capabilities/snort.json
+ procd_set_param user snort
+ procd_set_param group snort
+ procd_set_param no_new_privs 1
+ }
 procd_set_param respawn
 procd_set_param stdout 1
 procd_set_param stderr 1
diff --git a/packages/snort3/files/snort.json b/packages/snort3/files/snort.json
new file mode 100644
index 000000000..aacfd7e16
--- /dev/null
+++ b/packages/snort3/files/snort.json
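Review bot: `chown -R snort:snort "$config_dir"` in the new jail block runs on every service start against whatever `config_dir` resolves to, and nothing in the hunk bounds that path; if the variable comes from the UCI config, as the surrounding `SNORT_LUA_PATH="$config_dir"` line suggests, a broad or mistyped value silently hands an entire tree to the service user. Limit it to the directory the package owns, or at least guard it with `[ -d "$config_dir" ] && chown -R snort:snort "$config_dir"` and a comment stating that the jailed process must be able to read its rule and configuration files, and consider chowning only what Snort has to write. `[ -x /sbin/ujail -a -e /etc/capabilities/snort.json ]` uses the obsolescent `-a`; `[ -x /sbin/ujail ] && [ -e /etc/capabilities/snort.json ] && {` is the portable form. start_service continues outside the hunk.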
@@ -0,0 +1,27 @@
+{
+ "bounding": [
+ "CAP_NET_ADMIN",
+ "CAP_NET_RAW",
+ "CAP_IPC_LOCK"
+ ],
+ "effective": [
+ "CAP_NET_ADMIN",
+ "CAP_NET_RAW",
+ "CAP_IPC_LOCK"
+ ],
+ "ambient": [
+ "CAP_NET_ADMIN",
+ "CAP_NET_RAW",
+ "CAP_IPC_LOCK"
+ ],
+ "permitted": [
+ "CAP_NET_ADMIN",
+ "CAP_NET_RAW",
+ "CAP_IPC_LOCK"
+ ],
+ "inheritable": [
+ "CAP_NET_ADMIN",
+ "CAP_NET_RAW",
+ "CAP_IPC_LOCK"
+ ]
+}
diff --git a/packages/snort3/patches/101-OpenWrt-package-modifications.patch b/packages/snort3/patches/101-OpenWrt-package-modifications.patch
new file mode 100644
index 000000000..13e0b07cb
--- /dev/null
+++ b/packages/snort3/patches/101-OpenWrt-package-modifications.patch
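Review bot: All five capability sets list the same three entries, so the jailed process can hold exactly CAP_NET_ADMIN, CAP_NET_RAW and CAP_IPC_LOCK, but nothing records why each is required and JSON cannot carry a comment. Put the rationale next to the `procd_set_param capabilities /etc/capabilities/snort.json` line in snort.init, e.g. `# CAP_NET_ADMIN: netfilter queue DAQ; CAP_NET_RAW: raw/pcap capture; CAP_IPC_LOCK: TODO confirm which component needs it`, so a later reviewer can tell whether the set can shrink. The netfilter and raw-socket attributions are the usual reasons for those two capabilities and are presumably what this package needs through kmod-nft-queue and libpcap; the IPC_LOCK one is the one to verify.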
@@ -0,0 +1,45 @@
+--- a/lua/snort.lua
++++ b/lua/snort.lua
+@@ -19,13 +19,17 @@
+ -- 1. configure defaults
+
+ ---------------------------------------------------------------------------
+
++-- The values for the two variables HOME_NET and EXTERNAL_NET have been
++-- moved to /etc/config/snort, so do not modify them here without good
++-- reason.
++
+ -- HOME_NET and EXTERNAL_NET must be set now
+ -- setup the network addresses you are protecting
+-HOME_NET = 'any'
++--HOME_NET = 'any'
+
+ -- set up the external network addresses.
+ -- (leave as "any" in most situations)
+-EXTERNAL_NET = 'any'
++--EXTERNAL_NET = 'any'
+
+ include 'snort_defaults.lua'
+
+--- a/lua/snort_defaults.lua
++++ b/lua/snort_defaults.lua
+@@ -19,13 +19,13 @@
+
+ ---------------------------------------------------------------------------
+
+ -- Path to your rules files (this can be a relative path)
+-RULE_PATH = '../rules'
+-BUILTIN_RULE_PATH = '../builtin_rules'
+-PLUGIN_RULE_PATH = '../so_rules'
++RULE_PATH = 'rules'
++BUILTIN_RULE_PATH = 'builtin_rules'
++PLUGIN_RULE_PATH = 'so_rules'
+
+ -- If you are using reputation preprocessor set these
+-WHITE_LIST_PATH = '../lists'
+-BLACK_LIST_PATH = '../lists'
++WHITE_LIST_PATH = 'lists'
++BLACK_LIST_PATH = 'lists'
+
+ ---------------------------------------------------------------------------
+ -- default networks - used in Talos rules
diff --git a/packages/snort3/patches/200-cosmetic-advertise-vectorscan-not-hyperscan.patch b/packages/snort3/patches/200-cosmetic-advertise-vectorscan-not-hyperscan.patch
new file mode 100644
index 000000000..11803a4b5
--- /dev/null
+++ b/packages/snort3/patches/200-cosmetic-advertise-vectorscan-not-hyperscan.patch
@@ -0,0 +1,11 @@
+--- a/src/main/process.cc
++++ b/src/main/process.cc
+@@ -704,7 +704,7 @@ int DisplayBanner()
+ LogMessage(" Copyright (C) 1998-2013 Sourcefire, Inc., et al.\n");
+ LogMessage(" Using DAQ version %s\n", daq_version_string());
+ #ifdef HAVE_HYPERSCAN
+- LogMessage(" Using Hyperscan version %s\n", hs_version());
++ LogMessage(" Using Vectorscan version %s\n", hs_version());
+ #endif
+ #ifdef HAVE_JEMALLOC
+ const char* jv;
From 4064492b44f914a119a00f671ce6eff662c6019e Mon Sep 17 00:00:00 2001
From: Tommaso Bailetti
Date: Mon, 18 May 2026 15:13:27 +0200
Subject: [PATCH 2/5] build: added missing vectorscan
---
 config/snort3.conf | 8 ++------
 1 file changed, 2 insertions(+), 6 deletions(-)
diff --git a/config/snort3.conf b/config/snort3.conf
index 4bc2c7e13..2d1db92d6 100644
--- a/config/snort3.conf
+++ b/config/snort3.conf
@@ -1,10 +1,6 @@
-CONFIG_PACKAGE_gperftools-runtime=y
-CONFIG_PACKAGE_hyperscan-runtime=y
+CONFIG_PACKAGE_gperftools=y
+CONFIG_PACKAGE_vectorscan=y
 CONFIG_PACKAGE_libunwind=y
 CONFIG_PACKAGE_kmod-nfnetlink-queue=y
-CONFIG_PACKAGE_kmod-nft-queue=y
-CONFIG_PACKAGE_libdaq3=y
-CONFIG_PACKAGE_libdnet=y
-CONFIG_PACKAGE_libhwloc=y
 CONFIG_PACKAGE_libpciaccess=y
 CONFIG_PACKAGE_snort3=y
From 3eadfb0d2fd7494bd9a9d3157a62700d8afa5284 Mon Sep 17 00:00:00 2001
From: Tommaso Bailetti
Date: Mon, 18 May 2026 16:37:19 +0200
Subject: [PATCH 3/5] added back packages for no reason
---
 config/snort3.conf | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/config/snort3.conf b/config/snort3.conf
index 2d1db92d6..346514054 100644
--- a/config/snort3.conf
+++ b/config/snort3.conf
@@ -2,5 +2,9 @@ CONFIG_PACKAGE_gperftools=y
 CONFIG_PACKAGE_vectorscan=y
 CONFIG_PACKAGE_libunwind=y
 CONFIG_PACKAGE_kmod-nfnetlink-queue=y
+CONFIG_PACKAGE_kmod-nft-queue=y
+CONFIG_PACKAGE_libdaq3=y
+CONFIG_PACKAGE_libdnet=y
+CONFIG_PACKAGE_libhwloc=y
 CONFIG_PACKAGE_libpciaccess=y
 CONFIG_PACKAGE_snort3=y
From 9efa96959feecc9887f2039bfddc188d9d95b22e Mon Sep 17 00:00:00 2001
From: Tommaso Bailetti
Date: Mon, 18 May 2026 17:04:58 +0200
Subject: [PATCH 4/5] removed jail, removed unused patch
---
 packages/snort3/files/snort.init | 16 ++++-----
 ...OMPILE_LIT-to-work-around-upstream-b.patch | 34 -------------------
 2 files changed, 8 insertions(+), 42 deletions(-)
 delete mode 100644 packages/snort3/patches/100-remove-HAVE_HS_COMPILE_LIT-to-work-around-upstream-b.patch
diff --git a/packages/snort3/files/snort.init b/packages/snort3/files/snort.init
index 9e250f36a..00d872ffa 100644
--- a/packages/snort3/files/snort.init
+++ b/packages/snort3/files/snort.init
@@ -110,14 +110,14 @@ start_service() {
 procd_set_param env SNORT_LUA_PATH="$config_dir"
 procd_set_param file $CONFIGFILE
 fi
- [ -x /sbin/ujail -a -e /etc/capabilities/snort.json ] && {
- chown -R snort:snort "$config_dir"
- procd_add_jail snort
- procd_set_param capabilities /etc/capabilities/snort.json
- procd_set_param user snort
- procd_set_param group snort
- procd_set_param no_new_privs 1
- }
+ # [ -x /sbin/ujail -a -e /etc/capabilities/snort.json ] && {
+ # chown -R snort:snort "$config_dir"
+ # procd_add_jail snort
+ # procd_set_param capabilities /etc/capabilities/snort.json
+ # procd_set_param user snort
+ # procd_set_param group snort
+ # procd_set_param no_new_privs 1
+ # }
 procd_set_param respawn
 procd_set_param stdout 1
 procd_set_param stderr 1
diff --git a/packages/snort3/patches/100-remove-HAVE_HS_COMPILE_LIT-to-work-around-upstream-b.patch b/packages/snort3/patches/100-remove-HAVE_HS_COMPILE_LIT-to-work-around-upstream-b.patch
deleted file mode 100644
index 23b8e20cf..000000000
--- a/packages/snort3/patches/100-remove-HAVE_HS_COMPILE_LIT-to-work-around-upstream-b.patch
+++ /dev/null
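Review bot: The jail block is commented out rather than deleted, which leaves eight dead lines in start_service and no record of what actually failed; if ujail is being dropped, remove the lines (history keeps them), and if it is meant to return, replace them with one comment such as `# ujail disabled: <describe the failure seen when snort ran in the jail>` so the next person knows what to test. The same block is toggled again by the last commit of this series, so the two commits should be squashed into a single decision rather than a back-and-forth. start_service continues outside the hunk.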
@@ -1,34 +0,0 @@
-From bf87399e720ec5e5adf9d74a17d86781b1e41428 Mon Sep 17 00:00:00 2001
-From: graysky
-Date: Mon, 8 Jan 2024 13:00:28 -0500
-Subject: [PATCH] Hack: fix build with hyperscan
-
-Workaround to build until upstream bug is fixed[1].
-
-1. https://github.com/intel/hyperscan/issues/388
-
---
- cmake/sanity_checks.cmake | 1 -
- config.cmake.h.in | 1 -
- 2 files changed, 2 deletions(-)
-
---- a/cmake/sanity_checks.cmake
-+++ b/cmake/sanity_checks.cmake
-@@ -136,7 +136,6 @@ if (HS_FOUND)
- cmake_push_check_state(RESET)
- set(CMAKE_REQUIRED_INCLUDES ${HS_INCLUDE_DIRS})
- set(CMAKE_REQUIRED_LIBRARIES ${HS_LIBRARIES})
-- check_function_exists(hs_compile_lit HAVE_HS_COMPILE_LIT)
- cmake_pop_check_state()
- endif()
- endif()
---- a/config.cmake.h.in
-+++ b/config.cmake.h.in
-@@ -127,7 +127,6 @@
-
- /* hyperscan available */
- #cmakedefine HAVE_HYPERSCAN 1
--#cmakedefine HAVE_HS_COMPILE_LIT 1
-
- /* iconv available */
- #cmakedefine HAVE_ICONV 1
From 7f7da2dcfe969e1b06473bf6c81ee9e887f3039e Mon Sep 17 00:00:00 2001
From: Tommaso Bailetti
Date: Tue, 19 May 2026 14:10:09 +0200
Subject: [PATCH 5/5] removed capabilities, snort seems not to like running inside a jail
---
 packages/snort3/Makefile | 3 ---
 packages/snort3/files/snort.init | 16 ++++++++--------
 packages/snort3/files/snort.json | 27 ---------------------------
 3 files changed, 8 insertions(+), 38 deletions(-)
 delete mode 100644 packages/snort3/files/snort.json
diff --git a/packages/snort3/Makefile b/packages/snort3/Makefile
index cf3078978..96788c744 100644
--- a/packages/snort3/Makefile
+++ b/packages/snort3/Makefile
@@ -112,9 +112,6 @@ define Package/snort3/install
 $(INSTALL_DIR) $(1)/etc/config
 $(INSTALL_CONF) ./files/snort.config $(1)/etc/config/snort
-
- $(INSTALL_DIR) $(1)/etc/capabilities
- $(INSTALL_CONF) ./files/snort.json $(1)/etc/capabilities/snort.json
 endef
 $(eval $(call BuildPackage,snort3))
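Review bot: Dropping `$(INSTALL_CONF) ./files/snort.json $(1)/etc/capabilities/snort.json` removes the capability file, but the snort.init hunk in this same commit re-activates the `[ -x /sbin/ujail -a -e /etc/capabilities/snort.json ] && { … }` block, so the jail now hinges on a file the package no longer ships: on a fresh install the block never runs, while on a device where a copy of `/etc/capabilities/snort.json` survives from the earlier release (for instance kept across a sysupgrade) snort is jailed again, which is exactly the configuration the commit message says does not work. Either delete the block from snort.init together with the file, or keep the file and fix the jail; the existence guard alone does not express the decision and leaves the outcome dependent on leftover state. If `procd_set_param user snort`/`group snort` are wanted without a jail, that is a separate change that needs the capability handling revisited. Package/snort3/install starts outside the hunk.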
diff --git a/packages/snort3/files/snort.init b/packages/snort3/files/snort.init
index 00d872ffa..9e250f36a 100644
--- a/packages/snort3/files/snort.init
+++ b/packages/snort3/files/snort.init
@@ -110,14 +110,14 @@ start_service() {
 procd_set_param env SNORT_LUA_PATH="$config_dir"
 procd_set_param file $CONFIGFILE
 fi
- # [ -x /sbin/ujail -a -e /etc/capabilities/snort.json ] && {
- # chown -R snort:snort "$config_dir"
- # procd_add_jail snort
- # procd_set_param capabilities /etc/capabilities/snort.json
- # procd_set_param user snort
- # procd_set_param group snort
- # procd_set_param no_new_privs 1
- # }
+ [ -x /sbin/ujail -a -e /etc/capabilities/snort.json ] && {
+ chown -R snort:snort "$config_dir"
+ procd_add_jail snort
+ procd_set_param capabilities /etc/capabilities/snort.json
+ procd_set_param user snort
+ procd_set_param group snort
+ procd_set_param no_new_privs 1
+ }
 procd_set_param respawn
 procd_set_param stdout 1
 procd_set_param stderr 1
diff --git a/packages/snort3/files/snort.json b/packages/snort3/files/snort.json
deleted file mode 100644
index aacfd7e16..000000000
--- a/packages/snort3/files/snort.json
+++ /dev/null
@@ -1,27 +0,0 @@
-{
- "bounding": [
- "CAP_NET_ADMIN",
- "CAP_NET_RAW",
- "CAP_IPC_LOCK"
- ],
- "effective": [
- "CAP_NET_ADMIN",
- "CAP_NET_RAW",
- "CAP_IPC_LOCK"
- ],
- "ambient": [
- "CAP_NET_ADMIN",
- "CAP_NET_RAW",
- "CAP_IPC_LOCK"
- ],
- "permitted": [
- "CAP_NET_ADMIN",
- "CAP_NET_RAW",
- "CAP_IPC_LOCK"
- ],
- "inheritable": [
- "CAP_NET_ADMIN",
- "CAP_NET_RAW",
- "CAP_IPC_LOCK"
- ]
-}