chore: updated snort

config/snort3.conf

@@ -1,5 +1,5 @@
-CONFIG_PACKAGE_gperftools-runtime=y
-CONFIG_PACKAGE_hyperscan-runtime=y
+CONFIG_PACKAGE_gperftools=y
+CONFIG_PACKAGE_vectorscan=y
 CONFIG_PACKAGE_libunwind=y
 CONFIG_PACKAGE_kmod-nfnetlink-queue=y
 CONFIG_PACKAGE_kmod-nft-queue=y

packages/snort3/Makefile

@@ -6,12 +6,12 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=snort3
-PKG_VERSION:=3.9.5.0
-PKG_RELEASE:=6
+PKG_VERSION:=3.10.0.0
+PKG_RELEASE:=1
 
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
 PKG_SOURCE_URL:=https://codeload.github.com/snort3/snort3/tar.gz/$(PKG_VERSION)?
-PKG_HASH:=e2e36a8db2c4c26a6ff58ea58839339260319eba25d0eb901ddb7210f4fa4b4c
+PKG_HASH:=fbd6619e612998330f8459486158a3ea571473218628d9011982aaf238e480e2
 
 PKG_MAINTAINER:=W. Michael Petullo <mike@flyn.org>, John Audia <therealgraysky@proton.me>
 PKG_LICENSE:=GPL-2.0-only
@@ -28,8 +28,9 @@ define Package/snort3
   DEPENDS:=+libstdcpp +libdaq3 +libdnet +libopenssl +libpcap +libpcre2 \
     +libpthread +libuuid +zlib +libhwloc +USE_MUSL:libtirpc @HAS_LUAJIT_ARCH +luajit +libatomic \
     +kmod-nft-queue +liblzma +ucode +ucode-mod-fs +ucode-mod-uci \
-    +PACKAGE_gperftools-runtime:gperftools-runtime \
-    +PACKAGE_hyperscan-runtime:hyperscan-runtime
+    +PACKAGE_gperftools:gperftools \
+    +PACKAGE_vectorscan:vectorscan
+  USERID:=snort=975:snort=975
   TITLE:=Lightweight Network Intrusion Detection System
   URL:=http://www.snort.org/
   MENU:=1
@@ -41,6 +42,14 @@ define Package/snort3/description
   and packet logging on IP networks.  It utilizes a combination of protocol
   analysis and pattern matching in order to detect anomalies, misuse and
   attacks.
+
+  Note:
+    When compiling from source, and if your target supports them, optionally
+    enable runtime dependencies for improved performance:
+      - gperftools
+      - vectorscan
+    These are not enabled by default and must be manually selected in menuconfig
+    to take advantage of their benefits.
 endef
 
 CMAKE_OPTIONS += \
@@ -57,9 +66,9 @@ CMAKE_OPTIONS += \
 	-DMAKE_TEXT_DOC:BOOL=NO \
 	-DHAVE_LIBUNWIND=OFF \
 	-DHAVE_LZMA=ON \
-	-DENABLE_TCMALLOC=$(if $(CONFIG_PACKAGE_gperftools-runtime),ON,OFF) \
-	-DENABLE_HYPERSCAN=$(if $(CONFIG_PACKAGE_hyperscan-runtime),ON,OFF) \
-	$(if $(CONFIG_PACKAGE_hyperscan-runtime),-DHS_INCLUDE_DIRS=$(STAGING_DIR)/usr/include/hs)
+	-DENABLE_TCMALLOC=$(if $(CONFIG_PACKAGE_gperftools),ON,OFF) \
+	-DENABLE_HYPERSCAN=$(if $(CONFIG_PACKAGE_vectorscan),ON,OFF) \
+	$(if $(CONFIG_PACKAGE_vectorscan),-DHS_INCLUDE_DIRS=$(STAGING_DIR)/usr/include/hs)
 
 TARGET_CFLAGS += -I$(STAGING_DIR)/usr/include/daq3
 
@@ -103,22 +112,6 @@ define Package/snort3/install
 
 	$(INSTALL_DIR) $(1)/etc/config
 	$(INSTALL_CONF) ./files/snort.config $(1)/etc/config/snort
-
-	sed \
-		-i \
-		-e "/^-- HOME_NET and EXTERNAL_NET/ i -- The values for the two variables HOME_NET and EXTERNAL_NET have been" \
-		-e "/^-- HOME_NET and EXTERNAL_NET/ i -- moved to /etc/config/snort, so do not modify them here without good" \
-		-e "/^-- HOME_NET and EXTERNAL_NET/ i -- reason.\n" \
-		-e 's/^\(HOME_NET\s\+=\)/--\1/g' \
-		-e 's/^\(EXTERNAL_NET\s\+=\)/--\1/g' \
-		$(1)/etc/snort/snort.lua
-	sed \
-		-i -e "s/^\\(RULE_PATH\\s\\+=\\).*/\\1 'rules'/g" \
-		-e "s/^\\(BUILTIN_RULE_PATH\\s\\+=\\).*/\\1 'builtin_rules'/g" \
-		-e "s/^\\(PLUGIN_RULE_PATH\\s\\+=\\).*/\\1 'so_rules'/g" \
-		-e "s/^\\(WHITE_LIST_PATH\\s\\+=\\).*/\\1 'lists'/g" \
-		-e "s/^\\(BLACK_LIST_PATH\\s\\+=\\).*/\\1 'lists'/g" \
-		$(1)/etc/snort/snort_defaults.lua
 endef
 
 $(eval $(call BuildPackage,snort3))

packages/snort3/files/snort.init

@@ -110,6 +110,14 @@ start_service() {
 		procd_set_param env SNORT_LUA_PATH="$config_dir"
 		procd_set_param file $CONFIGFILE
 	fi
+	[ -x /sbin/ujail -a -e /etc/capabilities/snort.json ] && {
+		chown -R snort:snort "$config_dir"
+		procd_add_jail snort
+		procd_set_param capabilities /etc/capabilities/snort.json
+		procd_set_param user snort
+		procd_set_param group snort
+		procd_set_param no_new_privs 1
+	}
 	procd_set_param respawn
 	procd_set_param stdout 1
 	procd_set_param stderr 1

packages/snort3/patches/101-OpenWrt-package-modifications.patch

@@ -0,0 +1,45 @@
+--- a/lua/snort.lua
++++ b/lua/snort.lua
+@@ -19,13 +19,17 @@
+ -- 1. configure defaults
+
+ ---------------------------------------------------------------------------
+
++-- The values for the two variables HOME_NET and EXTERNAL_NET have been
++-- moved to /etc/config/snort, so do not modify them here without good
++-- reason.
++
+ -- HOME_NET and EXTERNAL_NET must be set now
+ -- setup the network addresses you are protecting
+-HOME_NET = 'any'
++--HOME_NET = 'any'
+
+ -- set up the external network addresses.
+ -- (leave as "any" in most situations)
+-EXTERNAL_NET = 'any'
++--EXTERNAL_NET = 'any'
+
+ include 'snort_defaults.lua'
+
+--- a/lua/snort_defaults.lua
++++ b/lua/snort_defaults.lua
+@@ -19,13 +19,13 @@
+
+ ---------------------------------------------------------------------------
+
+ -- Path to your rules files (this can be a relative path)
+-RULE_PATH = '../rules'
+-BUILTIN_RULE_PATH = '../builtin_rules'
+-PLUGIN_RULE_PATH = '../so_rules'
++RULE_PATH = 'rules'
++BUILTIN_RULE_PATH = 'builtin_rules'
++PLUGIN_RULE_PATH = 'so_rules'
+
+ -- If you are using reputation preprocessor set these
+-WHITE_LIST_PATH = '../lists'
+-BLACK_LIST_PATH = '../lists'
++WHITE_LIST_PATH = 'lists'
++BLACK_LIST_PATH = 'lists'
+
+ ---------------------------------------------------------------------------
+ -- default networks - used in Talos rules

packages/snort3/patches/200-cosmetic-advertise-vectorscan-not-hyperscan.patch

@@ -0,0 +1,11 @@
+--- a/src/main/process.cc
++++ b/src/main/process.cc
+@@ -704,7 +704,7 @@ int DisplayBanner()
+     LogMessage("           Copyright (C) 1998-2013 Sourcefire, Inc., et al.\n");
+     LogMessage("           Using DAQ version %s\n", daq_version_string());
+ #ifdef HAVE_HYPERSCAN
+-    LogMessage("           Using Hyperscan version %s\n", hs_version());
++    LogMessage("           Using Vectorscan version %s\n", hs_version());
+ #endif
+ #ifdef HAVE_JEMALLOC
+     const char* jv;