debian/0000755000000000000000000000000012257774710007202 5ustar debian/copyright0000644000000000000000000000711012204702126011114 0ustar This work was packaged for Debian by: Pierre Chifflier on Sat, 30 Jan 2010 18:25:05 +0100 It was downloaded from http://www.openinfosecfoundation.org/ Copyright: Open Information Security Foundation Team License: This program is free software; you can redistribute it and/or modify it under the terms of the GNU Library General Public License version 2 as published by the Free Software Foundation see `/usr/share/common-licenses/GPL-2'. The Debian packaging is: Copyright (C) 2010 Pierre Chifflier and is licensed under the GPL version 2, see `/usr/share/common-licenses/GPL-2'. Other files/licences: src/queue.h is Copyright (c) 1991, 1993 The Regents of the University of California and is licensed under BSD (3-clause) license. src/util-fix_checksum.h src/util-fix_checksum.c are Copyright (c) 2001 Daniel Hartmeier, Copyright (c) 2002 - 2008 Henning Brauer and are licensed under BSD (2-clause) license. 
src/action-globals.h src/alert-debuglog.c src/alert-debuglog.h src/alert-fastlog.c src/alert-fastlog.h src/alert-unified-alert.c src/alert-unified-alert.h src/alert-unified-log.c src/alert-unified-log.h src/app-layer-detect-proto.c src/app-layer-http.c src/app-layer-parser.c src/app-layer-tls.c src/debug.h src/decode.c src/decode-ethernet.c src/decode-ethernet.h src/decode-events.h src/decode.h src/decode-icmpv4.c src/decode-icmpv4.h src/decode-icmpv6.c src/decode-icmpv6.h src/decode-ipv4.h src/decode-ipv6.c src/decode-ipv6.h src/decode-sll.c src/decode-sll.h src/decode-tcp.c src/decode-tcp.h src/decode-udp.c src/decode-udp.h src/detect-content.c src/detect-engine-address-ipv4.c src/detect-engine-address-ipv4.h src/detect-engine-address-ipv6.c src/detect-engine-address-ipv6.h src/detect-engine.c src/detect-engine-port.c src/detect-engine-proto.c src/detect-flowvar.c src/detect-pktvar.c src/detect-uricontent.c src/flow-alert-sid.h src/flow-bit.h src/flow.c src/flow.h src/flow-hash.c src/flow-hash.h src/flow-private.h src/flow-queue.c src/flow-queue.h src/flow-util.c src/flow-util.h src/log-httplog.c src/log-httplog.h src/packet-queue.c src/packet-queue.h src/pkt-var.h src/respond-reject.c src/respond-reject.h src/respond-reject-libnet11.c src/respond-reject-libnet11.h src/source-nfq.c src/source-nfq.h src/source-nfq-prototypes.h src/source-pcap.c src/source-pcap-file.c src/source-pcap-file.h src/source-pcap.h src/source-pfring.c src/source-pfring.h src/stream.c src/stream-tcp.c src/stream-tcp.h src/stream-tcp-reassemble.c src/stream-tcp-reassemble.h src/suricata.c src/suricata-common.h src/suricata.h src/threadvars.h src/tm-modules.c src/tmqh-flow.h src/tmqh-nfq.c src/tmqh-nfq.h src/tmqh-packetpool.h src/tmqh-simple.h src/tm-queuehandlers.c src/tm-queuehandlers.h src/util-binsearch.h src/util-bloomfilter.c src/util-bloomfilter-counting.c src/util-bloomfilter-counting.h src/util-bloomfilter.h src/util-cidr.h src/util-hash.c src/util-hash.h src/util-hashlist.c 
src/util-hashlist.h src/util-mpm-b2g.c src/util-mpm-b3g.c src/util-mpm.h src/util-mpm-wumanber.c src/util-mpm-wumanber.h src/util-pool.c src/util-pool.h src/util-print.c src/util-print.h Copyright (c) 2008 by Victor Julien doxygen.cfg Copyright 2005 Dorr H. Clark - Santa Clara University This software source is made available under the "THE BEER-WARE LICENSE" dclark@applmath.scu.edu wrote this file. As long as you retain this notice you can do whatever you want with this stuff. If we meet some day, and you think this stuff is worth it, you can buy me a beer in return. - Dorr H. Clark debian/suricata.manpages0000644000000000000000000000002212204702126012504 0ustar debian/suricata.8 debian/compat0000644000000000000000000000000212204702126010360 0ustar 9 debian/control0000644000000000000000000000253612257773543010616 0ustar Source: suricata Section: net Priority: optional Maintainer: Pierre Chifflier Build-Depends: debhelper (>= 9), autotools-dev, dh-autoreconf, libhtp-dev (>= 0.2.3), libhtp-dev (<< 0.5), libnet1-dev | libnet-dev, libnspr4-dev, libnss3-dev, libpcap-dev, libpcre3-dev, libyaml-dev, libnetfilter-queue-dev, libprelude-dev, zlib1g-dev | libz-dev, libcap-ng-dev, libmagic-dev, libjansson-dev, libluajit-5.1-dev [i386 amd64 powerpc mips armel armhf], python X-Python-Version: >= 2.6 Standards-Version: 3.9.5 Homepage: http://www.openinfosecfoundation.org/ Package: suricata Architecture: any Depends: ${shlibs:Depends}, ${misc:Depends}, ${python:Depends} Conflicts: libhtp1 (>= 0.5) Recommends: oinkmaster, snort-rules-default, python Description: Next Generation Intrusion Detection and Prevention Tool Suricata is a network Intrusion Detection System (IDS). It is based on rules (and is fully compatible with snort rules) to detect a variety of attacks / probes by searching packet content. . 
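This new Engine supports Multi-Threading, Automatic Protocol Detection (IP, TCP, UDP, ICMP, HTTP, TLS, FTP and SMB), Gzip Decompression, Fast IP Matching and coming soon hardware acceleration on CUDA and OpenCL GPU cards. . This version has inline (NFQUEUE) support enabled.
debian/rules0000755000000000000000000000323212257773527010267 0ustar
#!/usr/bin/make -f
# -*- makefile -*-
# debian/rules file for Suricata
# Written by Pierre Chifflier
# This file was originally written by Joey Hess and Craig Small.
# As a special exception, when this file is copied by dh-make into a
# dh-make output file, you may use that output file without restriction.
# This special exception was added by Craig Small in version 0.37 of dh-make.

# Verbose debhelper output is enabled; comment this line out to turn it off.
export DH_VERBOSE=1
# Request PIE and immediate symbol binding from dpkg-buildflags in addition to
# its default hardening set. The daemon parses traffic taken straight off the
# wire, so exploit mitigations are worth their small runtime cost here.
export DEB_BUILD_MAINT_OPTIONS=hardening=+pie,+bindnow

DEB_DESTDIR = $(CURDIR)/debian/suricata
ARCH ?= $(shell dpkg --print-architecture)
DEB_HOST_MULTIARCH ?= $(shell dpkg-architecture -qDEB_HOST_MULTIARCH)

# LuaJIT is only enabled on the architectures listed here.
LUAJIT_ARCHS = i386 amd64 powerpc mips armel armhf
# filter compares whole words. findstring did a substring search, so an
# architecture name that is merely a prefix of a list entry (for example
# "arm" inside "armel") also switched LuaJIT on.
ifneq (,$(filter $(ARCH),$(LUAJIT_ARCHS)))
  ENABLE_LUAJIT="--enable-luajit"
endif

# --enable-non-bundled-htp builds against the packaged libhtp rather than a
# bundled copy; --disable-gccmarch-native keeps -march=native out of the build
# so the binary is not tied to the build machine's CPU.
CONFIGURE_ARGS = --enable-af-packet --enable-nfqueue --enable-prelude \
  --enable-non-bundled-htp --enable-gccprotect --disable-gccmarch-native \
  --with-libnss-includes=/usr/include/nss --with-libnss-libraries=/usr/lib/$(DEB_HOST_MULTIARCH) \
  --with-libnspr-includes=/usr/include/nspr --with-libnspr-libraries=/usr/lib/$(DEB_HOST_MULTIARCH) \
  $(ENABLE_LUAJIT)

# Install into the package tree, drop whatever the upstream install put under
# usr/lib/python*, then install the suricatasc control script with the Debian
# layout.
override_dh_auto_install:
	dh_auto_install --destdir=$(DEB_DESTDIR)
	rm -rf $(DEB_DESTDIR)/usr/lib/python*;\
	(cd scripts/suricatasc &&\
	python -B setup.py install --install-layout=deb --prefix $(DEB_DESTDIR)/usr)

# Configure, then derive suricata-debian.yaml from the upstream suricata.yaml
# with default-rule-path pointed at /etc/snort/rules.
override_dh_auto_configure:
	dh_auto_configure -- $(CONFIGURE_ARGS)
	sed \
	  -e 's|^default-rule-path: .*$$|default-rule-path: /etc/snort/rules|' \
	  suricata.yaml > suricata-debian.yaml

# Remove the generated configuration before the standard clean.
override_dh_clean:
	rm -f suricata-debian.yaml
	dh_clean

%:
	dh $@ --parallel --with autotools-dev,autoreconf,python2
debian/changelog0000644000000000000000000001537212257774645011073 0ustar
suricata (1.4.7-1) unstable; urgency=low * Imported Upstream version 1.4.7 * Bump Standards Version to 3.9.5 * Run autoreconf during build to fix some errors caused by different autotools versions -- Pierre Chifflier Sun, 29 Dec 2013 11:29:57 +0100 suricata (1.4.6-1) unstable; urgency=low * Imported Upstream version 1.4.6 -- Pierre Chifflier Sun, 06 Oct 2013 18:52:34 +0200 suricata (1.4.5-1) unstable; urgency=low * Imported Upstream version 1.4.5 * Prepare transition for suricata 2.0 by conflicting with libhtp >= 0.5 -- Pierre Chifflier Tue, 20 Aug 2013 16:44:45 +0200 suricata (1.4.3-1) unstable; urgency=low * Imported Upstream version 1.4.3 -- Pierre Chifflier Thu, 04 Jul 2013 11:50:13 +0200 suricata (1.4.2-1) unstable; urgency=low * Imported Upstream version 1.4.2 -- Pierre Chifflier Wed, 29 May 2013 16:24:52 +0200 suricata (1.4.1-1) unstable; urgency=low * Imported Upstream version 1.4.1 * Install python control script (add dependency on python, and use dh_python2 for build) * Bump Standards Version to 3.9.4 * Fix removal of pid file in init script (Closes: #700547) Thanks to Игорь Козинов . * Add support for af-packet mode in init script (Closes: #697928). Thanks to Jamie Strandboge . 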
-- Pierre Chifflier Tue, 21 May 2013 12:42:45 +0200 suricata (1.4-3) unstable; urgency=low * Add configure flag for luajit only on supported architectures -- Pierre Chifflier Sat, 22 Dec 2012 16:38:41 +0100 suricata (1.4-2) unstable; urgency=low * Fix error in init script, stop trying to manage suricata pid file * Use arch-specific build dependencies for libluajit-5.1-dev, it is not available on all architectures -- Pierre Chifflier Sat, 22 Dec 2012 15:39:57 +0100 suricata (1.4-1) unstable; urgency=low * Imported Upstream version 1.4 * Enable Jansson and LuaJIT support, and add libjansson-dev libluajit-5.1-dev to build-deps * Add python to recommends, for the suricatasc script * Create /var/run/suricata directory when starting daemon -- Pierre Chifflier Fri, 14 Dec 2012 00:02:51 +0100 suricata (1.3.5-1) unstable; urgency=low * Imported Upstream version 1.3.5 -- Pierre Chifflier Thu, 06 Dec 2012 21:13:56 +0100 suricata (1.3.4-1) unstable; urgency=low * Imported Upstream version 1.3.4 -- Pierre Chifflier Sat, 17 Nov 2012 09:56:08 +0100 suricata (1.3.3-1) unstable; urgency=low * Imported Upstream version 1.3.3 -- Pierre Chifflier Sat, 03 Nov 2012 09:38:36 +0100 suricata (1.3.2-1) unstable; urgency=low * Imported Upstream version 1.3.2 -- Pierre Chifflier Sat, 13 Oct 2012 12:18:33 +0200 suricata (1.3-1) unstable; urgency=low * Imported Upstream version 1.3 * Add build-dependency on libnss3-dev and libnspr4-dev * Bump Standards Version to 3.9.3 -- Pierre Chifflier Sun, 22 Jul 2012 22:27:36 +0200 suricata (1.2.1-2) unstable; urgency=low * Use override targets in rules files (Closes: #666330) * Add support for parallel build in debian/rules -- Pierre Chifflier Thu, 12 Apr 2012 01:56:48 +0200 suricata (1.2.1-1) unstable; urgency=low * Imported Upstream version 1.2.1 * Add libmagic-dev to build-deps * Convert to DH version 9 - Switch from hardening-wrapper to dpkg-buildflags -- Pierre Chifflier Mon, 23 Jan 2012 21:47:26 +0100 suricata (1.1.1-2) unstable; urgency=low * Add 
*.config files to default installation * Trigger rebuild with libhtp versioned symbols -- Pierre Chifflier Thu, 05 Jan 2012 08:20:24 +0100 suricata (1.1.1-1) unstable; urgency=low * Imported Upstream version 1.1.1 * Add configure option --enable-af-packet -- Pierre Chifflier Wed, 07 Dec 2011 21:52:53 +0100 suricata (1.1-1) unstable; urgency=low * Imported Upstream version 1.1 * Add instructions on getting new rules using oinkmaster * Add Recommends on oinkmaster * Move snort-rules-default to Recommends -- Pierre Chifflier Thu, 17 Nov 2011 23:20:51 +0100 suricata (1.0.5-1) unstable; urgency=low * Imported Upstream version 1.0.5 -- Pierre Chifflier Wed, 27 Jul 2011 08:20:25 +0200 suricata (1.0.4-1) unstable; urgency=low * Imported Upstream version 1.0.4 * Bump Standards Version to 3.9.2 * Enable hardening-wrapper -- Pierre Chifflier Sat, 25 Jun 2011 13:45:44 +0200 suricata (1.0.3-1) unstable; urgency=low * Imported Upstream version 1.0.3 -- Pierre Chifflier Wed, 13 Apr 2011 16:59:32 +0200 suricata (1.0.2-2) unstable; urgency=low * Add init script (thanks to Edward Fjellskål) * Switch to dpkg-source 3.0 (quilt) format -- Pierre Chifflier Sun, 19 Dec 2010 18:35:50 +0100 suricata (1.0.2-1) unstable; urgency=low * New Upstream version 1.0.2 (Closes: #598389) -- Pierre Chifflier Wed, 29 Sep 2010 10:02:52 +0200 suricata (1.0.1-1) unstable; urgency=low * Imported Upstream version 1.0.1 (Closes: #591559) * Bump Standards version to 3.9.1 * Create /var/log/suricata (Closes: #590861) -- Pierre Chifflier Wed, 11 Aug 2010 14:45:14 +0200 suricata (1.0.0-1) unstable; urgency=low * Imported Upstream version 1.0.0 * Remove arch=native flag from build (Closes: #587714) * Bump Standards version to 3.9.0 -- Pierre Chifflier Thu, 01 Jul 2010 21:28:41 +0200 suricata (0.9.2-1) unstable; urgency=low * Imported Upstream version 0.9.2 -- Pierre Chifflier Sat, 19 Jun 2010 17:39:14 +0200 suricata (0.9.1-1) unstable; urgency=low * Imported Upstream version 0.9.1 * Update watch file -- Pierre 
Chifflier Wed, 26 May 2010 23:09:07 +0200 suricata (0.9.0-1) unstable; urgency=low * Imported Upstream version 0.9.0 * Add libcap-ng-dev to build-deps -- Pierre Chifflier Sun, 09 May 2010 10:43:44 +0200 suricata (0.8.2-1) unstable; urgency=low * Imported Upstream version 0.8.2 * Force selection of external libhtp during build * Enable Prelude support * Update watch file -- Pierre Chifflier Sun, 02 May 2010 10:50:05 +0200 suricata (0.8.0-2) unstable; urgency=low * Update debian/copyright to include all files -- Pierre Chifflier Sun, 21 Feb 2010 21:45:33 +0100 suricata (0.8.0-1) unstable; urgency=low * Initial release (Closes: #563422) -- Pierre Chifflier Sat, 30 Jan 2010 18:25:05 +0100 debian/suricata.dirs0000644000000000000000000000004612204702126011660 0ustar etc/suricata usr/bin var/log/suricata debian/README.Debian0000644000000000000000000000260112204702126011222 0ustar Suricata for Debian ------------------- The engine is an Open Source Next Generation Intrusion Detection and Prevention Tool, not intended to just replace or emulate the existing tools in the industry, but to bring new ideas and technologies to the field. This is considered a beta release. To run the engine with default configuration on interface eth0 (in live mode), run the following command (as root): suricata -c /etc/suricata/suricata.yaml -i eth0 To run in live NFQUEUE mode, use (as root): suricata -c /etc/suricata/suricata.yaml -q $QUEUE_ID You can also run suricata on a PCAP file: suricata -c /etc/suricata/suricata.yaml -r file.pcap Updating Rules -------------- The default configuration uses the snort-rules-default package (with all rules loaded) and has all logging modules activated. You should edit /etc/suricata/suricata.yaml and adjust it to fit your needs. Using rules from the snort-rules-default package will not provide up-to-date rules. The recommended method is to install oinkmaster and configure it to get Emerging Threats (ET), ET Pro or VRT rules. 
Edit ``/etc/oinkmaster.conf`` and use the following URL: http://rules.emergingthreats.net/open/suricata/emerging.rules.tar.gz For more help, see https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Rule_Management_with_Oinkmaster -- Pierre Chifflier Thu, 17 Nov 2011 22:58:00 +0100 debian/suricata.default0000644000000000000000000000126012204702126012342 0ustar # Default config for Suricata # set to yes to start the server in the init.d script RUN=no # Configuration file to load SURCONF=/etc/suricata/suricata-debian.yaml # Listen mode: pcap, nfqueue or af-packet # depending on this value, only one of the two following options # will be used (af-packet uses neither). # Please note that IPS mode is only available when using nfqueue LISTENMODE=nfqueue # Interface to listen on (for pcap mode) IFACE=eth0 # Queue number to listen on (for nfqueue mode) NFQUEUE=0 # Load Google TCMALLOC if libtcmalloc-minimal0 is installed # This _might_ give you very very small performance gain.... TCMALLOC="YES" # Pid file PIDFILE=/var/run/suricata.pid debian/suricata.install0000644000000000000000000000014612204702126012366 0ustar suricata-debian.yaml /etc/suricata classification.config /etc/suricata reference.config /etc/suricata debian/suricata.80000644000000000000000000000426612204702126011076 0ustar .\" Hey, EMACS: -*- nroff -*- .\" First parameter, NAME, should be all caps .\" Second parameter, SECTION, should be 1-8, maybe w/ subsection .\" other parameters are allowed: see man(7), man(1) .TH SURICATA 8 "February 2010" .\" Please adjust this date whenever revising the manpage. 
.\" .\" Some roff macros, for reference: .\" .nh disable hyphenation .\" .hy enable hyphenation .\" .ad l left justify .\" .ad b justify to both left and right margins .\" .nf disable filling .\" .fi enable filling .\" .br insert line break .\" .sp insert n+1 empty lines .\" for manpage-specific macros, see man(7) .SH NAME suricata \- Next Generation Intrusion Detection and Prevention Tool .SH SYNOPSIS .B suricata .RI [ options ] .br .SH DESCRIPTION .B suricata is a network Intrusion Detection System (IDS). It is based on rules (and is fully compatible with snort rules) to detect a variety of attacks / probes by searching packet content. This new Engine supports Multi-Threading, Automatic Protocol Detection (IP, TCP, UDP, ICMP, HTTP, TLS, FTP and SMB), Gzip Decompression, Fast IP Matching and coming soon hardware acceleration on CUDA and OpenCL GPU cards. It supports acquiring packets through NFQUEUE, PCAP (live or offline) etc. .PP .SH OPTIONS .IP "-c config_file" Use configuration file .I config_file .IP "-i interface" Sniff packets on .I interface. .IP "-r file" Read the tcpdump-formatted file .I tcpdump-file. This will cause Suricata to read and process the file fed to it. This is useful for offline analysis. .IP "-q queue_id" Sniff packets sent by the kernel through NFQUEUE. This allows running Suricata in inline mode (IPS) for packets captured by iptables using the NFQUEUE target. .IP "-s signatures" Path to the signatures file. .IP "-l log_dir" Path to the default log directory. .IP "-D" Run as daemon .IP "--init-errors-fatal" Enable fatal failure on signature init error. .SH SEE ALSO .BR tcpdump (1), .BR pcap (3). .SH AUTHOR suricata was written by the Open Information Security Foundation. .PP This manual page was written by Pierre Chifflier , for the Debian project (and may be used by others). 
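debian/source/0000755000000000000000000000000012204702126010462 5ustar
debian/source/format0000644000000000000000000000001412204702126011670 0ustar
3.0 (quilt)
debian/suricata.init0000644000000000000000000001016712204702126011667 0ustar
#!/bin/sh -e
#
### BEGIN INIT INFO
# Provides:          suricata
# Required-Start:    $time $network $local_fs $remote_fs
# Required-Stop:     $remote_fs
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
# Short-Description: Next Generation IDS/IPS
# Description:       Intrusion detection system that will
#                    capture traffic from the network cards and will
#                    match against a set of known attacks.
### END INIT INFO
#
# Usage: suricata {start|stop|restart|force-reload|status}
#
# Settings read from /etc/default/suricata:
#   RUN         must be "yes" or the script does nothing
#   SURCONF     configuration file passed with -c
#   LISTENMODE  nfqueue, pcap or af-packet
#   IFACE       interface for pcap mode
#   NFQUEUE     queue number for nfqueue mode
#   TCMALLOC    "YES" preloads libtcmalloc_minimal when it is installed
#   PIDFILE     pid file passed with --pidfile
#
# The script runs under "sh -e": any command that fails outside a condition
# aborts it, so best-effort commands below are guarded explicitly.

# Source the LSB function library (log_failure_msg).
. /lib/lsb/init-functions

# Load the local settings. Without them there is nothing sensible to run, so
# stop here; the exit status stays 0, as it was when this case fell through
# to the RUN check below.
if test -f /etc/default/suricata; then
  . /etc/default/suricata
else
  echo "/etc/default/suricata is missing... bailing out!" >&2
  exit 0
fi

NAME=suricata
DAEMON=/usr/bin/$NAME

# The administrator has to opt in by setting RUN=yes in /etc/default/suricata.
if [ "x$RUN" != "xyes" ]; then
  log_failure_msg "$NAME disabled, please adjust the configuration to your needs "
  log_failure_msg "and then set RUN to 'yes' in /etc/default/$NAME to enable it."
  exit 0
fi

# Exit with status 4 unless running as root.
check_root() {
  if [ "$(id -u)" != "0" ]; then
    log_failure_msg "You must be root to start, stop or restart $NAME."
    exit 4
  fi
}

# Exit with status 5 when the kernel does not expose NFQUEUE support.
check_nfqueue() {
  if [ ! -e /proc/net/netfilter/nf_queue ]; then
    log_failure_msg "NFQUEUE support not found !"
    log_failure_msg "Please ensure the nfnetlink_queue module is loaded or built in kernel"
    exit 5
  fi
}

# Create /var/run/suricata if it is missing. The mode is given to mkdir
# directly so the directory never exists with umask-derived permissions.
check_run_dir() {
  if [ ! -d /var/run/suricata ]; then
    mkdir -m 0755 /var/run/suricata
  fi
}

# Print the PID stored in file $1 and return 0, or print nothing and return 1
# when the file is unreadable or does not hold a plain integer greater than 1.
# Everything that reaches kill goes through this check: an empty, negative or
# zero value in a damaged pid file would make kill address a process group or
# every process instead of one daemon.
read_pid() {
  pid_value=$(cat "$1" 2>/dev/null) || return 1
  case "$pid_value" in
    '' | *[!0-9]*) return 1 ;;
  esac
  [ "$pid_value" -gt 1 ] 2>/dev/null || return 1
  printf '%s\n' "$pid_value"
}

check_root

# Translate LISTENMODE into the capture options and a label for messages.
case "$LISTENMODE" in
  nfqueue)
    IDMODE="IPS (nfqueue)"
    LISTEN_OPTIONS=" -q $NFQUEUE"
    check_nfqueue
    ;;
  pcap)
    IDMODE="IDS (pcap)"
    LISTEN_OPTIONS=" -i $IFACE"
    ;;
  af-packet)
    IDMODE="IDS (af-packet)"
    LISTEN_OPTIONS=" --af-packet"
    ;;
  *)
    echo "Unsupported listen mode $LISTENMODE, aborting"
    exit 1
    ;;
esac

SURICATA_OPTIONS=" -c $SURCONF --pidfile $PIDFILE $LISTEN_OPTIONS -D"

# See how we were called.
case "$1" in
  start)
    if [ -f "$PIDFILE" ]; then
      PID1=$(read_pid "$PIDFILE") || PID1=""
      if [ -n "$PID1" ] && kill -0 "$PID1" 2>/dev/null; then
        echo "$NAME is already running with PID $PID1"
        exit 0
      fi
    fi
    check_run_dir
    printf '%s' "Starting suricata in $IDMODE mode..."
    if [ -f /usr/lib/libtcmalloc_minimal.so.0 ] && [ "x$TCMALLOC" = "xYES" ]; then
      export LD_PRELOAD="/usr/lib/libtcmalloc_minimal.so.0"
    fi
    # SURICATA_OPTIONS is a flat option string and has to be word-split.
    # The daemon is started in the background, so its exit status is not seen
    # here: " done." only means it was launched. Startup errors end up in
    # /var/log/suricata/suricata-start.log.
    # shellcheck disable=SC2086
    "$DAEMON" $SURICATA_OPTIONS > /var/log/suricata/suricata-start.log 2>&1 &
    echo " done."
    ;;
  stop)
    printf '%s' "Stopping suricata: "
    if [ ! -f "$PIDFILE" ]; then
      echo " No PID file found; not running?"
      exit 0
    fi
    PID2=$(read_pid "$PIDFILE") || PID2=""
    # start-stop-daemon only signals the PID when it runs $DAEMON.
    start-stop-daemon --oknodo --stop --quiet --pidfile="$PIDFILE" --exec "$DAEMON"
    if [ -n "$PID2" ]; then
      # The process may already be gone after the signal above. Under "sh -e"
      # an unguarded failing kill aborted the script before the pid file was
      # removed.
      # NOTE(review): this fallback signals by number alone. With a stale pid
      # file the number may belong to an unrelated process by now - confirm
      # the fallback is still needed next to start-stop-daemon.
      kill "$PID2" 2>/dev/null || true
      sleep 2
      if kill -0 "$PID2" 2>/dev/null; then
        printf '%s' "Waiting . "
        cnt=0
        while kill -0 "$PID2" 2>/dev/null; do
          cnt=$((cnt + 1))
          if [ "$cnt" -gt 10 ]; then
            # Still alive after the grace period: force termination.
            kill -9 "$PID2" 2>/dev/null || true
            break
          fi
          sleep 2
          printf '%s' ". "
        done
      fi
    fi
    rm -f "$PIDFILE"
    echo " done."
    ;;
  status)
    # Exit status follows the LSB convention so that monitoring can tell a
    # stopped sensor from a running one: 0 running, 1 dead with a pid file
    # left behind, 3 not running. Every case used to end in exit 0.
    if [ -s "$PIDFILE" ]; then
      PID3=$(read_pid "$PIDFILE") || PID3=""
      if [ -n "$PID3" ] && kill -0 "$PID3" 2>/dev/null; then
        echo "$NAME is running with PID $PID3"
        exit 0
      fi
      echo "PID file $PIDFILE exists, but process not running!"
      exit 1
    fi
    echo "$NAME not running!"
    exit 3
    ;;
  restart | force-reload)
    "$0" stop
    "$0" start
    ;;
  *)
    echo "Usage: $0 {start|stop|restart|force-reload|status}"
    exit 1
    ;;
esac

exit 0
debian/watch0000644000000000000000000000055512204702126010220 0ustar
# watch control file for uscan
# run the "uscan" command to check for upstream updates and more.
# See uscan(1) for format

# Compulsory line, this is a version 3 file
version=3

# NOTE(review): the upstream URL below is plain http and this file sets no
# signature option, so uscan cannot authenticate the tarball it downloads.
#http://www.openinfosecfoundation.org/downloads/ suricata-([\d\.]*)\.tar\.gz
http://www.openinfosecfoundation.org/index.php/download-suricata [^"]*/download/suricata-([\d\.]*)\.tar\.gz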