authorAlejandro Pulver <alepulver@FreeBSD.org>2006-10-31 02:43:25 +0000
committerAlejandro Pulver <alepulver@FreeBSD.org>2006-10-31 02:43:25 +0000
commitb529c1e197dbbb9ffa23013e6ee8b6a542152ee0 (patch)
treee250adc9cba58e808978cb21087beb2723e1679f /security/sguil-server
parent0feb54e2eb87a22a5730ff4c0c085c5e4c7ae170 (diff)
downloadports-b529c1e197dbbb9ffa23013e6ee8b6a542152ee0.tar.gz
ports-b529c1e197dbbb9ffa23013e6ee8b6a542152ee0.zip
Notes
Diffstat (limited to 'security/sguil-server')
-rw-r--r--security/sguil-server/Makefile84
-rw-r--r--security/sguil-server/distinfo3
-rw-r--r--security/sguil-server/files/patch-sguild105
-rw-r--r--security/sguil-server/files/patch-sguild.access12
-rw-r--r--security/sguil-server/files/patch-sguild.conf41
-rw-r--r--security/sguil-server/files/pkg-message.in30
-rw-r--r--security/sguil-server/files/sguild.sh.in44
-rw-r--r--security/sguil-server/pkg-descr22
-rw-r--r--security/sguil-server/pkg-plist41
9 files changed, 382 insertions, 0 deletions
diff --git a/security/sguil-server/Makefile b/security/sguil-server/Makefile
new file mode 100644
index 000000000000..8cabebf2708a
--- /dev/null
+++ b/security/sguil-server/Makefile
@@ -0,0 +1,84 @@
+# New ports collection makefile for: sguil-server
+# Date created: 9 Oct 2006
+# Whom: Paul Schmehl <pauls@utdallas.edu>
+#
+# $FreeBSD$
+#
+
+PORTNAME= sguil-server
+PORTVERSION= 0.6.1
+CATEGORIES= security
+MASTER_SITES= ${MASTER_SITE_SOURCEFORGE}
+MASTER_SITE_SUBDIR= sguil
+
+MAINTAINER= pauls@utdallas.edu
+COMMENT= Squil is a network security management program
+
+RUN_DEPENDS= p0f:${PORTSDIR}/net-mgmt/p0f \
+ tcpflow:${PORTSDIR}/net/tcpflow \
+ dtplite:${PORTSDIR}/devel/tcllib \
+ barnyard:${PORTSDIR}/security/barnyard-sguil6 \
+ ${LOCALBASE}/lib/tclx8.4/tclx.tcl:${PORTSDIR}/lang/tclX
+LIB_DEPENDS= tls:${PORTSDIR}/devel/tcltls
+
+NO_BUILD= yes
+USE_RC_SUBR= sguild.sh
+TCLSH_CMD?= ${PREFIX}/bin/tclsh8.4
+SGUILDIR?= sguil-server
+WRKSRC= ${WRKDIR}/sguil-${PORTVERSION}
+PATCH_WRKSRC= ${WRKSRC}/server
+PLIST_SUB= SGUILDIR=${SGUILDIR}
+SUB_FILES= pkg-message
+SUB_LIST= SGUILDIR=${SGUILDIR} TCLSH=${TCLSH_CMD}
+LIBRARIES= SguildAccess.tcl SguildEvent.tcl SguildReportBuilder.tcl \
+ SguildAutoCat.tcl SguildGenericDB.tcl SguildSendComms.tcl \
+ SguildClientCmdRcvd.tcl SguildHealthChecks.tcl SguildSensorAgentComms.tcl \
+ SguildConnect.tcl SguildLoaderd.tcl SguildSensorCmdRcvd.tcl \
+ SguildCreateDB.tcl SguildMysqlMerge.tcl SguildTranscript.tcl \
+ SguildEmailEvent.tcl SguildQueryd.tcl SguildUtils.tcl
+SCRIPTS= create_ruledb.sql update_sguildb_v10-v11.sql update_sguildb_v8-v9.sql \
+ create_sguildb.sql update_sguildb_v5-v6.sql update_sguildb_v9-v10.sql \
+ migrate_event.tcl update_sguildb_v6-v7.sql migrate_sancp.tcl update_sguildb_v7-v8.sql
+CONFS= autocat.conf sguild.access sguild.conf sguild.email sguild.queries sguild.reports sguild.users
+
+PORTDOCS= CHANGES INSTALL INSTALL.openbsd LICENSE.QPL \
+ OPENSSL.README TODO USAGE sguildb.dia
+
+.include <bsd.port.pre.mk>
+
+MYSQLTCL_VER!= cd ${PORTSDIR}/databases/mysqltcl && ${MAKE} -V PORTVERSION
+
+RUN_DEPENDS+= ${LOCALBASE}/lib/mysqltcl-${MYSQLTCL_VER}:${PORTSDIR}/databases/mysqltcl
+
+post-patch:
+.for f in archive_sguildb.tcl sguild contrib/incident_report.tcl
+ @${REINPLACE_CMD} -e 's:exec tclsh:exec ${TCLSH_CMD}:g' ${WRKSRC}/server/${f}
+.endfor
+
+do-install:
+ @${MKDIR} ${PREFIX}/etc/${SGUILDIR}
+ @${MKDIR} ${PREFIX}/lib/${SGUILDIR}
+ @${MKDIR} ${PREFIX}/share/${SGUILDIR}
+.for f in archive_sguildb.tcl sguild
+ ${INSTALL_SCRIPT} -m 751 ${WRKSRC}/server/${f} ${PREFIX}/bin/${f}
+.endfor
+.for f in incident_report.tcl
+ ${INSTALL_SCRIPT} -m 751 ${WRKSRC}/server/contrib/${f} ${PREFIX}/bin/${f}
+.endfor
+.for f in ${CONFS}
+ ${INSTALL_DATA} ${WRKSRC}/server/${f} ${PREFIX}/etc/${SGUILDIR}/${f}-sample
+.endfor
+.for f in ${LIBRARIES}
+ ${INSTALL_DATA} ${WRKSRC}/server/lib/${f} ${PREFIX}/lib/${SGUILDIR}/${f}
+.endfor
+.for f in ${SCRIPTS}
+ ${INSTALL_DATA} ${WRKSRC}/server/sql_scripts/${f} ${PREFIX}/share/${SGUILDIR}/${f}
+.endfor
+post-install:
+.if !defined(NOPORTDOCS)
+ @${MKDIR} ${DOCSDIR}
+ cd ${WRKSRC}/doc && ${INSTALL_DATA} ${PORTDOCS} ${DOCSDIR}
+.endif
+ @${CAT} ${PKGMESSAGE}
+
+.include <bsd.port.post.mk>
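Review bot: The port defines `SGUILDIR?=` and installs under `${PREFIX}`, but the default paths compiled into the daemon come from files/patch-sguild and files/patch-sguild.conf, which hard-code `/usr/local/etc/sguil-server` and `/usr/local/lib/sguil-server/`, so a build with a different PREFIX or SGUILDIR ships a daemon that looks for its config, users and access files somewhere else than where do-install put them. The path hunks of those two patch files would be better dropped in favour of a substitution in post-patch, for example `@${REINPLACE_CMD} -e 's|/etc/sguild|${PREFIX}/etc/${SGUILDIR}|g' ${WRKSRC}/server/sguild` and `@${REINPLACE_CMD} -e 's|^set SGUILD_LIB_PATH .*|set SGUILD_LIB_PATH ${PREFIX}/lib/${SGUILDIR}|' ${WRKSRC}/server/sguild.conf`, with the tcpflow/p0f defaults rewritten against `${LOCALBASE}` the same way. Separately, COMMENT reads `Squil is a network security management program`; the project name is Sguil.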
diff --git a/security/sguil-server/distinfo b/security/sguil-server/distinfo
new file mode 100644
index 000000000000..c551d6ad3998
--- /dev/null
+++ b/security/sguil-server/distinfo
@@ -0,0 +1,3 @@
+MD5 (sguil-server-0.6.1.tar.gz) = 27decbe3c6528bf2c86c74b35b8f7b3b
+SHA256 (sguil-server-0.6.1.tar.gz) = 22aea8f76da0530ae7ee9a68efe1de7615bec47a7702c93f8fe338d57590ce57
+SIZE (sguil-server-0.6.1.tar.gz) = 92901
diff --git a/security/sguil-server/files/patch-sguild b/security/sguil-server/files/patch-sguild
new file mode 100644
index 000000000000..e67292ba27f6
--- /dev/null
+++ b/security/sguil-server/files/patch-sguild
@@ -0,0 +1,105 @@
+--- sguild.orig Tue Mar 28 04:36:05 2006
++++ sguild Tue Mar 28 04:37:10 2006
+@@ -229,7 +229,7 @@
+ package require tls
+ # Check for certs
+ if {![info exists CERTS_PATH]} {
+- set CERTS_PATH /etc/sguild/certs
++ set CERTS_PATH /usr/local/etc/sguil-server/certs
+ }
+ if {![file exists $CERTS_PATH] || ![file isdirectory $CERTS_PATH]} {
+ puts "ERROR: $CERTS_PATH does not exist or is not a directory"
+@@ -251,13 +251,13 @@
+
+ if { ![info exists CONF_FILE] } {
+ # No conf file specified check the defaults
+- if { [file exists /etc/sguild/sguild.conf] } {
+- set CONF_FILE /etc/sguild/sguild.conf
++ if { [file exists /usr/local/etc/sguil-server/sguild.conf] } {
++ set CONF_FILE /usr/local/etc/sguil-server/sguild.conf
+ } elseif { [file exists ./sguild.conf] } {
+ set CONF_FILE ./sguild.conf
+ } else {
+ puts "Couldn't determine where the sguil config file is"
+- puts "Looked for ./sguild.conf and /etc/sguild/sguild.conf."
++ puts "Looked for ./sguild.conf and /usr/local/etc/sguil-server/sguild.conf."
+ DisplayUsage $argv0
+ }
+ }
+@@ -338,17 +338,17 @@
+ # Check for a valid USERS file
+ if { ![info exists USERS_FILE] } {
+ # No users file was specified. Go with the defaults
+- if { [file exists /etc/sguild/sguild.users] } {
+- set USERS_FILE "/etc/sguild/sguild.users"
++ if { [file exists /usr/local/etc/sguil-server/sguild.users] } {
++ set USERS_FILE "/usr/local/etc/sguil-server/sguild.users"
+ } elseif { [file exists ./sguild.users] } {
+ set USERS_FILE "./sguild.users"
+ } else {
+ if { [info exists ADDUSER] && $ADDUSER } {
+- CreateUsersFile "/etc/sguild/sguild.users"
++ CreateUsersFile "/usr/local/etc/sguil-server/sguild.users"
+ } else {
+ set DEBUG 2
+ LogMessage "ERROR: Could not find a sguild.users file."
+- LogMessage " Checked in ./ and /etc/sguild/"
++ LogMessage " Checked in ./ and /usr/local/etc/sguil-server/"
+ DisplayUsage $argv0
+ }
+ }
+@@ -376,8 +376,8 @@
+ # Load accessfile
+ if { ![info exists ACCESS_FILE] } {
+ # Check the defaults
+- if { [file exists /etc/sguild/sguild.access] } {
+- set ACCESS_FILE "/etc/sguild/sguild.access"
++ if { [file exists /usr/local/etc/sguil-server/sguild.access] } {
++ set ACCESS_FILE "/usr/local/etc/sguil-server/sguild.access"
+ } elseif { [file exists ./sguild.access] } {
+ set ACCESS_FILE "./sguild.access"
+ } else {
+@@ -391,8 +391,8 @@
+ }
+ # Load auto cat config
+ if { ![info exists AUTOCAT_FILE] } {
+- if { [file exists /etc/sguild/autocat.conf] } {
+- set AUTOCAT_FILE "/etc/sguild/autocat.conf"
++ if { [file exists /usr/local/etc/sguil-server/autocat.conf] } {
++ set AUTOCAT_FILE "/usr/local/etc/sguil-server/autocat.conf"
+ } else {
+ set AUTOCAT_FILE "./autocat.conf"
+ }
+@@ -402,8 +402,8 @@
+ }
+ # Load email config file
+ if { ![info exists EMAIL_FILE] } {
+- if { [file exists /etc/sguild/sguild.email] } {
+- set EMAIL_FILE "/etc/sguild/sguild.email"
++ if { [file exists /usr/local/etc/sguil-server/sguild.email] } {
++ set EMAIL_FILE "/usr/local/etc/sguil-server/sguild.email"
+ } else {
+ set EMAIL_FILE "./sguild.email"
+ }
+@@ -415,8 +415,8 @@
+ }
+ # Load global queries.
+ if { ![info exists GLOBAL_QRY_FILE] } {
+- if { [file exists /etc/sguild/sguild.queries] } {
+- set GLOBAL_QRY_FILE "/etc/sguild/sguild.queries"
++ if { [file exists /usr/local/etc/sguil-server/sguild.queries] } {
++ set GLOBAL_QRY_FILE "/usr/local/etc/sguil-server/sguild.queries"
+ } else {
+ set GLOBAL_QRY_FILE "./sguild.queries"
+ }
+@@ -428,8 +428,8 @@
+ }
+ # Load report queries.
+ if { ![info exists REPORT_QRY_FILE] } {
+- if { [file exists /etc/sguild/sguild.reports] } {
+- set REPORT_QRY_FILE "/etc/sguild/sguild.reports"
++ if { [file exists /usr/local/etc/sguil-server/sguild.reports] } {
++ set REPORT_QRY_FILE "/usr/local/etc/sguil-server/sguild.reports"
+ } else {
+ set REPORT_QRY_FILE "./sguild.reports"
+ }
diff --git a/security/sguil-server/files/patch-sguild.access b/security/sguil-server/files/patch-sguild.access
new file mode 100644
index 000000000000..97d9becda0de
--- /dev/null
+++ b/security/sguil-server/files/patch-sguild.access
@@ -0,0 +1,12 @@
+--- sguild.access.orig Tue Mar 28 03:36:31 2006
++++ sguild.access Tue Mar 28 03:37:44 2006
+@@ -4,7 +4,8 @@
+ # This file is used by sguild for access control. It is read upon init #
+ # or when sguild receives a HUP signal. #
+ # #
+-# By default, sguild will look first for /etc/sguild/sguild.access, #
++# By default, sguild will look first for #
++# /usrlocal//etc/sguild/sguild.access, #
+ # then ./sguild.access unless the -A /path/to/sguild.access switch #
+ # is used. #
+ # #
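Review bot: The replacement comment text on the new line reads `/usrlocal//etc/sguild/sguild.access`, which is neither the old default nor the path the companion patch-sguild actually compiles in (`/usr/local/etc/sguil-server/sguild.access`); an operator following this header will look in the wrong directory. The line should read `# /usr/local/etc/sguil-server/sguild.access, #`, or better, be left to a PREFIX-aware substitution so it stays in step with the daemon's real default.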
diff --git a/security/sguil-server/files/patch-sguild.conf b/security/sguil-server/files/patch-sguild.conf
new file mode 100644
index 000000000000..6ee211408a0b
--- /dev/null
+++ b/security/sguil-server/files/patch-sguild.conf
@@ -0,0 +1,41 @@
+*** sguild.conf.orig Tue Mar 28 02:38:13 2006
+--- sguild.conf Tue Mar 28 02:39:47 2006
+***************
+*** 2,6 ****
+
+ # Path the sguild libs
+! set SGUILD_LIB_PATH ./lib
+
+ # DEBUG 0=off 1=important stuff 2=everything. Option 2 is VERY chatty.
+--- 2,6 ----
+
+ # Path the sguild libs
+! set SGUILD_LIB_PATH /usr/local/lib/sguil-server/
+
+ # DEBUG 0=off 1=important stuff 2=everything. Option 2 is VERY chatty.
+***************
+*** 61,65 ****
+ # You MUST have tcpflow installed to get xscripts
+ # http://www.circlemud.org/~jelson/software/tcpflow/
+! set TCPFLOW "/usr/bin/tcpflow"
+
+ # p0f - (C) Michal Zalewski <lcamtuf@gis.net>, William Stearns <wstearns@pobox.com>
+--- 61,65 ----
+ # You MUST have tcpflow installed to get xscripts
+ # http://www.circlemud.org/~jelson/software/tcpflow/
+! set TCPFLOW "/usr/local/bin/tcpflow"
+
+ # p0f - (C) Michal Zalewski <lcamtuf@gis.net>, William Stearns <wstearns@pobox.com>
+***************
+*** 72,76 ****
+ # Path the the p0f binary. Switches -q and -s <filename> are appended on exec,
+ # add any others you may need here.
+! set P0F_PATH "/usr/sbin/p0f"
+
+ # Email config moved to sguild.email
+--- 72,76 ----
+ # Path the the p0f binary. Switches -q and -s <filename> are appended on exec,
+ # add any others you may need here.
+! set P0F_PATH "/usr/local/bin/p0f"
+
+ # Email config moved to sguild.email
diff --git a/security/sguil-server/files/pkg-message.in b/security/sguil-server/files/pkg-message.in
new file mode 100644
index 000000000000..533087757019
--- /dev/null
+++ b/security/sguil-server/files/pkg-message.in
@@ -0,0 +1,30 @@
+ ***********************************
+ * !!!!!!!!!!! WARNING !!!!!!!!!!! *
+ ***********************************
+
+If you had existing config files in %%PREFIX%%/etc/%%SGUILDIR%%
+they were not overwritten. If this is a first time install, you
+must copy the sample files to the corresponding conf file and
+edit the various config files for your site. See the INSTALL
+doc in %%DOCSDIR%% for details.
+
+The sql scripts for creating database tables were placed in
+the %%PREFIX%%/share/%%SGUILDIR%%/ directory. PLEASE
+NOTE: LOG_DIR is not set by this install. You MUST create the
+correct LOG_DIRS and put a copy of the snort rules you use in
+LOG_DIR/rules.
+
+The sguild, archive_sguildb.tcl and incident_report.tcl scripts
+were placed in %%PREFIX%%/bin/. The incident_report.tcl
+script is from the contrib section. There is no documentation
+and the script's variables must be edited before it is used.
+
+A startup script, named sguild.sh was installed in
+%%PREFIX%%/etc/rc.d/. To enable it, edit /etc/rc.conf
+per the instructions in the script.
+
+For general questions, see the sguil faq:
+http://sguil.sourceforge.net/index.php?page=faq
+For detailed install instructions see Richard Bejtlich's
+excellent guide at his blog:
+http://taosecurity.blogspot.com/2006/03/new-sguil-scripts-and-vm-i-have-not.html
diff --git a/security/sguil-server/files/sguild.sh.in b/security/sguil-server/files/sguild.sh.in
new file mode 100644
index 000000000000..5b8255ee2e7a
--- /dev/null
+++ b/security/sguil-server/files/sguild.sh.in
@@ -0,0 +1,44 @@
+#!/bin/sh
+
+# PROVIDE: sguild
+# REQUIRE: DAEMON
+# KEYWORD: FreeBSD shutdown
+
+# Add the following lines to /etc/rc.conf to enable sguild:
+# sguild_enable (bool): Set to YES to enable sguild
+# Default: NO
+# sguild_flags (str): Extra flags passed to sguild
+# Default: -D
+# sguild_conf (str): Sguild configuration file
+# Default: %%PREFIX%%/etc/%%SGUILDIR%%/sguild.conf
+
+. %%RC_SUBR%%
+
+name="sguild"
+rcvar=`set_rcvar`
+
+command="%%PREFIX%%/bin/${name}"
+procname="%%TCLSH%%"
+check_process="${command} /bin/sh"
+stop_cmd="sguild_stop"
+
+sguild_enable=${sguild_enable-NO}
+sguild_conf=${sguild_conf-%%PREFIX%%/etc/%%SGUILDIR%%/sguild.conf}
+sguild_flags=${sguild_flags--D}
+[ -n "$sguild_conf" ] && sguild_flags="$sguild_flags -c $sguild_conf"
+
+sguild_stop() {
+ if [ -z "${rc_pid}" ]; then
+ echo "${name} not running?"
+ else
+ echo "Stopping ${name}."
+ `/bin/kill -9 ${rc_pid}`
+ wait_for_pids "${rc_pid}"
+ if [ -f "/var/run/${name}.pid" ]; then
+ `rm -f /var/run/${name}.pid`
+ fi
+ fi
+}
+
+load_rc_config ${name}
+run_rc_command "$1"
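Review bot: In sguild_stop the two action lines are wrapped in backticks, `` `/bin/kill -9 ${rc_pid}` `` and `` `rm -f /var/run/${name}.pid` ``, which runs each command and then tries to execute its (empty) output as a further command; they should be plain `/bin/kill ${rc_pid}` and `rm -f "/var/run/${name}.pid"`. Sending SIGKILL unconditionally also denies the daemon any chance to close its database and client connections cleanly; a TERM first, relying on `wait_for_pids`, is the rc.subr convention, with KILL only as a fallback. If sguild writes `/var/run/sguild.pid` when started with `-D` (not visible here), declaring `pidfile="/var/run/${name}.pid"` would let rc.subr locate the process instead of the `check_process` override and make most of the custom stop routine unnecessary.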
diff --git a/security/sguil-server/pkg-descr b/security/sguil-server/pkg-descr
new file mode 100644
index 000000000000..5a17c0a57b8d
--- /dev/null
+++ b/security/sguil-server/pkg-descr
@@ -0,0 +1,22 @@
+Sguil is an open source tool to implement Network
+Security Monitoring (NSM). NSM is the collection,
+analysis, and escalation of indications and warnings
+to detect and respond to intrusions. NSM tools are
+used more for network audit and specialized
+applications than traditional alert-centric "intrusion
+detection" systems.
+
+Want to learn more about Network Security Monitoring
+(NSM)? Then check out Richard Bejtlich's recently
+released book, The Tao of Network Security Monitoring:
+Beyond Intrusion Detection. An excerpt reads:
+
+"Network security monitoring (NSM) equips security
+staff to deal with the inevitable consequences of too
+few resources and too many responsibilities. NSM collects
+the data needed to generate better assessment, detection,
+and response processes--resulting in decreased impact from
+unauthorized activities."
+
+WWW: http://sguil.sourceforge.net/index.php
+pauls@utdallas.edu
diff --git a/security/sguil-server/pkg-plist b/security/sguil-server/pkg-plist
new file mode 100644
index 000000000000..57c73c729ae5
--- /dev/null
+++ b/security/sguil-server/pkg-plist
@@ -0,0 +1,41 @@
+bin/archive_sguildb.tcl
+bin/incident_report.tcl
+bin/sguild
+etc/%%SGUILDIR%%/autocat.conf-sample
+etc/%%SGUILDIR%%/sguild.access-sample
+etc/%%SGUILDIR%%/sguild.conf-sample
+etc/%%SGUILDIR%%/sguild.email-sample
+etc/%%SGUILDIR%%/sguild.queries-sample
+etc/%%SGUILDIR%%/sguild.reports-sample
+etc/%%SGUILDIR%%/sguild.users-sample
+lib/%%SGUILDIR%%/SguildAccess.tcl
+lib/%%SGUILDIR%%/SguildAutoCat.tcl
+lib/%%SGUILDIR%%/SguildClientCmdRcvd.tcl
+lib/%%SGUILDIR%%/SguildConnect.tcl
+lib/%%SGUILDIR%%/SguildCreateDB.tcl
+lib/%%SGUILDIR%%/SguildEmailEvent.tcl
+lib/%%SGUILDIR%%/SguildEvent.tcl
+lib/%%SGUILDIR%%/SguildGenericDB.tcl
+lib/%%SGUILDIR%%/SguildHealthChecks.tcl
+lib/%%SGUILDIR%%/SguildLoaderd.tcl
+lib/%%SGUILDIR%%/SguildMysqlMerge.tcl
+lib/%%SGUILDIR%%/SguildQueryd.tcl
+lib/%%SGUILDIR%%/SguildReportBuilder.tcl
+lib/%%SGUILDIR%%/SguildSendComms.tcl
+lib/%%SGUILDIR%%/SguildSensorAgentComms.tcl
+lib/%%SGUILDIR%%/SguildSensorCmdRcvd.tcl
+lib/%%SGUILDIR%%/SguildTranscript.tcl
+lib/%%SGUILDIR%%/SguildUtils.tcl
+share/%%SGUILDIR%%/create_ruledb.sql
+share/%%SGUILDIR%%/create_sguildb.sql
+share/%%SGUILDIR%%/migrate_event.tcl
+share/%%SGUILDIR%%/migrate_sancp.tcl
+share/%%SGUILDIR%%/update_sguildb_v5-v6.sql
+share/%%SGUILDIR%%/update_sguildb_v6-v7.sql
+share/%%SGUILDIR%%/update_sguildb_v7-v8.sql
+share/%%SGUILDIR%%/update_sguildb_v8-v9.sql
+share/%%SGUILDIR%%/update_sguildb_v9-v10.sql
+share/%%SGUILDIR%%/update_sguildb_v10-v11.sql
+@dirrm share/%%SGUILDIR%%
+@unexec if [ ! -f %D/etc/%%SGUILDIR%%/sguild.conf ] ; then rmdir %D/etc/%%SGUILDIR%%; fi
+@dirrm lib/%%SGUILDIR%%
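Review bot: The `@unexec` line only checks for `sguild.conf` before running `rmdir` on `etc/%%SGUILDIR%%`, but the message file tells users to create six other config files there (sguild.access, sguild.users, autocat.conf, …), so a deinstall on a host with, say, only sguild.users customised will print an rmdir error. Checking that the directory is empty is more robust: `@unexec rmdir %D/etc/%%SGUILDIR%% 2>/dev/null || true`. It may also be worth noting in pkg-message that the `certs` directory the daemon expects under the same path is not created or removed by the port.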