authorBen Woods <woodsb02@FreeBSD.org>2016-08-30 23:37:47 +0000
committerBen Woods <woodsb02@FreeBSD.org>2016-08-30 23:37:47 +0000
commit5c0b9925d752abcab5ade7db426d633f3ee7ed4e (patch)
tree422f287f2796ccd59f86d7612cc633f94446172f /security/snort2pfcd
parentbbd7e02a9bdfc5d10ec03ddb1ff2ae09aa44f9d5 (diff)
Add new port security/snort2pfcd, which analyzes snort alert output and
blocks ip addresses using pf for a specified period of time. PR: 211813 Submitted by: onestsam@gmail.com Reviewed by: adamw, mat (mentors) Approved by: koobs (mentor) Differential Revision: https://reviews.freebsd.org/D7712
Notes
Notes: svn path=/head/; revision=421135
Diffstat (limited to 'security/snort2pfcd')
-rw-r--r--security/snort2pfcd/Makefile22
-rw-r--r--security/snort2pfcd/distinfo3
-rw-r--r--security/snort2pfcd/files/patch-Makefile11
-rw-r--r--security/snort2pfcd/files/snort2pfcd.in47
-rw-r--r--security/snort2pfcd/pkg-descr3
5 files changed, 86 insertions, 0 deletions
diff --git a/security/snort2pfcd/Makefile b/security/snort2pfcd/Makefile
new file mode 100644
index 000000000000..c4de2c6eb6ce
--- /dev/null
+++ b/security/snort2pfcd/Makefile
@@ -0,0 +1,22 @@
+# $FreeBSD$
+
+PORTNAME= snort2pfcd
+PORTVERSION= 0.5
+CATEGORIES= security
+MASTER_SITES= http://www.tworoutes.com/oss/
+
+MAINTAINER= onestsam@gmail.com
+COMMENT= Snort alert to pf blocker
+
+LIB_DEPENDS= libcidr.so:devel/libcidr
+RUN_DEPENDS= snort:security/snort
+
+USE_RC_SUBR= snort2pfcd
+PLIST_FILES= man/man8/snort2pfcd.8.gz \
+ sbin/snort2pfcd
+
+do-install:
+ ${INSTALL_PROGRAM} ${WRKSRC}/snort2pfcd ${STAGEDIR}${PREFIX}/sbin
+ ${INSTALL_MAN} ${WRKSRC}/snort2pfcd.8.gz ${STAGEDIR}${MAN8PREFIX}/man/man8
+
+.include <bsd.port.mk>
diff --git a/security/snort2pfcd/distinfo b/security/snort2pfcd/distinfo
new file mode 100644
index 000000000000..063ae6255d3a
--- /dev/null
+++ b/security/snort2pfcd/distinfo
@@ -0,0 +1,3 @@
+TIMESTAMP = 1472559141
+SHA256 (snort2pfcd-0.5.tar.gz) = ea2f3df7bfbad5ecce7a266df89c4102cf5e92fa72869615925ca15631064dfe
+SIZE (snort2pfcd-0.5.tar.gz) = 9321
diff --git a/security/snort2pfcd/files/patch-Makefile b/security/snort2pfcd/files/patch-Makefile
new file mode 100644
index 000000000000..94561dbff8db
--- /dev/null
+++ b/security/snort2pfcd/files/patch-Makefile
@@ -0,0 +1,11 @@
+--- Makefile.orig 2016-08-30 14:07:38 UTC
++++ Makefile
+@@ -1,7 +1,7 @@
+ PROG= snort2pfcd
+ SRCS= main.c parser.c kevent.c spfc.c ioctl_helpers.c
+ MAN= ${PROG}.8
+-CFLAGS+=-Wall -Werror -pedantic
++CFLAGS+=-Wall -pedantic -I${LOCALBASE}/include
+ LDFLAGS+=-lutil -L${LOCALBASE}/lib -lcidr
+
+ .include <bsd.prog.mk>
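Review bot: Dropping `-Werror` on the `CFLAGS+=` line silences every compiler warning for the port build rather than the one that presumably broke with `-pedantic`, and nothing in the patch or the commit message says which diagnostic motivated it. If a single warning is the problem, a narrower `-Wno-<flag>` (flag name to be filled in by the maintainer) keeps the remaining warnings fatal; otherwise a line of explanation above the `--- Makefile.orig` header, which patch files may carry, would tell the next maintainer why it was removed. The `-lutil -L${LOCALBASE}/lib -lcidr` in LDFLAGS is upstream's context line and is not touched by this change.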
diff --git a/security/snort2pfcd/files/snort2pfcd.in b/security/snort2pfcd/files/snort2pfcd.in
new file mode 100644
index 000000000000..6b381a276747
--- /dev/null
+++ b/security/snort2pfcd/files/snort2pfcd.in
@@ -0,0 +1,47 @@
+#!/bin/sh
+
+# $FreeBSD$
+#
+# PROVIDE: snort2pfcd
+# REQUIRE: DAEMON pf snort
+# KEYWORD: shutdown
+
+. /etc/rc.subr
+
+name="snort2pfcd"
+rcvar=${name}_enable
+pidfile="/var/run/${name}.pid"
+command="%%PREFIX%%/sbin/${name}"
+start_cmd="${name}_start"
+stop_cmd="${name}_stop"
+required_modules="pf"
+
+snort2pfcd_start()
+{
+ echo "Starting ${name}..."
+ if [ $(sysctl -n kern.securelevel) != "3" ]; then
+ ${command} ${snort2pfcd_flags}
+ else
+ echo "${name} cannot operate on pf at securelevel 3"
+ fi
+
+ if [ -f ${pidfile} ]; then
+ echo "${name} successfully started"
+ else
+ echo "${name} statup failed"
+ fi
+}
+
+snort2pfcd_stop()
+{
+ if [ -f ${pidfile} ]; then
+ echo "Stopping ${name}..."
+ kill $(cat ${pidfile})
+ rm ${pidfile}
+ else
+ echo "${name} is not running?"
+ fi
+}
+
+load_rc_config ${name}
+run_rc_command "$1"
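Review bot: `snort2pfcd_stop` kills whatever PID the pidfile names without checking that it still belongs to `${command}`, and removes the pidfile even when `kill` fails, so a stale pidfile left by a crash can signal an unrelated process that reused the PID, while a failed kill leaves the daemon running with the script reporting it stopped. rc.subr's built-in stop handler already does this safely through check_pidfile (matches the PID against the command name) and wait_for_pids, so the custom `start_cmd`/`stop_cmd` can be dropped in favour of the defaults plus a `start_precmd` that keeps the securelevel refusal; this also makes `status` and `restart` work. The start path has the mirror weakness: it prints "successfully started" as soon as any pidfile exists, including a stale one, and the `statup failed` message has a typo. This assumes the daemon writes `/var/run/snort2pfcd.pid` itself, which the post-start file check suggests but the hunk does not confirm; if it does not, the script would need to wrap `command` with daemon(8) so a pidfile is produced.
```sh
# … unchanged: shebang, $FreeBSD$ and PROVIDE/REQUIRE/KEYWORD header, . /etc/rc.subr …
name="snort2pfcd"
rcvar=${name}_enable
pidfile="/var/run/${name}.pid"
command="%%PREFIX%%/sbin/${name}"
required_modules="pf"
start_precmd="${name}_precmd"

# Default rc.subr start/stop handlers are used on purpose: stop verifies the
# pidfile's PID against $command (check_pidfile) and waits for it to exit
# (wait_for_pids); start passes ${snort2pfcd_flags} via rc_flags.
snort2pfcd_precmd()
{
	if [ "$(sysctl -n kern.securelevel)" = "3" ]; then
		err 1 "${name} cannot operate on pf at securelevel 3"
	fi
}

# … unchanged: load_rc_config / run_rc_command …
```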
diff --git a/security/snort2pfcd/pkg-descr b/security/snort2pfcd/pkg-descr
new file mode 100644
index 000000000000..6f0d8137f3b2
--- /dev/null
+++ b/security/snort2pfcd/pkg-descr
@@ -0,0 +1,3 @@
+Analyzes snort alert output and blocks ip addresses using pf for a specified
+period of time. A whitelist is specified in CIDR format to exclude local and
+trusted ip address from being blocked.