authorJukka Ruohonen <drear@iki.fi>2007-11-10 16:12:14 +0000
committerJukka Ruohonen <drear@iki.fi>2007-11-10 16:12:14 +0000
commitca23bb687d4ae6b664733e74c7568405264e3d10 (patch)
tree88a11089819756c02e178f1c281dfdc8e9e5a089 /net-analyzer/honeytrap
parentnew USE flags for net-analyzer/honeytrap (diff)
net-analyzer/honeytrap: Version bump. Thanks to aballier for help with autotools and masterdriverz for a quick review.
svn path=/sunrise/; revision=5043
Diffstat (limited to 'net-analyzer/honeytrap')
-rw-r--r--net-analyzer/honeytrap/ChangeLog6
-rw-r--r--net-analyzer/honeytrap/Manifest9
-rw-r--r--net-analyzer/honeytrap/files/honeytrap-1.0.0-autoconf.patch74
-rw-r--r--net-analyzer/honeytrap/files/honeytrap.conf157
-rw-r--r--net-analyzer/honeytrap/files/honeytrap.initd13
-rw-r--r--net-analyzer/honeytrap/honeytrap-1.0.0.ebuild135
6 files changed, 337 insertions, 57 deletions
diff --git a/net-analyzer/honeytrap/ChangeLog b/net-analyzer/honeytrap/ChangeLog
index a7a8f7336..4fa67b322 100644
--- a/net-analyzer/honeytrap/ChangeLog
+++ b/net-analyzer/honeytrap/ChangeLog
@@ -2,6 +2,12 @@
# Copyright 1999-2007 Gentoo Foundation; Distributed under the GPL v2
# $Header: $
+ 10 Nov 2007; Jukka Ruohonen <drear@iki.fi>
+ +files/honeytrap-1.0.0-autoconf.patch, files/honeytrap.conf,
+ files/honeytrap.initd, +honeytrap-1.0.0.ebuild:
+ Version bump. Thanks to aballier for help with autotools and masterdriverz
+ for a quick review.
+
24 Jun 2007; Jakub Moc <jakub@gentoo.org> honeytrap-0.6.4.ebuild:
Move lots of stuff to pkg_setup; use linux-info eclass instead of ewarns,
default to iptables if no monitor backend is selected, cosmetics
diff --git a/net-analyzer/honeytrap/Manifest b/net-analyzer/honeytrap/Manifest
index 85bc4dad4..27e1bde05 100644
--- a/net-analyzer/honeytrap/Manifest
+++ b/net-analyzer/honeytrap/Manifest
@@ -1,7 +1,10 @@
-AUX honeytrap.conf 2018 RMD160 d12898a960f2c6bdcd24b8efdf233e850fd8da6c SHA1 4e873da666dce22df61dae35961a6316b6e5c912 SHA256 eaac73cbb94f5f1c7b51f7c7637a2cf380c11be006cf26d4a66619a94c1588a2
+AUX honeytrap-1.0.0-autoconf.patch 2576 RMD160 f7737b643cb010e7bf8ef8338fbaa71e2b2eba46 SHA1 07cfdd86dbb252885e5912b430f6de8ba82ee54c SHA256 083be38d8f2af86fd6d576017ec35e759ce97d2601f04805e410d2441cff8a22
+AUX honeytrap.conf 2450 RMD160 17f419cbcf7f4ed89d001b655a5e7c5c91662c9e SHA1 5d0e20a62754a5dc0159edb06f9f6dfe05ad7909 SHA256 e7802927f7146dde69d8420142cf00c8e739120cf84ca8ff8f00e6b8df9033df
AUX honeytrap.confd 614 RMD160 07a1eee2c255be2cdea329bc272e4d0eb08e4fc4 SHA1 35a55b503f934d8f911aa696ae220192b2d40720 SHA256 ba34016ec19f670dc679060e33eb79ca89927f67a2d8c1adf459b0486ed67974
-AUX honeytrap.initd 709 RMD160 e9e34b24b829476a337b3acc0f91408211bc074c SHA1 d86cd0d4dac74c65ec93527276b05230f086b04d SHA256 376addc165212da0db7b6887027e19f36f3846da5ae3928d4ff29aaa6418a327
+AUX honeytrap.initd 787 RMD160 db044b2b11690fa5eed0eb3aa1c9f6358d5cac7f SHA1 958b49a8026bc5dec58925c8f16217e7177cb025 SHA256 d28c0943cf9fd0f2d3c521f4864112e2ab74aae87e4c563a069cf4170737a5c4
DIST honeytrap-0.6.4.tar.bz2 253145 RMD160 00af82f6018a0d124636164fa68b14548231097e SHA1 d0a76c559d94ca97ca97a7a6b101738f0f0611c0 SHA256 e693c50dad5745e2fac594ee4e1234e9bbcd80b757b8b6d1a126d6d9381bdac4
+DIST honeytrap-1.0.0.tar.bz2 574018 RMD160 1d4901f6b91459b6ef058e766c78803cb8114dd3 SHA1 e49306c4b7a8176c497155523176a2d657c2febf SHA256 b4066fb504e76d0b060c0ab839997e743dae13ad5f41cf6d8731b7154e47f451
EBUILD honeytrap-0.6.4.ebuild 3171 RMD160 ff8cad13468be4995f92a3cfc1cb8a2e0b7caec9 SHA1 0cf18e9bb35f06632806fcc16c130a1913b2fb16 SHA256 271b05b20dc4817d35cd51db97ae9c24ecf80e511e99074ebee11a8596b1696c
-MISC ChangeLog 648 RMD160 dda03d9e1d6416e76d1cded2e56f42064dfe6062 SHA1 b737500200d95e7dc049c100bb0a42fcddd4ac23 SHA256 16d1e79541954410f997da151711bf6336d21b94306b6146bfd09a370a1d222e
+EBUILD honeytrap-1.0.0.ebuild 4451 RMD160 36185d22aeea78d68d18f2c2d60997cb9bb38c37 SHA1 46f43248f415d8244840aa261bd36047005b1498 SHA256 d4d89d021161a0e3c4f9faba9562851613d38db540b3c1b564fa789f7f33ab47
+MISC ChangeLog 906 RMD160 3d85471feb850e7b77a17f2ddc0c0f3a32171d50 SHA1 7102825ea61232ba70b95dfe5f66333ca2b42425 SHA256 df7005df1ff2f4e12b51093ccec28ce82661759aedfb758f3ae5889a8ea5074c
MISC metadata.xml 170 RMD160 645927a396fdc21cdeb089fe42c5397332420ea6 SHA1 ac7f48a14fec325926f9ce1be8fbf1f311b4f2e4 SHA256 d797a2ec6f9dc516c9f9c1a758ee87ad3e8c43101b5dc76c2f872d5bd4639b42
diff --git a/net-analyzer/honeytrap/files/honeytrap-1.0.0-autoconf.patch b/net-analyzer/honeytrap/files/honeytrap-1.0.0-autoconf.patch
new file mode 100644
index 000000000..4d569fa0d
--- /dev/null
+++ b/net-analyzer/honeytrap/files/honeytrap-1.0.0-autoconf.patch
@@ -0,0 +1,74 @@
+diff -ur honeytrap-1.0.0/configure.in honeytrap-1.0.0.new/configure.in
+--- honeytrap-1.0.0/configure.in 2007-10-27 14:22:14.000000000 +0300
++++ honeytrap-1.0.0.new/configure.in 2007-11-10 14:40:27.000000000 +0200
+@@ -76,35 +76,41 @@
+ CFLAGS="$CFLAGS -Wall"
+ fi
+
+-AC_ARG_ENABLE(debug,
+-[ --enable-debug enable debugging options (bugreports and developers only)],
+- [ if test -n "$GCC"; then
+- CFLAGS="-O0 -DDEBUG -g"
+- else
+- CFLAGS="$CFLAGS -DDEBUG"
+- fi
+- enable_debug="X"
+- ], enable_debug=" ")
+-
+-AC_ARG_ENABLE(profile,
+-[ --enable-profile enable profiling options (developers only)],
+- [ if test -n "$GCC"; then
+- CFLAGS="$CFLAGS -DPROFILE -pg"
+- else
+- CFLAGS="$CFLAGS -DPROFILE"
+- fi
+- enable_profile="X"
+- ], enable_profile=" ")
+-AC_ARG_ENABLE(devmodules,
+-[ --enable-devmodules enable unstable modules (not recommended for production setups)],
+- [ if test -n "$GCC"; then
+- CFLAGS="-O0 -DDEBUG -g"
+- else
+- CFLAGS="$CFLAGS -DDEBUG"
+- fi
+- enable_devmodules="X"
+- ], enable_devmodules=" ")
+-
++if test "${enable_debug}" = "yes" ; then
++ AC_ARG_ENABLE(debug,
++ [ --enable-debug enable debugging options (bugreports and developers only)],
++ [ if test -n "$GCC"; then
++ CFLAGS="-O0 -DDEBUG -g"
++ else
++ CFLAGS="$CFLAGS -DDEBUG"
++ fi
++ enable_debug="X"
++ ], enable_debug=" ")
++fi
++
++if test "${enable_profile}" = "yes" ; then
++ AC_ARG_ENABLE(profile,
++ [ --enable-profile enable profiling options (developers only)],
++ [ if test -n "$GCC"; then
++ CFLAGS="$CFLAGS -DPROFILE -pg"
++ else
++ CFLAGS="$CFLAGS -DPROFILE"
++ fi
++ enable_profile="X"
++ ], enable_profile=" ")
++fi
++
++if test "${enable_devmodules}" = "yes" ; then
++ AC_ARG_ENABLE(devmodules,
++ [ --enable-devmodules enable unstable modules (not recommended for production setups)],
++ [ if test -n "$GCC"; then
++ CFLAGS="-O0 -DDEBUG -g"
++ else
++ CFLAGS="$CFLAGS -DDEBUG"
++ fi
++ enable_devmodules="X"
++ ], enable_devmodules=" ")
++fi
+
+ #AC_CANONICAL_HOST
+ linux=no
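Review bot: Both the debug branch and the devmodules branch still assign `CFLAGS="-O0 -DDEBUG -g"` outright, so whatever hardening or user flags the build passed in (the ebuild enables these via USE=debug and USE=cspm) are silently discarded; the patch only guards when the options are parsed, it does not touch that. Since these blocks are being rewritten anyway, append rather than replace: `CFLAGS="$CFLAGS -O0 -DDEBUG -g"` in both the debug and the devmodules branch. Note the ebuild comment "enabling --devmodules replaces also CFLAGS; keep it this way" documents the current behaviour, so if the clobbering is intentional, say why there instead of leaving a reader to guess. The rest of configure.in is outside this hunk.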
diff --git a/net-analyzer/honeytrap/files/honeytrap.conf b/net-analyzer/honeytrap/files/honeytrap.conf
index 775cec8ed..17cb56017 100644
--- a/net-analyzer/honeytrap/files/honeytrap.conf
+++ b/net-analyzer/honeytrap/files/honeytrap.conf
@@ -1,48 +1,109 @@
-# /etc/honeytrap/honeytrap.conf
-#
-# This is a sample honeytrap configuration file.
-# However, the default values below should work in most installations.
-#
-# Copyright (C) 2006 Tillmann Werner <tillmann.werner@gmx.de>
-#
-#
-# allowed keywords are:
-#
-# keyword values description
-# ----------------------------------------------------------------------------------
-# pidfile path full pid file path (defaults to /var/run/honeytrap.pid if not given)
-# logfile path full logfile path (defaults to /var/log/honeytrap.log if not given)
-# user username user from /etc/passwd under which honeytrap should run
-# group groupname group from /etc/group under which honeytrap should run
-# promisc - tells honeytrap to sniff in promiscuous mode
-# mirror - tells honeytrap to run in mirror mode
-# response_dir path path to directory with default responses (defaults to /etc/honeytrap/responses)
-# plugin_dir path path to directory with honeytrap plugins (defaults to /usr/src/honeytrap_dynamicsrc)
-# attacks_dir path where to save attack strings (default is /var/log/honeytrap)
-# dlsave_dir path where to save downloaded files (default is /var/log/honeytrap)
-# read_limt number max. bytes to read from a socket - prevents honeytrap from memory exhaustion
-
-# Sane defaults for Gentoo
-
-logfile = /var/log/honeytrap/honeytrap.log
-
-response_dir = /etc/honeytrap/responses
-plugin_dir = /usr/src/honeytrap_dynamicsrc
-
-attacks_dir = /var/log/honeytrap/attacks
-dlsave_dir = /var/log/honeytrap/downloads
-
-# run in mirror mode - mirror connections back to the initiator (use with caution!)
-# mirror
-
-# put network interface into promiscuous mode - only available when using the pcap connection monitor
-# promisc
-
-# max bytes to read from an attack connection (10MB = 10485760)
-read_limit = 10485760
-
-# use this host (ip address) to listen for FTP data connections (you would need the htm_ftpDownload plugin version 3)
-# ftp_host = example.com
-
-# include explicit port configuration
-# include = /etc/honeytrap/ports.conf
+/*
+ * honeytrap 1.0 configuration file template -- please adjust
+ * (c) Tillmann Werner <tillmann.werner@gmx.de>
+ */
+
+// Small modifications for sane defaults in Gentoo.
+
+/* log to this file */
+logfile = "/var/log/honeytrap/honeytrap.log"
+
+/* where to look for default responses
+ * these are sent for connections handled in "normal mode" */
+response_dir = "/etc/honeytrap/responses"
+
+/* replace rfc1918 ip addresses with attacking ip address */
+replace_private_ips = "no"
+
+/* default port mode -- valid values are "ignore", "normal" and "mirror"
+portconf_default = "normal"
+
+/* put network interface into promiscuous mode
+ * (only availabel when compiled with --with-pcap-mon) */
+//promisc = "on"
+
+// do not read more than 20 MB - used to prevent DoS attacks
+read_limit = "20971520"
+
+/* include a file */
+//include = "/etc/honeytrap/ports.conf"
+
+
+/* ----- plugin stuff below ----- */
+
+/* where to look for plugins
+ need to be set before loading plugins */
+plugin_dir = "/usr/src/honeytrap_dynamicsrc"
+
+
+/* include a plugin via plugin-[ModuleName] = "" */
+
+plugin-ftpDownload = ""
+plugin-tftpDownload = ""
+plugin-b64Decode = ""
+plugin-vncDownload = ""
+
+
+/* store attacks on disk */
+plugin-SaveFile = {
+ attacks_dir = "/var/log/honeytrap/attacks"
+ downloads_dir = "/var/log/honeytrap/downloads"
+}
+
+
+/* scan downloaded samples with ClamAV engine */
+/*
+plugin-ClamAV = {
+ temp_dir = "/tmp"
+ clamdb_path = "/var/lib/clamav"
+}
+*/
+
+/* calculate locality sensitive hashes */
+/*
+plugin-SpamSum = {
+ md5sum_sigfile = "/var/log/honeytrap/md5sum.sigs"
+ spamsum_sigfile = "/var/log/honeytrap/spamsum.sigs"
+}
+*/
+
+/* store attacks in PostgeSQL database */
+/*
+plugin-SavePostgres = {
+ db_host = "localhost"
+ db_name = "some_db"
+ db_user = "some_user"
+ db_pass = "some_pass"
+// db_port = "some_port" // defaults to 5432/tcp if not set
+}
+*/
+
+
+/* invoke wget to download files via http */
+/*
+plugin-httpDownload = {
+ http_program = "/usr/bin/wget"
+// http_options = "-nv"
+ http_options = "-q"
+ download_dir = "/var/log/honeytrap/downloads"
+}
+*/
+
+
+
+/* ----- port mode configuration below ----- */
+
+// default port configuration (ignore, normal or mirror)
+// ignore: just ignore connection attempts
+// normal: send a default response
+// mirror: mirror connections back to the initiator (use with caution!)
+portconf_default = "normal"
+
+// explicit port configuration
+portconf = {
+ /* ignore these ports */
+ ignore = {
+ protocol = "tcp"
+ port = "22"
+ }
+}
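Review bot: The comment opened on the `/* default port mode -- valid values are "ignore", "normal" and "mirror"` line is never closed, so the first `portconf_default = "normal"` and the promisc comment after it are swallowed until the `*/` two lines later; the setting only takes effect because it is repeated in the port-mode section at the bottom. Either close it, `/* default port mode -- valid values are "ignore", "normal" and "mirror" */`, or drop this copy and keep the key only in the port-mode section. While there, `availabel` → `available`. Because the template carries a `db_pass` slot for SavePostgres, add a note in that block that the file must be root-owned and not world-readable once the plugin is enabled (the ebuild installs it with plain `cp`, so it gets the default umask permissions).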
diff --git a/net-analyzer/honeytrap/files/honeytrap.initd b/net-analyzer/honeytrap/files/honeytrap.initd
index 9aa489d8e..12784caf1 100644
--- a/net-analyzer/honeytrap/files/honeytrap.initd
+++ b/net-analyzer/honeytrap/files/honeytrap.initd
@@ -8,8 +8,8 @@ depend() {
}
checkconfig() {
- if [ ! -e $CONF ] ; then
- eerror "You need a configuration file to run Honeytrap."
+ if [ ! -e ${CONF} ] ; then
+ eerror "You need a configuration file to run honeytrap."
eerror "The example config is /etc/honeytrap/honeytrap.conf."
return 1
fi
@@ -17,15 +17,16 @@ checkconfig() {
start() {
checkconfig || return 1
- ebegin "Starting Honeytrap"
+ ebegin "Starting honeytrap"
+ # Remove --background for verbose debugging of the config file.
start-stop-daemon --start --exec /usr/sbin/honeytrap \
- --pidfile ${PIDFILE} \
- -- ${HONEYTRAP_OPTS} >/dev/null 2>&1
+ --pidfile ${PIDFILE} --background \
+ -- -P ${PIDFILE} ${HONEYTRAP_OPTS}
eend $?
}
stop() {
- ebegin "Stopping Honeytrap"
+ ebegin "Stopping honeytrap"
start-stop-daemon --stop --quiet --pidfile ${PIDFILE}
eend $?
}
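Review bot: The daemon is still started as root: nothing in the new start-stop-daemon line drops privileges (no `--user`/`--chuid`), and the 1.0 config template shipped in this commit no longer carries the `user`/`group` keywords the 0.6.4 template documented, even though the ebuild creates a honeytrap user and chowns the log tree to it. Capturing packets or attaching to a netfilter queue plausibly needs root at startup, so if honeytrap 1.0 can drop privileges itself after binding, set that in honeytrap.conf and mention it here; if it cannot, document the fact, e.g. `# Runs as root: the pcap/ipq/nfq monitors need it and 1.0 has no user= option.` Also, with `--background` start-stop-daemon does not know the child's PID; `stop` relies entirely on honeytrap writing `-P ${PIDFILE}` promptly, so a start that fails after the fork will report success and leave nothing for `stop` to act on — worth a comment next to the "Remove --background" note.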
diff --git a/net-analyzer/honeytrap/honeytrap-1.0.0.ebuild b/net-analyzer/honeytrap/honeytrap-1.0.0.ebuild
new file mode 100644
index 000000000..cb60460d9
--- /dev/null
+++ b/net-analyzer/honeytrap/honeytrap-1.0.0.ebuild
@@ -0,0 +1,135 @@
+# Copyright 1999-2007 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: $
+
+inherit eutils autotools linux-info
+
+DESCRIPTION="Network security tool for observing network services via low-interactive honeypot"
+HOMEPAGE="http://honeytrap.mwcollect.org/"
+SRC_URI="mirror://sourceforge/${PN}/${P}.tar.bz2"
+
+LICENSE="GPL-2"
+SLOT="0"
+KEYWORDS="~amd64 ~x86"
+IUSE="pcap-mon ipq-mon nfq-mon clamav postgres spamsum cspm efence debug profile"
+
+RDEPEND="pcap-mon? ( virtual/libpcap )
+ ipq-mon? ( net-firewall/iptables )
+ nfq-mon? ( net-firewall/iptables net-libs/libnetfilter_queue )
+ !pcap-mon? ( !nfq-mon? ( !ipq-mon? ( net-firewall/iptables ) ) )
+ clamav? ( app-antivirus/clamav )
+ postgres? ( dev-db/postgresql )
+ cspm? ( dev-libs/libpcre )"
+DEPEND="${RDEPEND}
+ efence? ( dev-util/efence )"
+
+pkg_setup() {
+ enewgroup honeytrap
+ enewuser honeytrap -1 -1 /sbin/nologin honeytrap
+
+ if ! use pcap-mon && ! use ipq-mon && ! use nfq-mon ; then
+ ewarn "You did not choose any connection monitor."
+ ewarn "Currently pcap-based, ip_queue-based and nf_queue-based monitors are supported."
+ ewarn "Defaulting to ip_queue; if this is not what you want, you should add either"
+ ewarn "pcap-mon or nfq-mon to your USE flags and re-emerge this ebuild."
+ epause 3
+ fi
+
+ if use efence ; then
+ ewarn "You have enabled a link with Electric Fence malloc debugger."
+ ewarn "It is known that honeytrap will not work with efence and xen-sources."
+ epause 3
+ fi
+
+ if use cspm ; then
+ ewarn "You have enabled CSPM, shellcode pattern matching plugin."
+ ewarn "The CSPM plugin is still unstable and should not be used in production setups."
+ epause 3
+ fi
+
+ use ipq-mon && CONFIG_CHECK="IP_NF_QUEUE"
+ use nfq-mon && CONFIG_CHECK="NETFILTER_NETLINK_QUEUE"
+ linux-info_pkg_setup
+}
+
+src_unpack() {
+ unpack ${A}
+ cd "${S}"
+
+ # Automake files are a mess; a review of these is in the upstream todo-list.
+ # This patch could be nicer, but at least it prevents ugly things from happening with use_enable.
+ epatch "${FILESDIR}/${PN}-1.0.0-autoconf.patch"
+
+ einfo "Regenerating autoconf/automake files."
+ eautoreconf
+}
+
+src_compile() {
+ local myconf
+
+ if use pcap-mon ; then
+ myconf="${myconf} --with-stream-mon=pcap"
+ elif use ipq-mon ; then
+ myconf="${myconf} --with-stream-mon=ipq --with-libipq-includes=/usr/include/libipq"
+ elif use nfq-mon ; then
+ myconf="${myconf} --with-stream-mon=nfq --with-libnfq-includes=/usr/include/libnetfilter_queue"
+ elif ! use pcap-mon && ! use ipq-mon && ! use nfq-mon ; then
+ myconf="${myconf} --with-stream-mon=ipq --with-libipq-includes=/usr/include/libipq"
+ fi
+
+ # Note: enabling --devmodules replaces also CFLAGS; keep it this way.
+ if use cspm ; then
+ myconf="${myconf} --enable-devmodules"
+ fi
+
+ econf \
+ $(use_with clamav) \
+ $(use_with postgres) \
+ $(use_with spamsum) \
+ $(use_with cspm) \
+ $(use_with efence) \
+ $(use_enable debug) \
+ $(use_enable profile) \
+ ${myconf} || die "econf failed"
+
+ emake || die "emake failed"
+}
+
+src_install() {
+ emake DESTDIR="${D}" install || die "emake install failed"
+
+ # Unfortunately the dynamic shared plugins are installed into /etc/honeytrap/plugins by default.
+ # The easiest way is to just move them and put them into /usr/src/honeytrap_dynamicsrc (cf. Snort).
+ dodir /usr/src
+ mv "${D}"/etc/honeytrap/plugins "${D}"/usr/src/honeytrap_dynamicsrc || die
+
+ # As the ebuild includes a modified version of this file, no need to copy this into the live system.
+ rm -f "${D}"/etc/honeytrap/honeytrap.conf*
+
+ mv "${D}"/etc/honeytrap/ports.conf.dist "${D}"/etc/honeytrap/ports.conf
+
+ # Note: NEWS is empty, so no need for it; man-file is installed without doman.
+ dodoc README TODO ChangeLog
+
+ newinitd "${FILESDIR}"/${PN}.initd ${PN}
+ newconfd "${FILESDIR}"/${PN}.confd ${PN}
+ cp "${FILESDIR}"/honeytrap.conf "${D}"/etc/honeytrap/honeytrap.conf
+
+ keepdir /var/log/honeytrap
+ keepdir /var/log/honeytrap/attacks
+ keepdir /var/log/honeytrap/downloads
+
+ fowners -R honeytrap:honeytrap /var/log/honeytrap
+ fperms 0700 -R /var/log/honeytrap
+}
+
+pkg_postinst() {
+ ewarn
+ ewarn "WARNING (from the README):"
+ ewarn "Honeytrap is a low-interactive honeypot and therefore detectable."
+ ewarn "It is written in C and thus potentially vulnerable to buffer"
+ ewarn "overflow attacks. Take care. Running in mirror mode is dangerous."
+ ewarn "Attacks may be directed to the attacker, appearing to come from"
+ ewarn "your system. Use with caution."
+ ewarn
+}
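Review bot: The kernel config check in pkg_setup can disagree with the monitor that src_compile actually builds: with both ipq-mon and nfq-mon set, the two `use ... && CONFIG_CHECK=` lines leave CONFIG_CHECK as NETFILTER_NETLINK_QUEUE while configure gets `--with-stream-mon=ipq`, and when no monitor flag is set the ipq fallback is compiled with no IP_NF_QUEUE check at all. Choose CONFIG_CHECK with the same precedence src_compile uses (pcap, then ipq, then nfq, else ipq); the final `elif ! use pcap-mon && ! use ipq-mon && ! use nfq-mon` in src_compile is just `else`. Separately, `fperms 0700 -R /var/log/honeytrap` puts the option after the mode while the neighbouring `fowners -R honeytrap:honeytrap ...` puts it first; if fperms takes its first argument as the mode and prefixes the rest with ${D}, the `-R` is not honoured, so use `fperms -R 0700 /var/log/honeytrap || die` to match.
```shell
	# Pick the kernel option for the monitor src_compile will actually
	# build: pcap needs none, ipq wins over nfq, and ipq is the fallback.
	if use pcap-mon ; then
		CONFIG_CHECK=""
	elif use nfq-mon && ! use ipq-mon ; then
		CONFIG_CHECK="NETFILTER_NETLINK_QUEUE"
	else
		CONFIG_CHECK="IP_NF_QUEUE"
	fi
	linux-info_pkg_setup
```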