authorThomas Andrejak <thomas.andrejak@gmail.com>2016-07-17 15:13:05 +0200
committerGöktürk Yüksek <gokturk@gentoo.org>2016-08-04 21:10:12 -0400
commit3a233c7192c7c95146c9f0dfd5f601deaf23a202 (patch)
tree0471fe963d4c2b35e3e34395aab6324bca435be2 /net-analyzer/prelude-lml/files
parentapp-admin/prelude-manager: New package (diff)
net-analyzer/prelude-lml: New package
Prelude-LML is a log analyser that allows Prelude to collect and analyze information from all kinds of applications emitting logs or syslog messages, in order to detect suspicious activities and transform them into Prelude-IDMEF alerts.
Diffstat (limited to 'net-analyzer/prelude-lml/files')
-rw-r--r--net-analyzer/prelude-lml/files/prelude-lml-3.0.0-conf.patch22
-rw-r--r--net-analyzer/prelude-lml/files/prelude-lml-3.0.0-configure.patch35
-rw-r--r--net-analyzer/prelude-lml/files/prelude-lml-3.0.0-run.patch14
-rwxr-xr-xnet-analyzer/prelude-lml/files/prelude-lml.initd27
-rw-r--r--net-analyzer/prelude-lml/files/prelude-lml.run4
-rw-r--r--net-analyzer/prelude-lml/files/prelude-lml.service13
6 files changed, 115 insertions, 0 deletions
diff --git a/net-analyzer/prelude-lml/files/prelude-lml-3.0.0-conf.patch b/net-analyzer/prelude-lml/files/prelude-lml-3.0.0-conf.patch
new file mode 100644
index 000000000000..dab4ea8a6bb1
--- /dev/null
+++ b/net-analyzer/prelude-lml/files/prelude-lml-3.0.0-conf.patch
@@ -0,0 +1,22 @@
+--- a/prelude-lml.conf
++++ b/prelude-lml.conf
+@@ -92,7 +92,7 @@
+ time-format = "%b %d %H:%M:%S"
+ prefix-regex = "^(?P<timestamp>.{15}) (?P<hostname>\S+) (?:(?P<process>\S+?)(?:\[(?P<pid>[0-9]+)\])?: )?"
+ file = /var/log/messages
+-file = /var/log/secure
++file = /var/log/auth.log
+ # udp-server = 0.0.0.0
+ # tcp-server = 0.0.0.0
+ # tcp-tls-server = 0.0.0.0
+--- a/prelude-lml.conf.in
++++ b/prelude-lml.conf.in
+@@ -92,7 +92,7 @@
+ time-format = "%b %d %H:%M:%S"
+ prefix-regex = "^(?P<timestamp>.{15}) (?P<hostname>\S+) (?:(?P<process>\S+?)(?:\[(?P<pid>[0-9]+)\])?: )?"
+ file = /var/log/messages
+-file = /var/log/secure
++file = /var/log/auth.log
+ # udp-server = 0.0.0.0
+ # tcp-server = 0.0.0.0
+ # tcp-tls-server = 0.0.0.0
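Review bot: The patch carries no header explaining why `file = /var/log/secure` becomes `file = /var/log/auth.log`, and the identical two-line change is applied to both prelude-lml.conf and prelude-lml.conf.in; if prelude-lml.conf is regenerated from the .in template at build time (not visible here), the first half is redundant and the two copies can drift. Whether /var/log/auth.log exists on a given Gentoo host depends on the installed syslogger's configuration, so the choice is worth documenting in a short header above the first `---` line, e.g. `Gentoo's default syslog configuration writes authentication messages to /var/log/auth.log rather than /var/log/secure.`, so that a later maintainer knows the assumption being made.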
diff --git a/net-analyzer/prelude-lml/files/prelude-lml-3.0.0-configure.patch b/net-analyzer/prelude-lml/files/prelude-lml-3.0.0-configure.patch
new file mode 100644
index 000000000000..154a261eb5ad
--- /dev/null
+++ b/net-analyzer/prelude-lml/files/prelude-lml-3.0.0-configure.patch
@@ -0,0 +1,35 @@
+--- a/configure.in
++++ b/configure.in
+@@ -107,10 +107,13 @@
+ dnl **************************************************
+ GNUTLS_MIN_VERSION=1.0.17
+
+-PKG_CHECK_MODULES([LIBGNUTLS], [gnutls >= $GNUTLS_MIN_VERSION], [],
+- [AM_PATH_LIBGNUTLS($GNUTLS_MIN_VERSION, enable_gnutls=yes, enable_gnutls=no)])
+-
+-AC_CHECK_HEADER(gnutls/gnutls.h, enable_gnutls=yes, enable_gnutls=no)
++AC_ARG_ENABLE(gnutls, AC_HELP_STRING(--enable-gnutls, Define whether GnuTLS provides gnutls_hash_get_len function), , enable_gnutls="yes")
++if test x$enable_gnutls = xyes; then
++ PKG_CHECK_MODULES([LIBGNUTLS], [gnutls >= $GNUTLS_MIN_VERSION], [],
++ [AM_PATH_LIBGNUTLS($GNUTLS_MIN_VERSION, enable_gnutls=yes, enable_gnutls=no)])
++
++ AC_CHECK_HEADER(gnutls/gnutls.h, enable_gnutls=yes, enable_gnutls=no)
++fi
+
+ if test x$enable_gnutls = xyes; then
+ AC_DEFINE_UNQUOTED(HAVE_GNUTLS, , Tell whether GnuTLS is available for TCP-TLS support)
+@@ -125,8 +128,12 @@
+ dnl * Check for libICU *
+ dnl **************************************************
+
+-PKG_CHECK_MODULES([ICU], [icu >= 3.0], [enable_icu=yes],
+- [AC_CHECK_ICU(3.8, enable_icu=yes, enable_icu=no)])
++AC_ARG_ENABLE(icu, AC_HELP_STRING(--enable-icu, Tell whether libicu is available for encoding convertion), , enable_icu="yes")
++
++if test x$enable_icu = xyes; then
++ PKG_CHECK_MODULES([ICU], [icu >= 3.0], [enable_icu=yes],
++ [AC_CHECK_ICU(3.8, enable_icu=yes, enable_icu=no)])
++fi
+ if test x$enable_icu = xyes; then
+ AC_DEFINE_UNQUOTED(HAVE_LIBICU, , Tell whether libicu is available for encoding convertion)
+ fi
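Review bot: The help text added for the new option, `AC_HELP_STRING(--enable-gnutls, Define whether GnuTLS provides gnutls_hash_get_len function)`, does not describe what the option does — the variable it sets gates `HAVE_GNUTLS`, which the existing define describes as TCP-TLS support — so it reads as copied from elsewhere; `Enable GnuTLS support for TCP-TLS log reception` would match the define. A second point is that with the default `enable_gnutls="yes"` a missing or too-old GnuTLS still ends in a successful configure run that silently omits TLS, because the existing `AM_PATH_LIBGNUTLS` / `AC_CHECK_HEADER` fallbacks only flip the same variable to no; if the ebuild maps this option to a USE flag (not visible here) the build should fail when the requested support cannot be provided, so that a TLS-less binary is never installed by accident. The same applies to the libICU block below it. The surrounding configure.in continues outside both hunks.
```m4
AC_ARG_ENABLE(gnutls, AC_HELP_STRING(--enable-gnutls, Enable GnuTLS support for TCP-TLS log reception), , enable_gnutls="yes")
if test x$enable_gnutls = xyes; then
  PKG_CHECK_MODULES([LIBGNUTLS], [gnutls >= $GNUTLS_MIN_VERSION], [],
    [AM_PATH_LIBGNUTLS($GNUTLS_MIN_VERSION, enable_gnutls=yes, enable_gnutls=no)])

  AC_CHECK_HEADER(gnutls/gnutls.h, enable_gnutls=yes, enable_gnutls=no)
  if test x$enable_gnutls != xyes; then
    AC_MSG_ERROR([GnuTLS support was requested but GnuTLS >= $GNUTLS_MIN_VERSION was not found])
  fi
fi
dnl … unchanged: HAVE_GNUTLS define, libICU block …
```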
diff --git a/net-analyzer/prelude-lml/files/prelude-lml-3.0.0-run.patch b/net-analyzer/prelude-lml/files/prelude-lml-3.0.0-run.patch
new file mode 100644
index 000000000000..8b4e65216cca
--- /dev/null
+++ b/net-analyzer/prelude-lml/files/prelude-lml-3.0.0-run.patch
@@ -0,0 +1,14 @@
+--- a/configure.in
++++ b/configure.in
+@@ -187,9 +187,9 @@
+ configdir=$SYSCONFDIR/prelude-lml
+ prelude_lml_conf=$configdir/prelude-lml.conf
+ regex_conf=$configdir/plugins.rules
+-metadata_dir=$LOCALSTATEDIR/lib/prelude-lml
++metadata_dir=$LOCALSTATEDIR/prelude-lml
+ plugindir=$LIBDIR/prelude-lml
+-lml_run_dir=$LOCALSTATEDIR/run/prelude-lml
++lml_run_dir=/run/prelude-lml
+
+ AC_DEFINE_UNQUOTED(PRELUDE_LML_CONF, "$prelude_lml_conf", Path to the LML configuration file)
+ AC_DEFINE_UNQUOTED(LOG_PLUGIN_DIR, "$plugindir", Prelude-LML report plugin directory)
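Review bot: The change of `metadata_dir=$LOCALSTATEDIR/lib/prelude-lml` to `metadata_dir=$LOCALSTATEDIR/prelude-lml` is unrelated to the run directory this patch is named for, and it moves persistent state out of the FHS location for variable state data (/var/lib) into a bare /var/prelude-lml; unless the ebuild depends on that layout (not visible here), that line should be left at its upstream value or the reason stated in a patch header. The second change hard-codes `lml_run_dir=/run/prelude-lml` instead of deriving it from a configure path, which is consistent with the initd script, tmpfiles entry and systemd unit in this commit but ignores `--localstatedir` for anyone reusing the patch; a one-line header above `--- a/configure.in` noting that the directory is created by prelude-lml.run/checkpath would make the coupling explicit.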
diff --git a/net-analyzer/prelude-lml/files/prelude-lml.initd b/net-analyzer/prelude-lml/files/prelude-lml.initd
new file mode 100755
index 000000000000..411e02762455
--- /dev/null
+++ b/net-analyzer/prelude-lml/files/prelude-lml.initd
@@ -0,0 +1,27 @@
+#!/sbin/runscript
+# Copyright 1999-2016 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Id$
+
+BIN_LML=/usr/bin/prelude-lml
+PID_LML=/run/prelude-lml/prelude-lml.pid
+
+depend() {
+ need net
+ after prelude-manager
+}
+
+start() {
+ ebegin "Starting prelude-lml"
+ checkpath -d -m 0755 -o root:root /run/prelude-lml
+ start-stop-daemon --start --exec $BIN_LML \
+ --pidfile $PID_LML -- -d -P $PID_LML
+ eend $?
+}
+
+stop() {
+ ebegin "Stopping prelude-lml"
+ start-stop-daemon --stop --exec $BIN_LML \
+ --pidfile $PID_LML
+ eend $?
+}
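Review bot: The script uses the `#!/sbin/runscript` interpreter, which OpenRC deprecated in favour of `#!/sbin/openrc-run`; the new form should be used for a new init script. The variable expansions in `start()` and `stop()` are unquoted (`--exec $BIN_LML`, `--pidfile $PID_LML`, `-P $PID_LML`); the values are fixed paths without spaces so this is harmless today, but quoting them, e.g. `start-stop-daemon --start --exec "$BIN_LML" --pidfile "$PID_LML" -- -d -P "$PID_LML"`, keeps the script robust if the paths are ever made configurable through conf.d. A brief comment above `depend()` noting that `after prelude-manager` is only an ordering hint, not a dependency, so prelude-lml will start and retry its manager connection on its own, would save the next reader from expecting a `need`.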
diff --git a/net-analyzer/prelude-lml/files/prelude-lml.run b/net-analyzer/prelude-lml/files/prelude-lml.run
new file mode 100644
index 000000000000..75f2ef89adda
--- /dev/null
+++ b/net-analyzer/prelude-lml/files/prelude-lml.run
@@ -0,0 +1,4 @@
+# Configuration to create /run/prelude-lml directory
+# Used as part of systemd's tmpfiles
+
+d /run/prelude-lml 0755 root root
diff --git a/net-analyzer/prelude-lml/files/prelude-lml.service b/net-analyzer/prelude-lml/files/prelude-lml.service
new file mode 100644
index 000000000000..9d9230c6ff4c
--- /dev/null
+++ b/net-analyzer/prelude-lml/files/prelude-lml.service
@@ -0,0 +1,13 @@
+[Unit]
+Description=Prelude-LML service
+DefaultDependencies=no
+After=remote_fs.target prelude-manager.service
+
+[Service]
+ExecStart=/usr/bin/prelude-lml -d -P /run/prelude-lml/prelude-lml.pid
+Type=forking
+PIDFile=/run/prelude-lml/prelude-lml.pid
+Restart=always
+
+[Install]
+WantedBy=multi-user.target
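Review bot: `DefaultDependencies=no` in the [Unit] section removes the implicit ordering after sysinit.target and basic.target as well as the implicit `Conflicts=shutdown.target`, so the unit can be started before systemd-tmpfiles has created the /run/prelude-lml directory that the accompanying prelude-lml.run entry and `PIDFile=/run/prelude-lml/prelude-lml.pid` rely on, and it will not be stopped cleanly at shutdown. Nothing in the unit suggests it must run that early, so the line should be dropped; `After=remote_fs.target prelude-manager.service` can then also gain `network.target`, since the daemon may need to reach a remote manager. The unit runs the daemon as root with no sandboxing; a reviewer may want to consider adding hardening such as `ProtectHome=true` or `PrivateTmp=true` once it is confirmed which directories the daemon writes to, which this commit does not show.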