From 25804f5aa80f4145255d372dbc05e2733c8d8fb4 Mon Sep 17 00:00:00 2001
From: Eric Leblond
Date: Wed, 21 Sep 2011 19:55:03 +0200
Subject: [PATCH] Add install-conf command to build system.

This patch adds support for customisation of suricata.yaml and automatic download of emerging threat GPL rules. By running 'make install-full' after 'make install', files necessary to run suricata are copied in the configuration directory and the latest ruleset is downloaded and installed. Suricata can then be run without files edition. This patch has a special treatment for the windows build which requires some different paths. suricata.yaml is also updated to load all rules files provided by emergingthreat ruleset.
---
 Makefile.am | 22 ++++++-
 configure.in | 54 +++++++++++++++--
 suricata.yaml => suricata.yaml.in | 99 ++++++++++++-------------------
 3 files changed, 109 insertions(+), 66 deletions(-)
 rename suricata.yaml => suricata.yaml.in (96%)

diff --git a/Makefile.am b/Makefile.am
index 1631fe6723..80856007f8 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -2,7 +2,7 @@
 # have all needed files, that a GNU package needs
 AUTOMAKE_OPTIONS = foreign 1.4
 ACLOCAL_AMFLAGS = -I m4
-EXTRA_DIST = ChangeLog COPYING LICENSE suricata.yaml \
+EXTRA_DIST = ChangeLog COPYING LICENSE suricata.yaml.in \
 	classification.config \
 	reference.config
 if BUILD_LIBHTP
@@ -10,3 +10,23 @@ if BUILD_LIBHTP
 endif
 
 SUBDIRS = $(HTP_DIR) src qa rules doc
+install-data-am:
+	@echo "Run 'make install-conf' if you want to install initial configuration files. Or 'make install-full' to install configuration and rules";
+
+install-full: install-conf install-rules
+
+install-conf:
+	install -d $(sysconfdir)
+	test -e $(sysconfdir)/suricata.yaml || install -m 600 $(top_srcdir)/suricata.yaml $(sysconfdir)
+	test -e $(sysconfdir)/classification.config || install -m 600 $(top_srcdir)/classification.config $(sysconfdir)
+	test -e $(sysconfdir)/reference.config || install -m 600 $(top_srcdir)/reference.config $(sysconfdir)
+	install -d $(localstatedir)/log/suricata
+
+install-rules:
+	install -d $(sysconfdir)/rules
+	wget -qO - http://rules.emergingthreats.net/open/suricata/emerging.rules.tar.gz | tar zkxv -C $(sysconfdir)
+	test -e $(sysconfdir)/rules/decoder-events.rules || install -m 600 $(top_srcdir)/rules/decoder-events.rules $(sysconfdir)/rules/
+	test -e $(sysconfdir)/rules/stream-events.rules || install -m 600 $(top_srcdir)/rules/stream-events.rules $(sysconfdir)/rules/
+	test -e $(sysconfdir)/rules/smtp-events.rules || install -m 600 $(top_srcdir)/rules/smtp-events.rules $(sysconfdir)/rules/
+	test -e $(sysconfdir)/rules/http-events.rules || install -m 600 $(top_srcdir)/rules/http-events.rules $(sysconfdir)/rules/
+	@echo "You can now start suricata by running as root something like '$(bindir)/suricata -c $(sysconfdir)/suricata.yaml -i eth0'"
diff --git a/configure.in b/configure.in
index 9c08f20ce6..5750edce76 100644
--- a/configure.in
+++ b/configure.in
@@ -121,7 +121,7 @@ AC_INIT(configure.in)
 AC_MSG_CHECKING([host os])
 
 # If no host os was detected, try with uname
-    if test -z "$host" ; then
+    if test -z "$host" ; then
         host="`uname`"
     fi
 echo -n "installation for $host OS... \c"
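Review bot: The `wget -qO - http://... | tar zkxv -C $(sysconfdir)` line in install-rules fetches the ruleset over plain HTTP and unpacks whatever the server returns straight into the configuration directory (as root, per the final echo), with no integrity check on the archive before it lands next to suricata.yaml. Download to a file first so it can be inspected or verified before extraction, prefer an https URL if the server offers one, and keep the URL in an overridable variable so users can point at a local mirror or a vetted copy (rewrite below). Separately, install-conf copies `$(top_srcdir)/suricata.yaml`, but this patch makes suricata.yaml a configure output that lives in the build tree, so an out-of-tree build will not find it; `$(top_builddir)/suricata.yaml` is the right source, and every destination here should carry a `$(DESTDIR)` prefix for staged installs. Defining `install-data-am` in Makefile.am also replaces the rule automake generates under that name; `install-data-hook` is the supported place for a post-install message.
```make
RULES_URL ?= http://rules.emergingthreats.net/open/suricata/emerging.rules.tar.gz

install-rules:
	install -d $(DESTDIR)$(sysconfdir)/rules
	wget -qO $(DESTDIR)$(sysconfdir)/rules/.emerging.rules.tar.gz $(RULES_URL)
	# TODO(review): verify the downloaded archive here (vendor checksum/signature, if one is published) before unpacking it
	tar zkxvf $(DESTDIR)$(sysconfdir)/rules/.emerging.rules.tar.gz -C $(DESTDIR)$(sysconfdir)
	$(RM) $(DESTDIR)$(sysconfdir)/rules/.emerging.rules.tar.gz
	# … unchanged: test -e … || install … lines for the bundled *-events.rules files and the final echo …
```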
@@ -148,6 +148,10 @@ AC_INIT(configure.in)
     *-*-mingw32*)
         CFLAGS="${CFLAGS} -DOS_WIN32"
         LDFLAGS="${LDFLAGS} -lws2_32"
+        WINDOWS_PATH="yes"
+        ;;
+    *-*-cygwin)
+        WINDOWS_PATH="yes"
         ;;
     *)
         AC_MSG_WARN([unsupported OS this may or may not work])
@@ -1166,7 +1170,45 @@ AC_SUBST(CFLAGS)
 AC_SUBST(LDFLAGS)
 AC_SUBST(CPPFLAGS)
 
-AC_OUTPUT(Makefile src/Makefile qa/Makefile qa/coccinelle/Makefile rules/Makefile doc/Makefile)
+define([EXPAND_VARIABLE],
+[$2=[$]$1
+if test $prefix = 'NONE'; then
+  prefix="/usr/local"
+fi
+while true; do
+  case "[$]$2" in
+    *\[$]* ) eval "$2=[$]$2" ;;
+    *) break ;;
+  esac
+done
+eval "$2=[$]$2$3"
+])dnl EXPAND_VARIABLE
+
+# suricata log dir
+if test "$WINDOWS_PATH" = "yes"; then
+  systemtype="`systeminfo | grep \"System Type\"`"
+  case $systemtype in
+    *x64*)
+      e_logdir="C:\\Program Files (x86)\\Suricata\\log\\"
+      e_sysconfdir="C:\\Program Files (x86)\\Suricata\\"
+      e_magic_file="C:\\Program Files (x86)\\Suricata\\magic.mgc"
+      ;;
+    *)
+      e_logdir="C:\\Program Files\\Suricata\\log\\"
+      e_sysconfdir="C:\\Program Files\\Suricata\\"
+      e_magic_file="C:\\Program Files\\Suricata\\magic.mgc"
+      ;;
+  esac
+else
+  EXPAND_VARIABLE(localstatedir, e_logdir, "/log/suricata")
+  EXPAND_VARIABLE(sysconfdir, e_sysconfdir, "/")
+  e_magic_file="/usr/share/file/magic"
+fi
+AC_SUBST(e_logdir)
+AC_SUBST(e_sysconfdir)
+AC_SUBST(e_magic_file)
+
+AC_OUTPUT(Makefile src/Makefile qa/Makefile qa/coccinelle/Makefile rules/Makefile doc/Makefile suricata.yaml)
 
 echo "
 Suricata Configuration:
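Review bot: The Windows branch of the new path block runs `systeminfo | grep "System Type"` on the machine executing configure and bakes the resulting `C:\Program Files...` paths into suricata.yaml, so the embedded paths describe the build host rather than the target; on a mingw32 cross-build from a non-Windows host `systeminfo` presumably does not exist, the backtick yields an empty string, and the `*)` branch silently wins. Deriving these paths from `$prefix`/`$sysconfdir` as the non-Windows branch does, or exposing them through an `AC_ARG_WITH` option, would remove the configure-time probe. EXPAND_VARIABLE resolves nested `${...}` by repeatedly `eval`ing the variable's value, which also executes any command substitution present in a user-supplied `--sysconfdir=`/`--localstatedir=` value, and the result is frozen at configure time, so a later `make prefix=...` override will not be reflected in the YAML; the unquoted `test $prefix = 'NONE'` additionally breaks if `prefix` is empty and should be `test "$prefix" = 'NONE'`. The non-Windows branch hard-codes `e_magic_file="/usr/share/file/magic"`, which the suricata.yaml.in hunk at -164 then enables unconditionally as `magic-file:`; guarding it with `AC_CHECK_FILE([/usr/share/file/magic.mgc], ...)` or a `--with-magic-file` option would avoid pointing the engine at a database that is absent on the host.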
@@ -1187,5 +1229,9 @@ Suricata Configuration:
   GCC Profile enabled: ${enable_gccprofile}
   Old barnyard2 support: ${enable_old_barnyard2}
   Non-bundled htp: ${enable_non_bundled_htp}
-  PCRE jit: ${pcre_jit_available}
-"
+  PCRE jit: ${pcre_jit_available}"
+
+echo "
+To build and install run 'make' and 'make install'.
+You can run 'make install-conf' if you want to install initial configuration files.
+Running 'make install-full' will install configuration and rules and provide you a ready-to-run suricata."
diff --git a/suricata.yaml b/suricata.yaml.in
similarity index 96%
rename from suricata.yaml
rename to suricata.yaml.in
index 055576e7ca..5c59720a40 100644
--- a/suricata.yaml
+++ b/suricata.yaml.in
@@ -40,7 +40,7 @@ action-order:
 # The default logging directory. Any log or output file will be
 # placed here if its not specified with a full path name. This can be
 # overridden with the -l command line parameter.
-default-log-dir: /var/log/suricata
+default-log-dir: @e_logdir@
 
 # Configure the type of alert (and other) logging you would like.
 outputs:
@@ -164,6 +164,7 @@ outputs:
 
 # Magic file. The extension .mgc is added to the value here.
 #magic-file: /usr/share/file/magic
+magic-file: @e_magic_file@
 
 # When running in NFQ inline mode, it is possible to use a simulated
 # non-terminal NFQUEUE verdict.
@@ -651,85 +652,61 @@ ipfw:
 
 # Set the default rule path here to search for the files.
 # if not set, it will look at the current working dir
-default-rule-path: /etc/suricata/rules/
+default-rule-path: @e_sysconfdir@rules
 rule-files:
- - attack-responses.rules
- - backdoor.rules
- - bad-traffic.rules
- - chat.rules
- - ddos.rules
- - deleted.rules
- - dns.rules
- - dos.rules
- - experimental.rules
- - exploit.rules
- - finger.rules
- - ftp.rules
- - icmp-info.rules
- - icmp.rules
- - imap.rules
- - info.rules
- - local.rules
- - misc.rules
- - multimedia.rules
- - mysql.rules
- - netbios.rules
- - nntp.rules
- - oracle.rules
- - other-ids.rules
- - p2p.rules
- - policy.rules
- - pop2.rules
- - pop3.rules
- - porn.rules
- - rpc.rules
- - rservices.rules
- - scada.rules
- - scan.rules
- - shellcode.rules
- - smtp.rules
- - snmp.rules
- - specific-threats.rules
- - spyware-put.rules
- - sql.rules
- - telnet.rules
- - tftp.rules
- - virus.rules
- - voip.rules
- - web-activex.rules
- - web-attacks.rules
- - web-cgi.rules
- - web-client.rules
- - web-coldfusion.rules
- - web-frontpage.rules
- - web-iis.rules
- - web-misc.rules
- - web-php.rules
- - x11.rules
+ - botcc.rules
+ - ciarmy.rules
+ - compromised.rules
+ - drop.rules
+ - dshield.rules
+ - emerging-activex.rules
  - emerging-attack_response.rules
+ - emerging-chat.rules
+ - emerging-current_events.rules
+ - emerging-deleted.rules
+ - emerging-dns.rules
  - emerging-dos.rules
  - emerging-exploit.rules
- - emerging-game.rules
+ - emerging-ftp.rules
+ - emerging-games.rules
+ - emerging-icmp_info.rules
+ - emerging-icmp.rules
+ - emerging-imap.rules
  - emerging-inappropriate.rules
  - emerging-malware.rules
+ - emerging-misc.rules
+ - emerging-mobile_malware.rules
+ - emerging-netbios.rules
  - emerging-p2p.rules
  - emerging-policy.rules
+ - emerging-pop3.rules
+ - emerging-rpc.rules
+ - emerging-scada.rules
  - emerging-scan.rules
+ - emerging-shellcode.rules
+ - emerging-smtp.rules
+ - emerging-snmp.rules
+ - emerging-sql.rules
+ - emerging-telnet.rules
+ - emerging-tftp.rules
+ - emerging-trojan.rules
+ - emerging-user_agents.rules
  - emerging-virus.rules
  - emerging-voip.rules
- - emerging-web.rules
  - emerging-web_client.rules
  - emerging-web_server.rules
  - emerging-web_specific_apps.rules
- - emerging-user_agents.rules
- - emerging-current_events.rules
+ - emerging-worm.rules
+ - rbn-malvertisers.rules
+ - rbn.rules
+ - tor.rules
  - decoder-events.rules # available in suricata sources under rules dir
  - stream-events.rules # available in suricata sources under rules dir
  - http-events.rules # available in suricata sources under rules dir
  - smtp-events.rules # available in suricata sources under rules dir
 
-classification-file: /etc/suricata/classification.config
-reference-config-file: /etc/suricata/reference.config
+classification-file: @e_sysconfdir@classification.config
+reference-config-file: @e_sysconfdir@reference.config
 
 # Holds variables that would be used by the engine.
 vars:
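Review bot: The new `rule-files:` list hard-codes the file names found in the Emerging Threats open tarball at the time of the patch, and nothing in the patch verifies that each listed file is actually present under `@e_sysconfdir@rules` after `make install-rules`; if upstream drops or renames a file the installed suricata.yaml references a rule file that does not exist, and a user who runs only `make install-conf` gets a config naming 46 downloaded files they do not have (how the engine reacts to a missing rule file is not visible here). A comment above the list such as `# File names below follow the Emerging Threats open ruleset layout; keep in sync with 'make install-rules' in Makefile.am` would at least document the coupling, and keeping the four bundled `*-events.rules` entries visually separate from the downloaded set would make the two provenances clear. `default-rule-path: @e_sysconfdir@rules` and the two `@e_sysconfdir@classification.config`/`reference.config` lines depend on `e_sysconfdir` ending in a path separator, which the configure.in hunk provides for both branches (the `"/"` suffix and the trailing backslash); a short note in suricata.yaml.in, e.g. `# e_sysconfdir is substituted with a trailing separator by configure`, would keep that contract from being broken silently.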