
snort3: bump to 3.5.1.0 #25267

Open. Wants to merge 2 commits into master.

Conversation

@Ansuel (Member) commented Nov 7, 2024

Bump snort3 to 3.5.1.0. Manually refresh the PCRE2 patch to latest
changes.

Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>

Bump libdaq3 to 3.0.17 as this new version is required by snort3 latest
versions.

Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
@Ansuel (Member, Author) commented Nov 7, 2024

@Neustradamus Since I see you love doing research, I'm curious how many people are using downstream patches (and maybe mine) for PCRE2 in package repositories.

@graysky2 (Contributor) commented Nov 7, 2024

Had to make two modifications as detailed here. After that, snort seems to be functional.

Recommend merge.

Build system: x86/64
Build-tested: x86/64/AMD Cezanne
Run-tested: x86/64/AMD Cezanne

@Ansuel (Member, Author) commented Nov 7, 2024

Honestly using pcre2_to_regex doesn't make sense and the compile error should be investigated... Would be good to have repro steps...

@graysky2 (Contributor) commented Nov 7, 2024

@Ansuel - I PM'ed a few of the active snort users in the forums asking them to join the conversation (xxxx and efahl)

Had to make two modifications as detailed here. After that, snort seems to be functional.

To save time looking up that thread, these are the two changes I made to get this working:

  1. In processing the raw rules, I have this step: sed -i 's/pcre:/pcre2:/g' snort.rules
  2. I modified /etc/snort/local.lua as follows:
 detection = { 
        hyperscan_literals = true,
-       pcre_to_regex = true,
+       -- pcre_to_regex = true,
+       pcre2_to_regex = false,
 }
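A way to script the two adjustments graysky2 lists above so they can be re-run and checked, as an added example that is not part of this PR or of the snort3 package. The rules file and local.lua content are constructed samples, and the assumption that a rule option keyword is always preceded by `(`, `;` or a space is mine, not something the thread states:

```shell
#!/bin/sh
# Added example, not from the PR or the snort3 package: script the two manual
# adjustments described in the thread (rename the legacy `pcre:` rule option
# to `pcre2:`, and find local.lua detection blocks still using the old key)
# so they are safe to re-run and their effect can be inspected.
# Rules and local.lua below are constructed samples. The anchoring of the
# keyword on '(', ';' or a space is an assumption about rule syntax.

# Write a small constructed rules file to $1.
make_sample_rules() {
    cat > "$1" <<'EOF'
# constructed sample rules, not real signatures
alert tcp any any -> any 80 (msg:"sample one"; pcre:"/foo/i"; sid:1000001; rev:1;)
alert tcp any any -> any 80 (msg:"sample two"; content:"pcre:"; sid:1000002; rev:1;)
alert tcp any any -> any 443 (msg:"sample three"; pcre2:"/bar/"; sid:1000003; rev:1;)
EOF
}

# Number of rules still using the legacy keyword (prints 0 when none).
count_legacy_pcre() {
    grep -c '[( ;]pcre:' "$1" || true
}

# Number of rules using the new keyword.
count_pcre2() {
    grep -c '[( ;]pcre2:' "$1" || true
}

# Rewrite pcre: -> pcre2: only where it appears as a rule option keyword,
# leaving a literal "pcre:" inside a content match untouched. A backup copy
# is kept beside the file, and running it twice is a no-op.
migrate_pcre_rules() {
    rules="$1"
    cp "$rules" "$rules.bak"
    sed 's/\([( ;]\)pcre:/\1pcre2:/g' "$rules.bak" > "$rules"
}

# Write a constructed local.lua detection block still using the old key to $1.
make_sample_lua() {
    cat > "$1" <<'EOF'
detection = {
    hyperscan_literals = true,
    pcre_to_regex = true,
}
EOF
}

# Count active (uncommented) pcre_to_regex lines, the key graysky2 reports
# having to replace; a commented line ("-- pcre_to_regex") is ignored.
count_stale_detection_keys() {
    grep -c '^[[:space:]]*pcre_to_regex' "$1" || true
}

# Stand-alone run: migrate a scratch copy and print the before/after counts.
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp -d)
    make_sample_rules "$tmp/snort.rules"
    make_sample_lua "$tmp/local.lua"
    echo "legacy pcre rules before: $(count_legacy_pcre "$tmp/snort.rules")"
    migrate_pcre_rules "$tmp/snort.rules"
    echo "legacy pcre rules after:  $(count_legacy_pcre "$tmp/snort.rules")"
    echo "pcre2 rules after:        $(count_pcre2 "$tmp/snort.rules")"
    echo "active pcre_to_regex keys in local.lua: $(count_stale_detection_keys "$tmp/local.lua")"
    rm -r "$tmp"
fi
```

The substitution is anchored on the character before the keyword so that a bare `pcre:` inside a `content:` match is not rewritten, which an unanchored global substitution would do and thereby change what that rule matches; the before/after counts make it easy to see that exactly the expected number of rules changed. Run with `--demo` to see the counts on the constructed sample.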

@efahl (Contributor) commented Nov 7, 2024

It still seems more appropriate to add wrappers in the API code so that the exported symbol names don't change (and thus the user defined lua-config files would need no modifications). The changes in an underlying library should not propagate into breaking changes in the config files (even if the original implementers of snort made the poor choice of using the underlying library's name in their public API).

@Ansuel (Member, Author) commented Nov 7, 2024

@efahl this might be O.K. for a trivial library/program, but not for a security intrusion program, where something silently changing might result in an intrusion not being detected.

I feel manual checkup is still needed. But yes needs to se... all the rename from pcre to pcre2 can be skipped but we need to discuss that.

@Neustradamus commented

@Ansuel: Thanks for your PR!

@graysky2 is here :)

A discussion here about pcre vs pcre2:

@graysky2 (Contributor) commented Nov 7, 2024

Upstream is actively working on this and thinking about the user experience (not changing configure files or tweaking rules). I do not know the timing though, and since our snort package has not been updated since dropping pcre, going back 5 months now, my recommendation is to merge this even though doing so will require users to make a few tweaks.

Bump snort3 to 3.5.1.0. Manually refresh the PCRE2 patch to latest
changes.

Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
@Ansuel changed the title from "snort3: bump to 3.5.0.0" to "snort3: bump to 3.5.1.0" on Nov 12, 2024
@graysky2 (Contributor) commented

3.5.1.0 works fine for me

Build system: x86/64
Build-tested: x86/64/AMD Cezanne
Run-tested: x86/64/AMD Cezanne

@graysky2 (Contributor) commented

@Ansuel - can you update for 3.5.2.0?

diff --git a/net/snort3/Makefile b/net/snort3/Makefile
index 14186d13ec12..1353ee6878b5 100644
--- a/net/snort3/Makefile
+++ b/net/snort3/Makefile
@@ -6,13 +6,13 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=snort3
-PKG_VERSION:=3.5.1.0
+PKG_VERSION:=3.5.2.0
 PKG_RELEASE:=1
 
 PKG_SOURCE_PROTO:=git
 PKG_SOURCE_VERSION:=$(PKG_VERSION)
 PKG_SOURCE_URL:=https://github.com/snort3/snort3
-PKG_MIRROR_HASH:=ba9c9ea48ceb915c4de2d3ad2d52f9333a8907ca6e1d2f9e139d98ba39fde807
+PKG_MIRROR_HASH:=c43db5c068c4b4564e7506ec5800f6a110689db0c2efc81e45311b2117a7a27d
 
 PKG_MAINTAINER:=W. Michael Petullo <mike@flyn.org>, John Audia <therealgraysky@proton.me>
 PKG_LICENSE:=GPL-2.0-only
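Review bot: the new PKG_MIRROR_HASH on the `+` line should be regenerated locally (e.g. `make package/snort3/check FIXUP=1`) against the tarball the mirror produces for tag 3.5.2.0, since PKG_SOURCE_PROTO:=git with PKG_SOURCE_VERSION:=$(PKG_VERSION) means the hash is only as trustworthy as the checkout it was computed from; copying a hash from elsewhere defeats the integrity check. Also, the second commit in this PR states that recent snort3 versions require libdaq3 3.0.17, and this hunk touches only PKG_VERSION and the hash, so confirm that 3.5.2.0 does not raise that requirement again. PKG_RELEASE staying at 1 is correct for a version bump.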
diff --git a/net/snort3/patches/900-core-convert-project-to-PCRE2.patch b/net/snort3/patches/900-core-convert-project-to-PCRE2.patch
index 25ef48faf15b..ac73aa5eb58b 100644
--- a/net/snort3/patches/900-core-convert-project-to-PCRE2.patch
+++ b/net/snort3/patches/900-core-convert-project-to-PCRE2.patch
@@ -242,7 +242,7 @@ Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
    * bool detection.enable_address_anomaly_checks = false: enable
      check and alerting of address anomalies
    * bool detection.enable_strict_reduction = false: enable strict
-@@ -8213,11 +8213,11 @@ Configuration:
+@@ -8216,11 +8216,11 @@ Configuration:
      }
  
  
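Review bot: this hunk and the ones that follow in 900-core-convert-project-to-PCRE2.patch change only the line numbers inside the nested `@@` headers (8213 to 8216 here) and leave every `+`/`-` line untouched, i.e. they are a context refresh after the upstream documentation grew. That is the right thing to do, but it reviews more easily if the refresh is produced mechanically (`make package/snort3/refresh`, or `quilt refresh` inside the prepared source tree) and kept as its own commit, so a reviewer can confirm at a glance that no hunk body changed.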
@@ -256,7 +256,7 @@ Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
  
  Type: ips_option
  
-@@ -8225,15 +8225,15 @@ Usage: detect
+@@ -8228,15 +8228,15 @@ Usage: detect
  
  Configuration:
  
@@ -276,7 +276,7 @@ Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
  
  
  7.96. pkt_data
-@@ -8311,7 +8311,7 @@ Configuration:
+@@ -8314,7 +8314,7 @@ Configuration:
  --------------
  
  Help: rule option for matching payload data with hyperscan regex;
@@ -285,7 +285,7 @@ Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
  
  Type: ips_option
  
-@@ -9162,7 +9162,7 @@ locations, you can use these options:
+@@ -9165,7 +9165,7 @@ locations, you can use these options:
    * --with-pkg-libraries: specify the directory containing the
      package libraries.
  
@@ -294,7 +294,7 @@ Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
  iconv, and hyperscan packages. For more information on these
  libraries see the Getting Started section of the manual.
  
-@@ -9769,15 +9769,15 @@ libraries see the Getting Started sectio
+@@ -9772,15 +9772,15 @@ libraries see the Getting Started sectio
      offload fast pattern search (defaults to disabled) { 0:max32 }
    * int detection.offload_threads = 0: maximum number of simultaneous
      offloads (defaults to disabled) { 0:max32 }
@@ -316,7 +316,7 @@ Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
    * string detection.service_extension[].extend_to
      [].extend_to_service: service to extend to
    * string detection.service_extension[].service: service to perform
-@@ -10536,7 +10536,7 @@ libraries see the Getting Started sectio
+@@ -10539,7 +10539,7 @@ libraries see the Getting Started sectio
      that determined packet verdict
    * enum packet_tracer.output = console: select where to send packet
      trace { console | file }
@@ -325,7 +325,7 @@ Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
    * bool perf_monitor.base = true: enable base statistics
    * bool perf_monitor.cpu = false: enable cpu statistics
    * bool perf_monitor.flow = false: enable traffic statistics
-@@ -12367,10 +12367,10 @@ libraries see the Getting Started sectio
+@@ -12371,10 +12371,10 @@ libraries see the Getting Started sectio
      translation errors (sum)
    * payload_injector.http_injects: total number of http injections
      (sum)
@@ -339,7 +339,7 @@ Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
      recursion limit (sum)
    * perf_monitor.flow_tracker_creates: total number of flow trackers
      created (sum)
-@@ -16585,8 +16585,8 @@ and are not applicable elsewhere.
+@@ -16591,8 +16591,8 @@ and are not applicable elsewhere.
    * pass (ips_action): manage the counters for the pass action
    * payload_injector (basic): payload injection utility
    * pbb (codec): support for 802.1ah protocol
@@ -350,7 +350,7 @@ Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
    * perf_monitor (inspector): performance monitoring and flow
      statistics collection
    * pgm (codec): support for pragmatic general multicast
-@@ -16610,7 +16610,7 @@ and are not applicable elsewhere.
+@@ -16616,7 +16616,7 @@ and are not applicable elsewhere.
      identification system
    * references (basic): define reference systems used in rules
    * regex (ips_option): rule option for matching payload data with
@@ -359,7 +359,7 @@ Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
    * reject (ips_action): manage the data and the counters for the
      reject action
    * rem (ips_option): rule option to convey an arbitrary comment in
-@@ -17009,7 +17009,7 @@ and are not applicable elsewhere.
+@@ -17015,7 +17015,7 @@ and are not applicable elsewhere.
    * ips_option::msg: rule option summarizing rule purpose output with
      events
    * ips_option::mss: detection for TCP maximum segment size
@@ -368,7 +368,7 @@ Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
    * ips_option::pkt_data: rule option to set the detection cursor to
      the normalized packet data
    * ips_option::pkt_num: alert on raw packet number
-@@ -17019,7 +17019,7 @@ and are not applicable elsewhere.
+@@ -17025,7 +17025,7 @@ and are not applicable elsewhere.
    * ips_option::reference: rule option to indicate relevant attack
      identification system
    * ips_option::regex: rule option for matching payload data with
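Review bot: the header offsets grow unevenly across these hunks (+3 lines through `@@ -10536`, +4 at `@@ -12367`, +6 from `@@ -16585` on), which means the upstream manual gained lines at several points between 3.5.1.0 and 3.5.2.0. A hand-adjusted offset that is off by a line would still apply with fuzz and could land a documentation change next to the wrong option, so before merging, verify that the refreshed patch applies with zero fuzz and no offset warnings and that the `pcre`/`pcre2` documentation hunks still sit on the matching 3.5.2.0 manual entries.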
-- 
2.47.0
