Diffstat (limited to 'network/snort')
-rw-r--r--  network/snort/README            34
-rw-r--r--  network/snort/README.SLACKWARE  48
-rw-r--r--  network/snort/doinst.sh         19
-rw-r--r--  network/snort/rc.snort          53
-rw-r--r--  network/snort/slack-desc         6
-rw-r--r--  network/snort/snort.SlackBuild  98
-rw-r--r--  network/snort/snort.info        10
7 files changed, 196 insertions, 72 deletions
diff --git a/network/snort/README b/network/snort/README index 6a15d09b62..52132b6ce9 100644 --- a/network/snort/README +++ b/network/snort/README @@ -3,8 +3,8 @@ is capable of performing real-time traffic analysis, alerting, blocking and packet logging on IP networks. It utilizes a combination of protocol analysis and pattern matchingin order to detect a anomalies, misuse and attacks. Snort uses a flexible rules language to describe activity that can be considered -malicious or anomalous as well as an analysis engine that incorporates a modular -plugin architecture. Snort is capable of detecting and responding in real-time, +malicious or anomalous as well as an analysis engine that incorporates a modular +plugin architecture. Snort is capable of detecting and responding in real-time, sending alerts, performing session sniping, logging packets, or dropping sessions/packets when deployed in-line. 
@@ -12,31 +12,5 @@ Snort has three primary functional modes. It can be used as a packet sniffer like tcpdump(1), a packet logger (useful for network traffic debugging, etc), or as a full blown network intrusion detection and prevention system. -Please read the snort_manual.pdf file that should be included with this -distribution for full documentation on the program as well as a guide to -getting started. - -This package builds a very basic snort implimentation useful for monitoring -traffic as an IDS or packet logger and as a sort of improved tcpdump (which -is what I use it for). MySQL support is included, so you should have little -trouble hooking snort up to a database or ACID. For more information on -these, check out snort's homepage at: - - http://www.snort.org/ - http://www.snort.org/docs/ - -snort.org has a nasty habit of changing the location of their source -code, which means there's no garauntee that the link in snort.info is -correct. If you can't get that link to work, look for the source code at: - - http://www.snort.org/dl/old/ - -Please note that this build script disables dynamic plugins. This can be -easily added by deleting the following line in the script. - - --disable-dynamicplugin \ - -This will put the headers and source for dynamic plugins into /usr/src/snort. -There is no rc.snort script included with this script at this time, but you -should have little trouble creating one of your own. Please e-mail me with -any questions or comments. -- Alan Hicks <alan@lizella.net> +Note that --libdir seems to be ignored on Slackware64; libraries are installed +to /usr/lib anyway. diff --git a/network/snort/README.SLACKWARE b/network/snort/README.SLACKWARE new file mode 100644 index 0000000000..05fa4f438e --- /dev/null +++ b/network/snort/README.SLACKWARE 
@@ -0,0 +1,48 @@ +Snort has three primary functional modes. It can be used as a packet sniffer +like tcpdump(1), a packet logger (useful for network traffic debugging, etc), +or as a full blown network intrusion detection and prevention system. + +Please read the snort_manual.pdf file that should be included with this +distribution for full documentation on the program as well as a guide to +getting started. + +This package builds a very basic snort implimentation useful for monitoring +traffic as an IDS or packet logger and as a sort of improved tcpdump (which +is what I use it for). MySQL support is included, so you should have little +trouble hooking snort up to a database or ACID. For more information on +these, check out snort's homepage at: + + http://www.snort.org/ + http://www.snort.org/docs/ + +snort.org has a nasty habit of changing the location of their source +code, which means there's no garauntee that the link in snort.info is +correct. If you can't get that link to work, look for the source code at: + + http://www.snort.org/dl/old/ + +In order for Snort to function properly, you need to provide rule files. +I recommend registering for free at http://www.snorg.org so you can get these +files. Once you have done that, go to http://snort.org/pub-bin/downloads.cgi +and get the latest 2.8 series VRT Certified Rules. You need to untar this +file and place follow files from etc in the tarball in to your /etc/snort +directory : + +generators +gen-msg.map +sid +sid-msg.map + +If you are going to use a front end like Base, you should copy the +dog/signatures directory from the tarball in to +/usr/doc/snort-$VERSION/ . Last, but certainly not least, you must +copy the contents of the rules/ directory in the tarball to +/etc/snort/rules/ . After you've done this, you can safely restart +snort or send a HUP to snort to reload the files (killall -HUP snort). 
+ +A rc.snort file has been included for your convenience, but it needs to be +added to your init script of choice to run on boot. You should modify the +variables in /etc/rc.d/rc.snort to reflect the interface you want to monitor. +This Slackbuild is no longer maintained by Alan Hicks, but rather me +(Thomas York), so email me instead if you have any questions. + --Thomas York (straterra@fuhell.com) diff --git a/network/snort/doinst.sh b/network/snort/doinst.sh index f10be9c005..fa5bf4b741 100644 --- a/network/snort/doinst.sh +++ b/network/snort/doinst.sh @@ -1,18 +1,29 @@ -#!/bin/sh - config() { NEW="$1" - OLD="`dirname $NEW`/`basename $NEW .new`" + OLD="$(dirname $NEW)/$(basename $NEW .new)" # If there's no config file by that name, mv it over: if [ ! -r $OLD ]; then mv $NEW $OLD - elif [ "`cat $OLD | md5sum`" = "`cat $NEW | md5sum`" ]; then # toss the redundant copy + elif [ "$(cat $OLD | md5sum)" = "$(cat $NEW | md5sum)" ]; then # toss the redundant copy rm $NEW fi # Otherwise, we leave the .new copy for the admin to consider... } +# Keep same perms on rc.snort.new: +if [ -e etc/rc.d/rc.snort ]; then + cp -a etc/rc.d/rc.snort etc/rc.d/rc.snort.new.incoming + cat etc/rc.d/rc.snort.new > etc/rc.d/rc.snort.new.incoming + mv etc/rc.d/rc.snort.new.incoming etc/rc.d/rc.snort.new +fi + +config etc/rc.d/rc.snort.new config etc/snort/snort.conf.new config etc/snort/reference.config.new config etc/snort/threshold.conf.new +config etc/snort/attribute_table.dtd.new +config etc/snort/classification.config.new +config etc/snort/gen-msg.map.new +config etc/snort/sid-msg.map.new +config etc/snort/unicode.map.new diff --git a/network/snort/rc.snort b/network/snort/rc.snort new file mode 100644 index 0000000000..d91941e822 --- /dev/null +++ b/network/snort/rc.snort 
@@ -0,0 +1,53 @@ +#!/bin/sh +# Start/stop/restart snort + +# This tell snort which interface to listen on (any for every interface) +IFACE=${IFACE:-any} + +# Make sure this matches your IFACE +PIDFILE=/var/run/snort_$IFACE.pid + +# You probably don't want to change this, but in case you do +LOGDIR="/var/log/snort" + +# Probably not this either +CONF=/etc/snort/snort.conf + +# Start snort: +snort_start() { + CMDLINE="/usr/bin/snort -d -D -i $IFACE" + echo -n "Starting Snort daemon: $CMDLINE" + $CMDLINE --pid-path /var/run --create-pidfile -l $LOGDIR -c $CONF + echo +} + +# Stop snort: +snort_stop() { + echo -n "Stopping Snort daemon ($IFACE)..." + kill $(cat $PIDFILE) + echo + sleep 1 + rm -f $PIDFILE +} + +# Restart snort: +snort_restart() { + snort_stop + sleep 1 + snort_start +} + +case "$1" in +'start') + snort_start + ;; +'stop') + snort_stop + ;; +'restart') + snort_restart + ;; +*) + echo "usage $0 start|stop|restart" +esac + diff --git a/network/snort/slack-desc b/network/snort/slack-desc index cc4035ea3c..4d2f8cc2c8 100644 --- a/network/snort/slack-desc +++ b/network/snort/slack-desc @@ -11,9 +11,9 @@ snort: snort: Snort is an open source network intrusion detection and prevention snort: system. It is capable of performing real-time traffic analysis, snort: alerting, blocking and packet logging on IP networks. It utilizes a -snort: combination of protocol analysis and pattern matchingin order to detect -snort: anomalies, misuse and attacks. +snort: combination of protocol analysis and pattern matchingin order to +snort: detect anomalies, misuse and attacks. snort: Snort is capable of detecting and responding in real-time, sending snort: alerts, performing session sniping, logging packets, or dropping snort: sessions/packets when deployed in-line. -snort: +snort: diff --git a/network/snort/snort.SlackBuild b/network/snort/snort.SlackBuild index d12fa64d25..7168c20f76 100644 --- a/network/snort/snort.SlackBuild +++ b/network/snort/snort.SlackBuild 
@@ -1,5 +1,7 @@ #!/bin/sh -# Copyright 2006, Alan Hicks, Lizella, GA + +# Copyright 2006-2009, Alan Hicks, Lizella, GA, +# Copyright 2009, Thomas York, Beech Grove, In. # All rights reserved. # # Redistribution and use of this script, with or without modification, is 
@@ -22,65 +24,101 @@ # Modified by the SlackBuilds.org project PRGNAM=snort -VERSION=2.6.1.5 +VERSION=2.8.4.1 ARCH=${ARCH:-i486} BUILD=${BUILD:-1} TAG=${TAG:-_SBo} + CWD=$(pwd) TMP=${TMP:-/tmp/SBo} -PKG=$TMP/pkg-$PRGNAM +PKG=$TMP/package-$PRGNAM OUTPUT=${OUTPUT:-/tmp} if [ "$ARCH" = "i486" ]; then SLKCFLAGS="-O2 -march=i486 -mtune=i686" + LIBDIRSUFFIX="" elif [ "$ARCH" = "i686" ]; then SLKCFLAGS="-O2 -march=i686 -mtune=i686" + LIBDIRSUFFIX="" +elif [ "$ARCH" = "x86_64" ]; then + SLKCFLAGS="-O2 -fPIC" + LIBDIRSUFFIX="64" fi +set -e + rm -rf $PKG mkdir -p $TMP $PKG $OUTPUT -cd $TMP || exit 1 +cd $TMP rm -rf $PRGNAM-$VERSION -tar xzvf $CWD/$PRGNAM-$VERSION.tar.gz || exit 1 -cd $PRGNAM-$VERSION || exit 1 +tar xvf $CWD/$PRGNAM-$VERSION.tar.gz +cd $PRGNAM-$VERSION -# Fix ownership and permissions inside the source tarball. -# It's appalling how many projects have 777 permissions or -# even suid, sgid, and sticky bits set on things. chown -R root:root . -chmod -R u+w,go+r-w,a-s . +find . \ + \( -perm 777 -o -perm 775 -o -perm 711 -o -perm 555 -o -perm 511 \) \ + -exec chmod 755 {} \; -o \ + \( -perm 666 -o -perm 664 -o -perm 600 -o -perm 444 -o -perm 440 -o -perm 400 \) \ + -exec chmod 644 {} \; CFLAGS="$SLKCFLAGS" \ CXXFLAGS="$SLKCFLAGS" \ ./configure \ --prefix=/usr \ + --libdir=/usr/lib${LIBDIRSUFFIX} \ --sysconfdir=/etc \ + --mandir=/usr/man \ --localstatedir=/var \ + --docdir=/usr/doc/$PRGNAM-$VERSION \ --enable-pthread \ --enable-linux-smp-stats \ - --with-mysql=/usr \ - --disable-dynamicplugin \ - || exit 1 - -make || exit 1 -make install-strip DESTDIR=$PKG || exit 1 - -if [ -d $PKG/usr/man ]; then - ( cd $PKG/usr/man - find . -type f -exec gzip -9 {} \; - for i in $(find . 
-type l) ; do ln -s $(readlink $i).gz $i.gz ; rm $i ; done - ) -fi + --with-mysql-libraries=/usr/lib${LIBDIRSUFFIX}/mysql \ + --with-mysql-includes=/usr/include/mysql \ + --build=$ARCH-slackware-linux -mkdir -p $PKG/usr/doc/$PRGNAM-$VERSION -cp -a COPYING ChangeLog LICENSE RELEASE.NOTES doc/* $PKG/usr/doc/$PRGNAM-$VERSION/ -cat $CWD/$PRGNAM.SlackBuild > $PKG/usr/doc/$PRGNAM-$VERSION/$PRGNAM.SlackBuild +make +make install-strip DESTDIR=$PKG -# Setup a sane config directory - snort won't do this on its own -mkdir -p $PKG/etc/snort -cat etc/snort.conf > $PKG/etc/snort/snort.conf.new -cat etc/reference.config > $PKG/etc/snort/reference.config.new +( cd $PKG/usr/man + find . -type f -exec gzip -9 {} \; + for i in $(find . -type l) ; do ln -s $(readlink $i).gz $i.gz ; rm $i ; done +) + +# Set up a sane config directory - snort won't do this on its own +mkdir -p $PKG/etc/$PRGNAM +# Fix paths for libraries in snort.conf +sed -e 's%usr/local%usr%g' etc/snort.conf > $PKG/etc/snort/snort.conf.new cat etc/threshold.conf > $PKG/etc/snort/threshold.conf.new +cat etc/reference.config > $PKG/etc/snort/reference.config.new +cat etc/classification.config > $PKG/etc/snort/classification.config.new +cat etc/attribute_table.dtd > $PKG/etc/snort/attribute_table.dtd.new +cat etc/gen-msg.map > $PKG/etc/snort/gen-msg.map.new +cat etc/sid-msg.map > $PKG/etc/snort/sid-msg.map.new +cat etc/unicode.map > $PKG/etc/snort/unicode.map.new + +# Create default, empty directory for rules +mkdir -p $PKG/etc/snort/rules +mkdir -p $PKG/etc/snort/preproc_rules + +# Include the rc.snort file +mkdir -p $PKG/etc/rc.d +cat $CWD/rc.snort > $PKG/etc/rc.d/rc.snort.new +chmod 0755 $PKG/etc/rc.d/rc.snort.new + +# Create directory for logging +mkdir -p $PKG/var/log/snort + +# Bundle the SQL schemas and install the docs +mkdir -p $PKG/usr/doc/$PRGNAM-$VERSION/schemas +for file in schemas/create_*; do + cat $file > $PKG/usr/doc/$PRGNAM-$VERSION/$file +done +cp -a COPYING ChangeLog LICENSE RELEASE.NOTES doc/* \ + 
$PKG/usr/doc/$PRGNAM-$VERSION +cat $CWD/$PRGNAM.SlackBuild > $PKG/usr/doc/$PRGNAM-$VERSION/$PRGNAM.SlackBuild +cat $CWD/README.SLACKWARE > $PKG/usr/doc/$PRGNAM-$VERSION/README.SLACKWARE +find $PKG/usr/doc -name "Makefile*" -exec rm -f {} \; +rm -rf $PKG/usr/share mkdir -p $PKG/install cat $CWD/slack-desc > $PKG/install/slack-desc diff --git a/network/snort/snort.info b/network/snort/snort.info index de7b99f343..ca5339190f 100644 --- a/network/snort/snort.info +++ b/network/snort/snort.info @@ -1,8 +1,8 @@ PRGNAM="snort" -VERSION="2.6.1.5" +VERSION="2.8.4.1" HOMEPAGE="http://www.snort.org/" -DOWNLOAD="http://www.snort.org/dl/old/snort-2.6.1.5.tar.gz" -MD5SUM="e52a7ea6ba9743a8f8ca397cd26fa1bf" -MAINTAINER="Alan_Hicks" -EMAIL="alan@lizella.net" +DOWNLOAD="http://dl.snort.org/snort-current/snort-2.8.4.1.tar.gz" +MD5SUM="63f4e76ae96a2d133f4c7b741bad5458" +MAINTAINER="Thomas_York" +EMAIL="straterra@fuhell.com" APPROVED="rworkman" |
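Review bot: README, second hunk: the added note "--libdir seems to be ignored on Slackware64" is hedged; either confirm it (the SlackBuild below passes --libdir=/usr/lib${LIBDIRSUFFIX} and --with-mysql-libraries=/usr/lib${LIBDIRSUFFIX}/mysql, so a reader will expect those to take effect) and state it plainly, or drop the sentence until it has been checked. The first hunk only strips trailing whitespace from the two "malicious or anomalous" lines while the context line "pattern matchingin order to detect a anomalies" keeps two typos; since this file is being edited anyway, fix "matchingin" and "a anomalies".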
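Review bot: README.SLACKWARE, the rules paragraph: "http://www.snorg.org" looks like a typo for http://www.snort.org (the HOMEPAGE used everywhere else in this commit) and "dog/signatures" for "doc/signatures"; both send the user to the wrong place. The same paragraph should also mention that the package already installs /etc/snort/gen-msg.map and /etc/snort/sid-msg.map from the source tarball, so copying the VRT versions over them means the config() function in doinst.sh will leave a .new file on every later upgrade rather than replace them. Typos carried over from the old README: "implimentation", "garauntee", "place follow files".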
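Review bot: rc.snort, snort_stop: `kill $(cat $PIDFILE)` is run with an empty argument when the pid file is missing (a failed start, or a stop after a crash), and `rm -f $PIDFILE` follows regardless; wrap it as `if [ -r $PIDFILE ]; then kill $(cat $PIDFILE); else echo "no pid file"; fi` so the condition is reported instead of swallowed. Separately, snort_start runs the daemon as root with no -u/-g: Snort can drop privileges after opening the capture interface, so passing `-u snort -g snort` (a hypothetical account this package does not create; the useradd/groupadd would need documenting in README.SLACKWARE) limits what a packet-parser bug in the daemon can reach, and /var/log/snort from the SlackBuild would then need to be owned by that account. Minor: the `echo` in snort_start prints $CMDLINE without the --pid-path, --create-pidfile, -l and -c arguments that are actually passed.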
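Review bot: slack-desc, the rewrapped line still reads "pattern matchingin order to"; since the line is being rewritten anyway, make it "pattern matching in order to". The final `-snort: ` / `+snort: ` pair differs only in trailing whitespace, which is fine, but worth a word in the commit message so it does not look accidental.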
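Review bot: snort.SlackBuild, config-directory section: `mkdir -p $PKG/etc/$PRGNAM` is immediately followed by `$PKG/etc/snort/...` redirections; pick one form. The log directory `mkdir -p $PKG/var/log/snort` is created with default permissions although it will hold packet logs and alert data, so add `chmod 0750 $PKG/var/log/snort` (and chown it if rc.snort is given a dedicated user). The `--with-mysql-libraries=/usr/lib${LIBDIRSUFFIX}/mysql` line contradicts the README note that --libdir is ignored on Slackware64; if libraries do land in /usr/lib regardless of $LIBDIRSUFFIX, say so in a comment here too so the next maintainer does not chase it. Removing `--disable-dynamicplugin` enables dynamic plugins, which is a real behaviour change from 2.6.1.5 and deserves a line in the commit message alongside the version bump.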
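Review bot: snort.info: the new DOWNLOAD at http://dl.snort.org/snort-current/snort-2.8.4.1.tar.gz lives under a "snort-current" path that will stop serving 2.8.4.1 once upstream rolls the current release, which is exactly the breakage the README paragraph about snort.org moving its sources warns about, yet the fallback that paragraph gives (http://www.snort.org/dl/old/) is still the old host. Keep the two in step, and keep MD5SUM pinned to the exact tarball this SlackBuild was tested against.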