README.SLACKWARE
================
Documentation
-------------
This package builds a very basic snort implementation useful for monitoring
traffic as an IDS or packet logger and as a sort of improved tcpdump. More
information can be found at the following URLs:
https://www.snort.org/ (homepage)
https://www.snort.org/#documents (documentation links)
http://manual.snort.org/ (user manual)
Running the SlackBuild
----------------------
By default, non-Ethernet decoders (for example, venet0) are enabled. If
you need to disable this for performance reasons, use the option
'NON_ETHER=no':
    NON_ETHER=no ./snort.SlackBuild
Starting snort
--------------
An rc.snort file has been included for your convenience, but it needs to be
added to your init script of choice to run on boot. You should modify the
variables in /etc/rc.d/rc.snort to reflect the interface you want to monitor,
or start it as:
    IFACE=xxxx /etc/rc.d/rc.snort start|stop|restart
As an example, you can put this in your /etc/rc.d/rc.local script:
    if [ -x /etc/rc.d/rc.snort ]; then
      IFACE=eth1 /etc/rc.d/rc.snort start
    fi
and put this in your /etc/rc.d/rc.local_shutdown:
    if [ -x /etc/rc.d/rc.snort ]; then
      IFACE=xxxx /etc/rc.d/rc.snort stop
    fi
Installing and Updating Rules
-----------------------------
In order for Snort to function properly, you need to download rules, and
you need to update the rules regularly.
You can get a paid subscription for the latest rules at
https://www.snort.org/products
or you can register for free to download rules >30 days old at
https://www.snort.org/users/sign_up
then download your rules from
https://www.snort.org/snort-rules
The downloaded .tar.gz file contains rules and updated configuration files.
Be careful merging them, as you will probably have customized a few settings
in your snort.conf. You need to
  1) put the new rules/* into /etc/snort/rules/
  2) put the new preproc_rules/* into /etc/snort/preproc_rules/
  3) put the new etc/* into /etc/snort/ (except for snort.conf)
  4) review any changes to snort.conf and merge them into /etc/snort.conf
  5) restart snort:
       # IFACE=xxxx /etc/rc.d/rc.snort restart
Below is a sample script that you can use to do steps 1-3 automatically.
The script installs the new configuration as snort.conf.new, so that you can
review it.
#!/bin/bash
#=============================================================================
# Sample script to update snort rules, signatures and configurations
# *** USE AT YOUR OWN RISK *** NO GUARANTEES ***
#=============================================================================
# Written by Niels Horn
# Maintained by David Spencer <baildon.research@googlemail.com>
# v2 2015-02-22 dbs

CONFDIR=/etc/snort

# Exit on most errors
set -e

if [ -z "$1" ]; then
  echo "Please specify snortrules-snapshot file:"
  echo "  $0 snortrules-snapshot-nnnn.tar.gz"
  exit 1
fi

# Configuration files
echo "*** Updating configuration files..."
# only the archive's top-level etc/ directory holds configuration files,
# so anchor the match to avoid picking up other paths that contain "etc/"
for cf in $( tar tf "$1" | grep "^etc/" ); do
  if [ ! "$cf" = "etc/" ]; then
    file=$(basename "$cf")
    tar -o -xf "$1" "$cf" -O > "$CONFDIR/$file.new"
    # check if it is "snort.conf"
    if [ "$file" = "snort.conf" ]; then
      # leave it as snort.conf.new for review, with the library path
      # rewritten for Slackware's /usr/lib or /usr/lib64
      LIBDIRSUFFIX=""
      [ "$(uname -m)" = 'x86_64' ] && LIBDIRSUFFIX="64"
      sed -i -e "s#/usr/local/lib/#/usr/lib$LIBDIRSUFFIX/#g" "$CONFDIR/snort.conf.new"
    else
      # OK, it is something else, we can handle this
      if [ -r "$CONFDIR/$file" ]; then
        # we have a previous version
        if [ "$(md5sum <"$CONFDIR/$file")" = "$(md5sum <"$CONFDIR/$file.new")" ]; then
          # nothing new, dump previous version
          rm "$CONFDIR/$file"
        else
          # keep previous version
          mv -f "$CONFDIR/$file" "$CONFDIR/$file.old"
        fi
      fi
      # move new file over
      mv -f "$CONFDIR/$file.new" "$CONFDIR/$file"
    fi
  fi
done

# rules
echo "*** Updating rules..."
tar -o --strip-components=1 --directory=/etc/snort/rules --wildcards -xf "$1" 'rules/*'

# preproc-rules
echo "*** Updating preproc_rules..."
tar -o --strip-components=1 --directory=/etc/snort/preproc_rules --wildcards -xf "$1" 'preproc_rules/*'

echo "All done."
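Two helpers added here as an example (not part of README.SLACKWARE or the update script above) for the procedure in this section: check_snapshot lists the downloaded tarball and refuses it when any member name is absolute, contains a ".." component, or lies outside the top-level directories the script extracts (etc, rules, preproc_rules, plus so_rules, which is an assumption); conf_changes prints only the non-comment differences between the installed snort.conf and snort.conf.new, which is what the step 4 review needs to look at.

```shell
#!/bin/sh
# Added example, not the README's or the SBo script's own code.
# Expected top-level directories of a snortrules-snapshot are an assumption
# based on the paths the update script extracts.

# Read archive member names on stdin; exit 0 only if every name is safe to
# extract under /etc/snort (no absolute path, no "..", known top directory).
check_member_names() {
    awk '
        /^\//                                          { bad = 1 }  # absolute path
        /(^|\/)\.\.(\/|$)/                             { bad = 1 }  # ".." component
        !/^(etc|rules|preproc_rules|so_rules)(\/|$)/   { bad = 1 }  # unknown top dir
        END { exit bad ? 1 : 0 }
    '
}

# List the tarball given as $1 and run the member-name check on it.
check_snapshot() {
    tar tf "$1" | check_member_names
}

# Unified diff of the active (non-comment, non-blank) lines of two snort.conf
# files: $1 installed, $2 new. Exits 0 when equivalent, 1 when they differ.
conf_changes() {
    old=$(mktemp) && new=$(mktemp) || return 2
    grep -Ev '^[[:space:]]*(#|$)' "$1" > "$old" || true
    grep -Ev '^[[:space:]]*(#|$)' "$2" > "$new" || true
    if diff -u "$old" "$new"; then rc=0; else rc=$?; fi
    rm -f "$old" "$new"
    return $rc
}

# Usage: check_snapshot snortrules-snapshot-nnnn.tar.gz && ./update-script ...
#        conf_changes /etc/snort/snort.conf /etc/snort/snort.conf.new
```

Run check_snapshot before the update script and conf_changes afterwards, before merging anything into the live snort.conf.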