path: root/network/snort/README.SLACKWARE
blob: 6bcf0714d1cd83e463701cdf9fd18fd8f9da74b2 (plain)
README.SLACKWARE
================

Documentation
-------------

This package builds a fairly basic Snort installation, useful for monitoring
traffic as an IDS or packet logger, or as a sort of improved tcpdump. More
information can be found at the following URLs:
  https://www.snort.org/               (homepage)
  https://www.snort.org/#documents     (documentation links)
  http://manual.snort.org/             (user manual)


Running the SlackBuild
----------------------

By default, the non-Ethernet decoders (needed for interfaces such as venet0)
are enabled. If you need to disable them for performance reasons, use the
option 'NON_ETHER=no':

  NON_ETHER=no ./snort.SlackBuild


Starting snort
--------------

An rc.snort file has been included for your convenience, but it needs to be
added to your init script of choice to run on boot. You should modify the
variables in /etc/rc.d/rc.snort to reflect the interface you want to monitor,
or start it as:

  IFACE=xxxx /etc/rc.d/rc.snort start|stop|restart

As an example, you can put this in your /etc/rc.d/rc.local script:

  if [ -x /etc/rc.d/rc.snort ]; then
    IFACE=eth1 /etc/rc.d/rc.snort start
  fi

and put this in your /etc/rc.d/rc.local_shutdown, using the same interface:

  if [ -x /etc/rc.d/rc.snort ]; then
    IFACE=eth1 /etc/rc.d/rc.snort stop
  fi


Installing and Updating Rules
-----------------------------

In order for Snort to function properly, you need to download rules, and
you need to update the rules regularly.

You can get a paid subscription for the latest rules at
  https://www.snort.org/products

or you can register for free to download rules >30 days old at
  https://www.snort.org/users/sign_up
then download your rules from
  https://www.snort.org/snort-rules

The downloaded .tar.gz file contains rules and updated configuration files.
Be careful merging them, as you will probably have customized a few settings
in your snort.conf. You need to

1) put the new rules/*          into /etc/snort/rules/
2) put the new preproc_rules/*  into /etc/snort/preproc_rules/
3) put the new etc/*            into /etc/snort/ (except for snort.conf)
4) review any changes to snort.conf and merge them into /etc/snort/snort.conf
5) restart snort:
   # IFACE=xxxx /etc/rc.d/rc.snort restart

Below is a sample script that you can use to do steps 1-3 automatically.
The script installs the new configuration as snort.conf.new, so that you can
review it.

#!/bin/bash
#=============================================================================
# Sample script to update snort rules, signatures and configurations
# *** USE AT YOUR OWN RISK *** NO GUARANTEES ***
#=============================================================================
# Written by Niels Horn
# Maintained by David Spencer <baildon.research@googlemail.com>
# v2 2015-02-22 dbs

CONFDIR=/etc/snort

# Exit on most errors
set -e

if [ -z "$1" ]; then
  echo "Please specify snortrules-snapshot file:"
  echo "  $0 snortrules-snapshot-nnnn.tar.gz"
  exit 1
fi

# Configuration files
echo "*** Updating configuration files..."
for cf in $( tar tf "$1" | grep "etc/" ); do
  if [ ! "$cf" = "etc/" ]; then
    file=$(basename "$cf")
    tar -o -xf "$1" "$cf" -O > "$CONFDIR/$file.new"
    # check if it is "snort.conf": keep it as snort.conf.new for manual review
    if [ "$file" = "snort.conf" ]; then
      # the upstream file references /usr/local/lib/; Slackware installs
      # the dynamic preprocessor libraries under /usr/lib/ or /usr/lib64/
      LIBDIRSUFFIX=""
      [ "$(uname -m)" = 'x86_64' ] && LIBDIRSUFFIX="64"
      sed -i -e "s#/usr/local/lib/#/usr/lib$LIBDIRSUFFIX/#g" "$CONFDIR/snort.conf.new"
    else
      # OK, it is something else, we can handle this
      if [ -r "$CONFDIR/$file" ]; then
        # we have a previous version
        if [ "$(md5sum <"$CONFDIR/$file")" = "$(md5sum <"$CONFDIR/$file.new")" ]; then
          # nothing new, dump previous version
          rm "$CONFDIR/$file"
        else
          # keep previous version
          mv -f "$CONFDIR/$file" "$CONFDIR/$file.old"
        fi
      fi
      # move new file over
      mv -f "$CONFDIR/$file.new" "$CONFDIR/$file"
    fi
  fi
done

# rules (overwrites existing files of the same name)
echo "*** Updating rules..."
tar -o --strip-components=1 --directory="$CONFDIR/rules" --wildcards -xf "$1" 'rules/*'

# preproc-rules
echo "*** Updating preproc_rules..."
tar -o --strip-components=1 --directory="$CONFDIR/preproc_rules" --wildcards -xf "$1" 'preproc_rules/*'

echo "All done."
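The script above stops short of step 4. The helper below is an added example, not part of the SlackBuild or of the script above: it carries the ipvar/portvar/var lines you customised in the installed snort.conf into snort.conf.new, leaves every other line as shipped, and prints a diff so you can still see what changed. The function and file names are this example's own, and the two sample configuration files it writes are constructed.

```shell
#!/bin/bash
# Added helper for step 4: carry locally customised ipvar/portvar/var lines from
# the installed snort.conf into snort.conf.new; all other lines stay as shipped.
set -e
# merge_snort_vars OLD NEW OUT: write NEW to OUT, substituting each
# "ipvar|portvar|var NAME ..." line with the same-named line from OLD.
# Prints the number of lines that were replaced by a differing local value.
merge_snort_vars() {
  local old="$1" new="$2" out="$3"
  awk -v out="$out" '
    FILENAME == ARGV[1] {                 # OLD: remember local definitions
      if ($1 ~ /^(ipvar|portvar|var)$/) local_def[$1 " " $2] = $0
      next
    }
    {                                     # NEW: substitute where one exists
      key = $1 " " $2
      if ($1 ~ /^(ipvar|portvar|var)$/ && (key in local_def)) {
        if ($0 != local_def[key]) carried++
        print local_def[key] > out
      } else print > out
    }
    END { print carried + 0 }
  ' "$old" "$new"
}
# Constructed sample files (not real snort.org content): an installed snort.conf
# with three customised settings, and the snort.conf shipped in a new tarball.
write_samples() {
  cat > "$1/snort.conf" <<'EOF'
ipvar HOME_NET [192.168.1.0/24]
ipvar EXTERNAL_NET !$HOME_NET
var RULE_PATH /etc/snort/rules
include $RULE_PATH/local.rules
EOF
  cat > "$1/snort.conf.new" <<'EOF'
ipvar HOME_NET any
ipvar EXTERNAL_NET any
var RULE_PATH ../rules
var WHITE_LIST_PATH ../rules
preprocessor sfportscan: proto { all } memcap { 10000000 }
include $RULE_PATH/local.rules
EOF
}
demo() {   # run the merge on the samples and show what still needs review
  local dir; dir=$(mktemp -d)
  write_samples "$dir"
  merge_snort_vars "$dir/snort.conf" "$dir/snort.conf.new" "$dir/snort.conf.merged"
  diff -u "$dir/snort.conf.new" "$dir/snort.conf.merged" || true
  rm -r "$dir"
}
demo
```

Run it against /etc/snort/snort.conf and /etc/snort/snort.conf.new instead of the samples, then review the diff before moving the merged file into place and restarting snort (step 5).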