From 75f2ad568a76b131b75575e8054e098dd819a01d Mon Sep 17 00:00:00 2001
From: Niels Horn
Date: Mon, 20 Sep 2010 19:23:25 -0400
Subject: network/snort: Added (Intrusion Detection and Prevention System)
Signed-off-by: dsomero
---
network/snort/README | 13 ++++
network/snort/README.SLACKWARE | 165 +++++++++++++++++++++++++++++++++++++++++
network/snort/doinst.sh | 33 +++++++++
network/snort/rc.snort | 53 +++++++++++++
network/snort/slack-desc | 19 +++++
network/snort/snort.SlackBuild | 149 +++++++++++++++++++++++++++++++++++++
network/snort/snort.info | 10 +++
7 files changed, 442 insertions(+)
create mode 100644 network/snort/README
create mode 100644 network/snort/README.SLACKWARE
create mode 100644 network/snort/doinst.sh
create mode 100644 network/snort/rc.snort
create mode 100644 network/snort/slack-desc
create mode 100644 network/snort/snort.SlackBuild
create mode 100644 network/snort/snort.info
(limited to 'network/snort')
diff --git a/network/snort/README b/network/snort/README
new file mode 100644
index 0000000000..249f906b22
--- /dev/null
+++ b/network/snort/README
@@ -0,0 +1,13 @@
+Snort is an open source network intrusion detection and prevention system. It
+is capable of performing real-time traffic analysis, alerting, blocking and
+packet logging on IP networks. It utilizes a combination of protocol analysis
+and pattern matching in order to detect a anomalies, misuse and attacks.
+Snort uses a flexible rules language to describe activity that can be considered
+malicious or anomalous as well as an analysis engine that incorporates a modular
+plugin architecture. Snort is capable of detecting and responding in real-time,
+sending alerts, performing session sniping, logging packets, or dropping
+sessions/packets when deployed in-line.
+
+Snort has three primary functional modes. It can be used as a packet sniffer
+like tcpdump(1), a packet logger (useful for network traffic debugging, etc),
+or as a full blown network intrusion detection and prevention system.
diff --git a/network/snort/README.SLACKWARE b/network/snort/README.SLACKWARE
new file mode 100644
index 0000000000..86115083da
--- /dev/null
+++ b/network/snort/README.SLACKWARE
@@ -0,0 +1,165 @@
+README.SLACKWARE
+================
+
+
+Documentation
+-------------
+
+Please read the snort_manual.pdf file that should be included with this
+distribution for full documentation on the program as well as a guide to
+getting started.
+
+This package builds a very basic snort implementation useful for monitoring
+traffic as an IDS or packet logger and as a sort of improved tcpdump.
+MySQL support is included, so you should have little trouble hooking snort up
+to a database or ACID. For more information on these, check out snort's
+homepage at:
+
+ http://www.snort.org/
+ http://www.snort.org/docs/
+
+
+Source tarball and newer releases
+---------------------------------
+
+snort.org has no direct links to the source tarball, that's why it is also
+hosted on http://www.nielshorn.net/
+This is needed for sbopkg to work.
+
+If you want a newer version than the one available there, check:
+
+ https://www.snort.org/snort-downloads
+
+
+Starting snort
+--------------
+
+An rc.snort file has been included for your convenience, but it needs to be
+added to your init script of choice to run on boot. You should modify the
+variables in /etc/rc.d/rc.snort to reflect the interface you want to monitor,
+or start it as:
+
+ IFACE=xxxx /etc/rc.d/rc.snort start|stop|restart
+
+As an example, you can put this in your /etc/rc.d/rc.local script:
+
+ if [ -x /etc/rc.d/rc.snort ]; then
+ IFACE=eth1 /etc/rc.d/rc.snort start
+ fi
+
+And this in your /etc/rc.d/rc.local_shutdown:
+
+ if [ -x /etc/rc.d/rc.snort ]; then
+ /etc/rc.d/rc.snort stop
+ fi
+
+
+Installing / Updating Rules etc.
+--------------------------------
+
+In order for Snort to function properly, you need to provide rule files.
+You can either get a paid subscription (newest rules) at:
+
+ https://www.snort.org/vrt/buy-a-subscription
+
+or register for free (only rules >30 days old) at:
+
+ https://www.snort.org/signup
+
+Then download your rules from:
+
+ https://www.snort.org/snort-rules
+
+The downloaded file contains the rules, signatures and updated configuration
+files. Be careful when updating these, as you will probably have customized
+a few settings in your snort.conf
+At the end of this file is a sample script that you can use as a base to
+automate unpacking of the tarball. It updates the rules, signatures and some
+configurations, but copies the new snort.conf as snort.conf.new, so that you
+can examine it later.
+This script is included only as an example and without any guarantee.
+** Use at your own risk! **
+
+Basically, you need to
+1) put the new rules/* into /etc/snort/rules/
+2) put the new preproc_rules/* into /etc/snort/preproc_rules/
+3) put the new doc/signatures/* into /usr/doc/snort-*/signatures/
+4) put the new etc/* into /etc/snort/ (except for snort.conf)
+
+After updating your files, restart snort with:
+
+ # /etc/rc.d/rc.snort restart
+
+=============================================================================
+Sample script to update rules, signatures and configurations
+*** USE AT YOUR OWN RISK *** NO GUARANTEES ***
+=============================================================================
+#!/bin/bash
+
+# snortrules_update
+#
+# Written by Niels Horn
+# Nothing guaranteed, use at your own risk!
+#
+# v1.00-2010/09/18 - first attempt
+#
+
+CWD=$(pwd)
+CONFDIR=/etc/snort
+
+# Exit on most errors
+set -e
+
+if [ "x$1" = "x" ]; then
+ echo "Specify snortrules-snapshot file:"
+ echo
+ echo " $0 "
+ echo
+ exit 1
+fi
+
+# Configuration files
+echo "*** Updating configuration files..."
+for cf in $( tar tf $1 | grep "etc/" ); do
+ if [ ! "$cf" = "etc/" ]; then
+ file=$(basename $cf)
+ tar -xf $1 $cf -O > $CONFDIR/$file.new
+ # check if it is "snort.conf"
+ if [ ! "$file" = "snort.conf" ]; then
+ # OK, it is something else, we can handle this
+ if [ -r $CONFDIR/$file ]; then
+ # we have a previous version
+ if [ "$(cat $CONFDIR/$file | md5sum)" = "$(cat $CONFDIR/$file.new | md5sum)" ]; then
+ # nothing new, dump previous version
+ rm $CONFDIR/$file
+ else
+ # keep previous version
+ mv -f $CONFDIR/$file $CONFDIR/$file.old
+ fi
+ fi
+ # move new file over
+ mv -f $CONFDIR/$file.new $CONFDIR/$file
+ fi
+ fi
+done
+
+# rules
+echo "*** Updating rules..."
+cd /etc/snort/rules
+ tar --strip-components=1 --wildcards -xf $CWD/$1 rules/*
+cd - > /dev/null
+
+# preproc-rules
+echo "*** Updating preproc_rules..."
+cd /etc/snort/preproc_rules
+ tar --strip-components=1 --wildcards -xf $CWD/$1 preproc_rules/*
+cd - > /dev/null
+
+# signatures
+echo "*** Updating signatures..."
+cd /usr/doc/snort-*/signatures
+ tar --strip-components=2 --wildcards -xf $CWD/$1 doc/signatures/*
+cd - > /dev/null
+
+echo "All done."
+
diff --git a/network/snort/doinst.sh b/network/snort/doinst.sh
new file mode 100644
index 0000000000..ee9ebe7752
--- /dev/null
+++ b/network/snort/doinst.sh
@@ -0,0 +1,33 @@
+config() {
+ NEW="$1"
+ OLD="$(dirname $NEW)/$(basename $NEW .new)"
+ # If there's no config file by that name, mv it over:
+ if [ ! -r $OLD ]; then
+ mv $NEW $OLD
+ elif [ "$(cat $OLD | md5sum)" = "$(cat $NEW | md5sum)" ]; then # toss the redundant copy
+ rm $NEW
+ fi
+ # Otherwise, we leave the .new copy for the admin to consider...
+}
+
+preserve_perms() {
+ NEW="$1"
+ OLD="$(dirname $NEW)/$(basename $NEW .new)"
+ if [ -e $OLD ]; then
+ cp -a $OLD ${NEW}.incoming
+ cat $NEW > ${NEW}.incoming
+ mv ${NEW}.incoming $NEW
+ fi
+ config $NEW
+}
+
+preserve_perms etc/rc.d/rc.snort.new
+config etc/snort/snort.conf.new
+config etc/snort/reference.config.new
+config etc/snort/threshold.conf.new
+config etc/snort/attribute_table.dtd.new
+config etc/snort/classification.config.new
+config etc/snort/gen-msg.map.new
+config etc/snort/sid-msg.map.new
+config etc/snort/unicode.map.new
+
diff --git a/network/snort/rc.snort b/network/snort/rc.snort
new file mode 100644
index 0000000000..d91941e822
--- /dev/null
+++ b/network/snort/rc.snort
@@ -0,0 +1,53 @@
+#!/bin/sh
+# Start/stop/restart snort
+
+# This tell snort which interface to listen on (any for every interface)
+IFACE=${IFACE:-any}
+
+# Make sure this matches your IFACE
+PIDFILE=/var/run/snort_$IFACE.pid
+
+# You probably don't want to change this, but in case you do
+LOGDIR="/var/log/snort"
+
+# Probably not this either
+CONF=/etc/snort/snort.conf
+
+# Start snort:
+snort_start() {
+ CMDLINE="/usr/bin/snort -d -D -i $IFACE"
+ echo -n "Starting Snort daemon: $CMDLINE"
+ $CMDLINE --pid-path /var/run --create-pidfile -l $LOGDIR -c $CONF
+ echo
+}
+
+# Stop snort:
+snort_stop() {
+ echo -n "Stopping Snort daemon ($IFACE)..."
+ kill $(cat $PIDFILE)
+ echo
+ sleep 1
+ rm -f $PIDFILE
+}
+
+# Restart snort:
+snort_restart() {
+ snort_stop
+ sleep 1
+ snort_start
+}
+
+case "$1" in
+'start')
+ snort_start
+ ;;
+'stop')
+ snort_stop
+ ;;
+'restart')
+ snort_restart
+ ;;
+*)
+ echo "usage $0 start|stop|restart"
+esac
+
diff --git a/network/snort/slack-desc b/network/snort/slack-desc
new file mode 100644
index 0000000000..1ba61509f0
--- /dev/null
+++ b/network/snort/slack-desc
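Review bot: `snort_stop` runs `kill $(cat $PIDFILE)` unconditionally, so when the pidfile is absent (daemon not running, or snort naming its pidfile differently from `snort_$IFACE.pid` for the `any` pseudo-interface) `kill` is invoked with no argument, prints its usage, and the script carries on as if the stop succeeded. Guard it and quote the path: `if [ -r "$PIDFILE" ]; then` / `kill "$(cat "$PIDFILE")"` / `fi`, and quote `$LOGDIR` and `$CONF` on the start line for the same reason. Snort is started as root with no `-u`/`-g` switches; a header comment stating that this is deliberate (or, if the package ships an unprivileged account, adding `-u`/`-g` to `CMDLINE`) would make the privilege level of a root-run packet parser an explicit choice rather than an accident. The `*)` arm echoes usage but falls through with status 0; `exit 1` after the echo lets rc.local and restart wrappers notice a bad argument.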
@@ -0,0 +1,19 @@
+# HOW TO EDIT THIS FILE:
+# The "handy ruler" below makes it easier to edit a package description. Line
+# up the first '|' above the ':' following the base package name, and the '|'
+# on the right side marks the last column you can put a character in. You must
+# make exactly 11 lines for the formatting to be correct. It's also
+# customary to leave one space after the ':'.
+
+ |-------handy-ruler-----------------------------------------------------|
+snort: Snort (Intrusion Detection and Prevention System)
+snort:
+snort: Snort is an open source network intrusion detection and prevention
+snort: system. It is capable of performing real-time traffic analysis,
+snort: alerting, blocking and packet logging on IP networks. It utilizes a
+snort: combination of protocol analysis and pattern matching in order to
+snort: detect anomalies, misuse and attacks.
+snort: Snort is capable of detecting and responding in real-time, sending
+snort: alerts, performing session sniping, logging packets, or dropping
+snort: sessions/packets when deployed in-line.
+snort:
diff --git a/network/snort/snort.SlackBuild b/network/snort/snort.SlackBuild
new file mode 100644
index 0000000000..2eaeea0d5d
--- /dev/null
+++ b/network/snort/snort.SlackBuild
@@ -0,0 +1,149 @@
+#!/bin/sh
+
+# Copyright 2006-2009, Alan Hicks, Lizella, GA,
+# Copyright 2009, Thomas York, Beech Grove, In.
+# Copyright 2010, Niels Horn, Rio de Janeiro, RJ, Brazil
+# All rights reserved.
+#
+# Redistribution and use of this script, with or without modification, is
+# permitted provided that the following conditions are met:
+#
+# 1. Redistributions of this script must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+#
+# THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO
+# EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
+# PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS;
+# OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
+# OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
+# ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+# Modified by the SlackBuilds.org project
+
+# Maintained as of version 2.8.6.1 by Niels Horn
+# revision date: 2010/09/18
+
+PRGNAM=snort
+VERSION=${VERSION:-2.8.6.1}
+BUILD=${BUILD:-1}
+TAG=${TAG:-_SBo}
+
+if [ -z "$ARCH" ]; then
+ case "$( uname -m )" in
+ i?86) ARCH=i486 ;;
+ arm*) ARCH=arm ;;
+ *) ARCH=$( uname -m ) ;;
+ esac
+fi
+
+CWD=$(pwd)
+TMP=${TMP:-/tmp/SBo}
+PKG=$TMP/package-$PRGNAM
+OUTPUT=${OUTPUT:-/tmp}
+
+if [ "$ARCH" = "i486" ]; then
+ SLKCFLAGS="-O2 -march=i486 -mtune=i686"
+ LIBDIRSUFFIX=""
+elif [ "$ARCH" = "i686" ]; then
+ SLKCFLAGS="-O2 -march=i686 -mtune=i686"
+ LIBDIRSUFFIX=""
+elif [ "$ARCH" = "x86_64" ]; then
+ SLKCFLAGS="-O2 -fPIC"
+ LIBDIRSUFFIX="64"
+else
+ SLKCFLAGS="-O2"
+ LIBDIRSUFFIX=""
+fi
+
+set -e
+
+rm -rf $PKG
+mkdir -p $TMP $PKG $OUTPUT
+cd $TMP
+rm -rf $PRGNAM-$VERSION
+tar xvf $CWD/$PRGNAM-$VERSION.tar.gz
+cd $PRGNAM-$VERSION
+
+# The Makefiles do not respect the --libdir setting, which causes the libs to
+# go to /usr/lib/ on Slackware64. We'll "teach them" how to do it right :)
+for mf in $( find src/ -name Makefile.in ) ; do
+ sed -i "s|\${exec_prefix}/lib/snort_dynamic|@libdir@/snort_dynamic|g" $mf
+done
+
+# Similar problem with the --docdir in /doc/Makefile.in ...
+sed -i "s|\${datadir}/doc/\${PACKAGE}|@docdir@|g" doc/Makefile.in
+
+chown -R root:root .
+find . \
+ \( -perm 777 -o -perm 775 -o -perm 711 -o -perm 555 -o -perm 511 \) \
+ -exec chmod 755 {} \; -o \
+ \( -perm 666 -o -perm 664 -o -perm 600 -o -perm 444 -o -perm 440 -o -perm 400 \) \
+ -exec chmod 644 {} \;
+
+CFLAGS="$SLKCFLAGS" \
+CXXFLAGS="$SLKCFLAGS" \
+./configure \
+ --prefix=/usr \
+ --libdir=/usr/lib${LIBDIRSUFFIX} \
+ --sysconfdir=/etc \
+ --mandir=/usr/man \
+ --localstatedir=/var \
+ --docdir=/usr/doc/$PRGNAM-$VERSION \
+ --enable-pthread \
+ --enable-linux-smp-stats \
+ --with-mysql-libraries=/usr/lib${LIBDIRSUFFIX}/mysql \
+ --with-mysql-includes=/usr/include/mysql \
+ --build=$ARCH-slackware-linux
+
+make
+make install-strip DESTDIR=$PKG
+
+find $PKG/usr/man -type f -exec gzip -9 {} \;
+for i in $( find $PKG/usr/man -type l ) ; do ln -s $(readlink $i).gz $i.gz ; rm $i ; done
+
+# Set up a sane config directory - snort won't do this on its own
+mkdir -p $PKG/etc/$PRGNAM
+# Fix paths for libraries in snort.conf, also 64-bits and rules paths...
+sed -e "s|usr/local/lib|usr/lib${LIBDIRSUFFIX}|g" \
+ -e "s|PATH ../|PATH |g" etc/snort.conf > $PKG/etc/snort/snort.conf.new
+cat etc/threshold.conf > $PKG/etc/snort/threshold.conf.new
+cat etc/reference.config > $PKG/etc/snort/reference.config.new
+cat etc/classification.config > $PKG/etc/snort/classification.config.new
+cat etc/attribute_table.dtd > $PKG/etc/snort/attribute_table.dtd.new
+cat etc/gen-msg.map > $PKG/etc/snort/gen-msg.map.new
+cat etc/sid-msg.map > $PKG/etc/snort/sid-msg.map.new
+cat etc/unicode.map > $PKG/etc/snort/unicode.map.new
+
+# Create default, empty directory for rules
+mkdir -p $PKG/etc/snort/rules
+mkdir -p $PKG/etc/snort/preproc_rules
+
+# Include the rc.snort file
+mkdir -p $PKG/etc/rc.d
+cat $CWD/rc.snort > $PKG/etc/rc.d/rc.snort.new
+chmod 0755 $PKG/etc/rc.d/rc.snort.new
+
+# Create directory for logging
+mkdir -p $PKG/var/log/snort
+
+# Create directories for schemas and signatures
+mkdir -p $PKG/usr/doc/$PRGNAM-$VERSION/{schemas,signatures}
+# Bundle the SQL schemas and install the docs
+for file in schemas/create_*; do
+ cat $file > $PKG/usr/doc/$PRGNAM-$VERSION/$file
+done
+cp -a COPYING ChangeLog LICENSE RELEASE.NOTES \
+ $PKG/usr/doc/$PRGNAM-$VERSION
+cat $CWD/$PRGNAM.SlackBuild > $PKG/usr/doc/$PRGNAM-$VERSION/$PRGNAM.SlackBuild
+cat $CWD/README.SLACKWARE > $PKG/usr/doc/$PRGNAM-$VERSION/README.SLACKWARE
+
+mkdir -p $PKG/install
+cat $CWD/slack-desc > $PKG/install/slack-desc
+cat $CWD/doinst.sh > $PKG/install/doinst.sh
+
+cd $PKG
+/sbin/makepkg -l y -c n $OUTPUT/$PRGNAM-$VERSION-$ARCH-$BUILD$TAG.${PKGTYPE:-tgz}
diff --git a/network/snort/snort.info b/network/snort/snort.info
new file mode 100644
index 0000000000..9b46a29865
--- /dev/null
+++ b/network/snort/snort.info
@@ -0,0 +1,10 @@
+PRGNAM="snort"
+VERSION="2.8.6.1"
+HOMEPAGE="http://www.snort.org/"
+DOWNLOAD="http://www.nielshorn.net/_download/slackware/source/snort-2.8.6.1.tar.gz"
+MD5SUM="b1119396a32e9df0d80404e4b6c49166"
+DOWNLOAD_x86_64=""
+MD5SUM_x86_64=""
+MAINTAINER="Niels Horn"
+EMAIL="niels.horn@gmail.com"
+APPROVED="dsomero"
-- cgit v1.2.3
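Review bot: `mkdir -p $PKG/usr/doc/$PRGNAM-$VERSION/{schemas,signatures}` relies on brace expansion under a `#!/bin/sh` shebang; that is a bash extension, and on a POSIX /bin/sh it creates one literal directory named `{schemas,signatures}`, after which the `schemas/create_*` copy loop fails under `set -e`. Spell both paths out: `mkdir -p $PKG/usr/doc/$PRGNAM-$VERSION/schemas $PKG/usr/doc/$PRGNAM-$VERSION/signatures`. Separately, `$PKG/var/log/snort` is created with whatever umask the builder happens to have, yet the bundled rc.snort logs there with `-d` (payload dumps), so the mode should be set explicitly after the mkdir, e.g. `chmod 0750 $PKG/var/log/snort`, with a one-line comment saying why the directory is not world-readable. The `-e "s|PATH ../|PATH |g"` rewrite of snort.conf is correct for the shipped config but silent about what it targets; a comment naming the `var ... PATH ../` definitions it is meant to hit would let the next version bump re-check it.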