path: root/network/snort/README.SLACKWARE
blob: 8b02a1dcc0cccc86c9a5ab90cea5f42f0d988be6
README.SLACKWARE
================

Documentation
-------------

This package builds a basic snort installation, useful for monitoring traffic
as an IDS or packet logger, and as a sort of improved tcpdump. More
information can be found at the following URLs:
  https://www.snort.org/               (homepage)
  https://www.snort.org/#documents     (documentation links)
  http://manual.snort.org/             (user manual)


Starting snort
--------------

An rc.snort file has been included for your convenience, but it needs to be
added to your init script of choice to run on boot. You should modify the
variables in /etc/rc.d/rc.snort to reflect the interface you want to monitor,
or start it as:

  IFACE=xxxx /etc/rc.d/rc.snort start|stop|restart

As an example, you can put this in your /etc/rc.d/rc.local script:

  if [ -x /etc/rc.d/rc.snort ]; then
    IFACE=eth1 /etc/rc.d/rc.snort start
  fi

and put this in your /etc/rc.d/rc.local_shutdown:

  if [ -x /etc/rc.d/rc.snort ]; then
    IFACE=xxxx /etc/rc.d/rc.snort stop
  fi
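
The rc.local snippets above pass whatever is in IFACE to rc.snort without
checking it, so a placeholder left as "xxxx" or a misspelled interface name
goes through unnoticed. The wrapper below is an added example, not part of this
package or of rc.snort; it assumes only what this README states (rc.snort reads
the interface from $IFACE) and checks the name against /sys/class/net before
starting snort. The sysfs directory is an optional second argument so the check
can be exercised on a constructed directory without a live interface.

```shell
#!/bin/bash
# Added example (not part of the SlackBuilds snort package or of rc.snort):
# validate $IFACE before handing it to /etc/rc.d/rc.snort.
#
# Assumptions: rc.snort takes the interface from $IFACE (as the README says);
# interface names are looked up in a sysfs-style directory, /sys/class/net by
# default, overridable for testing via the second argument.

# iface_ok NAME [SYSFS_DIR]
# Return 0 if NAME is a plausible, existing interface name, 1 otherwise.
iface_ok() {
  iface=$1
  sysfs=${2:-/sys/class/net}
  [ -n "$iface" ] || { echo "IFACE is not set" >&2; return 1; }
  case "$iface" in
    xxxx)     echo "IFACE is still the README placeholder 'xxxx'" >&2; return 1 ;;
    */*|*..*) echo "invalid interface name: $iface" >&2; return 1 ;;
  esac
  [ -d "$sysfs/$iface" ] || { echo "no such interface: $iface" >&2; return 1; }
  return 0
}

# Start snort only after the interface check passes; mirrors the rc.local
# snippet in the README but refuses to start with a bad interface.
start_snort() {
  iface_ok "$IFACE" || return 1
  if [ -x /etc/rc.d/rc.snort ]; then
    IFACE=$IFACE /etc/rc.d/rc.snort start
  fi
}

# Usage from /etc/rc.d/rc.local:  IFACE=eth1 start_snort
```

Because iface_ok only looks for a directory under the sysfs path, it also
accepts interfaces that are present but down; whether that is acceptable
depends on how the sensor interface is brought up at boot.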


Installing and Updating Rules
-----------------------------

In order for Snort to function properly, you need to download rules, and
you need to update the rules regularly.

You can get a paid subscription for the latest rules at
  https://www.snort.org/products

or you can register for free to download rules >30 days old at
  https://www.snort.org/users/sign_up
then download your rules from
  https://www.snort.org/snort-rules

The downloaded .tar.gz file contains rules and updated configuration files.
Be careful merging them, as you will probably have customized a few settings
in your snort.conf. You need to

1) put the new rules/*          into /etc/snort/rules/
2) put the new preproc_rules/*  into /etc/snort/preproc_rules/
3) put the new etc/*            into /etc/snort/ (except for snort.conf)
4) review any changes to snort.conf and merge them into /etc/snort/snort.conf
5) restart snort:
   # IFACE=xxxx /etc/rc.d/rc.snort restart

Below is a sample script that you can use to do steps 1-3 automatically.
The script installs the new configuration as snort.conf.new, so that you can
review it.

#!/bin/bash
#=============================================================================
# Sample script to update snort rules, signatures and configurations
# *** USE AT YOUR OWN RISK *** NO GUARANTEES ***
#=============================================================================
# Written by Niels Horn
# Maintained by David Spencer <baildon.research@googlemail.com>
# v2 2015-02-22 dbs

CONFDIR=/etc/snort

# Exit on most errors
set -e

if [ -z "$1" ]; then
  echo "Please specify snortrules-snapshot file:"
  echo "  $0 snortrules-snapshot-nnnn.tar.gz"
  exit 1
fi

# Configuration files
echo "*** Updating configuration files..."
# anchor the pattern so only the top-level etc/ entries are selected
for cf in $( tar tf "$1" | grep "^etc/" ); do
  if [ ! "$cf" = "etc/" ]; then
    file=$(basename "$cf")
    tar -o -xf "$1" "$cf" -O > "$CONFDIR/$file.new"
    # check if it is "snort.conf"
    if [ "$file" = "snort.conf" ]; then
      LIBDIRSUFFIX=""
      [ "$(uname -m)" = 'x86_64' ] && LIBDIRSUFFIX="64"
      sed -i -e "s#/usr/local/lib/#/usr/lib$LIBDIRSUFFIX/#g" "$CONFDIR/snort.conf.new"
    else
      # OK, it is something else, we can handle this
      if [ -r "$CONFDIR/$file" ]; then
        # we have a previous version
        if [ "$(md5sum <"$CONFDIR/$file")" = "$(md5sum <"$CONFDIR/$file.new")" ]; then
          # nothing new, dump previous version
          rm "$CONFDIR/$file"
        else
          # keep previous version
          mv -f "$CONFDIR/$file" "$CONFDIR/$file.old"
        fi
      fi
      # move new file over
      mv -f "$CONFDIR/$file.new" "$CONFDIR/$file"
    fi
  fi
done

# rules
echo "*** Updating rules..."
tar -o --strip-components=1 --directory=/etc/snort/rules --wildcards -xf "$1" 'rules/*'

# preproc-rules
echo "*** Updating preproc_rules..."
tar -o --strip-components=1 --directory=/etc/snort/preproc_rules --wildcards -xf "$1" 'preproc_rules/*'

echo "All done."
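
The script above extracts archive members straight into /etc/snort using
--strip-components and wildcard patterns, trusting the member names in the
snapshot. The function below is an added example, not part of this package or
of the script above: it lists the archive with "tar tf" and refuses to proceed
if any member has an absolute path or a ".." component, and reports any entry
outside etc/, rules/ and preproc_rules/ (the three directories this README
installs) so you can decide what to do with it. check_members reads the names
from stdin, so it works on a constructed list as well as on a real snapshot.

```shell
#!/bin/bash
# Added example (not part of the SlackBuilds snort package): sanity-check the
# member names of a snortrules-snapshot tarball before extracting it into
# /etc/snort.
#
# Assumption: the archive layout is the one described in the README
# (etc/, rules/, preproc_rules/ at the top level). Real snapshots may carry
# other top-level directories as well; those are reported, not rejected.

EXPECTED_DIRS="etc rules preproc_rules"

# check_members < list-of-member-names
# Return 0 if every member name is safe to extract, 1 if any is not.
check_members() {
  status=0
  while IFS= read -r member; do
    # absolute path: would land outside the --directory target
    case "$member" in
      /*) echo "UNSAFE (absolute path): $member" >&2; status=1; continue ;;
    esac
    # any ".." path component: could climb out of the target directory
    case "/$member/" in
      */../*) echo "UNSAFE (parent reference): $member" >&2; status=1; continue ;;
    esac
    top=${member%%/*}
    found=0
    for d in $EXPECTED_DIRS; do
      [ "$top" = "$d" ] && found=1
    done
    [ "$found" = 1 ] || echo "NOTE (unexpected top-level entry): $member" >&2
  done
  return "$status"
}

# check_archive snortrules-snapshot-nnnn.tar.gz
# Run the check on a real archive; exits non-zero if any member is unsafe,
# so it can guard the update script:  check_archive "$1" || exit 1
check_archive() {
  tar tf "$1" | check_members
}
```

Run check_archive on the snapshot before the update script, or call it at the
top of the script right after the argument check; "set -e" there will then
abort the update before anything is written to /etc/snort.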