On Sun, Oct 07, 2012 at 10:40:35PM -0400, Lawrence Teo wrote:
> On Fri, Oct 05, 2012 at 08:52:10PM +0200, Markus Lude wrote:
> > On Wed, Oct 03, 2012 at 10:08:10PM -0400, Lawrence Teo wrote:
> > > * In snort.conf, add commented include lines for Emerging Threats rules.
> >  
> > IMO this is not needed. Users may add this themselves.
> > 
> > include $RULE_PATH/emerging.conf
> > 
> > may be enough then.
> 
> Thanks, I have updated snort.conf accordingly.
> 
> > > * In pkg/README, describe how to download both the official Snort rules
> > >   as well as the Emerging Threats rules.  Also provide some guidance on
> > >   how to use oinkmaster to download the rules.
> > 
> > I think guidance on how to use oinkmaster should better be placed in the
> > oinkmaster port.
> >  
> > Should we add URLs for both registered and subscribed users of the VRT
> > rules there?
> 
> Sure, I'll send a separate oinkmaster diff shortly to add these URLs
> and also fix a few other things to make it work better with recent
> Snort versions.
> 
> > > * In pkg/README, recommend that the user change snort.conf to match
> > >   their environment (since Snort cannot load at least one of the current
> > >   Emerging Threats rules if HOME_NET is left as "any").
> > 
> > It is always recommended to not blindly run all the rules. Choose which
> > ones apply to your environment.
> 
> I agree; I have revised pkg/README to provide as much guidance as
> possible, especially to new Snort users.
> 
> The revised diff is below.  Please let me know what you think! :)

pkg/README reads fine, for the rc.d script I can't comment as I'm not
that familiar with it.

Thanks for pushing this forward!

Regards,
Markus

> Index: Makefile
> ===================================================================
> RCS file: /cvs/ports/net/snort/Makefile,v
> retrieving revision 1.69
> diff -u -p -r1.69 Makefile
> --- Makefile  28 Sep 2012 19:30:54 -0000      1.69
> +++ Makefile  7 Oct 2012 18:00:08 -0000
> @@ -4,7 +4,9 @@ SHARED_ONLY =         Yes
>  
>  COMMENT =            highly flexible sniffer/NIDS
>  
> -DISTNAME =           snort-2.9.3.1
> +VERSION =            2.9.3.1
> +DISTNAME =           snort-${VERSION}
> +REVISION =           0
>  
>  CATEGORIES =         net security
>  
> @@ -43,6 +45,9 @@ PREPROC =           decoder.rules preprocessor.ru
>  
>  DOCS =                       AUTHORS CREDITS README README.* *.pdf TODO 
> USAGE \
>                       WISHLIST
> +
> +V =                  ${VERSION:S/.//g}
> +SUBST_VARS +=                V
>  
>  pre-configure:
>       @${SUBST_CMD} ${WRKSRC}/etc/snort.conf
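Review bot: a one-line comment next to `V = ${VERSION:S/.//g}` would help the next updater: the `:S` modifier replaces a literal dot rather than a regex, so 2.9.3.1 becomes 2931, which is exactly the form the snortrules-snapshot-${V}.tar.gz name in pkg/README needs. Since V is only consumed via SUBST_VARS in pkg/README (which already relies on ${SYSCONFDIR} substitution), the existing pre-configure step for snort.conf does not need to change.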
> Index: patches/patch-etc_snort_conf
> ===================================================================
> RCS file: /cvs/ports/net/snort/patches/patch-etc_snort_conf,v
> retrieving revision 1.6
> diff -u -p -r1.6 patch-etc_snort_conf
> --- patches/patch-etc_snort_conf      26 Sep 2012 02:11:05 -0000      1.6
> +++ patches/patch-etc_snort_conf      7 Oct 2012 18:00:08 -0000
> @@ -2,8 +2,8 @@ $OpenBSD: patch-etc_snort_conf,v 1.6 201
>  
>  reputation preprocessor disabled, still experimental
>  
> ---- etc/snort.conf.orig      Tue Jul 31 18:21:16 2012
> -+++ etc/snort.conf   Tue Sep 11 23:02:31 2012
> +--- etc/snort.conf.orig      Tue Jul 31 12:21:16 2012
> ++++ etc/snort.conf   Sat Oct  6 22:13:19 2012
>  @@ -101,17 +101,17 @@ ipvar AIM_SERVERS [64.12.24.0/23,64.12.28.0/23,64.12.1
>   # Path to your rules files (this can be a relative path)
>   # Note for Windows users:  You are advised to make this an absolute path,
> @@ -54,3 +54,21 @@ reputation preprocessor disabled, still 
>   
>   ###################################################
>   # Step #6: Configure output plugins
> +@@ -544,6 +545,7 @@ include reference.config
> + # site specific rules
> + include $RULE_PATH/local.rules
> + 
> ++# Official Sourcefire VRT rules from http://www.snort.org/snort-rules/
> + include $RULE_PATH/attack-responses.rules
> + include $RULE_PATH/backdoor.rules
> + include $RULE_PATH/bad-traffic.rules
> +@@ -598,6 +600,9 @@ include $RULE_PATH/web-iis.rules
> + include $RULE_PATH/web-misc.rules
> + include $RULE_PATH/web-php.rules
> + include $RULE_PATH/x11.rules
> ++
> ++# Emerging Threats rules from 
> http://rules.emergingthreats.net/open/snort-2.9.0/
> ++# include $RULE_PATH/emerging.conf
> + 
> + ###################################################
> + # Step #8: Customize your preprocessor and decoder alerts
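Review bot: this follows the earlier suggestion of a single commented `include $RULE_PATH/emerging.conf` instead of a list of ET rule files, which keeps the shipped snort.conf small. One thing worth a comment in the patch itself: the `snort-2.9.0` element in the Emerging Threats URL is the ruleset branch on the ET side, not this port's version, so it should not be tied to ${VERSION} when the port is later updated.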
> Index: pkg/PLIST
> ===================================================================
> RCS file: /cvs/ports/net/snort/pkg/PLIST,v
> retrieving revision 1.21
> diff -u -p -r1.21 PLIST
> --- pkg/PLIST 26 Sep 2012 02:11:05 -0000      1.21
> +++ pkg/PLIST 7 Oct 2012 18:00:08 -0000
> @@ -143,3 +143,4 @@ share/examples/snort/unicode.map
>  @group _snort
>  @sample /var/snort/
>  @sample /var/snort/log/
> +@rcscript ${RCDIR}/snort
> Index: pkg/README
> ===================================================================
> RCS file: /cvs/ports/net/snort/pkg/README,v
> retrieving revision 1.1
> diff -u -p -r1.1 README
> --- pkg/README        26 Sep 2012 02:11:05 -0000      1.1
> +++ pkg/README        7 Oct 2012 18:31:59 -0000
> @@ -5,12 +5,51 @@ $OpenBSD: README,v 1.1 2012/09/26 02:11:
>  +-----------------------------------------------------------------------
>  
>  An up-to-date set of rules is needed for Snort to be useful as an IDS.
> -These can be downloaded manually or net/oinkmaster can be used to
> -download the latest rules from several different sources.
> +By default, these rules are expected to be present in the
> +${SYSCONFDIR}/snort/rules directory as defined by RULE_PATH in
> +${SYSCONFDIR}/snort/snort.conf.
>  
> -It is recommended that snort be run as an unprivileged chrooted user.
> +The two most common sources of Snort rules are the official Snort rules
> +and the Emerging Threats rules.  To download the official Snort rules,
> +you will first need to sign up for an "oinkcode" at
> +https://www.snort.org/signup since they are distributed under a
> +commercial license.  Emerging Threats rules can be downloaded without
> +signing up.
> +
> +The easiest way to download these rules is to use a rule manager such as
> +the oinkmaster package.  You can set up oinkmaster's config file to
> +download one or more Snort rulesets and extract them automatically.
> +Please refer to the documentation in the oinkmaster package for more
> +details.
> +
> +If you prefer to obtain the rules manually without using a rule manager,
> +you can use the following example commands to download and extract them
> +to the correct directory:
> +
> +* Official Snort rules (replace <oinkcode> with yours):
> +
> +    ftp -o snortrules-snapshot-${V}.tar.gz \
> +        
> http://www.snort.org/reg-rules/snortrules-snapshot-${V}.tar.gz/<oinkcode>
> +    tar -C /etc/snort -xzf snortrules-snapshot-${V}.tar.gz rules 
> preproc_rules
> +
> +* Emerging Threats rules:
> +
> +    ftp 
> http://rules.emergingthreats.net/open/snort-2.9.0/emerging.rules.tar.gz
> +    tar -C /etc/snort -xzf emerging.rules.tar.gz
> +
> +  If you use Emerging Threats rules, you will need to uncomment its
> +  include line in ${SYSCONFDIR}/snort/snort.conf and edit
> +  ${SYSCONFDIR}/snort/rules/emerging.conf for Snort to load them.
> +
> +It is important that you review the rules carefully to ensure that you
> +use the rules that apply to your environment.  You should also modify
> +${SYSCONFDIR}/snort/snort.conf to define the relevant variables such as
> +HOME_NET to match your network.
> +
> +It is recommended that Snort be run as an unprivileged chrooted user.
>  A _snort user/group and a log directory have been created for this
> -purpose. You should start snort with the following options to take
> -advantage of this:
> +purpose. You should start Snort with the ${RCDIR}/snort script to take
> +advantage of this.
>  
> -  -c /etc/snort/snort.conf -u _snort -g _snort -t /var/snort -l 
> /var/snort/log
> +For more details on setting up Snort, please refer to its user manual at
> +${TRUEPREFIX}/share/doc/snort/snort_manual.pdf
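Review bot: the two `tar -C /etc/snort` commands hard-code the directory while the surrounding text consistently says ${SYSCONFDIR}/snort; using the variable in the commands too keeps the example correct for a non-default SYSCONFDIR. A second point for the official-rules example: the oinkcode is a credential, and the `ftp -o snortrules-snapshot-${V}.tar.gz http://www.snort.org/reg-rules/.../<oinkcode>` line sends it in a plain http:// URL and places it on the command line where it is visible in ps output; a short sentence recommending https where snort.org offers it and treating the oinkcode like a password would fit the "guidance for new users" goal of this README.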
> Index: pkg/snort.rc
> ===================================================================
> RCS file: pkg/snort.rc
> diff -N pkg/snort.rc
> --- /dev/null 1 Jan 1970 00:00:00 -0000
> +++ pkg/snort.rc      7 Oct 2012 18:00:08 -0000
> @@ -0,0 +1,10 @@
> +#!/bin/sh
> +#
> +# $OpenBSD$
> +
> +daemon="${TRUEPREFIX}/bin/snort -D"
> +daemon_flags="-c ${SYSCONFDIR}/snort/snort.conf -u _snort -g _snort -t 
> /var/snort -l /var/snort/log"
> +
> +. /etc/rc.d/rc.subr
> +
> +rc_cmd $1
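Review bot: with `-u _snort -g _snort -t /var/snort` living in daemon_flags, a user who sets snort_flags in rc.conf.local to add an interface or other options replaces the whole string and can silently end up running Snort as root without the chroot. Since pkg/README now points users at this script instead of listing the options, either spell out the defaults there or keep the privilege-drop options in the daemon variable so that only the tunable part is overridable. Also, `-D` is placed in daemon rather than daemon_flags; that works with rc.subr's pgrep pattern but differs from the usual layout where daemon is just the binary path, so a comment explaining the choice would help.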
