Hello,

Can you have a look at this FrugalBuild? Snort is a good NIDS, but its installation and configuration can be complex, so I have tried to simplify them as much as possible.
List of attached files:
-> FrugalBuild
-> rc.snortd (rc script for snort daemon)
-> snortd.en
-> README.Frugalware
-> snortd (text file used by rc script for daemon's configuration)
-> snort.install
-> snort.patch (modify snort configuration file)

Thank you
Elentir
# Compiling Time: 0.5 SBU
# Maintainer: -
# Contributor : Elentir <[EMAIL PROTECTED]>

# Package identity; $pkgname and $pkgver are interpolated into source= below.
pkgname=snort
pkgver=2.8.3.1
pkgrel=1
pkgdesc="Open source Network Intrusion Prevention and Detection System "
url="http://www.snort.org";
# The tarball is fetched over plain HTTP, so its integrity rests entirely on
# the sha1sums pinned below (first entry is the tarball, then each local file
# in the order listed here).
source=("$url/dl/$pkgname-$pkgver.tar.gz" snort.patch rc.snortd snortd 
snortd.en README.Frugalware)
# mysql/libmysqlclient are needed because Fconfopts builds in --with-mysql
# and the patched snort.conf enables the mysql output plugin.
depends=('glibc' 'libpcap' 'pcre' 'mysql' 'libmysqlclient')
groups=('network-extra')
archs=('i686')
up2date="lynx -dump '$url/dl' | grep -v beta | Flasttar"
Fconfopts="--enable-dynamicplugins --enable-timestamps --enable-perfprofiling 
--with-mysql --prefix=/usr"
# Files preserved across upgrades. snort.conf carries the database password
# added by snort.patch, so local edits to it must not be clobbered.
backup=(etc/snort/{snort.conf,excludes.conf})
install=$pkgname.install

sha1sums=('384203f68e2000c490bbc5a5a2724b0b74d10e74' \
          '905fe7db5171e1b144029262d1a5e5df58b0cab3' \
          'cae0e913ac66f1806c51d574cb116265a90c5e6a' \
          'd27311d274366323f3e981c370ad97db6bb3b7ac' \
          '0519af7c5cd7329656d3d1b530682bc8a86accb1' \
          '5fe4d74b376f8249209f81720f9312bfb85d9249')

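# Build and stage snort into $Fdestdir.
#
# Besides the normal Fbuild, this lays out the runtime directories the init
# script and the patched snort.conf expect (/etc/snort/rules for RULE_PATH,
# /var/snort for perfmonitor output, /var/log/snort for -l), installs the rc
# script with its sysconfig and message files, and ships the MySQL schema so
# README.Frugalware can be followed without the source tree.
build()
{
        Fmkdir /etc/snort/rules
        Fmkdir /var/snort
        Fmkdir /var/log/snort
        # rc.snortd passes this file to "snort -F"; ship it empty so snort
        # starts with no BPF exclusion filter until the admin adds one.
        # Quoted: $Fdestdir is a path and must not be word-split.
        touch "$Fdestdir/etc/snort/excludes.conf" || Fdie
        Fmkdir /etc/sysconfig
        Fmkdir /etc/rc.d/rc.messages
        Fbuild
        Frcd2 snortd
        Ffile "$pkgname-$pkgver/schemas/create_mysql" /etc/snort/
        Ffile "$pkgname-$pkgver"/etc/* /etc/snort/
        Ffile snortd /etc/sysconfig/
        Ffile snortd.en /etc/rc.d/rc.messages
        Fdoc README.Frugalware
        # NOTE(review): the patched snort.conf contains the MySQL password and
        # is installed here with Ffile's default mode; /var/snort and
        # /var/log/snort are created root-owned and the README relies on the
        # admin to chown them to the snort user that rc.snortd runs as.
}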

# optimization OK
#!/bin/sh
#
# Start/Stop/Restart Snort NIDS
#
# Specify network interface
# chkconfig: 2345 40 60
# description: Snort is an open source NIDS

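# Source function library (provides start/stop/ok used by the dispatcher).
. /etc/rc.d/rc.functions

# Per-host settings (INTERFACE, DAEMON, ALERTMODE, ...). Only a root-owned
# file should be sourced here: every variable it sets ends up unquoted on the
# snort command line in snort_start. When the file is absent, fall back to
# the built-in defaults instead of printing a sourcing error and carrying on.
if [ -r /etc/sysconfig/snortd ]; then
  . /etc/sysconfig/snortd
fi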

# Translate the sysconfig switches into snort command-line options.
# Each boolean switch is "1" to enable and becomes its option letter;
# ALERTMODE carries a mode name and becomes "-A <mode>"; INTERFACE defaults
# to eth0. Everything else collapses to the empty string so the variables
# can be dropped straight into the command line in snort_start.
ALERTMODE=${ALERTMODE:+-A $ALERTMODE}

case "$BINARY_LOG" in
  1) BINARY_LOG="-b" ;;
  *) BINARY_LOG="" ;;
esac

case "$DAEMON" in
  1) DAEMON="-D" ;;
  *) DAEMON="" ;;
esac

INTERFACE=${INTERFACE:-eth0}

case "$DUMP_APP" in
  1) DUMP_APP="-d" ;;
  *) DUMP_APP="" ;;
esac

case "$NO_PACKET_LOG" in
  1) NO_PACKET_LOG="-N" ;;
  *) NO_PACKET_LOG="" ;;
esac

case "$PRINT_INTERFACE" in
  1) PRINT_INTERFACE="-I" ;;
  *) PRINT_INTERFACE="" ;;
esac

case "$PASS_FIRST" in
  1) PASS_FIRST="-o" ;;
  *) PASS_FIRST="" ;;
esac

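# Bring the capture interface up if needed and launch snort on it.
#
# Uses the option strings assembled from /etc/sysconfig/snortd above and
# drops privileges to snort:snort (-u/-g), so /var/log/snort must be
# writable by that user. Returns snort's exit status.
snort_start() {
  # Test the capture interface itself: inside a function "$2" is a function
  # argument, and snort_start is called with none, so "ifconfig $2" listed
  # every interface and any RUNNING one (e.g. lo) masked a down interface.
  if ! /sbin/ifconfig "$INTERFACE" | grep "RUNNING" 1> /dev/null; then
    # Sniffing interface: bring it up without ARP, and leave a marker so
    # snort_stop knows this script is the one that brought it up.
    /sbin/ifconfig "$INTERFACE" up -arp
    /usr/bin/touch "/var/run/snort.$INTERFACE"
  fi
  # The option variables are intentionally unquoted: each is either empty or
  # one/two words ("-A <mode>") that must split into separate arguments.
  # -F loads the BPF exclusion filter, which the package ships empty.
  /usr/bin/snort -u snort -g snort -i "$INTERFACE" -c /etc/snort/snort.conf \
    $ALERTMODE $DAEMON $DUMP_APP $NO_PACKET_LOG $PRINT_INTERFACE $PASS_FIRST \
    -l /var/log/snort -F /etc/snort/excludes.conf
  return $?
}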

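# Stop snort and release the interface if this script brought it up.
#
# Returns killall's status, so "stop" reports failure when no snort
# process was running.
snort_stop() {
  # ">/dev/null 2>&1" rather than "&>": under a POSIX /bin/sh the latter
  # parses as "killall snort &" followed by a bare redirection, which
  # backgrounds the kill and makes $? unconditionally 0.
  killall snort >/dev/null 2>&1
  ret=$?
  # NOTE(review): killall matches by process name, so any snort instance
  # not started by this script is killed too; a pidfile-based kill would
  # be more precise.
  if [ -e "/var/run/snort.$INTERFACE" ]; then
    /sbin/ifconfig "$INTERFACE" down
    /usr/bin/rm -f "/var/run/snort.$INTERFACE"
  fi
  return $ret
}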

# Stop, pause briefly, then start again; the exit status is snort_start's.
snort_restart() {
  snort_stop
  # Give the old process time to exit and the interface to settle before
  # it is reopened.
  /usr/bin/sleep 2
  snort_start
  return $?
}

# Command dispatcher. "start"/"stop" print a status line via start/stop
# ($startsnortd/$stopsnortd are presumably loaded from the rc.messages file
# snortd.en by rc.functions) and report the result via ok; "restart" goes
# through snort_restart without either.
case "$1" in
'start')
  start "$startsnortd"
  snort_start
  ok $?
  ;;
'stop')
  stop "$stopsnortd"
  snort_stop
  ok $?
  ;;
'restart')
  snort_restart
  ;;
*)
  # NOTE(review): usage goes to stdout and the script still exits 0 here;
  # rc scripts normally exit non-zero on bad usage.
  echo "usage $0 start|stop|restart"
esac 
=== Configure MySQL and Snort

1. Start the MySQL service and set the MySQL root password with:

--------------
$ mysql_secure_installation 
--------------

or, non-interactively (note that a password given on the command line is
visible to other local users in the process list and is saved in the shell
history; prefer the interactive prompt above):

--------------
$ mysqladmin -u root password 'new-password'
--------------

2. Create a dedicated user and group for the daemon (rc.snortd starts snort
with "-u snort -g snort") and give it ownership of the directories it writes:
/var/log/snort for logs and alerts, and /var/snort, where the packaged
snort.conf's perfmonitor preprocessor writes snort.stats (presumably after
privileges have been dropped, so it needs the same ownership):

-------------
$ groupadd snort
$ useradd -g snort snort -s /bin/false
$ chown snort:snort /var/log/snort/ /var/snort/
-------------

3. Create the snort database and a dedicated MySQL account for it. Pick your
own password in place of 'snort': the default is public knowledge, and the
same string must appear in /etc/snort/snort.conf (see the note below).

--------------
$ mysql -u root -p -e "create database snort;grant all on snort.* to 'snort'@'localhost' identified by 'snort';flush privileges;"
> enter mysql root password
--------------

4. Load the tables into the snort database with (note that "-psnort" puts
the password on the command line, where other local users can see it; "-p"
alone prompts for it instead):

--------------
$ mysql -u snort -psnort < /etc/snort/create_mysql snort
--------------

/!\ You should change the MySQL snort user's password: modify "identified by
'password'" in step 3 and replace '-psnort' with '-ppassword' in step 4. In
that case you must also update the "output database: log, mysql, user=snort
password=..." line in /etc/snort/snort.conf (see http://www.snort.org/docs/).
Because that file holds the password, keep it readable only by root and the
snort user (e.g. mode 0640, owner root:snort). /!\

5. Install Snort rules into /etc/snort/rules, the RULE_PATH set in the
packaged snort.conf (see the official documentation on www.snort.org).

6. Edit /etc/snort/snort.conf: uncomment the "include $RULE_PATH/..." lines
for the rule files you installed (the packaged file ships with every rule
include commented out, so nothing is detected until you do) and set the
parameters your rules need.

7. You can now start Snort with :

--------------
$ service snortd start
--------------

=== Uninstalling Snort

1. Drop the snort MySQL database (this discards the events logged into it):

--------------
$ mysql -u root -p -e "drop database snort;"
> enter mysql root password
--------------

2. Delete snort user and group:

--------------
$ userdel snort
$ groupdel snort
--------------

# Register the rc script with chkconfig once the package files are in place.
post_install() {
    echo "Adding snortd service..."
    chkconfig --add rc.snortd
}

# Unregister the rc script before the package files are deleted.
pre_remove() {
    echo "Removing snortd service..."
    chkconfig --del rc.snortd
}

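# The package manager invokes this file as "snort.install <hook> [args...]".
# Dispatch only to the hooks defined above instead of executing whatever
# word arrives in $1; hooks not implemented here are a no-op. "$@" passes
# any remaining arguments through intact instead of re-splitting them as
# an unquoted $* would.
op=$1
shift
case "$op" in
  post_install|pre_remove)
    "$op" "$@"
    ;;
esac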
--- etc/snort.conf      2008-09-15 18:28:02.000000000 +0200
+++ etc/snort.conf      2008-10-04 14:47:29.000000000 +0200
@@ -1,5 +1,5 @@
 #--------------------------------------------------
-#   http://www.snort.org     Snort 2.8.3.1 Ruleset
+#   http://www.snort.org     Snort 2.8.3 Ruleset
 #     Contact: [EMAIL PROTECTED]
 #--------------------------------------------------
 # $Id$
@@ -107,7 +107,7 @@
 # Path to your rules files (this can be a relative path)
 # Note for Windows users:  You are advised to make this an absolute path,
 # such as:  c:\snort\rules
-var RULE_PATH ../rules
+var RULE_PATH /etc/snort/rules
 var PREPROC_RULE_PATH ../preproc_rules
 
 # Configure the snort decoder
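Review bot: `var PREPROC_RULE_PATH ../preproc_rules` is left relative on the line right after RULE_PATH was rewritten to an absolute path, so the two path variables now resolve differently; if a `$PREPROC_RULE_PATH` include is ever uncommented it will resolve against whatever directory Snort uses for relative includes at startup rather than under /etc/snort. For consistency with the rest of the patch write `var PREPROC_RULE_PATH /etc/snort/preproc_rules`. The preprocessor rule includes stay commented out in this patch, so nothing breaks today.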
@@ -149,7 +149,7 @@
 # actual length of the captured portion of the packet that the length
 # is supposed to represent:
 #
-# config enable_decode_oversized_alerts
+config enable_decode_oversized_alerts
 #
 # Same as above, but drop packet if in Inline mode -
 # enable_decode_oversized_alerts must be enabled for this to work:
@@ -163,7 +163,7 @@
 # Use a different pattern matcher in case you have a machine with very limited
 # resources:
 #
-# config detection: search-method lowmem
+config detection: search-method ac-bnfa
 
 # Configure Inline Resets
 # ========================
@@ -191,27 +191,27 @@
 # Load all dynamic preprocessors from the install path
 # (same as command line option --dynamic-preprocessor-lib-dir)
 #
-dynamicpreprocessor directory /usr/local/lib/snort_dynamicpreprocessor/
+dynamicpreprocessor directory /usr/lib/snort_dynamicpreprocessor/
 #
 # Load a specific dynamic preprocessor library from the install path
 # (same as command line option --dynamic-preprocessor-lib)
 #
-# dynamicpreprocessor file 
/usr/local/lib/snort_dynamicpreprocessor/libdynamicexample.so
+# dynamicpreprocessor file 
/usr/lib/snort_dynamicpreprocessor/libdynamicexample.so
 #
 # Load a dynamic engine from the install path
 # (same as command line option --dynamic-engine-lib)
 #
-dynamicengine /usr/local/lib/snort_dynamicengine/libsf_engine.so
+dynamicengine /usr/lib/snort_dynamicengine/libsf_engine.so
 #
 # Load all dynamic rules libraries from the install path
 # (same as command line option --dynamic-detection-lib-dir)
 #
-# dynamicdetection directory /usr/local/lib/snort_dynamicrule/
+# dynamicdetection directory /usr/lib/snort_dynamicrule/
 #
 # Load a specific dynamic rule library from the install path
 # (same as command line option --dynamic-detection-lib)
 #
-# dynamicdetection file 
/usr/local/lib/snort_dynamicrule/libdynamicexamplerule.so
+# dynamicdetection file /usr/lib/snort_dynamicrule/libdynamicexamplerule.so
 #
 
 ###################################################
@@ -291,7 +291,7 @@
 #                           bind_to 10.3.1.0/24
 #preprocessor frag3_engine: policy bsd
 
-preprocessor frag3_global: max_frags 65536
+preprocessor frag3_global: max_frags 65536, prealloc_frags 65536
 preprocessor frag3_engine: policy first detect_anomalies
 
 
@@ -420,9 +420,9 @@
 #
 # Example config (that emulates Stream4 with UDP support compiled in)
 preprocessor stream5_global: max_tcp 8192, track_tcp yes, \
-                              track_udp no
-preprocessor stream5_tcp: policy first, use_static_footprint_sizes
-# preprocessor stream5_udp: ignore_any_rules
+                              track_udp yes
+preprocessor stream5_tcp: policy first, detect_anomalies, 
use_static_footprint_sizes
+preprocessor stream5_udp:
 
 
 # Performance Statistics
@@ -430,7 +430,7 @@
 # Documentation for this is provided in the Snort Manual.  You should read it.
 # It is included in the release distribution as doc/snort_manual.pdf
 # 
-# preprocessor perfmonitor: time 300 file /var/snort/snort.stats pktcnt 10000
+preprocessor perfmonitor: time 300 file /var/snort/snort.stats pktcnt 10000
 
 # http_inspect: normalize and detect HTTP traffic and protocol anomalies
 #
@@ -448,7 +448,7 @@
 #
 #preprocessor http_inspect_server: server 1.1.1.1 \
 #    ports { 80 3128 8080 } \
-#    server_flow_depth 0 \
+#    flow_depth 0 \
 #    ascii no \
 #    double_decode yes \
 #    non_rfc_char { 0x00 } \
@@ -500,6 +500,18 @@
 
 preprocessor bo
 
+# telnet_decode: Telnet negotiation string normalizer
+# ---------------------------------------------------
+# This preprocessor "normalizes" telnet negotiation strings from telnet and ftp
+# traffic.  It works in much the same way as the http_decode preprocessor,
+# searching for traffic that breaks up the normal data stream of a protocol and
+# replacing it with a normalized representation of that traffic so that the
+# "content" pattern matching keyword can work without requiring modifications.
+# This preprocessor requires no arguments.
+#
+# DEPRECATED in favor of ftp_telnet dynamic preprocessor
+#preprocessor telnet_decode
+#
 # ftp_telnet: FTP & Telnet normalizer, protocol enforcement and buff overflow
 # ---------------------------------------------------------------------------
 # This preprocessor normalizes telnet negotiation strings from telnet and
@@ -802,7 +814,7 @@
 # See the README.database file for more information about configuring
 # and using this plugin.
 #
-# output database: log, mysql, user=root password=test dbname=db host=localhost
+output database: log, mysql, user=snort password=snort dbname=snort 
host=localhost
 # output database: alert, postgresql, user=snort dbname=snort
 # output database: log, odbc, user=snort dbname=snort
 # output database: log, mssql, dbname=snort user=snort password=test
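Review bot: The enabled `output database:` line embeds the MySQL password `snort` in /etc/snort/snort.conf, a file the FrugalBuild installs with Ffile's default mode and lists in backup=, so the credential is presumably world-readable and is the same well-known default the README hands out. Add a comment above it, `# Change this password together with the GRANT in README.Frugalware; keep this file mode 0640 root:snort`, and have the package install snort.conf with that mode. Enabling this plugin unconditionally also makes snort's startup depend on MySQL running with that account in place; the README ordering covers it, but a one-line comment saying so here would save the first failed `service snortd start`.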
@@ -877,7 +889,7 @@
 # such as:  c:\snort\etc\classification.config
 #
 
-include classification.config
+include /etc/snort/classification.config
 
 #
 # Include reference systems
@@ -885,7 +897,7 @@
 # such as:  c:\snort\etc\reference.config
 #
 
-include reference.config
+include /etc/snort/reference.config
 
 ####################################################################
 # Step #5: Configure snort with config statements
@@ -924,45 +936,45 @@
 # README.alert_order for how rule ordering affects how alerts are triggered.
 #=========================================
 
-include $RULE_PATH/local.rules
-include $RULE_PATH/bad-traffic.rules
-include $RULE_PATH/exploit.rules
-include $RULE_PATH/scan.rules
-include $RULE_PATH/finger.rules
-include $RULE_PATH/ftp.rules
-include $RULE_PATH/telnet.rules
-include $RULE_PATH/rpc.rules
-include $RULE_PATH/rservices.rules
-include $RULE_PATH/dos.rules
-include $RULE_PATH/ddos.rules
-include $RULE_PATH/dns.rules
-include $RULE_PATH/tftp.rules
-
-include $RULE_PATH/web-cgi.rules
-include $RULE_PATH/web-coldfusion.rules
-include $RULE_PATH/web-iis.rules
-include $RULE_PATH/web-frontpage.rules
-include $RULE_PATH/web-misc.rules
-include $RULE_PATH/web-client.rules
-include $RULE_PATH/web-php.rules
-
-include $RULE_PATH/sql.rules
-include $RULE_PATH/x11.rules
-include $RULE_PATH/icmp.rules
-include $RULE_PATH/netbios.rules
-include $RULE_PATH/misc.rules
-include $RULE_PATH/attack-responses.rules
-include $RULE_PATH/oracle.rules
-include $RULE_PATH/mysql.rules
-include $RULE_PATH/snmp.rules
-
-include $RULE_PATH/smtp.rules
-include $RULE_PATH/imap.rules
-include $RULE_PATH/pop2.rules
-include $RULE_PATH/pop3.rules
+#include $RULE_PATH/local.rules
+#include $RULE_PATH/bad-traffic.rules
+#include $RULE_PATH/exploit.rules
+#include $RULE_PATH/scan.rules
+#include $RULE_PATH/finger.rules
+#include $RULE_PATH/ftp.rules
+#include $RULE_PATH/telnet.rules
+#include $RULE_PATH/rpc.rules
+#include $RULE_PATH/rservices.rules
+#include $RULE_PATH/dos.rules
+#include $RULE_PATH/ddos.rules
+#include $RULE_PATH/dns.rules
+#include $RULE_PATH/tftp.rules
+
+#include $RULE_PATH/web-cgi.rules
+#include $RULE_PATH/web-coldfusion.rules
+#include $RULE_PATH/web-iis.rules
+#include $RULE_PATH/web-frontpage.rules
+#include $RULE_PATH/web-misc.rules
+#include $RULE_PATH/web-client.rules
+#include $RULE_PATH/web-php.rules
+
+#include $RULE_PATH/sql.rules
+#include $RULE_PATH/x11.rules
+#include $RULE_PATH/icmp.rules
+#include $RULE_PATH/netbios.rules
+#include $RULE_PATH/misc.rules
+#include $RULE_PATH/attack-responses.rules
+#include $RULE_PATH/oracle.rules
+#include $RULE_PATH/mysql.rules
+#include $RULE_PATH/snmp.rules
+
+#include $RULE_PATH/smtp.rules
+#include $RULE_PATH/imap.rules
+#include $RULE_PATH/pop2.rules
+#include $RULE_PATH/pop3.rules
 
-include $RULE_PATH/nntp.rules
-include $RULE_PATH/other-ids.rules
+#include $RULE_PATH/nntp.rules
+#include $RULE_PATH/other-ids.rules
 # include $RULE_PATH/web-attacks.rules
 # include $RULE_PATH/backdoor.rules
 # include $RULE_PATH/shellcode.rules
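Review bot: Every `include $RULE_PATH/*.rules` line is now commented out, so the packaged snort.conf starts a sensor that runs preprocessors only and matches no signatures, and nothing in the file says so; the README's step 6 is the only hint. Add a comment at the top of this section, `# No rules ship with this package: install a ruleset into /etc/snort/rules and uncomment the includes you need`, and consider shipping an empty /etc/snort/rules/local.rules so that `include $RULE_PATH/local.rules` can stay active as the hook for site-local rules. Commenting out local.rules was presumably forced by the rules directory being empty at install time.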
@@ -976,7 +988,7 @@
 # include $RULE_PATH/p2p.rules
 # include $RULE_PATH/spyware-put.rules
 # include $RULE_PATH/specific-threats.rules
-include $RULE_PATH/experimental.rules
+#include $RULE_PATH/experimental.rules
 
 # include $PREPROC_RULE_PATH/preprocessor.rules
 # include $PREPROC_RULE_PATH/decoder.rules
@@ -987,4 +999,4 @@
 # Note for Windows users:  You are advised to make this an absolute path,
 # such as:  c:\snort\etc\threshold.conf
 # Uncomment if needed.
-# include threshold.conf
+include threshold.conf
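Review bot: `include threshold.conf` is uncommented here as a relative path, whereas the same patch rewrote classification.config and reference.config to absolute /etc/snort/ paths; it should be `include /etc/snort/threshold.conf` for consistency, so the include does not depend on how Snort resolves relative paths at startup. The FrugalBuild copies the tarball's etc/* into /etc/snort/, so the file should be present there (assuming the tarball's etc/ contains it).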
#### General Configuration

# Capture interface; rc.snortd falls back to eth0 when this is empty.
INTERFACE="eth0"
# PASS_FIRST=1 maps to "snort -o".
PASS_FIRST="0"
# DAEMON=1 maps to "snort -D".
DAEMON="1"

#### Logging & Alerting

# Mode passed as "snort -A <mode>"; leave empty to pass no -A option.
ALERTMODE=""
# DUMP_APP=1 maps to "snort -d".
DUMP_APP="0"
# BINARY_LOG=1 maps to "snort -b".
BINARY_LOG="0"
# NO_PACKET_LOG=1 maps to "snort -N".
NO_PACKET_LOG="0"
# PRINT_INTERFACE=1 maps to "snort -I".
PRINT_INTERFACE="0"
# Status strings printed by rc.snortd through its stop/start calls.
stopsnortd="Stopping Snort Daemon"
startsnortd="Starting Snort Daemon" 