OpenPKG CVS Repository
http://cvs.openpkg.org/
____________________________________________________________________________
Server: cvs.openpkg.org Name: Ralf S. Engelschall
Root: /v/openpkg/cvs Email: [EMAIL PROTECTED]
Module: openpkg-src Date: 03-Sep-2005 21:39:16
Branch: HEAD Handle: 2005090320391500
Added files:
openpkg-src/snort fsl.snort snort-update.sh
Modified files:
openpkg-src/snort rc.snort snort.conf snort.spec
Log:
Major packaging improvement:
1. Completely revamp the rule handling: First, rules are no longer
installed in unpacked form. Instead their original tarball is
installed. Second, the Snort oinkmaster tool is installed and used
to manage the rule installation.
By default it uses the default rule tarball only once (i.e. it just
installs the rules initially). But after optionally registering at
snort.org, one can use the received "oinkcode" to let the package
upgrade to the latest Snort rules automatically.
2. Add OSSP fsl support to make sure Snort no longer logs to syslog.
Summary:
Revision Changes Path
1.1 +16 -0 openpkg-src/snort/fsl.snort
1.2 +21 -1 openpkg-src/snort/rc.snort
1.1 +43 -0 openpkg-src/snort/snort-update.sh
1.2 +4 -4 openpkg-src/snort/snort.conf
1.32 +87 -33 openpkg-src/snort/snort.spec
____________________________________________________________________________
patch -p0 <<'@@ .'
Index: openpkg-src/snort/fsl.snort
============================================================================
$ cvs diff -u -r0 -r1.1 fsl.snort
--- /dev/null 2005-09-03 21:39:13 +0200
+++ fsl.snort 2005-09-03 21:39:15 +0200
@@ -0,0 +1,16 @@
+##
+## fsl.snort -- OSSP fsl configuration
+##
+
+ident (snort)/.+ q{
+ prefix(
+ prefix="%b %d %H:%M:%S %N <%L> $1[%P]: "
+ )
+ -> {
+ debug: file(
+ path="@l_prefix@/var/snort/snort.log",
+ perm=0644
+ )
+ }
+};
+
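Review bot: The `file(` sink creates `@l_prefix@/var/snort/snort.log` with `perm=0644`, so everything Snort formerly sent to syslog (the commit message says this config exists to divert exactly that) becomes world-readable on the host. `perm=0640` would confine it to the owning group without affecting the daemon, which writes it. I can't tell from this file whether the diverted messages carry alert or packet detail, so confirm what lands here before tightening.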
@@ .
patch -p0 <<'@@ .'
Index: openpkg-src/snort/rc.snort
============================================================================
$ cvs diff -u -r1.1 -r1.2 rc.snort
--- openpkg-src/snort/rc.snort 29 Jul 2005 08:00:19 -0000 1.1
+++ openpkg-src/snort/rc.snort 3 Sep 2005 19:39:15 -0000 1.2
@@ -12,6 +12,8 @@
snort_log_numfiles="10"
snort_log_minsize="1M"
snort_log_complevel="9"
+ snort_update_time="once"
+ snort_update_source="file://@l_prefix@/share/snort/rules.tar.gz"
%common
snort_cfgfile="@l_prefix@/etc/snort/snort.conf"
@@ -21,6 +23,9 @@
snort_signal () {
[ -f $snort_pidfile ] && kill -$1 `cat $snort_pidfile`
}
+ snort_update () {
+ @l_prefix@/sbin/snort-update "$snort_update_source"
+ }
%status -u @l_susr@ -o
snort_usable="no"
@@ -61,8 +66,17 @@
rcService snort active no && exit 0
rc snort stop start
-%daily -u @l_susr@
+%hourly -u @l_rusr@
+ rcService snort enable yes || exit 0
+ if [ ".$snort_update_time" = .hourly ]; then
+ snort_update || exit $?
+ fi
+
+%daily -u @l_rusr@
rcService snort enable yes || exit 0
+ if [ ".$snort_update_time" = .daily ]; then
+ snort_update || exit $?
+ fi
shtool rotate -f \
-n ${snort_log_numfiles} -s ${snort_log_minsize} -d \
-z ${snort_log_complevel} -m 644 -o @l_rusr@ -g @l_rgrp@ \
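Review bot: In `%daily`, `snort_update || exit $?` runs before the `shtool rotate` call, so a failed rule update (network down, bad oinkcode) now also skips the daily log rotation this section performed before the change. Run the rotation regardless and report the update status afterwards: `rv=0` at the top of the section, `snort_update || rv=$?` in place of the `exit`, and `exit $rv` after the rotate command; the rotate command and the end of `%daily` continue in the next hunk. Separately, this hunk moves `%daily` from `-u @l_susr@` to `-u @l_rusr@`, which also changes the user under which the pre-existing rotate and its `rc snort reload` epilog (visible as context in the next hunk) run; if the daemon runs as a different user, that reload may no longer be able to signal it, which is worth confirming.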
@@ -70,3 +84,9 @@
-E "${snort_log_epilog}; rc snort reload" \
$snort_logdir/snort.alert.log
+%weekly -u @l_rusr@
+ rcService snort enable yes || exit 0
+ if [ ".$snort_update_time" = .weekly ]; then
+ snort_update || exit $?
+ fi
+
@@ .
patch -p0 <<'@@ .'
Index: openpkg-src/snort/snort-update.sh
============================================================================
$ cvs diff -u -r0 -r1.1 snort-update.sh
--- /dev/null 2005-09-03 21:39:13 +0200
+++ snort-update.sh 2005-09-03 21:39:15 +0200
@@ -0,0 +1,43 @@
+#!/bin/sh
+##
+## snort-update.sh -- Snort Rule Updating Utility
+## Copyright (c) 2005 Ralf S. Engelschall <[EMAIL PROTECTED]>
+##
+
+# command line parameters
+url="$1"
+if [ ".$url" = . ]; then
+ echo "USAGE: $0 <url>" 1>&2
+ exit 1
+fi
+
+# configuration
+rulesdir="@l_prefix@/var/snort/rules"
+tmpdir="@l_prefix@/var/snort/tmp"
+oinkmaster="@l_prefix@/sbin/oinkmaster"
+logfile="@l_prefix@/var/snort/oinkmaster.log"
+statsfile="@l_prefix@/var/snort/snort.stats"
+
+# parameter post-processing
+url=`echo "$url" |\
+ sed -e
's;^oinkcode:\(.*\)$;http://www.snort.org/pub-bin/oinkmaster.cgi/\1/[EMAIL
PROTECTED]@.tar.gz;' \
+ -e 's;^\(/.*\)$;file://\1;'`
+
+# ruleset updating
+( echo "++ SNORT-UPDATE START (`date`)"
+ echo "++ Update URL: \"$url\""
+ $oinkmaster -q -o $rulesdir -u $url
+ if [ ! -f $rulesdir/local.rules ]; then
+ touch $rulesdir/local.rules
+ fi
+ @l_prefix@/lib/openpkg/shtool subst \
+ -e 's;\(var HOME_NET\) any;\1 $(HOME_NET:-any);' \
+ -e 's;\(var EXTERNAL_NET\) any;\1 $(EXTERNAL_NET:-any);' \
+ -e 's; \([^ /]*\.map\); $(RULE_PATH)/\1;' \
+ -e 's; \([^ /]*\.config\); $(RULE_PATH)/\1;' \
+ -e "s;\\(var RULE_PATH\\).*;\\1 \$(RULE_PATH:-$rulesdir);" \
+ -e "s;/var/snort/snort\.stats;$statsfile;" \
+ $rulesdir/snort.conf
+ echo "++ SNORT-UPDATE END (`date`)"
+) >>$logfile 2>&1
+
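Review bot: The script's exit status never reflects an oinkmaster failure: the subshell started at `( echo "++ SNORT-UPDATE START` ends with the `echo "++ SNORT-UPDATE END` line, so the status seen by `snort_update || exit $?` in rc.snort is 0 even when the download or rule install fails, and a stale ruleset goes unnoticed. Capture it inside the subshell — `rv=0` before the call, `$oinkmaster -q -o "$rulesdir" -u "$url" || rv=$?`, and `exit $rv` as the subshell's last line — which also quotes the two expansions that are currently unquoted. The `echo "++ Update URL: \"$url\""` line writes the rewritten URL to `$logfile`; for the `oinkcode:` form that URL embeds the oinkcode, which the %post notice in snort.spec treats as a per-user credential, so the log entry should mask it (or print only the scheme and host) and `$logfile` is created with whatever mode the umask yields rather than an explicit one. The same URL is also passed on the oinkmaster command line, where it is visible to other local users via the process list; I can't tell from here whether oinkmaster offers a way to read it from a file instead.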
@@ .
patch -p0 <<'@@ .'
Index: openpkg-src/snort/snort.conf
============================================================================
$ cvs diff -u -r1.1 -r1.2 snort.conf
--- openpkg-src/snort/snort.conf 29 Jul 2005 08:00:19 -0000 1.1
+++ openpkg-src/snort/snort.conf 3 Sep 2005 19:39:15 -0000 1.2
@@ -3,8 +3,8 @@
##
# common variables
-var CFG_PATH @l_prefix@/share/snort
-var VAR_PATH @l_prefix@/var/snort
+var VAR_PATH @l_prefix@/var/snort
+var RULE_PATH $VAR_PATH/rules
# output selection
config alertfile: $VAR_PATH/snort.alert.log
@@ -15,8 +15,8 @@
config show_year
config order: alert pass log
-# load default snort configuration
+# load snort rules configuration
var HOME_NET any
var EXTERNAL_NET any
-include $CFG_PATH/etc/snort.conf
+include $RULE_PATH/snort.conf
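Review bot: `include $RULE_PATH/snort.conf` now pulls a large part of the Snort configuration from `$VAR_PATH/rules`, which snort.spec in this commit marks `%attr(-,%{l_rusr},%{l_rgrp})` and which snort-update rewrites on every run. If the snort daemon itself runs with more privilege than @l_rusr@ (its start section is not in this diff), the runtime user now controls a configuration file the privileged process reads, not only rule signatures. A comment at this line would make the boundary explicit, e.g. `# NOTE: $RULE_PATH/snort.conf is owned by the runtime user and rewritten by snort-update`, and rc.snort/snort.spec should be checked so the daemon and the updater run as the same user.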
@@ .
patch -p0 <<'@@ .'
Index: openpkg-src/snort/snort.spec
============================================================================
$ cvs diff -u -r1.31 -r1.32 snort.spec
--- openpkg-src/snort/snort.spec 29 Jul 2005 15:41:10 -0000 1.31
+++ openpkg-src/snort/snort.spec 3 Sep 2005 19:39:15 -0000 1.32
@@ -23,8 +23,9 @@
##
# package version
-%define V_snort 2.4.0
-%define V_rules 2.4
+%define V_snort 2.4.0
+%define V_rules 2.4
+%define V_oinkmaster 1.2
# package information
Name: snort
@@ -37,26 +38,34 @@
Group: Network
License: GPL
Version: %{V_snort}
-Release: 20050729
+Release: 20050903
# package options
+%option with_fsl yes
%option with_mysql no
%option with_pgsql no
# list of sources
Source0: http://www.snort.org/dl/current/snort-%{V_snort}.tar.gz
Source1:
http://www.snort.org/pub-bin/downloads.cgi/Download/vrt_pr/snortrules-pr-%{V_rules}.tar.gz
-Source2: snort.conf
-Source3: rc.snort
+Source2:
http://osdn.dl.sourceforge.net/sourceforge/oinkmaster/oinkmaster-%{V_oinkmaster}.tar.gz
+Source3: snort.conf
+Source4: rc.snort
+Source5: fsl.snort
+Source6: snort-update.sh
Patch0: snort.patch
# build information
Prefix: %{l_prefix}
BuildRoot: %{l_buildroot}
BuildPreReq: OpenPKG, openpkg >= 20040130, make, gcc
-PreReq: OpenPKG, openpkg >= 20040130
+PreReq: OpenPKG, openpkg >= 20040130, perl, perl-www, perl-sys,
perl-comp
BuildPreReq: libpcap, libnet, pcre
PreReq: libpcap, libnet, pcre
+%if "%{with_fsl}" == "yes"
+BuildPreReq: fsl >= 1.2.0
+PreReq: fsl >= 1.2.0
+%endif
%if "%{with_mysql}" == "yes"
BuildPreReq: mysql
PreReq: mysql
@@ -87,10 +96,15 @@
url = http://www.snort.org/dl/
regex = snort-(\d+\.\d+\.\d+)\.tar\.gz
}
+ prog snort:oinkmaster = {
+ version = %{V_oinkmaster}
+ url = http://prdownloads.sourceforge.net/oinkmaster/
+ regex = oinkmaster-(__VER__)\.tar\.gz
+ }
%prep
%setup -q
- %setup -q -D -T -a 1
+ %setup -q -D -T -a 2
%patch -p0
%{l_shtool} subst %{l_value -s -a} \
src/snort.h
@@ -107,8 +121,8 @@
CC="%{l_cc}" \
CFLAGS="%{l_cflags -O}" \
CPPFLAGS="%{l_cppflags}" \
- LDFLAGS="%{l_ldflags}" \
- LIBS="$LIBS" \
+ LDFLAGS="%{l_ldflags} %{l_fsl_ldflags}" \
+ LIBS="$LIBS %{l_fsl_libs}" \
./configure \
--prefix=%{l_prefix} \
--sysconfdir=%{l_prefix}/etc/snort \
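Review bot: `%{l_fsl_ldflags}` and `%{l_fsl_libs}` are added to LDFLAGS/LIBS unconditionally, while the fsl BuildPreReq/PreReq added earlier in this commit sit inside `%if "%{with_fsl}" == "yes"`. With `with_fsl no` the build either links against an fsl that is not a declared dependency or, if those macros expand to nothing when fsl is absent, the option silently has no effect on linking; I can't tell which from here. Either way the two places should agree, e.g. by wrapping these two lines in the same `%if "%{with_fsl}" == "yes"` block. The configure invocation that these flags belong to begins above the hunk.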
@@ -139,12 +153,12 @@
%{l_shtool} mkdir -f -p -m 755 \
$RPM_BUILD_ROOT%{l_prefix}/sbin \
$RPM_BUILD_ROOT%{l_prefix}/man/man8 \
+ $RPM_BUILD_ROOT%{l_prefix}/etc/fsl \
$RPM_BUILD_ROOT%{l_prefix}/etc/rc.d \
$RPM_BUILD_ROOT%{l_prefix}/etc/snort \
- $RPM_BUILD_ROOT%{l_prefix}/share/snort/etc \
- $RPM_BUILD_ROOT%{l_prefix}/share/snort/map \
- $RPM_BUILD_ROOT%{l_prefix}/share/snort/rules \
- $RPM_BUILD_ROOT%{l_prefix}/var/snort
+ $RPM_BUILD_ROOT%{l_prefix}/share/snort \
+ $RPM_BUILD_ROOT%{l_prefix}/var/snort/rules \
+ $RPM_BUILD_ROOT%{l_prefix}/var/snort/tmp
# install program and manual page
%{l_shtool} install -c -s -m 755 \
@@ -152,33 +166,23 @@
%{l_shtool} install -c -m 644 \
snort.8 $RPM_BUILD_ROOT%{l_prefix}/man/man8/
- # install default configuration and rules files
- %{l_shtool} install -c -m 644 \
- -e 's;\(var HOME_NET\) any;\1 $(HOME_NET:-any);' \
- -e 's;\(var EXTERNAL_NET\) any;\1 $(EXTERNAL_NET:-any);' \
- -e 's;\(var RULE_PATH\).*;\1 %{l_prefix}/share/snort/rules;g' \
- -e 's;include classification.config;include
%{l_prefix}/share/snort/etc/classification.config;' \
- -e 's;include reference.config;include
%{l_prefix}/share/snort/etc/reference.config;' \
- -e 's;iis_unicode_map unicode.map;iis_unicode_map
%{l_prefix}/share/snort/map/unicode.map;' \
- etc/snort.conf \
- $RPM_BUILD_ROOT%{l_prefix}/share/snort/etc/
- %{l_shtool} install -c -m 644 \
- etc/reference.config etc/classification.config etc/threshold.conf \
- $RPM_BUILD_ROOT%{l_prefix}/share/snort/etc/
- %{l_shtool} install -c -m 644 \
- etc/unicode.map etc/gen-msg.map etc/sid-msg.map \
- $RPM_BUILD_ROOT%{l_prefix}/share/snort/map/
- %{l_shtool} install -c -m 644 \
- rules/*.rules $RPM_BUILD_ROOT%{l_prefix}/share/snort/rules/
-
# install default configuration
%{l_shtool} install -c -m 644 %{l_value -s -a} \
%{SOURCE snort.conf} $RPM_BUILD_ROOT%{l_prefix}/etc/snort/
+ # install default ruleset tarball
+ %{l_shtool} install -c -m 644 \
+ %{SOURCE snortrules-pr-%{V_rules}.tar.gz} \
+ $RPM_BUILD_ROOT%{l_prefix}/share/snort/rules.tar.gz
+
# install run-command script
%{l_shtool} install -c -m 755 %{l_value -s -a} \
%{SOURCE rc.snort} $RPM_BUILD_ROOT%{l_prefix}/etc/rc.d/
+ # install OSSP fsl configuration
+ %{l_shtool} install -c -m 644 %{l_value -s -a} \
+ %{SOURCE fsl.snort} $RPM_BUILD_ROOT%{l_prefix}/etc/fsl/
+
# install optional/additional files
%if "%{with_mysql}" == "yes"
%{l_shtool} install -c -m 644 \
@@ -191,11 +195,35 @@
$RPM_BUILD_ROOT%{l_prefix}/share/snort/
%endif
+ # install oinkmaster utility
+ ( cd oinkmaster-%{V_oinkmaster}
+ %{l_shtool} install -c -m 755 \
+ -e 's;#!/usr/bin/perl;#!%{l_prefix}/bin/perl;g' \
+ -e
's;/etc/oinkmaster\.conf;%{l_prefix}/etc/snort/oinkmaster.conf;' \
+ oinkmaster.pl $RPM_BUILD_ROOT%{l_prefix}/sbin/oinkmaster
+ %{l_shtool} install -c -m 644 \
+ oinkmaster.1 $RPM_BUILD_ROOT%{l_prefix}/man/man8/oinkmaster.8
+ %{l_shtool} install -c -m 644 \
+ -e 's;^\(path = \);\1%{l_prefix}/bin:;' \
+ -e 's;^# tmpdir = /home/oinkmaster/tmp/;tmpdir =
%{l_prefix}/var/snort/tmp;' \
+ -e 's;^# \(use_external_bins = 0\);\1;' \
+ -e 's;^\(skipfile snort\.conf\);# \1;' \
+ oinkmaster.conf $RPM_BUILD_ROOT%{l_prefix}/etc/snort/
+ ) || exit $?
+
+ # install rule update utility
+ %{l_shtool} install -c -m 755 %{l_value -s -a} \
+ -e 's;@V_rules@;%{V_rules};g' \
+ %{SOURCE snort-update.sh} \
+ $RPM_BUILD_ROOT%{l_prefix}/sbin/snort-update
+
# determine installation files
%{l_rpmtool} files -v -ofiles -r$RPM_BUILD_ROOT \
%{l_files_std} \
'%config %{l_prefix}/etc/snort/*' \
- '%attr(-,%{l_rusr},%{l_rgrp}) %{l_prefix}/var/snort'
+ '%attr(-,%{l_rusr},%{l_rgrp}) %{l_prefix}/var/snort' \
+ '%attr(-,%{l_rusr},%{l_rgrp}) %{l_prefix}/var/snort/rules' \
+ '%attr(-,%{l_rusr},%{l_rgrp}) %{l_prefix}/var/snort/tmp'
%files -f files
@@ -209,6 +237,30 @@
echo "\"snort_if\" in $RPM_INSTALL_PREFIX/etc/rc.conf to the name
of the"
echo "used network interface."
) | %{l_rpmtool} msg -b -t notice
+ ( echo "To use Snort as an IDS, its rules HAVE to be ALWAYS up to
date."
+ echo "But this package just ships with the latest PUBLIC version
of the"
+ echo "\"Sourcefire VRT Certified Rules\" for UNREGISTERED Snort
users."
+ echo "This means your rules are NOT covering the latest known
attacks."
+ echo ""
+ echo "Hence, we strongly recommend to become at least a REGISTERED
Snort"
+ echo "user (see http://www.snort.org/ for details). This way you
receive"
+ echo "a so-called \"oinkcode\" (a sequence of 40 hexadecimal
numbers)"
+ echo "which you can configure in the file"
+ echo " $RPM_INSTALL_PREFIX/etc/rc.conf"
+ echo "via the directives"
+ echo " snort_update_time=\"daily\""
+ echo " snort_update_source=\"oinkcode:XXXX...\""
+ echo "to update your Snort rules in"
+ echo " $RPM_INSTALL_PREFIX/var/snort/rules/"
+ echo "automatically once per day with the latest version of the"
+ echo "\"Sourcefire VRT Certified Rules\" for REGISTERED Snort
users."
+ ) | %{l_rpmtool} msg -b -t notice
+ fi
+
+ # trigger a ruleset update
+ snort_update_source=`%{l_rc} -q snort_update_source`
+ if [ ".$snort_update_source" != . ]; then
+ su - %{l_rusr} -c "$RPM_INSTALL_PREFIX/sbin/snort-update
\"$snort_update_source\""
fi
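Review bot: `su - %{l_rusr} -c "$RPM_INSTALL_PREFIX/sbin/snort-update \"$snort_update_source\""` splices the rc.conf value into a command string that the target user's shell re-parses, so a value containing `"`, `$` or backquotes alters the command instead of being passed as the URL. rc.conf is root-owned, so this is a robustness rather than an injection concern, but since snort-update only accepts three shapes (`oinkcode:…`, an absolute path, or a URL) the value could be rejected here when it contains shell-significant characters before the string is built. Note also that `su -` starts a login shell, so if @l_rusr@ has a non-interactive login shell the update is never triggered; `-s /bin/sh` would make that explicit, if the platforms' `su` supports it. The `fi` after the notice block closes an `if` that begins above the hunk.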
# after upgrade, restart service
@@ -224,5 +276,7 @@
rm -f $RPM_INSTALL_PREFIX/var/snort/*.pid >/dev/null 2>&1 || true
rm -f $RPM_INSTALL_PREFIX/var/snort/*.log >/dev/null 2>&1 || true
rm -f $RPM_INSTALL_PREFIX/var/snort/*.cap >/dev/null 2>&1 || true
+ rm -f $RPM_INSTALL_PREFIX/var/snort/rules/* >/dev/null 2>&1 || true
+ rm -f $RPM_INSTALL_PREFIX/var/snort/tmp/* >/dev/null 2>&1 || true
exit 0
@@ .