On Wed, Oct 03, 2012 at 11:19:43PM +0200, Markus Lude wrote:
> On Tue, Oct 02, 2012 at 11:00:53AM +0100, Stuart Henderson wrote:
> > On 2012/10/01 22:56, Lawrence Teo wrote:
> > > This diff adds an rc.d script for Snort.
> > >
> > > It also modifies the pkg/README file to mention the rc.d script, and
> > > adds a note that rules need to be present in /etc/snort/rules for Snort
> > > to work as an IDS (since `/etc/rc.d/snort start` will fail if rules
> > > don't exist in that directory).
> >
> > > An up-to-date set of rules is needed for Snort to be useful as an IDS.
> > > These can be downloaded manually or net/oinkmaster can be used to
> > > -download the latest rules from several different sources.
> > > +download the latest rules from several different sources. By default,
> > > +these rules are expected to be present in the ${SYSCONFDIR}/snort/rules
> > > +directory as defined by RULE_PATH in ${SYSCONFDIR}/snort/snort.conf.
> >
> > It would be nice to give a specific example of commands that could be
> > run to download some rules to get started and see it working, preferably
> > without having to register - I found various talk about "community rules"
> > but didn't find anywhere they could actually be downloaded - do you know
> > of anything that might be suitable?
>
> You may use the rules from the emerging threats project at
> http://rules.emergingthreats.net
>
> With oinkmaster (which is in ports) you could use for example
>
> url =
> http://rules.emergingthreats.net/open-nogpl/snort-2.9.0/emerging.rules.tar.gz
>
> in oinkmaster.conf and then add the rules files to snort.conf.
>
> Regards,
> Markus
Thank you Stuart and Markus for your feedback. Coincidentally I was
revising my diff to include Emerging Threats rules after reading Stuart's
question about community rules. :) Also, Markus, thanks for bringing up
oinkmaster; I have changed the diff to provide more details on how to use
oinkmaster in pkg/README.

The revised diff below does a few things:

* In snort.conf, mention the general URLs where Snort rules can be
  downloaded.

* In snort.conf, add commented include lines for Emerging Threats rules.

* In pkg/README, describe how to download both the official Snort rules
  as well as the Emerging Threats rules. Also provide some guidance on
  how to use oinkmaster to download the rules.

* In pkg/README, recommend that the user change snort.conf to match
  their environment (since Snort cannot load at least one of the current
  Emerging Threats rules if HOME_NET is left as "any").

* Based on Stuart's feedback, I have changed the rc.d script to move -D
  to the "daemon" variable and removed pexp.

Thoughts/OK?

Thanks,
Lawrence

Index: Makefile =================================================================== RCS file: /home/lteo/cvsync/cvs/ports/net/snort/Makefile,v retrieving revision 1.69 diff -u -p -r1.69 Makefile --- Makefile 28 Sep 2012 19:30:54 -0000 1.69 +++ Makefile 3 Oct 2012 03:34:49 -0000 @@ -4,7 +4,9 @@ SHARED_ONLY = Yes COMMENT = highly flexible sniffer/NIDS -DISTNAME = snort-2.9.3.1 +VERSION = 2.9.3.1 +DISTNAME = snort-${VERSION} +REVISION = 0 CATEGORIES = net security 
@@ -43,6 +45,9 @@ PREPROC = decoder.rules preprocessor.ru DOCS = AUTHORS CREDITS README README.* *.pdf TODO USAGE \ WISHLIST + +V = ${VERSION:S/.//g} +SUBST_VARS += V pre-configure: @${SUBST_CMD} ${WRKSRC}/etc/snort.conf Index: patches/patch-etc_snort_conf =================================================================== RCS file: /home/lteo/cvsync/cvs/ports/net/snort/patches/patch-etc_snort_conf,v retrieving revision 1.6 diff -u -p -r1.6 patch-etc_snort_conf --- patches/patch-etc_snort_conf 26 Sep 2012 02:11:05 -0000 1.6 +++ patches/patch-etc_snort_conf 3 Oct 2012 01:44:45 -0000 @@ -2,8 +2,8 @@ $OpenBSD: patch-etc_snort_conf,v 1.6 201 reputation preprocessor disabled, still experimental ---- etc/snort.conf.orig Tue Jul 31 18:21:16 2012 -+++ etc/snort.conf Tue Sep 11 23:02:31 2012 +--- etc/snort.conf.orig Tue Jul 31 12:21:16 2012 ++++ etc/snort.conf Tue Oct 2 21:41:48 2012 @@ -101,17 +101,17 @@ ipvar AIM_SERVERS [64.12.24.0/23,64.12.28.0/23,64.12.1 # Path to your rules files (this can be a relative path) # Note for Windows users: You are advised to make this an absolute path, 
@@ -54,3 +54,66 @@ reputation preprocessor disabled, still ################################################### # Step #6: Configure output plugins +@@ -544,6 +545,7 @@ include reference.config + # site specific rules + include $RULE_PATH/local.rules + ++# Official Sourcefire VRT rules from http://www.snort.org/snort-rules/ + include $RULE_PATH/attack-responses.rules + include $RULE_PATH/backdoor.rules + include $RULE_PATH/bad-traffic.rules +@@ -598,6 +600,54 @@ include $RULE_PATH/web-iis.rules + include $RULE_PATH/web-misc.rules + include $RULE_PATH/web-php.rules + include $RULE_PATH/x11.rules ++ ++# Emerging Threats rules from http://rules.emergingthreats.net/open/snort-2.9.0/ ++# include $RULE_PATH/emerging-activex.rules ++# include $RULE_PATH/emerging-attack_response.rules ++# include $RULE_PATH/emerging-botcc.rules ++# include $RULE_PATH/emerging-chat.rules ++# include $RULE_PATH/emerging-ciarmy.rules ++# include $RULE_PATH/emerging-compromised.rules ++# include $RULE_PATH/emerging-current_events.rules ++# include $RULE_PATH/emerging-deleted.rules ++# include $RULE_PATH/emerging-dns.rules ++# include $RULE_PATH/emerging-dos.rules ++# include $RULE_PATH/emerging-drop.rules ++# include $RULE_PATH/emerging-dshield.rules ++# include $RULE_PATH/emerging-exploit.rules ++# include $RULE_PATH/emerging-ftp.rules ++# include $RULE_PATH/emerging-games.rules ++# include $RULE_PATH/emerging-icmp.rules ++# include $RULE_PATH/emerging-icmp_info.rules ++# include $RULE_PATH/emerging-imap.rules ++# include $RULE_PATH/emerging-inappropriate.rules ++# include $RULE_PATH/emerging-info.rules ++# include $RULE_PATH/emerging-malware.rules ++# include $RULE_PATH/emerging-misc.rules ++# include $RULE_PATH/emerging-mobile_malware.rules ++# include $RULE_PATH/emerging-netbios.rules ++# include $RULE_PATH/emerging-p2p.rules ++# include $RULE_PATH/emerging-policy.rules ++# include $RULE_PATH/emerging-pop3.rules ++# include $RULE_PATH/emerging-rbn-malvertisers.rules ++# include 
$RULE_PATH/emerging-rbn.rules ++# include $RULE_PATH/emerging-rpc.rules ++# include $RULE_PATH/emerging-scada.rules ++# include $RULE_PATH/emerging-scan.rules ++# include $RULE_PATH/emerging-shellcode.rules ++# include $RULE_PATH/emerging-smtp.rules ++# include $RULE_PATH/emerging-snmp.rules ++# include $RULE_PATH/emerging-sql.rules ++# include $RULE_PATH/emerging-telnet.rules ++# include $RULE_PATH/emerging-tftp.rules ++# include $RULE_PATH/emerging-tor.rules ++# include $RULE_PATH/emerging-trojan.rules ++# include $RULE_PATH/emerging-user_agents.rules ++# include $RULE_PATH/emerging-voip.rules ++# include $RULE_PATH/emerging-web_client.rules ++# include $RULE_PATH/emerging-web_server.rules ++# include $RULE_PATH/emerging-web_specific_apps.rules ++# include $RULE_PATH/emerging-worm.rules + + ################################################### + # Step #8: Customize your preprocessor and decoder alerts Index: pkg/PLIST =================================================================== RCS file: /home/lteo/cvsync/cvs/ports/net/snort/pkg/PLIST,v retrieving revision 1.21 diff -u -p -r1.21 PLIST --- pkg/PLIST 26 Sep 2012 02:11:05 -0000 1.21 +++ pkg/PLIST 3 Oct 2012 01:30:59 -0000 @@ -143,3 +143,4 @@ share/examples/snort/unicode.map @group _snort @sample /var/snort/ @sample /var/snort/log/ +@rcscript ${RCDIR}/snort Index: pkg/README =================================================================== RCS file: /home/lteo/cvsync/cvs/ports/net/snort/pkg/README,v retrieving revision 1.1 diff -u -p -r1.1 README --- pkg/README 26 Sep 2012 02:11:05 -0000 1.1 +++ pkg/README 4 Oct 2012 01:37:09 -0000 
@@ -5,12 +5,43 @@ $OpenBSD: README,v 1.1 2012/09/26 02:11: +----------------------------------------------------------------------- An up-to-date set of rules is needed for Snort to be useful as an IDS. -These can be downloaded manually or net/oinkmaster can be used to -download the latest rules from several different sources. +By default, these rules are expected to be present in the +${SYSCONFDIR}/snort/rules directory as defined by RULE_PATH in +${SYSCONFDIR}/snort/snort.conf. + +To download the official Snort rules, you will first need to sign up +for an ``oinkcode'' at https://www.snort.org/signup since the rules are +distributed under the VRT Certified Rules License Agreement. Once you +have an oinkcode, you can download the rules with this command (replace +<oinkcode> with yours): + + ftp -o snortrules-snapshot-${V}.tar.gz \ + http://www.snort.org/sub-rules/snortrules-snapshot-${V}.tar.gz/<oinkcode> + +Then, extract the rules to ${SYSCONFDIR}/snort: + + cd ${SYSCONFDIR}/snort + tar zxf /path/to/snortrules-snapshot-${V}.tar.gz rules preproc_rules + +Alternatively, you can use free rules from Emerging Threats: + + ftp http://rules.emergingthreats.net/open/snort-2.9.0/emerging.rules.tar.gz + cd ${SYSCONFDIR}/snort + tar zxf /path/to/emerging.rules.tar.gz rules + +If you choose to use Emerging Threats rules, you will need to uncomment +their include lines in ${SYSCONFDIR}/snort/snort.conf. + +Apart from the manual download process, you can also use the oinkmaster +package to download the rules by specifying their URL(s) in +${SYSCONFDIR}/oinkmaster.conf, for example: + + url = http://www.snort.org/sub-rules/snortrules-snapshot-${V}.tar.gz/<oinkcode> It is recommended that snort be run as an unprivileged chrooted user. A _snort user/group and a log directory have been created for this -purpose. You should start snort with the following options to take -advantage of this: +purpose. You should start snort with the ${RCDIR}/snort script to take +advantage of this. 
- -c /etc/snort/snort.conf -u _snort -g _snort -t /var/snort -l /var/snort/log +You should also modify ${SYSCONFDIR}/snort/snort.conf to define the +relevant variables such as HOME_NET to suit your environment. Index: pkg/snort.rc =================================================================== RCS file: pkg/snort.rc diff -N pkg/snort.rc --- /dev/null 1 Jan 1970 00:00:00 -0000 +++ pkg/snort.rc 3 Oct 2012 01:45:29 -0000 @@ -0,0 +1,10 @@ +#!/bin/sh +# +# $OpenBSD$ + +daemon="${TRUEPREFIX}/bin/snort -D" +daemon_flags="-c ${SYSCONFDIR}/snort/snort.conf -u _snort -g _snort -t /var/snort -l /var/snort/log" + +. /etc/rc.d/rc.subr + +rc_cmd $1
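Review bot: the `V = ${VERSION:S/.//g}` added in the second Makefile hunk gives 2931 for 2.9.3.1, which is what the snortrules-snapshot-${V}.tar.gz names in pkg/README need, but a bare `V` says nothing about why it exists; a one-line comment above it (e.g. "# version without dots, for the rules snapshot URL in pkg/README") would save the next maintainer from having to grep for its use.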
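Review bot: the Emerging Threats comment in the snort.conf hunk points at http://rules.emergingthreats.net/open/snort-2.9.0/ while Markus's reply suggested the open-nogpl tarball from the same site, and pkg/README also uses the open tarball; if picking the open set is deliberate, a sentence in pkg/README saying that both an open and an open-nogpl set exist would let users choose knowingly, and the URL in the snort.conf comment and the one in pkg/README should be kept in step with each other.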
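Review bot: in the pkg/README hunk the oinkcode is placed in the path of a plain http:// URL (`http://www.snort.org/sub-rules/snortrules-snapshot-${V}.tar.gz/<oinkcode>`, repeated in the oinkmaster `url =` example) while the signup step uses https://www.snort.org/signup; the oinkcode acts as a credential, so both download examples should use https if snort.org serves the tarball that way, and the README could say plainly that the oinkcode is personal and should not be shared. While here, the `tar zxf` commands extract a freshly downloaded archive into ${SYSCONFDIR}/snort as root without looking at it first; suggesting a `tar tzf` listing of the archive before extracting would be a cheap sanity check.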
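Review bot: in the snort.rc hunk the privilege-drop and chroot options (`-u _snort -g _snort -t /var/snort -l /var/snort/log`) all live in daemon_flags, which a user replaces wholesale when setting snort_flags in rc.conf.local; someone adding an interface option there and forgetting to copy these will silently run Snort as root outside the chroot, which is exactly what the README's "start snort with the ${RCDIR}/snort script to take advantage of this" promises to avoid. Either add a sentence to pkg/README that a custom snort_flags must keep those options, or consider whether they belong next to -D in the daemon variable, leaving only -c and site-specific flags in daemon_flags.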