On Wed, Oct 03, 2012 at 11:19:43PM +0200, Markus Lude wrote:
> On Tue, Oct 02, 2012 at 11:00:53AM +0100, Stuart Henderson wrote:
> > On 2012/10/01 22:56, Lawrence Teo wrote:
> > > This diff adds an rc.d script for Snort.
> > > 
> > > It also modifies the pkg/README file to mention the rc.d script, and
> > > adds a note that rules need to be present in /etc/snort/rules for Snort
> > > to work as an IDS (since `/etc/rc.d/snort start` will fail if rules
> > > don't exist in that directory).
> > 
> > >  An up-to-date set of rules is needed for Snort to be useful as an IDS.
> > >  These can be downloaded manually or net/oinkmaster can be used to
> > > -download the latest rules from several different sources.
> > > +download the latest rules from several different sources.  By default,
> > > +these rules are expected to be present in the ${SYSCONFDIR}/snort/rules
> > > +directory as defined by RULE_PATH in ${SYSCONFDIR}/snort/snort.conf.
> > 
> > It would be nice to give a specific example of commands that could be
> > run to download some rules to get started and see it working, preferably
> > without having to register - I found various talk about "community rules"
> > but didn't find anywhere they could actually be downloaded - do you know
> > of anything that might be suitable?
> 
> You may use the rules from the emerging threats project at
> http://rules.emergingthreats.net
> 
> With oinkmaster (which is in ports) you could use for example
> 
> url = http://rules.emergingthreats.net/open-nogpl/snort-2.9.0/emerging.rules.tar.gz
> 
> in oinkmaster.conf and then add the rules files to snort.conf.
> 
> Regards,
> Markus

Thank you Stuart and Markus for your feedback.

Coincidentally I was revising my diff to include Emerging Threats rules
after reading Stuart's question about community rules. :) Also, Markus,
thanks for bringing up oinkmaster; I have changed the diff to provide
more details on how to use oinkmaster in pkg/README.

The revised diff below does a few things:

* In snort.conf, mention the general URLs where Snort rules can be
  downloaded.

* In snort.conf, add commented include lines for Emerging Threats rules.

* In pkg/README, describe how to download both the official Snort rules
  as well as the Emerging Threats rules.  Also provide some guidance on
  how to use oinkmaster to download the rules.

* In pkg/README, recommend that the user change snort.conf to match
  their environment (since Snort cannot load at least one of the current
  Emerging Threats rules if HOME_NET is left as "any").

* Based on Stuart's feedback, I have changed the rc.d script to move -D
  to the "daemon" variable and removed pexp.

Thoughts/OK?

Thanks,
Lawrence
  

Index: Makefile
===================================================================
RCS file: /home/lteo/cvsync/cvs/ports/net/snort/Makefile,v
retrieving revision 1.69
diff -u -p -r1.69 Makefile
--- Makefile    28 Sep 2012 19:30:54 -0000      1.69
+++ Makefile    3 Oct 2012 03:34:49 -0000
@@ -4,7 +4,9 @@ SHARED_ONLY =           Yes
 
 COMMENT =              highly flexible sniffer/NIDS
 
-DISTNAME =             snort-2.9.3.1
+VERSION =              2.9.3.1
+DISTNAME =             snort-${VERSION}
+REVISION =             0
 
 CATEGORIES =           net security
 
@@ -43,6 +45,9 @@ PREPROC =             decoder.rules preprocessor.ru
 
 DOCS =                 AUTHORS CREDITS README README.* *.pdf TODO USAGE \
                        WISHLIST
+
+V =                    ${VERSION:S/.//g}
+SUBST_VARS +=          V
 
 pre-configure:
        @${SUBST_CMD} ${WRKSRC}/etc/snort.conf
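Review bot: `V = ${VERSION:S/.//g}` deserves a one-line comment saying what it is for: it strips the dots from VERSION (2.9.3.1 becomes 2931) to build the snortrules-snapshot-${V}.tar.gz name used in pkg/README, and that only tracks upstream for as long as snort.org keeps naming snapshots after the full version string, which the next person bumping VERSION cannot tell from the Makefile alone. SUBST_VARS += V is what carries the value into pkg/README; the pre-configure SUBST_CMD line below only rewrites snort.conf, which does not use V, so nothing else is needed in this hunk.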
Index: patches/patch-etc_snort_conf
===================================================================
RCS file: /home/lteo/cvsync/cvs/ports/net/snort/patches/patch-etc_snort_conf,v
retrieving revision 1.6
diff -u -p -r1.6 patch-etc_snort_conf
--- patches/patch-etc_snort_conf        26 Sep 2012 02:11:05 -0000      1.6
+++ patches/patch-etc_snort_conf        3 Oct 2012 01:44:45 -0000
@@ -2,8 +2,8 @@ $OpenBSD: patch-etc_snort_conf,v 1.6 201
 
 reputation preprocessor disabled, still experimental
 
---- etc/snort.conf.orig        Tue Jul 31 18:21:16 2012
-+++ etc/snort.conf     Tue Sep 11 23:02:31 2012
+--- etc/snort.conf.orig        Tue Jul 31 12:21:16 2012
++++ etc/snort.conf     Tue Oct  2 21:41:48 2012
 @@ -101,17 +101,17 @@ ipvar AIM_SERVERS [64.12.24.0/23,64.12.28.0/23,64.12.1
  # Path to your rules files (this can be a relative path)
  # Note for Windows users:  You are advised to make this an absolute path,
@@ -54,3 +54,66 @@ reputation preprocessor disabled, still 
  
  ###################################################
  # Step #6: Configure output plugins
+@@ -544,6 +545,7 @@ include reference.config
+ # site specific rules
+ include $RULE_PATH/local.rules
+ 
++# Official Sourcefire VRT rules from http://www.snort.org/snort-rules/
+ include $RULE_PATH/attack-responses.rules
+ include $RULE_PATH/backdoor.rules
+ include $RULE_PATH/bad-traffic.rules
+@@ -598,6 +600,54 @@ include $RULE_PATH/web-iis.rules
+ include $RULE_PATH/web-misc.rules
+ include $RULE_PATH/web-php.rules
+ include $RULE_PATH/x11.rules
++
++# Emerging Threats rules from 
http://rules.emergingthreats.net/open/snort-2.9.0/
++# include $RULE_PATH/emerging-activex.rules
++# include $RULE_PATH/emerging-attack_response.rules
++# include $RULE_PATH/emerging-botcc.rules
++# include $RULE_PATH/emerging-chat.rules
++# include $RULE_PATH/emerging-ciarmy.rules
++# include $RULE_PATH/emerging-compromised.rules
++# include $RULE_PATH/emerging-current_events.rules
++# include $RULE_PATH/emerging-deleted.rules
++# include $RULE_PATH/emerging-dns.rules
++# include $RULE_PATH/emerging-dos.rules
++# include $RULE_PATH/emerging-drop.rules
++# include $RULE_PATH/emerging-dshield.rules
++# include $RULE_PATH/emerging-exploit.rules
++# include $RULE_PATH/emerging-ftp.rules
++# include $RULE_PATH/emerging-games.rules
++# include $RULE_PATH/emerging-icmp.rules
++# include $RULE_PATH/emerging-icmp_info.rules
++# include $RULE_PATH/emerging-imap.rules
++# include $RULE_PATH/emerging-inappropriate.rules
++# include $RULE_PATH/emerging-info.rules
++# include $RULE_PATH/emerging-malware.rules
++# include $RULE_PATH/emerging-misc.rules
++# include $RULE_PATH/emerging-mobile_malware.rules
++# include $RULE_PATH/emerging-netbios.rules
++# include $RULE_PATH/emerging-p2p.rules
++# include $RULE_PATH/emerging-policy.rules
++# include $RULE_PATH/emerging-pop3.rules
++# include $RULE_PATH/emerging-rbn-malvertisers.rules
++# include $RULE_PATH/emerging-rbn.rules
++# include $RULE_PATH/emerging-rpc.rules
++# include $RULE_PATH/emerging-scada.rules
++# include $RULE_PATH/emerging-scan.rules
++# include $RULE_PATH/emerging-shellcode.rules
++# include $RULE_PATH/emerging-smtp.rules
++# include $RULE_PATH/emerging-snmp.rules
++# include $RULE_PATH/emerging-sql.rules
++# include $RULE_PATH/emerging-telnet.rules
++# include $RULE_PATH/emerging-tftp.rules
++# include $RULE_PATH/emerging-tor.rules
++# include $RULE_PATH/emerging-trojan.rules
++# include $RULE_PATH/emerging-user_agents.rules
++# include $RULE_PATH/emerging-voip.rules
++# include $RULE_PATH/emerging-web_client.rules
++# include $RULE_PATH/emerging-web_server.rules
++# include $RULE_PATH/emerging-web_specific_apps.rules
++# include $RULE_PATH/emerging-worm.rules
+ 
+ ###################################################
+ # Step #8: Customize your preprocessor and decoder alerts
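Review bot: the Emerging Threats block lists emerging-deleted.rules next to the live categories; by its name that file collects signatures removed from the active set, so a user who uncomments the whole block in one go loads rules upstream no longer maintains, and it is better left out of the suggested list (or marked as retired). Also, in the mail the comment line `# Emerging Threats rules from http://rules.emergingthreats.net/open/snort-2.9.0/` has wrapped onto two lines; confirm it is a single line in the patch file, since a bare `http://...` line is not valid snort.conf syntax and this patch is applied verbatim at build time.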
Index: pkg/PLIST
===================================================================
RCS file: /home/lteo/cvsync/cvs/ports/net/snort/pkg/PLIST,v
retrieving revision 1.21
diff -u -p -r1.21 PLIST
--- pkg/PLIST   26 Sep 2012 02:11:05 -0000      1.21
+++ pkg/PLIST   3 Oct 2012 01:30:59 -0000
@@ -143,3 +143,4 @@ share/examples/snort/unicode.map
 @group _snort
 @sample /var/snort/
 @sample /var/snort/log/
+@rcscript ${RCDIR}/snort
Index: pkg/README
===================================================================
RCS file: /home/lteo/cvsync/cvs/ports/net/snort/pkg/README,v
retrieving revision 1.1
diff -u -p -r1.1 README
--- pkg/README  26 Sep 2012 02:11:05 -0000      1.1
+++ pkg/README  4 Oct 2012 01:37:09 -0000
@@ -5,12 +5,43 @@ $OpenBSD: README,v 1.1 2012/09/26 02:11:
 +-----------------------------------------------------------------------
 
 An up-to-date set of rules is needed for Snort to be useful as an IDS.
-These can be downloaded manually or net/oinkmaster can be used to
-download the latest rules from several different sources.
+By default, these rules are expected to be present in the
+${SYSCONFDIR}/snort/rules directory as defined by RULE_PATH in
+${SYSCONFDIR}/snort/snort.conf.
+
+To download the official Snort rules, you will first need to sign up
+for an ``oinkcode'' at https://www.snort.org/signup since the rules are
+distributed under the VRT Certified Rules License Agreement.  Once you
+have an oinkcode, you can download the rules with this command (replace
+<oinkcode> with yours):
+
+    ftp -o snortrules-snapshot-${V}.tar.gz \
+        
http://www.snort.org/sub-rules/snortrules-snapshot-${V}.tar.gz/<oinkcode>
+
+Then, extract the rules to ${SYSCONFDIR}/snort:
+
+    cd ${SYSCONFDIR}/snort
+    tar zxf /path/to/snortrules-snapshot-${V}.tar.gz rules preproc_rules
+
+Alternatively, you can use free rules from Emerging Threats:
+
+    ftp http://rules.emergingthreats.net/open/snort-2.9.0/emerging.rules.tar.gz
+    cd ${SYSCONFDIR}/snort
+    tar zxf /path/to/emerging.rules.tar.gz rules
+
+If you choose to use Emerging Threats rules, you will need to uncomment
+their include lines in ${SYSCONFDIR}/snort/snort.conf.
+
+Apart from the manual download process, you can also use the oinkmaster
+package to download the rules by specifying their URL(s) in
+${SYSCONFDIR}/oinkmaster.conf, for example:
+
+    url = 
http://www.snort.org/sub-rules/snortrules-snapshot-${V}.tar.gz/<oinkcode>
 
 It is recommended that snort be run as an unprivileged chrooted user.
 A _snort user/group and a log directory have been created for this
-purpose. You should start snort with the following options to take
-advantage of this:
+purpose. You should start snort with the ${RCDIR}/snort script to take
+advantage of this.
 
-  -c /etc/snort/snort.conf -u _snort -g _snort -t /var/snort -l /var/snort/log
+You should also modify ${SYSCONFDIR}/snort/snort.conf to define the
+relevant variables such as HOME_NET to suit your environment.
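Review bot: the Emerging Threats-only path leaves snort unable to start: a user who follows the "Alternatively" section installs only the emerging-*.rules files, but the VRT `include $RULE_PATH/...` lines in snort.conf stay active, and as the cover letter says the rc script fails when an included rule file is missing; add a sentence telling ET-only users to comment out the VRT includes (local.rules excepted), or state plainly that the snort.conf as shipped expects the VRT set. Two smaller points: the oinkcode in `http://www.snort.org/sub-rules/snortrules-snapshot-${V}.tar.gz/<oinkcode>` is a per-user credential, and the README hands it to ftp(1) on the command line over plain http, so it lands in the shell history and in ps output and crosses the wire in the clear; a line saying to treat it like a password (and to use https if snort.org serves the same path over it) is cheap. Lastly, the oinkmaster paragraph shows only `url =`; oinkmaster also needs an output directory, so `oinkmaster -o ${SYSCONFDIR}/snort/rules` is the command worth showing, and neither download is integrity-checked beyond what the transport gives, which for both of these http URLs is nothing.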
Index: pkg/snort.rc
===================================================================
RCS file: pkg/snort.rc
diff -N pkg/snort.rc
--- /dev/null   1 Jan 1970 00:00:00 -0000
+++ pkg/snort.rc        3 Oct 2012 01:45:29 -0000
@@ -0,0 +1,10 @@
+#!/bin/sh
+#
+# $OpenBSD$
+
+daemon="${TRUEPREFIX}/bin/snort -D"
+daemon_flags="-c ${SYSCONFDIR}/snort/snort.conf -u _snort -g _snort -t 
/var/snort -l /var/snort/log"
+
+. /etc/rc.d/rc.subr
+
+rc_cmd $1
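Review bot: the privilege-dropping options can be lost by accident: `snort_flags` in rc.conf.local replaces daemon_flags wholesale, so a user who adds `-i <interface>` (the script names none, so snort picks the first interface libpcap finds) without repeating the whole string ends up running snort as root and unchrooted; either warn about this in pkg/README or move `-u _snort -g _snort -t /var/snort -l /var/snort/log` next to `-D` in daemon, leaving only `-c ${SYSCONFDIR}/snort/snort.conf` for the user to extend. Also check what `rc.d/snort reload` does: rc.subr's default reload sends SIGHUP, and whether this snort build treats SIGHUP as a configuration reload or as a re-exec (which cannot find ${TRUEPREFIX}/bin/snort inside the /var/snort chroot) decides between keeping the default and setting `rc_reload=NO`. Minor: the daemon_flags line is wrapped in the mail; confirm it is one line in the file.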

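The README hunk above lays out a procedure (put rule files under RULE_PATH, uncomment the include lines for the set you installed, set HOME_NET) whose two failure modes the cover letter names: `/etc/rc.d/snort start` fails when an included rule file is missing, and at least one Emerging Threats rule will not load while HOME_NET is still "any". The preflight script below is an added example, not code from the net/snort port or from anyone in this thread. It assumes a Snort 2.9-style snort.conf with `var RULE_PATH`, `ipvar HOME_NET` and `include $RULE_PATH/<file>` lines, resolves a relative RULE_PATH against the config directory as the README does, and builds a small constructed config under mktemp purely to demonstrate the checks.

```shell
#!/bin/sh
# snort_preflight.sh: check a snort.conf before "rc.d/snort start".
# Added example (not part of the net/snort port or this thread).
# Assumes a Snort 2.9-style config: "var RULE_PATH <dir>",
# "ipvar HOME_NET <net>" and "include $RULE_PATH/<file>" lines; a
# relative RULE_PATH is resolved against the config directory, which is
# how the port's README lays things out (${SYSCONFDIR}/snort/rules).

# Print, one per line, every active "include $RULE_PATH/<file>" whose
# file does not exist.  Commented-out includes (such as the "# include"
# Emerging Threats block the port ships) are ignored.  Output is empty
# when every referenced file is present.
snort_missing_rules() {
    conf=$1
    confdir=$2
    rule_path=$(sed -n 's|^[[:space:]]*var[[:space:]][[:space:]]*RULE_PATH[[:space:]][[:space:]]*||p' "$conf" | tail -n 1)
    case $rule_path in
        /*) ;;                                  # absolute: use as is
        *)  rule_path="$confdir/$rule_path" ;;  # relative: under confdir
    esac
    sed -n 's|^[[:space:]]*include[[:space:]][[:space:]]*[$]RULE_PATH/\([^[:space:]]*\).*|\1|p' "$conf" |
    while read -r f; do
        [ -f "$rule_path/$f" ] || echo "$f"
    done
}

# True (exit 0) when HOME_NET is still the upstream default "any".
snort_home_net_is_any() {
    grep -Eq '^[[:space:]]*ipvar[[:space:]]+HOME_NET[[:space:]]+any[[:space:]]*$' "$1"
}

# Run both checks; returns 0 when the config is ready, 1 otherwise,
# with the problems reported on stderr.
snort_preflight() {
    conf=$1
    confdir=$2
    rc=0
    missing=$(snort_missing_rules "$conf" "$confdir")
    if [ -n "$missing" ]; then
        echo "rule files included by $conf but missing under RULE_PATH:" >&2
        echo "$missing" | sed 's|^|  |' >&2
        rc=1
    fi
    if snort_home_net_is_any "$conf"; then
        echo "HOME_NET is still 'any'; set it to your network before enabling Emerging Threats rules" >&2
        rc=1
    fi
    return $rc
}

# Constructed demonstration: a throw-away config directory where only two
# of the three included rule files exist and HOME_NET was left at "any".
demo_dir=$(mktemp -d)
mkdir -p "$demo_dir/rules"
: > "$demo_dir/rules/local.rules"
: > "$demo_dir/rules/backdoor.rules"
cat > "$demo_dir/snort.conf" <<'EOF'
ipvar HOME_NET any
var RULE_PATH rules
include $RULE_PATH/local.rules
include $RULE_PATH/attack-responses.rules
include $RULE_PATH/backdoor.rules
# include $RULE_PATH/emerging-botcc.rules
EOF

if snort_preflight "$demo_dir/snort.conf" "$demo_dir"; then
    echo "$demo_dir/snort.conf: ready to start"
else
    echo "$demo_dir/snort.conf: fix the above before rc.d/snort start"
fi
```

Run it against the real files as `snort_preflight /etc/snort/snort.conf /etc/snort` before the first `rc.d/snort start`; snort reads the config before it chroots, so RULE_PATH is checked the same way here as at startup. The demo reports attack-responses.rules as missing and HOME_NET as unset; creating the file (or commenting out that include) and giving HOME_NET a real network makes it pass.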