On 2012-10-03 at 22:08:10 -0400, Lawrence Teo wrote:
> Index: pkg/README
> ===================================================================
> RCS file: /home/lteo/cvsync/cvs/ports/net/snort/pkg/README,v
> retrieving revision 1.1
> diff -u -p -r1.1 README
> --- pkg/README        26 Sep 2012 02:11:05 -0000      1.1
> +++ pkg/README        4 Oct 2012 01:37:09 -0000
> @@ -5,12 +5,43 @@ $OpenBSD: README,v 1.1 2012/09/26 02:11:
>  +-----------------------------------------------------------------------
>  
>  An up-to-date set of rules is needed for Snort to be useful as an IDS.
> -These can be downloaded manually or net/oinkmaster can be used to
> -download the latest rules from several different sources.
> +By default, these rules are expected to be present in the
> +${SYSCONFDIR}/snort/rules directory as defined by RULE_PATH in
> +${SYSCONFDIR}/snort/snort.conf.
> +
> +To download the official Snort rules, you will first need to sign up
> +for an ``oinkcode'' at https://www.snort.org/signup since the rules are
> +distributed under the VRT Certified Rules License Agreement.  Once you
> +have an oinkcode, you can download the rules with this command (replace
> +<oinkcode> with yours):
> +
> +    ftp -o snortrules-snapshot-${V}.tar.gz \
> +        
> http://www.snort.org/sub-rules/snortrules-snapshot-${V}.tar.gz/<oinkcode>
> +
> +Then, extract the rules to ${SYSCONFDIR}/snort:
> +
> +    cd ${SYSCONFDIR}/snort
> +    tar zxf /path/to/snortrules-snapshot-${V}.tar.gz rules preproc_rules
> +
> +Alternatively, you can use free rules from Emerging Threats:
> +
> +    ftp 
> http://rules.emergingthreats.net/open/snort-2.9.0/emerging.rules.tar.gz
> +    cd ${SYSCONFDIR}/snort
> +    tar zxf /path/to/emerging.rules.tar.gz rules
> +
> +If you choose to use Emerging Threats rules, you will need to uncomment
> +their include lines in ${SYSCONFDIR}/snort/snort.conf.
> +
> +Apart from the manual download process, you can also use the oinkmaster
> +package to download the rules by specifying their URL(s) in
> +${SYSCONFDIR}/oinkmaster.conf, for example:
> +
> +    url = 
> http://www.snort.org/sub-rules/snortrules-snapshot-${V}.tar.gz/<oinkcode>
>  
>  It is recommended that snort be run as an unprivileged chrooted user.
>  A _snort user/group and a log directory have been created for this
> -purpose. You should start snort with the following options to take
> -advantage of this:
> +purpose. You should start snort with the ${RCDIR}/snort script to take
> +advantage of this.
>  
> -  -c /etc/snort/snort.conf -u _snort -g _snort -t /var/snort -l 
> /var/snort/log
> +You should also modify ${SYSCONFDIR}/snort/snort.conf to define the
> +relevant variables such as HOME_NET to suit your environment.
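Review bot: the two snort.org download URLs in this hunk (the `ftp -o snortrules-snapshot-${V}.tar.gz` command and the `url =` line for oinkmaster.conf) carry the oinkcode in the path over plain `http://`, even though the same text sends the reader to `https://www.snort.org/signup` to obtain it as an account credential; that exposes the oinkcode in transit and leaves the rules archive, which is then extracted straight into ${SYSCONFDIR}/snort, with no protection against modification on the way. Use `https://www.snort.org/...` for both the ftp(1) command and the oinkmaster `url =` example, and consider a sentence noting that the oinkcode also lands in the shell history and in oinkmaster.conf and should be treated like a password. Also, the `ftp -o ... \` continuation and the Emerging Threats `ftp` line appear split across two lines in the mailed copy; check that the committed README keeps each URL on one line (or uses the backslash continuation consistently) so the commands can be pasted as written.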

In the snort.org URLs above, I would recommend replacing 'sub-rules'
with 'reg-rules'. The 'sub-rules' URLs are for the paid subscription
rules and I believe will fail if your oink code is associated with a
non-paid account.

    --avj
