On 2012-10-03 at 22:08:10 -0400, Lawrence Teo wrote: > Index: pkg/README > =================================================================== > RCS file: /home/lteo/cvsync/cvs/ports/net/snort/pkg/README,v > retrieving revision 1.1 > diff -u -p -r1.1 README > --- pkg/README 26 Sep 2012 02:11:05 -0000 1.1 > +++ pkg/README 4 Oct 2012 01:37:09 -0000 
> @@ -5,12 +5,43 @@ $OpenBSD: README,v 1.1 2012/09/26 02:11: > +----------------------------------------------------------------------- > > An up-to-date set of rules is needed for Snort to be useful as an IDS. > -These can be downloaded manually or net/oinkmaster can be used to > -download the latest rules from several different sources. > +By default, these rules are expected to be present in the > +${SYSCONFDIR}/snort/rules directory as defined by RULE_PATH in > +${SYSCONFDIR}/snort/snort.conf. > + > +To download the official Snort rules, you will first need to sign up > +for an ``oinkcode'' at https://www.snort.org/signup since the rules are > +distributed under the VRT Certified Rules License Agreement. Once you > +have an oinkcode, you can download the rules with this command (replace > +<oinkcode> with yours): > + > + ftp -o snortrules-snapshot-${V}.tar.gz \ > + > http://www.snort.org/sub-rules/snortrules-snapshot-${V}.tar.gz/<oinkcode> > + > +Then, extract the rules to ${SYSCONFDIR}/snort: > + > + cd ${SYSCONFDIR}/snort > + tar zxf /path/to/snortrules-snapshot-${V}.tar.gz rules preproc_rules > + > +Alternatively, you can use free rules from Emerging Threats: > + > + ftp > http://rules.emergingthreats.net/open/snort-2.9.0/emerging.rules.tar.gz > + cd ${SYSCONFDIR}/snort > + tar zxf /path/to/emerging.rules.tar.gz rules > + > +If you choose to use Emerging Threats rules, you will need to uncomment > +their include lines in ${SYSCONFDIR}/snort/snort.conf. > + > +Apart from the manual download process, you can also use the oinkmaster > +package to download the rules by specifying their URL(s) in > +${SYSCONFDIR}/oinkmaster.conf, for example: > + > + url = > http://www.snort.org/sub-rules/snortrules-snapshot-${V}.tar.gz/<oinkcode> > > It is recommended that snort be run as an unprivileged chrooted user. > A _snort user/group and a log directory have been created for this > -purpose. 
You should start snort with the following options to take > -advantage of this: > +purpose. You should start snort with the ${RCDIR}/snort script to take > +advantage of this. > > - -c /etc/snort/snort.conf -u _snort -g _snort -t /var/snort -l > /var/snort/log > +You should also modify ${SYSCONFDIR}/snort/snort.conf to define the > +relevant variables such as HOME_NET to suit your environment.
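Review bot: the rule-download command in this hunk embeds the oinkcode in a plain http:// URL (`http://www.snort.org/sub-rules/snortrules-snapshot-${V}.tar.gz/<oinkcode>`), so the credential travels in the clear and the fetched tarball has no transport integrity protection, even though the signup link a few lines earlier already uses https://www.snort.org/signup; the same applies to the `url =` example given for oinkmaster.conf. Suggest using https:// in both places and adding one sentence noting that the oinkcode is a credential, so the command line (and ${SYSCONFDIR}/oinkmaster.conf, which now carries it) should not be world-readable. Separately, replacing the explicit `-c /etc/snort/snort.conf -u _snort -g _snort -t /var/snort -l /var/snort/log` line with "start snort with the ${RCDIR}/snort script" drops the only statement of how the privilege drop and chroot are actually achieved; keep one sentence saying which user, group and chroot directory the rc script applies, so an administrator who runs snort by hand still knows which options preserve the unprivileged chrooted setup the paragraph recommends.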
In the snort.org URLs above, I would recommend replacing 'sub-rules' with 'reg-rules'. The 'sub-rules' URLs are for the paid subscription rules and I believe will fail if your oinkcode is associated with a non-paid account. --avj