On Thu, Oct 04, 2012 at 08:52:36AM -0400, Adam Jeanguenat wrote:
> On 2012-10-03 at 22:08:10 -0400, Lawrence Teo wrote:
> > Index: pkg/README
> > ===================================================================
> > RCS file: /home/lteo/cvsync/cvs/ports/net/snort/pkg/README,v
> > retrieving revision 1.1
> > diff -u -p -r1.1 README
> > --- pkg/README      26 Sep 2012 02:11:05 -0000      1.1
> > +++ pkg/README      4 Oct 2012 01:37:09 -0000
> > @@ -5,12 +5,43 @@ $OpenBSD: README,v 1.1 2012/09/26 02:11:
> >  +-----------------------------------------------------------------------
> >  
> >  An up-to-date set of rules is needed for Snort to be useful as an IDS.
> > -These can be downloaded manually or net/oinkmaster can be used to
> > -download the latest rules from several different sources.
> > +By default, these rules are expected to be present in the
> > +${SYSCONFDIR}/snort/rules directory as defined by RULE_PATH in
> > +${SYSCONFDIR}/snort/snort.conf.
> > +
> > +To download the official Snort rules, you will first need to sign up
> > +for an ``oinkcode'' at https://www.snort.org/signup since the rules are
> > +distributed under the VRT Certified Rules License Agreement.  Once you
> > +have an oinkcode, you can download the rules with this command (replace
> > +<oinkcode> with yours):
> > +
> > +    ftp -o snortrules-snapshot-${V}.tar.gz \
> > +        
> > http://www.snort.org/sub-rules/snortrules-snapshot-${V}.tar.gz/<oinkcode>
> > +
> > +Then, extract the rules to ${SYSCONFDIR}/snort:
> > +
> > +    cd ${SYSCONFDIR}/snort
> > +    tar zxf /path/to/snortrules-snapshot-${V}.tar.gz rules preproc_rules
> > +
> > +Alternatively, you can use free rules from Emerging Threats:
> > +
> > +    ftp 
> > http://rules.emergingthreats.net/open/snort-2.9.0/emerging.rules.tar.gz
> > +    cd ${SYSCONFDIR}/snort
> > +    tar zxf /path/to/emerging.rules.tar.gz rules
> > +
> > +If you choose to use Emerging Threats rules, you will need to uncomment
> > +their include lines in ${SYSCONFDIR}/snort/snort.conf.
> > +
> > +Apart from the manual download process, you can also use the oinkmaster
> > +package to download the rules by specifying their URL(s) in
> > +${SYSCONFDIR}/oinkmaster.conf, for example:
> > +
> > +    url = 
> > http://www.snort.org/sub-rules/snortrules-snapshot-${V}.tar.gz/<oinkcode>
> >  
> >  It is recommended that snort be run as an unprivileged chrooted user.
> >  A _snort user/group and a log directory have been created for this
> > -purpose. You should start snort with the following options to take
> > -advantage of this:
> > +purpose. You should start snort with the ${RCDIR}/snort script to take
> > +advantage of this.
> >  
> > -  -c /etc/snort/snort.conf -u _snort -g _snort -t /var/snort -l 
> > /var/snort/log
> > +You should also modify ${SYSCONFDIR}/snort/snort.conf to define the
> > +relevant variables such as HOME_NET to suit your environment.
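Review bot: the rule download in this hunk (`ftp -o snortrules-snapshot-${V}.tar.gz http://www.snort.org/sub-rules/...`, and the matching `url =` line for oinkmaster) fetches the tarball over plain http and passes the oinkcode in the URL path, while the signup step two paragraphs earlier is an https link; the oinkcode is therefore exposed on the wire and in shell history, and the tarball is then unpacked into ${SYSCONFDIR}/snort with no integrity check. Suggest using https:// in both download URLs if snort.org serves them and saying so in the README, and noting that the archive should be inspected (at least `tar tzf`) before extracting as root. Two smaller doc points: the Emerging Threats URL hard-codes `snort-2.9.0` while the snort.org URLs use ${V}, so it will silently go stale when the port is updated; and, as raised downthread, `reg-rules` rather than `sub-rules` is the path that is guaranteed to work for a non-paid oinkcode.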
> 
> In the snort.org URLs above, I would recommend replacing 'sub-rules'
> with 'reg-rules'. The 'sub-rules' URLs are for the paid subscription
> rules and I believe will fail if your oink code is associated with a
> non-paid account.

Adam, thank you for the comment.  'sub-rules' will still work for a
non-paid account; it will just fall back to giving you the non-paid rules
tarball.  For example, I don't have a paid subscription but I can
download the free 1-month-old rules tarball using the 'sub-rules' URL
with my oinkcode.

But I think you raised a good point; in case that fallback ever stops
working in the future, it's safer to use 'reg-rules' since that ensures
that the steps in pkg/README will always work by default.

I will revise the diff accordingly and resend.

Thanks,
Lawrence
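The download-and-extract steps discussed in this thread, as an added example that is not part of the pkg/README diff or of the snort port itself. It builds the 'reg-rules' URL that Adam suggested and Lawrence agreed to use, and installs only the rules/ and preproc_rules/ trees from a snapshot tarball, refusing archives whose member names are absolute or contain '..' so that an unexpected tarball cannot write outside the config directory. The tarball is constructed locally so the script runs offline; the version string, the oinkcode and the target directory (standing in for ${SYSCONFDIR}/snort) are assumed placeholders.

```shell
#!/bin/sh
# Added example, not code from the snort port or its README.
set -eu

# Build the registered-user download URL for a given snort version and oinkcode.
# 'reg-rules' is the path suggested in the thread for non-subscription oinkcodes.
snort_rules_url() {
    # $1 = snort version string (assumed placeholder, e.g. 2923), $2 = oinkcode
    echo "http://www.snort.org/reg-rules/snortrules-snapshot-$1.tar.gz/$2"
}

# Inspect the archive before extracting: reject absolute member names and any
# '..' path component.  Returns 0 if every member is safe, 1 otherwise.
check_tarball_paths() {
    # $1 = tarball path
    tar tzf "$1" | awk '/^\// || /(^|\/)\.\.(\/|$)/ { bad = 1 } END { exit bad ? 1 : 0 }'
}

# Install only rules/ and preproc_rules/ from the snapshot into the config dir,
# mirroring "tar zxf ... rules preproc_rules" from the README.
install_rules() {
    # $1 = tarball path (absolute), $2 = target directory standing in for ${SYSCONFDIR}/snort
    check_tarball_paths "$1" || { echo "refusing $1: unsafe member paths" >&2; return 1; }
    mkdir -p "$2"
    (cd "$2" && tar zxf "$1" rules preproc_rules)
}

# Constructed sample snapshot (not a real snort.org tarball) for offline use:
# rules/ and preproc_rules/ should be installed, so_rules/ should be ignored.
make_sample_snapshot() {
    # $1 = output tarball path (absolute)
    d=$(mktemp -d)
    mkdir -p "$d/rules" "$d/preproc_rules" "$d/so_rules"
    echo 'alert tcp any any -> $HOME_NET 22 (msg:"constructed sample rule"; sid:1000001; rev:1;)' \
        > "$d/rules/local.rules"
    echo '# constructed preprocessor rule file' > "$d/preproc_rules/preprocessor.rules"
    echo '# constructed file that must not be installed' > "$d/so_rules/ignored.txt"
    (cd "$d" && tar czf "$1" rules preproc_rules so_rules)
    rm -rf "$d"
}

# Constructed hostile archive: one member stored with an absolute name (-P keeps it),
# which check_tarball_paths must reject.
make_unsafe_snapshot() {
    # $1 = output tarball path (absolute)
    d=$(mktemp -d)
    echo 'would land outside the config directory' > "$d/absolute.rules"
    tar cPzf "$1" "$d/absolute.rules"
    rm -rf "$d"
}
```

Usage: `make_sample_snapshot /tmp/snap.tar.gz && install_rules /tmp/snap.tar.gz /tmp/snort` installs the two directories into /tmp/snort; in real use the first argument would be the file fetched from `snort_rules_url "${V}" "<oinkcode>"` and the second would be ${SYSCONFDIR}/snort.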
