On Thu, Oct 04, 2012 at 08:52:36AM -0400, Adam Jeanguenat wrote: > On 2012-10-03 at 22:08:10 -0400, Lawrence Teo wrote: > > Index: pkg/README > > =================================================================== > > RCS file: /home/lteo/cvsync/cvs/ports/net/snort/pkg/README,v > > retrieving revision 1.1 > > diff -u -p -r1.1 README > > --- pkg/README 26 Sep 2012 02:11:05 -0000 1.1 > > +++ pkg/README 4 Oct 2012 01:37:09 -0000 
> > @@ -5,12 +5,43 @@ $OpenBSD: README,v 1.1 2012/09/26 02:11: > > +----------------------------------------------------------------------- > > > > An up-to-date set of rules is needed for Snort to be useful as an IDS. > > -These can be downloaded manually or net/oinkmaster can be used to > > -download the latest rules from several different sources. > > +By default, these rules are expected to be present in the > > +${SYSCONFDIR}/snort/rules directory as defined by RULE_PATH in > > +${SYSCONFDIR}/snort/snort.conf. > > + > > +To download the official Snort rules, you will first need to sign up > > +for an ``oinkcode'' at https://www.snort.org/signup since the rules are > > +distributed under the VRT Certified Rules License Agreement. Once you > > +have an oinkcode, you can download the rules with this command (replace > > +<oinkcode> with yours): > > + > > + ftp -o snortrules-snapshot-${V}.tar.gz \ > > + > > http://www.snort.org/sub-rules/snortrules-snapshot-${V}.tar.gz/<oinkcode> > > + > > +Then, extract the rules to ${SYSCONFDIR}/snort: > > + > > + cd ${SYSCONFDIR}/snort > > + tar zxf /path/to/snortrules-snapshot-${V}.tar.gz rules preproc_rules > > + > > +Alternatively, you can use free rules from Emerging Threats: > > + > > + ftp > > http://rules.emergingthreats.net/open/snort-2.9.0/emerging.rules.tar.gz > > + cd ${SYSCONFDIR}/snort > > + tar zxf /path/to/emerging.rules.tar.gz rules > > + > > +If you choose to use Emerging Threats rules, you will need to uncomment > > +their include lines in ${SYSCONFDIR}/snort/snort.conf. > > + > > +Apart from the manual download process, you can also use the oinkmaster > > +package to download the rules by specifying their URL(s) in > > +${SYSCONFDIR}/oinkmaster.conf, for example: > > + > > + url = > > http://www.snort.org/sub-rules/snortrules-snapshot-${V}.tar.gz/<oinkcode> > > > > It is recommended that snort be run as an unprivileged chrooted user. 
> > A _snort user/group and a log directory have been created for this > > -purpose. You should start snort with the following options to take > > -advantage of this: > > +purpose. You should start snort with the ${RCDIR}/snort script to take > > +advantage of this. > > > > - -c /etc/snort/snort.conf -u _snort -g _snort -t /var/snort -l > > /var/snort/log > > +You should also modify ${SYSCONFDIR}/snort/snort.conf to define the > > +relevant variables such as HOME_NET to suit your environment. > > In the snort.org URLs above, I would recommend replacing 'sub-rules' > with 'reg-rules'. The 'sub-rules' URLs are for the paid subscription > rules and I believe will fail if your oink code is associated with a > non-paid account.
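Review bot: in the added ftp download lines, the oinkcode is a credential but is passed as a path component of a plain http:// URL on the command line, so it travels in cleartext and is visible to other local users via ps and in the shell history; if snort.org serves the snapshot over https, use that scheme in the example, and for the same reason note that ${SYSCONFDIR}/oinkmaster.conf, which carries the same URL in its `url =` line, should not be world-readable. Two smaller points in the same hunk: the Emerging Threats URL hardcodes `snort-2.9.0` while the snort.org URL is derived from `${V}`, so the two will drift apart when the port is updated (if that is intentional because ET publishes per major branch, a short comment saying so would stop it being "fixed" later); and none of the steps check the downloaded tarballs before extracting them into ${SYSCONFDIR}/snort, so if upstream publishes checksums for the snapshots the README could tell the user to verify them first.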
Adam, thank you for the comment. 'sub-rules' will still work for a non-paid account; it will just fall back to giving you the non-paid rules tarball. For example, I don't have a paid subscription, but I can download the free 1-month-old rules tarball using the 'sub-rules' URL with my oinkcode.

But I think you raised a good point; in case that fallback ever stops working in the future, it's safer to use 'reg-rules', since that ensures that the steps in pkg/README will always work by default. I will revise the diff accordingly and resend.

Thanks,
Lawrence