Here's the revised diff, where the only change is to replace 'sub-rules' with 'reg-rules' in the download URLs, which was done based on Adam's feedback. This helps ensure that users without a paid subscription to the official Snort rules can still download the rules using the steps in pkg/README.
Everything else remains the same. What this diff does was described in my earlier post at: http://marc.info/?l=openbsd-ports&m=134931664628104&w=2 As always, comments and feedback would be appreciated. Thank you, Lawrence Index: Makefile =================================================================== RCS file: /cvs/ports/net/snort/Makefile,v retrieving revision 1.69 diff -u -p -r1.69 Makefile --- Makefile 28 Sep 2012 19:30:54 -0000 1.69 +++ Makefile 4 Oct 2012 01:44:02 -0000 @@ -4,7 +4,9 @@ SHARED_ONLY = Yes COMMENT = highly flexible sniffer/NIDS -DISTNAME = snort-2.9.3.1 +VERSION = 2.9.3.1 +DISTNAME = snort-${VERSION} +REVISION = 0 CATEGORIES = net security @@ -43,6 +45,9 @@ PREPROC = decoder.rules preprocessor.ru DOCS = AUTHORS CREDITS README README.* *.pdf TODO USAGE \ WISHLIST + +V = ${VERSION:S/.//g} +SUBST_VARS += V pre-configure: @${SUBST_CMD} ${WRKSRC}/etc/snort.conf Index: patches/patch-etc_snort_conf =================================================================== RCS file: /cvs/ports/net/snort/patches/patch-etc_snort_conf,v retrieving revision 1.6 diff -u -p -r1.6 patch-etc_snort_conf --- patches/patch-etc_snort_conf 26 Sep 2012 02:11:05 -0000 1.6 +++ patches/patch-etc_snort_conf 4 Oct 2012 01:44:02 -0000 @@ -2,8 +2,8 @@ $OpenBSD: patch-etc_snort_conf,v 1.6 201 reputation preprocessor disabled, still experimental ---- etc/snort.conf.orig Tue Jul 31 18:21:16 2012 -+++ etc/snort.conf Tue Sep 11 23:02:31 2012 +--- etc/snort.conf.orig Tue Jul 31 12:21:16 2012 ++++ etc/snort.conf Tue Oct 2 21:41:48 2012 @@ -101,17 +101,17 @@ ipvar AIM_SERVERS [64.12.24.0/23,64.12.28.0/23,64.12.1 # Path to your rules files (this can be a relative path) # Note for Windows users: You are advised to make this an absolute path, 
@@ -54,3 +54,66 @@ reputation preprocessor disabled, still ################################################### # Step #6: Configure output plugins +@@ -544,6 +545,7 @@ include reference.config + # site specific rules + include $RULE_PATH/local.rules + ++# Official Sourcefire VRT rules from http://www.snort.org/snort-rules/ + include $RULE_PATH/attack-responses.rules + include $RULE_PATH/backdoor.rules + include $RULE_PATH/bad-traffic.rules +@@ -598,6 +600,54 @@ include $RULE_PATH/web-iis.rules + include $RULE_PATH/web-misc.rules + include $RULE_PATH/web-php.rules + include $RULE_PATH/x11.rules ++ ++# Emerging Threats rules from http://rules.emergingthreats.net/open/snort-2.9.0/ ++# include $RULE_PATH/emerging-activex.rules ++# include $RULE_PATH/emerging-attack_response.rules ++# include $RULE_PATH/emerging-botcc.rules ++# include $RULE_PATH/emerging-chat.rules ++# include $RULE_PATH/emerging-ciarmy.rules ++# include $RULE_PATH/emerging-compromised.rules ++# include $RULE_PATH/emerging-current_events.rules ++# include $RULE_PATH/emerging-deleted.rules ++# include $RULE_PATH/emerging-dns.rules ++# include $RULE_PATH/emerging-dos.rules ++# include $RULE_PATH/emerging-drop.rules ++# include $RULE_PATH/emerging-dshield.rules ++# include $RULE_PATH/emerging-exploit.rules ++# include $RULE_PATH/emerging-ftp.rules ++# include $RULE_PATH/emerging-games.rules ++# include $RULE_PATH/emerging-icmp.rules ++# include $RULE_PATH/emerging-icmp_info.rules ++# include $RULE_PATH/emerging-imap.rules ++# include $RULE_PATH/emerging-inappropriate.rules ++# include $RULE_PATH/emerging-info.rules ++# include $RULE_PATH/emerging-malware.rules ++# include $RULE_PATH/emerging-misc.rules ++# include $RULE_PATH/emerging-mobile_malware.rules ++# include $RULE_PATH/emerging-netbios.rules ++# include $RULE_PATH/emerging-p2p.rules ++# include $RULE_PATH/emerging-policy.rules ++# include $RULE_PATH/emerging-pop3.rules ++# include $RULE_PATH/emerging-rbn-malvertisers.rules ++# include 
$RULE_PATH/emerging-rbn.rules ++# include $RULE_PATH/emerging-rpc.rules ++# include $RULE_PATH/emerging-scada.rules ++# include $RULE_PATH/emerging-scan.rules ++# include $RULE_PATH/emerging-shellcode.rules ++# include $RULE_PATH/emerging-smtp.rules ++# include $RULE_PATH/emerging-snmp.rules ++# include $RULE_PATH/emerging-sql.rules ++# include $RULE_PATH/emerging-telnet.rules ++# include $RULE_PATH/emerging-tftp.rules ++# include $RULE_PATH/emerging-tor.rules ++# include $RULE_PATH/emerging-trojan.rules ++# include $RULE_PATH/emerging-user_agents.rules ++# include $RULE_PATH/emerging-voip.rules ++# include $RULE_PATH/emerging-web_client.rules ++# include $RULE_PATH/emerging-web_server.rules ++# include $RULE_PATH/emerging-web_specific_apps.rules ++# include $RULE_PATH/emerging-worm.rules + + ################################################### + # Step #8: Customize your preprocessor and decoder alerts Index: pkg/PLIST =================================================================== RCS file: /cvs/ports/net/snort/pkg/PLIST,v retrieving revision 1.21 diff -u -p -r1.21 PLIST --- pkg/PLIST 26 Sep 2012 02:11:05 -0000 1.21 +++ pkg/PLIST 4 Oct 2012 01:44:02 -0000 @@ -143,3 +143,4 @@ share/examples/snort/unicode.map @group _snort @sample /var/snort/ @sample /var/snort/log/ +@rcscript ${RCDIR}/snort Index: pkg/README =================================================================== RCS file: /cvs/ports/net/snort/pkg/README,v retrieving revision 1.1 diff -u -p -r1.1 README --- pkg/README 26 Sep 2012 02:11:05 -0000 1.1 +++ pkg/README 5 Oct 2012 01:54:11 -0000 
@@ -5,12 +5,43 @@ $OpenBSD: README,v 1.1 2012/09/26 02:11: +----------------------------------------------------------------------- An up-to-date set of rules is needed for Snort to be useful as an IDS. -These can be downloaded manually or net/oinkmaster can be used to -download the latest rules from several different sources. +By default, these rules are expected to be present in the +${SYSCONFDIR}/snort/rules directory as defined by RULE_PATH in +${SYSCONFDIR}/snort/snort.conf. + +To download the official Snort rules, you will first need to sign up +for an ``oinkcode'' at https://www.snort.org/signup since the rules are +distributed under the VRT Certified Rules License Agreement. Once you +have an oinkcode, you can download the rules with this command (replace +<oinkcode> with yours): + + ftp -o snortrules-snapshot-${V}.tar.gz \ + http://www.snort.org/reg-rules/snortrules-snapshot-${V}.tar.gz/<oinkcode> + +Then, extract the rules to ${SYSCONFDIR}/snort: + + cd ${SYSCONFDIR}/snort + tar zxf /path/to/snortrules-snapshot-${V}.tar.gz rules preproc_rules + +Alternatively, you can use free rules from Emerging Threats: + + ftp http://rules.emergingthreats.net/open/snort-2.9.0/emerging.rules.tar.gz + cd ${SYSCONFDIR}/snort + tar zxf /path/to/emerging.rules.tar.gz rules + +If you choose to use Emerging Threats rules, you will need to uncomment +their include lines in ${SYSCONFDIR}/snort/snort.conf. + +Apart from the manual download process, you can also use the oinkmaster +package to download the rules by specifying their URL(s) in +${SYSCONFDIR}/oinkmaster.conf, for example: + + url = http://www.snort.org/reg-rules/snortrules-snapshot-${V}.tar.gz/<oinkcode> It is recommended that snort be run as an unprivileged chrooted user. A _snort user/group and a log directory have been created for this -purpose. You should start snort with the following options to take -advantage of this: +purpose. You should start snort with the ${RCDIR}/snort script to take +advantage of this. 
- -c /etc/snort/snort.conf -u _snort -g _snort -t /var/snort -l /var/snort/log +You should also modify ${SYSCONFDIR}/snort/snort.conf to define the +relevant variables such as HOME_NET to suit your environment. Index: pkg/snort.rc =================================================================== RCS file: pkg/snort.rc diff -N pkg/snort.rc --- /dev/null 1 Jan 1970 00:00:00 -0000 +++ pkg/snort.rc 4 Oct 2012 01:44:02 -0000 @@ -0,0 +1,10 @@ +#!/bin/sh +# +# $OpenBSD$ + +daemon="${TRUEPREFIX}/bin/snort -D" +daemon_flags="-c ${SYSCONFDIR}/snort/snort.conf -u _snort -g _snort -t /var/snort -l /var/snort/log" + +. /etc/rc.d/rc.subr + +rc_cmd $1
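Review bot: In the pkg/README hunk, the oinkcode is a credential, yet the download example sends it in a plain http:// URL (`http://www.snort.org/reg-rules/snortrules-snapshot-${V}.tar.gz/<oinkcode>`) while the signup step uses https://. If snort.org serves the reg-rules path over https, the ftp example and the oinkmaster `url =` line should use it so the oinkcode is not sent in cleartext. The README could also point out that the oinkcode on the ftp command line is visible to other local users in `ps` and ends up in shell history, and that ${SYSCONFDIR}/oinkmaster.conf should not be world-readable once it contains that URL. Since the archive is extracted straight into ${SYSCONFDIR}/snort, a sentence suggesting the user verify the download against whatever checksum or signature the rule provider publishes, where one exists, would fit here too.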
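Review bot: The pkg/README hunk replaces the explicit command line with "start snort with the ${RCDIR}/snort script", but no longer tells the user how to pass site-specific options such as the listening interface. Since daemon_flags in the new rc script carries only -c/-u/-g/-t/-l, the README should say that extra options go in snort_flags in /etc/rc.conf.local and that such an override replaces the whole flag string, so `-u _snort -g _snort -t /var/snort -l /var/snort/log` must be repeated there or the unprivileged chrooted setup the same paragraph recommends is silently lost.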
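Review bot: In the pkg/snort.rc hunk, every security-relevant option (`-u _snort -g _snort -t /var/snort`) sits in daemon_flags, which rc.subr lets /etc/rc.conf.local replace wholesale via snort_flags; a user who sets snort_flags to just an interface option ends up running snort as root and unchrooted. Consider keeping the privilege-drop and chroot options next to -D in the daemon string, e.g. `daemon="${TRUEPREFIX}/bin/snort -D -u _snort -g _snort -t /var/snort"`, so that only the config, log and interface choices are overridable. Also worth checking before commit: rc.subr's default rc_reload sends SIGHUP, and snort is chrooted by -t, so verify that a reload actually works from inside /var/snort and set `rc_reload=NO` if it does not.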