On Sun, Oct 07, 2012 at 10:40:35PM -0400, Lawrence Teo wrote:
> On Fri, Oct 05, 2012 at 08:52:10PM +0200, Markus Lude wrote:
> > On Wed, Oct 03, 2012 at 10:08:10PM -0400, Lawrence Teo wrote:
> > > * In snort.conf, add commented include lines for Emerging Threats rules.
> >
> > IMO this is not needed. Users may add this themselves.
> >
> > include $RULE_PATH/emerging.conf
> >
> > may be enough then.
>
> Thanks, I have updated snort.conf accordingly.
>
> > > * In pkg/README, describe how to download both the official Snort rules
> > > as well as the Emerging Threats rules. Also provide some guidance on
> > > how to use oinkmaster to download the rules.
> >
> > I think guidance on how to use oinkmaster should better be placed in the
> > oinkmaster port.
> >
> > Should we add URLs for both registered and subscribed users of the VRT
> > rules there?
>
> Sure, I'll send a separate oinkmaster diff shortly to add these URLs
> and also fix a few other things to make it work better with recent
> Snort versions.
>
> > > * In pkg/README, recommend that the user change snort.conf to match
> > > their environment (since Snort cannot load at least one of the current
> > > Emerging Threats rules if HOME_NET is left as "any").
> >
> > It is always recommended to not blindly run all the rules. Choose which
> > ones apply to your environment.
>
> I agree; I have revised pkg/README to provide as much guidance as
> possible, especially to new Snort users.
>
> The revised diff is below. Please let me know what you think! :)
pkg/README reads fine, for the rc.d script I can't comment as I'm not that familiar with it. Thanks for pushing this forward! Regards, Markus > Index: Makefile > =================================================================== > RCS file: /cvs/ports/net/snort/Makefile,v > retrieving revision 1.69 > diff -u -p -r1.69 Makefile > --- Makefile 28 Sep 2012 19:30:54 -0000 1.69 > +++ Makefile 7 Oct 2012 18:00:08 -0000 > @@ -4,7 +4,9 @@ SHARED_ONLY = Yes > > COMMENT = highly flexible sniffer/NIDS > > -DISTNAME = snort-2.9.3.1 > +VERSION = 2.9.3.1 > +DISTNAME = snort-${VERSION} > +REVISION = 0 > > CATEGORIES = net security > > @@ -43,6 +45,9 @@ PREPROC = decoder.rules preprocessor.ru > > DOCS = AUTHORS CREDITS README README.* *.pdf TODO > USAGE \ > WISHLIST > + > +V = ${VERSION:S/.//g} > +SUBST_VARS += V > > pre-configure: > @${SUBST_CMD} ${WRKSRC}/etc/snort.conf > Index: patches/patch-etc_snort_conf > =================================================================== > RCS file: /cvs/ports/net/snort/patches/patch-etc_snort_conf,v > retrieving revision 1.6 > diff -u -p -r1.6 patch-etc_snort_conf > --- patches/patch-etc_snort_conf 26 Sep 2012 02:11:05 -0000 1.6 > +++ patches/patch-etc_snort_conf 7 Oct 2012 18:00:08 -0000 > @@ -2,8 +2,8 @@ $OpenBSD: patch-etc_snort_conf,v 1.6 201 > > reputation preprocessor disabled, still experimental > > ---- etc/snort.conf.orig Tue Jul 31 18:21:16 2012 > -+++ etc/snort.conf Tue Sep 11 23:02:31 2012 > +--- etc/snort.conf.orig Tue Jul 31 12:21:16 2012 > ++++ etc/snort.conf Sat Oct 6 22:13:19 2012 > @@ -101,17 +101,17 @@ ipvar AIM_SERVERS [64.12.24.0/23,64.12.28.0/23,64.12.1 > # Path to your rules files (this can be a relative path) > # Note for Windows users: You are advised to make this an absolute path, 
> @@ -54,3 +54,21 @@ reputation preprocessor disabled, still > > ################################################### > # Step #6: Configure output plugins > +@@ -544,6 +545,7 @@ include reference.config > + # site specific rules > + include $RULE_PATH/local.rules > + > ++# Official Sourcefire VRT rules from http://www.snort.org/snort-rules/ > + include $RULE_PATH/attack-responses.rules > + include $RULE_PATH/backdoor.rules > + include $RULE_PATH/bad-traffic.rules > +@@ -598,6 +600,9 @@ include $RULE_PATH/web-iis.rules > + include $RULE_PATH/web-misc.rules > + include $RULE_PATH/web-php.rules > + include $RULE_PATH/x11.rules > ++ > ++# Emerging Threats rules from > http://rules.emergingthreats.net/open/snort-2.9.0/ > ++# include $RULE_PATH/emerging.conf > + > + ################################################### > + # Step #8: Customize your preprocessor and decoder alerts > Index: pkg/PLIST > =================================================================== > RCS file: /cvs/ports/net/snort/pkg/PLIST,v > retrieving revision 1.21 > diff -u -p -r1.21 PLIST > --- pkg/PLIST 26 Sep 2012 02:11:05 -0000 1.21 > +++ pkg/PLIST 7 Oct 2012 18:00:08 -0000 > @@ -143,3 +143,4 @@ share/examples/snort/unicode.map > @group _snort > @sample /var/snort/ > @sample /var/snort/log/ > +@rcscript ${RCDIR}/snort > Index: pkg/README > =================================================================== > RCS file: /cvs/ports/net/snort/pkg/README,v > retrieving revision 1.1 > diff -u -p -r1.1 README > --- pkg/README 26 Sep 2012 02:11:05 -0000 1.1 > +++ pkg/README 7 Oct 2012 18:31:59 -0000 
> @@ -5,12 +5,51 @@ $OpenBSD: README,v 1.1 2012/09/26 02:11: > +----------------------------------------------------------------------- > > An up-to-date set of rules is needed for Snort to be useful as an IDS. > -These can be downloaded manually or net/oinkmaster can be used to > -download the latest rules from several different sources. > +By default, these rules are expected to be present in the > +${SYSCONFDIR}/snort/rules directory as defined by RULE_PATH in > +${SYSCONFDIR}/snort/snort.conf. > > -It is recommended that snort be run as an unprivileged chrooted user. > +The two most common sources of Snort rules are the official Snort rules > +and the Emerging Threats rules. To download the official Snort rules, > +you will first need to sign up for an "oinkcode" at > +https://www.snort.org/signup since they are distributed under a > +commercial license. Emerging Threats rules can be downloaded without > +signing up. > + > +The easiest way to download these rules is to use a rule manager such as > +the oinkmaster package. You can set up oinkmaster's config file to > +download one or more Snort rulesets and extract them automatically. > +Please refer to the documentation in the oinkmaster package for more > +details. 
> + > +If you prefer to obtain the rules manually without using a rule manager, > +you can use the following example commands to download and extract them > +to the correct directory: > + > +* Official Snort rules (replace <oinkcode> with yours): > + > + ftp -o snortrules-snapshot-${V}.tar.gz \ > + > http://www.snort.org/reg-rules/snortrules-snapshot-${V}.tar.gz/<oinkcode> > + tar -C /etc/snort -xzf snortrules-snapshot-${V}.tar.gz rules > preproc_rules > + > +* Emerging Threats rules: > + > + ftp > http://rules.emergingthreats.net/open/snort-2.9.0/emerging.rules.tar.gz > + tar -C /etc/snort -xzf emerging.rules.tar.gz > + > + If you use Emerging Threats rules, you will need to uncomment its > + include line in ${SYSCONFDIR}/snort/snort.conf and edit > + ${SYSCONFDIR}/snort/rules/emerging.conf for Snort to load them. > + > +It is important that you review the rules carefully to ensure that you > +use the rules that apply to your environment. You should also modify > +${SYSCONFDIR}/snort/snort.conf to define the relevant variables such as > +HOME_NET to match your network. > + > +It is recommended that Snort be run as an unprivileged chrooted user. > A _snort user/group and a log directory have been created for this > -purpose. You should start snort with the following options to take > -advantage of this: > +purpose. You should start Snort with the ${RCDIR}/snort script to take > +advantage of this. > > - -c /etc/snort/snort.conf -u _snort -g _snort -t /var/snort -l > /var/snort/log > +For more details on setting up Snort, please refer to its user manual at > +${TRUEPREFIX}/share/doc/snort/snort_manual.pdf > Index: pkg/snort.rc > =================================================================== > RCS file: pkg/snort.rc > diff -N pkg/snort.rc > --- /dev/null 1 Jan 1970 00:00:00 -0000 > +++ pkg/snort.rc 7 Oct 2012 18:00:08 -0000 
> @@ -0,0 +1,10 @@ > +#!/bin/sh > +# > +# $OpenBSD$ > + > +daemon="${TRUEPREFIX}/bin/snort -D" > +daemon_flags="-c ${SYSCONFDIR}/snort/snort.conf -u _snort -g _snort -t > /var/snort -l /var/snort/log" > + > +. /etc/rc.d/rc.subr > + > +rc_cmd $1
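Review bot: in the second Makefile hunk (@@ -43,6 +45,9 @@), `V = ${VERSION:S/.//g}` has no comment saying what it is for, and the single-letter name gives no hint either; it turns 2.9.3.1 into 2931 purely so pkg/README can name `snortrules-snapshot-${V}.tar.gz`, which ties the README to a VRT snapshot that must exist upstream under exactly that number. Suggest a comment on the assignment, or a more descriptive name such as `SNAPSHOT_V`, so that whoever bumps VERSION next knows to check that the matching snapshot is published before the README advertises it.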
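Review bot: in the second patch-etc_snort_conf hunk (@@ -54,3 +54,21 @@), the comment URL `http://rules.emergingthreats.net/open/snort-2.9.0/` encodes a Snort version (2.9.0) that differs from this port's 2.9.3.1, and nothing tells the reader whether that directory is the one intended for all 2.9.x or is simply stale; a few words in the comment would settle it, and it would keep the snort.conf comment and the pkg/README example from drifting apart later. Both rule sources are also referenced over plain http in this comment and in the README; since these files are loaded into a process that inspects every packet on the wire, suggest pointing the reader at a TLS URL or an upstream checksum where the rule provider publishes one.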
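Review bot: in the pkg/README hunk (@@ -5,12 +5,51 @@), the example `ftp -o snortrules-snapshot-${V}.tar.gz http://www.snort.org/reg-rules/snortrules-snapshot-${V}.tar.gz/<oinkcode>` puts the oinkcode, which is the user's credential for the registered ruleset, into a URL fetched over cleartext http and leaves it in the shell history and in `ps` output for the duration of the transfer. Suggest using an https URL if snort.org serves the path over TLS (the signup URL in the same paragraph already uses https) and adding a sentence noting that the oinkcode ends up in history. Two smaller points: `tar -C /etc/snort` hardcodes the path while the surrounding text consistently writes `${SYSCONFDIR}/snort`, and extracting straight over the live rules directory replaces any same-named file already there, including the user's own `rules/local.rules` if the archive ships one, so a line recommending a backup or a staging directory before the extract would be worth adding.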
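Review bot: in the pkg/snort.rc hunk (@@ -0,0 +1,10 @@), `-D` is kept on the `daemon=` line but the privilege-drop and chroot options `-u _snort -g _snort -t /var/snort` sit in `daemon_flags`, which is exactly the variable an administrator overrides from rc.conf.local; anyone who sets `snort_flags` to add an interface or a different config path will silently drop those options and end up running Snort as root outside the chroot. Suggest moving `-u _snort -g _snort -t /var/snort -l /var/snort/log` next to `-D` on the `daemon=` line so that only `-c ${SYSCONFDIR}/snort/snort.conf` is overridable, or at least stating in pkg/README that an override of snort_flags must repeat them.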