[arch-commits] Commit in snort/trunk (PKGBUILD snort.conf.patch snort.install)
Hugo Doria
hugo at archlinux.org
Wed Jul 16 17:20:39 UTC 2008
Date: Wednesday, July 16, 2008 @ 13:20:38
Author: hugo
Revision: 5481
snort.conf.patch and snort.install changed
Modified:
snort/trunk/PKGBUILD
snort/trunk/snort.conf.patch
snort/trunk/snort.install
------------------+
PKGBUILD | 19 +-
snort.conf.patch | 378 +++++++++++++++++++++++++++++++++++++++++++++++++++--
snort.install | 10 +
3 files changed, 388 insertions(+), 19 deletions(-)
Modified: PKGBUILD
===================================================================
--- PKGBUILD 2008-07-16 17:18:10 UTC (rev 5480)
+++ PKGBUILD 2008-07-16 17:20:38 UTC (rev 5481)
@@ -3,9 +3,10 @@
# Contributor: Kessia 'even' Pinheiro <kessiapinheiro at gmail.com>
# Contributor: dorphell <dorphell at archlinux.org>
# Contributor: Gregor Ibic <gregor.ibic at intelicom.si>
+
pkgname=snort
pkgver=2.8.2.1
-pkgrel=4
+pkgrel=5
pkgdesc="A lightweight network intrusion detection system"
arch=('i686' 'x86_64')
license=('GPL')
@@ -19,16 +20,18 @@
'snort.conf.d'
'http://www.snort.org/pub-bin/downloads.cgi/Download/comm_rules/Community-Rules-CURRENT.tar.gz'
'snort.conf.patch')
-md5sums=('b39e784dd8a5cf180aae20e94a7b52dd' '361b8b9e40b9af0164f6b3e3da2e8277'\
- 'b4fb8a68490589cd34df93de7609bfac' 'f236b8a4ac12e99d3e7bd81bf3b5a482'\
- 'd6ee07e7e23a0b7f5a0dd7d605828946')
url="http://www.snort.org"
options=('!makeflags' '!libtool')
+md5sums=('b39e784dd8a5cf180aae20e94a7b52dd'
+ '361b8b9e40b9af0164f6b3e3da2e8277'
+ 'b4fb8a68490589cd34df93de7609bfac'
+ 'f236b8a4ac12e99d3e7bd81bf3b5a482'
+ '5a0e91513e05942612d70d36c2983968')
build() {
cd $startdir/src/$pkgname-$pkgver
- patch -Np0 < ${startdir}/src/snort.conf.patch || return 1
+ patch -Np0 < ${startdir}/snort.conf.patch || return 1
./configure --prefix=/usr --sysconfdir=/etc/snort --with-libpcap-includes=/usr/include/pcap \
--without-mysql --without-postgresql --without-oracle --without-odbc
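Review bot: The rebuilt md5sums array pins its fourth entry, which by position appears to belong to the `Community-Rules-CURRENT.tar.gz` source at L36, to an archive whose name promises different contents on every upstream rules release, so the build will start failing on the next rollover without any change to this PKGBUILD. Pinning a dated or versioned rules archive would keep that checksum meaningful; since the sources are fetched over plain http and the MD5 pin is the only integrity check, it is also what lets a modified download be noticed at all. Separately, `$startdir` is unquoted on the `cd` line and the `patch` redirection; `patch -Np0 < "${startdir}/snort.conf.patch" || return 1` is the safer form. build() continues past this hunk.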
@@ -39,9 +42,7 @@
install -d -m744 -o snort -g snort $startdir/pkg/var/log/snort
install -D -m644 etc/{*.conf*,*.map} $startdir/pkg/etc/snort
- install -D -m644 ../snort.conf.d $startdir/pkg/etc/conf.d/snort
+ install -D -m644 ../../snort.conf.d $startdir/pkg/etc/conf.d/snort
install -D -m644 $startdir/src/rules/*.rules $startdir/pkg/etc/snort/rules
- install -D -m755 $startdir/src/snort $startdir/pkg/etc/rc.d/snort
-
- sed 's|RULE_PATH ../rules|RULE_PATH /etc/snort/rules|' -i $startdir/pkg/etc/snort/snort.conf
+ install -D -m755 $startdir/snort $startdir/pkg/etc/rc.d/snort
}
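Review bot: The two install lines that point at files kept beside the PKGBUILD use different conventions: `../../snort.conf.d` at L58 is relative to the `cd` performed earlier in build(), while `$startdir/snort` at L63 is absolute, so a later change to the working directory would break only one of them, and neither line has `|| return 1`, so the failure would not stop the build. Writing `install -D -m644 $startdir/snort.conf.d $startdir/pkg/etc/conf.d/snort` makes both lines self-contained. The `RULE_PATH` sed this hunk drops is covered by the regenerated snort.conf.patch, so nothing else in build() appears to depend on it from what this hunk shows. build() starts outside the hunk.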
Modified: snort.conf.patch
===================================================================
--- snort.conf.patch 2008-07-16 17:18:10 UTC (rev 5480)
+++ snort.conf.patch 2008-07-16 17:20:38 UTC (rev 5481)
@@ -1,12 +1,85 @@
---- etc/snort.conf.orig 2008-07-03 16:44:57.000000000 -0300
-+++ etc/snort.conf 2008-07-03 17:42:57.000000000 -0300
-@@ -1,5 +1,5 @@
+--- etc/snort.conf.orig 2008-06-04 16:50:59.000000000 -0300
++++ etc/snort.conf 2008-07-16 13:53:02.000000000 -0300
+@@ -1,11 +1,11 @@
#--------------------------------------------------
-# http://www.snort.org Snort 2.8.2.1 Ruleset
+# http://www.snort.org Snort 2.8.2 Ruleset
# Contact: snort-sigs at lists.sourceforge.net
#--------------------------------------------------
# $Id$
+ #
+ ###################################################
+-# This file contains a sample snort configuration.
++# This file contains a sample snort configuration.
+ # You can take the following steps to create your own custom configuration:
+ #
+ # 1) Set the variables for your network
+@@ -21,7 +21,7 @@
+ # You must change the following variables to reflect your local network. The
+ # variable is currently setup for an RFC 1918 address space.
+ #
+-# You can specify it explicitly as:
++# You can specify it explicitly as:
+ #
+ # var HOME_NET 10.1.1.0/24
+ #
+@@ -43,7 +43,7 @@
+ # or you can specify the variable to be any IP address
+ # like this:
+
+-var HOME_NET any
++var HOME_NET $eth0_ADDRESS
+
+ # Set up the external network addresses as well. A good start may be "any"
+ var EXTERNAL_NET any
+@@ -52,9 +52,9 @@
+ # systems that have a service up. Why look for HTTP attacks if you are not
+ # running a web server? This allows quick filtering based on IP addresses
+ # These configurations MUST follow the same configuration scheme as defined
+-# above for $HOME_NET.
++# above for $HOME_NET.
+
+-# List of DNS servers on your network
++# List of DNS servers on your network
+ var DNS_SERVERS $HOME_NET
+
+ # List of SMTP servers on your network
+@@ -63,7 +63,7 @@
+ # List of web servers on your network
+ var HTTP_SERVERS $HOME_NET
+
+-# List of sql servers on your network
++# List of sql servers on your network
+ var SQL_SERVERS $HOME_NET
+
+ # List of telnet servers on your network
+@@ -99,7 +99,7 @@
+ portvar ORACLE_PORTS 1521
+
+ # other variables
+-#
++#
+ # AIM servers. AOL has a habit of adding new AIM servers, so instead of
+ # modifying the signatures when they do, we add them to this list of servers.
+ var AIM_SERVERS [64.12.24.0/23,64.12.28.0/23,64.12.161.0/24,64.12.163.0/24,64.12.200.0/24,205.188.3.0/24,205.188.5.0/24,205.188.7.0/24,205.188.9.0/24,205.188.153.0/24,205.188.179.0/24,205.188.248.0/24]
+@@ -107,7 +107,7 @@
+ # Path to your rules files (this can be a relative path)
+ # Note for Windows users: You are advised to make this an absolute path,
+ # such as: c:\snort\rules
+-var RULE_PATH ../rules
++var RULE_PATH /etc/snort/rules
+ var PREPROC_RULE_PATH ../preproc_rules
+
+ # Configure the snort decoder
+@@ -167,7 +167,7 @@
+
+ # Configure Inline Resets
+ # ========================
+-#
++#
+ # If running an iptables firewall with snort in InlineMode() we can now
+ # perform resets via a physical device. We grab the indev from iptables
+ # and use this for the interface on which to send resets. This config
@@ -191,7 +191,7 @@
# Load all dynamic preprocessors from the install path
# (same as command line option --dynamic-preprocessor-lib-dir)
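Review bot: The regenerated patch is now taken against a snort.conf whose header reads `Snort 2.8.2 Ruleset` (L78, with an `.orig` timestamp of 2008-06-04 at L73) while the PKGBUILD builds 2.8.2.1, and most of its new hunks (`@@ -21,7 +21,7 @@`, `@@ -52,9 +52,9 @@`, `@@ -63,7 +63,7 @@` here, and nearly every hunk of the second outer hunk through `# Community Rules`) remove and re-add lines that read identically, which looks like trailing-whitespace drift between the file the patch was generated from and the one shipped in the tarball. Only two lines in this file change meaning — `var HOME_NET $eth0_ADDRESS` and `var RULE_PATH /etc/snort/rules` — and the whitespace hunks bury them while making `patch -Np0` likely to reject (and `|| return 1` to fail the build) as soon as upstream touches that whitespace. Regenerating the patch from the pristine `etc/snort.conf` in the 2.8.2.1 tarball, without editing whitespace, would leave just those two hunks. Note also that, as far as I know, Snort defines `$eth0_ADDRESS` only for the interface it captures on, so HOME_NET stays unresolved when snort is started on another interface; the snort.install notice asking the admin to set HOME_NET covers that case.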
@@ -31,16 +104,296 @@
#
# Load a specific dynamic rule library from the install path
# (same as command line option --dynamic-detection-lib)
-@@ -487,7 +487,7 @@
+@@ -217,7 +217,7 @@
+ ###################################################
+ # Step #3: Configure preprocessors
+ #
+-# General configuration for preprocessors is of
++# General configuration for preprocessors is of
+ # the form
+ # preprocessor <name_of_processor>: <configuration_options>
+
+@@ -234,44 +234,44 @@
+ #
+ #preprocessor flow: stats_interval 0 hash 2
+
+-# frag3: Target-based IP defragmentation
++# frag3: Target-based IP defragmentation
+ # --------------------------------------
+ #
+ # Frag3 is a brand new IP defragmentation preprocessor that is capable of
+ # performing "target-based" processing of IP fragments. Check out the
+ # README.frag3 file in the doc directory for more background and configuration
+ # information.
+-#
+-# Frag3 configuration is a two step process, a global initialization phase
+-# followed by the definition of a set of defragmentation engines.
+-#
++#
++# Frag3 configuration is a two step process, a global initialization phase
++# followed by the definition of a set of defragmentation engines.
++#
+ # Global configuration defines the number of fragmented packets that Snort can
+ # track at the same time and gives you options regarding the memory cap for the
+-# subsystem or, optionally, allows you to preallocate all the memory for the
++# subsystem or, optionally, allows you to preallocate all the memory for the
+ # entire frag3 system.
+ #
+ # frag3_global options:
+-# max_frags: Maximum number of frag trackers that may be active at once.
++# max_frags: Maximum number of frag trackers that may be active at once.
+ # Default value is 8192.
+ # memcap: Maximum amount of memory that frag3 may access at any given time.
+ # Default value is 4MB.
+ # prealloc_frags: Maximum number of individual fragments that may be processed
+-# at once. This is instead of the memcap system, uses static
++# at once. This is instead of the memcap system, uses static
+ # allocation to increase performance. No default value. Each
+ # preallocated fragment typically eats ~1550 bytes. However,
+ # the exact amount is determined by the snaplen, and this can
+ # go as high as 64K so beware!
+ #
+-# Target-based behavior is attached to an engine as a "policy" for handling
++# Target-based behavior is attached to an engine as a "policy" for handling
+ # overlaps and retransmissions as enumerated in the Paxson paper. There are
+-# currently five policy types available: "BSD", "BSD-right", "First", "Linux"
++# currently five policy types available: "BSD", "BSD-right", "First", "Linux"
+ # and "Last". Engines can be bound to standard Snort CIDR blocks or
+ # IP lists.
+ #
+ # frag3_engine options:
+ # timeout: Amount of time a fragmented packet may be active before expiring.
+ # Default value is 60 seconds.
+-# ttl_limit: Limit of delta allowable for TTLs of packets in the fragments.
++# ttl_limit: Limit of delta allowable for TTLs of packets in the fragments.
+ # Based on the initial received fragment TTL.
+ # min_ttl: Minimum acceptable TTL for a fragment, frags with TTLs below this
+ # value will be discarded. Default value is 0.
+@@ -317,10 +317,10 @@
+ # ttl_limit [number] - differential of the initial ttl on a session versus
+ # the normal that someone may be playing games.
+ # Routing flap may cause lots of false positives.
+-#
+-# keepstats [machine|binary] - keep session statistics, add "machine" to
++#
++# keepstats [machine|binary] - keep session statistics, add "machine" to
+ # get them in a flat format for machine reading, add
+-# "binary" to get them in a unified binary output
++# "binary" to get them in a unified binary output
+ # format
+ # noinspect - turn off stateful inspection only
+ # timeout [number] - set the session timeout counter to [number] seconds,
+@@ -332,7 +332,7 @@
+ # max_sessions option)
+ # log_flushed_streams - if an event is detected on a stream this option will
+ # cause all packets that are stored in the stream4
+-# packet buffers to be flushed to disk. This only
++# packet buffers to be flushed to disk. This only
+ # works when logging in pcap mode!
+ # server_inspect_limit [bytes] - Byte limit on server side inspection.
+ # enable_udp_sessions - turn on tracking of "sessions" over UDP. Requires
+@@ -349,10 +349,10 @@
+ # more sessions are purged from the cache when
+ # the session limit or memcap is reached.
+ # Defaults to 5.
+-#
+-#
+ #
+-# Stream4 uses Generator ID 111 and uses the following SIDS
++#
++#
++# Stream4 uses Generator ID 111 and uses the following SIDS
+ # for that GID:
+ # SID Event description
+ # ----- -------------------
+@@ -374,9 +374,9 @@
+ #preprocessor stream4: disable_evasion_alerts
+
+ # tcp stream reassembly directive
+-# no arguments loads the default configuration
++# no arguments loads the default configuration
+ # Only reassemble the client,
+-# Only reassemble the default list of ports (See below),
++# Only reassemble the default list of ports (See below),
+ # Give alerts for "bad" streams
+ #
+ # Available options (comma delimited):
+@@ -384,7 +384,7 @@
+ # serveronly - reassemble traffic for the server side of a connection only
+ # both - reassemble both sides of a session
+ # noalerts - turn off alerts from the stream reassembly stage of stream4
+-# ports [list] - use the space separated list of ports in [list], "all"
++# ports [list] - use the space separated list of ports in [list], "all"
+ # will turn on reassembly for all ports, "default" will turn
+ # on reassembly for ports 21, 23, 25, 42, 53, 80, 110,
+ # 111, 135, 136, 137, 139, 143, 445, 513, 514, 1433, 1521,
+@@ -397,12 +397,12 @@
+ # flush_behavior [mode] -
+ # default - use old static flushpoints (default)
+ # large_window - use new larger static flushpoints
+-# random - use random flushpoints defined by flush_base,
++# random - use random flushpoints defined by flush_base,
+ # flush_seed and flush_range
+ # flush_base [number] - lowest allowed random flushpoint (512 by default)
+ # flush_range [number] - number is the space within which random flushpoints
+ # are generated (default 1213)
+-# flush_seed [number] - seed for the random number generator, defaults to
++# flush_seed [number] - seed for the random number generator, defaults to
+ # Snort PID + time
+ #
+ # Using the default random flushpoints, the smallest flushpoint is 512,
+@@ -415,7 +415,7 @@
+ # replaces that of Stream4. Consequently, BOTH Stream4 and Stream5
+ # cannot be used simultaneously. Comment out the stream4 configurations
+ # above to use Stream5.
+-#
++#
+ # See README.stream5 for details on the configuration options.
+ #
+ # Example config (that emulates Stream4 with UDP support compiled in)
+@@ -429,7 +429,7 @@
+ # ----------------------
+ # Documentation for this is provided in the Snort Manual. You should read it.
+ # It is included in the release distribution as doc/snort_manual.pdf
+-#
++#
+ # preprocessor perfmonitor: time 300 file /var/snort/snort.stats pktcnt 10000
+
+ # http_inspect: normalize and detect HTTP traffic and protocol anomalies
+@@ -438,7 +438,7 @@
+ # unicode.map should be wherever your snort.conf lives, or given
+ # a full path to where snort can find it.
+ preprocessor http_inspect: global \
+- iis_unicode_map unicode.map 1252
++ iis_unicode_map unicode.map 1252
+
+ preprocessor http_inspect_server: server default \
+ profile all ports { 80 8080 8180 } oversize_dir_length 500
+@@ -481,15 +481,15 @@
+ # -------------------------
+ # Detects Back Orifice traffic on the network.
+ #
+-# arguments:
++# arguments:
+ # syntax:
+ # preprocessor bo: noalert { client | server | general | snort_attack } \
# drop { client | server | general | snort_attack }
# example:
# preprocessor bo: noalert { general server } drop { snort_attack }
--#
+
- #
- # The Back Orifice detector uses Generator ID 105 and uses the
+ #
+-#
+-# The Back Orifice detector uses Generator ID 105 and uses the
++# The Back Orifice detector uses Generator ID 105 and uses the
# following SIDS for that GID:
-@@ -936,59 +936,87 @@
+ # SID Event description
+ # ----- -------------------
+@@ -606,7 +606,7 @@
+ # sensitivity in which to detect portscans. The 'low' sensitivity
+ # detects scans by the common method of looking for response errors, such
+ # as TCP RSTs or ICMP unreachables. This level requires the least
+-# tuning. The 'medium' sensitivity level detects portscans and
++# tuning. The 'medium' sensitivity level detects portscans and
+ # filtered portscans (portscans that receive no response). This
+ # sensitivity level usually requires tuning out scan events from NATed
+ # IPs, DNS cache servers, etc. The 'high' sensitivity level has
+@@ -626,11 +626,11 @@
+ # ignore_scanners { Snort IP List }
+ # ignore_scanned { Snort IP List }
+ # These options take a snort IP list as the argument. The 'watch_ip'
+-# option specifies the IP(s) to watch for portscan. The
++# option specifies the IP(s) to watch for portscan. The
+ # 'ignore_scanners' option specifies the IP(s) to ignore as scanners.
+ # Note that these hosts are still watched as scanned hosts. The
+ # 'ignore_scanners' option is used to tune alerts from very active
+-# hosts such as NAT, nessus hosts, etc. The 'ignore_scanned' option
++# hosts such as NAT, nessus hosts, etc. The 'ignore_scanned' option
+ # specifies the IP(s) to ignore as scanned hosts. Note that these hosts
+ # are still watched as scanner hosts. The 'ignore_scanned' option is
+ # used to tune alerts from very active hosts such as syslog servers, etc.
+@@ -650,7 +650,7 @@
+ # unicast ARP requests, and specific ARP mapping monitoring. To make use of
+ # this preprocessor you must specify the IP and hardware address of hosts on
+ # the same layer 2 segment as you. Specify one host IP MAC combo per line.
+-# Also takes a "-unicast" option to turn on unicast ARP request detection.
++# Also takes a "-unicast" option to turn on unicast ARP request detection.
+ # Arpspoof uses Generator ID 112 and uses the following SIDS for that GID:
+
+ # SID Event description
+@@ -705,21 +705,21 @@
+ # The dcerpc preprocessor detects and decodes SMB and DCE/RPC traffic.
+ # It is primarily interested in DCE/RPC data, and only decodes SMB
+ # to get at the DCE/RPC data carried by the SMB layer.
+-#
++#
+ # Currently, the preprocessor only handles reassembly of fragmentation
+ # at both the SMB and DCE/RPC layer. Snort rules can be evaded by
+ # using both types of fragmentation; with the preprocessor enabled
+ # the rules are given a buffer with a reassembled SMB or DCE/RPC
+ # packet to examine.
+-#
++#
+ # At the SMB layer, only fragmentation using WriteAndX is currently
+ # reassembled. Other methods will be handled in future versions of
+ # the preprocessor.
+-#
++#
+ # Autodetection of SMB is done by looking for "\xFFSMB" at the start of
+ # the SMB data, as well as checking the NetBIOS header (which is always
+ # present for SMB) for the type "SMB Session".
+-#
++#
+ # Autodetection of DCE/RPC is not as reliable. Currently, two bytes are
+ # checked in the packet. Assuming that the data is a DCE/RPC header,
+ # one byte is checked for DCE/RPC version (5) and another for the type
+@@ -762,8 +762,8 @@
+ # SSL
+ #----------------------------------------
+ # Encrypted traffic should be ignored by Snort for both performance reasons
+-# and to reduce false positives. The SSL Dynamic Preprocessor (SSLPP)
+-# inspects SSL traffic and optionally determines if and when to stop
++# and to reduce false positives. The SSL Dynamic Preprocessor (SSLPP)
++# inspects SSL traffic and optionally determines if and when to stop
+ # inspection of it.
+ #
+ # Typically, SSL is used over port 443 as HTTPS. By enabling the SSLPP to
+@@ -775,7 +775,7 @@
+ # traffic on the ports that you intend to inspect SSL
+ # encrypted traffic on.
+ #
+-# To add reassembly on port 443 to Stream5, use 'port both 443' in the
++# To add reassembly on port 443 to Stream5, use 'port both 443' in the
+ # Stream5 configuration.
+
+ preprocessor ssl: noinspect_encrypted
+@@ -827,7 +827,7 @@
+ # binary format for logging data out of Snort that is designed to be fast and
+ # efficient. Used with barnyard (the new alert/log processor), most of the
+ # overhead for logging and alerting to various slow storage mechanisms such as
+-# databases or the network can now be avoided.
++# databases or the network can now be avoided.
+ #
+ # Check out the spo_unified.h file for the data formats.
+ #
+@@ -922,81 +922,110 @@
+ # rules.
+
+ #=========================================
+-# Include all relevant rulesets here
+-#
++# Include all relevant rulesets here
++#
+ # The following rulesets are disabled by default:
+ #
+ # web-attacks, backdoor, shellcode, policy, porn, info, icmp-info, virus,
+ # chat, multimedia, and p2p
+-#
++#
+ # These rules are either site policy specific or require tuning in order to not
+ # generate false positive alerts in most enviornments.
+-#
++#
+ # Please read the specific include file for more information and
# README.alert_order for how rule ordering affects how alerts are triggered.
#=========================================
@@ -152,7 +505,7 @@
+#include $RULE_PATH/experimental.rules
+
+
-+# Community Rules
++# Community Rules
+include $RULE_PATH/community-bot.rules
+include $RULE_PATH/community-deleted.rules
+include $RULE_PATH/community-dos.rules
@@ -181,7 +534,12 @@
# include $PREPROC_RULE_PATH/preprocessor.rules
# include $PREPROC_RULE_PATH/decoder.rules
-@@ -1000,3 +1028,4 @@
+
+ # Include any thresholding or suppression commands. See threshold.conf in the
+ # <snort src>/etc directory for details. Commands don't necessarily need to be
+-# contained in this conf, but a separate conf makes it easier to maintain them.
++# contained in this conf, but a separate conf makes it easier to maintain them.
+ # Note for Windows users: You are advised to make this an absolute path,
# such as: c:\snort\etc\threshold.conf
# Uncomment if needed.
# include threshold.conf
Modified: snort.install
===================================================================
--- snort.install 2008-07-16 17:18:10 UTC (rev 5480)
+++ snort.install 2008-07-16 17:20:38 UTC (rev 5481)
@@ -5,6 +5,11 @@
[ -f var/log/snort/alert ] || : >var/log/snort/alert
chown snort.snort var/log/snort/alert
+
+ echo
+ echo ">>> You have to edit the HOME_NET variable in the /etc/snort/snort.conf \
+file to reflect your local network"
+ echo ">>> If you do not change it, snort my not work "
}
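Review bot: The second notice at L492 reads `snort my not work` — a typo for `may` — and the trailing space inside the quotes is printed as well: `echo ">>> If you do not change it, snort may not work"`. The first notice spans two source lines with a backslash-newline inside double quotes, which the shell removes so it prints as one line; that is correct but easy to misread as a literal line break, and two separate `echo` calls would be clearer. post_install's header is outside the hunk.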
post_upgrade() {
@@ -20,4 +25,9 @@
/bin/true
}
+op=$1
+shift
+
+$op $*
+
# vim:set ts=2 sw=2 et:
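Review bot: The dispatcher added at the end of the file runs `$op $*` unquoted, so both the function name and its arguments go through word splitting and globbing; `"$op" "$@"` passes them through intact. When the script is sourced rather than executed with arguments (pacman's calling convention is not visible here), `op` is empty, `shift` returns non-zero and the last line expands to nothing, so the trailer is harmless but inert in that mode — if it is only kept for an older invocation style, a comment saying so would help the next maintainer. Restricting `op` to the functions this script defines, e.g. `case "$op" in post_install|post_upgrade) "$op" "$@" ;; esac` extended with whatever else the file declares, would stop an arbitrary first argument from being run as a command.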