[arch-commits] Commit in snort/repos (4 files)

Hugo Doria hugo at archlinux.org
Wed Jul 16 13:21:11 EDT 2008


    Date: Wednesday, July 16, 2008 @ 13:21:11
  Author: hugo
Revision: 5482

Merged revisions 5480-5481 via svnmerge from 
svn+ssh://hugo@archlinux.org/home/svn-packages/snort/trunk

........
  r5481 | hugo | 2008-07-16 14:20:38 -0300 (Wed, 16 Jul 2008) | 1 line
  
  snort.conf.patch and snort.install changed
........

Modified:
  snort/repos/extra-i686/	(properties)
  snort/repos/extra-i686/PKGBUILD
  snort/repos/extra-i686/snort.conf.patch
  snort/repos/extra-i686/snort.install

------------------+
 PKGBUILD         |   19 +-
 snort.conf.patch |  378 +++++++++++++++++++++++++++++++++++++++++++++++++++--
 snort.install    |   10 +
 3 files changed, 388 insertions(+), 19 deletions(-)


Property changes on: snort/repos/extra-i686
___________________________________________________________________
Name: svnmerge-integrated
   - /snort/trunk:1-5479
   + /snort/trunk:1-5481

Modified: extra-i686/PKGBUILD
===================================================================
--- extra-i686/PKGBUILD	2008-07-16 17:20:38 UTC (rev 5481)
+++ extra-i686/PKGBUILD	2008-07-16 17:21:11 UTC (rev 5482)
@@ -3,9 +3,10 @@
 # Contributor: Kessia 'even' Pinheiro <kessiapinheiro at gmail.com>
 # Contributor: dorphell <dorphell at archlinux.org>
 # Contributor: Gregor Ibic <gregor.ibic at intelicom.si>
+
 pkgname=snort
 pkgver=2.8.2.1
-pkgrel=4
+pkgrel=5
 pkgdesc="A lightweight network intrusion detection system"
 arch=('i686' 'x86_64')
 license=('GPL')
@@ -19,16 +20,18 @@
 	'snort.conf.d' 
 	'http://www.snort.org/pub-bin/downloads.cgi/Download/comm_rules/Community-Rules-CURRENT.tar.gz' 
 	'snort.conf.patch')
-md5sums=('b39e784dd8a5cf180aae20e94a7b52dd' '361b8b9e40b9af0164f6b3e3da2e8277'\
-         'b4fb8a68490589cd34df93de7609bfac' 'f236b8a4ac12e99d3e7bd81bf3b5a482'\
-         'd6ee07e7e23a0b7f5a0dd7d605828946')
 url="http://www.snort.org"
 options=('!makeflags' '!libtool')
+md5sums=('b39e784dd8a5cf180aae20e94a7b52dd'
+         '361b8b9e40b9af0164f6b3e3da2e8277'
+         'b4fb8a68490589cd34df93de7609bfac'
+         'f236b8a4ac12e99d3e7bd81bf3b5a482'
+         '5a0e91513e05942612d70d36c2983968')
 
 build() {
   cd $startdir/src/$pkgname-$pkgver
 
-  patch -Np0 < ${startdir}/src/snort.conf.patch || return 1
+  patch -Np0 < ${startdir}/snort.conf.patch || return 1
 
   ./configure --prefix=/usr --sysconfdir=/etc/snort --with-libpcap-includes=/usr/include/pcap \
   --without-mysql --without-postgresql --without-oracle --without-odbc
@@ -39,9 +42,7 @@
 
   install -d -m744 -o snort -g snort $startdir/pkg/var/log/snort
   install -D -m644 etc/{*.conf*,*.map} $startdir/pkg/etc/snort
-  install -D -m644 ../snort.conf.d $startdir/pkg/etc/conf.d/snort
+  install -D -m644 ../../snort.conf.d $startdir/pkg/etc/conf.d/snort
   install -D -m644 $startdir/src/rules/*.rules $startdir/pkg/etc/snort/rules
-  install -D -m755 $startdir/src/snort $startdir/pkg/etc/rc.d/snort
-
-  sed 's|RULE_PATH ../rules|RULE_PATH /etc/snort/rules|' -i $startdir/pkg/etc/snort/snort.conf
+  install -D -m755 $startdir/snort $startdir/pkg/etc/rc.d/snort
 }

Modified: extra-i686/snort.conf.patch
===================================================================
--- extra-i686/snort.conf.patch	2008-07-16 17:20:38 UTC (rev 5481)
+++ extra-i686/snort.conf.patch	2008-07-16 17:21:11 UTC (rev 5482)
@@ -1,12 +1,85 @@
---- etc/snort.conf.orig	2008-07-03 16:44:57.000000000 -0300
-+++ etc/snort.conf	2008-07-03 17:42:57.000000000 -0300
-@@ -1,5 +1,5 @@
+--- etc/snort.conf.orig	2008-06-04 16:50:59.000000000 -0300
++++ etc/snort.conf	2008-07-16 13:53:02.000000000 -0300
+@@ -1,11 +1,11 @@
  #--------------------------------------------------
 -#   http://www.snort.org     Snort 2.8.2.1 Ruleset
 +#   http://www.snort.org     Snort 2.8.2 Ruleset
  #     Contact: snort-sigs at lists.sourceforge.net
  #--------------------------------------------------
  # $Id$
+ #
+ ###################################################
+-# This file contains a sample snort configuration. 
++# This file contains a sample snort configuration.
+ # You can take the following steps to create your own custom configuration:
+ #
+ #  1) Set the variables for your network
+@@ -21,7 +21,7 @@
+ # You must change the following variables to reflect your local network. The
+ # variable is currently setup for an RFC 1918 address space.
+ #
+-# You can specify it explicitly as: 
++# You can specify it explicitly as:
+ #
+ # var HOME_NET 10.1.1.0/24
+ #
+@@ -43,7 +43,7 @@
+ # or you can specify the variable to be any IP address
+ # like this:
+ 
+-var HOME_NET any
++var HOME_NET $eth0_ADDRESS
+ 
+ # Set up the external network addresses as well.  A good start may be "any"
+ var EXTERNAL_NET any
+@@ -52,9 +52,9 @@
+ # systems that have a service up.  Why look for HTTP attacks if you are not
+ # running a web server?  This allows quick filtering based on IP addresses
+ # These configurations MUST follow the same configuration scheme as defined
+-# above for $HOME_NET.  
++# above for $HOME_NET.
+ 
+-# List of DNS servers on your network 
++# List of DNS servers on your network
+ var DNS_SERVERS $HOME_NET
+ 
+ # List of SMTP servers on your network
+@@ -63,7 +63,7 @@
+ # List of web servers on your network
+ var HTTP_SERVERS $HOME_NET
+ 
+-# List of sql servers on your network 
++# List of sql servers on your network
+ var SQL_SERVERS $HOME_NET
+ 
+ # List of telnet servers on your network
+@@ -99,7 +99,7 @@
+ portvar ORACLE_PORTS 1521
+ 
+ # other variables
+-# 
++#
+ # AIM servers.  AOL has a habit of adding new AIM servers, so instead of
+ # modifying the signatures when they do, we add them to this list of servers.
+ var AIM_SERVERS [64.12.24.0/23,64.12.28.0/23,64.12.161.0/24,64.12.163.0/24,64.12.200.0/24,205.188.3.0/24,205.188.5.0/24,205.188.7.0/24,205.188.9.0/24,205.188.153.0/24,205.188.179.0/24,205.188.248.0/24]
+@@ -107,7 +107,7 @@
+ # Path to your rules files (this can be a relative path)
+ # Note for Windows users:  You are advised to make this an absolute path,
+ # such as:  c:\snort\rules
+-var RULE_PATH ../rules
++var RULE_PATH /etc/snort/rules
+ var PREPROC_RULE_PATH ../preproc_rules
+ 
+ # Configure the snort decoder
+@@ -167,7 +167,7 @@
+ 
+ # Configure Inline Resets
+ # ========================
+-# 
++#
+ # If running an iptables firewall with snort in InlineMode() we can now
+ # perform resets via a physical device. We grab the indev from iptables
+ # and use this for the interface on which to send resets. This config
 @@ -191,7 +191,7 @@
  # Load all dynamic preprocessors from the install path
  # (same as command line option --dynamic-preprocessor-lib-dir)
@@ -31,16 +104,296 @@
  #
  # Load a specific dynamic rule library from the install path
  # (same as command line option --dynamic-detection-lib)
-@@ -487,7 +487,7 @@
+@@ -217,7 +217,7 @@
+ ###################################################
+ # Step #3: Configure preprocessors
+ #
+-# General configuration for preprocessors is of 
++# General configuration for preprocessors is of
+ # the form
+ # preprocessor <name_of_processor>: <configuration_options>
+ 
+@@ -234,44 +234,44 @@
+ #
+ #preprocessor flow: stats_interval 0 hash 2
+ 
+-# frag3: Target-based IP defragmentation 
++# frag3: Target-based IP defragmentation
+ # --------------------------------------
+ #
+ # Frag3 is a brand new IP defragmentation preprocessor that is capable of
+ # performing "target-based" processing of IP fragments.  Check out the
+ # README.frag3 file in the doc directory for more background and configuration
+ # information.
+-# 
+-# Frag3 configuration is a two step process, a global initialization phase 
+-# followed by the definition of a set of defragmentation engines.  
+-# 
++#
++# Frag3 configuration is a two step process, a global initialization phase
++# followed by the definition of a set of defragmentation engines.
++#
+ # Global configuration defines the number of fragmented packets that Snort can
+ # track at the same time and gives you options regarding the memory cap for the
+-# subsystem or, optionally, allows you to preallocate all the memory for the 
++# subsystem or, optionally, allows you to preallocate all the memory for the
+ # entire frag3 system.
+ #
+ # frag3_global options:
+-#   max_frags: Maximum number of frag trackers that may be active at once.  
++#   max_frags: Maximum number of frag trackers that may be active at once.
+ #              Default value is 8192.
+ #   memcap: Maximum amount of memory that frag3 may access at any given time.
+ #           Default value is 4MB.
+ #   prealloc_frags: Maximum number of individual fragments that may be processed
+-#                   at once.  This is instead of the memcap system, uses static 
++#                   at once.  This is instead of the memcap system, uses static
+ #                   allocation to increase performance.  No default value.  Each
+ #                   preallocated fragment typically eats ~1550 bytes.  However,
+ #                   the exact amount is determined by the snaplen, and this can
+ #                   go as high as 64K so beware!
+ #
+-# Target-based behavior is attached to an engine as a "policy" for handling 
++# Target-based behavior is attached to an engine as a "policy" for handling
+ # overlaps and retransmissions as enumerated in the Paxson paper.  There are
+-# currently five policy types available: "BSD", "BSD-right", "First", "Linux" 
++# currently five policy types available: "BSD", "BSD-right", "First", "Linux"
+ # and "Last".  Engines can be bound to standard Snort CIDR blocks or
+ # IP lists.
+ #
+ # frag3_engine options:
+ #   timeout: Amount of time a fragmented packet may be active before expiring.
+ #            Default value is 60 seconds.
+-#   ttl_limit: Limit of delta allowable for TTLs of packets in the fragments. 
++#   ttl_limit: Limit of delta allowable for TTLs of packets in the fragments.
+ #              Based on the initial received fragment TTL.
+ #   min_ttl: Minimum acceptable TTL for a fragment, frags with TTLs below this
+ #            value will be discarded.  Default value is 0.
+@@ -317,10 +317,10 @@
+ #   ttl_limit [number]     - differential of the initial ttl on a session versus
+ #                             the normal that someone may be playing games.
+ #                             Routing flap may cause lots of false positives.
+-# 
+-#   keepstats [machine|binary] - keep session statistics, add "machine" to 
++#
++#   keepstats [machine|binary] - keep session statistics, add "machine" to
+ #                         get them in a flat format for machine reading, add
+-#                         "binary" to get them in a unified binary output 
++#                         "binary" to get them in a unified binary output
+ #                         format
+ #   noinspect - turn off stateful inspection only
+ #   timeout [number] - set the session timeout counter to [number] seconds,
+@@ -332,7 +332,7 @@
+ #                     max_sessions option)
+ #   log_flushed_streams - if an event is detected on a stream this option will
+ #                         cause all packets that are stored in the stream4
+-#                         packet buffers to be flushed to disk.  This only 
++#                         packet buffers to be flushed to disk.  This only
+ #                         works when logging in pcap mode!
+ #   server_inspect_limit [bytes] - Byte limit on server side inspection.
+ #   enable_udp_sessions - turn on tracking of "sessions" over UDP.  Requires
+@@ -349,10 +349,10 @@
+ #                                   more sessions are purged from the cache when
+ #                                   the session limit or memcap is reached.
+ #                                   Defaults to 5.
+-#   
+-#   
+ #
+-# Stream4 uses Generator ID 111 and uses the following SIDS 
++#
++#
++# Stream4 uses Generator ID 111 and uses the following SIDS
+ # for that GID:
+ #  SID     Event description
+ # -----   -------------------
+@@ -374,9 +374,9 @@
+ #preprocessor stream4: disable_evasion_alerts
+ 
+ # tcp stream reassembly directive
+-# no arguments loads the default configuration 
++# no arguments loads the default configuration
+ #   Only reassemble the client,
+-#   Only reassemble the default list of ports (See below),  
++#   Only reassemble the default list of ports (See below),
+ #   Give alerts for "bad" streams
+ #
+ # Available options (comma delimited):
+@@ -384,7 +384,7 @@
+ #   serveronly - reassemble traffic for the server side of a connection only
+ #   both - reassemble both sides of a session
+ #   noalerts - turn off alerts from the stream reassembly stage of stream4
+-#   ports [list] - use the space separated list of ports in [list], "all" 
++#   ports [list] - use the space separated list of ports in [list], "all"
+ #                  will turn on reassembly for all ports, "default" will turn
+ #                  on reassembly for ports 21, 23, 25, 42, 53, 80, 110,
+ #                  111, 135, 136, 137, 139, 143, 445, 513, 514, 1433, 1521,
+@@ -397,12 +397,12 @@
+ #   flush_behavior [mode] -
+ #           default      - use old static flushpoints (default)
+ #           large_window - use new larger static flushpoints
+-#           random       - use random flushpoints defined by flush_base, 
++#           random       - use random flushpoints defined by flush_base,
+ #                          flush_seed and flush_range
+ #   flush_base [number] - lowest allowed random flushpoint (512 by default)
+ #   flush_range [number] - number is the space within which random flushpoints
+ #                          are generated (default 1213)
+-#   flush_seed [number] - seed for the random number generator, defaults to 
++#   flush_seed [number] - seed for the random number generator, defaults to
+ #                         Snort PID + time
+ #
+ # Using the default random flushpoints, the smallest flushpoint is 512,
+@@ -415,7 +415,7 @@
+ # replaces that of Stream4.  Consequently, BOTH Stream4 and Stream5
+ # cannot be used simultaneously.  Comment out the stream4 configurations
+ # above to use Stream5.
+-# 
++#
+ # See README.stream5 for details on the configuration options.
+ #
+ # Example config (that emulates Stream4 with UDP support compiled in)
+@@ -429,7 +429,7 @@
+ # ----------------------
+ # Documentation for this is provided in the Snort Manual.  You should read it.
+ # It is included in the release distribution as doc/snort_manual.pdf
+-# 
++#
+ # preprocessor perfmonitor: time 300 file /var/snort/snort.stats pktcnt 10000
+ 
+ # http_inspect: normalize and detect HTTP traffic and protocol anomalies
+@@ -438,7 +438,7 @@
+ # unicode.map should be wherever your snort.conf lives, or given
+ # a full path to where snort can find it.
+ preprocessor http_inspect: global \
+-    iis_unicode_map unicode.map 1252 
++    iis_unicode_map unicode.map 1252
+ 
+ preprocessor http_inspect_server: server default \
+     profile all ports { 80 8080 8180 } oversize_dir_length 500
+@@ -481,15 +481,15 @@
+ # -------------------------
+ # Detects Back Orifice traffic on the network.
+ #
+-# arguments:  
++# arguments:
+ #   syntax:
+ #     preprocessor bo: noalert { client | server | general | snort_attack } \
  #                      drop    { client | server | general | snort_attack }
  #   example:
  #     preprocessor bo: noalert { general server } drop { snort_attack }
--#
 +
- # 
- # The Back Orifice detector uses Generator ID 105 and uses the 
+ #
+-# 
+-# The Back Orifice detector uses Generator ID 105 and uses the 
++# The Back Orifice detector uses Generator ID 105 and uses the
  # following SIDS for that GID:
-@@ -936,59 +936,87 @@
+ #  SID     Event description
+ # -----   -------------------
+@@ -606,7 +606,7 @@
+ #       sensitivity in which to detect portscans.  The 'low' sensitivity
+ #       detects scans by the common method of looking for response errors, such
+ #       as TCP RSTs or ICMP unreachables.  This level requires the least
+-#       tuning.  The 'medium' sensitivity level detects portscans and 
++#       tuning.  The 'medium' sensitivity level detects portscans and
+ #       filtered portscans (portscans that receive no response).  This
+ #       sensitivity level usually requires tuning out scan events from NATed
+ #       IPs, DNS cache servers, etc.  The 'high' sensitivity level has
+@@ -626,11 +626,11 @@
+ #     ignore_scanners { Snort IP List }
+ #     ignore_scanned { Snort IP List }
+ #       These options take a snort IP list as the argument.  The 'watch_ip'
+-#       option specifies the IP(s) to watch for portscan.  The 
++#       option specifies the IP(s) to watch for portscan.  The
+ #       'ignore_scanners' option specifies the IP(s) to ignore as scanners.
+ #       Note that these hosts are still watched as scanned hosts.  The
+ #       'ignore_scanners' option is used to tune alerts from very active
+-#       hosts such as NAT, nessus hosts, etc.  The 'ignore_scanned' option 
++#       hosts such as NAT, nessus hosts, etc.  The 'ignore_scanned' option
+ #       specifies the IP(s) to ignore as scanned hosts.  Note that these hosts
+ #       are still watched as scanner hosts.  The 'ignore_scanned' option is
+ #       used to tune alerts from very active hosts such as syslog servers, etc.
+@@ -650,7 +650,7 @@
+ # unicast ARP requests, and specific ARP mapping monitoring.  To make use of
+ # this preprocessor you must specify the IP and hardware address of hosts on
+ # the same layer 2 segment as you.  Specify one host IP MAC combo per line.
+-# Also takes a "-unicast" option to turn on unicast ARP request detection. 
++# Also takes a "-unicast" option to turn on unicast ARP request detection.
+ # Arpspoof uses Generator ID 112 and uses the following SIDS for that GID:
+ 
+ #  SID     Event description
+@@ -705,21 +705,21 @@
+ # The dcerpc preprocessor detects and decodes SMB and DCE/RPC traffic.
+ # It is primarily interested in DCE/RPC data, and only decodes SMB
+ # to get at the DCE/RPC data carried by the SMB layer.
+-# 
++#
+ # Currently, the preprocessor only handles reassembly of fragmentation
+ # at both the SMB and DCE/RPC layer.  Snort rules can be evaded by
+ # using both types of fragmentation; with the preprocessor enabled
+ # the rules are given a buffer with a reassembled SMB or DCE/RPC
+ # packet to examine.
+-# 
++#
+ # At the SMB layer, only fragmentation using WriteAndX is currently
+ # reassembled.  Other methods will be handled in future versions of
+ # the preprocessor.
+-# 
++#
+ # Autodetection of SMB is done by looking for "\xFFSMB" at the start of
+ # the SMB data, as well as checking the NetBIOS header (which is always
+ # present for SMB) for the type "SMB Session".
+-# 
++#
+ # Autodetection of DCE/RPC is not as reliable.  Currently, two bytes are
+ # checked in the packet.  Assuming that the data is a DCE/RPC header,
+ # one byte is checked for DCE/RPC version (5) and another for the type
+@@ -762,8 +762,8 @@
+ # SSL
+ #----------------------------------------
+ # Encrypted traffic should be ignored by Snort for both performance reasons
+-# and to reduce false positives.  The SSL Dynamic Preprocessor (SSLPP) 
+-# inspects SSL traffic and optionally determines if and when to stop 
++# and to reduce false positives.  The SSL Dynamic Preprocessor (SSLPP)
++# inspects SSL traffic and optionally determines if and when to stop
+ # inspection of it.
+ #
+ # Typically, SSL is used over port 443 as HTTPS.  By enabling the SSLPP to
+@@ -775,7 +775,7 @@
+ #                   traffic on the ports that you intend to inspect SSL
+ #                   encrypted traffic on.
+ #
+-#   To add reassembly on port 443 to Stream5, use 'port both 443' in the 
++#   To add reassembly on port 443 to Stream5, use 'port both 443' in the
+ #   Stream5 configuration.
+ 
+ preprocessor ssl: noinspect_encrypted
+@@ -827,7 +827,7 @@
+ # binary format for logging data out of Snort that is designed to be fast and
+ # efficient.  Used with barnyard (the new alert/log processor), most of the
+ # overhead for logging and alerting to various slow storage mechanisms such as
+-# databases or the network can now be avoided.  
++# databases or the network can now be avoided.
+ #
+ # Check out the spo_unified.h file for the data formats.
+ #
+@@ -922,81 +922,110 @@
+ # rules.
+ 
+ #=========================================
+-# Include all relevant rulesets here 
+-# 
++# Include all relevant rulesets here
++#
+ # The following rulesets are disabled by default:
+ #
+ #   web-attacks, backdoor, shellcode, policy, porn, info, icmp-info, virus,
+ #   chat, multimedia, and p2p
+-#            
++#
+ # These rules are either site policy specific or require tuning in order to not
+ # generate false positive alerts in most enviornments.
+-# 
++#
+ # Please read the specific include file for more information and
  # README.alert_order for how rule ordering affects how alerts are triggered.
  #=========================================
  
@@ -152,7 +505,7 @@
 +#include $RULE_PATH/experimental.rules
 +
 +
-+# Community Rules 
++# Community Rules
 +include $RULE_PATH/community-bot.rules
 +include $RULE_PATH/community-deleted.rules
 +include $RULE_PATH/community-dos.rules
@@ -181,7 +534,12 @@
  
  # include $PREPROC_RULE_PATH/preprocessor.rules
  # include $PREPROC_RULE_PATH/decoder.rules
-@@ -1000,3 +1028,4 @@
+ 
+ # Include any thresholding or suppression commands. See threshold.conf in the
+ # <snort src>/etc directory for details. Commands don't necessarily need to be
+-# contained in this conf, but a separate conf makes it easier to maintain them. 
++# contained in this conf, but a separate conf makes it easier to maintain them.
+ # Note for Windows users:  You are advised to make this an absolute path,
  # such as:  c:\snort\etc\threshold.conf
  # Uncomment if needed.
  # include threshold.conf

Modified: extra-i686/snort.install
===================================================================
--- extra-i686/snort.install	2008-07-16 17:20:38 UTC (rev 5481)
+++ extra-i686/snort.install	2008-07-16 17:21:11 UTC (rev 5482)
@@ -5,6 +5,11 @@
 
   [ -f var/log/snort/alert ] || : >var/log/snort/alert
   chown snort.snort var/log/snort/alert
+  
+  echo
+  echo ">>> You have to edit the HOME_NET variable in the /etc/snort/snort.conf \
+file to reflect your local network"
+  echo ">>> If you do not change it, snort my not work "
 }
 
 post_upgrade() {
@@ -20,4 +25,9 @@
   /bin/true
 }
 
+op=$1
+shift
+
+$op $*
+
 # vim:set ts=2 sw=2 et:





More information about the arch-commits mailing list