[arch-commits] Commit in snort/repos (4 files)

Hugo Doria hugo at archlinux.org
Fri Mar 20 01:54:06 UTC 2009


    Date: Thursday, March 19, 2009 @ 21:54:06
  Author: hugo
Revision: 30472

Merged revisions 30471 via svnmerge from 
svn+ssh://archlinux.org/srv/svn-packages/snort/trunk

........
  r30471 | hugo | 2009-03-19 22:53:47 -0300 (Thu, 19 Mar 2009) | 1 line
  
  upgpkg: snort 2.8.3.2-1
........

Modified:
  snort/repos/extra-i686/	(properties)
  snort/repos/extra-i686/PKGBUILD
  snort/repos/extra-i686/snort.conf.patch
  snort/repos/extra-i686/snort.install

------------------+
 PKGBUILD         |   28 +--
 snort.conf.patch |  431 +----------------------------------------------------
 snort.install    |    2 
 3 files changed, 25 insertions(+), 436 deletions(-)


Property changes on: snort/repos/extra-i686
___________________________________________________________________
Modified: svnmerge-integrated
   - /snort/trunk:1-20386
   + /snort/trunk:1-30471
Deleted: svn:mergeinfo
   - 

Modified: extra-i686/PKGBUILD
===================================================================
--- extra-i686/PKGBUILD	2009-03-20 01:53:47 UTC (rev 30471)
+++ extra-i686/PKGBUILD	2009-03-20 01:54:06 UTC (rev 30472)
@@ -5,8 +5,8 @@
 # Contributor: Gregor Ibic <gregor.ibic at intelicom.si>
 
 pkgname=snort
-pkgver=2.8.2.1
-pkgrel=8
+pkgver=2.8.3.2
+pkgrel=1
 pkgdesc="A lightweight network intrusion detection system"
 arch=('i686' 'x86_64')
 license=('GPL')
@@ -15,11 +15,11 @@
 	etc/snort/{snort,threshold}.conf
 	etc/snort/{confreference,classification}.config)
 install=snort.install
-source=("http://www.snort.org/dl/old/$pkgname-$pkgver.tar.gz"
-        'snort' 
-	'snort.conf.d' 
-	'http://www.snort.org/pub-bin/downloads.cgi/Download/comm_rules/Community-Rules-CURRENT.tar.gz' 
-	'snort.conf.patch')
+source=(http://www.snort.org/dl/${pkgname}-${pkgver}.tar.gz
+        snort
+	snort.conf.d
+	http://www.snort.org/pub-bin/downloads.cgi/Download/comm_rules/Community-Rules-CURRENT.tar.gz
+	snort.conf.patch)
 url="http://www.snort.org"
 options=('!makeflags' '!libtool')
 
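Review bot: Both remote entries in `source` are still fetched over plain `http://`, and `Community-Rules-CURRENT.tar.gz` is a name whose content upstream can replace at any time, so the only thing tying the package to known inputs is the `md5sums` array later in the file. MD5 alone is a weak pin for an IDS and its rule set; a second array such as `sha256sums=(...)` next to `md5sums` would strengthen it. If upstream publishes the community rules under a versioned file name, using that instead of `CURRENT` would also make a checksum mismatch distinguishable from a routine upstream refresh.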
@@ -35,14 +35,14 @@
 
   mkdir -p ${pkgdir}/{etc/rc.d,etc/snort/rules}
 
-  install -d -m744 -o snort -g snort ${pkgdir}/var/log/snort
-  install -D -m644 etc/{*.conf*,*.map} ${pkgdir}/etc/snort
-  install -D -m644 ${srcdir}/snort.conf.d ${pkgdir}/etc/conf.d/snort
-  install -D -m644 ${srcdir}/rules/*.rules ${pkgdir}/etc/snort/rules
-  install -D -m755 ${srcdir}/snort ${pkgdir}/etc/rc.d/snort
+  install -d -m755 ${pkgdir}/var/log/snort || return 1
+  install -D -m644 etc/{*.conf*,*.map} ${pkgdir}/etc/snort/ || return 1
+  install -D -m644 ${srcdir}/snort.conf.d ${pkgdir}/etc/conf.d/snort | return 1
+  install -D -m644 ${srcdir}/rules/*.rules ${pkgdir}/etc/snort/rules/ || return 1 
+  install -D -m755 ${srcdir}/snort ${pkgdir}/etc/rc.d/snort || return 1
 }
-md5sums=('b39e784dd8a5cf180aae20e94a7b52dd'
+md5sums=('f75547da33446ddb4ca07eefd9ce31dc'
          '361b8b9e40b9af0164f6b3e3da2e8277'
          'b4fb8a68490589cd34df93de7609bfac'
          'f236b8a4ac12e99d3e7bd81bf3b5a482'
-         '5a0e91513e05942612d70d36c2983968')
+         'd06cfb2024fbb6ad7108e0f0c65d34a7')
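Review bot: On the `snort.conf.d` install line the error guard is written `| return 1`, a pipe rather than `||`, so a failed `install` there does not abort the function the way the neighbouring lines do; it should read `install -D -m644 ${srcdir}/snort.conf.d ${pkgdir}/etc/conf.d/snort || return 1`. The log directory also goes from `-m744 -o snort -g snort` to `-m755` with no owner, which leaves `/var/log/snort` listable and traversable by every local user. If the alert and capture files are not meant to be world-readable, `install -d -m750 ${pkgdir}/var/log/snort || return 1` would be tighter, with ownership still set in `snort.install`. The function body starts outside this hunk.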

Modified: extra-i686/snort.conf.patch
===================================================================
--- extra-i686/snort.conf.patch	2009-03-20 01:53:47 UTC (rev 30471)
+++ extra-i686/snort.conf.patch	2009-03-20 01:54:06 UTC (rev 30472)
@@ -1,28 +1,5 @@
---- etc/snort.conf.orig	2008-06-04 16:50:59.000000000 -0300
-+++ etc/snort.conf	2008-07-16 13:53:02.000000000 -0300
-@@ -1,11 +1,11 @@
- #--------------------------------------------------
--#   http://www.snort.org     Snort 2.8.2.1 Ruleset
-+#   http://www.snort.org     Snort 2.8.2 Ruleset
- #     Contact: snort-sigs at lists.sourceforge.net
- #--------------------------------------------------
- # $Id$
- #
- ###################################################
--# This file contains a sample snort configuration. 
-+# This file contains a sample snort configuration.
- # You can take the following steps to create your own custom configuration:
- #
- #  1) Set the variables for your network
-@@ -21,7 +21,7 @@
- # You must change the following variables to reflect your local network. The
- # variable is currently setup for an RFC 1918 address space.
- #
--# You can specify it explicitly as: 
-+# You can specify it explicitly as:
- #
- # var HOME_NET 10.1.1.0/24
- #
+--- etc/snort.conf.orig	2009-03-19 22:26:24.376016699 -0300
++++ etc/snort.conf	2009-03-19 22:33:04.085107881 -0300
 @@ -43,7 +43,7 @@
  # or you can specify the variable to be any IP address
  # like this:
@@ -32,36 +9,6 @@
  
  # Set up the external network addresses as well.  A good start may be "any"
  var EXTERNAL_NET any
-@@ -52,9 +52,9 @@
- # systems that have a service up.  Why look for HTTP attacks if you are not
- # running a web server?  This allows quick filtering based on IP addresses
- # These configurations MUST follow the same configuration scheme as defined
--# above for $HOME_NET.  
-+# above for $HOME_NET.
- 
--# List of DNS servers on your network 
-+# List of DNS servers on your network
- var DNS_SERVERS $HOME_NET
- 
- # List of SMTP servers on your network
-@@ -63,7 +63,7 @@
- # List of web servers on your network
- var HTTP_SERVERS $HOME_NET
- 
--# List of sql servers on your network 
-+# List of sql servers on your network
- var SQL_SERVERS $HOME_NET
- 
- # List of telnet servers on your network
-@@ -99,7 +99,7 @@
- portvar ORACLE_PORTS 1521
- 
- # other variables
--# 
-+#
- # AIM servers.  AOL has a habit of adding new AIM servers, so instead of
- # modifying the signatures when they do, we add them to this list of servers.
- var AIM_SERVERS [64.12.24.0/23,64.12.28.0/23,64.12.161.0/24,64.12.163.0/24,64.12.200.0/24,205.188.3.0/24,205.188.5.0/24,205.188.7.0/24,205.188.9.0/24,205.188.153.0/24,205.188.179.0/24,205.188.248.0/24]
 @@ -107,7 +107,7 @@
  # Path to your rules files (this can be a relative path)
  # Note for Windows users:  You are advised to make this an absolute path,
@@ -71,15 +18,6 @@
  var PREPROC_RULE_PATH ../preproc_rules
  
  # Configure the snort decoder
-@@ -167,7 +167,7 @@
- 
- # Configure Inline Resets
- # ========================
--# 
-+#
- # If running an iptables firewall with snort in InlineMode() we can now
- # perform resets via a physical device. We grab the indev from iptables
- # and use this for the interface on which to send resets. This config
 @@ -191,7 +191,7 @@
  # Load all dynamic preprocessors from the install path
  # (same as command line option --dynamic-preprocessor-lib-dir)
@@ -89,7 +27,7 @@
  #
  # Load a specific dynamic preprocessor library from the install path
  # (same as command line option --dynamic-preprocessor-lib)
-@@ -201,12 +201,12 @@
+@@ -201,7 +201,7 @@
  # Load a dynamic engine from the install path
  # (same as command line option --dynamic-engine-lib)
  #
@@ -98,302 +36,16 @@
  #
  # Load all dynamic rules libraries from the install path
  # (same as command line option --dynamic-detection-lib-dir)
- #
--# dynamicdetection directory /usr/local/lib/snort_dynamicrule/
-+dynamicdetection directory /usr/local/lib/snort_dynamicrule/
- #
+@@ -211,7 +211,7 @@
  # Load a specific dynamic rule library from the install path
  # (same as command line option --dynamic-detection-lib)
-@@ -217,7 +217,7 @@
- ###################################################
- # Step #3: Configure preprocessors
  #
--# General configuration for preprocessors is of 
-+# General configuration for preprocessors is of
- # the form
- # preprocessor <name_of_processor>: <configuration_options>
- 
-@@ -234,44 +234,44 @@
+-# dynamicdetection file /usr/local/lib/snort_dynamicrule/libdynamicexamplerule.so
++dynamicdetection directory /usr/lib/snort_dynamicrule/
  #
- #preprocessor flow: stats_interval 0 hash 2
  
--# frag3: Target-based IP defragmentation 
-+# frag3: Target-based IP defragmentation
- # --------------------------------------
- #
- # Frag3 is a brand new IP defragmentation preprocessor that is capable of
- # performing "target-based" processing of IP fragments.  Check out the
- # README.frag3 file in the doc directory for more background and configuration
- # information.
--# 
--# Frag3 configuration is a two step process, a global initialization phase 
--# followed by the definition of a set of defragmentation engines.  
--# 
-+#
-+# Frag3 configuration is a two step process, a global initialization phase
-+# followed by the definition of a set of defragmentation engines.
-+#
- # Global configuration defines the number of fragmented packets that Snort can
- # track at the same time and gives you options regarding the memory cap for the
--# subsystem or, optionally, allows you to preallocate all the memory for the 
-+# subsystem or, optionally, allows you to preallocate all the memory for the
- # entire frag3 system.
- #
- # frag3_global options:
--#   max_frags: Maximum number of frag trackers that may be active at once.  
-+#   max_frags: Maximum number of frag trackers that may be active at once.
- #              Default value is 8192.
- #   memcap: Maximum amount of memory that frag3 may access at any given time.
- #           Default value is 4MB.
- #   prealloc_frags: Maximum number of individual fragments that may be processed
--#                   at once.  This is instead of the memcap system, uses static 
-+#                   at once.  This is instead of the memcap system, uses static
- #                   allocation to increase performance.  No default value.  Each
- #                   preallocated fragment typically eats ~1550 bytes.  However,
- #                   the exact amount is determined by the snaplen, and this can
- #                   go as high as 64K so beware!
- #
--# Target-based behavior is attached to an engine as a "policy" for handling 
-+# Target-based behavior is attached to an engine as a "policy" for handling
- # overlaps and retransmissions as enumerated in the Paxson paper.  There are
--# currently five policy types available: "BSD", "BSD-right", "First", "Linux" 
-+# currently five policy types available: "BSD", "BSD-right", "First", "Linux"
- # and "Last".  Engines can be bound to standard Snort CIDR blocks or
- # IP lists.
- #
- # frag3_engine options:
- #   timeout: Amount of time a fragmented packet may be active before expiring.
- #            Default value is 60 seconds.
--#   ttl_limit: Limit of delta allowable for TTLs of packets in the fragments. 
-+#   ttl_limit: Limit of delta allowable for TTLs of packets in the fragments.
- #              Based on the initial received fragment TTL.
- #   min_ttl: Minimum acceptable TTL for a fragment, frags with TTLs below this
- #            value will be discarded.  Default value is 0.
-@@ -317,10 +317,10 @@
- #   ttl_limit [number]     - differential of the initial ttl on a session versus
- #                             the normal that someone may be playing games.
- #                             Routing flap may cause lots of false positives.
--# 
--#   keepstats [machine|binary] - keep session statistics, add "machine" to 
-+#
-+#   keepstats [machine|binary] - keep session statistics, add "machine" to
- #                         get them in a flat format for machine reading, add
--#                         "binary" to get them in a unified binary output 
-+#                         "binary" to get them in a unified binary output
- #                         format
- #   noinspect - turn off stateful inspection only
- #   timeout [number] - set the session timeout counter to [number] seconds,
-@@ -332,7 +332,7 @@
- #                     max_sessions option)
- #   log_flushed_streams - if an event is detected on a stream this option will
- #                         cause all packets that are stored in the stream4
--#                         packet buffers to be flushed to disk.  This only 
-+#                         packet buffers to be flushed to disk.  This only
- #                         works when logging in pcap mode!
- #   server_inspect_limit [bytes] - Byte limit on server side inspection.
- #   enable_udp_sessions - turn on tracking of "sessions" over UDP.  Requires
-@@ -349,10 +349,10 @@
- #                                   more sessions are purged from the cache when
- #                                   the session limit or memcap is reached.
- #                                   Defaults to 5.
--#   
--#   
- #
--# Stream4 uses Generator ID 111 and uses the following SIDS 
-+#
-+#
-+# Stream4 uses Generator ID 111 and uses the following SIDS
- # for that GID:
- #  SID     Event description
- # -----   -------------------
-@@ -374,9 +374,9 @@
- #preprocessor stream4: disable_evasion_alerts
- 
- # tcp stream reassembly directive
--# no arguments loads the default configuration 
-+# no arguments loads the default configuration
- #   Only reassemble the client,
--#   Only reassemble the default list of ports (See below),  
-+#   Only reassemble the default list of ports (See below),
- #   Give alerts for "bad" streams
- #
- # Available options (comma delimited):
-@@ -384,7 +384,7 @@
- #   serveronly - reassemble traffic for the server side of a connection only
- #   both - reassemble both sides of a session
- #   noalerts - turn off alerts from the stream reassembly stage of stream4
--#   ports [list] - use the space separated list of ports in [list], "all" 
-+#   ports [list] - use the space separated list of ports in [list], "all"
- #                  will turn on reassembly for all ports, "default" will turn
- #                  on reassembly for ports 21, 23, 25, 42, 53, 80, 110,
- #                  111, 135, 136, 137, 139, 143, 445, 513, 514, 1433, 1521,
-@@ -397,12 +397,12 @@
- #   flush_behavior [mode] -
- #           default      - use old static flushpoints (default)
- #           large_window - use new larger static flushpoints
--#           random       - use random flushpoints defined by flush_base, 
-+#           random       - use random flushpoints defined by flush_base,
- #                          flush_seed and flush_range
- #   flush_base [number] - lowest allowed random flushpoint (512 by default)
- #   flush_range [number] - number is the space within which random flushpoints
- #                          are generated (default 1213)
--#   flush_seed [number] - seed for the random number generator, defaults to 
-+#   flush_seed [number] - seed for the random number generator, defaults to
- #                         Snort PID + time
- #
- # Using the default random flushpoints, the smallest flushpoint is 512,
-@@ -415,7 +415,7 @@
- # replaces that of Stream4.  Consequently, BOTH Stream4 and Stream5
- # cannot be used simultaneously.  Comment out the stream4 configurations
- # above to use Stream5.
--# 
-+#
- # See README.stream5 for details on the configuration options.
- #
- # Example config (that emulates Stream4 with UDP support compiled in)
-@@ -429,7 +429,7 @@
- # ----------------------
- # Documentation for this is provided in the Snort Manual.  You should read it.
- # It is included in the release distribution as doc/snort_manual.pdf
--# 
-+#
- # preprocessor perfmonitor: time 300 file /var/snort/snort.stats pktcnt 10000
- 
- # http_inspect: normalize and detect HTTP traffic and protocol anomalies
-@@ -438,7 +438,7 @@
- # unicode.map should be wherever your snort.conf lives, or given
- # a full path to where snort can find it.
- preprocessor http_inspect: global \
--    iis_unicode_map unicode.map 1252 
-+    iis_unicode_map unicode.map 1252
- 
- preprocessor http_inspect_server: server default \
-     profile all ports { 80 8080 8180 } oversize_dir_length 500
-@@ -481,15 +481,15 @@
- # -------------------------
- # Detects Back Orifice traffic on the network.
- #
--# arguments:  
-+# arguments:
- #   syntax:
- #     preprocessor bo: noalert { client | server | general | snort_attack } \
- #                      drop    { client | server | general | snort_attack }
- #   example:
- #     preprocessor bo: noalert { general server } drop { snort_attack }
-+
- #
--# 
--# The Back Orifice detector uses Generator ID 105 and uses the 
-+# The Back Orifice detector uses Generator ID 105 and uses the
- # following SIDS for that GID:
- #  SID     Event description
- # -----   -------------------
-@@ -606,7 +606,7 @@
- #       sensitivity in which to detect portscans.  The 'low' sensitivity
- #       detects scans by the common method of looking for response errors, such
- #       as TCP RSTs or ICMP unreachables.  This level requires the least
--#       tuning.  The 'medium' sensitivity level detects portscans and 
-+#       tuning.  The 'medium' sensitivity level detects portscans and
- #       filtered portscans (portscans that receive no response).  This
- #       sensitivity level usually requires tuning out scan events from NATed
- #       IPs, DNS cache servers, etc.  The 'high' sensitivity level has
-@@ -626,11 +626,11 @@
- #     ignore_scanners { Snort IP List }
- #     ignore_scanned { Snort IP List }
- #       These options take a snort IP list as the argument.  The 'watch_ip'
--#       option specifies the IP(s) to watch for portscan.  The 
-+#       option specifies the IP(s) to watch for portscan.  The
- #       'ignore_scanners' option specifies the IP(s) to ignore as scanners.
- #       Note that these hosts are still watched as scanned hosts.  The
- #       'ignore_scanners' option is used to tune alerts from very active
--#       hosts such as NAT, nessus hosts, etc.  The 'ignore_scanned' option 
-+#       hosts such as NAT, nessus hosts, etc.  The 'ignore_scanned' option
- #       specifies the IP(s) to ignore as scanned hosts.  Note that these hosts
- #       are still watched as scanner hosts.  The 'ignore_scanned' option is
- #       used to tune alerts from very active hosts such as syslog servers, etc.
-@@ -650,7 +650,7 @@
- # unicast ARP requests, and specific ARP mapping monitoring.  To make use of
- # this preprocessor you must specify the IP and hardware address of hosts on
- # the same layer 2 segment as you.  Specify one host IP MAC combo per line.
--# Also takes a "-unicast" option to turn on unicast ARP request detection. 
-+# Also takes a "-unicast" option to turn on unicast ARP request detection.
- # Arpspoof uses Generator ID 112 and uses the following SIDS for that GID:
- 
- #  SID     Event description
-@@ -705,21 +705,21 @@
- # The dcerpc preprocessor detects and decodes SMB and DCE/RPC traffic.
- # It is primarily interested in DCE/RPC data, and only decodes SMB
- # to get at the DCE/RPC data carried by the SMB layer.
--# 
-+#
- # Currently, the preprocessor only handles reassembly of fragmentation
- # at both the SMB and DCE/RPC layer.  Snort rules can be evaded by
- # using both types of fragmentation; with the preprocessor enabled
- # the rules are given a buffer with a reassembled SMB or DCE/RPC
- # packet to examine.
--# 
-+#
- # At the SMB layer, only fragmentation using WriteAndX is currently
- # reassembled.  Other methods will be handled in future versions of
- # the preprocessor.
--# 
-+#
- # Autodetection of SMB is done by looking for "\xFFSMB" at the start of
- # the SMB data, as well as checking the NetBIOS header (which is always
- # present for SMB) for the type "SMB Session".
--# 
-+#
- # Autodetection of DCE/RPC is not as reliable.  Currently, two bytes are
- # checked in the packet.  Assuming that the data is a DCE/RPC header,
- # one byte is checked for DCE/RPC version (5) and another for the type
-@@ -762,8 +762,8 @@
- # SSL
- #----------------------------------------
- # Encrypted traffic should be ignored by Snort for both performance reasons
--# and to reduce false positives.  The SSL Dynamic Preprocessor (SSLPP) 
--# inspects SSL traffic and optionally determines if and when to stop 
-+# and to reduce false positives.  The SSL Dynamic Preprocessor (SSLPP)
-+# inspects SSL traffic and optionally determines if and when to stop
- # inspection of it.
- #
- # Typically, SSL is used over port 443 as HTTPS.  By enabling the SSLPP to
-@@ -775,7 +775,7 @@
- #                   traffic on the ports that you intend to inspect SSL
- #                   encrypted traffic on.
- #
--#   To add reassembly on port 443 to Stream5, use 'port both 443' in the 
-+#   To add reassembly on port 443 to Stream5, use 'port both 443' in the
- #   Stream5 configuration.
- 
- preprocessor ssl: noinspect_encrypted
-@@ -827,7 +827,7 @@
- # binary format for logging data out of Snort that is designed to be fast and
- # efficient.  Used with barnyard (the new alert/log processor), most of the
- # overhead for logging and alerting to various slow storage mechanisms such as
--# databases or the network can now be avoided.  
-+# databases or the network can now be avoided.
- #
- # Check out the spo_unified.h file for the data formats.
- #
-@@ -922,81 +922,110 @@
- # rules.
- 
- #=========================================
--# Include all relevant rulesets here 
--# 
-+# Include all relevant rulesets here
-+#
- # The following rulesets are disabled by default:
- #
- #   web-attacks, backdoor, shellcode, policy, porn, info, icmp-info, virus,
- #   chat, multimedia, and p2p
--#            
-+#
- # These rules are either site policy specific or require tuning in order to not
- # generate false positive alerts in most enviornments.
--# 
-+#
- # Please read the specific include file for more information and
+ ###################################################
+@@ -924,59 +924,34 @@
  # README.alert_order for how rule ordering affects how alerts are triggered.
  #=========================================
  
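Review bot: The new inner hunk at `@@ -211,7 +211,7 @@` turns the commented `# dynamicdetection file ...libdynamicexamplerule.so` example into the live directive `dynamicdetection directory /usr/lib/snort_dynamicrule/`, so the active line ends up under the "Load a specific dynamic rule library" comment. The `directory` example in the section above presumably stays commented with its `/usr/local/lib` path. Uncommenting and re-pathing the existing `# dynamicdetection directory` line instead would keep comment and directive in agreement. Since the surrounding comment says this form loads all dynamic rule libraries from the path, a one-line comment such as `# directory must be writable by root only` above the directive would help administrators. The directory's ownership and mode are not set anywhere in the visible PKGBUILD lines.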
@@ -450,61 +102,6 @@
 -# include $RULE_PATH/spyware-put.rules
 -# include $RULE_PATH/specific-threats.rules
 -include $RULE_PATH/experimental.rules
-+#include $RULE_PATH/local.rules
-+#include $RULE_PATH/bad-traffic.rules
-+#include $RULE_PATH/exploit.rules
-+#include $RULE_PATH/scan.rules
-+#include $RULE_PATH/finger.rules
-+#include $RULE_PATH/ftp.rules
-+#include $RULE_PATH/telnet.rules
-+#include $RULE_PATH/rpc.rules
-+#include $RULE_PATH/rservices.rules
-+#include $RULE_PATH/dos.rules
-+#include $RULE_PATH/ddos.rules
-+#include $RULE_PATH/dns.rules
-+#include $RULE_PATH/tftp.rules
-+
-+#include $RULE_PATH/web-cgi.rules
-+#include $RULE_PATH/web-coldfusion.rules
-+#include $RULE_PATH/web-iis.rules
-+#include $RULE_PATH/web-frontpage.rules
-+#include $RULE_PATH/web-misc.rules
-+#include $RULE_PATH/web-client.rules
-+#include $RULE_PATH/web-php.rules
-+
-+#include $RULE_PATH/sql.rules
-+#include $RULE_PATH/x11.rules
-+#include $RULE_PATH/icmp.rules
-+#include $RULE_PATH/netbios.rules
-+#include $RULE_PATH/misc.rules
-+#include $RULE_PATH/attack-responses.rules
-+#include $RULE_PATH/oracle.rules
-+#include $RULE_PATH/mysql.rules
-+#include $RULE_PATH/snmp.rules
-+
-+#include $RULE_PATH/smtp.rules
-+#include $RULE_PATH/imap.rules
-+#include $RULE_PATH/pop2.rules
-+#include $RULE_PATH/pop3.rules
-+
-+#include $RULE_PATH/nntp.rules
-+#include $RULE_PATH/other-ids.rules
-+#include $RULE_PATH/web-attacks.rules
-+#include $RULE_PATH/backdoor.rules
-+#include $RULE_PATH/shellcode.rules
-+#include $RULE_PATH/policy.rules
-+#include $RULE_PATH/porn.rules
-+#include $RULE_PATH/info.rules
-+#include $RULE_PATH/icmp-info.rules
-+#include $RULE_PATH/virus.rules
-+#include $RULE_PATH/chat.rules
-+#include $RULE_PATH/multimedia.rules
-+#include $RULE_PATH/p2p.rules
-+#include $RULE_PATH/spyware-put.rules
-+#include $RULE_PATH/specific-threats.rules
-+#include $RULE_PATH/experimental.rules
-+
-+
 +# Community Rules
 +include $RULE_PATH/community-bot.rules
 +include $RULE_PATH/community-deleted.rules
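Review bot: With the `-+#include $RULE_PATH/...` lines dropped from the patch, the stock includes that the inner hunk removes (visible here down to `experimental.rules`) are no longer left behind as commented lines, so the shipped `snort.conf` appears to carry only the `community-*` includes. That leaves no `local.rules` line, commented or active, for site-specific signatures, at least as far as this hunk shows. Keeping a single `+# include $RULE_PATH/local.rules` line in the patch, with a short comment on how to enable additional rule sets, would document the intended way to extend detection coverage. The inner hunk continues beyond the lines shown here.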
@@ -531,16 +128,8 @@
 +include $RULE_PATH/community-web-iis.rules
 +include $RULE_PATH/community-web-misc.rules
 +include $RULE_PATH/community-web-php.rules
++
++
  
  # include $PREPROC_RULE_PATH/preprocessor.rules
  # include $PREPROC_RULE_PATH/decoder.rules
- 
- # Include any thresholding or suppression commands. See threshold.conf in the
- # <snort src>/etc directory for details. Commands don't necessarily need to be
--# contained in this conf, but a separate conf makes it easier to maintain them. 
-+# contained in this conf, but a separate conf makes it easier to maintain them.
- # Note for Windows users:  You are advised to make this an absolute path,
- # such as:  c:\snort\etc\threshold.conf
- # Uncomment if needed.
- # include threshold.conf
-+

Modified: extra-i686/snort.install
===================================================================
--- extra-i686/snort.install	2009-03-20 01:53:47 UTC (rev 30471)
+++ extra-i686/snort.install	2009-03-20 01:54:06 UTC (rev 30472)
@@ -4,7 +4,7 @@
   usr/bin/passwd -l snort &>/dev/null
 
   [ -f var/log/snort/alert ] || : >var/log/snort/alert
-  chown snort.snort var/log/snort/alert
+  chown snort.snort var/log/snort/ -R
 
 cat << _EOF  
 
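Review bot: The new `chown snort.snort var/log/snort/ -R` runs from the install script, presumably as root, over a tree that the `snort` account can write to afterwards, and it uses the deprecated `user.group` separator with the option placed after the operand. `chown -R -h snort:snort var/log/snort` is the portable spelling and makes explicit that links found inside the directory are changed themselves rather than followed. Since the PKGBUILD in this commit now creates the directory as `-m755` with no owner, this script is the only visible place ownership is set, so it is worth confirming the same line runs on upgrade as well as on first install. The enclosing function starts outside the hunk.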



