slackbuilds_ponce/network/snort/README.SLACKWARE
2010-05-12 17:44:12 +02:00

48 lines
2.2 KiB
Text

Snort has three primary functional modes. It can be used as a packet sniffer
like tcpdump(1), a packet logger (useful for network traffic debugging, etc),
or as a full blown network intrusion detection and prevention system.
Please read the snort_manual.pdf file that should be included with this
distribution for full documentation on the program as well as a guide to
getting started.
This package builds a very basic snort implimentation useful for monitoring
traffic as an IDS or packet logger and as a sort of improved tcpdump (which
is what I use it for). MySQL support is included, so you should have little
trouble hooking snort up to a database or ACID. For more information on
these, check out snort's homepage at:
http://www.snort.org/
http://www.snort.org/docs/
snort.org has a nasty habit of changing the location of their source
code, which means there's no garauntee that the link in snort.info is
correct. If you can't get that link to work, look for the source code at:
http://www.snort.org/dl/old/
In order for Snort to function properly, you need to provide rule files.
I recommend registering for free at http://www.snorg.org so you can get these
files. Once you have done that, go to http://snort.org/pub-bin/downloads.cgi
and get the latest 2.8 series VRT Certified Rules. You need to untar this
file and place follow files from etc in the tarball in to your /etc/snort
directory :
generators
gen-msg.map
sid
sid-msg.map
If you are going to use a front end like Base, you should copy the
dog/signatures directory from the tarball in to
/usr/doc/snort-$VERSION/ . Last, but certainly not least, you must
copy the contents of the rules/ directory in the tarball to
/etc/snort/rules/ . After you've done this, you can safely restart
snort or send a HUP to snort to reload the files (killall -HUP snort).
A rc.snort file has been included for your convenience, but it needs to be
added to your init script of choice to run on boot. You should modify the
variables in /etc/rc.d/rc.snort to reflect the interface you want to monitor.
This Slackbuild is no longer maintained by Alan Hicks, but rather me
(Thomas York), so email me instead if you have any questions.
--Thomas York (straterra@fuhell.com)