mirror of
https://github.com/Ponce/slackbuilds
synced 2024-11-25 10:03:03 +01:00
3e68e1cb60
Thanks to Panagiotis Nikolaou. Signed-off-by: David Spencer <idlemoor@slackbuilds.org>
134 lines
4.1 KiB
Text
134 lines
4.1 KiB
Text
README.SLACKWARE
|
|
================
|
|
|
|
Documentation
|
|
-------------
|
|
|
|
This package builds a very basic snort implementation useful for monitoring
|
|
traffic as an IDS or packet logger and as a sort of improved tcpdump. More
|
|
information can be found at the following URLs:
|
|
https://www.snort.org/ (homepage)
|
|
https://www.snort.org/#documents (documentation links)
|
|
http://manual.snort.org/ (user manual)
|
|
|
|
|
|
Running the SlackBuild
|
|
----------------------
|
|
|
|
By default, non-Ethernet decoders (for example, venet0) are enabled. If
|
|
you need to disable this for performance reasons, use the option
|
|
'NON_ETHER=no':
|
|
|
|
NON_ETHER=no ./snort.SlackBuild
|
|
|
|
|
|
Starting snort
|
|
--------------
|
|
|
|
An rc.snort file has been included for your convenience, but it needs to be
|
|
added to your init script of choice to run on boot. You should modify the
|
|
variables in /etc/rc.d/rc.snort to reflect the interface you want to monitor,
|
|
or start it as:
|
|
|
|
IFACE=xxxx /etc/rc.d/rc.snort start|stop|restart
|
|
|
|
As an example, you can put this in your /etc/rc.d/rc.local script:
|
|
|
|
if [ -x /etc/rc.d/rc.snort ]; then
|
|
IFACE=eth1 /etc/rc.d/rc.snort start
|
|
fi
|
|
|
|
and put this in your /etc/rc.d/rc.local_shutdown:
|
|
|
|
if [ -x /etc/rc.d/rc.snort ]; then
|
|
IFACE=xxxx /etc/rc.d/rc.snort stop
|
|
fi
|
|
|
|
|
|
Installing and Updating Rules
|
|
-----------------------------
|
|
|
|
In order for Snort to function properly, you need to download rules, and
|
|
you need to update the rules regularly.
|
|
|
|
You can get a paid subscription for the latest rules at
|
|
https://www.snort.org/products
|
|
|
|
or you can register for free to download rules >30 days old at
|
|
https://www.snort.org/users/sign_up
|
|
then download your rules from
|
|
https://www.snort.org/snort-rules
|
|
|
|
The downloaded .tar.gz file contains rules and updated configuration files.
|
|
Be careful merging them, as you will probably have customized a few settings
|
|
in your snort.conf. You need to
|
|
|
|
1) put the new rules/* into /etc/snort/rules/
|
|
2) put the new preproc_rules/* into /etc/snort/preproc_rules/
|
|
3) put the new etc/* into /etc/snort/ (except for snort.conf)
|
|
4) review any changes to snort.conf and merge them into /etc/snort.conf
|
|
5) restart snort:
|
|
# IFACE=xxxx /etc/rc.d/rc.snort restart
|
|
|
|
Below is a sample script that you can use to do steps 1-3 automatically.
|
|
The script installs the new configuration as snort.conf.new, so that you can
|
|
review it.
|
|
|
|
#!/bin/bash
|
|
#=============================================================================
|
|
# Sample script to update snort rules, signatures and configurations
|
|
# *** USE AT YOUR OWN RISK *** NO GUARANTEES ***
|
|
#=============================================================================
|
|
# Written by Niels Horn
|
|
# Maintained by David Spencer <baildon.research@googlemail.com>
|
|
# v2 2015-02-22 dbs
|
|
|
|
CONFDIR=/etc/snort
|
|
|
|
# Exit on most errors
|
|
set -e
|
|
|
|
if [ -z "$1" ]; then
|
|
echo "Please specify snortrules-snapshot file:"
|
|
echo " $0 snortrules-snapshot-nnnn.tar.gz"
|
|
exit 1
|
|
fi
|
|
|
|
# Configuration files
|
|
echo "*** Updating configuration files..."
|
|
for cf in $( tar tf "$1" | grep "etc/" ); do
|
|
if [ ! "$cf" = "etc/" ]; then
|
|
file=$(basename "$cf")
|
|
tar -o -xf "$1" "$cf" -O > "$CONFDIR/$file.new"
|
|
# check if it is "snort.conf"
|
|
if [ "$file" = "snort.conf" ]; then
|
|
LIBDIRSUFFIX=""
|
|
[ "$(uname -m)" = 'x86_64' ] && LIBDIRSUFFIX="64"
|
|
sed -i -e "s#/usr/local/lib/#/usr/lib$LIBDIRSUFFIX/#g" "$CONFDIR/snort.conf.new"
|
|
else
|
|
# OK, it is something else, we can handle this
|
|
if [ -r "$CONFDIR/$file" ]; then
|
|
# we have a previous version
|
|
if [ "$(md5sum <"$CONFDIR/$file")" = "$(md5sum <"$CONFDIR/$file.new")" ]; then
|
|
# nothing new, dump previous version
|
|
rm "$CONFDIR/$file"
|
|
else
|
|
# keep previous version
|
|
mv -f "$CONFDIR/$file" "$CONFDIR/$file.old"
|
|
fi
|
|
fi
|
|
# move new file over
|
|
mv -f "$CONFDIR/$file.new" "$CONFDIR/$file"
|
|
fi
|
|
fi
|
|
done
|
|
|
|
# rules
|
|
echo "*** Updating rules..."
|
|
tar -o --strip-components=1 --directory=/etc/snort/rules --wildcards -xf "$1" 'rules/*'
|
|
|
|
# preproc-rules
|
|
echo "*** Updating preproc_rules..."
|
|
tar -o --strip-components=1 --directory=/etc/snort/preproc_rules --wildcards -xf "$1" 'preproc_rules/*'
|
|
|
|
echo "All done."
|