lteo e1048a5d4e Update to Snort 2.9.4.0, from Markus Lude (maintainer).
Notable changes:

* Consolidation of IPv6 -- now only a single build supports both
  IPv4 & IPv6, and removal of the IPv4 "only" code paths.
* File API and improvements to file processing for HTTP downloads
  and email attachments via SMTP, POP, and IMAP to facilitate
  broader file support
* Use of address space ID for tracking Frag & Stream connections
  when it is available with the DAQ
* Logging of packet data that triggers PPM for post-analysis via
  Snort event
* Decoding of IPv6 with PPPoE

This commit also includes a patch to snort.conf that was done by myself
with feedback from Markus.  The snort.conf patch ensures that Snort will
load the latest Snort ruleset since the rule files have been reorganized
by upstream.  It also excludes local.rules by default, since rule
managers like Oinkmaster skip that file when downloading rules.

Tested by Markus on i386 and sparc64, Rodolfo Gouveia on 5.2/amd64 with
his own snort.conf, and myself on amd64 and i386.

OK sthen@
2013-01-16 04:52:53 +00:00

$OpenBSD: README,v 1.2 2012/10/11 02:40:48 lteo Exp $

+-----------------------------------------------------------------------
| Running ${FULLPKGNAME} on OpenBSD
+-----------------------------------------------------------------------

An up-to-date set of rules is needed for Snort to be useful as an IDS.
By default, these rules are expected to be present in the
${SYSCONFDIR}/snort/rules directory as defined by RULE_PATH in
${SYSCONFDIR}/snort/snort.conf.

The two most common sources of Snort rules are the official Snort rules
and the Emerging Threats rules.  To download the official Snort rules,
you will first need to sign up for an "oinkcode" at
https://www.snort.org/signup since they are distributed under a
commercial license.  Emerging Threats rules can be downloaded without
signing up.

The easiest way to download these rules is to use a rule manager such as
the oinkmaster package.  You can set up oinkmaster's config file to
download one or more Snort rulesets and extract them automatically.
Please refer to the documentation in the oinkmaster package for more
details.

If you prefer to obtain the rules manually without using a rule manager,
you can use the following example commands to download and extract them
to the correct directory:

* Official Snort rules (replace <oinkcode> with yours):

    ftp -o snortrules-snapshot-${V}.tar.gz \
        http://www.snort.org/reg-rules/snortrules-snapshot-${V}.tar.gz/<oinkcode>
    tar -C /etc/snort -xzf snortrules-snapshot-${V}.tar.gz rules preproc_rules

* Emerging Threats rules:

    ftp http://rules.emergingthreats.net/open/snort-2.9.0/emerging.rules.tar.gz
    tar -C /etc/snort -xzf emerging.rules.tar.gz

  If you use Emerging Threats rules, you will need to uncomment its
  include line in ${SYSCONFDIR}/snort/snort.conf and edit
  ${SYSCONFDIR}/snort/rules/emerging.conf for Snort to load them.

It is important that you review the rules carefully to ensure that you
use the rules that apply to your environment.  You should also modify
${SYSCONFDIR}/snort/snort.conf to define the relevant variables such as
HOME_NET to match your network.
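One way to check that work before starting Snort, as an added example that is not part of this README or the Snort port: a small audit of the include lines in snort.conf that reports includes whose rule file is absent (what breaks startup once upstream has renamed or dropped rule files) and includes still commented out, such as the Emerging Threats one. The config text, file list and function names are constructed for the example; it assumes Snort resolves relative include paths against the directory holding snort.conf.

```python
import os
import re

VAR_RE = re.compile(r"^\s*var\s+(\w+)\s+(\S+)")
INCLUDE_RE = re.compile(r"^\s*(#\s*)?include\s+(\S+)")

def expand_vars(value, variables):
    # Substitute $NAME / ${NAME} with values defined earlier in the file.
    return re.sub(r"\$\{?(\w+)\}?",
                  lambda m: variables.get(m.group(1), m.group(0)), value)

def audit_includes(conf_text, conf_dir, exists=os.path.isfile):
    """Return (missing, commented): include targets, as written, whose file is
    absent, and include lines that are commented out (relative paths resolve
    against conf_dir, assumed to be the directory holding snort.conf)."""
    variables, missing, commented = {}, [], []
    for line in conf_text.splitlines():
        m = VAR_RE.match(line)
        if m:
            variables[m.group(1)] = expand_vars(m.group(2), variables)
            continue
        m = INCLUDE_RE.match(line)
        if not m:
            continue
        target = m.group(2)
        if m.group(1):                  # "# include ..." is a disabled ruleset
            commented.append(target)
            continue
        path = expand_vars(target, variables)
        if not os.path.isabs(path):
            path = os.path.join(conf_dir, path)
        if not exists(os.path.normpath(path)):
            missing.append(target)
    return missing, commented

# Constructed sample: one include left over from before upstream reorganised
# the rule files, a nested variable, and the Emerging Threats include still
# commented out as shipped.
SAMPLE_CONF = """\
var RULE_PATH /etc/snort/rules
var PREPROC_RULE_PATH $RULE_PATH/../preproc_rules
include $RULE_PATH/local.rules
include $RULE_PATH/web-misc.rules
include $PREPROC_RULE_PATH/preprocessor.rules
# include $RULE_PATH/emerging.conf
"""
# Files present in the constructed scenario, standing in for the real disk.
SAMPLE_FILES = {"/etc/snort/rules/local.rules",
                "/etc/snort/preproc_rules/preprocessor.rules"}

def demo():
    return audit_includes(SAMPLE_CONF, "/etc/snort", exists=SAMPLE_FILES.__contains__)
```

On a live system call `audit_includes(open("/etc/snort/snort.conf").read(), "/etc/snort")` and fix or comment out every reported missing include before starting the rc script.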

It is recommended that Snort be run as an unprivileged chrooted user.
A _snort user/group and a log directory have been created for this
purpose. You should start Snort with the ${RCDIR}/snort script to take
advantage of this.

For more details on setting up Snort, please refer to its user manual at
${TRUEPREFIX}/share/doc/snort/snort_manual.pdf