Summary: packet-sniffer/logger
Name: snort
Version: 1.6.3
Release: 0
Copyright: GPL
Group: Applications/Internet
Source0: http://www.snort.org/Files/%{name}-%{version}.tar.gz
Source1: snort-stat
Source2: snortlog
Source3: snort-update
Source4: snortd
Source5: rules.base
Source6: README.snort-stuff
Source7: vision.rules
#Url: http://www.clark.net/~roesch/security.html
Url: http://www.snort.org
BuildRoot: /var/tmp/%{name}-root
Prefix: /usr
Packager: Henri Gomez, William Stearns, and Dave Wreski
Requires: libpcap >= 0.4
BuildRequires: libpcap >= 0.4

%description
Snort is a libpcap-based packet sniffer/logger which can be used as a
lightweight network intrusion detection system. It features rules-based
logging and can perform protocol analysis and content searching/matching,
and can be used to detect a variety of attacks and probes, such as buffer
overflows, stealth port scans, CGI attacks, SMB probes, OS fingerprinting
attempts, and much more. Snort has a real-time alerting capability, with
alerts being sent to syslog, a separate "alert" file, or as a WinPopup
message via Samba's smbclient.

%prep
%setup -q

%build
CFLAGS="$RPM_OPT_FLAGS" \
./configure --prefix=/usr --bindir=/usr/sbin --sysconfdir=/etc/snort \
    --enable-smbalerts --with-libpcap-includes=/usr/include/pcap/
make

%install
# Sanity check: only wipe the build root if it is the one we expect.
if [ "$RPM_BUILD_ROOT" = "/var/tmp/snort-root" ]; then
    rm -rf $RPM_BUILD_ROOT
    mkdir -p $RPM_BUILD_ROOT/usr/bin
    mkdir -p $RPM_BUILD_ROOT/usr/sbin
    mkdir -p $RPM_BUILD_ROOT/usr/doc
    mkdir -p $RPM_BUILD_ROOT/etc/snort
    mkdir -p $RPM_BUILD_ROOT/var/log/snort/archive
    mkdir -p $RPM_BUILD_ROOT/etc/rc.d/init.d
    make prefix=$RPM_BUILD_ROOT/usr bindir=$RPM_BUILD_ROOT/usr/sbin \
        sysconfdir=$RPM_BUILD_ROOT/etc/snort install
    # Make the rule library includes absolute so snort finds them under /etc/snort.
    sed -e 's;include ;include /etc/snort/;' < snort-lib > snort-lib.new
    rm -f snort-lib
    mv snort-lib.new snort-lib
    install *-lib $RPM_BUILD_ROOT/etc/snort
    install %{SOURCE1} $RPM_BUILD_ROOT/usr/bin
    install %{SOURCE2} $RPM_BUILD_ROOT/usr/bin
    install %{SOURCE3} $RPM_BUILD_ROOT/usr/sbin
    install %{SOURCE4} $RPM_BUILD_ROOT/etc/rc.d/init.d
    install %{SOURCE5} $RPM_BUILD_ROOT/etc/snort
    install $RPM_SOURCE_DIR/vision.rules $RPM_BUILD_ROOT/etc/snort
else
    echo Invalid Build root
    exit 1
fi

%clean
if [ "$RPM_BUILD_ROOT" = "/var/tmp/snort-root" ]; then
    rm -rf $RPM_BUILD_ROOT
else
    echo Invalid Build root
    exit 1
fi

%pre
# Temporarily stop snort, whether upgrading or removing. We'll restart it
# in %post if this is an upgrade.
if [ -x /etc/rc.d/init.d/snortd ]; then
    /etc/rc.d/init.d/snortd stop
fi
# Create the snort user/group, whether this is a new install or an upgrade,
# so the daemon can run unprivileged instead of as root.
grep -q ^snort /etc/passwd
if [ $? -eq 1 ]; then
    useradd -s /bin/false snort
fi
grep -q ^snort /etc/group
if [ $? -eq 1 ]; then
    groupadd snort
fi

%post
/sbin/chkconfig --add snortd
if [ -x /etc/rc.d/init.d/snortd ]; then
    /etc/rc.d/init.d/snortd start
fi
echo -e "
Be sure to fetch the latest snort rules file from the ArachNIDS database by
Max Vision, or the one available from the snort.org web site. Included with
this RPM is snort-update, a script written by Dave Dittrich that uses wget to
regularly download the latest vision.rules file from dev.whitehats.com and
alert you if it has been updated. See the README.snort-stuff for info.

The snortlog and snort-stat perl scripts can be used to generate statistics
from the snort syslog entries.

Snort is currently configured to listen only on eth0, and assumes the use of
the ArachNIDS ruleset. If this is not correct for your system, edit
/etc/rc.d/init.d/snortd .

A \"snort\" user and group have been created for snort to run as instead of
running as root.

Built by: Dave Wreski, Henri Gomez, and William Stearns
Excellently coded by: Martin Roesch
"

%preun
# $1 is 0 only when the package is being completely erased, not upgraded.
if [ "$1" = "0" ]; then
    if [ -x /etc/rc.d/init.d/snortd ]; then
        /etc/rc.d/init.d/snortd stop
    fi
    /sbin/chkconfig --del snortd
fi

%postun
# $1 is 0 only when the package is being completely erased, not upgraded.
if [ "$1" = "0" ]; then
    grep -q ^snort /etc/passwd
    if [ $? -eq 0 ]; then
        userdel snort
    fi
    grep -q ^snort /etc/group
    if [ $? -eq 0 ]; then
        groupdel snort
    fi
fi

%files
%defattr(-,root,root)
%doc AUTHORS BUGS COPYING CREDITS ChangeLog INSTALL NEWS README* USAGE
%doc $RPM_SOURCE_DIR/README.snort-stuff
%attr(750,root,root) /etc/rc.d/init.d/snortd
%attr(640,root,wheel) /etc/snort/backdoor-lib
%attr(640,root,wheel) /etc/snort/ddos-lib
%attr(640,root,wheel) /etc/snort/finger-lib
%attr(640,root,wheel) /etc/snort/ftp-lib
%attr(640,root,wheel) /etc/snort/misc-lib
%attr(640,root,wheel) /etc/snort/netbios-lib
%attr(640,root,wheel) /etc/snort/overflow-lib
%attr(640,root,wheel) /etc/snort/ping-lib
%attr(640,root,wheel) /etc/snort/rpc-lib
%attr(640,root,wheel) /etc/snort/rules.base
%attr(640,root,wheel) /etc/snort/scan-lib
%attr(640,root,wheel) /etc/snort/smtp-lib
%attr(640,root,wheel) /etc/snort/snort-lib
%attr(640,root,wheel) /etc/snort/telnet-lib
%attr(640,root,wheel) /etc/snort/vision.rules
%attr(640,root,wheel) /etc/snort/webcf-lib
%attr(640,root,wheel) /etc/snort/webcgi-lib
%attr(640,root,wheel) /etc/snort/webfp-lib
%attr(640,root,wheel) /etc/snort/webiis-lib
%attr(640,root,wheel) /etc/snort/webmisc-lib
%attr(755,root,root) /usr/bin/snort-stat
%attr(755,root,root) /usr/bin/snortlog
%attr(755,root,root) /usr/man/man8/snort.8
%attr(755,root,root) /usr/sbin/snort
%attr(755,root,root) /usr/sbin/snort-update
%attr(750,snort,wheel) %dir /var/log/snort
%attr(750,snort,wheel) %dir /var/log/snort/archive

%changelog
* Tue Aug 03 2000 William Stearns
- Check to see whether this is an upgrade or a final install in the preun/postun scripts
- Updated to version 1.6.3
- Updated vision.rules
- New url for www.snort.org
- List out the individual files in /etc/snort, /usr/bin, /usr/sbin
- Add man page back in rpm build
- PGP signed

* Tue Jul 18 2000 Henri Gomez
- Creation of user/group snort moved to pre-install instead of install time
- Delete user/group snort at uninstall time

* Sat Jul 08 2000 Dave Wreski
- Updated to version 1.6.2
- Removed references to xntpd
- Fixed minor problems with snortd init script

* Fri Jul 07 2000 Dave Wreski
- Updated to version 1.6.1
- Added user/group snort

* Sat Jun 10 2000 Dave Wreski
- Added snort init.d script (snortd)
- Added Dave Dittrich's snort rules header file (rules.base)
- Added Dave Dittrich's wget rules fetch script (check-snort)
- Fixed permissions on /var/log/snort
- Created /var/log/snort/archive for archival of snort logs
- Added post/preun to add/remove snortd to/from rc?.d directories
- Defined configuration files as %config

* Tue Mar 28 2000 William Stearns
- Quick update to 1.6.
- Sanity checks before doing rm -rf in install and clean

* Fri Dec 10 1999 Henri Gomez
- 1.5-0 Initial RPM release