Summary: packet-sniffer/logger
Name: snort
Version: 1.8
Release: 0
Copyright: GPL
Group: Applications/Internet
Source0: http://www.snort.org/Files/%{name}-%{version}-RELEASE.tar.gz
Source1: snort-stat
Source2: snortlog
Source4: snortd
Source5: snort.conf.dist
Url: http://www.snort.org
BuildRoot: /var/tmp/%{name}-root
Prefix: /usr
Packager: Henri Gomez , William Stearns , and Dave Wreski , Wim Vandersmissen
Requires: libpcap >= 0.4
BuildRequires: libpcap >= 0.4

%description
Snort is a libpcap-based packet sniffer/logger which can be used as a
lightweight network intrusion detection system. It features rules-based
logging and can perform protocol analysis and content searching/matching,
and can be used to detect a variety of attacks and probes, such as buffer
overflows, stealth port scans, CGI attacks, SMB probes, OS fingerprinting
attempts, and much more. Snort has a real-time alerting capability, with
alerts being sent to syslog, a separate "alert" file, or as a WinPopup
message via Samba's smbclient.

%prep
%setup -q -n snort-1.8-RELEASE

%build
CFLAGS="$RPM_OPT_FLAGS" \
./configure --prefix=/usr --bindir=/usr/sbin --sysconfdir=/etc/snort --enable-smbalerts
make

%install
# Sanity check the build root before doing any rm -rf
if [ "$RPM_BUILD_ROOT" = "/var/tmp/snort-root" ]; then
  rm -rf $RPM_BUILD_ROOT
  mkdir -p $RPM_BUILD_ROOT/usr/bin
  mkdir -p $RPM_BUILD_ROOT/usr/sbin
  mkdir -p $RPM_BUILD_ROOT/usr/doc
  mkdir -p $RPM_BUILD_ROOT/etc/snort
  mkdir -p $RPM_BUILD_ROOT/var/log/snort/archive
  mkdir -p $RPM_BUILD_ROOT/etc/rc.d/init.d
  make prefix=$RPM_BUILD_ROOT/usr bindir=$RPM_BUILD_ROOT/usr/sbin sysconfdir=$RPM_BUILD_ROOT/etc/snort install
  install \
    backdoor.rules \
    ddos.rules \
    dns.rules \
    dos.rules \
    exploit.rules \
    finger.rules \
    ftp.rules \
    icmp.rules \
    info.rules \
    local.rules \
    misc.rules \
    netbios.rules \
    policy.rules \
    rpc.rules \
    rservices.rules \
    scan.rules \
    shellcode.rules \
    smtp.rules \
    sql.rules \
    telnet.rules \
    web-cgi.rules \
    web-coldfusion.rules \
    web-frontpage.rules \
    web-iis.rules \
    web-misc.rules \
    x11.rules \
    $RPM_BUILD_ROOT/etc/snort
  install %{SOURCE1} $RPM_BUILD_ROOT/usr/bin
  install %{SOURCE2} $RPM_BUILD_ROOT/usr/bin
  install %{SOURCE4} $RPM_BUILD_ROOT/etc/rc.d/init.d
  touch $RPM_BUILD_ROOT/etc/snort/snort.conf
else
  echo Invalid Build root
  exit 1
fi

%clean
if [ "$RPM_BUILD_ROOT" = "/var/tmp/snort-root" ]; then
  rm -rf $RPM_BUILD_ROOT
else
  echo Invalid Build root
  exit 1
fi

%post
#don't do all this stuff if we are upgrading
if [ $1 = 1 ] ; then
  useradd -M -r -d /var/log/snort -s /bin/false -c "Snort" snort 2> /dev/null || true
  groupadd -r snort 2> /dev/null || true
  /sbin/chkconfig --add snortd
fi

#this only works on redhat ;/
# Read the eth0 address and the resolver's nameservers and write them
# into snort.conf as HOME_NET and DNS_SERVERS
perl -e 'open(f,"/etc/sysconfig/network-scripts/ifcfg-eth0");
while(<f>){if (/IPADDR=(.*)/) {$internal=$1;}};close(f);
open(f,"/etc/resolv.conf");
while(<f>){if (/nameserver(.*)/) {$dns=$1;$dns=~s/[ ]+//g; $dns.="/32,"; push(@dns,$dns);}}
close(f);
$dns[$#dns]=~s/,$//g;
open(f,">/etc/snort/snort.conf");
print f "var HOME_NET $internal/32\nvar EXTERNAL_NET any\nvar DNS_SERVERS ";
print f "[";
foreach (@dns) {print f "$_";}
print f "]";
print f "\n\npreprocessor defrag\npreprocessor http_decode: 80 8080\npreprocessor portscan: \$HOME_NET 4 3 /var/log/snort/portscan.log\npreprocessor portscan-ignorehosts: \$DNS_SERVERS\n\n";
close(f);'

#add the rest of the stuff
cat - << EOF >> /etc/snort/snort.conf
# Up to date snort rules are available at the following web sites:
#   http://www.snort.org
#   http://www.whitehats.com
#
# The snort web site has documentation about how to write your own
# custom snort rules.
#
# The rules included with this distribution generate alerts based
# on suspicious activity. Depending on your network environment, your
# security policies, and what you consider to be suspicious, some of
# these rules may either generate false positives or may be detecting
# activity you consider to be acceptable; therefore, you are
# encouraged to comment out rules that are not applicable in your
# environment.
#
# Note that using all of the rules at the same time may lead to
# serious packet loss on slower machines. YMMV, use with caution,
# standard disclaimers apply. :)
#
# The following individuals contributed many of the rules in this
# distribution.
#
# Credits:
#   Ron Gula of Network Security Wizards
#   Martin Markgraf
#   CyberPsychotic
#   Nick Rogness
#   Jim Forster
#   Scott McIntyre
#   Tom Vandepoel
#
include /etc/snort/backdoor.rules
include /etc/snort/ddos.rules
include /etc/snort/dns.rules
include /etc/snort/dos.rules
include /etc/snort/exploit.rules
include /etc/snort/finger.rules
include /etc/snort/ftp.rules
include /etc/snort/icmp.rules
include /etc/snort/info.rules
include /etc/snort/local.rules
include /etc/snort/misc.rules
include /etc/snort/netbios.rules
include /etc/snort/policy.rules
include /etc/snort/rpc.rules
include /etc/snort/rservices.rules
include /etc/snort/scan.rules
include /etc/snort/shellcode.rules
include /etc/snort/smtp.rules
include /etc/snort/sql.rules
include /etc/snort/telnet.rules
include /etc/snort/web-cgi.rules
include /etc/snort/web-coldfusion.rules
include /etc/snort/web-frontpage.rules
include /etc/snort/web-iis.rules
include /etc/snort/web-misc.rules
include /etc/snort/x11.rules

# Ruleset, available (updated hourly) from:
#
#   http://dev.whitehats.com/ids/vision.rules
#
# include /etc/snort/vision.rules
#
# snort.conf.dist with more options is located in /usr/share/doc/snort-1.7/snort.conf.dist
EOF

chown snort.snort /var/log/snort

echo -e "
Be sure to fetch the latest snort rules file from the ArachNIDS database
by Max Vision, or the one available from the snort.org web site.

The snortlog and snort-stat perl scripts can be used to generate
statistics from the snort syslog entries.

Snort is currently configured to listen only on eth0, and uses the
default rulesets. If this is not correct for your system, edit
/etc/rc.d/init.d/snortd and /etc/snort/snort.conf

A \"snort\" user and group have been created for snort to run as
instead of running as root. You will likely need to create the
/var/log/snort directory, and change ownership to the \"snort\" account.

Built by: Dave Wreski dave@linuxsecurity.com and Wim Vandersmissen
"

%preun
/etc/rc.d/init.d/snortd stop
if [ $1 = 0 ] ; then
  /sbin/chkconfig --del snortd
fi

%postun
#only if we are removing, not upgrading..
if [ $1 = 0 ] ; then
  userdel snort 2> /dev/null || true
  groupdel snort 2> /dev/null || true
fi

%files
%defattr(-,root,root)
%doc AUTHORS BUGS COPYING CREDITS ChangeLog INSTALL NEWS README* USAGE
%doc $RPM_SOURCE_DIR/snort.conf.dist
%attr(755,root,root) /usr/sbin/*
%attr(755,root,root) /usr/bin/*
%attr(750,root,wheel) %dir /var/log/snort
%attr(750,root,wheel) %dir /var/log/snort/archive
%attr(640,root,wheel) %config /etc/snort/backdoor.rules
%attr(640,root,wheel) %config /etc/snort/ddos.rules
%attr(640,root,wheel) %config /etc/snort/dns.rules
%attr(640,root,wheel) %config /etc/snort/dos.rules
%attr(640,root,wheel) %config /etc/snort/exploit.rules
%attr(640,root,wheel) %config /etc/snort/finger.rules
%attr(640,root,wheel) %config /etc/snort/ftp.rules
%attr(640,root,wheel) %config /etc/snort/icmp.rules
%attr(640,root,wheel) %config /etc/snort/info.rules
%attr(640,root,wheel) %config /etc/snort/local.rules
%attr(640,root,wheel) %config /etc/snort/misc.rules
%attr(640,root,wheel) %config /etc/snort/netbios.rules
%attr(640,root,wheel) %config /etc/snort/policy.rules
%attr(640,root,wheel) %config /etc/snort/rpc.rules
%attr(640,root,wheel) %config /etc/snort/rservices.rules
%attr(640,root,wheel) %config /etc/snort/scan.rules
%attr(640,root,wheel) %config /etc/snort/shellcode.rules
%attr(640,root,wheel) %config /etc/snort/smtp.rules
%attr(640,root,wheel) %config /etc/snort/sql.rules
%attr(640,root,wheel) %config /etc/snort/telnet.rules
%attr(640,root,wheel) %config /etc/snort/web-cgi.rules
%attr(640,root,wheel) %config /etc/snort/web-coldfusion.rules
%attr(640,root,wheel) %config /etc/snort/web-frontpage.rules
%attr(640,root,wheel) %config /etc/snort/web-iis.rules
%attr(640,root,wheel) %config /etc/snort/web-misc.rules
%attr(640,root,wheel) %config /etc/snort/x11.rules
%attr(640,root,wheel) %config(noreplace) /etc/snort/snort.conf
%attr(750,root,root) /etc/rc.d/init.d/snortd

%changelog
* Wed Jul 11 2001 William Stearns
- Updated source to 1.8-RELEASE, will later shoot Marty for using -RELEASE.
- Use new X-rules config files instead of old X-lib files
- FIXME

* Sat Jan 06 2001 Wim Vandersmissen
- Updated to version 1.7
- Some minor changes to snort.conf (uses default ruleset instead of vision rules)

* Tue Jul 25 2000 Wim Vandersmissen
- Added some checks to find out if we're upgrading or removing the package

* Sat Jul 22 2000 Wim Vandersmissen
- Updated to version 1.6.3
- Fixed the user/group stuff (moved to %post)
- Added userdel/groupdel to %postun
- Automagically adds the right IP, nameservers to /etc/snort/rules.base

* Sat Jul 08 2000 Dave Wreski
- Updated to version 1.6.2
- Removed references to xntpd
- Fixed minor problems with snortd init script

* Fri Jul 07 2000 Dave Wreski
- Updated to version 1.6.1
- Added user/group snort

* Sat Jun 10 2000 Dave Wreski
- Added snort init.d script (snortd)
- Added Dave Dittrich's snort rules header file (rules.base)
- Added Dave Dittrich's wget rules fetch script (check-snort)
- Fixed permissions on /var/log/snort
- Created /var/log/snort/archive for archival of snort logs
- Added post/preun to add/remove snortd to/from rc?.d directories
- Defined configuration files as %config

* Tue Mar 28 2000 William Stearns
- Quick update to 1.6.
- Sanity checks before doing rm -rf in install and clean

* Fri Dec 10 1999 Henri Gomez
- 1.5-0 Initial RPM release