README.SLACKWARE ================ Documentation ------------- This package builds a very basic snort implementation useful for monitoring traffic as an IDS or packet logger and as a sort of improved tcpdump. More information can be found at the following URLs: https://www.snort.org/ (homepage) https://www.snort.org/#documents (documentation links) http://manual.snort.org/ (user manual) Starting snort -------------- An rc.snort file has been included for your convenience, but it needs to be added to your init script of choice to run on boot. You should modify the variables in /etc/rc.d/rc.snort to reflect the interface you want to monitor, or start it as: IFACE=xxxx /etc/rc.d/rc.snort start|stop|restart As an example, you can this in your /etc/rc.d/rc.local script: if [ -x /etc/rc.d/rc.snort ]; then IFACE=eth1 /etc/rc.d/rc.snort start fi and put this in your /etc/rc.d/rc.local_shutdown: if [ -x /etc/rc.d/rc.snort ]; then IFACE=xxxx /etc/rc.d/rc.snort stop fi Installing and Updating Rules ----------------------------- In order for Snort to function properly, you need to download rules, and you need to update the rules regularly. You can get a paid subscription for the latest rules at https://www.snort.org/products or you can register for free to download rules >30 days old at https://www.snort.org/users/sign_up then download your rules from https://www.snort.org/snort-rules The downloaded .tar.gz file contains rules and updated configuration files. Be careful merging them, as you will probably have customized a few settings in your snort.conf. You need to 1) put the new rules/* into /etc/snort/rules/ 2) put the new preproc_rules/* into /etc/snort/preproc_rules/ 3) put the new etc/* into /etc/snort/ (except for snort.conf) 4) review any changes to snort.conf and merge them into /etc/snort.conf 5) restart snort: # IFACE=xxxx /etc/rc.d/rc.snort restart Below is a sample script that you can use to do steps 1-3 automatically. The script installs the new configuration as snort.conf.new, so that you can review it. #!/bin/bash #============================================================================= # Sample script to update snort rules, signatures and configurations # *** USE AT YOUR OWN RISK *** NO GUARANTEES *** #============================================================================= # Written by Niels Horn # Maintained by David Spencer # v2 2015-02-22 dbs CONFDIR=/etc/snort # Exit on most errors set -e if [ -z "$1" ]; then echo "Please specify snortrules-snapshot file:" echo " $0 snortrules-snapshot-nnnn.tar.gz" exit 1 fi # Configuration files echo "*** Updating configuration files..." for cf in $( tar tf "$1" | grep "etc/" ); do if [ ! "$cf" = "etc/" ]; then file=$(basename "$cf") tar -o -xf "$1" "$cf" -O > "$CONFDIR/$file.new" # check if it is "snort.conf" if [ "$file" = "snort.conf" ]; then LIBDIRSUFFIX="" [ "$(uname -m)" = 'x86_64' ] && LIBDIRSUFFIX="64" sed -i -e "s#/usr/local/lib/#/usr/lib$LIBDIRSUFFIX/#g" "$CONFDIR/snort.conf.new" else # OK, it is something else, we can handle this if [ -r "$CONFDIR/$file" ]; then # we have a previous version if [ "$(md5sum <"$CONFDIR/$file")" = "$(md5sum <"$CONFDIR/$file.new")" ]; then # nothing new, dump previous version rm "$CONFDIR/$file" else # keep previous version mv -f "$CONFDIR/$file" "$CONFDIR/$file.old" fi fi # move new file over mv -f "$CONFDIR/$file.new" "$CONFDIR/$file" fi fi done # rules echo "*** Updating rules..." tar -o --strip-components=1 --directory=/etc/snort/rules --wildcards -xf "$1" 'rules/*' # preproc-rules echo "*** Updating preproc_rules..." tar -o --strip-components=1 --directory=/etc/snort/preproc_rules --wildcards -xf "$1" 'preproc_rules/*' echo "All done."