authorM0Rf302022-06-17 02:20:27 +0200
committerM0Rf302022-06-17 02:20:27 +0200
commitf6ffcda4f5863e338c0961ecd5cdb51d87a266bc (patch)
tree8e4889562762db18906aaaa92d55de29353b22d0
parenta2b8a58593c308fa7925aebb2ed972f47732e326 (diff)
downloadaur-f6ffcda4f5863e338c0961ecd5cdb51d87a266bc.tar.gz
snort: add amish suggestions
-rw-r--r--.SRCINFO13
-rw-r--r--PKGBUILD28
-rw-r--r--local.lua35
-rw-r--r--snort.install26
-rw-r--r--snort.logrotate8
5 files changed, 61 insertions, 49 deletions
diff --git a/.SRCINFO b/.SRCINFO
index 9f7c2df0e6a0..60721109363f 100644
--- a/.SRCINFO
+++ b/.SRCINFO
@@ -1,8 +1,8 @@
pkgbase = snort
- pkgdesc = A lightweight network intrusion detection system.
+ pkgdesc = A lightweight network IDS /IPS with OpenAppID support.
pkgver = 3.1.31.0
- pkgrel = 1
- url = https://www.snort.org/snort3
+ pkgrel = 2
+ url = https://www.snort.org
install = snort.install
arch = i686
arch = x86_64
@@ -13,7 +13,6 @@ pkgbase = snort
license = GPL
makedepends = cmake
makedepends = pkgconf
- depends = flatbuffers
depends = gperftools
depends = hwloc
depends = hyperscan
@@ -35,6 +34,8 @@ pkgbase = snort
backup = etc/snort/homenet.lua
backup = etc/snort/rules/local.rules
backup = etc/snort/rules/snort.rules
+ backup = etc/snort/lists/default.blocklist
+ backup = etc/snort/lists/default.allowlist
backup = etc/logrotate.d/snort
source = snort3-3.1.31.0.tar.gz::https://github.com/snort3/snort3/archive/refs/tags/3.1.31.0.tar.gz
source = snort-openappid-23020.tar.gz::https://snort.org/downloads/openappid/23020
@@ -45,8 +46,8 @@ pkgbase = snort
source = snort.service
sha256sums = 252b2e7d8b4bfab8daaa1c7ba0396a9dd4d01e64c3b970b091b640f0658a5ae1
sha256sums = 8b989b49bac511b5158ef8e05122113100b85aacbd56d10f43d9ad4be350f7ff
- sha256sums = 9fa50b961c034a694d840036c5682b21bcfe55bf9faf17602878d7db719299da
- sha256sums = 1be3b4e25138a3696be07929d455ca84bb4eddbee5f596ae636188d49309c7f6
+ sha256sums = 2e60695f90e7cb3f1faad5aa90b3ad351f2175268fb31d6fa9601f11fca22d1c
+ sha256sums = a8a7684a676da5cd55c2b5ab012dac3d14c5a6c62f6e37c4913ba1dbe506088e
sha256sums = ae3245c5de527fb487c459f2f4a9c78803ae6341e9c81b9a404277679cdee051
sha256sums = bc4a02d184601faba5cd0f6cb454097a3b04a0c8fe56f5f8b36d24513484faa2
sha256sums = e1ff858e2cb062d76f72757746c4f87410151b06221255ca827b7279fee0d5df
diff --git a/PKGBUILD b/PKGBUILD
index 2e67f0fd4177..ab935c5dd99b 100644
--- a/PKGBUILD
+++ b/PKGBUILD
@@ -11,20 +11,22 @@ pkgname=snort
_pkgname=snort3
_openappid=23020
pkgver=3.1.31.0
-pkgrel=1
-pkgdesc='A lightweight network intrusion detection system.'
+pkgrel=2
+pkgdesc='A lightweight network IDS /IPS with OpenAppID support.'
arch=('i686' 'x86_64' 'armv6h' 'armv7h' 'aarch64' 'arm')
-url='https://www.snort.org/snort3'
+url='https://www.snort.org'
license=('GPL')
-depends=('flatbuffers' 'gperftools' 'hwloc' 'hyperscan' 'libdaq' 'libdnet' 'libmnl' 'libpcap' 'libunwind' 'luajit' 'lz4' 'openssl' 'pcre' 'pulledpork' 'xz' 'zlib')
+depends=('gperftools' 'hwloc' 'hyperscan' 'libdaq' 'libdnet' 'libmnl' 'libpcap' 'libunwind' 'luajit' 'lz4' 'openssl' 'pcre' 'pulledpork' 'xz' 'zlib')
makedepends=('cmake' 'pkgconf')
backup=('etc/snort/snort.lua'
- 'etc/snort/snort_defaults.lua'
- 'etc/snort/local.lua'
- 'etc/snort/homenet.lua'
- 'etc/snort/rules/local.rules'
- 'etc/snort/rules/snort.rules'
- 'etc/logrotate.d/snort')
+ 'etc/snort/snort_defaults.lua'
+ 'etc/snort/local.lua'
+ 'etc/snort/homenet.lua'
+ 'etc/snort/rules/local.rules'
+ 'etc/snort/rules/snort.rules'
+ 'etc/snort/lists/default.blocklist'
+ 'etc/snort/lists/default.allowlist'
+ 'etc/logrotate.d/snort')
install='snort.install'
source=("${_pkgname}-${pkgver}.tar.gz::https://github.com/snort3/snort3/archive/refs/tags/${pkgver}.tar.gz"
"snort-openappid-${_openappid}.tar.gz::https://snort.org/downloads/openappid/${_openappid}"
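Review bot: The new pkgdesc string `'A lightweight network IDS /IPS with OpenAppID support.'` carries a stray space before the slash, and because .SRCINFO is regenerated from this line the same typo is now in both files. Change it to `pkgdesc='A lightweight network IDS/IPS with OpenAppID support.'` and regenerate .SRCINFO so the two stay in sync. The rest of the hunk (dropping flatbuffers, adding the two list files to backup=) matches the .SRCINFO change in this commit.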
@@ -51,6 +53,8 @@ package() {
install -D -m644 "${srcdir}"/snort.sysusers "${pkgdir}"/usr/lib/sysusers.d/snort.conf
install -D -m644 "${srcdir}"/snort.service "${pkgdir}"/usr/lib/systemd/system/snort.service
install -D -m644 /dev/null "${pkgdir}"/etc/snort/rules/snort.rules
+ install -D -m644 /dev/null "${pkgdir}"/etc/snort/lists/default.blocklist
+ install -D -m644 /dev/null "${pkgdir}"/etc/snort/lists/default.allowlist
echo "HOME_NET = [[ 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 ]]" > "${pkgdir}"/etc/snort/homenet.lua
echo -e '#pulledpork will put rules here in snort.rules\n#alert icmp any any -> any any ( msg:"ICMP Traffic Detected"; sid:10000001; metadata:policy security-ips alert; )' >"${pkgdir}"/etc/snort/rules/local.rules
chmod 0644 "${pkgdir}"/etc/snort/{homenet.lua,rules/{local,snort}.rules}
@@ -63,8 +67,8 @@ package() {
sha256sums=('252b2e7d8b4bfab8daaa1c7ba0396a9dd4d01e64c3b970b091b640f0658a5ae1'
'8b989b49bac511b5158ef8e05122113100b85aacbd56d10f43d9ad4be350f7ff'
- '9fa50b961c034a694d840036c5682b21bcfe55bf9faf17602878d7db719299da'
- '1be3b4e25138a3696be07929d455ca84bb4eddbee5f596ae636188d49309c7f6'
+ '2e60695f90e7cb3f1faad5aa90b3ad351f2175268fb31d6fa9601f11fca22d1c'
+ 'a8a7684a676da5cd55c2b5ab012dac3d14c5a6c62f6e37c4913ba1dbe506088e'
'ae3245c5de527fb487c459f2f4a9c78803ae6341e9c81b9a404277679cdee051'
'bc4a02d184601faba5cd0f6cb454097a3b04a0c8fe56f5f8b36d24513484faa2'
'e1ff858e2cb062d76f72757746c4f87410151b06221255ca827b7279fee0d5df')
diff --git a/local.lua b/local.lua
index 2b6132fdb0ef..e83fd12ba1c4 100644
--- a/local.lua
+++ b/local.lua
@@ -13,24 +13,32 @@ daq =
},
}
+reputation =
+{
+ blocklist = BLACK_LIST_PATH .. '/default.blocklist',
+ allowlist = WHITE_LIST_PATH .. '/default.allowlist',
+ priority = allowlist,
+ allow = do_not_block,
+}
+
ips =
{
mode = inline,
-- use this to enable decoder and inspector alerts
- --enable_builtin_rules = true,
+ enable_builtin_rules = true,
-- use include for rules files; be sure to set your path
-- note that rules files can include other rules files
- --include = 'snort3-community.rules',
+ include = RULE_PATH .. '/snort.rules',
variables = default_variables,
-- pulledpork normally includes local.rules in snort.rules
-- otherwise you may add line to include local.rules too
- rules = [[
- include $RULE_PATH/snort.rules
- ]]
+ --rules = [[
+ -- include $RULE_PATH/local.rules
+ --]]
}
normalizer =
@@ -41,15 +49,11 @@ normalizer =
}
}
-file_id =
+file_policy =
{
enable_type = true,
enable_signature = true,
- file_rules = file_magic,
- file_policy =
- {
- { use = { verdict = 'log', enable_file_type = true, enable_file_signature = true } }
- }
+ rules = { use = { verdict = 'log', enable_file_type = true, enable_file_signature = true } }
}
-- Enable hyperscan for IPS, AppID, HTTP inspection, pcre/regex matches
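Review bot: The rewritten `rules = { use = { ... } }` in file_policy drops the extra `{ }` level that the old `file_policy = { { use = ... } }` form had; if `file_policy.rules` is a list of `{ when, use }` entries, as Snort 3's module reference describes it, the single-rule form should be `rules = { { use = { verdict = 'log', enable_file_type = true, enable_file_signature = true } } }`, otherwise the `use` key is probably rejected or ignored and file logging never applies — please verify. Validating the shipped config with `snort -c /etc/snort/snort.lua -T` before publishing would catch this, since a malformed table only surfaces at service start. The `file_rules = file_magic` line is removed without a replacement in this hunk; if file type identification is now taken from elsewhere, a one-line comment saying where would help the next maintainer.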
@@ -80,6 +84,8 @@ unified2 =
alert_fast =
{
file = true,
+ packet = false,
+ limit = 128,
}
file_log =
@@ -88,6 +94,13 @@ file_log =
log_sys_time = false,
}
+alert_json =
+{
+ file = true,
+ limit = 128,
+ fields = 'seconds action class b64_data dir dst_addr dst_ap dst_port eth_dst eth_len eth_src eth_type gid icmp_code icmp_id icmp_seq icmp_type iface ip_id ip_len msg mpls pkt_gen pkt_len pkt_num priority proto rev rule service sid src_addr src_ap src_port target tcp_ack tcp_flags tcp_len tcp_seq tcp_win tos ttl udp_len vlan timestamp',
+}
+
-- OpenAppID
appid =
{
diff --git a/snort.install b/snort.install
index 1bfb39bc09ea..5a5f727a7a1d 100644
--- a/snort.install
+++ b/snort.install
@@ -1,26 +1,16 @@
post_install() {
- getent group snort >/dev/null || groupadd -g 29 snort
- getent passwd snort >/dev/null || useradd -c 'Snort user' -u 29 -g snort -d /var/log/snort -s /bin/false snort
- passwd -l snort &>/dev/null
+ /usr/bin/nohup /usr/bin/pulledpork_update.sh /etc/snort/rules/snort.rules > /dev/null 2>&1 &
+ cat << EOF
+>>> EDIT /etc/snort/homenet.conf file to match your local network.
+>>> Add local rules to /etc/snort/rules/local.rules
- [ -f var/log/snort/alert ] || : >var/log/snort/alert
- chown snort.snort var/log/snort/ -R
-
- cat << _EOF
-
->>> You have to edit the HOME_NET variable in the /etc/snort/snort.conf file to reflect your local network.
->>> If you do not change it, snort may not work.
-
-_EOF
+>>> Note: ALERTs are automatically deleted after 60 days
+>>> use barnyard2 to store them in database
+EOF
}
post_upgrade() {
- post_install $1
-}
-
-pre_remove() {
- userdel snort &>/dev/null
- groupdel snort &>/dev/null
+ post_install $1
}
# vim:set ts=2 sw=2 et:
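Review bot: The detached `/usr/bin/nohup /usr/bin/pulledpork_update.sh /etc/snort/rules/snort.rules > /dev/null 2>&1 &` in post_install starts a root-run rule fetch in the background during the pacman transaction with all output discarded, so any failure (no network in an install chroot, a missing helper script, a partially written snort.rules) is invisible to the user and the process can outlive the transaction itself. It would be safer to leave the fetch to an explicit run or a systemd timer and only print the command as a hint, e.g. `>>> Run /usr/bin/pulledpork_update.sh /etc/snort/rules/snort.rules to fetch the rule set`. The message also points at `/etc/snort/homenet.conf`, while the PKGBUILD in this commit writes `/etc/snort/homenet.lua`; change that line to `>>> EDIT /etc/snort/homenet.lua file to match your local network.`. Whether pulledpork_update.sh is provided by the pulledpork dependency is not visible in this commit, so that is assumed here.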
diff --git a/snort.logrotate b/snort.logrotate
index b0c1adf81e43..258cc51c40f2 100644
--- a/snort.logrotate
+++ b/snort.logrotate
@@ -2,16 +2,20 @@
sharedscripts
missingok
notifempty
+ postrotate
+ /usr/bin/systemctl try-restart snort.service > /dev/null 2>&1 || true
+ endscript
}
-/var/log/snort/alert_fast.txt /var/log/snort/*.log.* {
+/var/log/snort/alert_*.txt /var/log/snort/*.log.* {
nocompress
nocreate
olddir /var/log/snort/old
sharedscripts
missingok
+ notifempty
postrotate
- /usr/bin/find /var/log/snort/old -maxdepth 1 -name 'alert_fast.*' -type f -mtime +60 -exec /usr/bin/rm '{}' ';' > /dev/null 2>&1 || true
+ /usr/bin/find /var/log/snort/old -maxdepth 1 -name 'alert_*' -type f -mtime +60 -exec /usr/bin/rm '{}' ';' > /dev/null 2>&1 || true
/usr/bin/find /var/log/snort/old -maxdepth 1 -name '*.log*' -type f -mtime +60 -exec /usr/bin/rm '{}' ';' > /dev/null 2>&1 || true
/usr/bin/systemctl try-restart snort.service > /dev/null 2>&1 || true
endscript
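Review bot: The postrotate block added to the first stanza duplicates the `/usr/bin/systemctl try-restart snort.service` line that the second stanza's postrotate already runs, so a logrotate run that rotates files from both stanzas restarts Snort twice; `sharedscripts` only de-duplicates within one stanza, so either drop one of the two restarts or merge both path sets into a single stanza. The first stanza's file list sits above the hunk, so its paths are not visible here. Since local.lua in this commit sets `mode = inline`, each full restart is also a short blind window for the IPS; if the shipped snort.service supports a reload that reopens the alert files, `systemctl reload` would be the gentler choice — verify against the unit before switching.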