author | M0Rf30 | 2022-06-17 02:20:27 +0200 |
committer | M0Rf30 | 2022-06-17 02:20:27 +0200 |
commit | f6ffcda4f5863e338c0961ecd5cdb51d87a266bc (patch) | |
tree | 8e4889562762db18906aaaa92d55de29353b22d0 | |
parent | a2b8a58593c308fa7925aebb2ed972f47732e326 (diff) | |
download | aur-f6ffcda4f5863e338c0961ecd5cdb51d87a266bc.tar.gz |
snort: add amish suggestions
-rw-r--r-- | .SRCINFO | 13 | ||||
-rw-r--r-- | PKGBUILD | 28 | ||||
-rw-r--r-- | local.lua | 35 | ||||
-rw-r--r-- | snort.install | 26 | ||||
-rw-r--r-- | snort.logrotate | 8 |
5 files changed, 61 insertions, 49 deletions
@@ -1,8 +1,8 @@
 pkgbase = snort
- pkgdesc = A lightweight network intrusion detection system.
+ pkgdesc = A lightweight network IDS /IPS with OpenAppID support.
 pkgver = 3.1.31.0
- pkgrel = 1
- url = https://www.snort.org/snort3
+ pkgrel = 2
+ url = https://www.snort.org
 install = snort.install
 arch = i686
 arch = x86_64
@@ -13,7 +13,6 @@ pkgbase = snort
 license = GPL
 makedepends = cmake
 makedepends = pkgconf
- depends = flatbuffers
 depends = gperftools
 depends = hwloc
 depends = hyperscan
@@ -35,6 +34,8 @@ pkgbase = snort
 backup = etc/snort/homenet.lua
 backup = etc/snort/rules/local.rules
 backup = etc/snort/rules/snort.rules
+ backup = etc/snort/lists/default.blocklist
+ backup = etc/snort/lists/default.allowlist
 backup = etc/logrotate.d/snort
 source = snort3-3.1.31.0.tar.gz::https://github.com/snort3/snort3/archive/refs/tags/3.1.31.0.tar.gz
 source = snort-openappid-23020.tar.gz::https://snort.org/downloads/openappid/23020
@@ -45,8 +46,8 @@ pkgbase = snort
 source = snort.service
 sha256sums = 252b2e7d8b4bfab8daaa1c7ba0396a9dd4d01e64c3b970b091b640f0658a5ae1
 sha256sums = 8b989b49bac511b5158ef8e05122113100b85aacbd56d10f43d9ad4be350f7ff
- sha256sums = 9fa50b961c034a694d840036c5682b21bcfe55bf9faf17602878d7db719299da
- sha256sums = 1be3b4e25138a3696be07929d455ca84bb4eddbee5f596ae636188d49309c7f6
+ sha256sums = 2e60695f90e7cb3f1faad5aa90b3ad351f2175268fb31d6fa9601f11fca22d1c
+ sha256sums = a8a7684a676da5cd55c2b5ab012dac3d14c5a6c62f6e37c4913ba1dbe506088e
 sha256sums = ae3245c5de527fb487c459f2f4a9c78803ae6341e9c81b9a404277679cdee051
 sha256sums = bc4a02d184601faba5cd0f6cb454097a3b04a0c8fe56f5f8b36d24513484faa2
 sha256sums = e1ff858e2cb062d76f72757746c4f87410151b06221255ca827b7279fee0d5df
@@ -11,20 +11,22 @@ pkgname=snort
 _pkgname=snort3
 _openappid=23020
 pkgver=3.1.31.0
-pkgrel=1
-pkgdesc='A lightweight network intrusion detection system.'
+pkgrel=2
+pkgdesc='A lightweight network IDS /IPS with OpenAppID support.'
 arch=('i686' 'x86_64' 'armv6h' 'armv7h' 'aarch64' 'arm')
-url='https://www.snort.org/snort3'
+url='https://www.snort.org'
 license=('GPL')
-depends=('flatbuffers' 'gperftools' 'hwloc' 'hyperscan' 'libdaq' 'libdnet' 'libmnl' 'libpcap' 'libunwind' 'luajit' 'lz4' 'openssl' 'pcre' 'pulledpork' 'xz' 'zlib')
+depends=('gperftools' 'hwloc' 'hyperscan' 'libdaq' 'libdnet' 'libmnl' 'libpcap' 'libunwind' 'luajit' 'lz4' 'openssl' 'pcre' 'pulledpork' 'xz' 'zlib')
 makedepends=('cmake' 'pkgconf')
 backup=('etc/snort/snort.lua'
- 'etc/snort/snort_defaults.lua'
- 'etc/snort/local.lua'
- 'etc/snort/homenet.lua'
- 'etc/snort/rules/local.rules'
- 'etc/snort/rules/snort.rules'
- 'etc/logrotate.d/snort')
+ 'etc/snort/snort_defaults.lua'
+ 'etc/snort/local.lua'
+ 'etc/snort/homenet.lua'
+ 'etc/snort/rules/local.rules'
+ 'etc/snort/rules/snort.rules'
+ 'etc/snort/lists/default.blocklist'
+ 'etc/snort/lists/default.allowlist'
+ 'etc/logrotate.d/snort')
 install='snort.install'
 source=("${_pkgname}-${pkgver}.tar.gz::https://github.com/snort3/snort3/archive/refs/tags/${pkgver}.tar.gz"
 "snort-openappid-${_openappid}.tar.gz::https://snort.org/downloads/openappid/${_openappid}"
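Review bot: The new `pkgdesc` carries a stray space in `IDS /IPS`; `pkgdesc='A lightweight network IDS/IPS with OpenAppID support.'` reads as intended. .SRCINFO repeats the same string and is regenerated from PKGBUILD (`makepkg --printsrcinfo`), so fixing it here and regenerating corrects both hunks at once.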
@@ -51,6 +53,8 @@ package() {
 install -D -m644 "${srcdir}"/snort.sysusers "${pkgdir}"/usr/lib/sysusers.d/snort.conf
 install -D -m644 "${srcdir}"/snort.service "${pkgdir}"/usr/lib/systemd/system/snort.service
 install -D -m644 /dev/null "${pkgdir}"/etc/snort/rules/snort.rules
+ install -D -m644 /dev/null "${pkgdir}"/etc/snort/lists/default.blocklist
+ install -D -m644 /dev/null "${pkgdir}"/etc/snort/lists/default.allowlist
 echo "HOME_NET = [[ 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 ]]" > "${pkgdir}"/etc/snort/homenet.lua
 echo -e '#pulledpork will put rules here in snort.rules\n#alert icmp any any -> any any ( msg:"ICMP Traffic Detected"; sid:10000001; metadata:policy security-ips alert; )' >"${pkgdir}"/etc/snort/rules/local.rules
 chmod 0644 "${pkgdir}"/etc/snort/{homenet.lua,rules/{local,snort}.rules}
@@ -63,8 +67,8 @@ package() {
 sha256sums=('252b2e7d8b4bfab8daaa1c7ba0396a9dd4d01e64c3b970b091b640f0658a5ae1'
 '8b989b49bac511b5158ef8e05122113100b85aacbd56d10f43d9ad4be350f7ff'
- '9fa50b961c034a694d840036c5682b21bcfe55bf9faf17602878d7db719299da'
- '1be3b4e25138a3696be07929d455ca84bb4eddbee5f596ae636188d49309c7f6'
+ '2e60695f90e7cb3f1faad5aa90b3ad351f2175268fb31d6fa9601f11fca22d1c'
+ 'a8a7684a676da5cd55c2b5ab012dac3d14c5a6c62f6e37c4913ba1dbe506088e'
 'ae3245c5de527fb487c459f2f4a9c78803ae6341e9c81b9a404277679cdee051'
 'bc4a02d184601faba5cd0f6cb454097a3b04a0c8fe56f5f8b36d24513484faa2'
 'e1ff858e2cb062d76f72757746c4f87410151b06221255ca827b7279fee0d5df')
diff --git a/local.lua b/local.lua
index 2b6132fdb0ef..e83fd12ba1c4 100644
--- a/local.lua
+++ b/local.lua
@@ -13,24 +13,32 @@ daq =
 },
 }
+reputation =
+{
+ blocklist = BLACK_LIST_PATH .. '/default.blocklist',
+ allowlist = WHITE_LIST_PATH .. '/default.allowlist',
+ priority = allowlist,
+ allow = do_not_block,
+}
+
 ips =
 {
 mode = inline,
 -- use this to enable decoder and inspector alerts
- --enable_builtin_rules = true,
+ enable_builtin_rules = true,
 -- use include for rules files; be sure to set your path
 -- note that rules files can include other rules files
- --include = 'snort3-community.rules',
+ include = RULE_PATH .. '/snort.rules',
 variables = default_variables,
 -- pulledpork normally includes local.rules in snort.rules
 -- otherwise you may add line to include local.rules too
- rules = [[
- include $RULE_PATH/snort.rules
- ]]
+ --rules = [[
+ -- include $RULE_PATH/local.rules
+ --]]
 }
 normalizer =
@@ -41,15 +49,11 @@ normalizer =
 }
 }
-file_id =
+file_policy =
 {
 enable_type = true,
 enable_signature = true,
- file_rules = file_magic,
- file_policy =
- {
- { use = { verdict = 'log', enable_file_type = true, enable_file_signature = true } }
- }
+ rules = { use = { verdict = 'log', enable_file_type = true, enable_file_signature = true } }
 }
 -- Enable hyperscan for IPS, AppID, HTTP inspection, pcre/regex matches
@@ -80,6 +84,8 @@ unified2 =
 alert_fast =
 {
 file = true,
+ packet = false,
+ limit = 128,
 }
 file_log =
@@ -88,6 +94,13 @@ file_log =
 log_sys_time = false,
 }
+alert_json =
+{
+ file = true,
+ limit = 128,
+ fields = 'seconds action class b64_data dir dst_addr dst_ap dst_port eth_dst eth_len eth_src eth_type gid icmp_code icmp_id icmp_seq icmp_type iface ip_id ip_len msg mpls pkt_gen pkt_len pkt_num priority proto rev rule service sid src_addr src_ap src_port target tcp_ack tcp_flags tcp_len tcp_seq tcp_win tos ttl udp_len vlan timestamp',
+}
+
 -- OpenAppID
 appid =
 {
diff --git a/snort.install b/snort.install
index 1bfb39bc09ea..5a5f727a7a1d 100644
--- a/snort.install
+++ b/snort.install
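Review bot: With `include = RULE_PATH .. '/snort.rules'` as the only rule source and the `rules = [[ include $RULE_PATH/local.rules ]]` block commented out, this config never reads /etc/snort/rules/local.rules by itself; a rule a user adds there takes effect only after pulledpork has merged it into snort.rules. The existing comment hints at that, but the post_install text in snort.install tells users to add rules to local.rules without mentioning the pulledpork step, so a hand-written rule can silently produce no alerts. A comment on the `--rules` lines such as `-- local.rules is not read directly: pulledpork merges it into snort.rules; uncomment to load it without pulledpork` would make the dependency explicit. The new `reputation` block also concatenates `BLACK_LIST_PATH` and `WHITE_LIST_PATH`, which are presumably defined in the packaged snort_defaults.lua and pointed at /etc/snort/lists to match the files the PKGBUILD installs; if either is nil the `..` fails at config load, so that is worth confirming.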
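Review bot: The `fields` list of the new `alert_json` block includes `b64_data`, so every JSON alert record carries the triggering packet payload base64-encoded; the JSON file (presumably alert_json.txt under /var/log/snort) then holds raw traffic content, including whatever credentials or session data a rule happened to fire on, for the 60 days the logrotate stanza keeps rotated files. That is a different retention profile from alert_fast, which this same commit explicitly sets to `packet = false`. A comment such as `-- b64_data embeds the raw packet payload in each record; remove it if payload retention is not wanted` would make the trade-off visible to whoever edits local.lua next.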
@@ -1,26 +1,16 @@
 post_install() {
- getent group snort >/dev/null || groupadd -g 29 snort
- getent passwd snort >/dev/null || useradd -c 'Snort user' -u 29 -g snort -d /var/log/snort -s /bin/false snort
- passwd -l snort &>/dev/null
+ /usr/bin/nohup /usr/bin/pulledpork_update.sh /etc/snort/rules/snort.rules > /dev/null 2>&1 &
+ cat << EOF
+>>> EDIT /etc/snort/homenet.conf file to match your local network.
+>>> Add local rules to /etc/snort/rules/local.rules
- [ -f var/log/snort/alert ] || : >var/log/snort/alert
- chown snort.snort var/log/snort/ -R
-
- cat << _EOF
-
->>> You have to edit the HOME_NET variable in the /etc/snort/snort.conf file to reflect your local network.
->>> If you do not change it, snort may not work.
-
-_EOF
+>>> Note: ALERTs are automatically deleted after 60 days
+>>> use barnyard2 to store them in database
+EOF
 }
 post_upgrade() {
- post_install $1
-}
-
-pre_remove() {
- userdel snort &>/dev/null
- groupdel snort &>/dev/null
+ post_install $1
 }
 # vim:set ts=2 sw=2 et:
diff --git a/snort.logrotate b/snort.logrotate
index b0c1adf81e43..258cc51c40f2 100644
--- a/snort.logrotate
+++ b/snort.logrotate
@@ -2,16 +2,20 @@
 sharedscripts
 missingok
 notifempty
+ postrotate
+ /usr/bin/systemctl try-restart snort.service > /dev/null 2>&1 || true
+ endscript
 }
-/var/log/snort/alert_fast.txt /var/log/snort/*.log.* {
+/var/log/snort/alert_*.txt /var/log/snort/*.log.* {
 nocompress
 nocreate
 olddir /var/log/snort/old
 sharedscripts
 missingok
+ notifempty
 postrotate
- /usr/bin/find /var/log/snort/old -maxdepth 1 -name 'alert_fast.*' -type f -mtime +60 -exec /usr/bin/rm '{}' ';' > /dev/null 2>&1 || true
+ /usr/bin/find /var/log/snort/old -maxdepth 1 -name 'alert_*' -type f -mtime +60 -exec /usr/bin/rm '{}' ';' > /dev/null 2>&1 || true
 /usr/bin/find /var/log/snort/old -maxdepth 1 -name '*.log*' -type f -mtime +60 -exec /usr/bin/rm '{}' ';' > /dev/null 2>&1 || true
 /usr/bin/systemctl try-restart snort.service > /dev/null 2>&1 || true
 endscript |
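Review bot: The new post_install text points users at `/etc/snort/homenet.conf`, but the PKGBUILD writes the HOME_NET definition to `/etc/snort/homenet.lua` (the path listed in `backup=` as well), so the line should read `>>> EDIT /etc/snort/homenet.lua file to match your local network.`. The added `nohup /usr/bin/pulledpork_update.sh ... > /dev/null 2>&1 &` starts a detached, root-run ruleset download from inside the package hook with all output discarded, and because post_upgrade calls post_install it repeats on every upgrade; a failed or partial fetch leaves snort.rules empty or truncated with nothing in the pacman output to show it. Printing the command in the `>>>` notes for the administrator to run (or shipping a systemd timer) keeps the fetch visible and out of the package transaction; if it stays in the hook, at least send its output to a log file instead of /dev/null.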
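Review bot: The `postrotate` added to the first stanza duplicates the `try-restart snort.service` the second stanza already runs, and `sharedscripts` only collapses runs within one stanza, so on a day both stanzas rotate snort is restarted twice; with `ips.mode = inline` in local.lua each restart is a gap in inspection and, depending on the DAQ in use, in forwarding. A reload or log-reopen action, if snort.service provides one, would be gentler than a restart, but that depends on the unit file, which this diff does not touch. The first stanza's opening line and file glob lie outside the hunk, so which files it covers cannot be checked here.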