-rw-r--r-- | .SRCINFO | 10 | ||||
-rw-r--r-- | PKGBUILD | 26 | ||||
-rw-r--r-- | cstdint.patch | 2 | ||||
-rw-r--r-- | local.lua | 14 | ||||
-rw-r--r-- | snort.install | 2 | ||||
-rw-r--r-- | snort.service | 4 | ||||
-rw-r--r-- | tcmjem.patch | 11 |
7 files changed, 56 insertions, 13 deletions
@@ -1,7 +1,7 @@ pkgbase = snort pkgdesc = A lightweight network IDS /IPS with OpenAppID support. pkgver = 3.1.64.0 - pkgrel = 1 + pkgrel = 2 url = https://www.snort.org install = snort.install arch = i686 @@ -40,6 +40,7 @@ pkgbase = snort source = snort3-3.1.64.0.tar.gz::https://github.com/snort3/snort3/archive/refs/tags/3.1.64.0.tar.gz source = snort-openappid-33380.tar.gz::https://snort.org/downloads/openappid/33380 source = cstdint.patch + source = tcmjem.patch source = local.lua source = snort.logrotate source = snort.sysusers @@ -47,11 +48,12 @@ pkgbase = snort source = snort.service sha256sums = 57be62557178526059ded86d0bebf8a57aa4a46db9390a48ae030b6e45f1dc61 sha256sums = 3046c5af1dd81a104f13d8e895226ef64bca7fa358238fb5f29c659081eaee2a - sha256sums = 502fbfe78bbacc8d6d3384b70b8e6f0343c537532360cee755d7be8f30eab39c - sha256sums = 2e60695f90e7cb3f1faad5aa90b3ad351f2175268fb31d6fa9601f11fca22d1c + sha256sums = b3d86ffa12207afa0f2d3a2349cf4746711e71b8a43bdc593b1527eda972f8ea + sha256sums = 7fbf5c1b1ca10fba73350e563cafeb8ea4db7eb5d69ef62c067df602f27678f2 + sha256sums = b61d6492f86c7d79c1a76d1394d099403981aac7f371b1fe22ddd8a4bb15c87c sha256sums = a8a7684a676da5cd55c2b5ab012dac3d14c5a6c62f6e37c4913ba1dbe506088e sha256sums = ae3245c5de527fb487c459f2f4a9c78803ae6341e9c81b9a404277679cdee051 sha256sums = bc4a02d184601faba5cd0f6cb454097a3b04a0c8fe56f5f8b36d24513484faa2 - sha256sums = e1ff858e2cb062d76f72757746c4f87410151b06221255ca827b7279fee0d5df + sha256sums = cb1108ab0a6ad38981a6f308b0ae2b276b68d08bfa0e38c036eae277b38b28d8 pkgname = snort @@ -11,7 +11,7 @@ pkgname=snort _pkgname=snort3 _openappid=33380 pkgver=3.1.64.0 -pkgrel=1 +pkgrel=2 pkgdesc='A lightweight network IDS /IPS with OpenAppID support.' arch=('i686' 'x86_64' 'armv6h' 'armv7h' 'aarch64' 'arm') url='https://www.snort.org' 
@@ -31,6 +31,7 @@ install='snort.install' source=("${_pkgname}-${pkgver}.tar.gz::https://github.com/snort3/snort3/archive/refs/tags/${pkgver}.tar.gz" "snort-openappid-${_openappid}.tar.gz::https://snort.org/downloads/openappid/${_openappid}" 'cstdint.patch' + 'tcmjem.patch' 'local.lua' 'snort.logrotate' 'snort.sysusers' @@ -40,6 +41,9 @@ source=("${_pkgname}-${pkgver}.tar.gz::https://github.com/snort3/snort3/archive/ prepare() { cd "${_pkgname}-${pkgver}" patch -p0 < "${srcdir}"/cstdint.patch + patch -p0 < "${srcdir}"/tcmjem.patch + # Workaround https://github.com/intel/hyperscan/issues/388 + sed -i '/HAVE_HS_COMPILE_LIT/d' config.cmake.h.in cmake/sanity_checks.cmake } build() { @@ -65,6 +69,19 @@ package() { echo -e '#pulledpork will put rules here in snort.rules\n#alert icmp any any -> any any ( msg:"ICMP Traffic Detected"; sid:10000001; metadata:policy security-ips alert; )' >"${pkgdir}"/etc/snort/rules/local.rules chmod 0644 "${pkgdir}"/etc/snort/{homenet.lua,rules/{local,snort}.rules} + # rule files and other settings + sed -i -e "/^EXTERNAL_NET\\s\\+=/ a include 'homenet.lua'" \ + -e "/^HOME_NET\\s\\+=/ i -- we set HOME_NET and EXTERNAL_NET here or via an included file" \ + -e 's/^\(HOME_NET\s\+=\)/--\1/g' \ + -e 's/^\(EXTERNAL_NET\s\+=\)/--\1/g' \ + "${pkgdir}"/etc/snort/snort.lua + sed -i -e "s/^\\(RULE_PATH\\s\\+=\\).*/\\1 'rules'/g" \ + -e "s/^\\(BUILTIN_RULE_PATH\\s\\+=\\).*/\\1 'builtin_rules'/g" \ + -e "s/^\\(PLUGIN_RULE_PATH\\s\\+=\\).*/\\1 'so_rules'/g" \ + -e "s/^\\(WHITE_LIST_PATH\\s\\+=\\).*/\\1 'lists'/g" \ + -e "s/^\\(BLACK_LIST_PATH\\s\\+=\\).*/\\1 'lists'/g" \ + "${pkgdir}"/etc/snort/snort_defaults.lua + # OpenAppID files install -d -m755 "${pkgdir}"/usr/lib/openappid/custom/{libs,lua,port} cp -a --no-preserve=ownership -t "${pkgdir}"/usr/lib/openappid/ "${srcdir}"/odp 
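Review bot: The new `sed -i '/HAVE_HS_COMPILE_LIT/d' config.cmake.h.in cmake/sanity_checks.cmake` in prepare() exits 0 whether or not the pattern is present, so once the referenced hyperscan issue is fixed upstream the line keeps running against files that no longer contain it, and a renamed check would leave the build failing with no pointer back to this workaround. A guard before the sed, `grep -q HAVE_HS_COMPILE_LIT cmake/sanity_checks.cmake || { echo 'hyperscan workaround no longer applies'; return 1; }`, makes that state visible at build time. The added `patch -p0 < "${srcdir}"/tcmjem.patch` line carries no comment explaining what the patch fixes, unlike the hyperscan line beside it; the tcmjem.patch hunk in this commit only shows `tcm=0` and `jem=0` being initialised in configure_cmake.sh before the argument loop, so a comment such as `# tcmjem.patch: initialise tcm/jem before the argument-parsing loop uses them` (reason to be confirmed, it is not visible here) would help the next maintainer decide when it can be dropped. The prepare() function ends inside the hunk but the surrounding file is not shown.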
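Review bot: The sed edits of snort.lua in package() — commenting out `HOME_NET`/`EXTERNAL_NET` and appending `include 'homenet.lua'` — match only the exact upstream layout (`^HOME_NET\s\+=` at column 0), and sed exits 0 when nothing matches, so a future snort.lua that formats those lines differently would ship with the upstream HOME_NET/EXTERNAL_NET values and no include of homenet.lua, while the post_install message in this same commit still tells the user to edit homenet.lua. The same silent no-op applies to the `RULE_PATH`/`BUILTIN_RULE_PATH`/`PLUGIN_RULE_PATH`/`WHITE_LIST_PATH`/`BLACK_LIST_PATH` substitutions in snort_defaults.lua. A check after the edits, `grep -q "^include 'homenet.lua'" "${pkgdir}"/etc/snort/snort.lua || return 1`, turns that misconfiguration into a build failure rather than a package that quietly ignores the file the user is told to edit. The package() function begins and ends outside this hunk.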
@@ -73,9 +90,10 @@ package() { sha256sums=('57be62557178526059ded86d0bebf8a57aa4a46db9390a48ae030b6e45f1dc61' '3046c5af1dd81a104f13d8e895226ef64bca7fa358238fb5f29c659081eaee2a' - '502fbfe78bbacc8d6d3384b70b8e6f0343c537532360cee755d7be8f30eab39c' - '2e60695f90e7cb3f1faad5aa90b3ad351f2175268fb31d6fa9601f11fca22d1c' + 'b3d86ffa12207afa0f2d3a2349cf4746711e71b8a43bdc593b1527eda972f8ea' + '7fbf5c1b1ca10fba73350e563cafeb8ea4db7eb5d69ef62c067df602f27678f2' + 'b61d6492f86c7d79c1a76d1394d099403981aac7f371b1fe22ddd8a4bb15c87c' 'a8a7684a676da5cd55c2b5ab012dac3d14c5a6c62f6e37c4913ba1dbe506088e' 'ae3245c5de527fb487c459f2f4a9c78803ae6341e9c81b9a404277679cdee051' 'bc4a02d184601faba5cd0f6cb454097a3b04a0c8fe56f5f8b36d24513484faa2' - 'e1ff858e2cb062d76f72757746c4f87410151b06221255ca827b7279fee0d5df') + 'cb1108ab0a6ad38981a6f308b0ae2b276b68d08bfa0e38c036eae277b38b28d8') diff --git a/cstdint.patch b/cstdint.patch index 9896a4f221ed..095843d86714 100644 --- a/cstdint.patch +++ b/cstdint.patch @@ -18,7 +18,7 @@ using DaqVar = std::pair<std::string, std::string>; using DaqVarList = std::vector<DaqVar>; ---- src/service_inspectors/wizard/magic.h.amm 2023-05-24 09:16:41.121404348 +0530 +--- src/service_inspectors/wizard/magic.h 2023-05-24 09:16:41.121404348 +0530 +++ src/service_inspectors/wizard/magic.h 2023-05-24 09:17:13.008321620 +0530 @@ -23,6 +23,7 @@ #include <cassert> diff --git a/local.lua b/local.lua index e83fd12ba1c4..45ecb3fcc62a 100644 --- a/local.lua +++ b/local.lua @@ -1,3 +1,9 @@ +-- use this file for local configuration +snort = +{ + ['-Q'] = true, -- inline mode +} + daq = { modules = 
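Review bot: With this hunk inline mode is selected by `['-Q'] = true` in local.lua, and the snort.service hunk in the same commit drops `-Q` from ExecStart in favour of `-M`, so whether the daemon runs as an IPS or only as a passive IDS now depends on a user-editable tweaks file loaded through `--tweaks local`. An administrator who trims that table gets a daemon that starts cleanly but no longer blocks, which is not apparent from the unit's new "Snort IDS / IPS daemon" description. A comment in the unit, `# inline (IPS) mode is set via ['-Q'] in /etc/snort/local.lua (loaded by --tweaks local)`, and one in local.lua above the snort table, `-- removing ['-Q'] puts snort into passive (IDS-only) mode`, would document the dependency at both ends. The daq table that follows continues past this hunk.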
@@ -25,8 +31,14 @@ ips = { mode = inline, + -- disable rules which cause excessive logging + --states = [[ + -- alert ( gid:116; sid: 150; enable:no; ) + -- alert ( gid:116; sid: 151; enable:no; ) + --]], + -- use this to enable decoder and inspector alerts - enable_builtin_rules = true, + --enable_builtin_rules = true, -- use include for rules files; be sure to set your path -- note that rules files can include other rules files diff --git a/snort.install b/snort.install index 5a5f727a7a1d..cd25b823338c 100644 --- a/snort.install +++ b/snort.install @@ -1,7 +1,7 @@ post_install() { /usr/bin/nohup /usr/bin/pulledpork_update.sh /etc/snort/rules/snort.rules > /dev/null 2>&1 & cat << EOF ->>> EDIT /etc/snort/homenet.conf file to match your local network. +>>> EDIT /etc/snort/homenet.lua file to match your local network. >>> Add local rules to /etc/snort/rules/local.rules >>> Note: ALERTs are automatically deleted after 60 days diff --git a/snort.service b/snort.service index 26b89f319ad7..2d21f3a49f3a 100644 --- a/snort.service +++ b/snort.service @@ -1,8 +1,8 @@ [Unit] -Description=Snort IDS daemon in NFQUEUE mode +Description=Snort IDS / IPS daemon [Service] -ExecStart=/usr/bin/snort -Q -c /etc/snort/snort.lua -l /var/log/snort --tweaks local +ExecStart=/usr/bin/snort -M -c /etc/snort/snort.lua -l /var/log/snort --tweaks local ExecReload=kill -HUP $MAINPID [Install] diff --git a/tcmjem.patch b/tcmjem.patch new file mode 100644 index 000000000000..1206937b693f --- /dev/null +++ b/tcmjem.patch @@ -0,0 +1,11 @@ +--- configure_cmake.sh 2023-06-05 17:30:25.919291388 +0530 ++++ configure_cmake.sh 2023-06-05 17:32:39.363142785 +0530 +@@ -154,6 +154,8 @@ + build_type="" + [ -z "$CFLAGS" ] && [ -z "$CXXFLAGS" ] && build_type="RelWithDebInfo" + ++tcm=0 ++jem=0 + + # parse arguments + while [ $# -ne 0 ]; do |
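Review bot: Commenting out `enable_builtin_rules = true` turns off all decoder and inspector alerts in order to deal with two noisy rules, while the targeted fix is already written in the same hunk but also commented out (the `states` block disabling gid 116 sids 150 and 151). Keeping `enable_builtin_rules = true` and uncommenting the `states` block would silence only the two rules named and leave the remaining builtin detections active; the `[[ ... ]]` string form used there should be checked against the ips module's `states` syntax before it is enabled. The ips table starts before this hunk and the rule includes follow it.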