-rw-r--r--.SRCINFO50
-rw-r--r--PKGBUILD83
-rw-r--r--local.lua97
-rw-r--r--snort.logrotate18
-rw-r--r--snort.service9
-rw-r--r--snort.sysusers1
-rw-r--r--snort.tmpfiles2
-rw-r--r--snort@.service10
8 files changed, 202 insertions, 68 deletions
diff --git a/.SRCINFO b/.SRCINFO
index 64401b5b167c..d8db6c19474e 100644
--- a/.SRCINFO
+++ b/.SRCINFO
@@ -1,6 +1,6 @@
pkgbase = snort
pkgdesc = A lightweight network intrusion detection system.
- pkgver = 2.9.17.1
+ pkgver = 3.1.5.0
pkgrel = 1
url = http://www.snort.org
install = snort.install
@@ -11,34 +11,46 @@ pkgbase = snort
arch = aarch64
arch = arm
license = GPL
- makedepends = libtirpc
- depends = dbus
+ makedepends = cmake
+ makedepends = pkgconf
+ depends = flatbuffers
+ depends = gperftools
+ depends = hwloc
+ depends = hyperscan
depends = libdaq
depends = libdnet
- depends = libgcrypt
- depends = libgpg-error
- depends = libnghttp2
- depends = libnl
+ depends = libmnl
depends = libpcap
+ depends = libunwind
depends = luajit
depends = lz4
depends = openssl
depends = pcre
+ depends = pulledpork
depends = xz
depends = zlib
options = !makeflags
options = !libtool
- backup = etc/snort/snort.conf
- backup = etc/snort/threshold.conf
- backup = etc/snort/reference.config
- backup = etc/snort/classification.config
- backup = etc/snort/rules/emerging.conf
- source = https://www.snort.org/downloads/snort/snort-2.9.17.1.tar.gz
- source = http://rules.emergingthreats.net/open/snort-2.9.0/emerging.rules.tar.gz
- source = snort@.service
- sha256sums = 303d3d5dc5affecfeaad3a331d3163f901d48d960fdd6598cb55c6d1591eed82
- sha256sums = SKIP
- sha256sums = 0b7c4e5dfbfe53d2258c54129a6fcd1e6a476a8d4259d5ad7372f6229fb30605
+ backup = etc/snort/snort.lua
+ backup = etc/snort/snort_defaults.lua
+ backup = etc/snort/local.lua
+ backup = etc/snort/homenet.lua
+ backup = etc/snort/rules/local.rules
+ backup = etc/snort/rules/snort.rules
+ backup = etc/logrotate.d/snort
+ source = snort3-3.1.5.0.tar.gz::https://github.com/snort3/snort3/archive/refs/tags/3.1.5.0.tar.gz
+ source = snort-openappid-17843.tar.gz::https://snort.org/downloads/openappid/17843
+ source = local.lua
+ source = snort.logrotate
+ source = snort.sysusers
+ source = snort.tmpfiles
+ source = snort.service
+ sha256sums = 9209ca675c55e1c9dee1cb15e571b29c317f6e167b54f22e7bc18a6164218b1b
+ sha256sums = d6bbe298648a095f4d4f3ff8806333143f4607fbb9f006388db055e14c5af57d
+ sha256sums = 9fa50b961c034a694d840036c5682b21bcfe55bf9faf17602878d7db719299da
+ sha256sums = 1be3b4e25138a3696be07929d455ca84bb4eddbee5f596ae636188d49309c7f6
+ sha256sums = ae3245c5de527fb487c459f2f4a9c78803ae6341e9c81b9a404277679cdee051
+ sha256sums = bc4a02d184601faba5cd0f6cb454097a3b04a0c8fe56f5f8b36d24513484faa2
+ sha256sums = e1ff858e2cb062d76f72757746c4f87410151b06221255ca827b7279fee0d5df
pkgname = snort
-
diff --git a/PKGBUILD b/PKGBUILD
index 65d076a4d51d..fcd67dcd7761 100644
--- a/PKGBUILD
+++ b/PKGBUILD
@@ -7,59 +7,64 @@
# Contributor: Netboy3
pkgname=snort
-pkgver=2.9.17.1
+_pkgname=snort3
+_openappid=17843
+pkgver=3.1.5.0
pkgrel=1
pkgdesc='A lightweight network intrusion detection system.'
arch=('i686' 'x86_64' 'armv6h' 'armv7h' 'aarch64' 'arm')
url='http://www.snort.org'
license=('GPL')
-depends=('dbus' 'libdaq' 'libdnet' 'libgcrypt' 'libgpg-error' 'libnghttp2' 'libnl' 'libpcap' 'luajit' 'lz4' 'openssl' 'pcre' 'xz' 'zlib')
-makedepends=('libtirpc')
-backup=('etc/snort/snort.conf'
- 'etc/snort/threshold.conf'
- 'etc/snort/reference.config'
- 'etc/snort/classification.config'
- 'etc/snort/rules/emerging.conf')
+depends=('flatbuffers' 'gperftools' 'hwloc' 'hyperscan' 'libdaq' 'libdnet' 'libmnl' 'libpcap' 'libunwind' 'luajit' 'lz4' 'openssl' 'pcre' 'pulledpork' 'xz' 'zlib')
+makedepends=('cmake' 'pkgconf')
+backup=('etc/snort/snort.lua'
+ 'etc/snort/snort_defaults.lua'
+ 'etc/snort/local.lua'
+ 'etc/snort/homenet.lua'
+ 'etc/snort/rules/local.rules'
+ 'etc/snort/rules/snort.rules'
+ 'etc/logrotate.d/snort')
options=('!makeflags' '!libtool')
install='snort.install'
-source=("https://www.snort.org/downloads/snort/${pkgname}-${pkgver}.tar.gz"
- "http://rules.emergingthreats.net/open/${pkgname}-2.9.0/emerging.rules.tar.gz"
- 'snort@.service'
-)
+source=("${_pkgname}-${pkgver}.tar.gz::https://github.com/snort3/snort3/archive/refs/tags/${pkgver}.tar.gz"
+ "snort-openappid-${_openappid}.tar.gz::https://snort.org/downloads/openappid/${_openappid}"
+ 'local.lua'
+ 'snort.logrotate'
+ 'snort.sysusers'
+ 'snort.tmpfiles'
+ 'snort.service')
build() {
- cd "${srcdir}/${pkgname}-${pkgver}"
- ./configure --prefix=/usr \
- --sysconfdir=/etc/snort \
- --with-libpcap-includes=/usr/include/pcap \
- --with-daq-includes=/usr/include \
- --with-daq-libraries=/usr/lib/daq/ \
- --disable-static-daq \
- CPPFLAGS="$CPPFLAGS -I/usr/include/tirpc/"
- make
+ cd "${srcdir}/${_pkgname}-${pkgver}"
+ ./configure_cmake.sh --prefix=/usr --enable-tcmalloc --with-daq-libraries=/usr/lib/daq/ --disable-static-daq
+ make -C build
}
package() {
- cd "${srcdir}/${pkgname}-${pkgver}"
+ cd "${srcdir}/${_pkgname}-${pkgver}"
+ make -C build DESTDIR="${pkgdir}" install
- make DESTDIR="${pkgdir}" install
+ mv "${pkgdir}"{/usr,}/etc
+ install -D -m644 "${srcdir}"/local.lua "${pkgdir}"/etc/snort
+ install -D -m644 "${srcdir}"/snort.logrotate "${pkgdir}"/etc/logrotate.d/snort
+ install -D -m644 "${srcdir}"/snort.tmpfiles "${pkgdir}"/usr/lib/tmpfiles.d/snort.conf
+ install -D -m644 "${srcdir}"/snort.sysusers "${pkgdir}"/usr/lib/sysusers.d/snort.conf
+ install -D -m644 "${srcdir}"/snort.service "${pkgdir}"/usr/lib/systemd/system/snort.service
+ install -D -m644 /dev/null "${pkgdir}"/etc/snort/rules/snort.rules
+ echo "HOME_NET = [[ 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 ]]" >"${pkgdir}"/etc/snort/homenet.lua
+ echo -e '#pulledpork will put rules here in snort.rules\n#alert icmp any any -> any any ( msg:"ICMP Traffic Detected"; sid:10000001; metadata:policy security-ips alert; )' >"${pkgdir}"/etc/snort/rules/local.rules
+ chmod 0644 "${pkgdir}"/etc/snort/{homenet.lua,rules/{local,snort}.rules}
- mkdir -p "${pkgdir}/"{etc/rc.d,etc/snort/rules}
+ # OpenAppID files
+ install -d -m755 "${pkgdir}"/usr/lib/openappid/custom/{libs,lua,port}
+ cp -a --no-preserve=ownership -t "${pkgdir}"/usr/lib/openappid/ "${srcdir}"/odp
- install -d -m755 "${pkgdir}/var/log/snort"
- install -D -m644 etc/{*.conf*,*.map} "${pkgdir}/etc/snort/"
- cd "${srcdir}/${pkgname}-${pkgver}"
-
- # init service file
- install -D -m644 ../snort@.service $pkgdir/usr/lib/systemd/system/snort@.service
-
- sed -i 's#/usr/local/lib/#/usr/lib/#' "${pkgdir}/etc/snort/snort.conf"
-
- # emerginthreats rules
- echo 'include $RULE_PATH/emerging.conf' >>"${pkgdir}/etc/snort/snort.conf"
- cp ${srcdir}/rules/* "${pkgdir}/etc/snort/rules"
}
-sha256sums=('303d3d5dc5affecfeaad3a331d3163f901d48d960fdd6598cb55c6d1591eed82'
- 'SKIP'
- '0b7c4e5dfbfe53d2258c54129a6fcd1e6a476a8d4259d5ad7372f6229fb30605')
+sha256sums=('9209ca675c55e1c9dee1cb15e571b29c317f6e167b54f22e7bc18a6164218b1b'
+ 'd6bbe298648a095f4d4f3ff8806333143f4607fbb9f006388db055e14c5af57d'
+ '9fa50b961c034a694d840036c5682b21bcfe55bf9faf17602878d7db719299da'
+ '1be3b4e25138a3696be07929d455ca84bb4eddbee5f596ae636188d49309c7f6'
+ 'ae3245c5de527fb487c459f2f4a9c78803ae6341e9c81b9a404277679cdee051'
+ 'bc4a02d184601faba5cd0f6cb454097a3b04a0c8fe56f5f8b36d24513484faa2'
+ 'e1ff858e2cb062d76f72757746c4f87410151b06221255ca827b7279fee0d5df')
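Review bot: The OpenAppID payload is installed with `cp -a`, which carries whatever file modes the downloaded `odp` tree happens to have straight into the package, so a stray executable or group/world-writable bit in that archive lands under /usr/lib/openappid on every install; the sibling `custom/{libs,lua,port}` directories are explicitly created 0755, but nothing normalises the vendored files. I cannot tell from the diff what modes the tarball actually carries, so I would follow the copy with `chmod -R u=rwX,go=rX "${pkgdir}"/usr/lib/openappid/odp` (or use `cp -r --no-preserve=mode,ownership`) rather than trust upstream's packaging. Separately, `options=('!makeflags' '!libtool')` is carried over from the autotools build: `!libtool` has no effect on a cmake tree and `!makeflags` only serialises `make -C build`, so both look droppable. If `configure_cmake.sh` in this release exposes a hardened-build/PIE switch it is worth enabling alongside `--enable-tcmalloc`; that should be confirmed against the script rather than assumed here.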
diff --git a/local.lua b/local.lua
new file mode 100644
index 000000000000..2b6132fdb0ef
--- /dev/null
+++ b/local.lua
@@ -0,0 +1,97 @@
+daq =
+{
+ modules =
+ {
+ {
+ name = 'afpacket',
+ mode = 'inline',
+ },
+ },
+ module_dirs =
+ {
+ '/usr/lib/daq',
+ },
+}
+
+ips =
+{
+ mode = inline,
+
+ -- use this to enable decoder and inspector alerts
+ --enable_builtin_rules = true,
+
+ -- use include for rules files; be sure to set your path
+ -- note that rules files can include other rules files
+ --include = 'snort3-community.rules',
+
+ variables = default_variables,
+
+ -- pulledpork normally includes local.rules in snort.rules
+ -- otherwise you may add line to include local.rules too
+ rules = [[
+ include $RULE_PATH/snort.rules
+ ]]
+}
+
+normalizer =
+{
+ tcp =
+ {
+ ips = true,
+ }
+}
+
+file_id =
+{
+ enable_type = true,
+ enable_signature = true,
+ file_rules = file_magic,
+ file_policy =
+ {
+ { use = { verdict = 'log', enable_file_type = true, enable_file_signature = true } }
+ }
+}
+
+-- Enable hyperscan for IPS, AppID, HTTP inspection, pcre/regex matches
+search_engine = { search_method = "hyperscan" }
+detection = { hyperscan_literals = true, pcre_to_regex = true }
+
+-- Enable ZIP, PDF and SWF decompression in http_inspect and smtp
+--http_inspect.decompress_pdf = true
+--http_inspect.decompress_swf = true
+--http_inspect.decompress_zip = true
+--smtp.decompress_pdf = true
+--smtp.decompress_swf = true
+--smtp.decompress_zip = true
+
+-- Logging
+
+-- Enable logging of email headers and attachments in smtp
+--smtp.log_email_hdrs = true
+--smtp.log_filename = true
+--smtp.log_mailfrom = true
+--smtp.log_rcptto = true
+
+unified2 =
+{
+ limit = 128,
+}
+
+alert_fast =
+{
+ file = true,
+}
+
+file_log =
+{
+ log_pkt_time = true,
+ log_sys_time = false,
+}
+
+-- OpenAppID
+appid =
+{
+ app_detector_dir = '/usr/lib/openappid',
+ log_stats = true,
+ app_stats_period = 60,
+}
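Review bot: `mode = inline` in the `ips` table is an unquoted Lua identifier, unlike `mode = 'inline'` in the `daq` table a few lines above; unless snort_defaults.lua or snort's embedded Lua defines a global named `inline`, the expression evaluates to nil, the key is silently dropped from the table, and this file leaves `ips` in its default passive (tap) mode. The packaged unit passes `-Q`, so the service itself still ends up inline, but anyone loading `snort.lua --tweaks local` without `-Q` (a `-T` validation run, a manual pcap replay) gets a non-blocking engine while the config reads as if it blocks. Writing `mode = 'inline',` removes the ambiguity whichever way the global resolves.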
diff --git a/snort.logrotate b/snort.logrotate
new file mode 100644
index 000000000000..b0c1adf81e43
--- /dev/null
+++ b/snort.logrotate
@@ -0,0 +1,18 @@
+/var/log/snort/*.log {
+ sharedscripts
+ missingok
+ notifempty
+}
+
+/var/log/snort/alert_fast.txt /var/log/snort/*.log.* {
+ nocompress
+ nocreate
+ olddir /var/log/snort/old
+ sharedscripts
+ missingok
+ postrotate
+ /usr/bin/find /var/log/snort/old -maxdepth 1 -name 'alert_fast.*' -type f -mtime +60 -exec /usr/bin/rm '{}' ';' > /dev/null 2>&1 || true
+ /usr/bin/find /var/log/snort/old -maxdepth 1 -name '*.log*' -type f -mtime +60 -exec /usr/bin/rm '{}' ';' > /dev/null 2>&1 || true
+ /usr/bin/systemctl try-restart snort.service > /dev/null 2>&1 || true
+ endscript
+}
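Review bot: The `postrotate` of the second stanza runs `systemctl try-restart snort.service` after every rotation, and for an engine that local.lua puts in inline mode a restart is a window in which traffic is either stalled or passes uninspected (depending on the DAQ) and all flow state is discarded. The restart appears to exist only because `nocreate` means snort keeps writing to the renamed file; if Snort 3 reopens its outputs on the SIGHUP the unit already wires to `ExecReload` (worth confirming against the snort3 documentation), `/usr/bin/systemctl try-reload-or-restart snort.service` avoids the gap. Neither stanza sets `rotate`, so the `*.log` files depend on the global /etc/logrotate.conf value, and with logrotate's built-in default of 0 they are deleted rather than handed to the `old/` stanza; an explicit `rotate 1` in the first stanza (the second already prunes by age with `find -mtime +60`) makes the intent robust.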
diff --git a/snort.service b/snort.service
new file mode 100644
index 000000000000..26b89f319ad7
--- /dev/null
+++ b/snort.service
@@ -0,0 +1,9 @@
+[Unit]
+Description=Snort IDS daemon in NFQUEUE mode
+
+[Service]
+ExecStart=/usr/bin/snort -Q -c /etc/snort/snort.lua -l /var/log/snort --tweaks local
+ExecReload=kill -HUP $MAINPID
+
+[Install]
+WantedBy=multi-user.target
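Review bot: The unit runs snort as root for its whole lifetime: there is no `User=`, no `-u snort -g snort` (which the deleted snort@.service passed, and which the package still provisions a `snort` account for via snort.sysusers), and no sandboxing, so a parser bug on the packet path executes with full root. The Description says NFQUEUE, but local.lua selects the afpacket DAQ in inline mode and `ExecStart` names no interfaces, so as shipped the unit either cannot start or does not do what its description claims until the admin writes a drop-in; one of the description, the DAQ module or a documented `-i` override should be fixed. There is also no `After=network.target` or `Restart=`, so a crash of an inline IPS leaves the host silently unprotected (or cut off, with afpacket inline) until someone notices. I would at least drop privileges the way the old unit did and confine the filesystem as below; the capability set is what afpacket/NFQUEUE typically needs and should be trimmed to what a test run actually requires.
```ini
[Unit]
Description=Snort 3 IDS/IPS daemon
After=network.target
Wants=network.target

[Service]
ExecStart=/usr/bin/snort -Q -c /etc/snort/snort.lua -l /var/log/snort --tweaks local -u snort -g snort
ExecReload=kill -HUP $MAINPID
Restart=on-failure
# snort opens the DAQ as root and then setuid()s to snort; keep only what that needs
CapabilityBoundingSet=CAP_NET_RAW CAP_NET_ADMIN CAP_SETUID CAP_SETGID
ProtectSystem=strict
ReadWritePaths=/var/log/snort
ProtectHome=yes
PrivateTmp=yes
; … unchanged: [Install] section …
```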
diff --git a/snort.sysusers b/snort.sysusers
new file mode 100644
index 000000000000..18fb40135f7b
--- /dev/null
+++ b/snort.sysusers
@@ -0,0 +1 @@
+u snort 29 - /var/log/snort
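Review bot: The sysusers line pins the snort account to static UID/GID 29; a fixed ID is only safe if 29 is reserved for snort in the distribution's static ID registry, otherwise `systemd-sysusers` fails or collides on hosts where 29 is already taken. Nothing else in this package depends on the number — snort.tmpfiles and the unit refer to the name `snort` — so unless the reservation exists, `u snort - "Snort IDS" /var/log/snort` lets sysusers allocate a free system ID.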
diff --git a/snort.tmpfiles b/snort.tmpfiles
new file mode 100644
index 000000000000..d17da52c2972
--- /dev/null
+++ b/snort.tmpfiles
@@ -0,0 +1,2 @@
+d /var/log/snort 0750 snort snort -
+d /var/log/snort/old 0750 snort snort -
diff --git a/snort@.service b/snort@.service
deleted file mode 100644
index 002818ca93b9..000000000000
--- a/snort@.service
+++ /dev/null
@@ -1,10 +0,0 @@
-[Unit]
-Description=Snort IDS system listening on '%I'
-
-[Service]
-Type=simple
-ExecStartPre=/usr/sbin/ip link set up dev %I
-ExecStart=/usr/bin/snort --daq-dir /usr/lib/daq/ -A fast -b -p -u snort -g snort -c /etc/snort/snort.conf -i %I
-
-[Install]
-Alias=multi-user.target.wants/snort@%i.service