Summary: packet-sniffer/logger
Name: snort
Version: 1.7
Release: 0vl2
License: GPL
Group: Applications/Internet
Url: http://www.snort.org
Source0: http://www.snort.org/Files/%{name}-%{version}.tar.gz
Source1: snort-stat
Source2: snortlog
Source4: snortd
Source5: snort.conf
Source6: snortrules.tar.gz
Source7: README-snort.EUC
Requires: libpcap >= 0.4
BuildRequires: libpcap >= 0.4
Buildroot: %{_tmppath}/%{name}-%{version}-root

%description
Snort is a libpcap-based packet sniffer/logger which
can be used as a lightweight network intrusion detection system.
It features rules-based logging and can perform protocol analysis,
content searching/matching and can be used to detect a variety of
attacks and probes, such as buffer overflows, stealth port scans,
CGI attacks, SMB probes, OS fingerprinting attempts, and much more.
Snort has a real-time alerting capability, with alerts being sent to syslog,
a separate "alert" file, or as a WinPopup message via Samba's smbclient.

%description -l ja
Snort is software of the kind called an IDS, that is, an intrusion
detection system. It detects and reports actions that attempt to do
harm to a host. It can be used to find various attacks and probes
(for example buffer overflows, stealth port scans, CGI attacks,
SMB probes, OS fingerprinting attempts, and many more).

%prep
%setup -q
cp -p %{SOURCE5} %{SOURCE7} .

%build
CFLAGS="$RPM_OPT_FLAGS" \
%configure --bindir=/usr/sbin --sysconfdir=/etc/snort --enable-smbalerts
make

%install
rm -rf %{buildroot}
mkdir -p %{buildroot}/usr/{bin,sbin}
mkdir -p %{buildroot}/etc/snort
mkdir -p %{buildroot}/etc/rc.d/init.d
mkdir -p %{buildroot}/var/log/snort/archive

%makeinstall \
	prefix=%{buildroot}/usr \
	bindir=%{buildroot}/usr/sbin \
	sysconfdir=%{buildroot}/etc/snort
install %{SOURCE1} %{buildroot}/usr/bin
install %{SOURCE2} %{buildroot}/usr/bin
install %{SOURCE4} %{buildroot}/etc/rc.d/init.d
tar zxvf %{SOURCE6} -C %{buildroot}/etc/snort

cat - << EOF >> %{buildroot}/etc/snort/snort.conf
####################################################################
# Customize your rule set
#
# Up to date snort rules are available at the following web sites:
# http://www.snort.org
# http://www.whitehats.com
#
# The snort web site has documentation about how to
# write your own custom snort rules.
#
# The rules included with this distribution generate alerts based
# on suspicious activity. Depending on your network environment, your
# security policies, and what you consider to be suspicious, some of
# these rules may either generate false positives or may be detecting
# activity you consider to be acceptable; therefore, you are
# encouraged to comment out rules that are not applicable in your
# environment.
#
# Note that using all of the rules at the same time may lead to
# serious packet loss on slower machines. YMMV, use with caution,
# standard disclaimers apply. :)
#
# The following individuals contributed many of the rules in this
# distribution.
#
# Credits:
# Max Vision <vision@whitehats.com> - www.whitehats.com
# Ron Gula <rgula@securitywizards.com> of Network Security Wizards
# Martin Markgraf <martin@mail.du.gtn.com>
# CyberPsychotic <fygrave@tigerteam.net>
# Nick Rogness <nick@rapidnet.com>
# Jim Forster <jforster@rapidnet.com>
# Scott McIntyre <scott@whoi.edu>
# Tom Vandepoel <Tom.Vandepoel@ubizen.com>
# Brian Caswell <bmc@mitre.org>
#
#===============================================
# Include all relevant rulesets here
# by default virus, policy and info are disabled
#===============================================
# Be sure you have created a local.rules file
# for your includes/ignores, etc.
#===============================================
#include /etc/snort/local.rules
include /etc/snort/exploit.rules
include /etc/snort/scan.rules
include /etc/snort/finger.rules
include /etc/snort/ftp.rules
include /etc/snort/telnet.rules
include /etc/snort/smtp.rules
include /etc/snort/rpc.rules
include /etc/snort/rservices.rules
include /etc/snort/backdoor.rules
include /etc/snort/dos.rules
include /etc/snort/ddos.rules
include /etc/snort/dns.rules
include /etc/snort/netbios.rules
include /etc/snort/sql.rules
include /etc/snort/web-cgi.rules
include /etc/snort/web-coldfusion.rules
include /etc/snort/web-frontpage.rules
include /etc/snort/web-misc.rules
include /etc/snort/web-iis.rules
include /etc/snort/icmp.rules
include /etc/snort/misc.rules
#include /etc/snort/policy.rules
#include /etc/snort/info.rules
#include /etc/snort/virus.rules

# Ruleset, available (updated hourly) from:
#
# http://dev.whitehats.com/ids/vision.rules
# include /etc/snort/vision.rules
#
# snort.conf with more options is located in /usr/doc/snort-1.7/snort.conf

EOF

%clean
rm -rf %{buildroot}

%post
#don't do all this stuff if we are upgrading
if [ "$1" = 1 ] ; then
	useradd -M -r -d /var/log/snort -s /bin/false -c "Snort" snort 2> /dev/null || :
	groupadd -r snort 2> /dev/null || :
	/sbin/chkconfig --add snortd
fi
#this only works on redhat ;/
#the generated var/preprocessor block is written in front of the existing
#snort.conf (the include lines appended at build time). Opening the file
#with ">" straight away truncated those includes and left a config with
#no rules at all, so the old contents are read first and re-emitted.
perl -e 'open(f,"/etc/sysconfig/network-scripts/ifcfg-eth0");
while(<f>){if (/IPADDR=(.*)/) {$internal=$1;}};close(f);
open(f,"/etc/resolv.conf");
while(<f>){if (/nameserver(.*)/) {$dns=$1;$dns=~s/[ ]+//g;
$dns.="/32,"; push(@dns,$dns);}} close(f);
# strip the trailing comma; guarded so an empty list does not die
$dns[$#dns]=~s/,$//g if @dns;
open(f,"/etc/snort/snort.conf"); @rest=<f>; close(f);
open(f,">/etc/snort/snort.conf");
print f "var HOME_NET $internal/32\nvar EXTERNAL_NET any\nvar SMTP \$HOME_NET\nvar HTTP_SERVERS \$HOME_NET\nvar SQL_SERVERS \$HOME_NET\nvar DNS_SERVERS ";
print f "[";
foreach (@dns) {print f "$_";}
print f "]";
print f "\n\npreprocessor defrag\npreprocessor http_decode: 80 8080\npreprocessor portscan: \$HOME_NET 4 3 /var/log/snort/portscan.log\npreprocessor portscan-ignorehosts: \$DNS_SERVERS\n\n";
print f @rest;
close(f);'

chown snort.snort /var/log/snort

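As an added example that is not part of this spec: the HOME_NET and DNS_SERVERS derivation the post-install scriptlet performs in Perl, rewritten as POSIX shell functions that take the two input files as arguments (so they can be run against constructed samples instead of the live host), plus a check that every `include` line of a generated snort.conf resolves to an existing file, which catches a config whose include lines have been lost. The file names, the 192.0.2.x/198.51.100.x addresses and the function names are all constructed for this example.

```shell
#!/bin/sh
# Added example, not part of the snort spec: reproduce the "var" block that
# the post-install scriptlet writes to /etc/snort/snort.conf, but from files
# given as arguments, and verify the includes of a generated config.

# snort_vars IFCFG RESOLV: print the Snort 1.7 variable header for the host.
snort_vars() {
    ifcfg=$1 resolv=$2
    # first IPADDR= line of the interface config becomes HOME_NET (a /32)
    internal=$(sed -n 's/^IPADDR=//p' "$ifcfg" | head -n 1)
    [ -n "$internal" ] || return 1
    # each nameserver becomes a /32 entry of a comma-separated Snort list
    dns=$(awk '/^nameserver/ { printf "%s%s/32", sep, $2; sep = "," }' "$resolv")
    printf 'var HOME_NET %s/32\n' "$internal"
    printf 'var EXTERNAL_NET any\n'
    printf 'var SMTP $HOME_NET\nvar HTTP_SERVERS $HOME_NET\nvar SQL_SERVERS $HOME_NET\n'
    printf 'var DNS_SERVERS [%s]\n' "$dns"
}

# snort_check_includes CONF ROOT: succeed only if CONF still carries include
# lines and every included path exists below ROOT (pass / on a real host).
snort_check_includes() {
    conf=$1 root=${2:-}
    n=0
    for f in $(sed -n 's/^include[[:space:]]*//p' "$conf"); do
        [ -f "$root$f" ] || { echo "missing rules file: $root$f" >&2; return 1; }
        n=$((n + 1))
    done
    [ "$n" -gt 0 ]
}

# Constructed sample inputs (not taken from a real host) so the block runs
# offline: builds a config under a temp root, checks it, prints it.
demo() {
    d=$(mktemp -d)
    printf 'DEVICE=eth0\nIPADDR=192.0.2.10\nNETMASK=255.255.255.0\n' > "$d/ifcfg-eth0"
    printf 'search example.test\nnameserver 192.0.2.53\nnameserver 198.51.100.53\n' > "$d/resolv.conf"
    mkdir -p "$d/etc/snort"
    : > "$d/etc/snort/scan.rules"
    { snort_vars "$d/ifcfg-eth0" "$d/resolv.conf"
      printf '\ninclude /etc/snort/scan.rules\n'; } > "$d/etc/snort/snort.conf"
    snort_check_includes "$d/etc/snort/snort.conf" "$d" && cat "$d/etc/snort/snort.conf"
    rc=$?; rm -rf "$d"; return $rc
}
```

Running `demo` prints a config whose DNS_SERVERS list reads `[192.0.2.53/32,198.51.100.53/32]`; a config with an include that points nowhere, or with no includes at all, makes `snort_check_includes` fail.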
%if 0
echo -e "
Be sure to fetch the latest snort rules file from the ArachNIDS
database by Max Vision, or the one available from the snort.org web
site.

The snortlog and snort-stat perl scripts can be used to generate
statistics from the snort syslog entries.

Snort is currently configured to listen only on eth0, and uses the
default rulesets. If this is not correct for your
system, edit /etc/rc.d/init.d/snortd and /etc/snort/snort.conf

A \"snort\" user and group have been created for snort to run as instead
of running as root. You will likely need to create the /var/log/snort
directory, and change ownership to the \"snort\" account.

Built by: Dave Wreski
dave@linuxsecurity.com
and Wim Vandersmissen <wim@bofh.be>
"
%endif

%preun
/etc/rc.d/init.d/snortd stop
if [ "$1" = 0 ] ; then
	/sbin/chkconfig --del snortd
fi
exit 0

%postun
#only if we are removing, not upgrading..
if [ "$1" = 0 ] ; then
	userdel snort 2> /dev/null || :
	groupdel snort 2> /dev/null || :
fi

%files
%defattr(-,root,root)
%doc AUTHORS BUGS COPYING CREDITS ChangeLog INSTALL NEWS README* USAGE
%doc snort.conf README-snort.EUC
%attr(755,root,root) /usr/sbin/*
%attr(755,root,root) /usr/bin/*
%attr(750,root,wheel) %dir /var/log/snort
%attr(750,root,wheel) %dir /var/log/snort/archive
%attr(640,root,wheel) %config /etc/snort/*rules
%attr(640,root,root) %config /etc/snort/snort.conf
%attr(755,root,root) %config /etc/rc.d/init.d/snortd

%changelog
* Thu Sep 06 2001 Toru Sagami <sagami@vinelinux.org>
- 1.7-0vl2: was ported to VineSeedPlus with many spec fixes

* Mon Apr 09 2001 net_hal <net_hal@cwa.bai.ne.jp>
- first build for Vine2.1
- original ver 1.7 + 2001/03/28 Rules