Summary: packet-sniffer/logger
Name: snort
Version: 1.7
Release: 0vl2
License: GPL
Group: Applications/Internet
Url: http://www.snort.org
Source0: http://www.snort.org/Files/%{name}-%{version}.tar.gz
Source1: snort-stat
Source2: snortlog
Source4: snortd
Source5: snort.conf
Source6: snortrules.tar.gz
Source7: README-snort.EUC
Requires: libpcap >= 0.4
BuildRequires: libpcap >= 0.4
Buildroot: %{_tmppath}/%{name}-%{version}-root

%description
Snort is a libpcap-based packet sniffer/logger which
can be used as a lightweight network intrusion detection system.
It features rules-based logging and can perform protocol analysis and
content searching/matching, and can be used to detect a variety of
attacks and probes, such as buffer overflows, stealth port scans,
CGI attacks, SMB probes, OS fingerprinting attempts, and much more.
Snort has a real-time alerting capability, with alerts being sent to syslog,
a separate "alert" file, or as a WinPopup message via Samba's smbclient.

%description -l ja
Snort is software known as an IDS, that is, an intrusion detection system.
It detects and reports actions that attempt to do some kind of harm to a host.
It can be used to find various attacks and probes (for example buffer overflows,
stealth port scans, CGI attacks, SMB probes, OS fingerprinting attempts,
and many more).

%prep
%setup -q
cp -p %{SOURCE5} %{SOURCE7} .

%build
CFLAGS="$RPM_OPT_FLAGS" \
%configure --bindir=/usr/sbin --sysconfdir=/etc/snort --enable-smbalerts
make

%install
rm -rf %{buildroot}
mkdir -p %{buildroot}/usr/{bin,sbin}
mkdir -p %{buildroot}/etc/snort
mkdir -p %{buildroot}/etc/rc.d/init.d
mkdir -p %{buildroot}/var/log/snort/archive

%makeinstall \
	prefix=%{buildroot}/usr \
	bindir=%{buildroot}/usr/sbin \
	sysconfdir=%{buildroot}/etc/snort
install %{SOURCE1} %{buildroot}/usr/bin
install %{SOURCE2} %{buildroot}/usr/bin
install %{SOURCE4} %{buildroot}/etc/rc.d/init.d
tar zxvf %{SOURCE6} -C %{buildroot}/etc/snort

cat - << EOF >> %{buildroot}/etc/snort/snort.conf
####################################################################
# Customize your rule set
#
# Up to date snort rules are available at the following web sites:
#   http://www.snort.org
#   http://www.whitehats.com
#
# The snort web site has documentation about how to
# write your own custom snort rules.
#
# The rules included with this distribution generate alerts based
# on suspicious activity. Depending on your network environment, your
# security policies, and what you consider to be suspicious, some of
# these rules may either generate false positives or may be detecting
# activity you consider to be acceptable; therefore, you are
# encouraged to comment out rules that are not applicable in your
# environment.
#
# Note that using all of the rules at the same time may lead to
# serious packet loss on slower machines. YMMV, use with caution,
# standard disclaimers apply. :)
#
# The following individuals contributed many of the rules in this
# distribution.
#
# Credits:
#   Max Vision <vision@whitehats.com> - www.whitehats.com
#   Ron Gula <rgula@securitywizards.com> of Network Security Wizards
#   Martin Markgraf <martin@mail.du.gtn.com>
#   CyberPsychotic <fygrave@tigerteam.net>
#   Nick Rogness <nick@rapidnet.com>
#   Jim Forster <jforster@rapidnet.com>
#   Scott McIntyre <scott@whoi.edu>
#   Tom Vandepoel <Tom.Vandepoel@ubizen.com>
#   Brian Caswell <bmc@mitre.org>
#
#===============================================
# Include all relevant rulesets here
# by default virus, policy and info are disabled
#===============================================
# Be sure you have created a local.rules file
# for your includes/ignores, etc.
#===============================================
#include /etc/snort/local.rules
include /etc/snort/exploit.rules
include /etc/snort/scan.rules
include /etc/snort/finger.rules
include /etc/snort/ftp.rules
include /etc/snort/telnet.rules
include /etc/snort/smtp.rules
include /etc/snort/rpc.rules
include /etc/snort/rservices.rules
include /etc/snort/backdoor.rules
include /etc/snort/dos.rules
include /etc/snort/ddos.rules
include /etc/snort/dns.rules
include /etc/snort/netbios.rules
include /etc/snort/sql.rules
include /etc/snort/web-cgi.rules
include /etc/snort/web-coldfusion.rules
include /etc/snort/web-frontpage.rules
include /etc/snort/web-misc.rules
include /etc/snort/web-iis.rules
include /etc/snort/icmp.rules
include /etc/snort/misc.rules
#include /etc/snort/policy.rules
#include /etc/snort/info.rules
#include /etc/snort/virus.rules

# Ruleset, available (updated hourly) from:
#
#   http://dev.whitehats.com/ids/vision.rules
# include /etc/snort/vision.rules
#
# snort.conf with more options is located in /usr/doc/snort-1.7/snort.conf

EOF

%clean
rm -rf %{buildroot}

%post
#don't do all this stuff if we are upgrading
if [ "$1" = 1 ] ; then
	useradd -M -r -d /var/log/snort -s /bin/false -c "Snort" snort 2> /dev/null || :
	groupadd -r snort 2> /dev/null || :
	/sbin/chkconfig --add snortd
fi
#this only works on redhat ;/
# Derive HOME_NET from eth0 and DNS_SERVERS from resolv.conf, then prepend
# the generated variables to the installed snort.conf. The existing contents
# (the rule includes written in %install) are read first and written back
# below the variables; opening the file with ">" alone would discard them.
perl -e 'open(f,"/etc/sysconfig/network-scripts/ifcfg-eth0");
while(<f>){if (/IPADDR=(.*)/) {$internal=$1;}};close(f);
open(f,"/etc/resolv.conf");
while(<f>){if (/nameserver(.*)/) {$dns=$1;$dns=~s/[ ]+//g;
$dns.="/32,"; push(@dns,$dns);}} close(f);
$dns[$#dns]=~s/,$//g if @dns;
open(f,"/etc/snort/snort.conf"); @rules=<f>; close(f);
open(f,">/etc/snort/snort.conf");
print f "var HOME_NET $internal/32\nvar EXTERNAL_NET any\nvar SMTP \$HOME_NET\nvar HTTP_SERVERS \$HOME_NET\nvar SQL_SERVERS \$HOME_NET\nvar DNS_SERVERS ";
print f "[";
foreach (@dns) {print f "$_";}
print f "]";
print f "\n\npreprocessor defrag\npreprocessor http_decode: 80 8080\npreprocessor portscan: \$HOME_NET 4 3 /var/log/snort/portscan.log\npreprocessor portscan-ignorehosts: \$DNS_SERVERS\n\n";
print f @rules;
close(f);'
#add the rest of the stuff

chown snort.snort /var/log/snort

%if 0
echo -e "
Be sure to fetch the latest snort rules file from the ArachNIDS
database by Max Vision, or the one available from the snort.org web
site.

The snortlog and snort-stat perl scripts can be used to generate
statistics from the snort syslog entries.

Snort is currently configured to listen only on eth0, and uses the
default rulesets. If this is not correct for your
system, edit /etc/rc.d/init.d/snortd and /etc/snort/snort.conf

A \"snort\" user and group have been created for snort to run as instead
of running as root. You will likely need to create the /var/log/snort
directory, and change ownership to the \"snort\" account.

Built by: Dave Wreski
dave@linuxsecurity.com
and Wim Vandersmissen <wim@bofh.be>
"
%endif

%preun
/etc/rc.d/init.d/snortd stop
if [ "$1" = 0 ] ; then
	/sbin/chkconfig --del snortd
fi
exit 0

%postun
#only if we are removing, not upgrading..
if [ "$1" = 0 ] ; then
	userdel snort 2> /dev/null || :
	groupdel snort 2> /dev/null || :
fi

%files
%defattr(-,root,root)
%doc AUTHORS BUGS COPYING CREDITS ChangeLog INSTALL NEWS README* USAGE
%doc snort.conf README-snort.EUC
%attr(755,root,root) /usr/sbin/*
%attr(755,root,root) /usr/bin/*
%attr(750,root,wheel) %dir /var/log/snort
%attr(750,root,wheel) %dir /var/log/snort/archive
%attr(640,root,wheel) %config /etc/snort/*rules
%attr(640,root,root) %config /etc/snort/snort.conf
%attr(755,root,root) %config /etc/rc.d/init.d/snortd

%changelog
* Thu Sep 06 2001 Toru Sagami <sagami@vinelinux.org>
- 1.7-0vl2: was ported to VineSeedPlus with many spec fixes

* Mon Apr 09 2001 net_hal <net_hal@cwa.bai.ne.jp>
- first build for Vine2.1
- original ver 1.7 + 2001/03/28 Rules
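As an added example that is not part of the spec file above, the following POSIX shell script does what the %post scriptlet does with perl: it reads IPADDR from an ifcfg-eth0 file and the nameserver lines from resolv.conf, builds the snort 1.7 HOME_NET/DNS_SERVERS header, and prepends it to an existing snort.conf so the include lines are kept. The sample input files, the function names, and the choice of `any` when no nameserver is found are my assumptions.

```shell
#!/bin/sh
# Added example: build the snort 1.7 variable header that the spec's %post
# scriptlet generates, and prepend it to an existing snort.conf instead of
# truncating the file. Function names and sample inputs are assumptions.

# Print the value of IPADDR= from an ifcfg-style file read on stdin.
ifcfg_ipaddr() {
    sed -n 's/^IPADDR=//p' | head -n 1
}

# Turn the "nameserver X" lines on stdin into a bracketed snort IP list of
# /32 entries, e.g. [10.0.0.2/32,10.0.0.3/32]; print "any" if none found
# (assumption: "any" is used rather than emitting an empty "[]").
resolv_dns_list() {
    awk '$1 == "nameserver" { s = s (s == "" ? "" : ",") $2 "/32" }
         END { print (s == "" ? "any" : "[" s "]") }'
}

# Emit the same var/preprocessor lines the %post scriptlet writes.
snort_header() {
    printf 'var HOME_NET %s/32\nvar EXTERNAL_NET any\n' "$1"
    printf 'var SMTP $HOME_NET\nvar HTTP_SERVERS $HOME_NET\nvar SQL_SERVERS $HOME_NET\n'
    printf 'var DNS_SERVERS %s\n\n' "$2"
    printf 'preprocessor defrag\npreprocessor http_decode: 80 8080\n'
    printf 'preprocessor portscan: $HOME_NET 4 3 /var/log/snort/portscan.log\n'
    printf 'preprocessor portscan-ignorehosts: $DNS_SERVERS\n\n'
}

# Prepend the header to $3, keeping its existing lines (the rule includes)
# below the variable definitions they depend on.
prepend_header() {
    home=$(ifcfg_ipaddr < "$1")
    [ -n "$home" ] || { echo "no IPADDR in $1" >&2; return 1; }
    dns=$(resolv_dns_list < "$2")
    tmp=$(mktemp) || return 1
    snort_header "$home" "$dns" > "$tmp"
    cat "$3" >> "$tmp" && mv "$tmp" "$3"
}

# Constructed sample inputs standing in for /etc/sysconfig/network-scripts/
# ifcfg-eth0, /etc/resolv.conf and the packaged /etc/snort/snort.conf.
work=$(mktemp -d)
printf 'DEVICE=eth0\nIPADDR=192.0.2.10\nNETMASK=255.255.255.0\n' > "$work/ifcfg-eth0"
printf 'search example.test\nnameserver 192.0.2.53\nnameserver 198.51.100.53\n' > "$work/resolv.conf"
printf 'include /etc/snort/exploit.rules\ninclude /etc/snort/scan.rules\n' > "$work/snort.conf"
prepend_header "$work/ifcfg-eth0" "$work/resolv.conf" "$work/snort.conf"
cat "$work/snort.conf"
```

Because the header is regenerated from the host's current addresses each time, rerunning the script on an already-prepared file would stack a second header on top; a real scriptlet should check for an existing `var HOME_NET` line first.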