Summary: packet-sniffer/logger
Name: snort
Version: 1.7
Release: 0vl2
License: GPL
Group: Applications/Internet
Url: http://www.snort.org
Source0: http://www.snort.org/Files/%{name}-%{version}.tar.gz
Source1: snort-stat
Source2: snortlog
Source4: snortd
Source5: snort.conf
Source6: snortrules.tar.gz
Source7: README-snort.EUC
Requires: libpcap >= 0.4
BuildRequires: libpcap >= 0.4
Buildroot: %{_tmppath}/%{name}-%{version}-root

%description
Snort is a libpcap-based packet sniffer/logger which can be used as a
lightweight network intrusion detection system. It features rules-based
logging and can perform protocol analysis and content searching/matching,
and can be used to detect a variety of attacks and probes, such as buffer
overflows, stealth port scans, CGI attacks, SMB probes, OS fingerprinting
attempts, and much more. Snort has a real-time alerting capability, with
alerts being sent to syslog, a separate "alert" file, or as a WinPopup
message via Samba's smbclient.

%description -l ja
Snort is software of the kind called an IDS, an intrusion detection system.
It detects and reports activity that attempts to do something harmful to a
host. It can be used to find a variety of attacks and probes (for example
buffer overflows, stealth port scans, CGI attacks, SMB probes, OS
fingerprinting attempts, and many more).

%prep
%setup -q
cp -p %{SOURCE5} %{SOURCE7} .

%build
CFLAGS="$RPM_OPT_FLAGS" \
%configure --bindir=/usr/sbin --sysconfdir=/etc/snort --enable-smbalerts
make

%install
rm -rf %{buildroot}
mkdir -p %{buildroot}/usr/{bin,sbin}
mkdir -p %{buildroot}/etc/snort
mkdir -p %{buildroot}/etc/rc.d/init.d
mkdir -p %{buildroot}/var/log/snort/archive
%makeinstall \
	prefix=%{buildroot}/usr \
	bindir=%{buildroot}/usr/sbin \
	sysconfdir=%{buildroot}/etc/snort
install %{SOURCE1} %{buildroot}/usr/bin
install %{SOURCE2} %{buildroot}/usr/bin
install %{SOURCE4} %{buildroot}/etc/rc.d/init.d
tar zxvf %{SOURCE6} -C %{buildroot}/etc/snort

cat - << EOF >> %{buildroot}/etc/snort/snort.conf
####################################################################
# Customize your rule set
#
# Up to date snort rules are available at the following web sites:
#   http://www.snort.org
#   http://www.whitehats.com
#
# The snort web site has documentation about how to
# write your own custom snort rules.
#
# The rules included with this distribution generate alerts based
# on suspicious activity. Depending on your network environment, your
# security policies, and what you consider to be suspicious, some of
# these rules may either generate false positives or may be detecting
# activity you consider to be acceptable; therefore, you are
# encouraged to comment out rules that are not applicable in your
# environment.
#
# Note that using all of the rules at the same time may lead to
# serious packet loss on slower machines. YMMV, use with caution,
# standard disclaimers apply. :)
#
# The following individuals contributed many of the rules in this
# distribution.
#
# Credits:
#   Max Vision - www.whitehats.com
#   Ron Gula of Network Security Wizards
#   Martin Markgraf
#   CyberPsychotic
#   Nick Rogness
#   Jim Forster
#   Scott McIntyre
#   Tom Vandepoel
#   Brian Caswell
#
#===============================================
# Include all relevant rulesets here
# by default virus, policy and info are disabled
#===============================================
# Be sure you have created a local.rules file
# for your includes/ignores, etc.
#===============================================
#include /etc/snort/local.rules
include /etc/snort/exploit.rules
include /etc/snort/scan.rules
include /etc/snort/finger.rules
include /etc/snort/ftp.rules
include /etc/snort/telnet.rules
include /etc/snort/smtp.rules
include /etc/snort/rpc.rules
include /etc/snort/rservices.rules
include /etc/snort/backdoor.rules
include /etc/snort/dos.rules
include /etc/snort/ddos.rules
include /etc/snort/dns.rules
include /etc/snort/netbios.rules
include /etc/snort/sql.rules
include /etc/snort/web-cgi.rules
include /etc/snort/web-coldfusion.rules
include /etc/snort/web-frontpage.rules
include /etc/snort/web-misc.rules
include /etc/snort/web-iis.rules
include /etc/snort/icmp.rules
include /etc/snort/misc.rules
#include /etc/snort/policy.rules
#include /etc/snort/info.rules
#include /etc/snort/virus.rules

# Ruleset, available (updated hourly) from:
#
#   http://dev.whitehats.com/ids/vision.rules
#
include /etc/snort/vision.rules

#
# snort.conf with more options is located in /usr/doc/snort-1.7/snort.conf
EOF

%clean
rm -rf %{buildroot}

%post
# don't do all this stuff if we are upgrading
if [ "$1" = 1 ] ; then
	useradd -M -r -d /var/log/snort -s /bin/false -c "Snort" snort 2> /dev/null || :
	groupadd -r snort 2> /dev/null || :
	/sbin/chkconfig --add snortd
fi

# this only works on redhat ;/
# Derive HOME_NET from the eth0 address and DNS_SERVERS from the resolvers,
# then write the variable and preprocessor block to /etc/snort/snort.conf.
perl -e '
open(f,"/etc/sysconfig/network-scripts/ifcfg-eth0");
while(<f>){if (/IPADDR=(.*)/) {$internal=$1;}};
close(f);
open(f,"/etc/resolv.conf");
while(<f>){if (/nameserver(.*)/) {$dns=$1;$dns=~s/[ ]+//g;$dns.="/32,"; push(@dns,$dns);}}
close(f);
$dns[$#dns]=~s/,$//g;
open(f,">/etc/snort/snort.conf");
print f "var HOME_NET $internal/32\nvar EXTERNAL_NET any\nvar SMTP \$HOME_NET\nvar HTTP_SERVERS \$HOME_NET\nvar SQL_SERVERS \$HOME_NET\nvar DNS_SERVERS ";
print f "[";
foreach (@dns) {print f "$_";}
print f "]";
print f "\n\npreprocessor defrag\npreprocessor http_decode: 80 8080\npreprocessor portscan: \$HOME_NET 4 3 /var/log/snort/portscan.log\npreprocessor portscan-ignorehosts: \$DNS_SERVERS\n\n";
close(f);'

# add the rest of the stuff
chown snort.snort /var/log/snort

%if 0
echo -e "
Be sure to fetch the latest snort rules file from the ArachNIDS database
by Max Vision, or the one available from the snort.org web site.

The snortlog and snort-stat perl scripts can be used to generate
statistics from the snort syslog entries.

Snort is currently configured to listen only on eth0, and uses the
default rulesets. If this is not correct for your system, edit
/etc/rc.d/init.d/snortd and /etc/snort/snort.conf

A \"snort\" user and group have been created for snort to run as instead
of running as root. You will likely need to create the /var/log/snort
directory, and change ownership to the \"snort\" account.

Built by: Dave Wreski dave@linuxsecurity.com and Wim Vandersmissen
"
%endif

%preun
/etc/rc.d/init.d/snortd stop
if [ $1 = 0 ] ; then
	/sbin/chkconfig --del snortd
fi
exit 0

%postun
# only if we are removing, not upgrading..
if [ $1 = 0 ] ; then
	userdel snort 2> /dev/null || :
	groupdel snort 2> /dev/null || :
fi

%files
%defattr(-,root,root)
%doc AUTHORS BUGS COPYING CREDITS ChangeLog INSTALL NEWS README* USAGE
%doc snort.conf README-snort.EUC
%attr(755,root,root) /usr/sbin/*
%attr(755,root,root) /usr/bin/*
%attr(750,root,wheel) %dir /var/log/snort
%attr(750,root,wheel) %dir /var/log/snort/archive
%attr(640,root,wheel) %config /etc/snort/*rules
%attr(640,root,root) %config /etc/snort/snort.conf
%attr(755,root,root) %config /etc/rc.d/init.d/snortd

%changelog
* Thu Sep 06 2001 Toru Sagami
- 1.7-0vl2: was ported to VineSeedPlus with many spec fixes

* Mon Apr 09 2001 net_hal
- first build for Vine2.1
- original ver 1.7 + 2001/03/28 Rules
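The %post scriptlet derives HOME_NET from the eth0 IPADDR and DNS_SERVERS from the nameserver lines in /etc/resolv.conf with a perl one-liner. The following is an added example, not part of this spec or of Snort, that performs the same derivation as a POSIX shell function. It takes the two input paths as arguments (an assumption made so it can be run against constructed sample files) and refuses to emit a config when either input yields nothing, where the one-liner above would silently write `var HOME_NET /32`.

```shell
#!/bin/sh
# Added example (not from the snort spec): build the snort.conf variable
# block from an ifcfg-style interface file and a resolv.conf.
# Assumption: both paths are passed as arguments instead of being hard-coded.

# gen_snort_vars IFCFG RESOLV
# Prints the "var ..." lines snort.conf needs; returns 1 if the host address
# or the resolver list cannot be determined, so nothing half-formed is emitted.
gen_snort_vars() {
    ifcfg=$1
    resolv=$2

    # IPADDR=192.0.2.10 (optionally quoted) -> 192.0.2.10; first match wins.
    internal=$(sed -n 's/^IPADDR=["'\'']*\([0-9.]*\).*/\1/p' "$ifcfg" | head -n 1)
    if [ -z "$internal" ]; then
        echo "gen_snort_vars: no IPADDR in $ifcfg" >&2
        return 1
    fi

    # nameserver lines -> "a.b.c.d/32" joined by commas with no trailing comma.
    # Comments, the search line and surplus whitespace are ignored; only the
    # first address token of each nameserver line is used.
    dns=$(awk '$1 == "nameserver" && NF >= 2 { printf "%s%s/32", sep, $2; sep = "," }' "$resolv")
    if [ -z "$dns" ]; then
        echo "gen_snort_vars: no nameserver entries in $resolv" >&2
        return 1
    fi

    printf 'var HOME_NET %s/32\n' "$internal"
    printf 'var EXTERNAL_NET any\n'
    printf 'var SMTP $HOME_NET\n'
    printf 'var HTTP_SERVERS $HOME_NET\n'
    printf 'var SQL_SERVERS $HOME_NET\n'
    printf 'var DNS_SERVERS [%s]\n' "$dns"
}

# demo_gen_snort_vars: writes constructed sample inputs to a temp dir, runs the
# generator on them and prints the result. The addresses are documentation
# ranges chosen for the example, not values from any real host.
demo_gen_snort_vars() {
    tmp=$(mktemp -d)
    cat > "$tmp/ifcfg-eth0" <<'EOF'
DEVICE=eth0
BOOTPROTO=static
IPADDR=192.0.2.10
NETMASK=255.255.255.0
EOF
    cat > "$tmp/resolv.conf" <<'EOF'
# constructed sample resolv.conf
search example.test
nameserver   192.0.2.53
nameserver 198.51.100.53
EOF
    gen_snort_vars "$tmp/ifcfg-eth0" "$tmp/resolv.conf"
    rc=$?
    rm -rf "$tmp"
    return $rc
}

# Run the demo when SNORT_VARS_DEMO=1 is set; sourcing the file otherwise
# only defines the functions.
if [ "${SNORT_VARS_DEMO:-0}" = 1 ]; then
    demo_gen_snort_vars
fi
```

Run it with `SNORT_VARS_DEMO=1 sh snort_vars.sh` to see the six `var` lines for the constructed inputs. Emitting the block to stdout rather than opening the target with `>` lets the caller decide whether to prepend it to an existing snort.conf or check the output first, which matters because the rule `include` lines appended during %install must follow the variable definitions they reference.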