# -*- coding: utf-8; mode: tcl; tab-width: 4; indent-tabs-mode: nil; c-basic-offset: 4 -*- vim:fenc=utf-8:ft=tcl:et:sw=4:ts=4:sts=4 # $Id$ PortSystem 1.0 name snort version 2.9.8.3 categories net maintainers nomaintainer license GPL-2 description Open Source Network Intrusion Detection System long_description \ Snort is an open source network intrusion detection system, capable \ of performing real-time traffic analysis and packet logging on IP \ networks. It can perform protocol analysis, content \ searching/matching and can be used to detect a variety of attacks \ and probes, such as buffer overflows, stealth port scans, CGI \ attacks, SMB probes, OS fingerprinting attempts, and much more. homepage https://www.snort.org/ platforms darwin freebsd master_sites ${homepage}downloads/snort/ checksums rmd160 4fcd18bff69c8a80576ee08de76acef220a58fe9 \ sha256 856d02ccec49fa30c920a1e416c47c0d62dd224340a614959ba5c03239100e6a depends_lib port:daq \ port:openssl #patchfiles patch-src-strlcatu.h.diff patch-src-strlcpyu.h.diff add_users snort group=snort home=${prefix}/var/snort shell=/sbin/nologin realname=Snort\ user set if en1 startupitem.create yes startupitem.executable ${prefix}/bin/${name} -i ${if} -c ${prefix}/etc/snort/snort.conf -l ${prefix}/var/log/snort -u snort -g snort --pid-path ${prefix}/var/run startupitem.pidfile "${prefix}/var/run/snort_${if}.pid" #startupitem.start "${prefix}/share/${name}/snort.sh" #startupitem.stop "/bin/kill \$(cat ${prefix}/var/run/snort_*.pid)" destroot.asroot yes post-destroot { # Copy the Snort database schemas # xinstall -d -m 755 ${destroot}${prefix}/share/${name}/schemas # eval xinstall -m 755 [glob ${worksrcpath}/schemas/create*] ${destroot}${prefix}/share/${name}/schemas # Copy Snort's etc/ files xinstall -d -m 755 ${destroot}${prefix}/etc/${name} xinstall {*}[glob ${worksrcpath}/etc/*.map] ${destroot}${prefix}/etc/${name} xinstall {*}[glob ${worksrcpath}/etc/*.conf*] ${destroot}${prefix}/etc/${name} xinstall -d -m 755 ${destroot}${prefix}/share/examples/${name} file rename ${destroot}${prefix}/etc/${name}/snort.conf ${destroot}${prefix}/share/examples/${name}/snort.conf.dist # fix snort.conf.dist reinplace "s|dynamicpreprocessor directory /usr/local/lib/snort_dynamicpreprocessor/|dynamicpreprocessor directory ${prefix}/lib/snort_dynamicpreprocessor/|g" ${destroot}${prefix}/share/examples/${name}/snort.conf.dist reinplace "s|dynamicengine /usr/local/lib/snort_dynamicengine/libsf_engine.so|dynamicengine ${prefix}/lib/snort_dynamicengine/libsf_engine.dylib|g" ${destroot}${prefix}/share/examples/${name}/snort.conf.dist reinplace "s|dynamicdetection directory /usr/local/lib/snort_dynamicrule/|dynamicdetection directory ${prefix}/lib/snort_dynamicrule/|g" ${destroot}${prefix}/share/examples/${name}/snort.conf.dist reinplace "s|dynamicdetection file /usr/local/lib/snort_dynamicrule/libdynamicexamplerule.so|dynamicdetection file ${prefix}/lib/snort_dynamicrule/libdynamicexamplerule.dylib|g" ${destroot}${prefix}/share/examples/${name}/snort.conf.dist reinplace "s|_LIST_PATH ../rules|_LIST_PATH ${prefix}/etc/snort|g" ${destroot}${prefix}/share/examples/${name}/snort.conf.dist xinstall -d ${destroot}${prefix}/share/${name} xinstall -m 755 ${filespath}/snort.sh \ ${destroot}${prefix}/share/${name}/snort.sh reinplace "s|__PREFIX__|${prefix}|g" \ ${destroot}${prefix}/share/${name}/snort.sh xinstall -d ${destroot}${prefix}/lib/snort_dynamicrules destroot.keepdirs-append ${destroot}${prefix}/lib/snort_dynamicrules reinplace "s|/usr/local/lib/snort_dynamicrules|${prefix}/lib/snort_dynamicrules|" \ ${destroot}${prefix}/share/examples/${name}/snort.conf.dist reinplace "s|dynamicengine ${prefix}/lib/snort_dynamicengine/libsf_engine.dylib|dynamicengine ${prefix}/lib/snort_dynamicengine/libsf_engine.so|" \ ${destroot}${prefix}/share/examples/${name}/snort.conf.dist xinstall -d ${destroot}${prefix}/etc/snort/rules destroot.keepdirs-append ${destroot}${prefix}/etc/snort/rules reinplace "s|var RULE_PATH ../rules|var RULE_PATH /rules|" \ ${destroot}${prefix}/share/examples/${name}/snort.conf.dist xinstall -d -o snort ${destroot}${prefix}/var/log/snort destroot.keepdirs-append ${destroot}${prefix}/var/log/snort } post-activate { if ![file exists ${prefix}/etc/snort/snort.conf ] { copy ${prefix}/share/examples/${name}/snort.conf.dist ${prefix}/etc/snort/snort.conf system "touch ${prefix}/etc/snort/rules/local.rules" system "touch ${prefix}/etc/snort/white_list.rules" system "touch ${prefix}/etc/snort/black_list.rules" } } notes " ***** File locations ***** The Snort database schemas -> ${prefix}/share/${name}/schemas The snort.conf sample file -> ${prefix}/share/examples/${name}/snort.conf.dist If it doesn't exist before, the sample config is copied to ${prefix}/etc/snort.conf NOTE: Make sure you do not change the location of the snort.conf file or the startup scripts will not be able to find it. *Please download rules from https://www.snort.org/downloads/#rule-downloads either manually or with oinkmaster.* Oinkmaster is the recommended way with regular updates. Change at least your HOME_NET in snort.conf and Validate your config with $ snort -T -c ${prefix}/etc/snort/snort.conf By default ${prefix}/share/${name}/snort.sh is configured to listen only on ${if} interface. If you want to listen multiple interface, you need to start one snort instance per interface (or bond them) $ grep 'Snort rules read' /var/log/system.log $ egrep '^output' ${prefix}/etc/snort/snort.conf If you get empty touched logs, try also to set: ipvar EXTERNAL_NET !\$HOME_NET instead of any You can test that snort is functioning by using these tools: ftp http://\$EXTERNAL_HOST/cmd.exe ftp http://lteo.net/cmd.exe http://testmyids.com nmap, IDSWakeup, pytbull, metasploit To use blacklist/whitelist, see http://blog.securitymonks.com/2009/07/19/blacklisting-with-snort/ http://systemnoise.com/wordpress/?p=89 http://labs.snort.org/iplists/ " if {![variant_isset mysql51] && ![variant_isset mysql55] && ![variant_isset mariadb] && ![variant_isset percona] } { default_variants +mysql56 } variant mysql51 \ conflicts mysql55 mysql56 mariadb percona \ description "Enable MySQL 5.1 support" { depends_lib-append port:mysql51 configure.env-append MYSQL_CONFIG=${prefix}/lib/mysql51/bin/mysql_config configure.args-append --with-mysql-includes=${prefix}/include/mysql51/mysql \ --with-mysql-libraries=${prefix}/lib/mysql51/mysql configure.env CFLAGS="-L${prefix}/lib/mysql51/mysql" } variant mysql55 \ conflicts mysql51 mysql56 mariadb percona \ description "Enable MySQL 5.5 support" { depends_lib-append port:mysql55 configure.env-append MYSQL_CONFIG=${prefix}/lib/mysql55/bin/mysql_config configure.args-append --with-mysql-includes=${prefix}/include/mysql55/mysql \ --with-mysql-libraries=${prefix}/lib/mysql55/mysql configure.env CFLAGS="-L${prefix}/lib/mysql55/mysql" } variant mysql56 \ conflicts mysql51 mysql55 mariadb percona \ description "Enable MySQL 5.6 support" { depends_lib-append port:mysql56 configure.env-append MYSQL_CONFIG=${prefix}/lib/mysql56/bin/mysql_config configure.args-append --with-mysql-includes=${prefix}/include/mysql56/mysql \ --with-mysql-libraries=${prefix}/lib/mysql56/mysql configure.env CFLAGS="-L${prefix}/lib/mysql56/mysql" } variant mariadb \ conflicts mysql51 mysql55 mysql56 percona \ description "Enable MariaDB (MySQL) support" { depends_lib-append port:mariadb configure.env-append MYSQL_CONFIG=${prefix}/lib/mariadb/bin/mysql_config configure.args-append --with-mysql-includes=${prefix}/include/mariadb/mysql \ --with-mysql-libraries=${prefix}/lib/mariadb/mysql configure.env CFLAGS="-L${prefix}/lib/mariadb/mysql" } variant percona \ conflicts mysql51 mysql55 mysql56 mariadb \ description "Enable Percona (MySQL) support" { depends_lib-append port:percona configure.env-append MYSQL_CONFIG=${prefix}/lib/percona/bin/mysql_config configure.args-append --with-mysql-includes=${prefix}/include/percona/mysql \ --with-mysql-libraries=${prefix}/lib/percona/mysql configure.env CFLAGS="-L${prefix}/lib/percona/mysql" } livecheck.type regex livecheck.url ${homepage}downloads livecheck.regex >${name}-(\[0-9.\]+)${extract.suffix}<