Home

The net/snort port

snort-2.9.20p2 – highly flexible sniffer/NIDS (cvsweb github mirror)

Description

Snort is an open source network intrusion detection and prevention system.  It
is capable of performing real-time traffic analysis, alerting, blocking and
packet logging on IP networks.  It utilizes a combination of protocol analysis
and pattern matching in order to detect a anomalies, misuse and attacks.
Snort uses a flexible rules language to describe activity that can be considered
malicious or anomalous as well as an analysis engine that incorporates a
modular plugin architecture.  Snort is capable of detecting and responding in
real-time, sending alerts, performing session sniping, logging packets, or
dropping sessions/packets when deployed in-line.

Snort has three primary functional modes.  It can be used as a packet sniffer
like tcpdump(8), a packet logger (useful for network traffic
debugging, etc), or as a full blown network intrusion detection and prevention
system.
WWW: https://www.snort.org/

Readme

+-----------------------------------------------------------------------
| Running ${PKGSTEM} on OpenBSD
+-----------------------------------------------------------------------

An up-to-date set of rules is needed for Snort to be useful as an IDS.
By default, these rules are expected to be present in the
${SYSCONFDIR}/snort/rules directory as defined by RULE_PATH in
${SYSCONFDIR}/snort/snort.conf.

The two most common sources of Snort rules are the official Snort rules
and the Emerging Threats rules.  To download the official Snort rules,
you will first need to sign up for an "oinkcode" at
https://www.snort.org/users/sign_up since they are distributed under a
commercial license.  Emerging Threats rules can be downloaded without
signing up.

The easiest way to download these rules is to use a rule manager such as
the oinkmaster package.  You can set up oinkmaster's config file to
download one or more Snort rulesets and extract them automatically.
Please refer to the documentation in the oinkmaster package for more
details.

If you prefer to obtain the rules manually without using a rule manager,
you can use the following example commands to download and extract them
to the correct directory:

* Official Snort rules (replace  with yours):

    ftp -o snortrules-snapshot-${RULESV}.tar.gz \
      https://www.snort.org/rules/snortrules-snapshot-${RULESV}.tar.gz?oinkcode=
    tar -C /etc/snort -xzf snortrules-snapshot-${RULESV}.tar.gz rules preproc_rules

* Emerging Threats rules:

    ftp https://rules.emergingthreats.net/open/snort-2.9.0/emerging.rules.tar.gz
    tar -C /etc/snort -xzf emerging.rules.tar.gz

  If you use Emerging Threats rules, you will need to uncomment its
  include line in ${SYSCONFDIR}/snort/snort.conf and edit
  ${SYSCONFDIR}/snort/rules/emerging.conf for Snort to load them.

It is important that you review the rules carefully to ensure that you
use the rules that apply to your environment.  You should also modify
${SYSCONFDIR}/snort/snort.conf to define the relevant variables such as
HOME_NET to match your network.

It is recommended that Snort be run as an unprivileged chrooted user.
A _snort user/group and a log directory have been created for this
purpose. You should start Snort with the ${RCDIR}/snort script to take
advantage of this.

For more details on setting up Snort, please refer to its user manual at
${TRUEPREFIX}/share/doc/snort/snort_manual.pdf

Maintainer

Markus Lude

Categories

net security

Library dependencies

Files

Search