+++ /dev/null
-#--------------------------------------------------
-# http://www.snort.org Snort 2.1.0 Ruleset
-# Contact: snort-sigs@lists.sourceforge.net
-#--------------------------------------------------
-# $Id$
-#
-###################################################
-# This file contains a sample snort configuration.
-# You can take the following steps to create your own custom configuration:
-#
-# 1) Set the network variables for your network
-# 2) Configure preprocessors
-# 3) Configure output plugins
-# 4) Customize your rule set
-#
-###################################################
-# Step #1: Set the network variables:
-#
-# You must change the following variables to reflect your local network. The
-# variable is currently setup for an RFC 1918 address space.
-#
-# You can specify it explicitly as:
-#
-# var HOME_NET 10.1.1.0/24
-#
-# or use global variable $<interfacename>_ADDRESS which will be always
-# initialized to IP address and netmask of the network interface which you run
-# snort at. Under Windows, this must be specified as
-# $(<interfacename>_ADDRESS), such as:
-# $(\Device\Packet_{12345678-90AB-CDEF-1234567890AB}_ADDRESS)
-#
-# var HOME_NET $eth0_ADDRESS
-#
-# You can specify lists of IP addresses for HOME_NET
-# by separating the IPs with commas like this:
-#
-# var HOME_NET [10.1.1.0/24,192.168.1.0/24]
-#
-# MAKE SURE YOU DON'T PLACE ANY SPACES IN YOUR LIST!
-#
-# or you can specify the variable to be any IP address
-# like this:
-
-var HOME_NET any
-
-# Set up the external network addresses as well. A good start may be "any"
-var EXTERNAL_NET any
-
-# Configure your server lists. This allows snort to only look for attacks to
-# systems that have a service up. Why look for HTTP attacks if you are not
-# running a web server? This allows quick filtering based on IP addresses
-# These configurations MUST follow the same configuration scheme as defined
-# above for $HOME_NET.
-
-# List of DNS servers on your network
-var DNS_SERVERS $HOME_NET
-
-# List of SMTP servers on your network
-var SMTP_SERVERS $HOME_NET
-
-# List of web servers on your network
-var HTTP_SERVERS $HOME_NET
-
-# List of sql servers on your network
-var SQL_SERVERS $HOME_NET
-
-# List of telnet servers on your network
-var TELNET_SERVERS $HOME_NET
-
-# List of snmp servers on your network
-var SNMP_SERVERS $HOME_NET
-
-# Configure your service ports. This allows snort to look for attacks destined
-# to a specific application only on the ports that application runs on. For
-# example, if you run a web server on port 8081, set your HTTP_PORTS variable
-# like this:
-#
-# var HTTP_PORTS 8081
-#
-# Port lists must either be continuous [eg 80:8080], or a single port [eg 80].
-# We will adding support for a real list of ports in the future.
-
-# Ports you run web servers on
-#
-# Please note: [80,8080] does not work.
-# If you wish to define multiple HTTP ports,
-#
-## var HTTP_PORTS 80
-## include somefile.rules
-## var HTTP_PORTS 8080
-## include somefile.rules
-var HTTP_PORTS 80
-
-# Ports you want to look for SHELLCODE on.
-var SHELLCODE_PORTS !80
-
-# Ports you do oracle attacks on
-var ORACLE_PORTS 1521
-
-# other variables
-#
-# AIM servers. AOL has a habit of adding new AIM servers, so instead of
-# modifying the signatures when they do, we add them to this list of servers.
-var AIM_SERVERS [64.12.24.0/24,64.12.25.0/24,64.12.26.14/24,64.12.28.0/24,64.12.29.0/24,64.12.161.0/24,64.12.163.0/24,205.188.5.0/24,205.188.9.0/24]
-
-# Path to your rules files (this can be a relative path)
-var RULE_PATH /etc/snort/rules
-
-# Configure the snort decoder
-# ============================
-#
-# Snort's decoder will alert on lots of things such as header
-# truncation or options of unusual length or infrequently used tcp options
-#
-#
-# Stop generic decode events:
-#
-# config disable_decode_alerts
-#
-# Stop Alerts on experimental TCP options
-#
-# config disable_tcpopt_experimental_alerts
-#
-# Stop Alerts on obsolete TCP options
-#
-# config disable_tcpopt_obsolete_alerts
-#
-# Stop Alerts on T/TCP alerts
-#
-# In snort 2.0.1 and above, this only alerts when the a TCP option is detected
-# that shows T/TCP being actively used on the network. If this is normal
-# behavior for your network, disable the next option.
-#
-# config disable_tcpopt_ttcp_alerts
-#
-# Stop Alerts on all other TCPOption type events:
-#
-# config disable_tcpopt_alerts
-#
-# Stop Alerts on invalid ip options
-#
-# config disable_ipopt_alerts
-
-# Configure the detection engine
-# ===============================
-#
-# Use a different pattern matcher in case you have a machine with very limited
-# resources:
-#
-# config detection: search-method lowmem
-
-###################################################
-# Step #2: Configure preprocessors
-#
-# General configuration for preprocessors is of
-# the form
-# preprocessor <name_of_processor>: <configuration_options>
-
-# Configure Flow tracking module
-# -------------------------------
-#
-# The Flow tracking module is meant to start unifying the state keeping
-# mechanisms of snort into a single place. Right now, only a portscan detector
-# is implemented but in the long term, many of the stateful subsystems of
-# snort will be migrated over to becoming flow plugins. This must be enabled
-# for flow-portscan to work correctly.
-#
-# See README.flow for additional information
-#
-# preprocessor flow: stats_interval 0 hash 2
-
-# frag2: IP defragmentation support
-# -------------------------------
-# This preprocessor performs IP defragmentation. This plugin will also detect
-# people launching fragmentation attacks (usually DoS) against hosts. No
-# arguments loads the default configuration of the preprocessor, which is a 60
-# second timeout and a 4MB fragment buffer.
-
-# The following (comma delimited) options are available for frag2
-# timeout [seconds] - sets the number of [seconds] than an unfinished
-# fragment will be kept around waiting for completion,
-# if this time expires the fragment will be flushed
-# memcap [bytes] - limit frag2 memory usage to [number] bytes
-# (default: 4194304)
-#
-# min_ttl [number] - minimum ttl to accept
-#
-# ttl_limit [number] - difference of ttl to accept without alerting
-# will cause false positves with router flap
-#
-# Frag2 uses Generator ID 113 and uses the following SIDS
-# for that GID:
-# SID Event description
-# ----- -------------------
-# 1 Oversized fragment (reassembled frag > 64k bytes)
-# 2 Teardrop-type attack
-
-preprocessor frag2
-
-# stream4: stateful inspection/stream reassembly for Snort
-#----------------------------------------------------------------------
-# Use in concert with the -z [all|est] command line switch to defeat stick/snot
-# against TCP rules. Also performs full TCP stream reassembly, stateful
-# inspection of TCP streams, etc. Can statefully detect various portscan
-# types, fingerprinting, ECN, etc.
-
-# stateful inspection directive
-# no arguments loads the defaults (timeout 30, memcap 8388608)
-# options (options are comma delimited):
-# detect_scans - stream4 will detect stealth portscans and generate alerts
-# when it sees them when this option is set
-# detect_state_problems - detect TCP state problems, this tends to be very
-# noisy because there are a lot of crappy ip stack
-# implementations out there
-#
-# disable_evasion_alerts - turn off the possibly noisy mitigation of
-# overlapping sequences.
-#
-#
-# min_ttl [number] - set a minium ttl that snort will accept to
-# stream reassembly
-#
-# ttl_limit [number] - differential of the initial ttl on a session versus
-# the normal that someone may be playing games.
-# Routing flap may cause lots of false positives.
-#
-# keepstats [machine|binary] - keep session statistics, add "machine" to
-# get them in a flat format for machine reading, add
-# "binary" to get them in a unified binary output
-# format
-# noinspect - turn off stateful inspection only
-# timeout [number] - set the session timeout counter to [number] seconds,
-# default is 30 seconds
-# memcap [number] - limit stream4 memory usage to [number] bytes
-# log_flushed_streams - if an event is detected on a stream this option will
-# cause all packets that are stored in the stream4
-# packet buffers to be flushed to disk. This only
-# works when logging in pcap mode!
-#
-# Stream4 uses Generator ID 111 and uses the following SIDS
-# for that GID:
-# SID Event description
-# ----- -------------------
-# 1 Stealth activity
-# 2 Evasive RST packet
-# 3 Evasive TCP packet retransmission
-# 4 TCP Window violation
-# 5 Data on SYN packet
-# 6 Stealth scan: full XMAS
-# 7 Stealth scan: SYN-ACK-PSH-URG
-# 8 Stealth scan: FIN scan
-# 9 Stealth scan: NULL scan
-# 10 Stealth scan: NMAP XMAS scan
-# 11 Stealth scan: Vecna scan
-# 12 Stealth scan: NMAP fingerprint scan stateful detect
-# 13 Stealth scan: SYN-FIN scan
-# 14 TCP forward overlap
-
-preprocessor stream4: disable_evasion_alerts
-
-# tcp stream reassembly directive
-# no arguments loads the default configuration
-# Only reassemble the client,
-# Only reassemble the default list of ports (See below),
-# Give alerts for "bad" streams
-#
-# Available options (comma delimited):
-# clientonly - reassemble traffic for the client side of a connection only
-# serveronly - reassemble traffic for the server side of a connection only
-# both - reassemble both sides of a session
-# noalerts - turn off alerts from the stream reassembly stage of stream4
-# ports [list] - use the space separated list of ports in [list], "all"
-# will turn on reassembly for all ports, "default" will turn
-# on reassembly for ports 21, 23, 25, 53, 80, 143, 110, 111
-# and 513
-
-preprocessor stream4_reassemble
-
-# http_inspect: normalize and detect HTTP traffic and protocol anomalies
-#
-# lots of options available here. See doc/README.http_inspect.
-# unicode.map should be wherever your snort.conf lives, or given
-# a full path to where snort can find it.
-preprocessor http_inspect: global \
- iis_unicode_map unicode.map 1252
-
-preprocessor http_inspect_server: server default \
- profile all \
- ports { 80 8080 }
-#
-# Example unqiue server configuration
-#
-#preprocessor http_inspect_server: server 1.1.1.1 \
-# ports { 80 3128 8080 } \
-# flow_depth 0 \
-# ascii no \
-# double_decode yes \
-# non_rfc_char { 0x00 } \
-# chunk_length 500000 \
-# non_strict \
-# no_alerts
-
-
-# rpc_decode: normalize RPC traffic
-# ---------------------------------
-# RPC may be sent in alternate encodings besides the usual 4-byte encoding
-# that is used by default. This plugin takes the port numbers that RPC
-# services are running on as arguments - it is assumed that the given ports
-# are actually running this type of service. If not, change the ports or turn
-# it off.
-# The RPC decode preprocessor uses generator ID 106
-#
-# arguments: space separated list
-# alert_fragments - alert on any rpc fragmented TCP data
-# no_alert_multiple_requests - don't alert when >1 rpc query is in a packet
-# no_alert_large_fragments - don't alert when the fragmented
-# sizes exceed the current packet size
-# no_alert_incomplete - don't alert when a single segment
-# exceeds the current packet size
-
-preprocessor rpc_decode: 111 32771
-
-# bo: Back Orifice detector
-# -------------------------
-# Detects Back Orifice traffic on the network. Takes no arguments in 2.0.
-#
-# The Back Orifice detector uses Generator ID 105 and uses the
-# following SIDS for that GID:
-# SID Event description
-# ----- -------------------
-# 1 Back Orifice traffic detected
-
-preprocessor bo
-
-# telnet_decode: Telnet negotiation string normalizer
-# ---------------------------------------------------
-# This preprocessor "normalizes" telnet negotiation strings from telnet and ftp
-# traffic. It works in much the same way as the http_decode preprocessor,
-# searching for traffic that breaks up the normal data stream of a protocol and
-# replacing it with a normalized representation of that traffic so that the
-# "content" pattern matching keyword can work without requiring modifications.
-# This preprocessor requires no arguments.
-# Portscan uses Generator ID 109 and does not generate any SID currently.
-
-preprocessor telnet_decode
-
-# Flow-Portscan: detect a variety of portscans
-# ---------------------------------------
-# Note: The Flow preprocessor (above) must first be enabled for Flow-Portscan to
-# work.
-#
-# This module detects portscans based off of flow creation in the flow
-# preprocessors. The goal is to catch catch one->many hosts and one->many
-# ports scans.
-#
-# Flow-Portscan has numerous options available, please read
-# README.flow-portscan for help configuring this option.
-
-# Flow-Portscan uses Generator ID 121 and uses the following SIDS for that GID:
-# SID Event description
-# ----- -------------------
-# 1 flow-portscan: Fixed Scale Scanner Limit Exceeded
-# 2 flow-portscan: Sliding Scale Scanner Limit Exceeded
-# 3 flow-portscan: Fixed Scale Talker Limit Exceeded
-# 4 flow-portscan: Sliding Scale Talker Limit Exceeded
-
-# preprocessor flow-portscan: \
-# talker-sliding-scale-factor 0.50 \
-# talker-fixed-threshold 30 \
-# talker-sliding-threshold 30 \
-# talker-sliding-window 20 \
-# talker-fixed-window 30 \
-# scoreboard-rows-talker 30000 \
-# server-watchnet [10.2.0.0/30] \
-# server-ignore-limit 200 \
-# server-rows 65535 \
-# server-learning-time 14400 \
-# server-scanner-limit 4 \
-# scanner-sliding-window 20 \
-# scanner-sliding-scale-factor 0.50 \
-# scanner-fixed-threshold 15 \
-# scanner-sliding-threshold 40 \
-# scanner-fixed-window 15 \
-# scoreboard-rows-scanner 30000 \
-# src-ignore-net [192.168.1.1/32,192.168.0.0/24] \
-# dst-ignore-net [10.0.0.0/30] \
-# alert-mode once \
-# output-mode msg \
-# tcp-penalties on
-
-# arpspoof
-#----------------------------------------
-# Experimental ARP detection code from Jeff Nathan, detects ARP attacks,
-# unicast ARP requests, and specific ARP mapping monitoring. To make use of
-# this preprocessor you must specify the IP and hardware address of hosts on
-# the same layer 2 segment as you. Specify one host IP MAC combo per line.
-# Also takes a "-unicast" option to turn on unicast ARP request detection.
-# Arpspoof uses Generator ID 112 and uses the following SIDS for that GID:
-
-# SID Event description
-# ----- -------------------
-# 1 Unicast ARP request
-# 2 Etherframe ARP mismatch (src)
-# 3 Etherframe ARP mismatch (dst)
-# 4 ARP cache overwrite attack
-
-#preprocessor arpspoof
-#preprocessor arpspoof_detect_host: 192.168.40.1 f0:0f:00:f0:0f:00
-
-
-# Performance Statistics
-# ----------------------
-# Documentation for this is provided in the Snort Manual. You should read it.
-# It is included in the release distribution as doc/snort_manual.pdf
-#
-# preprocessor perfmonitor: console flow events time 10
-
-####################################################################
-# Step #3: Configure output plugins
-#
-# Uncomment and configure the output plugins you decide to use. General
-# configuration for output plugins is of the form:
-#
-# output <name_of_plugin>: <configuration_options>
-#
-# alert_syslog: log alerts to syslog
-# ----------------------------------
-# Use one or more syslog facilities as arguments. Win32 can also optionally
-# specify a particular hostname/port. Under Win32, the default hostname is
-# '127.0.0.1', and the default port is 514.
-#
-# [Unix flavours should use this format...]
-# output alert_syslog: LOG_AUTH LOG_ALERT
-#
-# [Win32 can use any of these formats...]
-# output alert_syslog: LOG_AUTH LOG_ALERT
-# output alert_syslog: host=hostname, LOG_AUTH LOG_ALERT
-# output alert_syslog: host=hostname:port, LOG_AUTH LOG_ALERT
-
-# log_tcpdump: log packets in binary tcpdump format
-# -------------------------------------------------
-# The only argument is the output file name.
-#
-# output log_tcpdump: tcpdump.log
-
-# database: log to a variety of databases
-# ---------------------------------------
-# See the README.database file for more information about configuring
-# and using this plugin.
-#
-# output database: log, mysql, user=root password=test dbname=db host=localhost
-# output database: alert, postgresql, user=snort dbname=snort
-# output database: log, unixodbc, user=snort dbname=snort
-# output database: log, mssql, dbname=snort user=snort password=test
-
-# unified: Snort unified binary format alerting and logging
-# -------------------------------------------------------------
-# The unified output plugin provides two new formats for logging and generating
-# alerts from Snort, the "unified" format. The unified format is a straight
-# binary format for logging data out of Snort that is designed to be fast and
-# efficient. Used with barnyard (the new alert/log processor), most of the
-# overhead for logging and alerting to various slow storage mechanisms such as
-# databases or the network can now be avoided.
-#
-# Check out the spo_unified.h file for the data formats.
-#
-# Two arguments are supported.
-# filename - base filename to write to (current time_t is appended)
-# limit - maximum size of spool file in MB (default: 128)
-#
-# output alert_unified: filename snort.alert, limit 128
-# output log_unified: filename snort.log, limit 128
-
-# You can optionally define new rule types and associate one or more output
-# plugins specifically to that type.
-#
-# This example will create a type that will log to just tcpdump.
-# ruletype suspicious
-# {
-# type log
-# output log_tcpdump: suspicious.log
-# }
-#
-# EXAMPLE RULE FOR SUSPICIOUS RULETYPE:
-# suspicious $HOME_NET any -> $HOME_NET 6667 (msg:"Internal IRC Server";)
-#
-# This example will create a rule type that will log to syslog and a mysql
-# database:
-# ruletype redalert
-# {
-# type alert
-# output alert_syslog: LOG_AUTH LOG_ALERT
-# output database: log, mysql, user=snort dbname=snort host=localhost
-# }
-#
-# EXAMPLE RULE FOR REDALERT RULETYPE:
-# redalert tcp $HOME_NET any -> $EXTERNAL_NET 31337 \
-# (msg:"Someone is being LEET"; flags:A+;)
-
-#
-# Include classification & priority settings
-#
-
-include classification.config
-
-#
-# Include reference systems
-#
-
-include reference.config
-
-####################################################################
-# Step #4: Customize your rule set
-#
-# Up to date snort rules are available at http://www.snort.org
-#
-# The snort web site has documentation about how to write your own custom snort
-# rules.
-#
-# The rules included with this distribution generate alerts based on on
-# suspicious activity. Depending on your network environment, your security
-# policies, and what you consider to be suspicious, some of these rules may
-# either generate false positives ore may be detecting activity you consider to
-# be acceptable; therefore, you are encouraged to comment out rules that are
-# not applicable in your environment.
-#
-# The following individuals contributed many of rules in this distribution.
-#
-# Credits:
-# Ron Gula <rgula@securitywizards.com> of Network Security Wizards
-# Max Vision <vision@whitehats.com>
-# Martin Markgraf <martin@mail.du.gtn.com>
-# Fyodor Yarochkin <fygrave@tigerteam.net>
-# Nick Rogness <nick@rapidnet.com>
-# Jim Forster <jforster@rapidnet.com>
-# Scott McIntyre <scott@whoi.edu>
-# Tom Vandepoel <Tom.Vandepoel@ubizen.com>
-# Brian Caswell <bmc@snort.org>
-# Zeno <admin@cgisecurity.com>
-# Ryan Russell <ryan@securityfocus.com>
-
-
-
-#=========================================
-# Include all relevant rulesets here
-#
-# The following rulesets are disabled by default:
-#
-# web-attacks, backdoor, shellcode, policy, porn, info, icmp-info, virus,
-# chat, multimedia, and p2p
-#
-# These rules are either site policy specific or require tuning in order to not
-# generate false positive alerts in most enviornments.
-#
-# Please read the specific include file for more information and
-# README.alert_order for how rule ordering affects how alerts are triggered.
-#=========================================
-
-include $RULE_PATH/local.rules
-include $RULE_PATH/bad-traffic.rules
-include $RULE_PATH/exploit.rules
-include $RULE_PATH/scan.rules
-include $RULE_PATH/finger.rules
-include $RULE_PATH/ftp.rules
-include $RULE_PATH/telnet.rules
-include $RULE_PATH/rpc.rules
-include $RULE_PATH/rservices.rules
-include $RULE_PATH/dos.rules
-include $RULE_PATH/ddos.rules
-include $RULE_PATH/dns.rules
-include $RULE_PATH/tftp.rules
-
-include $RULE_PATH/web-cgi.rules
-include $RULE_PATH/web-coldfusion.rules
-include $RULE_PATH/web-iis.rules
-include $RULE_PATH/web-frontpage.rules
-include $RULE_PATH/web-misc.rules
-include $RULE_PATH/web-client.rules
-include $RULE_PATH/web-php.rules
-
-include $RULE_PATH/sql.rules
-include $RULE_PATH/x11.rules
-include $RULE_PATH/icmp.rules
-include $RULE_PATH/netbios.rules
-include $RULE_PATH/misc.rules
-include $RULE_PATH/attack-responses.rules
-include $RULE_PATH/oracle.rules
-include $RULE_PATH/mysql.rules
-include $RULE_PATH/snmp.rules
-
-include $RULE_PATH/smtp.rules
-include $RULE_PATH/imap.rules
-include $RULE_PATH/pop2.rules
-include $RULE_PATH/pop3.rules
-
-include $RULE_PATH/nntp.rules
-include $RULE_PATH/other-ids.rules
-# include $RULE_PATH/web-attacks.rules
-# include $RULE_PATH/backdoor.rules
-# include $RULE_PATH/shellcode.rules
-# include $RULE_PATH/policy.rules
-# include $RULE_PATH/porn.rules
-# include $RULE_PATH/info.rules
-# include $RULE_PATH/icmp-info.rules
-# include $RULE_PATH/virus.rules
-# include $RULE_PATH/chat.rules
-# include $RULE_PATH/multimedia.rules
-# include $RULE_PATH/p2p.rules
-include $RULE_PATH/experimental.rules
-
-# Include any thresholding or suppression commands
-#include threshold.conf
#
# TODO: - snort rules - fix description
+# - clamav support - cleanup, add some docs
+# update clamav patches - the current one uses obsolete cl_scanbuff
+# function (should use cl_scanfile/cl_scandesc instead)
+# - snort_inline - prepare separate sets of config-files, rules
+# and startup script, adds some docs
+# - snort 2.6
#
# Conditional build:
%bcond_without pgsql # build without PostgreSQL storage support
%bcond_without snmp # build without SNMP support
%bcond_without inline # build without inline support
%bcond_without prelude # build without prelude support
+%bcond_with clamav # build with ClamAV preprocessor support (anti-vir)
+%bcond_with registered # build with rules available for registered users
#
Summary: Network intrusion detection system (IDS/IPS)
Summary(pl): System wykrywania intruzów w sieciach (IDS/IPS)
Summary(ru): Snort - ÓÉÓÔÅÍÁ ÏÂÎÁÒÕÖÅÎÉÑ ÐÏÐÙÔÏË ×ÔÏÒÖÅÎÉÑ × ÓÅÔØ
Summary(uk): Snort - ÓÉÓÔÅÍÁ ×ÉÑ×ÌÅÎÎÑ ÓÐÒÏ ×ÔÏÒÇÎÅÎÎÑ × ÍÅÒÅÖÕ
Name: snort
-Version: 2.4.4
-Release: 1
-License: GPL v2
+Version: 2.4.5
+Release: 3
+License: GPL v2 (vrt rules on VRT-License)
Group: Networking
Source0: http://www.snort.org/dl/current/%{name}-%{version}.tar.gz
-# Source0-md5: 9dc9060d1f2e248663eceffadfc45e7e
+# Source0-md5: 108b3c20dcbaf3cdb17ea9203342eaaa
Source1: http://www.snort.org/pub-bin/downloads.cgi/Download/vrt_pr/%{name}rules-pr-2.4.tar.gz
# Source1-md5: 35d9a2486f8c0280bb493aa03c011927
-Source2: %{name}.init
-Source3: %{name}.logrotate
-Source4: %{name}.conf
+%if %{with registered}
+Source2: http://www.snort.org/pub-bin/downloads.cgi/Download/vrt_os/%{name}rules-snapshot-2.4.tar.gz
+# NoSource2-md5: 79af87cda3321bd64279038f9352c1b3
+NoSource: 2
+%endif
+Source3: http://www.snort.org/pub-bin/downloads.cgi/Download/comm_rules/Community-Rules-2.4.tar.gz
+# Source3-md5: 639d98ed81314723f4dee0b3100f7a19
+Source4: %{name}.init
+Source5: %{name}.logrotate
Patch0: %{name}-libnet1.patch
Patch1: %{name}-lib64.patch
+# http://www.bleedingsnort.com/staticpages/index.php?page=snort-clamav
+Patch2: %{name}-2.4.3-clamonly.diff
URL: http://www.snort.org/
BuildRequires: autoconf
BuildRequires: automake
+%{?with_clamav:BuildRequires: clamav-devel}
%{?with_inline:BuildRequires: iptables-devel}
BuildRequires: libnet1-devel = 1.0.2a
BuildRequires: libpcap-devel
%{?with_mysql:Provides: snort(mysql) = %{version}}
%{?with_pgsql:Provides: snort(pgsql) = %{version}}
Provides: user(snort)
+Obsoletes: snort-rules
BuildRoot: %{tmpdir}/%{name}-%{version}-root-%(id -u -n)
%define _sysconfdir /etc/snort
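Review bot: The new `%bcond_with clamav` / `Patch2:` lines enable a ClamAV preprocessor that the build later points at a fixed signature directory (`--with-clamav-defdir=/var/lib/clamav`), but nothing in this hunk adds a runtime `Requires` on the package owning that directory, so a `snort` built `--with clamav` can install and start on a host with no virus database; whether the preprocessor then refuses to run or silently scans against nothing is not visible here. A conditional dependency next to the existing `Provides:` lines, e.g. `%{?with_clamav:Requires: clamav}` (package name to be confirmed against the distribution), would close that gap. The patch is also third-party (bleedingsnort.com) and the TODO at the top of the file says it relies on the obsolete `cl_scanbuff` API, which is worth recording beside `Patch2:` as `# NOTE: uses obsolete cl_scanbuff(); rebase before enabling by default` so it is not enabled by default by accident.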
ÞÁÓ¦, ÎÁÄÓÉÌÁÀÞÉ ÐÏצÄÏÍÌÅÎÎÑ ÄÏ syslog, ÏËÒÅÍÏÇÏ ÆÁÊÌÕ ÞÉ ÑË WinPopup
ÐÏצÄÏÍÌÅÎÎÑ ÞÅÒÅÚ smbclient.
-%package rules
-Summary: Snort rules
-Summary(pl): Regu³ki snorta
-Group: Networking
-Requires: %{name} = %{version}-%{release}
-
-%description rules
-Snort rules.
-
-%description rules -l pl
-Regu³ki snorta.
-
%prep
-%setup -q -a1
+%setup -q %{!?with_registered:-a1} %{?with_registered:-a2} -a3
%patch0 -p1
%if "%{_lib}" == "lib64"
%patch1 -p1
%endif
+%{?with_clamav:%patch2 -p1}
+
+sed -i "s#var\ RULE_PATH.*#var RULE_PATH /etc/snort/rules#g" rules/snort.conf
+_DIR=$(pwd)
+cd rules
+for I in community-*.rules; do
+ echo "include \$RULE_PATH/$I" >> snort.conf
+done
+cd $_DIR
%build
%{__aclocal}
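Review bot: The `for I in community-*.rules` loop appended in %prep has no guard for an empty match: if the Community-Rules tarball lays its files out differently (or `-a3` unpacks elsewhere), the unexpanded pattern itself is written as `include $RULE_PATH/community-*.rules`, and the packaged snort.conf then references a file that does not exist, which will surface only when the daemon starts. The surrounding `cd rules` / `cd $_DIR` dance also has no error check and leaves `$_DIR` unquoted, so a failed `cd` would run the loop in the source root and append nothing. Globbing with the directory prefix and failing the build on a missing match avoids both, and the cd is no longer needed.
```spec
for I in rules/community-*.rules; do
	[ -e "$I" ] || { echo "no community-*.rules found in rules/" >&2; exit 1; }
	echo "include \$RULE_PATH/${I##*/}" >> rules/snort.conf
done
```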
--enable-perfmonitor \
--with%{!?with_pgsql:out}-postgresql \
--with%{!?with_mysql:out}-mysql \
- %{?with_prelude:--enable-prelude }
+ %{?with_prelude:--enable-prelude } \
+ %{?with_clamav:--enable-clamav --with-clamav-defdir=/var/lib/clamav}
%{__make}
install rules/*.config $RPM_BUILD_ROOT%{_sysconfdir}
install etc/unicode.map $RPM_BUILD_ROOT%{_sysconfdir}
install rules/*.rules $RPM_BUILD_ROOT%{_sysconfdir}/rules
-install %{SOURCE2} $RPM_BUILD_ROOT/etc/rc.d/init.d/%{name}
-install %{SOURCE3} $RPM_BUILD_ROOT/etc/logrotate.d/%{name}
-install %{SOURCE4} $RPM_BUILD_ROOT%{_sysconfdir}
+install %{SOURCE4} $RPM_BUILD_ROOT/etc/rc.d/init.d/%{name}
+install %{SOURCE5} $RPM_BUILD_ROOT/etc/logrotate.d/%{name}
+install rules/snort.conf $RPM_BUILD_ROOT%{_sysconfdir}
mv schemas/create_mysql schemas/create_mysql.sql
mv schemas/create_postgresql schemas/create_postgresql.sql
%post
/sbin/chkconfig --add snort
%service snort restart
-if [ "$1" = 1 ]; then
- %banner -e %{name} <<-EOF
- To run snort you must download and install snort rules.
- poldek -u snort-rules or download from http://www.snort.org/
-EOF
-fi
-
%preun
if [ "$1" = "0" ] ; then
%attr(640,root,snort) %config(noreplace) %verify(not md5 mtime size) %{_sysconfdir}/*.config
%attr(640,root,snort) %config(noreplace) %verify(not md5 mtime size) %{_sysconfdir}/snort.conf
%attr(750,root,snort) %dir %{_sysconfdir}/rules
+%attr(640,root,snort) %{_sysconfdir}/rules/*
%attr(754,root,root) /etc/rc.d/init.d/%{name}
%attr(640,root,root) %config(noreplace) %verify(not md5 mtime size) /etc/logrotate.d/*
%{_mandir}/man?/*
-
-%files rules
-%defattr(644,root,root,755)
-%attr(640,root,snort) %{_sysconfdir}/rules/*
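Review bot: The new `%attr(640,root,snort) %{_sysconfdir}/rules/*` entry ships every rules file as plain package content, so an administrator's edits to `local.rules` — the site-rules file the removed snort.conf included first, assuming the rules tarball ships it as the `install rules/*.rules` line suggests — are overwritten on every upgrade with no `.rpmnew`/`.rpmsave`, and the `Obsoletes: snort-rules` added earlier in this diff makes that happen the first time the split package is replaced. This contrasts with `snort.conf` and `*.config` two lines up, which are `%config(noreplace)`. I would list the site file separately, `%attr(640,root,snort) %config(noreplace) %verify(not md5 mtime size) %{_sysconfdir}/rules/local.rules`, making sure it is matched only once since rpm warns about files listed twice, and consider marking the vendor rules `%config` as well, since rules are commonly commented out in place.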