
Major packaging improvement: 1. Completely revamp the rule handling: First, rules are no longer installed in unpacked form. Instead their original tarball is installed. Second, the Snort oinkmaster tool is installed and used to manage the rule installation. By default it just uses the default rule tarball once (which means it just initially installs them). But after optionally registering at snort.org, one can use the received "oinkcode" to let the package upgrade to the latest Snort rules automatically. 2. Add OSSP fsl support to make sure Snort no longer logs to syslog.

Ralf S. Engelschall 20 anni fa
parent
commit
cb66a21fec
5 ha cambiato i file con 171 aggiunte e 38 eliminazioni
  1. 16 0
      snort/fsl.snort
  2. 21 1
      snort/rc.snort
  3. 43 0
      snort/snort-update.sh
  4. 4 4
      snort/snort.conf
  5. 87 33
      snort/snort.spec

+ 16 - 0
snort/fsl.snort

@@ -0,0 +1,16 @@
+##
+##  fsl.snort -- OSSP fsl configuration
+##
+
+ident (snort)/.+ q{
+    prefix(
+        prefix="%b %d %H:%M:%S %N <%L> $1[%P]: "
+    )
+    -> {
+        debug: file(
+            path="@l_prefix@/var/snort/snort.log",
+            perm=0644
+        )
+    }
+};
+

+ 21 - 1
snort/rc.snort

@@ -12,6 +12,8 @@
     snort_log_numfiles="10"
     snort_log_minsize="1M"
     snort_log_complevel="9"
+    snort_update_time="once"
+    snort_update_source="file://@l_prefix@/share/snort/rules.tar.gz"
 
 %common
     snort_cfgfile="@l_prefix@/etc/snort/snort.conf"
@@ -21,6 +23,9 @@
     snort_signal () {
         [ -f $snort_pidfile ] && kill -$1 `cat $snort_pidfile`
     }
+    snort_update () {
+        @l_prefix@/sbin/snort-update "$snort_update_source"
+    }
 
 %status -u @l_susr@ -o
     snort_usable="no"
@@ -61,8 +66,17 @@
     rcService snort active no  && exit 0
     rc snort stop start
 
-%daily -u @l_susr@
+%hourly -u @l_rusr@
+    rcService snort enable yes || exit 0
+    if [ ".$snort_update_time" = .hourly ]; then
+        snort_update || exit $?
+    fi
+
+%daily -u @l_rusr@
     rcService snort enable yes || exit 0
+    if [ ".$snort_update_time" = .daily ]; then
+        snort_update || exit $?
+    fi
     shtool rotate -f \
         -n ${snort_log_numfiles} -s ${snort_log_minsize} -d \
         -z ${snort_log_complevel} -m 644 -o @l_rusr@ -g @l_rgrp@ \
@@ -70,3 +84,9 @@
         -E "${snort_log_epilog}; rc snort reload" \
         $snort_logdir/snort.alert.log
 
+%weekly -u @l_rusr@
+    rcService snort enable yes || exit 0
+    if [ ".$snort_update_time" = .weekly ]; then
+        snort_update || exit $?
+    fi
+
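Review bot: In the %daily section the new `snort_update || exit $?` guard sits before the `shtool rotate` call, so a failed rule download (network error, rejected oinkcode) also skips log rotation, which has nothing to do with the update. Move the `if [ ".$snort_update_time" = .daily ]; then ... fi` block below the rotate call, or replace the `exit $?` with a diagnostic on stderr, so the two jobs fail independently; the same pattern in %hourly and %weekly is harmless because nothing follows it there. Separately, %daily now runs as @l_rusr@ instead of @l_susr@ while the rotate epilog still calls `rc snort reload`; whether that user may signal the snort process depends on which user the %start section (outside this hunk) runs snort as, so that is worth confirming on a test host.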

+ 43 - 0
snort/snort-update.sh

@@ -0,0 +1,43 @@
+#!/bin/sh
+##
+##  snort-update.sh -- Snort Rule Updating Utility
+##  Copyright (c) 2005 Ralf S. Engelschall <rse@engelschall.com> 
+##
+
+#   command line parameters
+url="$1"
+if [ ".$url" = . ]; then
+    echo "USAGE: $0 <url>" 1>&2
+    exit 1
+fi
+
+#   configuration
+rulesdir="@l_prefix@/var/snort/rules"
+tmpdir="@l_prefix@/var/snort/tmp"
+oinkmaster="@l_prefix@/sbin/oinkmaster"
+logfile="@l_prefix@/var/snort/oinkmaster.log"
+statsfile="@l_prefix@/var/snort/snort.stats"
+
+#   parameter post-processing
+url=`echo "$url" |\
+     sed -e 's;^oinkcode:\(.*\)$;http://www.snort.org/pub-bin/oinkmaster.cgi/\1/snortrules-snapshot-@V_rules@.tar.gz;' \
+         -e 's;^\(/.*\)$;file://\1;'`
+
+#   ruleset updating
+( echo "++ SNORT-UPDATE START (`date`)"
+  echo "++ Update URL: \"$url\""
+  $oinkmaster -q -o $rulesdir -u $url
+  if [ ! -f $rulesdir/local.rules ]; then
+      touch $rulesdir/local.rules
+  fi
+  @l_prefix@/lib/openpkg/shtool subst \
+      -e 's;\(var HOME_NET\) any;\1 $(HOME_NET:-any);' \
+      -e 's;\(var EXTERNAL_NET\) any;\1 $(EXTERNAL_NET:-any);' \
+      -e 's; \([^ /]*\.map\); $(RULE_PATH)/\1;' \
+      -e 's; \([^ /]*\.config\); $(RULE_PATH)/\1;' \
+      -e "s;\\(var RULE_PATH\\).*;\\1 \$(RULE_PATH:-$rulesdir);" \
+      -e "s;/var/snort/snort\.stats;$statsfile;" \
+      $rulesdir/snort.conf
+  echo "++ SNORT-UPDATE END (`date`)"
+) >>$logfile 2>&1
+
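Review bot: The script's exit status never reflects an oinkmaster failure: the `( ... ) >>$logfile 2>&1` subshell ends with an `echo`, so the script exits 0 even when the download or the rule installation fails, and the `snort_update || exit $?` check in rc.snort can never trigger. Change the call to `$oinkmaster -q -o "$rulesdir" -u "$url" || exit $?`, which makes the subshell, and with it the script, return oinkmaster's status (the quoting also keeps a URL with unusual characters intact). The oinkcode is a per-user credential, yet after the sed rewrite it is written verbatim to oinkmaster.log by `echo "++ Update URL: \"$url\""` and is visible on the command line of oinkmaster (and of the `su -c` in the spec's %post); mask it in the log, e.g. `echo "++ Update URL: \"$(echo "$url" | sed -e 's;\(oinkmaster\.cgi/\)[^/]*;\1<oinkcode>;')\""`, and make sure the log file is not world-readable. The ruleset is fetched over plain http:// with no integrity check, so a tampered download silently becomes the active ruleset; if that is a limitation of the snort.org download path rather than a choice, it deserves a sentence in the script header so operators know to watch oinkmaster.log for unexpected changes.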

+ 4 - 4
snort/snort.conf

@@ -3,8 +3,8 @@
 ##
 
 #   common variables
-var CFG_PATH @l_prefix@/share/snort
-var VAR_PATH @l_prefix@/var/snort
+var VAR_PATH  @l_prefix@/var/snort
+var RULE_PATH $VAR_PATH/rules
 
 #   output selection
 config alertfile:    $VAR_PATH/snort.alert.log
@@ -15,8 +15,8 @@ output alert_fast:   $VAR_PATH/snort.alert.log
 config show_year
 config order: alert pass log
 
-#   load default snort configuration
+#   load snort rules configuration
 var HOME_NET      any
 var EXTERNAL_NET  any
-include $CFG_PATH/etc/snort.conf
+include $RULE_PATH/snort.conf
 

+ 87 - 33
snort/snort.spec

@@ -23,8 +23,9 @@
 ##
 
 #   package version
-%define       V_snort 2.4.0
-%define       V_rules 2.4
+%define       V_snort      2.4.0
+%define       V_rules      2.4
+%define       V_oinkmaster 1.2
 
 #   package information
 Name:         snort
@@ -37,26 +38,34 @@ Class:        PLUS
 Group:        Network
 License:      GPL
 Version:      %{V_snort}
-Release:      20050729
+Release:      20050903
 
 #   package options
+%option       with_fsl    yes
 %option       with_mysql  no
 %option       with_pgsql  no
 
 #   list of sources
 Source0:      http://www.snort.org/dl/current/snort-%{V_snort}.tar.gz
 Source1:      http://www.snort.org/pub-bin/downloads.cgi/Download/vrt_pr/snortrules-pr-%{V_rules}.tar.gz
-Source2:      snort.conf
-Source3:      rc.snort
+Source2:      http://osdn.dl.sourceforge.net/sourceforge/oinkmaster/oinkmaster-%{V_oinkmaster}.tar.gz
+Source3:      snort.conf
+Source4:      rc.snort
+Source5:      fsl.snort
+Source6:      snort-update.sh
 Patch0:       snort.patch
 
 #   build information
 Prefix:       %{l_prefix}
 BuildRoot:    %{l_buildroot}
 BuildPreReq:  OpenPKG, openpkg >= 20040130, make, gcc
-PreReq:       OpenPKG, openpkg >= 20040130
+PreReq:       OpenPKG, openpkg >= 20040130, perl, perl-www, perl-sys, perl-comp
 BuildPreReq:  libpcap, libnet, pcre
 PreReq:       libpcap, libnet, pcre
+%if "%{with_fsl}" == "yes"
+BuildPreReq:  fsl >= 1.2.0
+PreReq:       fsl >= 1.2.0
+%endif
 %if "%{with_mysql}" == "yes"
 BuildPreReq:  mysql
 PreReq:       mysql
@@ -87,10 +96,15 @@ AutoReqProv:  no
         url       = http://www.snort.org/dl/
         regex     = snort-(\d+\.\d+\.\d+)\.tar\.gz
     }
+    prog snort:oinkmaster = {
+        version   = %{V_oinkmaster}
+        url       = http://prdownloads.sourceforge.net/oinkmaster/
+        regex     = oinkmaster-(__VER__)\.tar\.gz
+    }
 
 %prep
     %setup -q
-    %setup -q -D -T -a 1
+    %setup -q -D -T -a 2
     %patch -p0
     %{l_shtool} subst %{l_value -s -a} \
         src/snort.h
@@ -107,8 +121,8 @@ AutoReqProv:  no
     CC="%{l_cc}" \
     CFLAGS="%{l_cflags -O}" \
     CPPFLAGS="%{l_cppflags}" \
-    LDFLAGS="%{l_ldflags}" \
-    LIBS="$LIBS" \
+    LDFLAGS="%{l_ldflags} %{l_fsl_ldflags}" \
+    LIBS="$LIBS %{l_fsl_libs}" \
     ./configure \
         --prefix=%{l_prefix} \
         --sysconfdir=%{l_prefix}/etc/snort \
@@ -139,12 +153,12 @@ AutoReqProv:  no
     %{l_shtool} mkdir -f -p -m 755 \
         $RPM_BUILD_ROOT%{l_prefix}/sbin \
         $RPM_BUILD_ROOT%{l_prefix}/man/man8 \
+        $RPM_BUILD_ROOT%{l_prefix}/etc/fsl \
         $RPM_BUILD_ROOT%{l_prefix}/etc/rc.d \
         $RPM_BUILD_ROOT%{l_prefix}/etc/snort \
-        $RPM_BUILD_ROOT%{l_prefix}/share/snort/etc \
-        $RPM_BUILD_ROOT%{l_prefix}/share/snort/map \
-        $RPM_BUILD_ROOT%{l_prefix}/share/snort/rules \
-        $RPM_BUILD_ROOT%{l_prefix}/var/snort
+        $RPM_BUILD_ROOT%{l_prefix}/share/snort \
+        $RPM_BUILD_ROOT%{l_prefix}/var/snort/rules \
+        $RPM_BUILD_ROOT%{l_prefix}/var/snort/tmp
 
     #   install program and manual page
     %{l_shtool} install -c -s -m 755 \
@@ -152,33 +166,23 @@ AutoReqProv:  no
     %{l_shtool} install -c -m 644 \
         snort.8 $RPM_BUILD_ROOT%{l_prefix}/man/man8/
 
-    #   install default configuration and rules files
-    %{l_shtool} install -c -m 644 \
-        -e 's;\(var HOME_NET\) any;\1 $(HOME_NET:-any);' \
-        -e 's;\(var EXTERNAL_NET\) any;\1 $(EXTERNAL_NET:-any);' \
-        -e 's;\(var RULE_PATH\).*;\1 %{l_prefix}/share/snort/rules;g' \
-        -e 's;include classification.config;include %{l_prefix}/share/snort/etc/classification.config;' \
-        -e 's;include reference.config;include %{l_prefix}/share/snort/etc/reference.config;' \
-        -e 's;iis_unicode_map unicode.map;iis_unicode_map %{l_prefix}/share/snort/map/unicode.map;' \
-        etc/snort.conf \
-        $RPM_BUILD_ROOT%{l_prefix}/share/snort/etc/
-    %{l_shtool} install -c -m 644 \
-        etc/reference.config etc/classification.config etc/threshold.conf \
-        $RPM_BUILD_ROOT%{l_prefix}/share/snort/etc/
-    %{l_shtool} install -c -m 644 \
-        etc/unicode.map etc/gen-msg.map etc/sid-msg.map \
-        $RPM_BUILD_ROOT%{l_prefix}/share/snort/map/
-    %{l_shtool} install -c -m 644 \
-        rules/*.rules $RPM_BUILD_ROOT%{l_prefix}/share/snort/rules/
-
     #   install default configuration
     %{l_shtool} install -c -m 644 %{l_value -s -a} \
         %{SOURCE snort.conf} $RPM_BUILD_ROOT%{l_prefix}/etc/snort/
 
+    #   install default ruleset tarball
+    %{l_shtool} install -c -m 644 \
+        %{SOURCE snortrules-pr-%{V_rules}.tar.gz} \
+        $RPM_BUILD_ROOT%{l_prefix}/share/snort/rules.tar.gz
+
     #   install run-command script
     %{l_shtool} install -c -m 755 %{l_value -s -a} \
         %{SOURCE rc.snort} $RPM_BUILD_ROOT%{l_prefix}/etc/rc.d/
 
+    #   install OSSP fsl configuration
+    %{l_shtool} install -c -m 644 %{l_value -s -a} \
+        %{SOURCE fsl.snort} $RPM_BUILD_ROOT%{l_prefix}/etc/fsl/
+
     #   install optional/additional files
 %if "%{with_mysql}" == "yes"
     %{l_shtool} install -c -m 644 \
@@ -191,11 +195,35 @@ AutoReqProv:  no
         $RPM_BUILD_ROOT%{l_prefix}/share/snort/
 %endif
 
+    #   install oinkmaster utility
+    ( cd oinkmaster-%{V_oinkmaster}
+      %{l_shtool} install -c -m 755 \
+          -e 's;#!/usr/bin/perl;#!%{l_prefix}/bin/perl;g' \
+          -e 's;/etc/oinkmaster\.conf;%{l_prefix}/etc/snort/oinkmaster.conf;' \
+          oinkmaster.pl $RPM_BUILD_ROOT%{l_prefix}/sbin/oinkmaster
+      %{l_shtool} install -c -m 644 \
+          oinkmaster.1 $RPM_BUILD_ROOT%{l_prefix}/man/man8/oinkmaster.8
+      %{l_shtool} install -c -m 644 \
+          -e 's;^\(path = \);\1%{l_prefix}/bin:;' \
+          -e 's;^# tmpdir = /home/oinkmaster/tmp/;tmpdir = %{l_prefix}/var/snort/tmp;' \
+          -e 's;^# \(use_external_bins = 0\);\1;' \
+          -e 's;^\(skipfile snort\.conf\);# \1;' \
+          oinkmaster.conf $RPM_BUILD_ROOT%{l_prefix}/etc/snort/
+    ) || exit $?
+
+    #   install rule update utility
+    %{l_shtool} install -c -m 755 %{l_value -s -a} \
+        -e 's;@V_rules@;%{V_rules};g' \
+        %{SOURCE snort-update.sh} \
+        $RPM_BUILD_ROOT%{l_prefix}/sbin/snort-update
+
     #   determine installation files
     %{l_rpmtool} files -v -ofiles -r$RPM_BUILD_ROOT \
         %{l_files_std} \
         '%config %{l_prefix}/etc/snort/*' \
-        '%attr(-,%{l_rusr},%{l_rgrp}) %{l_prefix}/var/snort'
+        '%attr(-,%{l_rusr},%{l_rgrp}) %{l_prefix}/var/snort' \
+        '%attr(-,%{l_rusr},%{l_rgrp}) %{l_prefix}/var/snort/rules' \
+        '%attr(-,%{l_rusr},%{l_rgrp}) %{l_prefix}/var/snort/tmp'
 
 %files -f files
 
@@ -209,6 +237,30 @@ AutoReqProv:  no
           echo "\"snort_if\" in $RPM_INSTALL_PREFIX/etc/rc.conf to the name of the"
           echo "used network interface."
         ) | %{l_rpmtool} msg -b -t notice
+        ( echo "To use Snort as an IDS, its rules HAVE to be ALWAYS up to date."
+          echo "But this package just ships with the latest PUBLIC version of the"
+          echo "\"Sourcefire VRT Certified Rules\" for UNREGISTERED Snort users."
+          echo "This means your rules are NOT covering the latest known attacks."
+          echo ""
+          echo "Hence, we strongly recommend to become at least a REGISTERED Snort"
+          echo "user (see http://www.snort.org/ for details). This way you receive"
+          echo "a so-called \"oinkcode\" (a sequence of 40 hexadecimal numbers)"
+          echo "which you can configure in the file"
+          echo "    $RPM_INSTALL_PREFIX/etc/rc.conf"
+          echo "via the directives"
+          echo "    snort_update_time=\"daily\""
+          echo "    snort_update_source=\"oinkcode:XXXX...\""
+          echo "to update your Snort rules in"
+          echo "    $RPM_INSTALL_PREFIX/var/snort/rules/"
+          echo "automatically once per day with the latest version of the"
+          echo "\"Sourcefire VRT Certified Rules\" for REGISTERED Snort users."
+        ) | %{l_rpmtool} msg -b -t notice
+    fi
+
+    #   trigger a ruleset update
+    snort_update_source=`%{l_rc} -q snort_update_source`
+    if [ ".$snort_update_source" != . ]; then
+        su - %{l_rusr} -c "$RPM_INSTALL_PREFIX/sbin/snort-update \"$snort_update_source\""
     fi
 
     #   after upgrade, restart service
@@ -224,5 +276,7 @@ AutoReqProv:  no
     rm -f $RPM_INSTALL_PREFIX/var/snort/*.pid >/dev/null 2>&1 || true
     rm -f $RPM_INSTALL_PREFIX/var/snort/*.log >/dev/null 2>&1 || true
     rm -f $RPM_INSTALL_PREFIX/var/snort/*.cap >/dev/null 2>&1 || true
+    rm -f $RPM_INSTALL_PREFIX/var/snort/rules/* >/dev/null 2>&1 || true
+    rm -f $RPM_INSTALL_PREFIX/var/snort/tmp/*   >/dev/null 2>&1 || true
     exit 0
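Review bot: In %post the rc.conf value is spliced into a double-quoted `su -c` command string (`su - %{l_rusr} -c "$RPM_INSTALL_PREFIX/sbin/snort-update \"$snort_update_source\""`), so a value containing a double quote, `$` or a backquote is re-interpreted by the spawned shell; rc.conf is root-owned, so this is a robustness rather than a privilege issue, but the value should be validated against the accepted forms (`oinkcode:`, `file://`, `http://`, absolute path) before interpolation, and the exit status of `su` should be checked or at least reported instead of being dropped. This trigger also appears to sit outside the first-install `if` closed at the preceding `fi`, so a network download happens inside %post on every install and upgrade, which can stall the package operation on a host without connectivity; a note in the package description would help. In the %preun hunk, `rm -f $RPM_INSTALL_PREFIX/var/snort/rules/*` also removes local.rules, the file snort-update creates for site-specific rules; that is operator data and should be preserved or the glob narrowed (the %preun body starts outside the hunk, so whether a `$1` guard protects upgrades cannot be seen here).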