--- oinkmaster-1.0.orig/oinkmaster.1 +++ oinkmaster-1.0/oinkmaster.1 @@ -8,7 +8,7 @@ .B oinkmaster \- update Snort signatures .SH SYNOPSIS -.B oinkmaster.pl -o +.B oinkmaster -o .I outdir [options] .SH DESCRIPTION @@ -99,14 +99,14 @@ and put the new rules in /etc/rules/: .PP .nf -\fB oinkmaster.pl -o /etc/rules \fP +\fB oinkmaster -o /etc/rules \fP .fi .PP Grab rules archive from local filesystem and do not print anything unless it contains updated rules: .PP .nf -\fB oinkmaster.pl -u file:///tmp/rules.tar.gz -o /etc/rules -q \fP +\fB oinkmaster -u file:///tmp/rules.tar.gz -o /etc/rules -q \fP .fi .PP Download rules archive from default location, make backup of old rules if @@ -117,7 +117,7 @@ first encrypting the content.) .PP .nf -\fB oinkmaster.pl -o /etc/snort/rules -b /etc/snort/backup 2>&1 | \fP\\ +\fB oinkmaster -o /etc/snort/rules -b /etc/snort/backup 2>&1 | \fP\\ \fB mail -s "subject" user@example.com .fi .PP @@ -129,7 +129,7 @@ .PP .nf \fB TMP=`mktemp /tmp/oinkmaster.XXXXXX` && \fP\\ -\fB (oinkmaster.pl -C /etc/oinkmaster-global.conf \fP\\ +\fB (oinkmaster -C /etc/oinkmaster-global.conf \fP\\ \fB -C /etc/oinkmaster-sensor.conf -o /etc/rules \fP\\ \fB -U /etc/snort.conf \fP\\ \fB -u scp://user@example.com:/home/user/rules.tar.gz \fP\\ --- oinkmaster-1.0.orig/debian/changelog +++ oinkmaster-1.0/debian/changelog @@ -0,0 +1,12 @@ +oinkmaster (1.0-1) unstable; urgency=low + + * Initial Release (#219996). This is needed for the release since + there is currently no mechanism to update Snort's ruleset + * Provide a custom configuration file, it is somewhat restricted + so that only root will be able to download new rules under + /var/run/oinkmaster, it will use Perl's implementations of libraries + to avoid system calls to wget/tar/gzip + * Updated ruleset location to 2.2 + + -- Javier Fernandez-Sanguino Pen~a Mon, 13 Sep 2004 16:15:26 +0200 + --- oinkmaster-1.0.orig/debian/compat +++ oinkmaster-1.0/debian/compat 
@@ -0,0 +1 @@
+4
--- oinkmaster-1.0.orig/debian/dirs
+++ oinkmaster-1.0/debian/dirs
@@ -0,0 +1,4 @@
+usr/sbin
+usr/share/doc/oinkmaster/contrib
+etc/
+var/run/oinkmaster
--- oinkmaster-1.0.orig/debian/watch
+++ oinkmaster-1.0/debian/watch
@@ -0,0 +1,6 @@
+# Watch file for oinkmaster
+# Site Directory Pattern Version Script
+version=2
+# Note: this will not work because of sourceforge's redirect
+#http://prdownloads.sourceforge.net/oinkmaster/oinkmaster-(.*)\.tar\.gz debian uupdate
+ftp://ftp.sf.net/pub/sourceforge/o/oi/oinkmaster/oinkmaster-(.*)\.tar\.gz debian uupdate
--- oinkmaster-1.0.orig/debian/control
+++ oinkmaster-1.0/debian/control
@@ -0,0 +1,21 @@
+Source: oinkmaster
+Section: admin
+Priority: optional
+Maintainer: Javier Fernandez-Sanguino Pen~a
+Build-Depends: debhelper (>= 4.0.0)
+Standards-Version: 3.6.0
+
+Package: oinkmaster
+Architecture: all
+Depends: perl (>= 5.6.1), libio-zlib-perl, libwww-perl, libarchive-tar-perl
+Recommends: wget
+Description: Snort rules manager
+ A simple script to manage and update Snort rules with the
+ capability of disabling, modifying and enabling specific
+ rules after an update. Oinkmaster will tell you exactly what
+ has changed since your last update, giving you good
+ control of your rules. It also can be used to manage updates
+ from both the official provider (www.snort.org) and from
+ home-grown rulesets.
+ .
+ Homepage: http://oinkmaster.sourceforge.net/
--- oinkmaster-1.0.orig/debian/rules
+++ oinkmaster-1.0/debian/rules
@@ -0,0 +1,65 @@
+#!/usr/bin/make -f
+# -*- makefile -*-
+# Oinkmaster's debian/rules
+# GNU copyright 1997 to 1999 by Joey Hess.
+
+# Uncomment this to turn on verbose mode.
+#export DH_VERBOSE=1
+
+
+CFLAGS = -Wall -g
+
+ifneq (,$(findstring noopt,$(DEB_BUILD_OPTIONS)))
+ CFLAGS += -O0
+else
+ CFLAGS += -O2
+endif
+ifeq (,$(findstring nostrip,$(DEB_BUILD_OPTIONS)))
+ INSTALL_PROGRAM += -s
+endif
+
+
+build:
+ dh_testdir
+ touch build-stamp
+
+clean:
+ dh_testdir
+ dh_testroot
+ dh_clean
+ rm -f build-stamp configure-stamp
+
+install: build
+ dh_testdir
+ dh_testroot
+ dh_clean -k
+ dh_installdirs
+ install -m 755 oinkmaster.pl debian/oinkmaster/usr/sbin/oinkmaster
+ chown root:root debian/oinkmaster/var/run/oinkmaster
+ chmod o-rwX debian/oinkmaster/var/run/oinkmaster
+ install -m 640 debian/oinkmaster.conf debian/oinkmaster/etc/
+ install -m 644 contrib/* debian/oinkmaster/usr/share/doc/oinkmaster/contrib/
+
+binary-arch: build install
+
+binary-indep: build install
+ dh_testdir
+ dh_testroot
+ dh_installchangelogs ChangeLog
+ dh_installdocs
+ dh_installexamples oinkmaster.conf
+# dh_install
+# dh_installdebconf
+# dh_installcron
+ dh_installman oinkmaster.1
+ dh_compress
+ dh_fixperms
+ dh_perl
+ dh_installdeb
+ dh_shlibdeps
+ dh_gencontrol
+ dh_md5sums
+ dh_builddeb
+
+binary: binary-indep binary-arch
+.PHONY: build clean binary-indep binary-arch binary install configure
--- oinkmaster-1.0.orig/debian/oinkmaster.conf
+++ oinkmaster-1.0/debian/oinkmaster.conf
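Review bot: The `chmod o-rwX` on `debian/oinkmaster/var/run/oinkmaster` and the `install -m 640` of oinkmaster.conf in the install target are undone later in binary-indep, where `dh_fixperms` resets every file and directory in the package tree to go=rX (directory 755, config 644), so the root-only temporary directory and the non-world-readable configuration that the changelog and README.Debian describe never ship in the .deb. Either exclude those paths, `dh_fixperms -X var/run/oinkmaster -X etc/oinkmaster.conf`, or move the chown/chmod and the 640 install after the dh_fixperms call. Separately, `binary-arch: build install` does real work for an `Architecture: all` package; it should be an empty target so an arch-only build produces nothing, and the CFLAGS/INSTALL_PROGRAM block at the top is referenced by no recipe and can be dropped.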
@@ -0,0 +1,163 @@
+# This is the default Debian configuration for oinkmaster
+# Fore more information on how to customise this file with
+# further options please check /usr/share/doc/oinkmater/examples
+# for the original (bigger and more verbose) configuration file.
+
+# -------------------------
+# Location of rules archive
+# -------------------------
+# NOTE: this might need to be changed based on the Snort version
+# you are running. This configuration files uses Snort 2.2.x
+url = http://www.snort.org/dl/rules/snortrules-snapshot-2_2.tar.gz
+
+# For Snort 2.1
+#url = http://www.snort.org/dl/rules/snortrules-snapshot-2_1.tar.gz
+
+# For Snort 2.0
+# url = http://www.snort.org/dl/rules/snortrules-snapshot-2_0.tar.gz
+# To use CVS snapshots
+# url = http://www.snort.org/dl/rules/snortrules-snapshot-CURRENT.tar.gz
+
+# --------------------
+# System configuration
+# --------------------
+path = /sbin:/usr/sbin:/bin:/usr/bin
+# Use external binaries? By default we don't.
+use_external_bins = 1
+# Temporary directory to use. The default configuration only allows
+# root to update the ruleset.
+# Note: If commented out will check environment variables TMP,
+# TMPDIR or TEMPDIR, or otherwise use "/tmp" if none of them was set.
+tmpdir = /var/run/oinkmaster
+# Umask to use while executing
+umask = 0027
+
+
+# --------------------
+# Extra configuration
+# --------------------
+# Files in the archive matching this regular expression will be
+# checked for changes, and then updated or added if needed.
+# You can then choose to skip individual files by specifying
+# the "skipfile" keyword below.
+# Normally you shouldn't need to change this one.
+# (But if you do, make sure it's still a valid regexp.)
+update_files = \.rules$|\.config$|\.conf$|\.txt$|\.map$
+
+
+# Regexp of keywords that starts a snort rule.
+# May be useful if you create your own ruletypes and want those
+# lines to be regarded as rules as well.
+# rule_actions = alert|drop|log|pass|reject|sdrop|activate|dynamic
+
+
+# If the number of rules files in the downloaded archive matching the
+# 'update_files' regexp is below min_files, or if the total number
+# of rules in it is below min_rules, the archive is regarded as
+# broken and the update is aborted with an error message.
+# Both are set to 1 by default (i.e. the archive is only regarded as
+# broken if it's totally empty).
+# min_files = 1
+# min_rules = 1
+
+
+# By default, a basic sanity check is performed on most paths/filenames to
+# see if they contain illegal characters that may screw things up. If this
+# check is too strict for your system (i.e. you get bogus "illegal
+# characters in filename" errors) and you're sure you want to disable
+# the check completely, set use_path_checks to 0.
+use_path_checks = 1
+
+
+# You can include other files:
+# include foo.conf
+
+# --------------
+# Rules handling
+# --------------
+
+#######################################################################
+# Files to totally skip (i.e. never update or check for changes) #
+# #
+# Syntax: skipfile filename #
+# or: skipfile filename1, filename2, filename3, ... #
+#######################################################################
+
+# Ignore local.rules from the rules archive by default since we might
+# have put some local rules in our own local.rules and we don't want it to
+# get overwritten by the empty one from the archive after each update.
+skipfile local.rules
+
+# The file deleted.rules contains rules that have been deleted from other
+# files, so there is usually no point in updating it (although it may be
+# useful to watch for changes in it anyway since it sometimes contains
+# useful comments about *why* certain rules are deleted).
+skipfile deleted.rules
+
+# Also skip snort.conf by default since we don't want to overwrite our own
+# snort.conf if we have it in the same directory as the rules. If you
+# have your own production copy of snort.conf in another directory, it may
+# be really nice to check for changes in this file though, especially
+# since variables are sometimes added or modified and new/old files are
+# included/excluded.
+skipfile snort.conf
+
+# You may want to consider ignoring threshold.conf for the same reasons as
+# for snort.conf, i.e. if you customize it locally and don't want it to
+# become overwritten by the default one. It may be better to put local
+# thresholding/suppressing in some local file and still update and use
+# the official one though, in case important stuff is added to it some
+# day. We do update it by default, but it's your call.
+# skipfile threshold.conf
+
+
+
+##########################################################################
+# SIDs to modify after each update (only for the skilled/stupid/brave). #
+# Don't use it unless you have to. There is nothing that stops you from #
+# modifying rules in such ways that they become invalid. #
+# If you just want to disable SIDs, please skip this section and have a #
+# look at the "disablesid" keyword below. #
+# #
+# You may specify multiple modifysid directives for the same SID (they #
+# will be processed in order of appearance), and you may also specify a #
+# list of SIDs on which the substitution should be applied. #
+# The wildcard ("*") can be used to apply the substitution on all rules #
+# regardless of the SID. #
+# #
+# Syntax: modifysid SID "replacethis" | "withthis" #
+# or: #
+# modifysid SID1, SID2, SID3, ... "replacethis" | "withthis" #
+# or: #
+# modifysid * "replacethis" | "withthis" #
+# #
+# The strings within the quotes will simply be passed to a #
+# s/replacethis/withthis/ statement in Perl, so they must be valid #
+# regular expressions. The strings are case-sensitive and only the first #
+# occurrence will be replaced. If there are multiple occurrences you #
+# want replace, simply repeat the same modifysid line. #
+##########################################################################
+
+
+########################################################################
+# SIDs to enable after each update. #
+# Will simply remove all the leading '#' for a specified SID (if it's #
+# a multi-line rule, the leading '#' for all lines are removed.) #
+# These will be processed after all the modifysid and disablesid #
+# statements. Using 'enablesid' on a rule that is not disabled is a #
+# NOOP. #
+# #
+# Syntax: enablesid SID #
+# or: enablesid SID1, SID2, SID3, ... #
+########################################################################
+
+
+########################################################################
+# SIDs to comment out, i.e. disable, after each update by placing a #
+# '#' in front of the rule (if it's a multi-line rule, it will be put #
+# in front of all lines). #
+# #
+# Syntax: disablesid SID #
+# or: disablesid SID1, SID2, SID3, ... #
+########################################################################
+
--- oinkmaster-1.0.orig/debian/README.Debian
+++ oinkmaster-1.0/debian/README.Debian
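Review bot: `use_external_bins = 1` contradicts the comment directly above it (`# Use external binaries? By default we don't.`) and the statements in the changelog and README.Debian that this configuration avoids wget/tar/gzip and the system() calls that go with them; in oinkmaster a value of 1 selects the external binaries and 0 selects the Perl modules, and the modules' packages (libio-zlib-perl, libwww-perl, libarchive-tar-perl) are already in Depends, so the line should read `use_external_bins = 0`. The `tmpdir = /var/run/oinkmaster` setting also needs a note: the FHS requires /var/run to be cleared at boot, so the directory shipped via debian/dirs may be gone when oinkmaster next runs after a reboot, and whether the script then errors out or silently uses a different location is not visible here. A comment such as `# NOTE: /var/run is cleared at boot; if this directory is missing, recreate it root-owned with mode 0750 before running` would warn the administrator writing the cron job that README.Debian asks for.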
@@ -0,0 +1,22 @@
+oinkmaster for Debian
+---------------------
+
+There is currently no automatic mechanism in place to update the Snort
+signatures through Cron. If you wish to enable such a mechanism you'll
+have to write it yourself.
+
+Note that oinkmaster will not auto-detect the Snort version you are using,
+since Snort rules do not specify the version you should be careful and
+review which ruleset is being downloaded before activating such a task.
+The default configuration for oinkmaster uses the latests Snort Debian
+release available.
+
+The default Debian configuration only allows root to download the rulesets
+by using /var/run/oinkmaster and restricting permissions in that directory.
+$TMP or /tmp are not used in order to avoid symlink attacks. It also avoids
+the use of external binaries so that system() calls are also avoided, you
+will need to install some additional Perl libraries (included in the
+following packages: libio-zlib-perl, libwww-perl, libarchive-tar-perl)
+
+
+ -- Javier Fernandez-Sanguino Pen~a , Mon, 13 Sep 2004 16:15:26 +0200
--- oinkmaster-1.0.orig/debian/docs
+++ oinkmaster-1.0/debian/docs
@@ -0,0 +1,4 @@
+FAQ
+README
+README.gui
+UPGRADING
--- oinkmaster-1.0.orig/debian/copyright
+++ oinkmaster-1.0/debian/copyright
@@ -0,0 +1,44 @@
+This package was debianized by
+Javier Fernandez-Sanguino Pen~a on
+Mon, 13 Sep 2004 16:15:26 +0200.
+
+It was downloaded from http://prdownloads.sourceforge.net/oinkmaster/
+
+Upstream Author: Andreas Östling
+
+Copyright:
+
+ Copyright (c) 2001-2004 Andreas Östling
+ All rights reserved.
+
+ Redistribution and use in source and binary forms, with or
+ without modification, are permitted provided that the following
+ conditions are met:
+
+ 1. Redistributions of source code must retain the above
+ copyright notice, this list of conditions and the following
+ disclaimer.
+
+ 2. Redistributions in binary form must reproduce the above
+ copyright notice, this list of conditions and the following
+ disclaimer in the documentation and/or other materials
+ provided with the distribution.
+
+ 3. Neither the name of the author nor the names of its
+ contributors may be used to endorse or promote products
+ derived from this software without specific prior written
+ permission.
+
+ THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND
+ CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+ MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+ DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR
+ CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
+ OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE,
+ EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.