@@ -0,0 +1,3007 @@
+diff -ruN snort-2.9.0.3/autojunk.sh snort-2.9.0.3_bkup/autojunk.sh
+--- snort-2.9.0.3/autojunk.sh 1969-12-31 16:00:00.000000000 -0800
++++ snort-2.9.0.3_bkup/autojunk.sh 2011-01-24 08:50:41.000000000 -0800
+@@ -0,0 +1,7 @@
++#!/bin/sh
++# the list of commands that need to run before we do a compile
++libtoolize --automake --copy
++aclocal -I m4
++autoheader
++automake --add-missing --copy
++autoconf
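Review bot: The five autotools commands run unconditionally, so a failure in `libtoolize` or `aclocal -I m4` does not stop the script and `autoconf` at the end still regenerates `configure` from stale or partial inputs, which then fails later and further from the real cause. Add `set -e` directly after the shebang so the first failing step aborts the run; `set -eu` if the script ever grows variables. The comment on line 2 could also state the expected working directory, since every command assumes it is run from the source root.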
+diff -ruN snort-2.9.0.3/etc/snort.conf snort-2.9.0.3_bkup/etc/snort.conf
+--- snort-2.9.0.3/etc/snort.conf 2010-12-09 13:33:36.000000000 -0800
++++ snort-2.9.0.3_bkup/etc/snort.conf 2011-01-24 08:50:39.000000000 -0800
+@@ -377,11 +377,38 @@
+ # prelude
+ # output alert_prelude
+
++###################################################
++# snortsam
++###################################################
++# In order to cause Snort to send a blocking request to the SnortSam agent,
++# that agent has to be listed, including the port it listens on,
++# and the encryption key it is using. The statement for that is:
++#
++# output alert_fwsam: {SnortSam Station}:{port}/{password}
++#
++# {SnortSam Station}: IP address or host name of the host where SnortSam is running.
++# {port}: The port the remote SnortSam agent listens on.
++# {password}: The password, or key, used for encryption of the
++# communication to the remote agent.
++#
++# At the very least, the IP address or host name of the host running SnortSam
++# needs to be specified. If the port is omitted, it defaults to TCP port 898.
++# If the password is omitted, it defaults to a preset password.
++# (In which case it needs to be omitted on the SnortSam agent as well)
++#
++# More than one host can be specified, but has to be done on the same line.
++# Just separate them with one or more spaces.
++#
++# Examples:
++#
++# output alert_fwsam: firewall/idspassword
++# output alert_fwsam: fw1.domain.tld:898/mykey
++# output alert_fwsam: 192.168.0.1/borderfw 192.168.1.254/wanfw
++
+ # metadata reference data. do not modify these lines
+ include classification.config
+ include reference.config
+
+-
+ ###################################################
+ # Step #7: Customize your rule set
+ # For more information, see Snort Manual, Writing Snort Rules
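Review bot: The new line `If the password is omitted, it defaults to a preset password.` documents a built-in shared key without warning the operator that this default is not a secret: the plugin turns alerts into firewall block requests, so anyone who can reach the agent's port and knows the preset key can presumably have arbitrary addresses blocked. I would add, right after that sentence, `# Always configure a site-specific password here and on the agent; the preset default is not a secret, and a guessed key lets a third party submit block requests.` The surrounding examples (`firewall/idspassword`, `fw1.domain.tld:898/mykey`) are fine as syntax examples but should not be mistaken for acceptable keys.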
+diff -ruN snort-2.9.0.3/src/fatal.h snort-2.9.0.3_bkup/src/fatal.h
+--- snort-2.9.0.3/src/fatal.h 1969-12-31 16:00:00.000000000 -0800
++++ snort-2.9.0.3_bkup/src/fatal.h 2011-01-24 08:50:41.000000000 -0800
+@@ -0,0 +1,40 @@
++/* $Id$ */
++/*
++** Copyright (C) 2002-2008 Sourcefire, Inc.
++** Copyright (C) 1998-2002 Martin Roesch <roesch@sourcefire.com>
++**
++** This program is free software; you can redistribute it and/or modify
++** it under the terms of the GNU General Public License Version 2 as
++** published by the Free Software Foundation. You may not use, modify or
++** distribute this program under any other version of the GNU General
++** Public License.
++**
++** This program is distributed in the hope that it will be useful,
++** but WITHOUT ANY WARRANTY; without even the implied warranty of
++** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
++** GNU General Public License for more details.
++**
++** You should have received a copy of the GNU General Public License
++** along with this program; if not, write to the Free Software
++** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
++*/
++
++#ifndef __FATAL_H__
++#define __FATAL_H__
++
++
++/*
++ * in debugging mode print out the filename and the line number where the
++ * failure have occured
++ */
++
++
++#ifdef DEBUG
++ #define FATAL(msg) { printf("%s:%d: ", __FILE__, __LINE__); FatalError( (char *) msg); }
++#else
++ #define FATAL(msg) FatalError( (char *) msg)
++#endif
++
++
++
++#endif /* __FATAL_H__ */
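Review bot: The DEBUG variant of `FATAL` on the `#ifdef DEBUG` branch expands to a bare `{ ... }` block, so `if (bad) FATAL("x"); else ...` fails to compile with DEBUG defined and the two build variants disagree on what is legal; wrap both expansions as `#define FATAL(msg) do { printf("%s:%d: ", __FILE__, __LINE__); FatalError((char *) msg); } while (0)` and `#define FATAL(msg) do { FatalError((char *) msg); } while (0)`. The header also uses `printf` and `FatalError` without including `<stdio.h>` or the header that declares `FatalError`, so it only compiles when the includer has already pulled them in — either include them here or say so in the header comment. `__FATAL_H__` is a reserved identifier (leading double underscore); `SNORT_FATAL_H` avoids the clash.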
+diff -ruN snort-2.9.0.3/src/output-plugins/Makefile.am snort-2.9.0.3_bkup/src/output-plugins/Makefile.am
+--- snort-2.9.0.3/src/output-plugins/Makefile.am 2010-06-09 15:05:17.000000000 -0700
++++ snort-2.9.0.3_bkup/src/output-plugins/Makefile.am 2011-01-24 08:50:40.000000000 -0800
+@@ -15,6 +15,7 @@
+ spo_log_tcpdump.h spo_unified.c spo_unified2.c spo_unified.h spo_unified2.h \
+ spo_log_ascii.c spo_log_ascii.h spo_alert_sf_socket.h spo_alert_sf_socket.c \
+ $(PRELUDE_CODE) spo_alert_arubaaction.c spo_alert_arubaaction.h \
++spo_alert_fwsam.c spo_alert_fwsam.h \
+ spo_alert_test.c spo_alert_test.h
+
+ INCLUDES = @INCLUDES@
+diff -ruN snort-2.9.0.3/src/output-plugins/spo_alert_fwsam.c snort-2.9.0.3_bkup/src/output-plugins/spo_alert_fwsam.c
+--- snort-2.9.0.3/src/output-plugins/spo_alert_fwsam.c 1969-12-31 16:00:00.000000000 -0800
++++ snort-2.9.0.3_bkup/src/output-plugins/spo_alert_fwsam.c 2011-01-24 08:50:40.000000000 -0800
+@@ -0,0 +1,1379 @@
++/* $id: snortpatchb,v 1.2 2002/10/26 03:32:35 fknobbe Exp $
++**
++** spo_alert_fwsam.c
++**
++** Copyright (c) 2001-2004 Frank Knobbe <frank@knobbe.us>
++**
++** This program is free software; you can redistribute it and/or modify
++** it under the terms of the GNU General Public License as published by
++** the Free Software Foundation; either version 2 of the License, or
++** (at your option) any later version.
++**
++** This program is distributed in the hope that it will be useful,
++** but WITHOUT ANY WARRANTY; without even the implied warranty of
++** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
++** GNU General Public License for more details.
++**
++** You should have received a copy of the GNU General Public License
++** along with this program; if not, write to the Free Software
++** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
++*/
++
++/*
++ * Purpose:
++ *
++ * This module sends alerts to a remote service on a host running SnortSam
++ * (the agent) which will block the intruding IP address on a variety of
++ * host and network firewalls.
++ *
++ * SnortSam also performs checks against a white-list of never-to-be-blocked IP addresses,
++ * can override block durations (for example for known proxies), and can detect attack conditions
++ * where too many blocks are received within a defined interval. If an attack is detected
++ * it will unblock the last x blocks and wait for the attack to end.
++ *
++ * See the SnortSam documentation for more information.
++ *
++ *
++ * Output Plugin Parameters:
++ ***************************
++ *
++ * output alert_fwsam: <SnortSam Station>:<port>/<key>
++ *
++ * <FW Mgmt Station>: The IP address or host name of the host running SnortSam.
++ * <port>: The port the remote SnortSam service listens on (default 898).
++ * <key>: The key used for authentication (encryption really)
++ * of the communication to the remote service.
++ *
++ * Examples:
++ *
++ * output alert_fwsam: snortsambox/idspassword
++ * output alert_fwsam: fw1.domain.tld:898/mykey
++ * output alert_fwsam: 192.168.0.1/borderfw 192.168.1.254/wanfw
++ *
++ *
++ * Rule Options:
++ ***************
++ *
++ * fwsam: who[how],time;
++ *
++ * who: src, source, dst, dest, destination
++ * IP address to be blocked according to snort rule (some rules
++ * are reversed, i.e. homenet -> any [and you want to block any]).
++ * src denotes IP to the left of -> and dst denotes IP to the right
++ *
++ * how: Optional. In, out, src, dest, either, both, this, conn, connection
++ * Tells FW-1 to block packets INcoming from host, OUTgoing to host,
++ * EITHERway, or only THIS connection (IP/Service pair).
++ * See 'fw sam' for more information. May be ignored by other plugins.
++ *
++ * time: Duration of block in seconds. (Accepts 'days', 'months', 'weeks',
++ * 'years', 'minutes', 'seconds', 'hours'. Alternatively, a value of
++ * 0, or the keyword PERManent, INFinite, or ALWAYS, will block the
++ * host permanently. Be careful with this!
++ * Tells FW-1 (and others) how long to inhibit packets from the host.
++ *
++ * Examples:
++ *
++ * fwsam: src[either],15min;
++ * or dst[in], 2 days 4 hours
++ * or src, 1 hour
++ *
++ * (default: src[either],5min)
++ *
++ *
++ * Effect:
++ *
++ * Alerts are sent to the remote SnortSam services on Firewall-1 Management Stations
|