@@ -0,0 +1,5720 @@
+diff -uNr snort-2.9.5.orig/autojunk.sh snort-2.9.5/autojunk.sh
+--- snort-2.9.5.orig/autojunk.sh 1970-01-01 01:00:00.000000000 +0100
++++ snort-2.9.5/autojunk.sh 2013-07-08 22:58:39.886671038 +0200
+@@ -0,0 +1,7 @@
++#!/bin/sh
++# the list of commands that need to run before we do a compile
++libtoolize -f --automake --copy
++aclocal --verbose -I m4 -I /usr/share/aclocal
++autoheader -f
++automake -f --add-missing --copy
++autoconf -f
+diff -uNr snort-2.9.5.orig/etc/snort.conf snort-2.9.5/etc/snort.conf
+--- snort-2.9.5.orig/etc/snort.conf 2013-06-04 23:23:28.000000000 +0200
++++ snort-2.9.5/etc/snort.conf 2013-07-08 22:58:33.182668593 +0200
+@@ -529,11 +529,38 @@
+ # pcap
+ # output log_tcpdump: tcpdump.log
+
++###################################################
++# snortsam
++###################################################
++# In order to cause Snort to send a blocking request to the SnortSam agent,
++# that agent has to be listed, including the port it listens on,
++# and the encryption key it is using. The statement for that is:
++#
++# output alert_fwsam: {SnortSam Station}:{port}/{password}
++#
++# {SnortSam Station}: IP address or host name of the host where SnortSam is running.
++# {port}: The port the remote SnortSam agent listens on.
++# {password}: The password, or key, used for encryption of the
++# communication to the remote agent.
++#
++# At the very least, the IP address or host name of the host running SnortSam
++# needs to be specified. If the port is omitted, it defaults to TCP port 898.
++# If the password is omitted, it defaults to a preset password.
++# (In which case it needs to be omitted on the SnortSam agent as well)
++#
++# More than one host can be specified, but has to be done on the same line.
++# Just separate them with one or more spaces.
++#
++# Examples:
++#
++# output alert_fwsam: firewall/idspassword
++# output alert_fwsam: fw1.domain.tld:898/mykey
++# output alert_fwsam: 192.168.0.1/borderfw 192.168.1.254/wanfw
++
+ # metadata reference data. do not modify these lines
+ include classification.config
+ include reference.config
+
+-
+ ###################################################
+ # Step #7: Customize your rule set
+ # For more information, see Snort Manual, Writing Snort Rules
+diff -uNr snort-2.9.5.orig/etc/snort.conf.orig snort-2.9.5/etc/snort.conf.orig
+--- snort-2.9.5.orig/etc/snort.conf.orig 1970-01-01 01:00:00.000000000 +0100
++++ snort-2.9.5/etc/snort.conf.orig 2013-06-04 23:23:28.000000000 +0200
+@@ -0,0 +1,688 @@
++#--------------------------------------------------
++# VRT Rule Packages Snort.conf
++#
++# For more information visit us at:
++# http://www.snort.org Snort Website
++# http://vrt-blog.snort.org/ Sourcefire VRT Blog
++#
++# Mailing list Contact: snort-sigs@lists.sourceforge.net
++# False Positive reports: fp@sourcefire.com
++# Snort bugs: bugs@snort.org
++#
++# Compatible with Snort Versions:
++# VERSIONS : 2.9.5.0
++#
++# Snort build options:
++# OPTIONS : --enable-gre --enable-mpls --enable-targetbased --enable-ppm --enable-perfprofiling --enable-zlib --enable-active-response --enable-normalizer --enable-reload --enable-react --enable-flexresp3
++#
++# Additional information:
++# This configuration file enables active response, to run snort in
++# test mode -T you are required to supply an interface -i <interface>
++# or test mode will fail to fully validate the configuration and
++# exit with a FATAL error
++#--------------------------------------------------
++
++###################################################
++# This file contains a sample snort configuration.
++# You should take the following steps to create your own custom configuration:
++#
++# 1) Set the network variables.
++# 2) Configure the decoder
++# 3) Configure the base detection engine
++# 4) Configure dynamic loaded libraries
++# 5) Configure preprocessors
++# 6) Configure output plugins
++# 7) Customize your rule set
++# 8) Customize preprocessor and decoder rule set
++# 9) Customize shared object rule set
++###################################################
++
++###################################################
++# Step #1: Set the network variables. For more information, see README.variables
++###################################################
++
++# Setup the network addresses you are protecting
++ipvar HOME_NET any
++
++# Set up the external network addresses. Leave as "any" in most situations
++ipvar EXTERNAL_NET any
++
++# List of DNS servers on your network
++ipvar DNS_SERVERS $HOME_NET
++
++# List of SMTP servers on your network
++ipvar SMTP_SERVERS $HOME_NET
++
++# List of web servers on your network
++ipvar HTTP_SERVERS $HOME_NET
++
++# List of sql servers on your network
++ipvar SQL_SERVERS $HOME_NET
++
++# List of telnet servers on your network
++ipvar TELNET_SERVERS $HOME_NET
++
++# List of ssh servers on your network
++ipvar SSH_SERVERS $HOME_NET
++
++# List of ftp servers on your network
++ipvar FTP_SERVERS $HOME_NET
++
++# List of sip servers on your network
++ipvar SIP_SERVERS $HOME_NET
++
++# List of ports you run web servers on
++portvar HTTP_PORTS [80,81,82,83,84,85,86,87,88,89,311,383,591,593,631,901,1220,1414,1741,1830,2301,2381,2809,3037,3057,3128,3702,4343,4848,5250,6080,6988,7000,7001,7144,7145,7510,7777,7779,8000,8008,8014,8028,8080,8085,8088,8090,8118,8123,8180,8181,8222,8243,8280,8300,8500,8800,8888,8899,9000,9060,9080,9090,9091,9443,9999,11371,34443,34444,41080,50002,55555]
++
++# List of ports you want to look for SHELLCODE on.
++portvar SHELLCODE_PORTS !80
++
++# List of ports you might see oracle attacks on
++portvar ORACLE_PORTS 1024:
++
++# List of ports you want to look for SSH connections on:
++portvar SSH_PORTS 22
++
++# List of ports you run ftp servers on
++portvar FTP_PORTS [21,2100,3535]
++
++# List of ports you run SIP servers on
++portvar SIP_PORTS [5060,5061,5600]
++
++# List of file data ports for file inspection
++portvar FILE_DATA_PORTS [$HTTP_PORTS,110,143]
++
++# List of GTP ports for GTP preprocessor
++portvar GTP_PORTS [2123,2152,3386]
++
++# other variables, these should not be modified
++ipvar AIM_SERVERS [64.12.24.0/23,64.12.28.0/23,64.12.161.0/24,64.12.163.0/24,64.12.200.0/24,205.188.3.0/24,205.188.5.0/24,205.188.7.0/24,205.188.9.0/24,205.188.153.0/24,205.188.179.0/24,205.188.248.0/24]
++
++# Path to your rules files (this can be a relative path)
++# Note for Windows users: You are advised to make this an absolute path,
++# such as: c:\snort\rules
++var RULE_PATH ../rules
++var SO_RULE_PATH ../so_rules
++var PREPROC_RULE_PATH ../preproc_rules
++
++# If you are using reputation preprocessor set these
++# Currently there is a bug with relative paths, they are relative to where snort is
++# not relative to snort.conf like the above variables
++# This is completely inconsistent with how other vars work, BUG 89986
++# Set the absolute path appropriately
++var WHITE_LIST_PATH ../rules
++var BLACK_LIST_PATH ../rules
++
++###################################################
++# Step #2: Configure the decoder. For more information, see README.decode
++###################################################
++
++# Stop generic decode events:
++config disable_decode_alerts
++
++# Stop Alerts on experimental TCP options
++config disable_tcpopt_experimental_alerts
++
++# Stop Alerts on obsolete TCP options
++config disable_tcpopt_obsolete_alerts
++
++# Stop Alerts on T/TCP alerts
++config disable_tcpopt_ttcp_alerts
++
++# Stop Alerts on all other TCPOption type events:
++config disable_tcpopt_alerts
++
++# Stop Alerts on invalid ip options
++config disable_ipopt_alerts
++
++# Alert if value in length field (IP, TCP, UDP) is greater th elength of the packet
++# config enable_decode_oversized_alerts
++
++# Same as above, but drop packet if in Inline mode (requires enable_decode_oversized_alerts)
@@ -0,0 +1,31 @@
+--- src/output-plugins/spo_alert_fwsam.c.orig 2013-07-08 22:37:00.143048750 +0200
++++ src/output-plugins/spo_alert_fwsam.c 2013-07-08 22:43:22.529806701 +0200
+@@ -177,7 +177,7 @@
+ * Returns: void function
+ *
+ */
+-void AlertFWsamInit(char *args)
++void AlertFWsamInit(struct _SnortConfig *sc, char *args)
+ { char *ap;
+ unsigned long statip,cnt,again,i;
+ char *stathost,*statport,*statpass;
+@@ -395,7 +395,7 @@
+ #endif
+
+ /* Set the preprocessor function into the function list */
+- AddFuncToOutputList(AlertFWsam, OUTPUT_TYPE_FLAG__ALERT, fwsamlist);
++ AddFuncToOutputList(sc, AlertFWsam, OUTPUT_TYPE_FLAG__ALERT, fwsamlist);
+ AddFuncToCleanExitList(AlertFWsamCleanExitFunc, fwsamlist);
+ AddFuncToReloadList(AlertFWsamRestartFunc, fwsamlist);
+ }
+--- src/output-plugins/spo_alert_fwsam.h.orig 2013-07-08 22:46:18.705188991 +0200
++++ src/output-plugins/spo_alert_fwsam.h 2013-07-08 22:47:43.332967700 +0200
+@@ -196,7 +196,7 @@
+
+ /* functions */
+ void AlertFWsamSetup(void);
+-void AlertFWsamInit(char *args);
++void AlertFWsamInit(struct _SnortConfig *sc,char *args);
+ void AlertFWsamOptionInit(char *args,OptTreeNode *otn,int protocol);
+ void AlertFWsamCleanExitFunc(int signal, void *arg);
+ void AlertFWsamRestartFunc(int signal, void *arg);
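Review bot: The new prototype in spo_alert_fwsam.h names `struct _SnortConfig` with no forward declaration visible in the hunk; if no header defining that struct is included before this point in the file, the tag takes prototype scope, the compiler warns that it is "declared inside parameter list", and the declaration will not be compatible with the definition in spo_alert_fwsam.c. Add `struct _SnortConfig;` above the `/* functions */` block (or include the Snort header that defines it) so both files see the same type. The header line should also match the definition's spacing, `void AlertFWsamInit(struct _SnortConfig *sc, char *args);`. AlertFWsamInit's body lies outside the hunk, so whether `sc` is used or validated beyond the AddFuncToOutputList call cannot be checked here.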