Re: [RFR] templates://snort/{snort.templates,snort-common.templates}
Christian PERRIER wrote:
> This review is quite "light": I indeed have the feeling that I already
> came on this package at some (distant) point in the past.
February 2008!
> Rationale:
> --- snort.old/debian/snort.templates 2013-08-18 06:18:52.501757139 +0200
> +++ snort/debian/snort.templates 2013-08-25 14:59:27.881965518 +0200
Oh, you skipped:
> Template: snort/startup
> Type: select
> __Choices: boot, dialup, manual
> Default: boot
> _Description: Snort start method:
> Snort can be started during boot, when connecting to the net with pppd or
> only manually with the /usr/sbin/snort command.
It seems to me that this would be clearer if it included the word
"automatically":
Please choose how Snort should be started: automatically on boot,
automatically when connecting to the net with pppd, or manually with the
/usr/sbin/snort command.
> @@ -10,13 +10,13 @@
> Type: string
> Default: eth0
> _Description: Interface(s) which Snort should listen on:
> + This value is usually "eth0", but this may be inappropriate in some
> + network environments; for a dialup connection "ppp0" might be more
> + appropriate (see the output of "/sbin/ifconfig").
> .
> + Typically, this is the same interface as the "default route" is on. You can
> + determine which interface is used for this by running "/sbin/route -n"
> + (look for "0.0.0.0").
> .
> It is also not uncommon to use an interface with no IP address
> configured in promiscuous mode. For such cases, select the
>
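Review bot: the "(look for "0.0.0.0")" hint in the second paragraph only holds for /sbin/route -n; "ip route" prints the same entry as "default via ... dev eth0", so if the template is moved to the iproute commands the hint has to change with it, and debian/control (Depends: net-tools, Recommends: iproute, in the attached file below) should be adjusted so that whichever tool the template tells the user to run is guaranteed to be installed.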
> Use of double quotes
And in the next paragraph (around "port mirroring/spanning").
These days apparently they're trying to move us from ifconfig from
net-tools to ip from iproute(2), in which case maybe it's time to
start advising the use of "ip link" and "ip route". I'm not sure of
that, though - I'm not even sure where I'd go to find out.
Meanwhile I notice snort-common.templates also has some singlequotes
around "/usr/sbin/snort -T -c /etc/snort/snort.conf".
> --- snort.old/debian/control 2013-08-18 06:18:52.501757139 +0200
> +++ snort/debian/control 2013-08-25 15:00:36.675922549 +0200
> @@ -67,7 +67,7 @@
> Conflicts: snort (<< ${binary:Version})
> Replaces: snort (<< 1.8.4beta1-1)
> Suggests: snort-doc
> -Description: flexible Network Intrusion Detection System [common files]
> +Description: flexible Network Intrusion Detection System - common files
> Snort is a libpcap-based packet sniffer/logger which can be used as a
> lightweight network intrusion detection system. It features rules
> based logging and can perform content searching/matching in addition
> to being used to detect a variety of other attacks and probes, such
The boilerplate is mostly okay, but I'd recommend adding a hyphen in
"rule-based logging", and simplifying away the easily misunderstood
"being used to":
lightweight network intrusion detection system. It features rules-based
logging and can perform content searching/matching in addition to
detecting a variety of other attacks and probes, such as buffer
(And as I asked last time, if this is a lightweight one, what do the
heavyweights look like?)
> Package: snort-common
[...]
> This is a common package which holds cron jobs, tools and config files used
> by all the different packages flavors.
^
Missing Harvard comma, bad noun-stack:
This is a common package which holds cron jobs, tools, and config files
used by all the different package flavors.
> @@ -85,7 +85,7 @@
> Depends: ${misc:Depends}
> Priority: optional
> Section: doc
> -Description: Documentation for the Snort IDS [documentation]
> +Description: Documentation for the Snort IDS - documentation
Hang on, don't you mean
Description: flexible Network Intrusion Detection System - documentation
[...]
This package provides the documentation for Snort.
Package: snort-rules-default
[...]
> +Description: flexible Network Intrusion Detection System - ruleset
> Snort default ruleset which provides a basic set network intrusion detection
> rules developed by the Snort community.
Add the boilerplate paragraph and merge the two existing paragraphs
into one.
Hang on, what's this "control.inline" file with lots more stanzas?
--
JBR with qualifications in linguistics, experience as a Debian
sysadmin, and probably no clue about this particular package
diff -ru snort-2.9.5.3.pristine/debian/control snort-2.9.5.3/debian/control
--- snort-2.9.5.3.pristine/debian/control 2013-08-16 19:56:00.000000000 +0100
+++ snort-2.9.5.3/debian/control 2013-08-25 16:01:50.206500418 +0100
@@ -45,13 +45,12 @@
Suggests: snort-doc
Description: flexible Network Intrusion Detection System
Snort is a libpcap-based packet sniffer/logger which can be used as a
- lightweight network intrusion detection system. It features rules
- based logging and can perform content searching/matching in addition
- to being used to detect a variety of other attacks and probes, such
- as buffer overflows, stealth port scans, CGI attacks, SMB probes, and
- much more. Snort has a real-time alerting capability, with alerts being
- sent to syslog, a separate "alert" file, or even to a Windows computer
- via Samba.
+ lightweight network intrusion detection system. It features rules-based
+ logging and can perform content searching/matching in addition to
+ detecting a variety of other attacks and probes, such as buffer
+ overflows, stealth port scans, CGI attacks, SMB probes, and much more.
+ Snort has a real-time alerting capability, with alerts being sent to
+ syslog, a separate "alert" file, or even to a Windows computer via Samba.
.
This package provides the plain-vanilla version of Snort.
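Review bot: the hunk spells it "rules-based logging" while the covering reply proposes "rule-based logging"; the two should agree, and "rule-based" is the usual form. The same boilerplate paragraph is repeated verbatim in four more stanzas below, so whichever spelling wins has to be applied in all five places, and a short comment in debian/control saying the paragraphs are meant to stay identical would save the next editor from fixing only one.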
@@ -67,33 +66,33 @@
Conflicts: snort (<< ${binary:Version})
Replaces: snort (<< 1.8.4beta1-1)
Suggests: snort-doc
-Description: flexible Network Intrusion Detection System [common files]
+Description: flexible Network Intrusion Detection System - common files
Snort is a libpcap-based packet sniffer/logger which can be used as a
- lightweight network intrusion detection system. It features rules
- based logging and can perform content searching/matching in addition
- to being used to detect a variety of other attacks and probes, such
- as buffer overflows, stealth port scans, CGI attacks, SMB probes, and
- much more. Snort has a real-time alerting capability, with alerts being
- sent to syslog, a separate "alert" file, or even to a Windows computer
- via Samba.
+ lightweight network intrusion detection system. It features rules-based
+ logging and can perform content searching/matching in addition to
+ detecting a variety of other attacks and probes, such as buffer
+ overflows, stealth port scans, CGI attacks, SMB probes, and much more.
+ Snort has a real-time alerting capability, with alerts being sent to
+ syslog, a separate "alert" file, or even to a Windows computer via Samba.
.
- This is a common package which holds cron jobs, tools and config files used
- by all the different packages flavors.
+ This is a common package which holds cron jobs, tools, and config files
+ used by all the different package flavors.
Package: snort-doc
Architecture: all
Depends: ${misc:Depends}
Priority: optional
Section: doc
-Description: Documentation for the Snort IDS [documentation]
+Description: flexible Network Intrusion Detection System - documentation
Snort is a libpcap-based packet sniffer/logger which can be used as a
- lightweight network intrusion detection system. It features rules
- based logging and can perform content searching/matching in addition
- to being used to detect a variety of other attacks and probes, such
- as buffer overflows, stealth port scans, CGI attacks, SMB probes, and
- much more. Snort has a real-time alerting capability, with alerts being
- sent to syslog, a separate "alert" file, or even to a Windows computer
- via Samba.
+ lightweight network intrusion detection system. It features rules-based
+ logging and can perform content searching/matching in addition to
+ detecting a variety of other attacks and probes, such as buffer
+ overflows, stealth port scans, CGI attacks, SMB probes, and much more.
+ Snort has a real-time alerting capability, with alerts being sent to
+ syslog, a separate "alert" file, or even to a Windows computer via Samba.
+ .
+ This package provides the documentation for Snort.
Package: snort-rules-default
Provides: snort-rules
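Review bot: the snort-doc stanza loses the one phrase that said what the package is ("Documentation for the Snort IDS") and gains only "This package provides the documentation for Snort.", which says no more than the old synopsis did; since the source stanza's Build-Depends-Indep (texlive, latex2html, ghostscript) show the manual is built from LaTeX, the closing paragraph could say what the user actually gets (the Snort manual and related documents, in which formats) rather than repeating "documentation".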
@@ -106,29 +105,34 @@
Suggests: snort (>= 2.2.0) | snort-pgsql (>= 2.2.0) | snort-mysql (>= 2.2.0)
Recommends: oinkmaster
Homepage: http://www.snort.org/snort-rules/
-Description: flexible Network Intrusion Detection System ruleset
- Snort default ruleset which provides a basic set network intrusion detection
- rules developed by the Snort community.
+Description: flexible Network Intrusion Detection System - ruleset
+ Snort is a libpcap-based packet sniffer/logger which can be used as a
+ lightweight network intrusion detection system. It features rules-based
+ logging and can perform content searching/matching in addition to
+ detecting a variety of other attacks and probes, such as buffer
+ overflows, stealth port scans, CGI attacks, SMB probes, and much more.
+ Snort has a real-time alerting capability, with alerts being sent to
+ syslog, a separate "alert" file, or even to a Windows computer via Samba.
.
- These rules can be used as a basis for development of additional rules. Users
- using Snort to defend networks in production environments are encouraged
- to update their local rulesets as described in the included documentation
- or using the oinkmaster package.
+ This is the Snort default ruleset, which provides a basic set of network
+ intrusion detection rules developed by the Snort community. They can be
+ used as a basis for development of additional rules. Users using Snort to
+ defend networks in production environments are encouraged to update their
+ local rulesets as described in the included documentation or using the
+ oinkmaster package.
Package: snort-common-libraries
Architecture: any
Depends: ${shlibs:Depends}, ${misc:Depends}
Suggests: snort (>= 2.7.0) | snort-pgsql (>= 2.7.0) | snort-mysql (>= 2.7.0)
Conflicts: snort-common (<< 2.7.0-6)
-Description: flexible Network Intrusion Detection System ruleset
+Description: flexible Network Intrusion Detection System - libraries
Snort is a libpcap-based packet sniffer/logger which can be used as a
- lightweight network intrusion detection system. It features rules
- based logging and can perform content searching/matching in addition
- to being used to detect a variety of other attacks and probes, such
- as buffer overflows, stealth port scans, CGI attacks, SMB probes, and
- much more. Snort has a real-time alerting capability, with alerts being
- sent to syslog, a separate "alert" file, or even to a Windows computer
- via Samba.
+ lightweight network intrusion detection system. It features rules-based
+ logging and can perform content searching/matching in addition to
+ detecting a variety of other attacks and probes, such as buffer
+ overflows, stealth port scans, CGI attacks, SMB probes, and much more.
+ Snort has a real-time alerting capability, with alerts being sent to
+ syslog, a separate "alert" file, or even to a Windows computer via Samba.
.
This package provides libraries used by all the Snort binary packages.
-
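Review bot: the snort-common-libraries synopsis change from "ruleset" to "libraries" fixes a copy-and-paste error in the old control file (a library package was described as a ruleset), so it deserves its own changelog line rather than being buried in a wording pass. In the snort-rules-default paragraph, "Users using Snort to defend networks in production environments" keeps a redundancy the rest of the rewrite removes; "Those using Snort to defend production networks" or "Anyone running Snort in production" reads better.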
diff -ru snort-2.9.5.3.pristine/debian/snort-common.templates snort-2.9.5.3/debian/snort-common.templates
--- snort-2.9.5.3.pristine/debian/snort-common.templates 2013-08-16 19:50:42.000000000 +0100
+++ snort-2.9.5.3/debian/snort-common.templates 2013-08-25 15:41:00.254833111 +0100
@@ -17,7 +17,7 @@
starting up normally. Please review and correct it.
.
To diagnose errors in your Snort configuration you can run (as root)
- the following: '/usr/sbin/snort -T -c /etc/snort/snort.conf'
+ the following: "/usr/sbin/snort -T -c /etc/snort/snort.conf"
Template: snort/deprecated_file
Type: note
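Review bot: the quoting change is fine, but the sentence "To diagnose errors in your Snort configuration you can run (as root) the following:" does not tell the user that "-T" validates the configuration and exits instead of starting the sniffer; saying "To test the configuration without starting Snort, run (as root) ..." makes clear the command is safe to run on a live system.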
diff -ru snort-2.9.5.3.pristine/debian/snort.templates snort-2.9.5.3/debian/snort.templates
--- snort-2.9.5.3.pristine/debian/snort.templates 2013-08-16 19:50:42.000000000 +0100
+++ snort-2.9.5.3/debian/snort.templates 2013-08-25 16:13:13.852548728 +0100
@@ -3,27 +3,28 @@
__Choices: boot, dialup, manual
Default: boot
_Description: Snort start method:
- Snort can be started during boot, when connecting to the net with pppd or
- only manually with the /usr/sbin/snort command.
+ Please choose how Snort should be started: automatically on boot,
+ automatically when connecting to the net with pppd, or manually with the
+ /usr/sbin/snort command.
Template: snort/interface
Type: string
Default: eth0
_Description: Interface(s) which Snort should listen on:
- This value is usually 'eth0', but this may be inappropriate in some
- network environments; for a dialup connection 'ppp0' might be more
- appropriate (see the output of '/sbin/ifconfig').
- .
- Typically, this is the same interface as the 'default route' is on. You can
- determine which interface is used for this by running '/sbin/route -n'
- (look for '0.0.0.0').
+ This value is usually "eth0", but this may be inappropriate in some
+ network environments; for a dialup connection "ppp0" might be more
+ appropriate (see the output of "/sbin/ifconfig").
+ .
+ Typically, this is the same interface as the "default route" is on. You can
+ determine which interface is used for this by running "/sbin/route -n"
+ (look for "0.0.0.0").
.
It is also not uncommon to use an interface with no IP address
configured in promiscuous mode. For such cases, select the
interface in this system that is physically connected to the network
that should be inspected, enable promiscuous mode later on and make sure
that the network traffic is sent to this interface (either connected
- to a 'port mirroring/spanning' port in a switch, to a hub or to a tap).
+ to a "port mirroring/spanning" port in a switch, to a hub, or to a tap).
.
You can configure multiple interfaces, just by adding more than
one interface name separated by spaces. Each interface can have its
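Review bot: in the unchanged context of this hunk, "enable promiscuous mode later on" contradicts the snort/disable_promiscuous template later in the same file, whose Default: false means promiscuous mode is on unless the admin opts out; the sentence should say that promiscuous mode is the default and just needs to be left enabled for an interface with no IP address. Since the quoting in that paragraph is being touched anyway, the fix belongs in the same hunk.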
@@ -49,12 +50,11 @@
check every packet that passes the Ethernet segment even if it's a
connection between two other computers.
-
Template: snort/invalid_interface
Type: error
_Description: Invalid interface
Snort is trying to use an interface which does not exist or is down.
- Either it is defaulting inappropriately to 'eth0', or you specified
+ Either it is defaulting inappropriately to "eth0", or you specified
one which is invalid.
Template: snort/send_stats
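Review bot: the error names the condition hit (interface missing or down) but not where the value is set; the snort/config_parameters template in this file names /etc/default/snort as the file the init script reads, so telling the user to correct the interface there (or to reconfigure the package) would make the error actionable rather than just descriptive.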
@@ -88,7 +88,7 @@
Template: snort/please_restart_manually
Type: note
_Description: Snort restart required
- As Snort is manually launched, you need to run '/etc/init.d/snort' for
+ As Snort is manually launched, you need to run "service snort restart" for
the changes to take place.
Template: snort/config_parameters
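Review bot: this is more than a quote-style change: the old text asked the user to run a bare '/etc/init.d/snort' with no action argument, so "service snort restart" is a real fix and should be called out as such in the changelog. The lead-in "As Snort is manually launched" also reads oddly before an init-system restart command; something like "Because the start method is set to manual, Snort was not restarted automatically; run "service snort restart" for the changes to take effect." ties the note to the snort/startup "manual" choice it presumably refers to.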
@@ -103,4 +103,3 @@
one. Until you do this, the initialization script will not use the new
configuration and you will not take advantage of the benefits
introduced in newer releases.
-
Template: snort/startup
Type: select
__Choices: boot, dialup, manual
Default: boot
_Description: Snort start method:
Please choose how Snort should be started: automatically on boot,
automatically when connecting to the net with pppd, or manually with the
/usr/sbin/snort command.
Template: snort/interface
Type: string
Default: eth0
_Description: Interface(s) which Snort should listen on:
This value is usually "eth0", but this may be inappropriate in some
network environments; for a dialup connection "ppp0" might be more
appropriate (see the output of "/sbin/ifconfig").
.
Typically, this is the same interface as the "default route" is on. You can
determine which interface is used for this by running "/sbin/route -n"
(look for "0.0.0.0").
.
It is also not uncommon to use an interface with no IP address
configured in promiscuous mode. For such cases, select the
interface in this system that is physically connected to the network
that should be inspected, enable promiscuous mode later on and make sure
that the network traffic is sent to this interface (either connected
to a "port mirroring/spanning" port in a switch, to a hub, or to a tap).
.
You can configure multiple interfaces, just by adding more than
one interface name separated by spaces. Each interface can have its
own specific configuration.
Template: snort/address_range
Type: string
Default: 192.168.0.0/16
_Description: Address range for the local network:
Please use the CIDR form - for example, 192.168.1.0/24 for a block of
256 addresses or 192.168.1.42/32 for just one. Multiple values should
be comma-separated (without spaces).
.
Please note that if Snort is configured to use multiple interfaces,
it will use this value as the HOME_NET definition for all of them.
Template: snort/disable_promiscuous
Type: boolean
Default: false
_Description: Should Snort disable promiscuous mode on the interface?
Disabling promiscuous mode means that Snort will only see packets
addressed to the interface it is monitoring. Enabling it allows Snort to
check every packet that passes the Ethernet segment even if it's a
connection between two other computers.
Template: snort/invalid_interface
Type: error
_Description: Invalid interface
Snort is trying to use an interface which does not exist or is down.
Either it is defaulting inappropriately to "eth0", or you specified
one which is invalid.
Template: snort/send_stats
Type: boolean
Default: true
_Description: Should daily summaries be sent by e-mail?
A cron job can be set up to send daily summaries of Snort logs to a
selected e-mail address.
.
Please choose whether you want to activate this feature.
Template: snort/stats_rcpt
Type: string
Default: root
_Description: Recipient of daily statistics mails:
Please specify the e-mail address that should receive daily summaries
of Snort logs.
Template: snort/options
Type: string
_Description: Additional custom options:
Please specify any additional options Snort should use.
Template: snort/stats_treshold
Type: string
Default: 1
_Description: Minimum occurrences before alerts are reported:
Please enter the minimum number of alert occurrences before a given alert is
included in the daily statistics.
Template: snort/please_restart_manually
Type: note
_Description: Snort restart required
As Snort is manually launched, you need to run "service snort restart" for
the changes to take place.
Template: snort/config_parameters
Type: error
_Description: Obsolete configuration file
This system uses an obsolete configuration file
(/etc/snort/snort.common.parameters)
which has been automatically converted into the new configuration
file format (at /etc/default/snort).
.
Please review the new configuration and remove the obsolete
one. Until you do this, the initialization script will not use the new
configuration and you will not take advantage of the benefits
introduced in newer releases.
Template: snort/deprecated_config
Type: note
_Description: Deprecated options in configuration file
The Snort configuration file (/etc/snort/snort.conf) uses deprecated
options no longer available for this Snort release. Snort will not be able to
start unless you provide a correct configuration file. Either allow the
configuration file to be replaced with the one provided in this package or fix
it manually by removing deprecated options.
.
The following deprecated options were found in the configuration file:
${DEP_CONFIG}
Template: snort/config_error
Type: error
_Description: Configuration error
The current Snort configuration is invalid and will prevent Snort
starting up normally. Please review and correct it.
.
To diagnose errors in your Snort configuration you can run (as root)
the following: "/usr/sbin/snort -T -c /etc/snort/snort.conf"
Template: snort/deprecated_file
Type: note
_Description: Deprecated configuration file
Your system has deprecated configuration files which should not be used any
longer and might contain deprecated options. If included through the standard
configuration file (/etc/snort/snort.conf), they might prevent Snort from
starting up properly.
.
Please remove these files as well as any existing references to them in the
/etc/snort/snort.conf configuration file.
.
The following deprecated configuration files were found:
${DEP_FILE}
Source: snort
Section: net
Priority: optional
Maintainer: Javier Fernández-Sanguino Peña <jfs@debian.org>
Uploaders: Andrew Pollock <apollock@debian.org>
Build-Depends:
libnet1-dev,
libpcap0.8-dev,
libpcre3-dev,
debhelper (>= 5.0.0),
po-debconf (>= 0.5.0),
libgnutls-dev,
libdumbnet-dev,
libdaq-dev,
flex,
bison
Build-Depends-Indep:
texlive,
texlive-latex-base,
latex2html,
ghostscript
Standards-Version: 3.9.2
Homepage: http://www.snort.org/
Vcs-Git: git://git.debian.org/git/pkg-snort/pkg-snort.git
Vcs-Browser: http://anonscm.debian.org/gitweb/?p=pkg-snort/pkg-snort.git
Package: snort
Architecture: any
Pre-Depends: adduser (>= 3.11)
Depends:
snort-common-libraries (>=${binary:Version}),
snort-rules-default (>= ${source:Version}),
snort-common (>= ${source:Version}),
debconf (>= 0.2.80) | debconf-2.0,
rsyslog | system-log-daemon,
logrotate,
net-tools,
${shlibs:Depends},
${misc:Depends}
Conflicts:
snort-mysql,
snort-pgsql
Replaces: snort-common (<< 2.0.2-3)
Recommends: iproute
Suggests: snort-doc
Description: flexible Network Intrusion Detection System
Snort is a libpcap-based packet sniffer/logger which can be used as a
lightweight network intrusion detection system. It features rules-based
logging and can perform content searching/matching in addition to
detecting a variety of other attacks and probes, such as buffer
overflows, stealth port scans, CGI attacks, SMB probes, and much more.
Snort has a real-time alerting capability, with alerts being sent to
syslog, a separate "alert" file, or even to a Windows computer via Samba.
.
This package provides the plain-vanilla version of Snort.
Package: snort-common
Architecture: all
Pre-Depends: adduser (>= 3.11)
Depends:
perl-modules,
debconf (>= 0.2.80) | debconf-2.0,
lsb-base,
${shlibs:Depends},
${misc:Depends}
Conflicts: snort (<< ${binary:Version})
Replaces: snort (<< 1.8.4beta1-1)
Suggests: snort-doc
Description: flexible Network Intrusion Detection System - common files
Snort is a libpcap-based packet sniffer/logger which can be used as a
lightweight network intrusion detection system. It features rules-based
logging and can perform content searching/matching in addition to
detecting a variety of other attacks and probes, such as buffer
overflows, stealth port scans, CGI attacks, SMB probes, and much more.
Snort has a real-time alerting capability, with alerts being sent to
syslog, a separate "alert" file, or even to a Windows computer via Samba.
.
This is a common package which holds cron jobs, tools, and config files
used by all the different package flavors.
Package: snort-doc
Architecture: all
Depends: ${misc:Depends}
Priority: optional
Section: doc
Description: flexible Network Intrusion Detection System - documentation
Snort is a libpcap-based packet sniffer/logger which can be used as a
lightweight network intrusion detection system. It features rules-based
logging and can perform content searching/matching in addition to
detecting a variety of other attacks and probes, such as buffer
overflows, stealth port scans, CGI attacks, SMB probes, and much more.
Snort has a real-time alerting capability, with alerts being sent to
syslog, a separate "alert" file, or even to a Windows computer via Samba.
.
This package provides the documentation for Snort.
Package: snort-rules-default
Provides: snort-rules
Architecture: all
Depends:
debconf (>= 0.2.80) | debconf-2.0,
adduser (>= 3.11),
${shlibs:Depends},
${misc:Depends}
Suggests: snort (>= 2.2.0) | snort-pgsql (>= 2.2.0) | snort-mysql (>= 2.2.0)
Recommends: oinkmaster
Homepage: http://www.snort.org/snort-rules/
Description: flexible Network Intrusion Detection System - ruleset
Snort is a libpcap-based packet sniffer/logger which can be used as a
lightweight network intrusion detection system. It features rules-based
logging and can perform content searching/matching in addition to
detecting a variety of other attacks and probes, such as buffer
overflows, stealth port scans, CGI attacks, SMB probes, and much more.
Snort has a real-time alerting capability, with alerts being sent to
syslog, a separate "alert" file, or even to a Windows computer via Samba.
.
This is the Snort default ruleset, which provides a basic set of network
intrusion detection rules developed by the Snort community. They can be
used as a basis for development of additional rules. Users using Snort to
defend networks in production environments are encouraged to update their
local rulesets as described in the included documentation or using the
oinkmaster package.
Package: snort-common-libraries
Architecture: any
Depends: ${shlibs:Depends}, ${misc:Depends}
Suggests: snort (>= 2.7.0) | snort-pgsql (>= 2.7.0) | snort-mysql (>= 2.7.0)
Conflicts: snort-common (<< 2.7.0-6)
Description: flexible Network Intrusion Detection System - libraries
Snort is a libpcap-based packet sniffer/logger which can be used as a
lightweight network intrusion detection system. It features rules-based
logging and can perform content searching/matching in addition to
detecting a variety of other attacks and probes, such as buffer
overflows, stealth port scans, CGI attacks, SMB probes, and much more.
Snort has a real-time alerting capability, with alerts being sent to
syslog, a separate "alert" file, or even to a Windows computer via Samba.
.
This package provides libraries used by all the Snort binary packages.
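The snort/interface, snort/address_range and snort/invalid_interface templates above tell the admin to find the default-route interface (the "0.0.0.0" row of "/sbin/route -n"), to list interfaces separated by spaces, and to give HOME_NET as comma-separated CIDR blocks without spaces. The following Python script, added here as an illustration and not part of this thread or of the Debian snort package, performs those checks: it picks the default-route interface from either net-tools or iproute2 output (in "ip route" the row is printed as "default", not "0.0.0.0"), rejects interface names that are not present, and rejects HOME_NET values with spaces or host bits set. The command outputs and the set of present interfaces are constructed inline so it runs offline, and all function names are hypothetical.

```python
"""Checks for the answers the snort debconf templates ask for.

Added example: the route/ip output below is constructed, not captured
from a real host, and the helper names are hypothetical.
"""
import ipaddress

# Constructed output of "/sbin/route -n" (net-tools): the default route is
# the row whose Destination column is 0.0.0.0, and Iface is the last column.
ROUTE_N_OUTPUT = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.1.1     0.0.0.0         UG    0      0        0 eth0
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
"""

# Constructed output of "ip route" (iproute2): the same route is printed as
# "default via ... dev <iface>", so the "look for 0.0.0.0" hint does not apply.
IP_ROUTE_OUTPUT = """\
default via 192.168.1.1 dev eth0 proto dhcp metric 100
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.42
"""


def default_iface_from_route_n(text):
    """Return the Iface of the 0.0.0.0 (default) row of "route -n" output."""
    for line in text.splitlines():
        fields = line.split()
        # Data rows have eight columns; the two header lines have fewer.
        if len(fields) >= 8 and fields[0] == "0.0.0.0":
            return fields[-1]
    return None


def default_iface_from_ip_route(text):
    """Return the "dev" of the first "default" line of "ip route" output."""
    for line in text.splitlines():
        fields = line.split()
        if fields and fields[0] == "default" and "dev" in fields:
            i = fields.index("dev")
            if i + 1 < len(fields):
                return fields[i + 1]
    return None


def validate_interfaces(value, present):
    """Split the space-separated snort/interface answer and check each name.

    `present` stands in for the set of interfaces that exist and are up
    (on a real host: the names under /sys/class/net with operstate up);
    a missing one is the condition snort/invalid_interface reports.
    """
    names = value.split()
    if not names:
        raise ValueError("no interface given")
    missing = [n for n in names if n not in present]
    if missing:
        raise ValueError("interface does not exist or is down: " + ", ".join(missing))
    return names


def validate_home_net(value):
    """Check the snort/address_range answer: CIDR blocks, comma-separated, no spaces.

    Host bits set in a block (192.168.1.42/24) are rejected rather than
    masked away, because silently widening HOME_NET changes what Snort
    treats as local; the template says to use /32 for a single host.
    """
    if value != value.strip() or " " in value or "\t" in value:
        raise ValueError("HOME_NET must be comma-separated without spaces")
    nets = []
    for part in value.split(","):
        if not part:
            raise ValueError("empty element in HOME_NET list")
        try:
            nets.append(str(ipaddress.ip_network(part, strict=True)))
        except ValueError as exc:
            raise ValueError("bad HOME_NET element %r: %s" % (part, exc))
    return nets


if __name__ == "__main__":
    print("route -n  ->", default_iface_from_route_n(ROUTE_N_OUTPUT))
    print("ip route  ->", default_iface_from_ip_route(IP_ROUTE_OUTPUT))
    print(validate_interfaces("eth0 ppp0", {"lo", "eth0", "ppp0"}))
    print(validate_home_net("192.168.0.0/16,10.0.0.42/32"))
```

On a real host the two parsers would be fed the output of the respective command, and `present` would be read from /sys/class/net; the point of keeping both parsers is that the advice in the template is tool-specific, which is what the question about moving from net-tools to iproute turns on.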