Sunday, March 3, 2013

Modifications to autosnort offline scripts: support for Debian 6 32/64-bit

Hello Autosnort users,

I wanted to inform you all that I've recently made changes to the autosnort offline scripts to add support for Debian 6 32-bit and 64-bit. Some minor changes to both scripts add OS checks that handle the Debian-specific issues, while the portions of the script that are identical to the Ubuntu 12.04 32/64-bit offline install are reused as-is.

I've tested the scripts against Ubuntu 12.04 and Debian 6, 32-bit and 64-bit versions, on a completely base install with absolutely no updates or extra packages added whatsoever, with the exception of sshd.

The steps are pretty much exactly the same as the first version of the offline script:

1. Run the stage 1 shell script with create-sidmap.pl and the dpkgorder text file for your OS and arch on a system with internet access that is as close to identical to your offline system as possible (meaning same ARCH, same OS version, and the SAME installed packages), or on a system that is a completely baselined OS install with the same OS and arch as the offline operating system you plan to run the stage 2 shell script on.
2. Copy the rule tarball and the tarball created by the stage 1 shell script to your offline system, run the stage 2 shell script there, and answer the prompts, just like the regular, online autosnort installation script.
3. Reboot and you should be golden.


The dpkgorder file is a complete list of .deb files for each supported operating system (Debian or Ubuntu) and each supported arch (i686 or x86_64) that assumes a base OS install with nothing but sshd on it.

If you run the stage1 shell script from a completely base install of the same operating system and arch as your offline IDS system, you'll have absolutely everything you need to get snort and snort report up and running.

If you choose to clone an exact copy of the offline system to run the stage1.sh script, that's fine too; you just have to make absolutely sure the two operating systems are as close to identical as you can get them so that no packages are missing. If there's one thing I've learned from this whole offline installation endeavor, it's that a single missing dependency will cause the whole house of cards to come tumbling down, leaving you with a VERY ugly mess.
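Since one missing package is enough to break the stage 2 install, it is worth comparing the two systems before you start. The following pre-flight check is an added example and not part of autosnort: it assumes both machines have dumped their installed packages with the same `dpkg-query` command (shown in the comments) and that the build host's inventory file travels with the stage 1 tarball; the sample inventories inside the script are constructed, not from real systems.

```shell
#!/bin/sh
# Added example, not part of autosnort: compare the package inventory of the
# stage 1 build host with the offline target before running stage 2.
# Assumes both machines produced their inventory the same way:
#   dpkg-query -W -f='${Package}\t${Version}\t${Architecture}\n' | LC_ALL=C sort > inventory.txt

# Print every inventory line that differs between build host and offline target.
# "-" lines exist only on the build host, "+" lines only on the target.
# A version or architecture mismatch shows up as one "-" and one "+" line.
inventory_diff() {
    build="$1"; target="$2"
    # comm needs sorted input: -23 keeps build-only lines, -13 keeps target-only lines
    LC_ALL=C comm -23 "$build" "$target" | sed 's/^/-/'
    LC_ALL=C comm -13 "$build" "$target" | sed 's/^/+/'
}

# Number of differing lines; 0 means the inventories match.
inventory_mismatch_count() {
    inventory_diff "$1" "$2" | grep -c . || true
}

# Return 0 when the inventories match, 1 otherwise (differences go to stderr).
check_inventories() {
    diff_out=$(inventory_diff "$1" "$2")
    if [ -n "$diff_out" ]; then
        echo "Inventories differ; stage 2 is likely to hit a missing dependency:" >&2
        echo "$diff_out" >&2
        return 1
    fi
    return 0
}

# --- constructed sample inventories (build host is amd64, target is i386) ---
BUILD_INV=$(mktemp); TARGET_INV=$(mktemp)
printf 'libc6\t2.11.3-4\tamd64\nopenssh-server\t1:5.5p1-6\tamd64\nperl\t5.10.1-17\tamd64\n' > "$BUILD_INV"
printf 'libc6\t2.11.3-4\ti386\nopenssh-server\t1:5.5p1-6\ti386\n' > "$TARGET_INV"

if check_inventories "$BUILD_INV" "$TARGET_INV"; then
    echo "OK: build host and offline target match"
else
    echo "Fix the differences above (or rebuild the stage 1 tarball on a matching host) before running stage 2"
fi
```

The same arch check that catches the i386/amd64 mismatch above also flags a missing or differently versioned package, which is exactly the case that breaks the offline install.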

While I had the luxury of a VM, a baseline snapshot and a revert icon (I had to revert the Debian VMs for testing more times than I can count this weekend), some of you won't have that luxury, so pay VERY close attention!

The scripts were committed right before this blog post and should be available via the autosnort github, located under the Ubuntu 12.04/offline directory.

The README should answer any remaining questions you might have or clarify steps pretty well. As always, if you have any further questions, I can be reached via twitter @da_667 or deusexmachina667 at gmail dot com.

Thank you all for using autosnort, and happy snorting!

~DA
