Friday, February 22, 2013

Autosnort offline build Ubuntu 12.04 i386/x86_64 available!

Hello Autosnort Users!

It's been a long time since I've posted. My day job keeps me plenty busy. I apologize for the lack of responsiveness over e-mail. If I haven't gotten to you, it's not because I'm an unsociable jerk; it's that I'm quite literally exhausted at the end of the day. I do work for the federal government right now helping them with their infosec things, and my days are NEVER boring, suffice to say.

That being said, I wanted to announce that after what seems like forever I have new updates to autosnort, namely an offline version of the script that I've released for Ubuntu 12.04 today.

Some of you may be wondering why I would go through the trouble. What good is it? How does it help me?

Well, to the average user it's not likely to be terribly helpful. But for users who have to sneakernet software from point A to point B, from a network with good internet access to one with no or very limited internet access, or even for hackers and infosec enthusiasts taking part in "Capture the Flag" events with limited internet access, an offline build of autosnort that delivers the latest version of snort and snort rules easily seems like a godsend.

The offline script, or scripts I should say, come in two stages:

Stage 1: as-offline-stage1.sh

When this script is run on a system that is identical to your offline system (meaning a system running the same operating system (Ubuntu), version (12.04), and architecture (32-bit/i386 or 64-bit/x86_64)), it downloads all the required packages via apt-get without installing them on this system, and grabs the latest version of snort and daq as well as barnyard2, snortreport, and libdnet. The match matters: the .deb files fetched here are exactly what stage 2 installs, so a different release or architecture on the online host will give you packages the offline host cannot install.

A copy of the perl script create-sidmap.pl and of dpkorder$arch.txt (where $arch is either x86_64 or i386) should also be placed on this system; the script expects to find these two files so that they can be included in the tarball along with all the packages (.deb and .tar.gz) needed by the stage 2 offline installer script.

Stage 2: as-offline-stage2.sh

This script is run on the offline system you plan to install snort on. It requires the tarball generated by the stage 1 script as well as a VRT rules tarball to work properly.

Essentially the script installs all the .deb packages in the correct order, then builds and installs the downloaded source packages, much the same as the online version of the autosnort script (yay for code re-use!).

The end-product is a fully functional snort install, just like the online autosnort script.
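To make the two stages concrete, here is an added example in plain sh that is not the autosnort scripts themselves. It assumes an order file with one package name per line (comments and blank lines allowed), a HOST_TAG file that stage 1 writes and stage 2 checks, and the apt-cache depends / apt-get download idiom for fetching a dependency tree without installing it; all three are assumptions made for illustration, not features of autosnort. The part worth copying is resolve_deb_order: it maps every name in the order file to exactly one .deb before dpkg is touched, so a missing or duplicated package fails cleanly instead of leaving the offline host half-installed.

```shell
#!/bin/sh
# Added example, not the autosnort scripts: a minimal two-stage offline flow.
# Package names, the HOST_TAG file and the one-name-per-line order file are
# assumptions made for illustration.

# Release + architecture of this host, e.g. "precise/amd64". Stage 1 records
# it and stage 2 refuses to install if the offline box does not match.
host_tag() {
    printf '%s/%s\n' "$(lsb_release -sc)" "$(dpkg --print-architecture)"
}

# Stage 1 (online host): fetch .debs without installing them. apt-get download
# fetches only the packages named on its command line, so the dependency tree
# is expanded with apt-cache first; otherwise a dependency that happens to be
# installed on the online host would never make it into the tarball.
stage1_fetch() {
    outdir=$1; shift
    mkdir -p "$outdir" || return 1
    host_tag > "$outdir/HOST_TAG"
    pkgs=$(apt-cache depends --recurse --no-recommends --no-suggests \
               --no-conflicts --no-breaks --no-replaces --no-enhances "$@" \
           | grep '^[a-z0-9]' | sort -u) || return 1
    ( cd "$outdir" && apt-get download $pkgs )
}

# Stage 2, pre-flight: map every name in the order file to exactly one .deb
# under pkgdir and print the paths in order. Fails, before dpkg has run at
# all, on the first name that is missing or that matches several files.
resolve_deb_order() {
    orderfile=$1; pkgdir=$2
    while IFS= read -r name || [ -n "$name" ]; do
        case $name in ''|'#'*) continue ;; esac   # blank lines and comments
        set -- "$pkgdir/${name}_"*.deb
        if [ ! -e "$1" ]; then
            echo "no .deb for '$name' in $pkgdir" >&2; return 1
        elif [ $# -ne 1 ]; then
            echo "several .debs for '$name': $*" >&2; return 1
        fi
        printf '%s\n' "$1"
    done < "$orderfile"
}

# Stage 2 (offline host): verify the tarball was built for this release and
# architecture, then install the .debs in the recorded order. Paths are
# assumed to contain no whitespace.
stage2_install() {
    orderfile=$1; pkgdir=$2
    built_for=$(cat "$pkgdir/HOST_TAG") || return 1
    if [ "$built_for" != "$(host_tag)" ]; then
        echo "tarball built for $built_for, this host is $(host_tag)" >&2
        return 1
    fi
    debs=$(resolve_deb_order "$orderfile" "$pkgdir") || return 1
    for deb in $debs; do
        dpkg -i "$deb" || return 1
    done
}

# Usage (as root or via sudo):
#   online host:  stage1_fetch ./pkgs libpcap0.8-dev libpcre3-dev ...
#   offline host: stage2_install dpkorder-file ./pkgs
```

Running resolve_deb_order first is also the cheapest way to find out, while you still have the online host handy, that a package named in the order file never made it into the tarball.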

Please note that create-sidmap.pl is a part of the Oinkmaster suite. In layman's terms, the Oinkmaster suite is a precursor to PulledPork. The Oinkmaster suite is released under the BSD license, by Sourcefire. I just want to make it abundantly clear here and now that this is NOT my software, and, if requested by the original creator of the script, I will comply and remove it. It is included on my github page currently as a convenience and nothing more.

The reason the create-sidmap script is included is to assist offline users in generating a new sid-msg.map file. I noticed in the process of creating this script that barnyard2 would log alerts just fine, but then snortreport wouldn't show me the alert's message, only "snort alert [sid number]", which was very unhelpful. I eventually discovered this is due to the sid-msg.map file. Essentially, the sid-msg.map file is responsible for "mapping" the snort SID to the msg field of the rule, so that you see the rule's sid and message when you look at an alert via snortreport or the web interface of your choice, instead of "snort alert" followed by the sid number. create-sidmap.pl resolves this problem quite easily.
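The mapping itself is simple enough to regenerate with awk, which is handy on an offline box where perl modules may be missing. The following is an added example, not create-sidmap.pl: it reads snort rules files, skips commented-out rules, and emits the version-1 sid-msg.map format (sid || msg || reference ...) that barnyard2 reads. The sample rules and the example.test reference URL are constructed for the demo. One caveat worth remembering: barnyard2 loads the map when it starts (the sid-msg-map entry in barnyard2.conf), so after unpacking a new VRT tarball you regenerate the map and restart barnyard2, or any new sid shows up unnamed again.

```shell
#!/bin/sh
# Added example, not create-sidmap.pl: build a version-1 sid-msg.map
# ("sid || msg || reference ...", one line per rule) from snort rules files,
# using only awk so it runs on a bare offline box.
gen_sidmap() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }        # skip comments and blank lines
        {
            if (!match($0, /sid:[ \t]*[0-9]+/)) next
            sid = substr($0, RSTART, RLENGTH); sub(/sid:[ \t]*/, "", sid)
            if (!match($0, /msg:[ \t]*"[^"]*"/)) next
            msg = substr($0, RSTART, RLENGTH)
            sub(/msg:[ \t]*"/, "", msg); sub(/"$/, "", msg)
            line = sid " || " msg
            rest = $0                              # append every reference:
            while (match(rest, /reference:[ \t]*[^;]+;/)) {
                ref = substr(rest, RSTART, RLENGTH)
                sub(/reference:[ \t]*/, "", ref); sub(/[ \t]*;$/, "", ref)
                line = line " || " ref
                rest = substr(rest, RSTART + RLENGTH)
            }
            print line
        }' "$@" | sort -n
}

# Constructed sample rules for the demo below (not real VRT rules).
write_sample_rules() {
    cat > "$1" <<'EOF'
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"SSH login attempt from outside"; flow:to_server,established; sid:1000001; rev:2; reference:url,example.test/ssh; classtype:attempted-recon;)
# alert tcp any any -> any 80 (msg:"disabled rule"; sid:1000002; rev:1;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP echo request"; itype:8; sid:1000003; rev:1;)
EOF
}

# Demo: regenerate the map the way you would after unpacking new rules,
# e.g. gen_sidmap /etc/snort/rules/*.rules > /etc/snort/sid-msg.map
tmp=$(mktemp -d)
write_sample_rules "$tmp/local.rules"
gen_sidmap "$tmp/local.rules"
rm -rf "$tmp"
```

The disabled rule never reaches the map, and the output is sorted by sid so the file diffs cleanly between rule updates.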

I hope you all find the scripts useful!

Until next time, happy snorting.