README.SLACKWARE
================

Documentation
-------------

This package builds a very basic Snort installation, useful for monitoring
traffic as an IDS or packet logger, and as a sort of improved tcpdump. More
information can be found at the following URLs:
  https://www.snort.org/               (homepage)
  https://www.snort.org/#documents     (documentation links)
  http://manual.snort.org/             (user manual)


Starting snort
--------------

An rc.snort file has been included for your convenience, but it needs to be
added to your init script of choice to run on boot. You should modify the
variables in /etc/rc.d/rc.snort to reflect the interface you want to monitor,
or start it as:

  IFACE=xxxx /etc/rc.d/rc.snort start|stop|restart

As an example, for eth1 you can put this in your /etc/rc.d/rc.local script:

  if [ -x /etc/rc.d/rc.snort ]; then
    IFACE=eth1 /etc/rc.d/rc.snort start
  fi

and put this in your /etc/rc.d/rc.local_shutdown:

  if [ -x /etc/rc.d/rc.snort ]; then
    IFACE=eth1 /etc/rc.d/rc.snort stop
  fi


Installing and Updating Rules
-----------------------------

In order for Snort to function properly, you need to download rules, and
you need to update the rules regularly.

You can get a paid subscription for the latest rules at
  https://www.snort.org/products

or you can register for free to download rules that are more than 30 days old at
  https://www.snort.org/users/sign_up
and then download your rules from
  https://snort.org/downloads

The downloaded .tar.gz file contains rules and updated configuration files.
Be careful merging them, as you will probably have customized a few settings
in your snort.lua. You need to

1) put the new rules/* into /etc/snort/rules/
2) review any changes to snort.lua
3) restart snort:
   # IFACE=xxxx /etc/rc.d/rc.snort restart

You can use the update_rules.sh script to update the rules for you.
Run the following command to add or update rules:

update_rules.sh /path/to/snort3-community-rules.tar.gz
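The three update steps above, as an added shell helper that is not the SlackBuild's update_rules.sh: it unpacks a downloaded rules archive into a staging directory, keeps a backup of the rules currently in use, copies the new rules in, and only writes a diff for snort.lua instead of overwriting a customised one. It assumes the archive contains a rules/ directory (as step 1 describes) and optionally a snort.lua; restarting snort is left to rc.snort.

```shell
#!/bin/sh
# Hypothetical helper, not the package's update_rules.sh.
# Usage: stage_snort_rules /path/to/rules.tar.gz [/etc/snort]
stage_snort_rules() {
    tarball=$1
    snortdir=${2:-/etc/snort}
    [ -f "$tarball" ] || { echo "no such tarball: $tarball" >&2; return 1; }
    tmp=$(mktemp -d) || return 1
    # Extract into a staging directory so nothing under $snortdir is touched
    # until the whole archive has unpacked cleanly and been inspected.
    if ! tar -xzf "$tarball" -C "$tmp"; then
        echo "extraction of $tarball failed" >&2; rm -rf "$tmp"; return 1
    fi
    rulesrc=$(find "$tmp" -type d -name rules | head -n 1)
    if [ -z "$rulesrc" ]; then
        echo "no rules/ directory in $tarball" >&2; rm -rf "$tmp"; return 1
    fi
    # Keep a timestamped copy of the rules in use so a bad update can be
    # rolled back by moving the backup directory back into place.
    if [ -d "$snortdir/rules" ]; then
        cp -a "$snortdir/rules" "$snortdir/rules.bak.$(date +%Y%m%d%H%M%S)"
    fi
    mkdir -p "$snortdir/rules"
    cp "$rulesrc"/*.rules "$snortdir/rules/"
    # Never overwrite a locally customised snort.lua: write the diff between
    # the installed copy and the shipped one for the admin to review (step 2).
    newlua=$(find "$tmp" -type f -name snort.lua | head -n 1)
    if [ -n "$newlua" ] && [ -f "$snortdir/snort.lua" ]; then
        if ! diff -u "$snortdir/snort.lua" "$newlua" > "$snortdir/snort.lua.diff"; then
            echo "snort.lua differs from the shipped copy;" \
                 "review $snortdir/snort.lua.diff before restarting" >&2
        fi
    fi
    rm -rf "$tmp"
    echo "staged $(ls "$snortdir/rules"/*.rules | wc -l) rule file(s) in $snortdir/rules"
}
```

After reviewing the diff, step 3 still applies: `IFACE=xxxx /etc/rc.d/rc.snort restart`.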
