# snort.pp

# Miah Johnson - <miahNO$P4M@chia-pet.org>

# Describes how to install Snort.

 

class snort {

 

  include virt_users, virt_groups

  realize(

    Group["snort"],

    User["snort"],

  )

 

  package { pcre:

    ensure => "installed",

    before => Package["snort", "snort-mysql"],

  }

 

  package { mysql:

    name => $operatingsystem ? {

       default => "mysql",

       opensuse => "libmysqlclient15",

    },

    ensure => "installed",

    before => Package["snort-mysql"],

  }

 

  package { snort:

    ensure => "installed",

    require => [ File["nstrepo"], Package["pcre"] ],

  }

 

  package { snort-mysql:

    ensure => "installed",

    require => package["snort"],

  }

 

  file { "/etc/snort/rules":

    ensure => "directory",

    mode => "750",

    owner => "root",

    group => "snort",

    recurse => "true",

    before => Exec["extract-snort-rules"],

    require => Package["snort"],

    }

 

  file { "/etc/snort/xfer.tgz":

    source => "puppet://puppet/nst/xfer.tgz",

    alias => "snort-rules",

    before => Exec["extract-snort-rules"],

    require => File["/etc/snort/rules"],

    checksum => "md5lite",

    }

 

  exec { "tar zxf xfer.tgz -C /etc/snort/rules":

    path => ["/bin", "/sbin", "/usr/bin", "/usr/sbin"],

    cwd => "/etc/snort",

    alias => "extract-snort-rules",

    subscribe => File["snort-rules"],

    refreshonly => "true",

    }

 

  file { "/var/run/snort":

    ensure => "directory",

    mode => "770",

    owner => "root",

    group => "snort"

    }

 

  service { "snortd":

    enable => "false",

    ensure => "stopped",

    require => Package["snort"],

  }

 

}

 

define snort::daemon (

 $dev,

 $sensor_name,

 $bpf_rules,

 $home_net = "any",

 $ext_net = "any",

 $dns_srv = "$HOME_NET",

 $smtp_srv = "$HOME_NET",

 $telnet_srv = "$HOME_NET",

 $snmp_srv = "$HOME_NET",

 $http_srv = "$HOME_NET",

 $sql_srv = "$HOME_NET",

 $http_prt = "80",

 $shc_prt = "!80",

 $orcl_prt = "1521",

 $aim_srv = "64.12.24.0/23,64.12.28.0/23,64.12.161.0/24,64.12.163.0/24,64.12.200.0/24,205.188.3.0/24,205.188.5.0/24,205.188.7.0/24,205.188.9.0/24,205.188.153.0/24,205.188.179.0/24,205.188.248.0/24",

 $db_type = "mysql",

 $db_user = "snort",

 $db_pass = "64m0nsn0rt",

 $db_name = "snort",

 # demarc.reinternal.com

 $db_host = "10.104.138.241",

 $snort_opts = ["-A", "fast", "-b", "-D", "-o"],

 $snort_usr = "snort",

 $snort_grp = "snort"

 )

# $dev - which device to bind snort to. eg, any or eth0

# $sensor_name - the name to use for mysql reporting, initscripts,

# configuration files, and log directories.

# $bpf_rules - Multiple rules allowed, use an array.

# $name - name the daemon, eg snort1, snort2, keep under 12 chars.

 

 {

  include snort

 

  file { "/etc/snort/bpf-$sensor_name.conf":

    ensure => "present",

    content => template("snort/bpf.conf.erb"),

    notify => Service["snortd-$sensor_name"],

    require => File["/etc/snort/rules"],

    }

 

  file { "/etc/snort/snort-$sensor_name.conf":

    ensure => "present",

    content => template("snort/snort.conf.erb"),

    notify => Service["snortd-$sensor_name"],

    require => File["/etc/snort/rules"],

    }

 

 

  file { "/var/log/snort-$sensor_name":

    ensure => "directory",

    mode => "770",

    owner => "root",

    group => "snort",

    }

 

  file { "/etc/sysconfig/snort-$sensor_name":

    ensure => "present",

    owner => "root",

    group => "snort",

    mode => "640",

    content => template("snort/sysconfig.erb"),

    alias => "snortcfg-$sensor_name",

    notify => Service["snortd-$sensor_name"]

    }

 

  file { "/etc/init.d/snortd-$sensor_name":

    ensure => "present",

    owner => "root",

    group => "root",

    mode => "755",

    content => $operatingsystem ? {

      default => template("snort/snortd.rhel.erb"),

      suse => template("snort/snortd.suse.erb"),

      opensuse => template("snort/snortd.suse.erb"),

      },

    }

 

  file { "/etc/logrotate.d/snort-$sensor_name":

    ensure => "present",

    owner => "root",

    group => "root",

    mode => "644",

    content => template("snort/logrotate.erb"),

    }

 

  service { "snortd-$sensor_name":

    enable => "true",

    ensure => "running",

    hasstatus => "true",

    subscribe => file["snortcfg-$sensor_name", "snort-rules"],

    require => Package["snort", "snort-mysql"],

  }

 

}