From 1b73b07ee83b10b0e95d06699e2a9dcb7d319015 Mon Sep 17 00:00:00 2001 From: maniacikarus Date: Sun, 29 Jul 2007 17:55:20 +0000 Subject: [PATCH] Guardian in Snort eingebaut QoS CGI wegen den Language Anpassungen korrigiert Tripwire Policy soll Snortregeln ignorieren Network Skript angepasst git-svn-id: http://svn.ipfire.org/svn/ipfire/trunk@726 ea5c0bd1-69bd-2848-81d8-4f18e57aeed8 --- config/tripwire/twpol.txt | 4 +- html/cgi-bin/ids.cgi | 41 ++--- html/cgi-bin/qos.cgi | 22 +-- src/initscripts/init.d/network | 310 +++++++++++++++++---------------- src/initscripts/init.d/snort | 143 ++++++++------- 5 files changed, 273 insertions(+), 247 deletions(-) diff --git a/config/tripwire/twpol.txt b/config/tripwire/twpol.txt index 5591e7dc45..9cdcce89fc 100644 --- a/config/tripwire/twpol.txt +++ b/config/tripwire/twpol.txt @@ -33,13 +33,13 @@ SIG_HI = 100 ; # Critical files that are significant point /bin -> $(SEC_CRIT) ; /boot -> $(SEC_CRIT) ; /etc -> $(SEC_CRIT) ; + /etc/snort/rules/ -> $(Dynamic) ; /lib -> $(SEC_CRIT) ; /root -> $(SEC_CRIT) ; /root/.bash_history -> $(Dynamic) ; /sbin -> $(SEC_CRIT) ; /usr -> $(SEC_CRIT) ; - !/usr/src ; - !/usr/share/clamav ; + /usr/share/clamav -> $(Dynamic) ; /etc/mtab -> $(SEC_CONFIG) -i ; # Inode number changes on any mount/unmount #don't scan the individual reports diff --git a/html/cgi-bin/ids.cgi b/html/cgi-bin/ids.cgi index 51c9f8c69c..a0b31e5374 100644 --- a/html/cgi-bin/ids.cgi +++ b/html/cgi-bin/ids.cgi @@ -43,6 +43,7 @@ $snortsettings{'ENABLE_SNORT'} = 'off'; $snortsettings{'ENABLE_SNORT_GREEN'} = 'off'; $snortsettings{'ENABLE_SNORT_BLUE'} = 'off'; $snortsettings{'ENABLE_SNORT_ORANGE'} = 'off'; +$snortsettings{'ENABLE_GUARDIAN'} = 'off'; $snortsettings{'ACTION'} = ''; $snortsettings{'RULES'} = ''; $snortsettings{'OINKCODE'} = ''; 
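Review bot: Moving `/etc/snort/rules/` to `$(Dynamic)` (the added line after `/etc`) keeps Tripwire watching ownership, permissions and inode, but Tripwire's predefined Dynamic mask drops size, timestamp and hash properties, so a rewritten or emptied rule file is no longer reported — and a silently altered rule set is precisely the change that blinds the IDS without any other symptom. If the goal is only to quiet rule-updater noise, keep `snort.conf` and the directory entry itself under a hash-checking mask and note the tradeoff beside the rule: `# Snort rules are refreshed by the rule updater; content changes in this tree are NOT detected`. Removing the `!/usr/src` exclusion also places `/usr/src` under `$(SEC_CRIT)`, which will report on every kernel or source build unless that tree is static on the appliance; this is hedged since the mask definitions are outside the hunk. The hunk's 13/13 line counts do not match the twelve lines visible here, so one context line appears lost in this rendering.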
@@ -278,6 +279,12 @@ if ($snortsettings{'ACTION'} eq $Lang::tr{'save'}) } else { unlink "${General::swroot}/snort/enable_orange"; } + if ($snortsettings{'ENABLE_GUARDIAN'} eq 'on') + { + system ('/usr/bin/touch', "${General::swroot}/guardian/enable"); + } else { + unlink "${General::swroot}/guardian/enable"; + } system('/usr/local/bin/snortctrl restart >/dev/null'); @@ -320,6 +327,9 @@ $checked{'ENABLE_SNORT_BLUE'}{$snortsettings{'ENABLE_SNORT_BLUE'}} = "checked='c $checked{'ENABLE_SNORT_ORANGE'}{'off'} = ''; $checked{'ENABLE_SNORT_ORANGE'}{'on'} = ''; $checked{'ENABLE_SNORT_ORANGE'}{$snortsettings{'ENABLE_SNORT_ORANGE'}} = "checked='checked'"; +$checked{'ENABLE_GUARDIAN'}{'off'} = ''; +$checked{'ENABLE_GUARDIAN'}{'on'} = ''; +$checked{'ENABLE_GUARDIAN'}{$snortsettings{'ENABLE_GUARDIAN'}} = "checked='checked'"; $selected{'RULES'}{'nothing'} = ''; $selected{'RULES'}{'community'} = ''; $selected{'RULES'}{'registered'} = ''; @@ -366,35 +376,22 @@ if ($errormessage) { &Header::openbox('100%', 'left', $Lang::tr{'intrusion detection system2'}); print < - - - + - -END -; + print "       BLUE Snort"; } if ($netsettings{'ORANGE_DEV'} ne '') { -print < - - -END -; + print "       ORANGE Snort"; } + print "       RED Snort"; +if ( -e "/var/ipfire/guardian/guardian.conf" ) { + print "       Guardian"; +} + print < - - + diff --git a/html/cgi-bin/qos.cgi b/html/cgi-bin/qos.cgi index 396f88195f..606e928948 100644 --- a/html/cgi-bin/qos.cgi +++ b/html/cgi-bin/qos.cgi @@ -611,9 +611,9 @@ END
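Review bot: The save branch creates `${General::swroot}/guardian/enable` whenever the submitted `ENABLE_GUARDIAN` is `on`, yet the form in the later hunk only renders that checkbox when `/var/ipfire/guardian/guardian.conf` exists (`-e` test), so any request carrying the field on a box without a Guardian config still persists the flag; the snort initscript in this same commit then runs sed on the missing config and, as far as that hunk shows, replaces it with an empty file before starting guardian.pl. Gate the flag on the config as well: `if ($snortsettings{'ENABLE_GUARDIAN'} eq 'on' && -e "${General::swroot}/guardian/guardian.conf")`. The `system('/usr/bin/touch', ...)` and `unlink` results are unchecked, matching the surrounding ENABLE_SNORT_* blocks, so a failed write leaves the page reporting a state that was never saved. The enclosing save handler starts before this hunk.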
- GREEN Snort
GREEN Snort END ; if ($netsettings{'BLUE_DEV'} ne '') { -print < - - BLUE Snort
- ORANGE Snort
- RED Snort

  -
$Lang::tr{'downlink speed'}: $qossettings{'INC_SPD'} kbps +
$Lang::tr{'downlink speed'}: $qossettings{'INC_SPD'} -
$Lang::tr{'uplink speed'}: $qossettings{'OUT_SPD'} kbps +
$Lang::tr{'uplink speed'}: $qossettings{'OUT_SPD'}
END ; @@ -623,10 +623,10 @@ END

-
$Lang::tr{'downlink std class'}: $qossettings{'DEFCLASS_INC'} +
$Lang::tr{'downlink std class'}: $qossettings{'DEFCLASS_INC'} -
$Lang::tr{'uplink std class'}: $qossettings{'DEFCLASS_OUT'} -
ACKs: $qossettings{'ACK'} +
$Lang::tr{'uplink std class'}: $qossettings{'DEFCLASS_OUT'} +
ACKs: $qossettings{'ACK'}

@@ -750,12 +750,12 @@ sub changebandwidth {
$Lang::tr{'down and up speed'} -
$Lang::tr{'downlink speed'}: -   kbps -   -
$Lang::tr{'uplink speed'}: -   kbps -   +
$Lang::tr{'downlink speed'}: + +   +
$Lang::tr{'uplink speed'}: + +  
END diff --git a/src/initscripts/init.d/network b/src/initscripts/init.d/network index 5580533a75..61d8c591d2 100644 --- a/src/initscripts/init.d/network +++ b/src/initscripts/init.d/network 
@@ -20,168 +20,178 @@ DO="${1}" shift if [ -n "${1}" ]; then - ALL=0 - for i in green red blue orange; do - eval "${i}=0" - done + ALL=0 + for i in green red blue orange; do + eval "${i}=0" + done else - ALL=1 - for i in green red blue orange; do - eval "${i}=1" - done + ALL=1 + for i in green red blue orange; do + eval "${i}=1" + done fi while [ ! $# = 0 ]; do - for i in green red blue orange; do - if [ "${i}" == "${1}" ]; then - eval "${i}=1" - shift - fi - done + for i in green red blue orange; do + if [ "${i}" == "${1}" ]; then + eval "${i}=1" + shift + fi + done done case "${DO}" in - start) - if [ "${ALL}" == "1" ]; then - boot_mesg "Loading iptables helper modules" - modprobe iptable_nat || failed=1 - modprobe ip_conntrack || failed=1 - modprobe ip_conntrack_ftp || failed=1 - modprobe ip_nat_ftp || failed=1 - modprobe ip_conntrack_h323 || failed=1 - modprobe ip_nat_h323 || failed=1 - modprobe ip_conntrack_irc || failed=1 - modprobe ip_nat_irc || failed=1 - modprobe ip_conntrack_mms || failed=1 - modprobe ip_nat_mms || failed=1 - modprobe ip_conntrack_pptp || failed=1 - modprobe ip_nat_pptp || failed=1 - modprobe ip_conntrack_sip || failed=1 - modprobe ip_nat_sip || failed=1 - (exit ${failed}) - evaluate_retval - - boot_mesg "Setting up IPFire firewall rules" - /etc/rc.d/init.d/firewall start; evaluate_retval - - boot_mesg "Setting up IP Accounting" - /etc/rc.d/helper/writeipac.pl || failed=1 - /usr/sbin/fetchipac -S || failed=1 - (exit ${failed}) - evaluate_retval - - boot_mesg "Setting IPFire DMZ pinholes" - /usr/local/bin/setdmzholes; evaluate_retval - - if [ "$CONFIG_TYPE" = "3" -o "$CONFIG_TYPE" = "4" ]; then - boot_mesg "Setting up wireless firewall rules" - /usr/local/bin/restartwireless; evaluate_retval - fi - - # Start DNSMASQ with defaults - killall -KILL dnsmasq 2> /dev/null - sleep 1 - if [ "$DOMAIN_NAME_GREEN" == "" ]; then - /usr/sbin/dnsmasq -l /var/state/dhcp/dhcpd.leases - else - /usr/sbin/dnsmasq -l /var/state/dhcp/dhcpd.leases -s 
"$DOMAIN_NAME_GREEN" - fi - fi - - # Starting interfaces... - # GREEN - if [ "$green" == "1" ]; then - name=green /etc/rc.d/init.d/net/ifup - fi - - # BLUE - if [ "$blue" == "1" ]; then - if [ "$CONFIG_TYPE" = "3" -o "$CONFIG_TYPE" = "4" ]; then - name=blue /etc/rc.d/init.d/net/ifup - fi - fi - - # ORANGE - if [ "$orange" == "1" ]; then - if [ "$CONFIG_TYPE" = "2" -o "$CONFIG_TYPE" = "4" ]; then - name=orange /etc/rc.d/init.d/net/ifup - fi - fi + start) + if [ "${ALL}" == "1" ]; then + boot_mesg "Loading iptables helper modules" + modprobe iptable_nat || failed=1 + modprobe ip_conntrack || failed=1 + modprobe ip_conntrack_ftp || failed=1 + modprobe ip_nat_ftp || failed=1 + modprobe ip_conntrack_h323 || failed=1 + modprobe ip_nat_h323 || failed=1 + modprobe ip_conntrack_irc || failed=1 + modprobe ip_nat_irc || failed=1 + modprobe ip_conntrack_mms || failed=1 + modprobe ip_nat_mms || failed=1 + modprobe ip_conntrack_pptp || failed=1 + modprobe ip_nat_pptp || failed=1 + modprobe ip_conntrack_sip || failed=1 + modprobe ip_nat_sip || failed=1 + (exit ${failed}) + evaluate_retval + + boot_mesg "Setting up IPFire firewall rules" + /etc/rc.d/init.d/firewall start; evaluate_retval + + boot_mesg "Setting up IP Accounting" + /etc/rc.d/helper/writeipac.pl || failed=1 + /usr/sbin/fetchipac -S || failed=1 + (exit ${failed}) + evaluate_retval + + boot_mesg "Setting IPFire DMZ pinholes" + /usr/local/bin/setdmzholes; evaluate_retval + + if [ "$CONFIG_TYPE" = "3" -o "$CONFIG_TYPE" = "4" ]; then + boot_mesg "Setting up wireless firewall rules" + /usr/local/bin/restartwireless; evaluate_retval + fi + + # Start DNSMASQ with defaults + killall -KILL dnsmasq 2> /dev/null + sleep 1 + if [ "$DOMAIN_NAME_GREEN" == "" ]; then + /usr/sbin/dnsmasq -l /var/state/dhcp/dhcpd.leases + else + /usr/sbin/dnsmasq -l /var/state/dhcp/dhcpd.leases -s "$DOMAIN_NAME_GREEN" + fi + fi + + # Starting interfaces... 
+ # GREEN + if [ "$green" == "1" ]; then + name=green /etc/rc.d/init.d/net/ifup + fi + + # BLUE + if [ "$blue" == "1" ]; then + if [ "$CONFIG_TYPE" = "3" -o "$CONFIG_TYPE" = "4" ]; then + name=blue /etc/rc.d/init.d/net/ifup + fi + fi + + # ORANGE + if [ "$orange" == "1" ]; then + if [ "$CONFIG_TYPE" = "2" -o "$CONFIG_TYPE" = "4" ]; then + name=orange /etc/rc.d/init.d/net/ifup + fi + fi + + # RED + if [ "$red" == "1" ]; then + if [ "$CONFIG_TYPE" = "1" -o "$CONFIG_TYPE" = "2" -o "$CONFIG_TYPE" = "3" -o "$CONFIG_TYPE" = "4" ]; then + # Remove possible leftover files + rm -f /var/ipfire/red/{active,device,dial-on-demand,dns1,dns2,local-ipaddress,remote-ipaddress,resolv.conf} + if [ "$AUTOCONNECT" == "off" ]; then + echo -n # Do anything + else + name=red /etc/rc.d/init.d/net/ifup + fi + fi + fi + + if [ -f "/var/ipfire/ovpn/enable" -o -f "/var/ipfire/ovpn/enable_blue" -o -f "/var/ipfire/ovpn/enable_orange" ];then + boot_mesg "Setting OpenVPN Rules if enabled" + /etc/rc.d/init.d/firewall startovpn; evaluate_retval + + boot_mesg "Setting OpenVPN if enabled" + /usr/local/bin/openvpnctrl -s; evaluate_retval + fi - # RED - if [ "$red" == "1" ]; then - if [ "$CONFIG_TYPE" = "1" -o "$CONFIG_TYPE" = "2" -o "$CONFIG_TYPE" = "3" -o "$CONFIG_TYPE" = "4" ]; then - # Remove possible leftover files - rm -f /var/ipfire/red/{active,device,dial-on-demand,dns1,dns2,local-ipaddress,remote-ipaddress,resolv.conf} - if [ "$AUTOCONNECT" == "off" ]; then - echo -n # Do anything - else - name=red /etc/rc.d/init.d/net/ifup - fi - boot_mesg "Setting OpenVPN Rules if enabled" - /etc/rc.d/init.d/firewall startovpn; evaluate_retval - fi - fi - - boot_mesg "Setting OpenVPN if enabled" - /usr/local/bin/openvpnctrl -s; evaluate_retval - - boot_mesg "Starting Snort if enabled" - /etc/rc.d/init.d/snort start; evaluate_retval - ;; + if [ -f "/var/ipfire/snort/enable" -o -f "/var/ipfire/snort/enable_blue" -o -f "/var/ipfire/snort/enable_orange" ];then + boot_mesg "Starting Snort if enabled" + 
/etc/rc.d/init.d/snort start; evaluate_retval + fi + ;; - stop) - # Stopping interfaces... - # GREEN - if [ "$green" == "1" ]; then - name=green /etc/rc.d/init.d/net/ifdown - fi - - # BLUE - if [ "$blue" == "1" ]; then - if [ "$CONFIG_TYPE" = "3" -o "$CONFIG_TYPE" = "4" ]; then - name=blue /etc/rc.d/init.d/net/ifdown - fi - fi - - # ORANGE - if [ "$orange" == "1" ]; then - if [ "$CONFIG_TYPE" = "2" -o "$CONFIG_TYPE" = "4" ]; then - name=orange /etc/rc.d/init.d/net/ifdown - fi - fi + stop) + # Stopping interfaces... + # GREEN + if [ "$green" == "1" ]; then + name=green /etc/rc.d/init.d/net/ifdown + fi + + # BLUE + if [ "$blue" == "1" ]; then + if [ "$CONFIG_TYPE" = "3" -o "$CONFIG_TYPE" = "4" ]; then + name=blue /etc/rc.d/init.d/net/ifdown + fi + fi + + # ORANGE + if [ "$orange" == "1" ]; then + if [ "$CONFIG_TYPE" = "2" -o "$CONFIG_TYPE" = "4" ]; then + name=orange /etc/rc.d/init.d/net/ifdown + fi + fi + + # RED + if [ "$red" == "1" ]; then + if [ "$CONFIG_TYPE" = "1" -o "$CONFIG_TYPE" = "2" -o "$CONFIG_TYPE" = "3" -o "$CONFIG_TYPE" = "4" ]; then + name=red /etc/rc.d/init.d/net/ifdown + fi + fi + + if [ -f "/var/ipfire/ovpn/enable" -o -f "/var/ipfire/ovpn/enable_blue" -o -f "/var/ipfire/ovpn/enable_orange" ];then + boot_mesg "Deleting OpenVPN Rules if enabled" + /etc/rc.d/init.d/firewall stopovpn; evaluate_retval - # RED - if [ "$red" == "1" ]; then - if [ "$CONFIG_TYPE" = "1" -o "$CONFIG_TYPE" = "2" -o "$CONFIG_TYPE" = "3" -o "$CONFIG_TYPE" = "4" ]; then - name=red /etc/rc.d/init.d/net/ifdown - boot_mesg "Deleting OpenVPN Rules if enabled" - /etc/rc.d/init.d/firewall stopovpn; evaluate_retval - fi - fi - - boot_mesg "Stopping OpenVPN if enabled" - /usr/local/bin/openvpnctrl -k; evaluate_retval - - boot_mesg "Stopping Snort if enabled" - /etc/rc.d/init.d/snort stop; evaluate_retval - ;; + boot_mesg "Stopping OpenVPN if enabled" + /usr/local/bin/openvpnctrl -k; evaluate_retval + fi + + if [ -f "/var/ipfire/snort/enable" -o -f "/var/ipfire/snort/enable_blue" -o -f 
"/var/ipfire/snort/enable_orange" ];then + boot_mesg "Stopping Snort if enabled" + /etc/rc.d/init.d/snort stop; evaluate_retval + fi + ;; - restart) - for i in green red blue orange; do - if [ "${!i}" == "1" ]; then - ARGS+=" ${i}" - fi - done - ${0} stop ${ARGS} - sleep 1 - ${0} start ${ARGS} - ;; + restart) + for i in green red blue orange; do + if [ "${!i}" == "1" ]; then + ARGS+=" ${i}" + fi + done + ${0} stop ${ARGS} + sleep 1 + ${0} start ${ARGS} + ;; - *) - echo "Usage: ${0} {start|stop|restart}" - exit 1 - ;; + *) + echo "Usage: ${0} {start|stop|restart}" + exit 1 + ;; esac # End /etc/rc.d/init.d/network diff --git a/src/initscripts/init.d/snort b/src/initscripts/init.d/snort index baedcf3b90..567443f4ed 100755 --- a/src/initscripts/init.d/snort +++ b/src/initscripts/init.d/snort 
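Review bot: The new guard around `/etc/rc.d/init.d/snort start` (and its twin in the stop branch) tests only `/var/ipfire/snort/enable`, `enable_blue` and `enable_orange`, while the snort initscript changed in this same commit also honours `ENABLE_SNORT_GREEN`; if the CGI persists a green flag file following the same naming pattern (not visible in this diff), a GREEN-only IDS configuration is never started at boot or stopped at shutdown by this script. Either add the green file to both tests or drop the precondition and let `init.d/snort` decide from the settings hash it already reads, which avoids keeping two lists of flags in sync. The same conditioning was applied to `openvpnctrl -k`, which now runs only when an ovpn enable file exists, so a tunnel disabled while still running survives a `network stop`; whether ovpnmain.cgi covers that path cannot be told from here.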
@@ -15,97 +15,116 @@ . /etc/sysconfig/rc . ${rc_functions} +PATH=/usr/local/sbin:/usr/local/bin:/bin:/usr/bin:/sbin:/usr/sbin; export PATH + eval $(/usr/local/bin/readhash /var/ipfire/ethernet/settings) eval $(/usr/local/bin/readhash /var/ipfire/snort/settings) if [ "$ENABLE_SNORT_ORANGE" == "on" ]; then - HOME_NET+="$ORANGE_ADDRESS," - DEVICES+="$ORANGE_DEV " + HOME_NET+="$ORANGE_ADDRESS," + DEVICES+="$ORANGE_DEV " fi if [ "$ENABLE_SNORT_GREEN" == "on" ]; then - HOME_NET+="$GREEN_ADDRESS," - DEVICES+="$GREEN_DEV " + HOME_NET+="$GREEN_ADDRESS," + DEVICES+="$GREEN_DEV " fi if [ "$ENABLE_SNORT_BLUE" == "on" ]; then - HOME_NET+="$BLUE_ADDRESS," - DEVICES+="$BLUE_DEV " + HOME_NET+="$BLUE_ADDRESS," + DEVICES+="$BLUE_DEV " fi if [ "$ENABLE_SNORT" == "on" ]; then - LOCAL_IP=`cat /var/ipfire/red/local-ipaddress` - if [ "$LOCAL_IP" ]; then - HOME_NET+="$LOCAL_IP," - else - exit 1 ## Add error handling here - fi - DEVICES+=`cat /var/ipfire/red/iface` + LOCAL_IP=`cat /var/ipfire/red/local-ipaddress` + if [ "$LOCAL_IP" ]; then + HOME_NET+="$LOCAL_IP," + else + exit 1 ## Add error handling here + fi + DEVICES+=`cat /var/ipfire/red/iface 2>/dev/null` fi COUNT=`echo $HOME_NET | wc -m` HOME_NET=`echo $HOME_NET | cut -c $[$COUNT - 2]` -echo "var HOME_NET [$HOME_NET]" > /etc/snort/vars -echo "var EXTERNAL_NET ANY" >> /etc/snort/vars +echo "var HOME_NET [$HOME_NET]" > /etc/snort/vars +echo "var EXTERNAL_NET ANY" >> /etc/snort/vars DNS1=`cat /var/ipfire/red/dns1 2>/dev/null` DNS2=`cat /var/ipfire/red/dns2 2>/dev/null` if [ "$DNS2" ]; then - echo "var DNS_SERVERS [$DNS1,$DNS2]" >> /etc/snort/vars + echo "var DNS_SERVERS [$DNS1,$DNS2]" >> /etc/snort/vars else - echo "var DNS_SERVERS $DNS1" >> /etc/snort/vars + echo "var DNS_SERVERS $DNS1" >> /etc/snort/vars fi case "$1" in - start) - for DEVICE in $DEVICES; do - boot_mesg "Starting Intrusion Detection System on $DEVICE..." 
- /usr/sbin/snort -c /etc/snort/snort.conf -i $DEVICE -D -l /var/log/snort --create-pidfile --nolock-pidfile --pid-path /var/run/ - evaluate_retval - chmod 644 /var/run/snort_$DEVICE.pid - done - ;; - - stop) - DEVICES="" - if [ -r /var/run/snort_$BLUE_DEV.pid ]; then - DEVICES+="$BLUE_DEV " - fi - if [ -r /var/run/snort_$GREEN_DEV.pid ]; then - DEVICES+="$GREEN_DEV " - fi - if [ -r /var/run/snort_$ORANGE_DEV.pid ]; then - DEVICES+="$ORANGE_DEV " - fi + start) + for DEVICE in $DEVICES; do + boot_mesg "Starting Intrusion Detection System on $DEVICE..." + /usr/sbin/snort -c /etc/snort/snort.conf -i $DEVICE -D -l /var/log/snort --create-pidfile --nolock-pidfile --pid-path /var/run/ + evaluate_retval + chmod 644 /var/run/snort_$DEVICE.pid + done + + + if [ -r /var/ipfire/guardian/enable ]; then + IFACE=`/bin/cat /var/ipfire/red/iface 2>/dev/null | /usr/bin/tr -d '\012'` + sed -e "s/^Interface.*/Interface ${IFACE}/" /var/ipfire/guardian/guardian.conf > temp + mv temp /var/ipfire/guardian/guardian.conf + + boot_mesg "Starting Guardian..." + loadproc /usr/local/bin/guardian.pl -c /var/ipfire/guardian/guardian.conf + fi + ;; + + stop) + DEVICES="" + if [ -r /var/run/snort_$BLUE_DEV.pid ]; then + DEVICES+="$BLUE_DEV " + fi + + if [ -r /var/run/snort_$GREEN_DEV.pid ]; then + DEVICES+="$GREEN_DEV " + fi + + if [ -r /var/run/snort_$ORANGE_DEV.pid ]; then + DEVICES+="$ORANGE_DEV " + fi - RED=`cat /var/ipfire/red/iface` - if [ -r /var/run/snort_$RED.pid ]; then - DEVICES+=`cat /var/ipfire/red/iface 2>/dev/null` - fi + RED=`cat /var/ipfire/red/iface 2>/dev/null` + if [ -r /var/run/snort_$RED.pid ]; then + DEVICES+=`cat /var/ipfire/red/iface 2>/dev/null` + fi - for DEVICE in $DEVICES; do - boot_mesg "Stopping Intrusion Detection System on $DEVICE..." 
- killproc -p /var/run/snort_$DEVICE.pid /var/run - done - - rm /var/run/snort_* >/dev/null 2>/dev/null - ;; - - status) - statusproc /usr/sbin/snort - ;; - - restart) - $0 stop - $0 start - ;; - - *) - echo "Usage: $0 {start|stop|restart|status}" - exit 1 - ;; + for DEVICE in $DEVICES; do + boot_mesg "Stopping Intrusion Detection System on $DEVICE..." + killproc -p /var/run/snort_$DEVICE.pid /var/run + done + + rm /var/run/snort_* >/dev/null 2>/dev/null + + if [ -r /var/ipfire/guardian/enable ]; then + boot_mesg "Stopping Guardian..." + killproc /usr/local/bin/guardian.pl + fi + ;; + + status) + statusproc /usr/sbin/snort + ;; + + restart) + $0 stop + $0 start + ;; + + *) + echo "Usage: $0 {start|stop|restart|status}" + exit 1 + ;; esac # End $rc_base/init.d/snort -- 2.39.2
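Review bot: In the `stop)` branch Guardian is only killed when `/var/ipfire/guardian/enable` is readable, but ids.cgi in this commit unlinks that flag before calling `snortctrl restart`, so disabling Guardian from the UI leaves `guardian.pl` running as an orphan and the `start)` branch will not restart it either; stop should key on the process rather than the flag, e.g. an unconditional `killproc /usr/local/bin/guardian.pl` after the snort pidfile cleanup, or a running-process check. The config rewrite in `start)` redirects sed to a relative `temp` in whatever the current directory happens to be and then `mv`s it over the config, which also gives the file the new file's mode and owner; with GNU sed this collapses to `sed -i -e "s/^Interface.*/Interface ${IFACE}/" /var/ipfire/guardian/guardian.conf`, guarded by `[ -n "${IFACE}" ]` so an absent `/var/ipfire/red/iface` does not leave a blank `Interface` line. `${IFACE}` is interpolated unquoted into the sed replacement; interface names normally contain no `/` or `&`, so this is noted rather than raised.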