[ipfire-2.x.git] / config / suricata / convert-snort

#!/usr/bin/perl
###############################################################################
#                                                                             #
# IPFire.org - A linux based firewall                                         #
# Copyright (C) 2019 IPFire Development Team <info@ipfire.org>                #
#                                                                             #
# This program is free software: you can redistribute it and/or modify        #
# it under the terms of the GNU General Public License as published by        #
# the Free Software Foundation, either version 3 of the License, or           #
# (at your option) any later version.                                         #
#                                                                             #
# This program is distributed in the hope that it will be useful,             #
# but WITHOUT ANY WARRANTY; without even the implied warranty of              #
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the               #
# GNU General Public License for more details.                                #
#                                                                             #
# You should have received a copy of the GNU General Public License           #
# along with this program.  If not, see <http://www.gnu.org/licenses/>.       #
#                                                                             #
###############################################################################

use strict;

require '/var/ipfire/general-functions.pl';
require "${General::swroot}/ids-functions.pl";

# Snort settings file, which contains the settings from the WUI.
my $snort_settings_file = "${General::swroot}/snort/settings";

# Main snort config file.
my $snort_config_file = "/etc/snort/snort.conf";

# Snort rules tarball.
my $snort_rules_tarball = "/var/tmp/snortrules.tar.gz";

# Check if a snort settings file exists.
unless( -f "$snort_settings_file") {
        print "$snort_settings_file not found - Nothing to do. Exiting!\n";
        exit(0);
}

# Check if the snort settings file is empty.
if (-z "$snort_settings_file") {
	print "$snort_settings_file is empty - Nothing to do. Exiting!\n";
	exit(0);
}

#
## Step 1: Setup directory and file layout, if not present and set correct
##         ownership. The converter runs as a privileged user, but the files
##         needs to be full access-able by the WUI user and group (nobody:nobody).
#

# User and group of the WUI.
my $uname = "nobody";
my $grname = "nobody";

# The chown function implemented in perl requies the user and group as nummeric id's.
my $uid = getpwnam($uname);
my $gid = getgrnam($grname);

# Check if the settings directory exists.
unless (-d $IDS::settingsdir) {
	# Create the directory.
	mkdir($IDS::settingsdir);
}

# Check if the rules directory exists.
unless (-d $IDS::rulespath) {
	# Create the directory.
	mkdir($IDS::rulespath);
}

# Set correct ownership for the settings and rules folder.
chown($uid, $gid, $IDS::settingsdir);
chown($uid, $gid, $IDS::rulespath);

# Create file layout, if not exists yet.
&IDS::check_and_create_filelayout();

# Set correct ownership for the files - Open settings directory and do a directory listing.
opendir(DIR, $IDS::settingsdir) or die $!;
        # Loop through the direcory.
        while (my $file = readdir(DIR)) {

                # We only want files.
                next unless (-f "$IDS::settingsdir/$file");

		# Set correct ownership for the files.
		chown($uid, $gid, "$IDS::settingsdir/$file");
	}

closedir(DIR);

#
## Step 2: Import snort settings and convert to the required format for the new IDS
##         (suricata).
#

# Hash which contains the "old" snort settings.
my %snortsettings;

# Hash which contains the IDS (suricata) settings.
#
# Add default value for MONITOR_TRAFFIC_ONLY which will be "on"
# when migrating from snort to the new IDS.
my %idssettings = (
	"MONITOR_TRAFFIC_ONLY" => "on",
);

# Hash which contains the RULES settings.
#
# Set default value for UPDATE_INTERVAL to weekly.
my %rulessettings = (
	"AUTOUPDATE_INTERVAL" => "weekly",
);

# Get all available network zones.
my @network_zones = &IDS::get_available_network_zones();

# Read-in snort settings file.
&General::readhash("$snort_settings_file", \%snortsettings);

# Loop through the array of network zones.
foreach my $zone (@network_zones) {
	# Convert current zone into upper case.
	my $zone_upper = uc($zone);

	# Check if the current network zone is "red".
	if($zone eq "red") {
		# Check if snort was enabled and enabled on red.
		if ($snortsettings{"ENABLE_SNORT"} eq "on") {
			# Enable the IDS.
			$idssettings{"ENABLE_IDS"} = "on";

			# Enable the IDS on RED.
			$idssettings{"ENABLE_IDS_$zone_upper"} = "on";
		}
	} else {
		# Check if snort was enabled on the current zone.
		if ($snortsettings{"ENABLE_SNORT_$zone_upper"} eq "on") {
			# Enable the IDS on this zone too.
			$idssettings{"ENABLE_IDS_$zone_upper"} = "on";
		}
	}
}

# Grab the choosen ruleset from snort settings hash and store it in the rules
# settings hash.
$rulessettings{"RULES"} = $snortsettings{"RULES"};

# Check if an oinkcode has been provided.
if($snortsettings{"OINKCODE"}) {
	# Take the oinkcode from snort settings hash and store it in the rules
	# settings hash.
	$rulessettings{"OINKCODE"} = $snortsettings{"OINKCODE"};
}

#
## Step 3: Import guardian settings and whitelist if the addon is installed.
#

# Pakfire meta file for owncloud.
# (File exists when the addon is installed.)
my $guardian_meta = "/opt/pakfire/db/installed/meta-guardian";

# Check if the guardian addon is installed.
if (-f $guardian_meta) {
	# File which contains the taken setting for guardian.
	my $guardian_settings_file = "${General::swroot}/guardian/settings";

	# File which contains the white-listed hosts.
	my $guardian_ignored_file = "${General::swroot}/guardian/ignored";

	# Hash which will contain the settings of guardian.
	my %guardiansettings;

	# Check if the settings file of guardian is empty.
	unless (-z $guardian_settings_file) {
		# Read-in settings.
		&General::readhash("$guardian_settings_file", \%guardiansettings);
	}

	# Check if guardian is not configured to take actions on snort events.
	if ($guardiansettings{"GUARDIAN_MONITOR_SNORT"} eq "on") {
		# Change the IDS into MONITOR_TRAFFIC_ONLY mode.
		$idssettings{"MONITOR_TRAFFIC_ONLY"} = "off";
	}

	# Check if guardian has any white-listed hosts configured.
	unless (-z $guardian_ignored_file) {
		# Temporary hash to store the ignored hosts.
		my %ignored_hosts;

		# Read-in white-listed hosts and store them in the hash.
		&General::readhasharray($guardian_ignored_file, \%ignored_hosts);

		# Write-out the white-listed hosts for the IDS system.
		&General::writehasharray($IDS::ignored_file, \%ignored_hosts);

		# Call subfunction to generate the file for white-listing the hosts.
		&IDS::generate_ignored_file();
	}

}

#
## Step 4: Save IDS and rules settings.
#

# Write IDS settings.
&General::writehash("$IDS::ids_settings_file", \%idssettings);

# Write rules settings.
&General::writehash("$IDS::rules_settings_file", \%rulessettings);

#
## Step 5: Generate and write the file to modify the ruleset.
#

# Converters default is to only monitor the traffic, so set the IDS action to
# "alert".
my $IDS_action = "alert";

# Check if the traffic only should be monitored.
if ($idssettings{"MONITOR_TRAFFIC_ONLY"} eq "off") {
	# Swith IDS action to alert only.
	$IDS_action = "drop";
}

# Call subfunction and pass the desired IDS action.
&IDS::write_modify_sids_file($IDS_action);

#
## Step 6: Move rulestarball to its new location.
#

# Check if a rulestarball has been downloaded yet.
if (-f $snort_rules_tarball) {
	# Load perl module which contains the move command.
	use File::Copy;

	# Move the rulestarball to the new location.
	move($snort_rules_tarball, $IDS::rulestarball);

	# Set correct ownership.
	chown($uid, $gid, $IDS::rulestarball);
}

#
## Step 7: Call oinkmaster to extract and setup the rules structures.
#

# Check if a rulestarball is present.
if (-f $IDS::rulestarball) {
	# Launch oinkmaster by calling the subfunction.
	&IDS::oinkmaster();
}

#
## Step 8: Grab used ruleset files from snort config file and convert
##         them into the new format.
#

# Check if the snort config file exists.
unless (-f $snort_config_file) {
	print "$snort_config_file does not exist - Nothing to do. Exiting!\n";
	exit(0);
}

# Array to store the enabled rules files.
my @enabled_rule_files;

# Open snort config file.
open(SNORTCONF, $snort_config_file) or die "Could not open $snort_config_file. $!\n";

# Loop through the file content.
while (my $line = <SNORTCONF>) {
	# Skip comments.
	next if ($line =~ /\#/);

	# Skip blank  lines.
	next if ($line =~ /^\s*$/);

	# Remove newlines.
	chomp($line);

	# Check for a line with .rules
	if ($line =~ /\.rules$/) {
		# Parse out rule file name
		my $rulefile = $line;
		$rulefile =~ s/\$RULE_PATH\///i;
		$rulefile =~ s/ ?include ?//i;

		# Add the enabled rulefile to the array of enabled rule files.
		push(@enabled_rule_files, $rulefile);
	}
}

# Close filehandle.
close(SNORTCONF);

# Pass the array of enabled rule files to the subfunction and write the file.
&IDS::write_used_rulefiles_file(@enabled_rule_files);

#
## Step 9: Generate file for the HOME Net.
#

# Call subfunction to generate the file.
&IDS::generate_home_net_file();

#
## Step 10: Setup automatic ruleset updates.
#

# Check if a ruleset is configured.
if($rulessettings{"RULES"}) {
	# Call suricatactrl and setup the periodic update mechanism.
	&IDS::call_suricatactrl("cron", $rulessettings{'AUTOUPDATE_INTERVAL'});
}

#
## Step 11: Start the IDS if enabled.
#

# Check if the IDS should be started.
if($idssettings{"ENABLE_IDS"} eq "on") {
	# Call suricatactrl and launch the IDS.
	&IDS::call_suricatactrl("start");
}
Commit	Line	Data
5b0b4182 SS	1	#!/usr/bin/perl
	2	###############################################################################
	3	# #
	4	# IPFire.org - A linux based firewall #
	5	# Copyright (C) 2019 IPFire Development Team <info@ipfire.org> #
	6	# #
	7	# This program is free software: you can redistribute it and/or modify #
	8	# it under the terms of the GNU General Public License as published by #
	9	# the Free Software Foundation, either version 3 of the License, or #
	10	# (at your option) any later version. #
	11	# #
	12	# This program is distributed in the hope that it will be useful, #
	13	# but WITHOUT ANY WARRANTY; without even the implied warranty of #
	14	# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the #
	15	# GNU General Public License for more details. #
	16	# #
	17	# You should have received a copy of the GNU General Public License #
	18	# along with this program. If not, see <http://www.gnu.org/licenses/>. #
	19	# #
	20	###############################################################################
	21
	22	use strict;
	23
	24	require '/var/ipfire/general-functions.pl';
	25	require "${General::swroot}/ids-functions.pl";
	26
	27	# Snort settings file, which contains the settings from the WUI.
	28	my $snort_settings_file = "${General::swroot}/snort/settings";
	29
	30	# Main snort config file.
	31	my $snort_config_file = "/etc/snort/snort.conf";
	32
	33	# Snort rules tarball.
	34	my $snort_rules_tarball = "/var/tmp/snortrules.tar.gz";
	35
	36	# Check if a snort settings file exists.
	37	unless( -f "$snort_settings_file") {
	38	print "$snort_settings_file not found - Nothing to do. Exiting!\n";
	39	exit(0);
	40	}
	41
	42	# Check if the snort settings file is empty.
	43	if (-z "$snort_settings_file") {
	44	print "$snort_settings_file is empty - Nothing to do. Exiting!\n";
	45	exit(0);
	46	}
	47
	48	#
	49	## Step 1: Setup directory and file layout, if not present and set correct
	50	## ownership. The converter runs as a privileged user, but the files
	51	## needs to be full access-able by the WUI user and group (nobody:nobody).
	52	#
	53
	54	# User and group of the WUI.
	55	my $uname = "nobody";
	56	my $grname = "nobody";
	57
	58	# The chown function implemented in perl requies the user and group as nummeric id's.
	59	my $uid = getpwnam($uname);
	60	my $gid = getgrnam($grname);
	61
	62	# Check if the settings directory exists.
	63	unless (-d $IDS::settingsdir) {
	64	# Create the directory.
65	mkdir($IDS::settingsdir);
66	}
67
68	# Check if the rules directory exists.
69	unless (-d $IDS::rulespath) {
70	# Create the directory.
71	mkdir($IDS::rulespath);
72	}
73
74	# Set correct ownership for the settings and rules folder.
75	chown($uid, $gid, $IDS::settingsdir);
76	chown($uid, $gid, $IDS::rulespath);
77
78	# Create file layout, if not exists yet.
79	&IDS::check_and_create_filelayout();
80
81	# Set correct ownership for the files - Open settings directory and do a directory listing.
82	opendir(DIR, $IDS::settingsdir) or die $!;
83	# Loop through the direcory.
84	while (my $file = readdir(DIR)) {
85
86	# We only want files.
87	next unless (-f "$IDS::settingsdir/$file");
88
89	# Set correct ownership for the files.
90	chown($uid, $gid, "$IDS::settingsdir/$file");
91	}
92
93	closedir(DIR);
94
95	#
96	## Step 2: Import snort settings and convert to the required format for the new IDS
97	## (suricata).
98	#
99
100	# Hash which contains the "old" snort settings.
101	my %snortsettings;
102
103	# Hash which contains the IDS (suricata) settings.
104	#
105	# Add default value for MONITOR_TRAFFIC_ONLY which will be "on"
106	# when migrating from snort to the new IDS.
107	my %idssettings = (
108	"MONITOR_TRAFFIC_ONLY" => "on",
109	);
110
111	# Hash which contains the RULES settings.
112	#
113	# Set default value for UPDATE_INTERVAL to weekly.
114	my %rulessettings = (
115	"AUTOUPDATE_INTERVAL" => "weekly",
116	);
117
118	# Get all available network zones.
119	my @network_zones = &IDS::get_available_network_zones();
120
121	# Read-in snort settings file.
122	&General::readhash("$snort_settings_file", \%snortsettings);
123
124	# Loop through the array of network zones.
125	foreach my $zone (@network_zones) {
126	# Convert current zone into upper case.
127	my $zone_upper = uc($zone);
128
129	# Check if the current network zone is "red".
130	if($zone eq "red") {
131	# Check if snort was enabled and enabled on red.
132	if ($snortsettings{"ENABLE_SNORT"} eq "on") {
133	# Enable the IDS.
134	$idssettings{"ENABLE_IDS"} = "on";
135
136	# Enable the IDS on RED.
137	$idssettings{"ENABLE_IDS_$zone_upper"} = "on";
138	}
139	} else {
140	# Check if snort was enabled on the current zone.
141	if ($snortsettings{"ENABLE_SNORT_$zone_upper"} eq "on") {
142	# Enable the IDS on this zone too.
143	$idssettings{"ENABLE_IDS_$zone_upper"} = "on";
144	}
145	}
146	}
147
148	# Grab the choosen ruleset from snort settings hash and store it in the rules
149	# settings hash.
150	$rulessettings{"RULES"} = $snortsettings{"RULES"};
151
152	# Check if an oinkcode has been provided.
153	if($snortsettings{"OINKCODE"}) {
154	# Take the oinkcode from snort settings hash and store it in the rules
155	# settings hash.
156	$rulessettings{"OINKCODE"} = $snortsettings{"OINKCODE"};
157	}
158
159	#
160	## Step 3: Import guardian settings and whitelist if the addon is installed.
161	#
162
163	# Pakfire meta file for owncloud.
164	# (File exists when the addon is installed.)
165	my $guardian_meta = "/opt/pakfire/db/installed/meta-guardian";
166
167	# Check if the guardian addon is installed.
168	if (-f $guardian_meta) {
169	# File which contains the taken setting for guardian.
170	my $guardian_settings_file = "${General::swroot}/guardian/settings";
171
172	# File which contains the white-listed hosts.
173	my $guardian_ignored_file = "${General::swroot}/guardian/ignored";
174
175	# Hash which will contain the settings of guardian.
176	my %guardiansettings;
177
178	# Check if the settings file of guardian is empty.
179	unless (-z $guardian_settings_file) {
180	# Read-in settings.
181	&General::readhash("$guardian_settings_file", \%guardiansettings);
182	}
183
184	# Check if guardian is not configured to take actions on snort events.
185	if ($guardiansettings{"GUARDIAN_MONITOR_SNORT"} eq "on") {
186	# Change the IDS into MONITOR_TRAFFIC_ONLY mode.
187	$idssettings{"MONITOR_TRAFFIC_ONLY"} = "off";
188	}
189
190	# Check if guardian has any white-listed hosts configured.
191	unless (-z $guardian_ignored_file) {
192	# Temporary hash to store the ignored hosts.
193	my %ignored_hosts;
194
195	# Read-in white-listed hosts and store them in the hash.
196	&General::readhasharray($guardian_ignored_file, \%ignored_hosts);
197
198	# Write-out the white-listed hosts for the IDS system.
199	&General::writehasharray($IDS::ignored_file, \%ignored_hosts);
200
201	# Call subfunction to generate the file for white-listing the hosts.
202	&IDS::generate_ignored_file();
203	}
204
205	}
206
207	#
208	## Step 4: Save IDS and rules settings.
209	#
210
211	# Write IDS settings.
212	&General::writehash("$IDS::ids_settings_file", \%idssettings);
213
214	# Write rules settings.
215	&General::writehash("$IDS::rules_settings_file", \%rulessettings);
216
217	#
218	## Step 5: Generate and write the file to modify the ruleset.
219	#
220
221	# Converters default is to only monitor the traffic, so set the IDS action to
222	# "alert".
223	my $IDS_action = "alert";
224
225	# Check if the traffic only should be monitored.
226	if ($idssettings{"MONITOR_TRAFFIC_ONLY"} eq "off") {
227	# Swith IDS action to alert only.
228	$IDS_action = "drop";
229	}
230
231	# Call subfunction and pass the desired IDS action.
232	&IDS::write_modify_sids_file($IDS_action);
233
234	#
235	## Step 6: Move rulestarball to its new location.
236	#
237
238	# Check if a rulestarball has been downloaded yet.
239	if (-f $snort_rules_tarball) {
240	# Load perl module which contains the move command.
241	use File::Copy;
242
243	# Move the rulestarball to the new location.
244	move($snort_rules_tarball, $IDS::rulestarball);
245
246	# Set correct ownership.
247	chown($uid, $gid, $IDS::rulestarball);
248	}
249
250	#
251	## Step 7: Call oinkmaster to extract and setup the rules structures.
252	#
253
254	# Check if a rulestarball is present.
255	if (-f $IDS::rulestarball) {
256	# Launch oinkmaster by calling the subfunction.
257	&IDS::oinkmaster();
258	}
259
260	#
261	## Step 8: Grab used ruleset files from snort config file and convert
262	## them into the new format.
263	#
264
265	# Check if the snort config file exists.
266	unless (-f $snort_config_file) {
267	print "$snort_config_file does not exist - Nothing to do. Exiting!\n";
268	exit(0);
269	}
270
271	# Array to store the enabled rules files.
272	my @enabled_rule_files;
273
274	# Open snort config file.
275	open(SNORTCONF, $snort_config_file) or die "Could not open $snort_config_file. $!\n";
276
277	# Loop through the file content.
278	while (my $line = <SNORTCONF>) {
279	# Skip comments.
280	next if ($line =~ /\#/);
281
282	# Skip blank lines.
283	next if ($line =~ /^\s*$/);
284
285	# Remove newlines.
286	chomp($line);
287
288	# Check for a line with .rules
289	if ($line =~ /\.rules$/) {
290	# Parse out rule file name
291	my $rulefile = $line;
292	$rulefile =~ s/\$RULE_PATH\///i;
293	$rulefile =~ s/ ?include ?//i;
294
295	# Add the enabled rulefile to the array of enabled rule files.
296	push(@enabled_rule_files, $rulefile);
297	}
298	}
299
300	# Close filehandle.
301	close(SNORTCONF);
302
303	# Pass the array of enabled rule files to the subfunction and write the file.
304	&IDS::write_used_rulefiles_file(@enabled_rule_files);
305
306	#
307	## Step 9: Generate file for the HOME Net.
308	#
309
310	# Call subfunction to generate the file.
311	&IDS::generate_home_net_file();
312
313	#
314	## Step 10: Setup automatic ruleset updates.
315	#
316
317	# Check if a ruleset is configured.
318	if($rulessettings{"RULES"}) {
319	# Call suricatactrl and setup the periodic update mechanism.
320	&IDS::call_suricatactrl("cron", $rulessettings{'AUTOUPDATE_INTERVAL'});
321	}
322
323	#
324	## Step 11: Start the IDS if enabled.
325	#
326
327	# Check if the IDS should be started.
328	if($idssettings{"ENABLE_IDS"} eq "on") {
329	# Call suricatactrl and launch the IDS.
330	&IDS::call_suricatactrl("start");
331	}