[ipfire-2.x.git] / config / suricata / convert-snort

#!/usr/bin/perl
###############################################################################
#                                                                             #
# IPFire.org - A linux based firewall                                         #
# Copyright (C) 2019 IPFire Development Team <info@ipfire.org>                #
#                                                                             #
# This program is free software: you can redistribute it and/or modify        #
# it under the terms of the GNU General Public License as published by        #
# the Free Software Foundation, either version 3 of the License, or           #
# (at your option) any later version.                                         #
#                                                                             #
# This program is distributed in the hope that it will be useful,             #
# but WITHOUT ANY WARRANTY; without even the implied warranty of              #
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the               #
# GNU General Public License for more details.                                #
#                                                                             #
# You should have received a copy of the GNU General Public License           #
# along with this program.  If not, see <http://www.gnu.org/licenses/>.       #
#                                                                             #
###############################################################################

use strict;

require '/var/ipfire/general-functions.pl';
require "${General::swroot}/ids-functions.pl";

# Snort settings file, which contains the settings from the WUI.
my $snort_settings_file = "${General::swroot}/snort/settings";

# Main snort config file.
my $snort_config_file = "/etc/snort/snort.conf";

# Snort rules tarball.
my $snort_rules_tarball = "/var/tmp/snortrules.tar.gz";

# Check if a snort settings file exists.
unless( -f "$snort_settings_file") {
        print "$snort_settings_file not found - Nothing to do. Exiting!\n";
        exit(0);
}

# Check if the snort settings file is empty.
if (-z "$snort_settings_file") {
	print "$snort_settings_file is empty - Nothing to do. Exiting!\n";
	exit(0);
}

#
## Step 1: Setup directory and file layout, if not present and set correct
##         ownership. The converter runs as a privileged user, but the files
##         needs to be full access-able by the WUI user and group (nobody:nobody).
#

# Check if the settings directory exists.
unless (-d $IDS::settingsdir) {
	# Create the directory.
	mkdir($IDS::settingsdir);
}

# Check if the rules directory exists.
unless (-d $IDS::rulespath) {
	# Create the directory.
	mkdir($IDS::rulespath);
}

# Create file layout, if not exists yet.
&IDS::check_and_create_filelayout();

# Set correct ownership for settingsdir and rulespath.
&IDS::set_ownership("$IDS::settingsdir");
&IDS::set_ownership("$IDS::rulespath");

#
## Step 2: Import snort settings and convert to the required format for the new IDS
##         (suricata).
#

# Hash which contains the "old" snort settings.
my %snortsettings;

# Hash which contains the IDS (suricata) settings.
#
# Add default value for MONITOR_TRAFFIC_ONLY which will be "on"
# when migrating from snort to the new IDS.
my %idssettings = (
	"MONITOR_TRAFFIC_ONLY" => "on",
);

# Hash which contains the RULES settings.
#
# Set default value for UPDATE_INTERVAL to weekly.
my %rulessettings = (
	"AUTOUPDATE_INTERVAL" => "weekly",
);

# Get all available network zones.
my @network_zones = &IDS::get_available_network_zones();

# Read-in snort settings file.
&General::readhash("$snort_settings_file", \%snortsettings);

# Loop through the array of network zones.
foreach my $zone (@network_zones) {
	# Convert current zone into upper case.
	my $zone_upper = uc($zone);

	# Check if the current network zone is "red".
	if($zone eq "red") {
		# Check if snort was enabled and enabled on red.
		if ($snortsettings{"ENABLE_SNORT"} eq "on") {
			# Enable the IDS.
			$idssettings{"ENABLE_IDS"} = "on";

			# Enable the IDS on RED.
			$idssettings{"ENABLE_IDS_$zone_upper"} = "on";
		}
	} else {
		# Check if snort was enabled on the current zone.
		if ($snortsettings{"ENABLE_SNORT_$zone_upper"} eq "on") {
			# Enable the IDS on this zone too.
			$idssettings{"ENABLE_IDS_$zone_upper"} = "on";
		}
	}
}

# Grab the choosen ruleset from snort settings hash and store it in the rules
# settings hash.
$rulessettings{"RULES"} = $snortsettings{"RULES"};

# Check if an oinkcode has been provided.
if($snortsettings{"OINKCODE"}) {
	# Take the oinkcode from snort settings hash and store it in the rules
	# settings hash.
	$rulessettings{"OINKCODE"} = $snortsettings{"OINKCODE"};
}

#
## Step 3: Import guardian settings and whitelist if the addon is installed.
#

# Pakfire meta file for owncloud.
# (File exists when the addon is installed.)
my $guardian_meta = "/opt/pakfire/db/installed/meta-guardian";

# Check if the guardian addon is installed.
if (-f $guardian_meta) {
	# File which contains the taken setting for guardian.
	my $guardian_settings_file = "${General::swroot}/guardian/settings";

	# File which contains the white-listed hosts.
	my $guardian_ignored_file = "${General::swroot}/guardian/ignored";

	# Hash which will contain the settings of guardian.
	my %guardiansettings;

	# Check if the settings file of guardian is empty.
	unless (-z $guardian_settings_file) {
		# Read-in settings.
		&General::readhash("$guardian_settings_file", \%guardiansettings);
	}

	# Check if guardian is not configured to take actions on snort events.
	if ($guardiansettings{"GUARDIAN_MONITOR_SNORT"} eq "on") {
		# Change the IDS into MONITOR_TRAFFIC_ONLY mode.
		$idssettings{"MONITOR_TRAFFIC_ONLY"} = "off";
	}

	# Check if guardian has any white-listed hosts configured.
	unless (-z $guardian_ignored_file) {
		# Temporary hash to store the ignored hosts.
		my %ignored_hosts;

		# Read-in white-listed hosts and store them in the hash.
		&General::readhasharray($guardian_ignored_file, \%ignored_hosts);

		# Write-out the white-listed hosts for the IDS system.
		&General::writehasharray($IDS::ignored_file, \%ignored_hosts);

		# Call subfunction to generate the file for white-listing the hosts.
		&IDS::generate_ignored_file();
	}

}

#
## Step 4: Save IDS and rules settings.
#

# Write IDS settings.
&General::writehash("$IDS::ids_settings_file", \%idssettings);

# Write rules settings.
&General::writehash("$IDS::rules_settings_file", \%rulessettings);

#
## Step 5: Generate and write the file to modify the ruleset.
#

# Converters default is to only monitor the traffic, so set the IDS action to
# "alert".
my $IDS_action = "alert";

# Check if the traffic only should be monitored.
if ($idssettings{"MONITOR_TRAFFIC_ONLY"} eq "off") {
	# Swith IDS action to alert only.
	$IDS_action = "drop";
}

# Call subfunction and pass the desired IDS action.
&IDS::write_modify_sids_file($IDS_action);

#
## Step 6: Move rulestarball to its new location.
#

# Check if a rulestarball has been downloaded yet.
if (-f $snort_rules_tarball) {
	# Load perl module which contains the move command.
	use File::Copy;

	# Move the rulestarball to the new location.
	move($snort_rules_tarball, $IDS::rulestarball);

	# Set correct ownership.
	chown($uid, $gid, $IDS::rulestarball);
}

#
## Step 7: Call oinkmaster to extract and setup the rules structures.
#

# Check if a rulestarball is present.
if (-f $IDS::rulestarball) {
	# Launch oinkmaster by calling the subfunction.
	&IDS::oinkmaster();
}

#
## Step 8: Grab used ruleset files from snort config file and convert
##         them into the new format.
#

# Check if the snort config file exists.
unless (-f $snort_config_file) {
	print "$snort_config_file does not exist - Nothing to do. Exiting!\n";
	exit(0);
}

# Array to store the enabled rules files.
my @enabled_rule_files;

# Open snort config file.
open(SNORTCONF, $snort_config_file) or die "Could not open $snort_config_file. $!\n";

# Loop through the file content.
while (my $line = <SNORTCONF>) {
	# Skip comments.
	next if ($line =~ /\#/);

	# Skip blank  lines.
	next if ($line =~ /^\s*$/);

	# Remove newlines.
	chomp($line);

	# Check for a line with .rules
	if ($line =~ /\.rules$/) {
		# Parse out rule file name
		my $rulefile = $line;
		$rulefile =~ s/\$RULE_PATH\///i;
		$rulefile =~ s/ ?include ?//i;

		# Add the enabled rulefile to the array of enabled rule files.
		push(@enabled_rule_files, $rulefile);
	}
}

# Close filehandle.
close(SNORTCONF);

# Pass the array of enabled rule files to the subfunction and write the file.
&IDS::write_used_rulefiles_file(@enabled_rule_files);

#
## Step 9: Generate file for the HOME Net.
#

# Call subfunction to generate the file.
&IDS::generate_home_net_file();

#
## Step 10: Setup automatic ruleset updates.
#

# Check if a ruleset is configured.
if($rulessettings{"RULES"}) {
	# Call suricatactrl and setup the periodic update mechanism.
	&IDS::call_suricatactrl("cron", $rulessettings{'AUTOUPDATE_INTERVAL'});
}

#
## Step 11: Start the IDS if enabled.
#

# Check if the IDS should be started.
if($idssettings{"ENABLE_IDS"} eq "on") {
	# Call suricatactrl and launch the IDS.
	&IDS::call_suricatactrl("start");
}
Commit	Line	Data
	1	#!/usr/bin/perl
	2	###############################################################################
	3	# #
	4	# IPFire.org - A linux based firewall #
	5	# Copyright (C) 2019 IPFire Development Team <info@ipfire.org> #
	6	# #
	7	# This program is free software: you can redistribute it and/or modify #
	8	# it under the terms of the GNU General Public License as published by #
	9	# the Free Software Foundation, either version 3 of the License, or #
	10	# (at your option) any later version. #
	11	# #
	12	# This program is distributed in the hope that it will be useful, #
	13	# but WITHOUT ANY WARRANTY; without even the implied warranty of #
	14	# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the #
	15	# GNU General Public License for more details. #
	16	# #
	17	# You should have received a copy of the GNU General Public License #
	18	# along with this program. If not, see <http://www.gnu.org/licenses/>. #
	19	# #
	20	###############################################################################
	21
	22	use strict;
	23
	24	require '/var/ipfire/general-functions.pl';
	25	require "${General::swroot}/ids-functions.pl";
	26
	27	# Snort settings file, which contains the settings from the WUI.
	28	my $snort_settings_file = "${General::swroot}/snort/settings";
	29
	30	# Main snort config file.
	31	my $snort_config_file = "/etc/snort/snort.conf";
	32
	33	# Snort rules tarball.
	34	my $snort_rules_tarball = "/var/tmp/snortrules.tar.gz";
	35
	36	# Check if a snort settings file exists.
	37	unless( -f "$snort_settings_file") {
	38	print "$snort_settings_file not found - Nothing to do. Exiting!\n";
	39	exit(0);
	40	}
	41
	42	# Check if the snort settings file is empty.
	43	if (-z "$snort_settings_file") {
	44	print "$snort_settings_file is empty - Nothing to do. Exiting!\n";
	45	exit(0);
	46	}
	47
	48	#
	49	## Step 1: Setup directory and file layout, if not present and set correct
	50	## ownership. The converter runs as a privileged user, but the files
	51	## needs to be full access-able by the WUI user and group (nobody:nobody).
	52	#
	53
	54	# Check if the settings directory exists.
	55	unless (-d $IDS::settingsdir) {
	56	# Create the directory.
	57	mkdir($IDS::settingsdir);
	58	}
	59
	60	# Check if the rules directory exists.
	61	unless (-d $IDS::rulespath) {
	62	# Create the directory.
	63	mkdir($IDS::rulespath);
	64	}
	65
	66	# Create file layout, if not exists yet.
	67	&IDS::check_and_create_filelayout();
	68
	69	# Set correct ownership for settingsdir and rulespath.
	70	&IDS::set_ownership("$IDS::settingsdir");
	71	&IDS::set_ownership("$IDS::rulespath");
	72
	73	#
	74	## Step 2: Import snort settings and convert to the required format for the new IDS
	75	## (suricata).
	76	#
	77
	78	# Hash which contains the "old" snort settings.
	79	my %snortsettings;
	80
	81	# Hash which contains the IDS (suricata) settings.
	82	#
	83	# Add default value for MONITOR_TRAFFIC_ONLY which will be "on"
	84	# when migrating from snort to the new IDS.
	85	my %idssettings = (
	86	"MONITOR_TRAFFIC_ONLY" => "on",
	87	);
	88
	89	# Hash which contains the RULES settings.
	90	#
	91	# Set default value for UPDATE_INTERVAL to weekly.
	92	my %rulessettings = (
	93	"AUTOUPDATE_INTERVAL" => "weekly",
	94	);
	95
	96	# Get all available network zones.
	97	my @network_zones = &IDS::get_available_network_zones();
	98
	99	# Read-in snort settings file.
	100	&General::readhash("$snort_settings_file", \%snortsettings);
	101
	102	# Loop through the array of network zones.
	103	foreach my $zone (@network_zones) {
	104	# Convert current zone into upper case.
	105	my $zone_upper = uc($zone);
	106
	107	# Check if the current network zone is "red".
	108	if($zone eq "red") {
	109	# Check if snort was enabled and enabled on red.
	110	if ($snortsettings{"ENABLE_SNORT"} eq "on") {
	111	# Enable the IDS.
	112	$idssettings{"ENABLE_IDS"} = "on";
	113
	114	# Enable the IDS on RED.
	115	$idssettings{"ENABLE_IDS_$zone_upper"} = "on";
	116	}
	117	} else {
	118	# Check if snort was enabled on the current zone.
	119	if ($snortsettings{"ENABLE_SNORT_$zone_upper"} eq "on") {
	120	# Enable the IDS on this zone too.
	121	$idssettings{"ENABLE_IDS_$zone_upper"} = "on";
	122	}
	123	}
	124	}
	125
	126	# Grab the choosen ruleset from snort settings hash and store it in the rules
	127	# settings hash.
	128	$rulessettings{"RULES"} = $snortsettings{"RULES"};
	129
	130	# Check if an oinkcode has been provided.
	131	if($snortsettings{"OINKCODE"}) {
	132	# Take the oinkcode from snort settings hash and store it in the rules
	133	# settings hash.
	134	$rulessettings{"OINKCODE"} = $snortsettings{"OINKCODE"};
	135	}
	136
	137	#
	138	## Step 3: Import guardian settings and whitelist if the addon is installed.
	139	#
	140
	141	# Pakfire meta file for owncloud.
	142	# (File exists when the addon is installed.)
	143	my $guardian_meta = "/opt/pakfire/db/installed/meta-guardian";
	144
	145	# Check if the guardian addon is installed.
	146	if (-f $guardian_meta) {
	147	# File which contains the taken setting for guardian.
	148	my $guardian_settings_file = "${General::swroot}/guardian/settings";
	149
	150	# File which contains the white-listed hosts.
	151	my $guardian_ignored_file = "${General::swroot}/guardian/ignored";
	152
	153	# Hash which will contain the settings of guardian.
	154	my %guardiansettings;
	155
	156	# Check if the settings file of guardian is empty.
	157	unless (-z $guardian_settings_file) {
	158	# Read-in settings.
	159	&General::readhash("$guardian_settings_file", \%guardiansettings);
	160	}
	161
	162	# Check if guardian is not configured to take actions on snort events.
	163	if ($guardiansettings{"GUARDIAN_MONITOR_SNORT"} eq "on") {
	164	# Change the IDS into MONITOR_TRAFFIC_ONLY mode.
	165	$idssettings{"MONITOR_TRAFFIC_ONLY"} = "off";
	166	}
	167
	168	# Check if guardian has any white-listed hosts configured.
	169	unless (-z $guardian_ignored_file) {
	170	# Temporary hash to store the ignored hosts.
	171	my %ignored_hosts;
	172
	173	# Read-in white-listed hosts and store them in the hash.
	174	&General::readhasharray($guardian_ignored_file, \%ignored_hosts);
	175
	176	# Write-out the white-listed hosts for the IDS system.
	177	&General::writehasharray($IDS::ignored_file, \%ignored_hosts);
	178
	179	# Call subfunction to generate the file for white-listing the hosts.
	180	&IDS::generate_ignored_file();
	181	}
	182
	183	}
	184
	185	#
	186	## Step 4: Save IDS and rules settings.
	187	#
	188
	189	# Write IDS settings.
	190	&General::writehash("$IDS::ids_settings_file", \%idssettings);
	191
	192	# Write rules settings.
	193	&General::writehash("$IDS::rules_settings_file", \%rulessettings);
	194
	195	#
	196	## Step 5: Generate and write the file to modify the ruleset.
	197	#
	198
	199	# Converters default is to only monitor the traffic, so set the IDS action to
	200	# "alert".
	201	my $IDS_action = "alert";
	202
	203	# Check if the traffic only should be monitored.
	204	if ($idssettings{"MONITOR_TRAFFIC_ONLY"} eq "off") {
	205	# Swith IDS action to alert only.
	206	$IDS_action = "drop";
	207	}
	208
	209	# Call subfunction and pass the desired IDS action.
	210	&IDS::write_modify_sids_file($IDS_action);
	211
	212	#
	213	## Step 6: Move rulestarball to its new location.
	214	#
	215
	216	# Check if a rulestarball has been downloaded yet.
	217	if (-f $snort_rules_tarball) {
	218	# Load perl module which contains the move command.
	219	use File::Copy;
	220
	221	# Move the rulestarball to the new location.
	222	move($snort_rules_tarball, $IDS::rulestarball);
	223
	224	# Set correct ownership.
	225	chown($uid, $gid, $IDS::rulestarball);
	226	}
	227
	228	#
	229	## Step 7: Call oinkmaster to extract and setup the rules structures.
	230	#
	231
	232	# Check if a rulestarball is present.
	233	if (-f $IDS::rulestarball) {
	234	# Launch oinkmaster by calling the subfunction.
	235	&IDS::oinkmaster();
	236	}
	237
	238	#
	239	## Step 8: Grab used ruleset files from snort config file and convert
	240	## them into the new format.
	241	#
	242
	243	# Check if the snort config file exists.
	244	unless (-f $snort_config_file) {
	245	print "$snort_config_file does not exist - Nothing to do. Exiting!\n";
	246	exit(0);
	247	}
	248
	249	# Array to store the enabled rules files.
	250	my @enabled_rule_files;
	251
	252	# Open snort config file.
	253	open(SNORTCONF, $snort_config_file) or die "Could not open $snort_config_file. $!\n";
	254
	255	# Loop through the file content.
	256	while (my $line = <SNORTCONF>) {
	257	# Skip comments.
	258	next if ($line =~ /\#/);
	259
	260	# Skip blank lines.
	261	next if ($line =~ /^\s*$/);
	262
	263	# Remove newlines.
	264	chomp($line);
	265
	266	# Check for a line with .rules
	267	if ($line =~ /\.rules$/) {
	268	# Parse out rule file name
	269	my $rulefile = $line;
	270	$rulefile =~ s/\$RULE_PATH\///i;
	271	$rulefile =~ s/ ?include ?//i;
	272
	273	# Add the enabled rulefile to the array of enabled rule files.
	274	push(@enabled_rule_files, $rulefile);
	275	}
	276	}
	277
	278	# Close filehandle.
	279	close(SNORTCONF);
	280
	281	# Pass the array of enabled rule files to the subfunction and write the file.
	282	&IDS::write_used_rulefiles_file(@enabled_rule_files);
	283
	284	#
	285	## Step 9: Generate file for the HOME Net.
	286	#
	287
	288	# Call subfunction to generate the file.
	289	&IDS::generate_home_net_file();
	290
	291	#
	292	## Step 10: Setup automatic ruleset updates.
	293	#
	294
	295	# Check if a ruleset is configured.
	296	if($rulessettings{"RULES"}) {
	297	# Call suricatactrl and setup the periodic update mechanism.
	298	&IDS::call_suricatactrl("cron", $rulessettings{'AUTOUPDATE_INTERVAL'});
	299	}
	300
	301	#
	302	## Step 11: Start the IDS if enabled.
	303	#
	304
	305	# Check if the IDS should be started.
	306	if($idssettings{"ENABLE_IDS"} eq "on") {
	307	# Call suricatactrl and launch the IDS.
	308	&IDS::call_suricatactrl("start");
	309	}