Snort scripts and config update.
authorArne Fitzenreiter <arne_f@ipfire.org>
Thu, 17 Jun 2010 21:23:02 +0000 (23:23 +0200)
committerArne Fitzenreiter <arne_f@ipfire.org>
Thu, 17 Jun 2010 21:23:02 +0000 (23:23 +0200)
config/rootfiles/common/initscripts
config/rootfiles/core/38/filelists/files
config/rootfiles/core/38/update.sh
config/snort/snort.conf
lfs/initscripts
src/initscripts/init.d/snort

index c4747ac..d50af87 100644 (file)
@@ -118,6 +118,7 @@ etc/rc.d/rc0.d/K08fcron
 etc/rc.d/rc0.d/K28apache
 etc/rc.d/rc0.d/K30sshd
 etc/rc.d/rc0.d/K45random
+etc/rc.d/rc0.d/K78snort
 etc/rc.d/rc0.d/K79leds
 etc/rc.d/rc0.d/K80network
 #etc/rc.d/rc0.d/K84bluetooth
@@ -152,6 +153,7 @@ etc/rc.d/rc6.d/K08fcron
 etc/rc.d/rc6.d/K28apache
 etc/rc.d/rc6.d/K30sshd
 etc/rc.d/rc6.d/K45random
+etc/rc.d/rc6.d/K78snort
 etc/rc.d/rc6.d/K79leds
 etc/rc.d/rc6.d/K80network
 #etc/rc.d/rc6.d/K84bluetooth
index 3459b83..0110c6b 100644 (file)
@@ -6,8 +6,10 @@ etc/rc.d/init.d/leds
 etc/rc.d/init.d/rc
 etc/rc.d/init.d/snort
 etc/rc.d/init.d/networking/red.up/50-ovpn
+etc/rc.d/rc0.d/K78snort
 etc/rc.d/rc0.d/K79leds
 etc/rc.d/rc3.d/S21leds
+etc/rc.d/rc6.d/K78snort
 etc/rc.d/rc6.d/K79leds
 etc/udev/rules.d/52-nut-usbups.rules
 etc/udev/rules.d/xpp.rules
index 350a372..3cb9654 100644 (file)
@@ -70,6 +70,7 @@ tar cjvf /var/ipfire/backup/core-upgrade_$KVER.tar.bz2 \
 /etc/init.d/collectd stop
 /etc/init.d/squid stop
 /etc/init.d/ipsec stop
+/etc/init.d/snort stop
 
 echo
 echo Update Kernel to $KVER ...
@@ -90,9 +91,10 @@ rm -rf /lib/modules/2.6.27.31-ipfire-xen
 rm -rf /usr/lib/ipsec
 rm -rf /usr/libexec/ipsec
 #
-# old snort libs ...
+# old snort libs and rules ...
 #
 rm -rf /usr/lib/snort_*
+rm -rf /etc/snort
 
 #
 # Backup grub.conf
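Review bot: `rm -rf /etc/snort` on the new line removes the whole directory, not just the "old snort libs and rules" the comment names: snort.conf, any site-local rule file and the generated /etc/snort/vars go with it. Unless /etc/snort is part of the backup tarball this script creates earlier (its file list is outside the hunk), an operator's custom rules or edited config are lost without notice, and the IDS cannot start again until a ruleset has been downloaded. If the intent is only to clear rules that are incompatible with the new snort.conf, limiting the deletion to the rule directories it references, `rm -rf /etc/snort/rules /etc/snort/so_rules /etc/snort/preproc_rules`, or moving the directory aside with `mv /etc/snort /etc/snort.old` before the new files are unpacked, keeps the operator's material recoverable. The update script's body continues outside the hunk.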
index 2b294eb..bf46406 100644 (file)
 # Step #1: Set the network variables.  For more information, see README.variables
 ###################################################
 
+include /etc/snort/vars
+
 # Setup the network addresses you are protecting
-var HOME_NET any
+# taken from /etc/snort vars
+#var HOME_NET any
 
 # Set up the external network addresses.  A good start may be "any"
 var EXTERNAL_NET any
 
 # List of DNS servers on your network 
-var DNS_SERVERS $HOME_NET
+# taken from /etc/snort vars
+#var DNS_SERVERS $HOME_NET
 
 # List of SMTP servers on your network
 var SMTP_SERVERS $HOME_NET
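Review bot: `include /etc/snort/vars` at the top of Step #1 makes the configuration depend on a file that, in the init script on this page, is only written inside the `start)` branch; running Snort by hand, e.g. `snort -T -c /etc/snort/snort.conf` to validate a rule update, or starting it before the init script has run once, fails on the missing include, and after the `rm -rf /etc/snort` in update.sh the file is absent until the next start. The dependency should be recorded on the include line, `# HOME_NET and DNS_SERVERS are generated by /etc/init.d/snort on start; do not set them here`, and the two new comments `# taken from /etc/snort vars` presumably mean `/etc/snort/vars`. Having the init script write the vars file before any mode-specific work would also let a manual config test succeed. This hunk's header is not shown and the surrounding snort.conf context is outside my view.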
@@ -45,6 +49,9 @@ var TELNET_SERVERS $HOME_NET
 # List of ports you run web servers on
 portvar HTTP_PORTS  [80,2301,3128,7777,7779,8000,8008,8028,8080,8180,8888,9999]
 
+# List of ssh ports
+portvar SSH_PORTS  [22,222]
+
 # List of ports you want to look for SHELLCODE on.
 portvar SHELLCODE_PORTS !80
 
@@ -61,6 +68,7 @@ var RULE_PATH /etc/snort/rules
 var SO_RULE_PATH /etc/snort/so_rules
 var PREPROC_RULE_PATH /etc/snort/preproc_rules
 
+
 ###################################################
 # Step #2: Configure the decoder.  For more information, see README.decode
 ###################################################
@@ -299,5 +307,3 @@ include /etc/snort/rules/reference.config
 
 # site specific rules
 
-# Event thresholding or suppression commands. See threshold.conf 
-# include threshold.conf
\ No newline at end of file
index 38870b8..a9fadf4 100644 (file)
@@ -119,6 +119,8 @@ $(TARGET) :
        ln -sf ../init.d/fcron       /etc/rc.d/rc0.d/K08fcron
        ln -sf ../init.d/fcron       /etc/rc.d/rc3.d/S40fcron
        ln -sf ../init.d/fcron       /etc/rc.d/rc6.d/K08fcron
+       ln -sf ../init.d/snort       /etc/rc.d/rc0.d/K78snort
+       ln -sf ../init.d/snort       /etc/rc.d/rc6.d/K78snort
        ln -sf ../init.d/network     /etc/rc.d/rc0.d/K80network
        ln -sf ../init.d/network     /etc/rc.d/rc3.d/S20network
        ln -sf ../init.d/network     /etc/rc.d/rc6.d/K80network
index 5446094..6323e2b 100644 (file)
@@ -20,57 +20,57 @@ PATH=/usr/local/sbin:/usr/local/bin:/bin:/usr/bin:/sbin:/usr/sbin; export PATH
 eval $(/usr/local/bin/readhash /var/ipfire/ethernet/settings)
 eval $(/usr/local/bin/readhash /var/ipfire/snort/settings)
 
-if [ "$ENABLE_SNORT_ORANGE" == "on" ]; then
-        HOME_NET+="$ORANGE_ADDRESS,"
-        DEVICES+="$ORANGE_DEV "
-fi
+case "$1" in
+        start)
+               if [ "$BLUE_NETADDRESS" ]; then
+                       BLUE_NET="$BLUE_NETADDRESS/$BLUE_NETMASK,"
+                       BLUE_IP="$BLUE_ADDRESS,"
+               fi
 
-if [ "$ENABLE_SNORT_GREEN" == "on" ]; then
-        HOME_NET+="$GREEN_ADDRESS,"
-        DEVICES+="$GREEN_DEV "
-fi
+               if [ "$ORANGE_NETADDRESS" ]; then
+                       ORANGE_NET="$ORANGE_NETADDRESS/$ORANGE_NETMASK,"
+                       ORANGE_IP="$ORANGE_ADDRESS,"
+               fi
 
-if [ "$ENABLE_SNORT_BLUE" == "on" ]; then
-        HOME_NET+="$BLUE_ADDRESS,"
-        DEVICES+="$BLUE_DEV "
-fi
+               if [ "$ENABLE_SNORT_ORANGE" == "on" ]; then
+                       DEVICES+="$ORANGE_DEV "
+                       HOMENET+="$ORANGE_IP"
+               else
+                       HOMENET+="$ORANGE_NET"
+               fi
 
-if [ "$ENABLE_SNORT" == "on" ]; then
-        LOCAL_IP=`cat /var/ipfire/red/local-ipaddress`
-        if [ "$LOCAL_IP" ]; then
-                HOME_NET+="$LOCAL_IP,"
-        else
-                exit 1 ## Add error handling here
-        fi
-        DEVICES+=`cat /var/ipfire/red/iface 2>/dev/null`
-fi
+               if [ "$ENABLE_SNORT_BLUE" == "on" ]; then
+                       DEVICES+="$BLUE_DEV "
+                       HOMENET+="$BLUE_IP"
+               else
+                       HOMENET+="$BLUE_NET"
+               fi
 
-COUNT=`echo $HOME_NET | wc -m`
-HOME_NET=`echo $HOME_NET | cut -c $[$COUNT - 2]`
-echo "var HOME_NET [$HOME_NET]" >       /etc/snort/vars
-echo "var EXTERNAL_NET ANY" >>          /etc/snort/vars
+               if [ "$ENABLE_SNORT_GREEN" == "on" ]; then
+                       DEVICES+="$GREEN_DEV "
+                       HOMENET+="$GREEN_ADDRESS,"
+               else
+                       HOMENET+="$GREEN_NETADDRESS/$GREEN_NETMASK,"
+               fi
 
-DNS1=`cat /var/ipfire/red/dns1 2>/dev/null`
-DNS2=`cat /var/ipfire/red/dns2 2>/dev/null`
+               if [ "$ENABLE_SNORT" == "on" ]; then
+                       DEVICES+=`cat /var/ipfire/red/iface 2>/dev/null`
+                       LOCAL_IP=`cat /var/ipfire/red/local-ipaddress 2>/dev/null`
+                       if [ "$LOCAL_IP" ]; then
+                               HOMENET+="$LOCAL_IP,"
+                       fi
+               fi
+               HOMENET+="127.0.0.1"
+               echo "var HOME_NET [$HOMENET]" > /etc/snort/vars
 
-if [ "$DNS2" ]; then
-        echo "var DNS_SERVERS [$DNS1,$DNS2]" >> /etc/snort/vars
-else
-        echo "var DNS_SERVERS $DNS1" >> /etc/snort/vars
-fi 
+               DNS1=`cat /var/ipfire/red/dns1 2>/dev/null`
+               DNS2=`cat /var/ipfire/red/dns2 2>/dev/null`
 
-case "$1" in
-        start)
-               # Disable incompatible rules
-                boot_mesg "Check/Fix Intrusion Detection rules..."
-               for file in $(ls /etc/snort/rules/*.rules 2>/dev/null); do
-                       sed -i 's|^alert.*!\[\$DNS_SERVERS|#&|g' $file
-                       sed -i 's|^alert.*!\$SSH_PORTS|#&|g' $file
-                       sed -i 's|^alert.*!\$HOME_NET|#&|g' $file
-                       sed -i 's|^alert.*!\$SQL_SERVERS|#&|g' $file
-               done
-               echo_ok
+               if [ "$DNS2" ]; then
+                       echo "var DNS_SERVERS [$DNS1,$DNS2]" >> /etc/snort/vars
+               else
+                       echo "var DNS_SERVERS $DNS1" >> /etc/snort/vars
+               fi
 
                 for DEVICE in $DEVICES; do
                         boot_mesg "Starting Intrusion Detection System on $DEVICE..."
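Review bot: The `exit 1` the old code took when /var/ipfire/red/local-ipaddress was empty is gone, and the new `if [ "$LOCAL_IP" ]` block only skips the address: with ENABLE_SNORT on and RED down, the RED interface still lands in DEVICES from the iface file while its address is missing from HOME_NET, so Snort is started on RED with every `$HOME_NET` rule blind to traffic addressed to the firewall itself. In the same state DNS1 is empty and the fallback `echo "var DNS_SERVERS $DNS1"` writes a var with no value into /etc/snort/vars, which Snort is likely to reject at startup, whereas the previous snort.conf default for that variable was `$HOME_NET`. Adding the RED device only together with its address, and falling back to `$HOME_NET` for DNS_SERVERS when no RED resolver is known, keeps the start on GREEN/BLUE/ORANGE working without producing a half-configured RED sensor. The rest of the `start)` branch and the other case arms are outside the hunk.
```shell
		if [ "$ENABLE_SNORT" == "on" ]; then
			RED_DEV=$(cat /var/ipfire/red/iface 2>/dev/null)
			LOCAL_IP=$(cat /var/ipfire/red/local-ipaddress 2>/dev/null)
			# Only monitor RED when its address is known; otherwise
			# $HOME_NET would not cover the firewall's own traffic.
			if [ -n "$RED_DEV" ] && [ -n "$LOCAL_IP" ]; then
				DEVICES+="$RED_DEV "
				HOMENET+="$LOCAL_IP,"
			else
				boot_mesg "RED is not up, Intrusion Detection on RED is skipped"
			fi
		fi
		HOMENET+="127.0.0.1"
		echo "var HOME_NET [$HOMENET]" > /etc/snort/vars

		DNS1=$(cat /var/ipfire/red/dns1 2>/dev/null)
		DNS2=$(cat /var/ipfire/red/dns2 2>/dev/null)

		if [ -n "$DNS1" ] && [ -n "$DNS2" ]; then
			echo "var DNS_SERVERS [$DNS1,$DNS2]" >> /etc/snort/vars
		elif [ -n "$DNS1" ]; then
			echo "var DNS_SERVERS $DNS1" >> /etc/snort/vars
		else
			# No RED resolver known (RED down): use the snort.conf default
			# rather than emitting a var with no value.
			echo 'var DNS_SERVERS $HOME_NET' >> /etc/snort/vars
		fi
		# … unchanged: per-device start loop …
```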