Snort scripts and config update.

author Arne Fitzenreiter <arne_f@ipfire.org>

Thu, 17 Jun 2010 21:23:02 +0000 (23:23 +0200)

committer Arne Fitzenreiter <arne_f@ipfire.org>

Thu, 17 Jun 2010 21:23:02 +0000 (23:23 +0200)
author Arne Fitzenreiter <arne_f@ipfire.org>
Thu, 17 Jun 2010 21:23:02 +0000 (23:23 +0200)
committer Arne Fitzenreiter <arne_f@ipfire.org>
Thu, 17 Jun 2010 21:23:02 +0000 (23:23 +0200)
diff --git a/config/rootfiles/common/initscripts b/config/rootfiles/common/initscripts

index c4747aca9b4a91e13303e1b342aa4fb3bd112408..d50af877a154dddff0d064a26d75a3cdb457492f 100644 (file)
--- a/config/rootfiles/common/initscripts
+++ b/config/rootfiles/common/initscripts
@@ -118,6 +118,7 @@ etc/rc.d/rc0.d/K08fcron
  etc/rc.d/rc0.d/K28apache
  etc/rc.d/rc0.d/K30sshd
  etc/rc.d/rc0.d/K45random
  etc/rc.d/rc0.d/K28apache
  etc/rc.d/rc0.d/K30sshd
  etc/rc.d/rc0.d/K45random
+etc/rc.d/rc0.d/K78snort
  etc/rc.d/rc0.d/K79leds
  etc/rc.d/rc0.d/K80network
  #etc/rc.d/rc0.d/K84bluetooth
  etc/rc.d/rc0.d/K79leds
  etc/rc.d/rc0.d/K80network
  #etc/rc.d/rc0.d/K84bluetooth
@@ -152,6 +153,7 @@ etc/rc.d/rc6.d/K08fcron
  etc/rc.d/rc6.d/K28apache
  etc/rc.d/rc6.d/K30sshd
  etc/rc.d/rc6.d/K45random
  etc/rc.d/rc6.d/K28apache
  etc/rc.d/rc6.d/K30sshd
  etc/rc.d/rc6.d/K45random
+etc/rc.d/rc6.d/K78snort
  etc/rc.d/rc6.d/K79leds
  etc/rc.d/rc6.d/K80network
  #etc/rc.d/rc6.d/K84bluetooth
  etc/rc.d/rc6.d/K79leds
  etc/rc.d/rc6.d/K80network
  #etc/rc.d/rc6.d/K84bluetooth
diff --git a/config/rootfiles/core/38/filelists/files b/config/rootfiles/core/38/filelists/files

index 3459b83a7a4df206782acf8c797139b8ce801671..0110c6bb3fd59f5f90071529f3ceebe83cf9eaa0 100644 (file)
--- a/config/rootfiles/core/38/filelists/files
+++ b/config/rootfiles/core/38/filelists/files
@@ -6,8 +6,10 @@ etc/rc.d/init.d/leds
  etc/rc.d/init.d/rc
  etc/rc.d/init.d/snort
  etc/rc.d/init.d/networking/red.up/50-ovpn
  etc/rc.d/init.d/rc
  etc/rc.d/init.d/snort
  etc/rc.d/init.d/networking/red.up/50-ovpn
+etc/rc.d/rc0.d/K78snort
  etc/rc.d/rc0.d/K79leds
  etc/rc.d/rc3.d/S21leds
  etc/rc.d/rc0.d/K79leds
  etc/rc.d/rc3.d/S21leds
+etc/rc.d/rc6.d/K78snort
  etc/rc.d/rc6.d/K79leds
  etc/udev/rules.d/52-nut-usbups.rules
  etc/udev/rules.d/xpp.rules
  etc/rc.d/rc6.d/K79leds
  etc/udev/rules.d/52-nut-usbups.rules
  etc/udev/rules.d/xpp.rules
diff --git a/config/rootfiles/core/38/update.sh b/config/rootfiles/core/38/update.sh

index 350a37204820228c5d64c59614c04283cf686d42..3cb9654eec034928247ccf95a9f4804606458e9e 100644 (file)
--- a/config/rootfiles/core/38/update.sh
+++ b/config/rootfiles/core/38/update.sh
@@ -70,6 +70,7 @@ tar cjvf /var/ipfire/backup/core-upgrade_$KVER.tar.bz2 \
  /etc/init.d/collectd stop
  /etc/init.d/squid stop
  /etc/init.d/ipsec stop
  /etc/init.d/collectd stop
  /etc/init.d/squid stop
  /etc/init.d/ipsec stop
+/etc/init.d/snort stop
  
  echo
  echo Update Kernel to $KVER ...
  
  echo
  echo Update Kernel to $KVER ...
@@ -90,9 +91,10 @@ rm -rf /lib/modules/2.6.27.31-ipfire-xen
  rm -rf /usr/lib/ipsec
  rm -rf /usr/libexec/ipsec
  #
  rm -rf /usr/lib/ipsec
  rm -rf /usr/libexec/ipsec
  #
-# old snort libs ...
+# old snort libs and rules ...
  #
  rm -rf /usr/lib/snort_*
  #
  rm -rf /usr/lib/snort_*
+rm -rf /etc/snort
  
  #
  # Backup grub.conf
  
  #
  # Backup grub.conf
diff --git a/config/snort/snort.conf b/config/snort/snort.conf

index 2b294eb0ad10f53699ec2230883d53cad49f64ac..bf4640624b45cdb14f502a0cea26d60de829860a 100644 (file)
--- a/config/snort/snort.conf
+++ b/config/snort/snort.conf
@@ -21,14 +21,18 @@
  # Step #1: Set the network variables.  For more information, see README.variables
  ###################################################
  
  # Step #1: Set the network variables.  For more information, see README.variables
  ###################################################
  
+include /etc/snort/vars
+
  # Setup the network addresses you are protecting
  # Setup the network addresses you are protecting
-var HOME_NET any
+# taken from /etc/snort vars
+#var HOME_NET any
  
  # Set up the external network addresses.  A good start may be "any"
  var EXTERNAL_NET any
  
  # List of DNS servers on your network 
  
  # Set up the external network addresses.  A good start may be "any"
  var EXTERNAL_NET any
  
  # List of DNS servers on your network 
-var DNS_SERVERS $HOME_NET
+# taken from /etc/snort vars
+#var DNS_SERVERS $HOME_NET
  
  # List of SMTP servers on your network
  var SMTP_SERVERS $HOME_NET
  
  # List of SMTP servers on your network
  var SMTP_SERVERS $HOME_NET
@@ -45,6 +49,9 @@ var TELNET_SERVERS $HOME_NET
  # List of ports you run web servers on
  portvar HTTP_PORTS  [80,2301,3128,7777,7779,8000,8008,8028,8080,8180,8888,9999]
  
  # List of ports you run web servers on
  portvar HTTP_PORTS  [80,2301,3128,7777,7779,8000,8008,8028,8080,8180,8888,9999]
  
+# List of ssh ports
+portvar SSH_PORTS  [22,222]
+
  # List of ports you want to look for SHELLCODE on.
  portvar SHELLCODE_PORTS !80
  
  # List of ports you want to look for SHELLCODE on.
  portvar SHELLCODE_PORTS !80
  
@@ -61,6 +68,7 @@ var RULE_PATH /etc/snort/rules
  var SO_RULE_PATH /etc/snort/so_rules
  var PREPROC_RULE_PATH /etc/snort/preproc_rules
  
  var SO_RULE_PATH /etc/snort/so_rules
  var PREPROC_RULE_PATH /etc/snort/preproc_rules
  
+
  ###################################################
  # Step #2: Configure the decoder.  For more information, see README.decode
  ###################################################
  ###################################################
  # Step #2: Configure the decoder.  For more information, see README.decode
  ###################################################
@@ -299,5 +307,3 @@ include /etc/snort/rules/reference.config
  
  # site specific rules
  
  
  # site specific rules
  
-# Event thresholding or suppression commands. See threshold.conf 
-# include threshold.conf
-\ No newline at end of file
diff --git a/lfs/initscripts b/lfs/initscripts

index 38870b84a35c4ab665075d6c26e348dcd911e605..a9fadf4de8bbd047b3a06a1691b35bc2c25d8db5 100644 (file)
--- a/lfs/initscripts
+++ b/lfs/initscripts
@@ -119,6 +119,8 @@ $(TARGET) :
         ln -sf ../init.d/fcron       /etc/rc.d/rc0.d/K08fcron
         ln -sf ../init.d/fcron       /etc/rc.d/rc3.d/S40fcron
         ln -sf ../init.d/fcron       /etc/rc.d/rc6.d/K08fcron
         ln -sf ../init.d/fcron       /etc/rc.d/rc0.d/K08fcron
         ln -sf ../init.d/fcron       /etc/rc.d/rc3.d/S40fcron
         ln -sf ../init.d/fcron       /etc/rc.d/rc6.d/K08fcron
+       ln -sf ../init.d/snort       /etc/rc.d/rc0.d/K78snort
+       ln -sf ../init.d/snort       /etc/rc.d/rc6.d/K78snort
         ln -sf ../init.d/network     /etc/rc.d/rc0.d/K80network
         ln -sf ../init.d/network     /etc/rc.d/rc3.d/S20network
         ln -sf ../init.d/network     /etc/rc.d/rc6.d/K80network
         ln -sf ../init.d/network     /etc/rc.d/rc0.d/K80network
         ln -sf ../init.d/network     /etc/rc.d/rc3.d/S20network
         ln -sf ../init.d/network     /etc/rc.d/rc6.d/K80network
diff --git a/src/initscripts/init.d/snort b/src/initscripts/init.d/snort

index 544609434e529425d1305fa7723abf9105d43077..6323e2be9054e4d58c161e5d85165bd5c946519a 100644 (file)
--- a/src/initscripts/init.d/snort
+++ b/src/initscripts/init.d/snort
@@ -20,57 +20,57 @@ PATH=/usr/local/sbin:/usr/local/bin:/bin:/usr/bin:/sbin:/usr/sbin; export PATH
  eval $(/usr/local/bin/readhash /var/ipfire/ethernet/settings)
  eval $(/usr/local/bin/readhash /var/ipfire/snort/settings)
  
  eval $(/usr/local/bin/readhash /var/ipfire/ethernet/settings)
  eval $(/usr/local/bin/readhash /var/ipfire/snort/settings)
  
-if [ "$ENABLE_SNORT_ORANGE" == "on" ]; then
-        HOME_NET+="$ORANGE_ADDRESS,"
-        DEVICES+="$ORANGE_DEV "
-fi
+case "$1" in
+        start)
+               if [ "$BLUE_NETADDRESS" ]; then
+                       BLUE_NET="$BLUE_NETADDRESS/$BLUE_NETMASK,"
+                       BLUE_IP="$BLUE_ADDRESS,"
+               fi
  
  
-if [ "$ENABLE_SNORT_GREEN" == "on" ]; then
-        HOME_NET+="$GREEN_ADDRESS,"
-        DEVICES+="$GREEN_DEV "
-fi
+               if [ "$ORANGE_NETADDRESS" ]; then
+                       ORANGE_NET="$ORANGE_NETADDRESS/$ORANGE_NETMASK,"
+                       ORANGE_IP="$ORANGE_ADDRESS,"
+               fi
  
  
-if [ "$ENABLE_SNORT_BLUE" == "on" ]; then
-        HOME_NET+="$BLUE_ADDRESS,"
-        DEVICES+="$BLUE_DEV "
-fi
+               if [ "$ENABLE_SNORT_ORANGE" == "on" ]; then
+                       DEVICES+="$ORANGE_DEV "
+                       HOMENET+="$ORANGE_IP"
+               else
+                       HOMENET+="$ORANGE_NET"
+               fi
  
  
-if [ "$ENABLE_SNORT" == "on" ]; then
-        LOCAL_IP=`cat /var/ipfire/red/local-ipaddress`
-        if [ "$LOCAL_IP" ]; then
-                HOME_NET+="$LOCAL_IP,"
-        else
-                exit 1 ## Add error handling here
-        fi
-        DEVICES+=`cat /var/ipfire/red/iface 2>/dev/null`
-fi
+               if [ "$ENABLE_SNORT_BLUE" == "on" ]; then
+                       DEVICES+="$BLUE_DEV "
+                       HOMENET+="$BLUE_IP"
+               else
+                       HOMENET+="$BLUE_NET"
+               fi
  
  
-COUNT=`echo $HOME_NET | wc -m`
-HOME_NET=`echo $HOME_NET | cut -c $[$COUNT - 2]`
- 
-echo "var HOME_NET [$HOME_NET]" >       /etc/snort/vars
-echo "var EXTERNAL_NET ANY" >>          /etc/snort/vars
+               if [ "$ENABLE_SNORT_GREEN" == "on" ]; then
+                       DEVICES+="$GREEN_DEV "
+                       HOMENET+="$GREEN_ADDRESS,"
+               else
+                       HOMENET+="$GREEN_NETADDRESS/$GREEN_NETMASK,"
+               fi
  
  
-DNS1=`cat /var/ipfire/red/dns1 2>/dev/null`
-DNS2=`cat /var/ipfire/red/dns2 2>/dev/null`
+               if [ "$ENABLE_SNORT" == "on" ]; then
+                       DEVICES+=`cat /var/ipfire/red/iface 2>/dev/null`
+                       LOCAL_IP=`cat /var/ipfire/red/local-ipaddress 2>/dev/null`
+                       if [ "$LOCAL_IP" ]; then
+                               HOMENET+="$LOCAL_IP,"
+                       fi
+               fi
+               HOMENET+="127.0.0.1"
+               echo "var HOME_NET [$HOMENET]" > /etc/snort/vars
  
  
-if [ "$DNS2" ]; then
-        echo "var DNS_SERVERS [$DNS1,$DNS2]" >> /etc/snort/vars
-else
-        echo "var DNS_SERVERS $DNS1" >> /etc/snort/vars
-fi 
+               DNS1=`cat /var/ipfire/red/dns1 2>/dev/null`
+               DNS2=`cat /var/ipfire/red/dns2 2>/dev/null`
  
  
-case "$1" in
-        start)
-               # Disable incompatible rules
-                boot_mesg "Check/Fix Intrusion Detection rules..."
-               for file in $(ls /etc/snort/rules/*.rules 2>/dev/null); do
-                       sed -i 's|^alert.*!\[\$DNS_SERVERS|#&|g' $file
-                       sed -i 's|^alert.*!\$SSH_PORTS|#&|g' $file
-                       sed -i 's|^alert.*!\$HOME_NET|#&|g' $file
-                       sed -i 's|^alert.*!\$SQL_SERVERS|#&|g' $file
-               done
-               echo_ok
+               if [ "$DNS2" ]; then
+                       echo "var DNS_SERVERS [$DNS1,$DNS2]" >> /etc/snort/vars
+               else
+                       echo "var DNS_SERVERS $DNS1" >> /etc/snort/vars
+               fi
  
                  for DEVICE in $DEVICES; do
                          boot_mesg "Starting Intrusion Detection System on $DEVICE..."
  
                  for DEVICE in $DEVICES; do
                          boot_mesg "Starting Intrusion Detection System on $DEVICE..."
author	Arne Fitzenreiter <arne_f@ipfire.org>
	Thu, 17 Jun 2010 21:23:02 +0000 (23:23 +0200)
committer	Arne Fitzenreiter <arne_f@ipfire.org>
	Thu, 17 Jun 2010 21:23:02 +0000 (23:23 +0200)
config/rootfiles/common/initscripts		patch \| blob \| blame \| history
config/rootfiles/core/38/filelists/files		patch \| blob \| blame \| history
config/rootfiles/core/38/update.sh		patch \| blob \| blame \| history
config/snort/snort.conf		patch \| blob \| blame \| history
lfs/initscripts		patch \| blob \| blame \| history
src/initscripts/init.d/snort		patch \| blob \| blame \| history