From 8dc25f04ba659b6f88f0eef91258088c4b3fe978 Mon Sep 17 00:00:00 2001
From: Arne Fitzenreiter
Date: Thu, 17 Jun 2010 23:23:02 +0200
Subject: [PATCH] Snort scripts and config update.

---
 config/rootfiles/common/initscripts | 2 +
 config/rootfiles/core/38/filelists/files | 2 +
 config/rootfiles/core/38/update.sh | 4 +-
 config/snort/snort.conf | 14 ++--
 lfs/initscripts | 2 +
 src/initscripts/init.d/snort | 88 ++++++++++++------------
 6 files changed, 63 insertions(+), 49 deletions(-)

diff --git a/config/rootfiles/common/initscripts b/config/rootfiles/common/initscripts
index c4747aca9b..d50af877a1 100644
--- a/config/rootfiles/common/initscripts
+++ b/config/rootfiles/common/initscripts
@@ -118,6 +118,7 @@ etc/rc.d/rc0.d/K08fcron
 etc/rc.d/rc0.d/K28apache
 etc/rc.d/rc0.d/K30sshd
 etc/rc.d/rc0.d/K45random
+etc/rc.d/rc0.d/K78snort
 etc/rc.d/rc0.d/K79leds
 etc/rc.d/rc0.d/K80network
 #etc/rc.d/rc0.d/K84bluetooth
@@ -152,6 +153,7 @@ etc/rc.d/rc6.d/K08fcron
 etc/rc.d/rc6.d/K28apache
 etc/rc.d/rc6.d/K30sshd
 etc/rc.d/rc6.d/K45random
+etc/rc.d/rc6.d/K78snort
 etc/rc.d/rc6.d/K79leds
 etc/rc.d/rc6.d/K80network
 #etc/rc.d/rc6.d/K84bluetooth
diff --git a/config/rootfiles/core/38/filelists/files b/config/rootfiles/core/38/filelists/files
index 3459b83a7a..0110c6bb3f 100644
--- a/config/rootfiles/core/38/filelists/files
+++ b/config/rootfiles/core/38/filelists/files
@@ -6,8 +6,10 @@ etc/rc.d/init.d/leds
 etc/rc.d/init.d/rc
 etc/rc.d/init.d/snort
 etc/rc.d/init.d/networking/red.up/50-ovpn
+etc/rc.d/rc0.d/K78snort
 etc/rc.d/rc0.d/K79leds
 etc/rc.d/rc3.d/S21leds
+etc/rc.d/rc6.d/K78snort
 etc/rc.d/rc6.d/K79leds
 etc/udev/rules.d/52-nut-usbups.rules
 etc/udev/rules.d/xpp.rules
diff --git a/config/rootfiles/core/38/update.sh b/config/rootfiles/core/38/update.sh
index 350a372048..3cb9654eec 100644
--- a/config/rootfiles/core/38/update.sh
+++ b/config/rootfiles/core/38/update.sh
@@ -70,6 +70,7 @@ tar cjvf /var/ipfire/backup/core-upgrade_$KVER.tar.bz2 \ /etc/init.d/collectd stop /etc/init.d/squid stop /etc/init.d/ipsec stop +/etc/init.d/snort stop echo echo Update Kernel to $KVER ... @@ -90,9 +91,10 @@ rm -rf /lib/modules/2.6.27.31-ipfire-xen rm -rf /usr/lib/ipsec rm -rf /usr/libexec/ipsec # -# old snort libs ... +# old snort libs and rules ... # rm -rf /usr/lib/snort_* +rm -rf /etc/snort # # Backup grub.conf diff --git a/config/snort/snort.conf b/config/snort/snort.conf index 2b294eb0ad..bf4640624b 100644 --- a/config/snort/snort.conf +++ b/config/snort/snort.conf @@ -21,14 +21,18 @@ # Step #1: Set the network variables. For more information, see README.variables ################################################### +include /etc/snort/vars + # Setup the network addresses you are protecting -var HOME_NET any +# taken from /etc/snort vars +#var HOME_NET any # Set up the external network addresses. A good start may be "any" var EXTERNAL_NET any # List of DNS servers on your network -var DNS_SERVERS $HOME_NET +# taken from /etc/snort vars +#var DNS_SERVERS $HOME_NET # List of SMTP servers on your network var SMTP_SERVERS $HOME_NET @@ -45,6 +49,9 @@ var TELNET_SERVERS $HOME_NET # List of ports you run web servers on portvar HTTP_PORTS [80,2301,3128,7777,7779,8000,8008,8028,8080,8180,8888,9999] +# List of ssh ports +portvar SSH_PORTS [22,222] + # List of ports you want to look for SHELLCODE on. portvar SHELLCODE_PORTS !80 @@ -61,6 +68,7 @@ var RULE_PATH /etc/snort/rules var SO_RULE_PATH /etc/snort/so_rules var PREPROC_RULE_PATH /etc/snort/preproc_rules + ################################################### # Step #2: Configure the decoder. For more information, see README.decode ################################################### @@ -299,5 +307,3 @@ include /etc/snort/rules/reference.config # site specific rules -# Event thresholding or suppression commands. See threshold.conf -# include threshold.conf \ No newline at end of file 
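Review bot: `rm -rf /etc/snort` in the second update.sh hunk deletes the whole directory, not only the "old snort libs and rules" the comment above it names, so a locally edited snort.conf, hand-written local rules or a downloaded rule tarball on the updated box are gone once this step runs. The backup tar at the start of the script is outside the hunk; either confirm its file list covers /etc/snort, or narrow the removal to the rule directories the new snort.conf points at, e.g. `rm -rf /etc/snort/rules /etc/snort/so_rules /etc/snort/preproc_rules`. Since the init script in this same commit writes /etc/snort/vars at start, whatever re-creates /etc/snort after this line (presumably the file extraction that follows, not visible here) must run before `/etc/init.d/snort start`.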
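Review bot: `include /etc/snort/vars` at the top of the first snort.conf hunk makes the configuration depend on a file that, per the init script in this commit, is only (re)generated when the service starts, and that core-38's update.sh removes together with the rest of /etc/snort; as far as I know Snort treats an unreadable include as fatal, so a config test or manual invocation before the first service start fails with no hint of why. A comment next to the include would save the next reader the search: `# /etc/snort/vars (HOME_NET, DNS_SERVERS) is written by /etc/init.d/snort on every start; do not edit by hand`. The commented-out `#var HOME_NET any` and `#var DNS_SERVERS $HOME_NET` lines could then be dropped rather than kept, since the "taken from /etc/snort vars" note above each already says where the value comes from.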
diff --git a/lfs/initscripts b/lfs/initscripts
index 38870b84a3..a9fadf4de8 100644
--- a/lfs/initscripts
+++ b/lfs/initscripts
@@ -119,6 +119,8 @@ $(TARGET) :
 ln -sf ../init.d/fcron /etc/rc.d/rc0.d/K08fcron
 ln -sf ../init.d/fcron /etc/rc.d/rc3.d/S40fcron
 ln -sf ../init.d/fcron /etc/rc.d/rc6.d/K08fcron
+ ln -sf ../init.d/snort /etc/rc.d/rc0.d/K78snort
+ ln -sf ../init.d/snort /etc/rc.d/rc6.d/K78snort
 ln -sf ../init.d/network /etc/rc.d/rc0.d/K80network
 ln -sf ../init.d/network /etc/rc.d/rc3.d/S20network
 ln -sf ../init.d/network /etc/rc.d/rc6.d/K80network
diff --git a/src/initscripts/init.d/snort b/src/initscripts/init.d/snort
index 544609434e..6323e2be90 100644
--- a/src/initscripts/init.d/snort
+++ b/src/initscripts/init.d/snort
@@ -20,57 +20,57 @@ PATH=/usr/local/sbin:/usr/local/bin:/bin:/usr/bin:/sbin:/usr/sbin; export PATH eval $(/usr/local/bin/readhash /var/ipfire/ethernet/settings) eval $(/usr/local/bin/readhash /var/ipfire/snort/settings) -if [ "$ENABLE_SNORT_ORANGE" == "on" ]; then - HOME_NET+="$ORANGE_ADDRESS," - DEVICES+="$ORANGE_DEV " -fi +case "$1" in + start) + if [ "$BLUE_NETADDRESS" ]; then + BLUE_NET="$BLUE_NETADDRESS/$BLUE_NETMASK," + BLUE_IP="$BLUE_ADDRESS," + fi -if [ "$ENABLE_SNORT_GREEN" == "on" ]; then - HOME_NET+="$GREEN_ADDRESS," - DEVICES+="$GREEN_DEV " -fi + if [ "$ORANGE_NETADDRESS" ]; then + ORANGE_NET="$ORANGE_NETADDRESS/$ORANGE_NETMASK," + ORANGE_IP="$ORANGE_ADDRESS," + fi -if [ "$ENABLE_SNORT_BLUE" == "on" ]; then - HOME_NET+="$BLUE_ADDRESS," - DEVICES+="$BLUE_DEV " -fi + if [ "$ENABLE_SNORT_ORANGE" == "on" ]; then + DEVICES+="$ORANGE_DEV " + HOMENET+="$ORANGE_IP" + else + HOMENET+="$ORANGE_NET" + fi -if [ "$ENABLE_SNORT" == "on" ]; then - LOCAL_IP=`cat /var/ipfire/red/local-ipaddress` - if [ "$LOCAL_IP" ]; then - HOME_NET+="$LOCAL_IP," - else - exit 1 ## Add error handling here - fi - DEVICES+=`cat /var/ipfire/red/iface 2>/dev/null` -fi + if [ "$ENABLE_SNORT_BLUE" == "on" ]; then + DEVICES+="$BLUE_DEV " + HOMENET+="$BLUE_IP" + else + HOMENET+="$BLUE_NET" + fi -COUNT=`echo $HOME_NET | wc -m` -HOME_NET=`echo $HOME_NET | cut -c $[$COUNT - 2]` - -echo "var HOME_NET [$HOME_NET]" > /etc/snort/vars -echo "var EXTERNAL_NET ANY" >> /etc/snort/vars + if [ "$ENABLE_SNORT_GREEN" == "on" ]; then + DEVICES+="$GREEN_DEV " + HOMENET+="$GREEN_ADDRESS," + else + HOMENET+="$GREEN_NETADDRESS/$GREEN_NETMASK," + fi -DNS1=`cat /var/ipfire/red/dns1 2>/dev/null` -DNS2=`cat /var/ipfire/red/dns2 2>/dev/null` + if [ "$ENABLE_SNORT" == "on" ]; then + DEVICES+=`cat /var/ipfire/red/iface 2>/dev/null` + LOCAL_IP=`cat /var/ipfire/red/local-ipaddress 2>/dev/null` + if [ "$LOCAL_IP" ]; then + HOMENET+="$LOCAL_IP," + fi + fi + HOMENET+="127.0.0.1" + echo "var HOME_NET [$HOMENET]" > 
/etc/snort/vars -if [ "$DNS2" ]; then - echo "var DNS_SERVERS [$DNS1,$DNS2]" >> /etc/snort/vars -else - echo "var DNS_SERVERS $DNS1" >> /etc/snort/vars -fi + DNS1=`cat /var/ipfire/red/dns1 2>/dev/null` + DNS2=`cat /var/ipfire/red/dns2 2>/dev/null` -case "$1" in - start) - # Disable incompatible rules - boot_mesg "Check/Fix Intrusion Detection rules..." - for file in $(ls /etc/snort/rules/*.rules 2>/dev/null); do - sed -i 's|^alert.*!\[\$DNS_SERVERS|#&|g' $file - sed -i 's|^alert.*!\$SSH_PORTS|#&|g' $file - sed -i 's|^alert.*!\$HOME_NET|#&|g' $file - sed -i 's|^alert.*!\$SQL_SERVERS|#&|g' $file - done - echo_ok + if [ "$DNS2" ]; then + echo "var DNS_SERVERS [$DNS1,$DNS2]" >> /etc/snort/vars + else + echo "var DNS_SERVERS $DNS1" >> /etc/snort/vars + fi for DEVICE in $DEVICES; do boot_mesg "Starting Intrusion Detection System on $DEVICE..." -- 2.39.2
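Review bot: The DNS_SERVERS branch near the end of the hunk writes `var DNS_SERVERS ` with an empty value whenever /var/ipfire/red/dns1 is missing or empty (RED not yet up at boot, or a connection without DNS servers), and the sed loop that used to comment out rules referencing `$DNS_SERVERS` is removed by this same hunk, so Snort will most likely reject the generated vars file and the service will not come up. Add a middle case and fall back to the value the original snort.conf used: `elif [ "$DNS1" ]; then echo "var DNS_SERVERS $DNS1" >> /etc/snort/vars` and `else echo 'var DNS_SERVERS $HOME_NET' >> /etc/snort/vars` (single quotes keep the literal `$HOME_NET` for Snort to expand; the vars file already defines HOME_NET on its first line). The old code exited with status 1 when /var/ipfire/red/local-ipaddress was empty; the new block silently skips it, so a start with RED down may now listen on the RED interface with HOME_NET missing that address, which deserves at least a `boot_mesg`. The `case "$1" in start)` block opened here continues past the end of the hunk.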