From: Russ Combs (rucombs) Date: Sat, 13 Apr 2019 15:58:34 +0000 (-0400) Subject: Merge pull request #1577 in SNORT/snort3 from ~RUCOMBS/snort3:optionz to master X-Git-Tag: 3.0.0-253~4 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=31d93a4ab35587af5c388774a4d9a96a56a0829e;p=thirdparty%2Fsnort3.git Merge pull request #1577 in SNORT/snort3 from ~RUCOMBS/snort3:optionz to master Squashed commit of the following: commit bdef92d85c5ca745f34b013e3b970db41db95122 Author: russ Date: Sat Apr 13 01:11:35 2019 -0400 doc: remove mention of obsolete LUA_PATH and required snort_config library commit fd6e7aab7c852c82fc5247d864e54e6c852c174b Author: russ Date: Sat Apr 13 00:20:47 2019 -0400 Lua: build-time stringify Lua files for use as C++ variables commit 0a54f6e497855af5cf3e8abcf26e13471618ecbf Author: russ Date: Fri Apr 12 21:19:01 2019 -0400 Lua: internalize snort_config.lua dependency This change eliminates the need to require('snort_config') in snort.lua. Instead, the file is built into Snort and directly injected into the Lua states before loading chunks. Similarly, internal defaults are handled the same for the top-level (eg -c) config file. Handling defaults in this way ensures that automatically activated builtin modules don't rely on separate C++ initializations and doesn't require additional code. commit 33b4714afee826843edac5e78accf04a4ec9a520 Author: russ Date: Thu Apr 11 13:02:39 2019 -0400 Lua: apply the necessary builtin defaults from one place commit a61926cd22264fc13f1afd598158c770c3df1f54 Author: russ Date: Thu Apr 11 13:01:52 2019 -0400 parser: fix defaults for alerts.order and network.checksum_eval --- diff --git a/README.md b/README.md index c80ca747a..584302020 100644 --- a/README.md +++ b/README.md @@ -126,7 +126,6 @@ Follow these steps: First set up the environment: ```shell -export LUA_PATH=$my_path/include/snort/lua/\?.lua\;\; export SNORT_LUA_PATH=$my_path/etc/snort ``` 
diff --git a/doc/appid.txt b/doc/appid.txt index 33efedcaf..357a1320b 100644 --- a/doc/appid.txt +++ b/doc/appid.txt @@ -69,8 +69,6 @@ will reduce performance. Below is a minimal Snort configuration that is sufficient to block flows based on a specific HTTP header: - require("snort_config") - dir = os.getenv('SNORT_LUA_PATH') if ( not dir ) then diff --git a/doc/enviro.txt b/doc/enviro.txt index 005c9fd66..ba2b77fb6 100644 --- a/doc/enviro.txt +++ b/doc/enviro.txt @@ -1,11 +1,6 @@ * *HOSTTYPE*: optional string that is output with the version at end of line. -* *LUA_PATH*: you must export as follows so LuaJIT can find required - files. - - LUA_PATH=$install_dir/include/snort/lua/\?.lua\;\; - * *SNORT_IGNORE*: the list of symbols Snort should ignore when parsing the Lua conf. Unknown symbols not in SNORT_IGNORE will cause warnings with --warn-unknown or fatals with --warn-unknown --pedantic. diff --git a/doc/errors.txt b/doc/errors.txt index 60a8abdca..7ef5f2442 100644 --- a/doc/errors.txt +++ b/doc/errors.txt @@ -1,10 +1,4 @@ -_FATAL: snort_config is required_ - -* add this line near top of file: - - require('snort_config') - _PANIC: unprotected error in call to Lua API (cannot open snort_defaults.lua: No such file or directory)_ diff --git a/doc/overview.txt b/doc/overview.txt index e227a522a..2f125a6d7 100644 --- a/doc/overview.txt +++ b/doc/overview.txt @@ -140,10 +140,6 @@ snort2lua will help you convert your conf and rules to the new format. ==== Environment -LUA_PATH must be set based on your install: - - LUA_PATH=$install_prefix/include/snort/lua/\?.lua\;\; - SNORT_LUA_PATH must be set to load auxiliary configuration files if you use the default snort.lua. For example: diff --git a/doc/tutorial.txt b/doc/tutorial.txt index 7eef4f7c2..725b75f57 100644 --- a/doc/tutorial.txt +++ b/doc/tutorial.txt 
@@ -113,7 +113,6 @@ c. Or use ccmake directly to configure and generate from an arbitrary build First set up the environment: - export LUA_PATH=$my_path/include/snort/lua/\?.lua\;\; export SNORT_LUA_PATH=$my_path/etc/snort/ Then give it a go: diff --git a/doc/usage.txt b/doc/usage.txt index b127e845b..7eb9ad73c 100644 --- a/doc/usage.txt +++ b/doc/usage.txt @@ -5,10 +5,8 @@ is in your PATH. === Environment -LUA_PATH is used directly by Lua to load and run required libraries. SNORT_LUA_PATH is used by Snort to load supplemental configuration files. - export LUA_PATH=$my_path/include/snort/lua/\?.lua\;\; export SNORT_LUA_PATH=$my_path/etc/snort diff --git a/lua/snort.lua.in b/lua/snort.lua.in index 92424bbaa..2e740b319 100644 --- a/lua/snort.lua.in +++ b/lua/snort.lua.in @@ -26,18 +26,8 @@ -- make install -- then: --- export LUA_PATH=$DIR/include/snort/lua/?.lua\;\; -- export SNORT_LUA_PATH=$DIR/etc/snort -lua_path = os.getenv('LUA_PATH') -if ( not lua_path ) then - package.path = '${CMAKE_INSTALL_FULL_INCLUDEDIR}/${INSTALL_SUFFIX}/lua/?.lua;?;' -end - --- this depends on LUA_PATH --- used to load this conf into Snort -require('snort_config') - -- this depends on SNORT_LUA_PATH -- where to find other config files conf_dir = os.getenv('SNORT_LUA_PATH') diff --git a/src/detection/fp_detect.cc b/src/detection/fp_detect.cc index 7bb88e0dd..c4a42f1e6 100644 --- a/src/detection/fp_detect.cc +++ b/src/detection/fp_detect.cc 
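Review bot: With `require('snort_config')` removed from lua/snort.lua.in, nothing left in the file tells a reader how this config reaches Snort; the deleted block carried that explanation ("used to load this conf into Snort"). Suggest a replacement comment where the require stood: `-- snort_config is built into the Snort binary and loaded into the Lua state before this file; no require() is needed`, so users porting older configs understand the dependency moved rather than disappeared. The package.path fallback is also gone, which presumably matters only to configs that still require other Lua modules; a one-line note to that effect would save a support question. The header and the conf_dir logic of the file continue outside the hunk.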
@@ -600,8 +600,8 @@ static inline int fpSessionAlerted(Packet* p, const OptTreeNode* otn) ** event. Otherwise if the ordering has it that pass rule events are ** processed after a drop or alert you will see the drops and alerts, ** and the pass event just causes us to stop processing any more events -** on the packet, but the packet does not pass. Also, the --alert-on-drop -** flag causes any drop/sdrop/reject rules to be loaded as alert rules. +** on the packet, but the packet does not pass. Also, the --treat-drop-as-alert +** flag causes any drop/block/reset rules to be loaded as alert rules. ** The default has been to ignore them on parsing. ** ** If this is less than clear, here's the $.02 version: @@ -613,7 +613,7 @@ static inline int fpSessionAlerted(Packet* p, const OptTreeNode* otn) ** the max_events and log fields are reduced to only needing the log ** events field. max_fields is harmless. ** ( drop rules may be honored as alerts in IDS mode (no -Q) by using -** the --alert-on-drop flag ) +** the --treat-drop-as-alert) ** ** FORMAL INPUTS ** OtnxMatchData * - omd to select event from. @@ -652,7 +652,7 @@ static inline int fpFinalSelectEvent(OtnxMatchData* o, Packet* p) * order is 'drop alert', and we log 3 for drop alerts do not * get logged. IF order is 'alert drop', and we log 3 for * alert, then no drops are logged. So, there should be a - * built in drop/sdrop/reject comes before alert/pass/log as + * built in drop/block/reset comes before alert/pass/log as * part of the natural ordering....Jan '06.. */ /* Sort the rules in this action group */ diff --git a/src/main/modules.cc b/src/main/modules.cc index 3ccdff864..f2470b874 100755 --- a/src/main/modules.cc +++ b/src/main/modules.cc 
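Review bot: In the second fp_detect.cc hunk the rewritten line reads `** the --treat-drop-as-alert)`; the word "flag" and the space before the parenthesis in the original were dropped, so the sentence now ends mid-phrase. Make it `** the --treat-drop-as-alert flag )` to match the first hunk's wording ("the --treat-drop-as-alert flag causes ..."). These are comment-only hunks; the functions they describe (fpSessionAlerted, fpFinalSelectEvent) lie outside them.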
@@ -687,7 +687,7 @@ static const Parameter alerts_params[] = { "log_references", Parameter::PT_BOOL, nullptr, "false", "include rule references in alert info (full only)" }, - { "order", Parameter::PT_STRING, nullptr, "pass drop alert log", + { "order", Parameter::PT_STRING, nullptr, "pass reset block drop alert log", "change the order of rule action application" }, { "rate_filter_memcap", Parameter::PT_INT, "0:max32", "1048576", @@ -1055,7 +1055,7 @@ static const Parameter network_params[] = "drop if checksum is bad" }, { "checksum_eval", Parameter::PT_MULTI, - "all | ip | noip | tcp | notcp | udp | noudp | icmp | noicmp | none", "none", + "all | ip | noip | tcp | notcp | udp | noudp | icmp | noicmp | none", "all", "checksums to verify" }, { "decode_drops", Parameter::PT_BOOL, nullptr, "false", diff --git a/src/main/modules.h b/src/main/modules.h index 03153e367..12df8e925 100644 --- a/src/main/modules.h +++ b/src/main/modules.h @@ -30,6 +30,7 @@ void module_init(); +const char* get_lua_defaults(); extern Trace TRACE_NAME(detection); // FIXIT-L refactor detection module out diff --git a/src/main/policy.cc b/src/main/policy.cc index 95ab6ffbb..9154f4219 100644 --- a/src/main/policy.cc +++ b/src/main/policy.cc @@ -147,7 +147,7 @@ PolicyMap::PolicyMap(PolicyMap* other_map) clone(other_map); else { - add_shell(new Shell); + add_shell(new Shell(nullptr, true)); empty_ips_policy = new IpsPolicy(ips_policy.size()); ips_policy.emplace_back(empty_ips_policy); } diff --git a/src/main/shell.cc b/src/main/shell.cc index 01f829567..79bc16ad8 100644 --- a/src/main/shell.cc +++ b/src/main/shell.cc @@ -39,8 +39,6 @@ using namespace snort; using namespace std; -#define required "require('snort_config'); " - //------------------------------------------------------------------------- // helper functions //------------------------------------------------------------------------- 
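Review bot: The `checksum_eval` default in modules.cc flips from `"none"` to `"all"`, which is a behavior change for every deployment that does not set `network.checksum_eval`: checksums for every listed protocol are now verified by default, and where `checksum_drop` (visible just above, "drop if checksum is bad") is enabled, packets with bad checksums will presumably start being dropped. Nothing beyond "fix defaults" in the commit message records this; add a ChangeLog/release-note entry stating the old and new defaults, and the same for `alerts.order`, which now reads `"pass reset block drop alert log"`. Both hunks sit mid-table, so the enclosing Parameter arrays continue outside them.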
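Review bot: `const char* get_lua_defaults();` is declared in modules.h, but this diff shows neither a definition nor a caller; the embedded Lua chunks are exposed as `ModuleManager::get_lua_bootstrap()` / `get_lua_coreinit()` in module_manager.h instead. If it is a leftover of the squashed "apply the necessary builtin defaults from one place" step, drop the declaration; the new `#include "main/modules.h"` in parser.cc likewise has no visible use in the diff and may be the matching leftover. If it is in fact used outside the hunks, a short comment saying where would stop the next reader from asking the same question.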
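Review bot: `add_shell(new Shell(nullptr, true));` in policy.cc passes a bare boolean literal, so a reader has to open shell.h to learn that `true` means "also load the builtin core defaults" for the default shell. Keep the intent at the call site, e.g. `add_shell(new Shell(nullptr, /* load_defaults */ true));`, or a named local. The PolicyMap constructor continues outside the hunk.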
@@ -97,11 +95,11 @@ static bool load_config(lua_State* L, const char* file, const char* tweaks, bool return true; } -static void load_overrides(lua_State* L, string& s) +static void load_string(lua_State* L, const char* s) { Lua::ManageStack ms(L); - if ( luaL_loadstring(L, s.c_str()) ) + if ( luaL_loadstring(L, s) ) { const char* err = lua_tostring(L, -1); if ( strstr(err, "near '#'") ) @@ -120,10 +118,9 @@ static void run_config(lua_State* L, const char* t) lua_getglobal(L, "snort_config"); lua_getglobal(L, t); - if ( !lua_isfunction(L, -2) ) - FatalError("%s\n", "snort_config is required"); + assert(lua_isfunction(L, -2)); - else if ( lua_pcall(L, 1, 1, 0) ) + if ( lua_pcall(L, 1, 1, 0) ) { const char* err = lua_tostring(L, -1); FatalError("%s\n", err); @@ -138,7 +135,7 @@ static bool config_lua( return false; if ( !s.empty() ) - load_overrides(L, s); + load_string(L, s.c_str()); run_config(L, "_G"); @@ -149,7 +146,7 @@ static bool config_lua( // public methods //------------------------------------------------------------------------- -Shell::Shell(const char* s) +Shell::Shell(const char* s, bool load_defaults) { // FIXIT-M should wrap in Lua::State lua = luaL_newstate(); @@ -167,6 +164,11 @@ Shell::Shell(const char* s) set_file(s); loaded = false; + + load_string(lua, ModuleManager::get_lua_bootstrap()); + + if ( load_defaults ) + load_string(lua, ModuleManager::get_lua_coreinit()); } Shell::~Shell() @@ -189,9 +191,6 @@ void Shell::set_file(const char* s) void Shell::set_overrides(const char* s) { - if ( overrides.empty() ) - overrides = required; - overrides += s; } diff --git a/src/main/shell.h b/src/main/shell.h index 5808eff87..039d27257 100644 --- a/src/main/shell.h +++ b/src/main/shell.h @@ -34,7 +34,7 @@ struct SnortConfig; class Shell { public: - Shell(const char* file = nullptr); + Shell(const char* file = nullptr, bool load_defaults = false); ~Shell(); void set_file(const char*); 
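Review bot: Replacing the FatalError in run_config with `assert(lua_isfunction(L, -2));` turns a user-reachable condition into a debug-only check. The bootstrap chunk defines the `snort_config` global in the Shell constructor, but the user's config file is loaded into the same state afterwards (config_lua above) and can reassign or nil that global, so in an NDEBUG build lua_pcall presumably fails with Lua's generic "attempt to call" text instead of the clear message the old code gave. Keep an explicit check, e.g. `if ( !lua_isfunction(L, -2) ) FatalError("snort_config is not a function; was it overwritten by the config?\n");`, and confirm `<cassert>` is included in shell.cc, which the hunk does not show. run_config's body begins outside the hunk, and the Shell constructor's new load_string calls also depend on load_string's error tail, which ends outside the hunk.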
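Review bot: The new `load_defaults` parameter in shell.h is undocumented, and the constructor stays non-explicit, so `Shell s = "snort.lua";` still compiles. Suggest `explicit Shell(const char* file = nullptr, bool load_defaults = false);` with a comment above it: `// load_defaults: also run the builtin coreinit chunk (pre-creates the always-on module tables) at construction; the bootstrap chunk defining snort_config is always loaded`. Whether the user file is loaded later and thus after both chunks is inferred from set_file() only storing the name; confirm and state it in the same comment. The class body continues outside the hunk.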
diff --git a/src/main/snort.cc b/src/main/snort.cc index 7942a207e..c07e01a62 100644 --- a/src/main/snort.cc +++ b/src/main/snort.cc @@ -304,7 +304,7 @@ void Snort::init(int argc, char** argv) EventManager::instantiate(sc->output.c_str(), sc); if (SnortConfig::alert_before_pass()) - sc->rule_order = "drop sdrop reject alert pass log"; + sc->rule_order = "reset block drop alert pass log"; sc->setup(); FileService::post_init(); diff --git a/src/main/snort_module.cc b/src/main/snort_module.cc index 83d5b1219..617d062a6 100644 --- a/src/main/snort_module.cc +++ b/src/main/snort_module.cc @@ -284,8 +284,7 @@ static const Parameter s_params[] = "0 gets the number of CPU cores reported by the system; default is 1" }, { "--alert-before-pass", Parameter::PT_IMPLIED, nullptr, nullptr, - "process alert, drop, sdrop, or reject before pass; " - "default is pass before alert, drop,..." }, + "evaluate alert rules before pass rules; default is pass rules first" }, { "--bpf", Parameter::PT_STRING, nullptr, nullptr, " are standard BPF options, as seen in TCPDump" }, @@ -499,10 +498,10 @@ static const Parameter s_params[] = "enable Talos inline rule test mode (same as --tweaks talos -Q -q)", }, { "--treat-drop-as-alert", Parameter::PT_IMPLIED, nullptr, nullptr, - "converts drop, sdrop, and reject rules into alert rules during startup" }, + "converts drop, block, and reset rules into alert rules when loaded" }, { "--treat-drop-as-ignore", Parameter::PT_IMPLIED, nullptr, nullptr, - "use drop, sdrop, and reject rules to ignore session traffic when not inline" }, + "use drop, block, and reset rules to ignore session traffic when not inline" }, { "--tweaks", Parameter::PT_STRING, nullptr, nullptr, "tune configuration" }, diff --git a/src/managers/CMakeLists.txt b/src/managers/CMakeLists.txt index 6f158871f..358472e2b 100644 --- a/src/managers/CMakeLists.txt +++ b/src/managers/CMakeLists.txt 
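Review bot: The `--alert-before-pass` order `"reset block drop alert pass log"` in snort.cc and the `alerts.order` default `"pass reset block drop alert log"` in modules.cc are two hand-maintained literals that must name exactly the same action set; the old pair had already drifted (`drop sdrop reject` versus `pass drop alert log`), and an action missing from one list would presumably change event ordering silently. Consider building both strings from one shared action list, or at least cross-reference them: `// keep in sync with the alerts.order default in modules.cc`. Snort::init continues outside the hunk.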
@@ -1,7 +1,15 @@ set (LUA_INCLUDES - snort_config.lua + # required 'header' ${CMAKE_CURRENT_BINARY_DIR}/snort_plugin.lua + # deprecated dependency to be removed with RC + ${CMAKE_CURRENT_BINARY_DIR}/snort_config.lua +) + +set (CPP_INCLUDES + ${CMAKE_CURRENT_BINARY_DIR}/lua_plugffi.h + ${CMAKE_CURRENT_BINARY_DIR}/lua_bootstrap.h + ${CMAKE_CURRENT_BINARY_DIR}/lua_coreinit.h ) set( MANAGERS_INCLUDES @@ -11,6 +19,7 @@ set( MANAGERS_INCLUDES add_library( managers OBJECT ${MANAGERS_INCLUDES} + ${CPP_INCLUDES} action_manager.h action_manager.cc codec_manager.cc 
@@ -34,20 +43,31 @@ add_library( managers OBJECT connector_manager.h ) -install (FILES ${MANAGERS_INCLUDES} - DESTINATION "${INCLUDE_INSTALL_PATH}/managers" +add_custom_command ( + OUTPUT lua_plugffi.h snort_plugin.lua + COMMAND ${CMAKE_CURRENT_SOURCE_DIR}/ffi_wrap.sh ${CMAKE_CURRENT_SOURCE_DIR}/lua_plugin_defs.h > plugffi.lua + COMMAND ${CMAKE_CURRENT_SOURCE_DIR}/lua_wrap.sh ${CMAKE_CURRENT_SOURCE_DIR} plugffi > lua_plugffi.h + COMMAND ${CMAKE_COMMAND} -E copy ${CMAKE_CURRENT_BINARY_DIR}/plugffi.lua ${CMAKE_CURRENT_BINARY_DIR}/snort_plugin.lua +) + +add_custom_command ( + OUTPUT lua_bootstrap.h snort_config.lua + COMMAND ${CMAKE_CURRENT_SOURCE_DIR}/lua_wrap.sh ${CMAKE_CURRENT_SOURCE_DIR} bootstrap > lua_bootstrap.h + COMMAND ${CMAKE_COMMAND} -E copy ${CMAKE_CURRENT_SOURCE_DIR}/bootstrap.lua ${CMAKE_CURRENT_BINARY_DIR}/snort_config.lua ) add_custom_command ( - OUTPUT snort_plugin.lua - COMMAND ${CMAKE_CURRENT_SOURCE_DIR}/ffi_wrap.sh ${CMAKE_CURRENT_SOURCE_DIR}/lua_plugin_defs.h > snort_plugin.lua + OUTPUT lua_coreinit.h + COMMAND ${CMAKE_CURRENT_SOURCE_DIR}/lua_wrap.sh ${CMAKE_CURRENT_SOURCE_DIR} coreinit > lua_coreinit.h ) -add_custom_target ( snort_plugin DEPENDS snort_plugin.lua ) +include_directories (${CMAKE_CURRENT_BINARY_DIR}) -# FIXIT-L probably not the ideal way to ensure this gets built -add_dependencies ( managers snort_plugin ) +install (FILES ${MANAGERS_INCLUDES} + DESTINATION "${INCLUDE_INSTALL_PATH}/managers" +) install (FILES ${LUA_INCLUDES} DESTINATION "${INCLUDE_INSTALL_PATH}/lua" ) + diff --git a/src/managers/snort_config.lua b/src/managers/bootstrap.lua similarity index 100% rename from src/managers/snort_config.lua rename to src/managers/bootstrap.lua diff --git a/src/managers/coreinit.lua b/src/managers/coreinit.lua new file mode 100644 index 000000000..3fb0dc573 --- /dev/null +++ b/src/managers/coreinit.lua 
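Review bot: None of the three add_custom_command calls has a DEPENDS clause, so CMake reruns them only when the OUTPUT is missing: editing bootstrap.lua, coreinit.lua, lua_plugin_defs.h or either wrapper script does not regenerate lua_bootstrap.h/lua_coreinit.h/lua_plugffi.h, and the binary keeps the stale embedded Lua. The second COMMAND of the first block also runs `lua_wrap.sh ${CMAKE_CURRENT_SOURCE_DIR} plugffi`, i.e. reads `${CMAKE_CURRENT_SOURCE_DIR}/plugffi.lua`, while plugffi.lua is written to the working directory, which defaults to the binary dir, so in an out-of-source build that path does not exist and, because lua_wrap.sh does not fail on a cat error, lua_plugffi.h is generated with an empty literal; the copy step on the next line already uses the binary dir. Add DEPENDS to each command and point the plugffi wrap at the binary dir; `include_directories` could also become `target_include_directories(managers PRIVATE ${CMAKE_CURRENT_BINARY_DIR})` so the generated-header path does not leak into sibling directories.
```cmake
add_custom_command (
    OUTPUT lua_plugffi.h snort_plugin.lua
    COMMAND ${CMAKE_CURRENT_SOURCE_DIR}/ffi_wrap.sh ${CMAKE_CURRENT_SOURCE_DIR}/lua_plugin_defs.h > plugffi.lua
    COMMAND ${CMAKE_CURRENT_SOURCE_DIR}/lua_wrap.sh ${CMAKE_CURRENT_BINARY_DIR} plugffi > lua_plugffi.h
    COMMAND ${CMAKE_COMMAND} -E copy ${CMAKE_CURRENT_BINARY_DIR}/plugffi.lua ${CMAKE_CURRENT_BINARY_DIR}/snort_plugin.lua
    DEPENDS ffi_wrap.sh lua_wrap.sh lua_plugin_defs.h
)

add_custom_command (
    OUTPUT lua_bootstrap.h snort_config.lua
    # … unchanged: the two COMMAND lines …
    DEPENDS lua_wrap.sh bootstrap.lua
)

add_custom_command (
    OUTPUT lua_coreinit.h
    # … unchanged: the COMMAND line …
    DEPENDS lua_wrap.sh coreinit.lua
)

target_include_directories (managers PRIVATE ${CMAKE_CURRENT_BINARY_DIR})
# … unchanged: install(FILES ...) blocks …
```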
@@ -0,0 +1,67 @@ +--------------------------------------------------------------------------- +-- Copyright (C) 2019-2019 Cisco and/or its affiliates. All rights reserved. +-- +-- This program is free software; you can redistribute it and/or modify it +-- under the terms of the GNU General Public License Version 2 as published +-- by the Free Software Foundation. You may not use, modify or distribute +-- this program under any other version of the GNU General Public License. +-- +-- This program is distributed in the hope that it will be useful, but +-- WITHOUT ANY WARRANTY; without even the implied warranty of +-- MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU +-- General Public License for more details. +-- +-- You should have received a copy of the GNU General Public License along +-- with this program; if not, write to the Free Software Foundation, Inc., +-- 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. +--------------------------------------------------------------------------- +-- builtin_defaults.lua author Russ Combs + +--------------------------------------------------------------------------- +-- Snort uses this to configure Lua settings into C++ +--------------------------------------------------------------------------- + +-- builtin modules are included to always set defaults via parameters instead +-- of putting defaults in two places +-- these are loaded first and will get overridden if configured by the user +-- these modules are virtually always in play + +active = { } +alerts = { } +daq = { } +decode = { } +host_cache = { } +host_tracker = { } +hosts = { } +network = { } +output = { } +packets = { } +process = { } +search_engine = { } + +-- exceptions: + +--[[ +attribute_table = { } -- opt in only +classifications = { } -- pure list +detection = { } -- policy specific +event_filter = { } -- pure list +event_queue = { } -- pure list +file_id = { } -- opt in +high_availability = { } -- opt in +inspection = { } -- 
policy specific +ips = { } -- policy specific +latency = { } -- don't activate +memory = { } -- opt in +packet_tracer = { } -- opt in +perf_monitor = { } -- opt in +port_scan = { } -- opt in +profiler = { } -- don't activate +rate_filter = { } -- pure list +references = { } -- pure list +rule_state = { } -- pure list +side_channel = { } -- leaks! +snort = { } -- command line only +suppress = { } -- pure list +--]] + diff --git a/src/managers/lua_wrap.sh b/src/managers/lua_wrap.sh new file mode 100755 index 000000000..b08751607 --- /dev/null +++ b/src/managers/lua_wrap.sh @@ -0,0 +1,9 @@ +#!/bin/sh + +src=$1/$2.lua +tag=$2 + +echo "static const char* lua_$tag = R\"[$tag](" +cat $src +echo ")[$tag]\";" + diff --git a/src/managers/module_manager.cc b/src/managers/module_manager.cc index a040c1501..f6becc88f 100644 --- a/src/managers/module_manager.cc +++ b/src/managers/module_manager.cc @@ -49,6 +49,10 @@ #include "plugin_manager.h" +// "Lua" includes +#include "lua_bootstrap.h" +#include "lua_coreinit.h" + using namespace snort; using namespace std; @@ -91,6 +95,16 @@ extern "C" bool set_alias(const char* from, const char* to); } +//------------------------------------------------------------------------- +// boot foo +//------------------------------------------------------------------------- + +const char* ModuleManager::get_lua_bootstrap() +{ return lua_bootstrap; } + +const char* ModuleManager::get_lua_coreinit() +{ return lua_coreinit; } + //------------------------------------------------------------------------- // ModHook foo //------------------------------------------------------------------------- diff --git a/src/managers/module_manager.h b/src/managers/module_manager.h index 345736e77..0ab619822 100644 --- a/src/managers/module_manager.h +++ b/src/managers/module_manager.h 
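Review bot: In coreinit.lua the line `+of putting defaults in two places` has no `--` prefix as rendered, while the comment lines around it do; if that is the file's actual content rather than a rendering artifact, the chunk is a Lua syntax error and every Shell constructed with load_defaults (the PolicyMap default shell) fails at startup, so it should read `-- of putting defaults in two places`. The header comment also names the file `builtin_defaults.lua` although it is committed as coreinit.lua; change it to `-- coreinit.lua author Russ Combs`. A short comment stating that this chunk is embedded by lua_wrap.sh and run by Shell before the user's config would tell a maintainer why editing it requires a rebuild.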
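Review bot: lua_wrap.sh exits with the status of its last `echo`, so if `$src` is missing or unreadable `cat` prints an error but the build step still succeeds and the generated header holds an empty raw string, which presumably only surfaces later as a Lua state with no `snort_config` function. Add `set -eu` after the shebang and quote the expansions: `src="$1/$2.lua"` and `cat "$src"`. The generated header has no include guard, so emitting `echo "#pragma once"` first is cheap insurance, and the raw-string delimiter `[$tag]` means the wrapped Lua must never contain `)[$tag]"`, which deserves a comment in the script.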
@@ -51,6 +51,9 @@ public: static const char* get_current_module(); SO_PUBLIC static std::list get_all_modules(); + static const char* get_lua_bootstrap(); + static const char* get_lua_coreinit(); + static void list_modules(const char* = nullptr); static void dump_modules(); static void show_modules(); diff --git a/src/parser/parser.cc b/src/parser/parser.cc index 1c3c97dda..dae7d837c 100644 --- a/src/parser/parser.cc +++ b/src/parser/parser.cc @@ -37,6 +37,7 @@ #include "hash/xhash.h" #include "helpers/directory.h" #include "log/messages.h" +#include "main/modules.h" #include "main/shell.h" #include "main/snort_config.h" #include "managers/event_manager.h" diff --git a/tools/snort2lua/helpers/converter.cc b/tools/snort2lua/helpers/converter.cc index 67b4c51c3..dae28e8a8 100644 --- a/tools/snort2lua/helpers/converter.cc +++ b/tools/snort2lua/helpers/converter.cc @@ -273,7 +273,8 @@ int Converter::parse_file( } std::string gid = rule_api.get_option("gid"); - if (0 == gid.compare(GID_REPUTATION) && 0 == rule_api.get_rule_old_action().compare("sdrop")) + if (0 == gid.compare(GID_REPUTATION) && 0 == + rule_api.get_rule_old_action().compare("sdrop")) { std::string sid = rule_api.get_option("sid"); table_api.open_table("suppress"); @@ -492,13 +493,9 @@ int Converter::convert( out << "-- make install\n"; out << "--\n"; out << "-- then:\n"; - out << "-- export LUA_PATH=$DIR/include/snort/lua/?.lua\\;\\;\n"; out << "-- export SNORT_LUA_PATH=$DIR/conf/\n"; out << "---------------------------------------------------------------------------\n"; out << "\n"; - out << "\n"; - out << "\n"; - out << "require(\"snort_config\")\n\n"; out << "dir = os.getenv('SNORT_LUA_PATH')\n"; out << "\n"; out << "if ( not dir ) then\n"; @@ -507,7 +504,6 @@ int Converter::convert( out << "\n"; out << "dofile(dir .. '/snort_defaults.lua')\n"; out << "\n"; - out << "\n"; data_api.print_data(out); if (!rule_api.empty())
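Review bot: `get_lua_bootstrap()` and `get_lua_coreinit()` are added to module_manager.h without a comment, and nothing in the header says the returned pointers are C++-embedded Lua source with static lifetime (the generated headers define them as `static const char*` string literals, so they are never null). Suggest above the pair: `// Lua source built into the binary (see lua_wrap.sh): bootstrap defines snort_config and is loaded into every Shell; coreinit pre-creates the always-on module tables and is loaded only when Shell is built with load_defaults`. The same note applies to the definitions in module_manager.cc, whose "boot foo" banner says nothing about lifetime or purpose.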