#!/bin/sh
# SPDX-License-Identifier: GPL-2.0
# shellcheck disable=SC2039,SC2155 # "local" not defined in POSIX sh
-PROG="/usr/bin/snort"
+PROG="$(command -v snort)"
MAIN="/usr/share/snort/main.uc"
-CONF_DIR="/var/snort.d"
+CONF_DIR=$(uci -q get snort.snort.temp_dir || echo "/var/snort.d")
CONF="${CONF_DIR}/snort_conf.lua"
-VERBOSE=
+ACTION="usage" # Show help by default.
+VERBOSE=false
+QUIET=false
TESTING=
+TABLE=
NLINES=0
+DATE_SPEC=
+PATTERN=
-[ ! -e "$CONF_DIR" ] && mkdir "$CONF_DIR"
+[ ! -e "$CONF_DIR" ] && mkdir -p "$CONF_DIR"
[ -e /dev/stdin ] && STDIN=/dev/stdin || STDIN=/proc/self/fd/0
[ -e /dev/stdout ] && STDOUT=/dev/stdout || STDOUT=/proc/self/fd/1
[ -t 2 ] && export TTY=1
die() {
- [ -n "$QUIET" ] || echo "$@" >&2
+ $QUIET || echo "$@" >&2
exit 1
}
nft_add_table() {
if [ "$(uci -q get snort.snort.method)" = "nfq" ]; then
- print nftables | nft $VERBOSE -f $STDIN
- [ -n "$VERBOSE" ] && nft list table inet snort
+ local options
+ $VERBOSE && options='-e'
+ print nftables | nft $options -f $STDIN
+ $VERBOSE && nft list table inet snort
fi
}
[ -e "$CONF" ] && rm "$CONF"
}
+resetup() {
+ QUIET=true check || die "The generated snort lua configuration contains errors, not restarting. Run 'snort-mgr check'"
+ teardown
+ setup
+}
+
update_rules() {
/usr/bin/snort-rules $TESTING
}
print() {
- # '$1' is file type to generate, one of:
- # config, snort or nftables
- TYPE=$1 utpl -S "$MAIN"
+ # '$1' is optional file type to generate, one of:
+ # config, snort, nftables or help
+ local table="${1:-$TABLE}"
+ utpl -D TYPE="$table" -D QUIET=$QUIET -S "$MAIN"
}
check() {
local manual=$(uci get snort.snort.manual)
[ "$manual" = 1 ] && return 0
- [ -n "$QUIET" ] && OUT=/dev/null || OUT=$STDOUT
+ $QUIET && OUT=/dev/null || OUT=$STDOUT
local warn no_rules
- if [ -n "$VERBOSE" ]; then
+ if $VERBOSE; then
warn='--warn-all'
no_rules=0
else
fi
local test_conf="${CONF_DIR}/test_conf.lua"
- _SNORT_WITHOUT_RULES="$no_rules" print snort > "${test_conf}" || die "Errors during generation of snort config."
+ _SNORT_WITHOUT_RULES="$no_rules" print snort > "${test_conf}" || die "Errors during generation of snort config"
if $PROG -T $warn -c "${test_conf}" 2> $OUT ; then
rm "${test_conf}"
else
- die "Errors in snort config tests. Examine ${test_conf} for issues."
+ die "Errors in snort config tests. Examine ${test_conf} for issues"
fi
if [ "$(uci -q get snort.snort.method)" = "nfq" ]; then
+ local options
local test_nft="${CONF_DIR}/test_conf.nft"
- print nftables > "${test_nft}" || die "Errors during generation of nftables config."
- if nft $VERBOSE --check -f "${test_nft}" ; then
+ print nftables > "${test_nft}" || die "Errors during generation of nftables config"
+ $VERBOSE && options='-e'
+ if nft $options --check -f "${test_nft}" ; then
rm "${test_nft}"
else
- die "Errors in nftables config tests. Examine ${test_nft} for issues."
+ die "Errors in nftables config tests. Examine ${test_nft} for issues"
fi
fi
}
+_filter_by_date() {
+ # Grab all the alert_json files in the log directory, scan them
+ # for matching timestamps and return those lines that match.
+ local log_dir="$1"
+
+ local operator date
+ case "$DATE_SPEC" in
+ ('') operator='>' ; date='' ;;
+ (-*) operator='<' ; date="${DATE_SPEC:1}" ;;
+ (+*) operator='>' ; date="${DATE_SPEC:1}" ;;
+ (today) operator='>' ; date=$(date +'%y/%m/%d-') ;;
+ (*) die "Invalid date specification '${DATE_SPEC}', did you forget the +/- prefix?" ;;
+ esac
+
+ # We need to create a single json array because 'jsonfilter -a' is
+ # severely broken.
+ awk '
+ BEGIN { print "[" }
+ { print $0"," }
+ END { print "{}]" }
+ ' "${log_dir}"/*alert_json.txt \
+ | jsonfilter -e '$[@.timestamp '${operator}' "'"${date}"'"]'
+}
+
report() {
- # Reported IPs have source port stripped, but destination port (if any)
- # retained.
- #
- # json notes
- # from alert_fast:
- # 08/30-11:39:57.639021 [**] [1:382:11] "PROTOCOL-ICMP PING Windows" [**] [Classification: Misc activity] [Priority: 3] {ICMP} 10.1.1.186 -> 10.1.1.20
- #
- # same event in alert_json (single line broken for clarity):
- # { "timestamp" : "08/30-11:39:57.639021", "pkt_num" : 5366, "proto" : "ICMP", "pkt_gen" : "raw",
- # "pkt_len" : 60, "dir" : "C2S", "src_ap" : "10.1.1.186:0", "dst_ap" : "10.1.1.20:0",
- # "rule" : "1:382:11", "action" : "allow" }
- #
- # Second part of "rule", 382, is "sid" in ruleset, suffixing 11 is "rev".
- # grep '\bsid:382\b' /etc/snort/rules/snort.rules (again, single line broken for clarity):
- # alert icmp $EXTERNAL_NET any -> $HOME_NET any ( msg:"PROTOCOL-ICMP PING Windows";
- # itype:8; content:"abcdefghijklmnop",depth 16; metadata:ruleset community;
- # classtype:misc-activity; sid:382; rev:11; )
- #
- # Not sure where the prefixing 1 comes from.
+ # Reported IPs have random source port stripped, but destination port
+ # (if any) retained.
+
+ local SORT="$(command -v sort)"
+ if [ ! -x "${SORT}" ] || ! "${SORT}" --version 2> /dev/null | grep -q "coreutils"; then
+ die "'snort-mgr report' requires coreutils-sort package"
+ fi
local logging=$(uci get snort.snort.logging)
local log_dir=$(uci get snort.snort.log_dir)
- local pattern="$1"
if [ "$logging" = 0 ]; then
- die "Logging is not enabled in snort config."
+ die "Logging is not enabled in snort config"
fi
+ #-- Collect the inputs --
+ local msg src srcP dst dstP dir gid sid
+ local tmp=$(mktemp -t snort.rep.XXXXXX)
+ _filter_by_date "${log_dir}" | while read -r line; do
+ unset -v src dst srcP dstP
+ eval "$(jsonfilter -s "$line" \
+ -e 'msg=$.msg' \
+ -e 'src=$.src_addr' \
+ -e 'dst=$.dst_addr' \
+ -e 'srcP=$.src_port' \
+ -e 'dstP=$.dst_port' \
+ -e 'dir=$.dir' \
+ -e 'gid=$.gid' \
+ -e 'sid=$.sid')"
+
+ # Append the port to the IP, but only if it's meaningful.
+ [ "$dir" = 'C2S' ] && [ -n "$dstP" ] && dst="${dst}(${dstP})"
+ [ "$dir" = 'S2C' ] && [ -n "$srcP" ] && src="${src}(${srcP})"
+
+ echo "$msg#$src#$dst#$dir#$gid#$sid"
+ done | grep -iE "$PATTERN" > "$tmp"
+
+ #-- Generate output --
+ local output
[ "$NLINES" = 0 ] && output="cat" || output="head -n $NLINES"
- local msg src dst dir
- tmp="/tmp/snort.report.$$"
- for file in "${log_dir}"/*alert_json.txt; do
- while read -r line; do
- eval $(jsonfilter -s "$line" -e 'msg=$.msg' -e 'src=$.src_ap' -e 'dst=$.dst_ap' -e 'dir=$.dir')
- src=$(echo "$src" | sed 's/:.*$//') # Delete all source ports.
- dst=$(echo "$dst" | sed 's/:0$//') # Delete unspecified dest port.
- echo "$msg#$src#$dst#$dir"
- done < "$file"
- done | grep -i "$pattern" > "$tmp"
-
- echo "Events involving ${pattern:-all IPs}"
- n_incidents="$(wc -l < $tmp)"
- lines=$(sort "$tmp" | uniq -c | sort -nr \
- | awk -F'#' '{printf "%-80s %s %-13s -> %s\n", $1, $4, $2, $3}')
- echo "$lines" | $output
- n_lines=$(echo "$lines" | wc -l)
- [ "$NLINES" -gt 0 ] && [ "$NLINES" -lt "$n_lines" ] && echo " ... Only showing $NLINES of $n_lines most frequent incidents."
- printf "%7d total incidents\n" "$n_incidents"
+ local lines=$($SORT "$tmp" | uniq -c | $SORT -nr | $output)
rm "$tmp"
+ if [ -z "$lines" ]; then
+ echo -n "There were no incidents "
+ [ -z "$PATTERN" ] && echo "reported." || echo "matching pattern '$PATTERN'."
+ return
+ fi
+
+ local n_total=$(cat "${log_dir}"/*alert_json.txt | wc -l)
+ local n_incidents=$(echo "$lines" | awk '{total += $1} END {print total}')
+ local mlen=$(echo "$lines" | awk -F'#' '{print $1}' | wc -L)
+ local slen=$(echo "$lines" | awk -F'#' '{print $2}' | wc -L)
+
+ echo "Events involving ${PATTERN:-all IPs} - $(date -Is)"
+ printf "%-*s %3s %5s %-3s %-*s %s\n" "$mlen" " Count Message" "gid" "sid" "Dir" "$slen" "Source" "Destination"
+ echo "$lines" | awk -F'#' '{printf "%-'"$mlen"'s %3d %5d %s %-'"$slen"'s %s\n", $1, $5, $6, $4, $2, $3}'
+
+ printf "%7d incidents shown of %d logged\n" "$n_incidents" "$n_total"
+
+ #-- Lookup rules and references, if requested. --
+ if $VERBOSE; then
+ local rules_dir="$(uci get snort.snort.config_dir)/rules"
+ local usids="$(echo "$lines" | awk -F'#' '{print $5 "#" $6}' | $SORT -u | $SORT -t'#' -k1n -k2n)"
+ local nsids="$(echo "$usids" | wc -w)"
+
+ echo ''
+ echo "$nsids unique rules triggered:"
+ local rule
+ local i=1
+ for sid in $usids; do
+ eval "$(echo "$sid" | awk -F'#' '{printf "export gid=%s;export sid=%s", $1, $2}')"
+ printf "%3d - gid=%3d sid=%5d " "$i" "$gid" "$sid"
+ rule=$(grep -Hn "\bsid:${sid};" "$rules_dir"/*.rules)
+ if [ "$gid" -ne 1 ] && echo "$rule" | grep -qv "\bgid:${gid};"; then
+ # Many rules have gid implicitly '1', zero any that are not
+ # explicit when expecting non-'1'.
+ rule=""
+ fi
+ if [ -n "$rule" ]; then
+ echo "$rule" | cut -c -120
+ else
+ rule=$($PROG --list-builtin | grep "^${gid}:${sid}\b")
+ if [ -n "$rule" ]; then
+ echo "BUILTIN: ${rule}"
+ fi
+ fi
+ i=$((i + 1))
+ done
+ echo ""
+ echo "Per-rule details may be viewed by specifying the appropriate gid and sid, e.g.:"
+ echo " https://www.snort.org/rule-docs/$gid-$sid"
+
+ # Look up the names of the IPs shown in report.
+ # Note, on my dev box, nslookup fires rule 1:14777, so you get lots
+ # of incidents if not suppressed.
+ echo ''
+ echo 'Hosts by name:'
+ local IP
+ local peerdns=$(ifstatus wan | jsonfilter -e '$["dns-server"][0]')
+ echo "$lines" | awk -F'#' '{printf "%s\n%s\n", $2, $3}' | sed 's/(.*//' | sort -u \
+ | while read -r IP; do
+ [ -z "$IP" ] && continue
+ n=$(nslookup "$IP" | awk '/name = / {n=$NF} END{print n}')
+ [ -z "$n" ] && [ -n "$peerdns" ] && n=$(nslookup "$IP" "$peerdns" | awk '/name = / {n=$NF} END{print n}')
+ [ -z "$n" ] && n='--unknown host--'
+ printf " %-39s %s\n" "$IP" "$n"
+ done | $SORT -b -k2
+ fi
}
status() {
echo -n 'snort is ' ; service snort status
- ps w | grep -E 'PID|snort' | grep -v grep
+ local mem_total mem_free
+ eval "$(ubus call system info | jsonfilter -e 'mem_total=$.memory.total' -e 'mem_free=$.memory.free')"
+ awk -v mem_total="$mem_total" -v mem_free="$mem_free" 'BEGIN {
+ mem_used = mem_total - mem_free;
+ printf "Total system memory=%.3fM Used=%.3fM (%.1f%%) Free=%.3fM (%.1f%%)\n",
+ mem_total/1024**2,
+ mem_used/1024**2, 100*mem_used/mem_total,
+ mem_free/1024**2, 100*mem_free/mem_total;
+ }'
+ busybox ps w | grep -E "PID|$PROG " | grep -v grep
+
+ if [ "$(uci -q get snort.snort.method)" = "nfq" ]; then
+ nft list table inet snort
+ fi
}
+#-------------------------------------------------------------------------------
-while [ -n "$1" ]; do
- case "$1" in
- -q)
- export QUIET=1
- shift
- ;;
- -v)
- export VERBOSE=-e
- shift
- ;;
- -t)
- TESTING=-t
- shift
- ;;
- -n)
- NLINES="$2"
- shift
- shift
- ;;
- *)
- break
- ;;
- esac
-done
+usage() {
+ local msg="$1"
+ [ -n "$msg" ] && printf "ERROR: %s\n\n" "$msg"
-case "$1" in
- setup)
- setup
- ;;
- teardown)
- teardown
- ;;
- resetup)
- QUIET=1 check || die "The generated snort lua configuration contains errors, not restarting. Run 'snort-mgr check'"
- teardown
- setup
- ;;
- update-rules)
- update_rules
- ;;
- check)
- check
- ;;
- print)
- print "$2"
- ;;
- report)
- report "$2"
- ;;
- status)
- status
- ;;
- *)
- cat <<USAGE
+ cat <<USAGE
Usage:
- -n = show only NLINES of output
- -q = quiet
- -v = verbose
- -t = testing mode
-
- $0 [-v] [-q] setup|teardown|resetup
+ $0 setup|teardown|resetup [-v/--verbose] [-q/--quiet]
Normally only used internally by init scripts to manage the generation
of configuration files and any needed firewall rules. None of these
resetup = shorthand for teardown and then setup.
- $0 [-n lines] report [pattern]
+ $0 report [-v/--verbose] [-n/--n-lines N] [-d/--date-spec D] [-p/--pattern P]
Report on incidents. Note this is somewhat experimental, so suggested
- improvements are quite welcome.
+ improvements are quite welcome. Reported Source and Destination are of
+ the form "ip(port)", with zero and random source ports stripped.
+ -v = Show the rules that were triggered, after report table.
+ -n N = Show only the N highest frequency incidents.
+ -d D = Filter entries by date specification in D.
+ -p P = Grep pattern to filter incidents, applied to all outputs.
pattern = A case-insensitive grep pattern used to filter output.
- $0 [-t] update-rules
+ The date specification for '-d' can be either literal 'today'
+ or a snort-formatted date prefixed by '-' or '+', meaning 'before'
+ and 'after', respectively. Snort date reporting has the format
+ 'YY/MM/DD-hh:mm:ss.ssssss', and you can use any prefix as a date.
+ For example,
+ > snort-mgr --date-spec +23/12/20-09 report
+ will process all incidents from from 2023-12-20 at 0900 and later.
+
+
+ $0 update-rules [-t/--testing]
- Download and install the snort ruleset. Testing mode generates a canned
- rule that matches IPv4 ping requests. A typical test scenario might look
- like:
+ Download and install the snort ruleset.
+ -t = Generate a test-only ruleset, don't download anything.
+
+ Testing mode generates a canned rule that matches IPv4 ping requests.
+ A typical test scenario might look like:
> snort-mgr -t update-rules
> /etc/init.d/snort start
> ping -c4 8.8.8.8
- > logread -e "TEST ALERT"
+ > snort-mgr report
- $0 print config|snort|nftables
+ $0 print config|snort|nftables|help
- Print the rendered file contents.
- config = Display contents of /etc/config/snort, but with all values and
- descriptions. Missing values shown with defaults.
- snort = The snort configuration file, which is a lua script.
- nftables = The nftables script used to define the input queues when using
- the 'nfq' DAQ.
- help = Display config file help.
+ Print the rendered file contents. Table types are:
+ config - Display contents of /etc/config/snort, but with all values and
+ descriptions. Missing entries rendered with defaults.
+ snort - The top-level snort configuration lua script, with includes.
+ nftables - The nftables script used to define the input queues when using
+ the 'nfq' DAQ, with any included content.
+ help - Display config file help.
- $0 [-q] check
+ $0 check [-q/--quiet]
Test the rendered config using snort's check mode without
applying it to the running system.
$0 status
- Print the nfq counter values and blah blah blah
+ Print the service status, system memory use and if nfq is the current daq,
+ then the nftables with counter values and so on.
USAGE
- ;;
-esac
+ exit 1
+}
+
+while [ -n "$1" ]; do
+ case "$1" in
+ -h|--help)
+ usage
+ ;;
+ -q|--quiet)
+ QUIET=true
+ ;;
+ -v|--verbose)
+ VERBOSE=true
+ ;;
+ -t|--testing)
+ TESTING=-t
+ ;;
+ -n|--n-lines)
+ [ -z "$2" ] && usage "'--n-lines' requires a value"
+ NLINES="$2"
+ shift
+ ;;
+ -d|--date-spec)
+ [ -z "$2" ] && usage "'--date-spec' requires a value"
+ DATE_SPEC="$2"
+ shift
+ ;;
+ -p|--pattern)
+ [ -z "$2" ] && usage "'--pattern' requires a value"
+ PATTERN="$2"
+ shift
+ ;;
+ print)
+ [ -z "$2" ] && usage "'print' requires a table type"
+ ACTION="$1"
+ TABLE="$2"
+ shift
+ ;;
+ setup|teardown|resetup|update-rules|check|report|status)
+ ACTION="$1"
+ ;;
+ *)
+ usage "'$1' is not a valid command or option"
+ ;;
+ esac
+ shift
+done
+
+[ -n "$ACTION" ] && eval "$ACTION"
#!/bin/sh
# SPDX-License-Identifier: GPL-2.0
-# shellcheck disable=SC2039 # "local" not defined in POSIX sh
+# shellcheck disable=SC2039,SC2155 # "local" not defined in POSIX sh
alias log='logger -s -t "snort-rules[$$]" -p "info"'
-[ "$1" = "-t" ] && testing=true || testing=false
-
download_rules() {
# Further information:
# https://www.snort.org/products#rule_subscriptions
#
# Also, what to do about "subscription" vs Talos_LightSPD rules when subbed?
# Add a "use_rules" list or option or something?
- oinkcode=$(uci -q get snort.snort.oinkcode)
-
-
+ local oinkcode=$(uci -q get snort.snort.oinkcode)
local conf_dir=$(uci -q get snort.snort.config_dir || echo "/etc/snort")
- local rules_file="$conf_dir/rules/snort.rules"
+ local rules_dir="$conf_dir/rules"
local data_dir=$(uci -q get snort.snort.temp_dir || echo "/var/snort.d")
local data_tar="$data_dir/rules.tar.gz"
+ local new_rules
+ local rules_file
+ local archive_loc
+
# Make sure everything exists.
[ -d "$data_dir" ] || mkdir -p "$data_dir"
-
if $testing ; then
log "Generating testing rules..."
- new_rules="$data_dir/testing.rules"
- rm -f "$new_rules"
- echo 'alert icmp any any <> any any (msg:"TEST ALERT ICMP v4"; icode:0; itype: 8; sid:10000010; rev:001;)' >> "$new_rules"
- #echo 'alert icmp any any <> any any (msg:"TEST ALERT ICMP v6"; icode:0; itype:33; sid:10000011; rev:001;)' >> "$new_rules"
- #echo 'alert icmp any any <> any any (msg:"TEST ALERT ICMP v6"; icode:0; itype:34; sid:10000012; rev:001;)' >> "$new_rules"
+ archive_loc="testing-rules"
+ new_rules="$data_dir/$archive_loc"
+ rm -fr "$new_rules"
+ mkdir -p "$new_rules"
+ rules_file="$new_rules/testing.rules"
+ {
+ echo 'alert icmp any any <> any any (msg:"TEST ALERT ICMP v4"; icode:0; itype: 8; sid:99010;)'
+ echo 'alert icmp any any <> any any (msg:"TEST ALERT ICMP v6"; icode:0; itype:33; sid:99011;)'
+ echo 'alert icmp any any <> any any (msg:"TEST ALERT ICMP v6"; icode:0; itype:34; sid:99012;)'
+ } >> "$rules_file"
else
if [ -z "$oinkcode" ]; then
# If you do not have a subscription, then we use the community rules:
log "Downloading community rules..."
url="https://www.snort.org/downloads/community/snort3-community-rules.tar.gz"
+ archive_loc="snort3-community-rules"
else
# If you have a subscription and its corresponding oinkcode, use this:
log "Downloading subscription rules..."
url="https://www.snort.org/rules/snortrules-snapshot-$snortver.tar.gz?oinkcode=$oinkcode"
+ # Non-community tar contains many "*.rules" file, we only care about
+ # the one directory.
+ archive_loc="rules"
fi
wget "$url" -O "$data_tar" 2>&1 | log || exit 1
- # ??? Does non-community tar contain just the one "*.rules" file, too???
- new_rules=$(tar tzf "$data_tar" | grep '\.rules$')
- new_rules="$data_dir/$new_rules"
-
old_rules="$data_dir/old.rules"
- if [ -e "$new_rules" ]; then
- # Before we overwrite with the new download.
- log "Stashing old rules to $old_rules ..."
- mv -f "$new_rules" "$old_rules"
+ if $backup; then
+ rm -fr "$old_rules"
+ mkdir -p "$old_rules"
+
+ for rules_file in "$rules_dir"/*; do
+ # Before we overwrite with the new download.
+ log "Stashing '$rules_file' to '$old_rules/'..."
+ mv -f "$rules_file" "$old_rules/"
+ done
fi
- log "Unpacking $data_tar ..."
- tar xzvf "$data_tar" -C "$data_dir" | log || exit 1
- if [ -e "$old_rules" ] && ! cmp -s "$new_rules" "$old_rules" ; then
- diff "$new_rules" "$old_rules" 2>&1 | log
- fi
+ log "Unpacking '$data_tar'..."
+ tar xzvof "$data_tar" "$archive_loc" -C "$data_dir" | log || exit 1
+
+ # Get rid of the non-rule files and aggregator.
+ new_rules="$data_dir/$archive_loc"
+ find "$new_rules" \( -iname 'includes.rules' -o ! -iname '*.rules' -type f \) -exec rm '{}' \;
+
+ # Old unfinished experiment with diffing old and new rules.
+ #for rules_file in "$new_rules"/*; do
+ #blah blah
+ #if [ -e "$old_rules" ] && ! cmp -s "$new_rules" "$old_rules" ; then
+ # diff "$new_rules" "$old_rules" 2>&1 | log
+ #fi
fi
- rm -f "$rules_file"
- ln -s "$new_rules" "$rules_file"
+
+ mkdir -p "$conf_dir"
+ rm -fr "$rules_dir"
+ if $persist; then
+ mv -f "$new_rules" "$rules_dir"
+ else
+ ln -s "$new_rules" "$rules_dir"
+ fi
log "Snort rules loaded, restart snort now."
}
+
+#-------------------------------------------------------------------------------
+
+testing=false
+persist=false
+backup=false
+
+usage() {
+ local msg="$1"
+ [ -n "$msg" ] && printf "ERROR: %s\n\n" "$msg"
+
+ cat <<USAGE
+Usage:
+
+ $0 [-b/--backup] [-t/--testing] [-p/--persist]
+
+ -b = Attempt to copy current rules to '\$temp_dir/old.rules/' before
+ installing new rules.
+
+ -t = Don't download any rules, instead create synthetic testing rules.
+
+ -p = Move the downloaded rules to '\$conf_dir/rules/' (usually '/etc/snort/'),
+ so that they persist across reboots and sysupgrades. If you do not
+ specify this option, then the rules are stored in '\$temp_dir', and a
+ symbolic link is created to them.
+
+After running 'snort-rules', you should run 'snort-mgr check -v' to verify
+that there are no errors.
+
+USAGE
+ exit 1
+}
+
+while [ -n "$1" ]; do
+ case "$1" in
+ -h|--help)
+ usage
+ ;;
+ -b|--backup)
+ backup=true
+ ;;
+ -t|--testing)
+ testing=true
+ ;;
+ -p|--persist)
+ persist=true
+ ;;
+ *)
+ usage "'$1' is not a valid option"
+ ;;
+ esac
+ shift
+done
+
download_rules
{%
// SPDX-License-Identifier: GPL-2.0
-// Create some snort-format-specific items.
+import { lsdir } from 'fs';
-let home_net = snort.home_net == 'any' ? "'any'" : snort.home_net;
-let external_net = snort.external_net;
+// Create some snort-format-specific items.
let line_mode = snort.mode == "ids" ? "tap" : "inline";
let mod_mode = snort.mode == "ids" ? "passive" : "inline";
-- Do not edit, automatically generated. See /usr/share/snort/templates.
-- These must be defined before processing snort.lua
-HOME_NET = [[ {{ home_net }} ]]
-EXTERNAL_NET = [[ {{ external_net }} ]]
+HOME_NET = [[ {{ snort.home_net }} ]]
+EXTERNAL_NET = [[ {{ snort.external_net }} ]]
include('{{ snort.config_dir }}/snort.lua')
['-Q'] = true,
{% endif %}
['--daq'] = '{{ snort.method }}',
---['--daq-dir'] = '/usr/lib/daq/',
{% if (snort.method == 'nfq'): %}
['--max-packet-threads'] = {{ nfq.thread_count }},
{% endif %}
}
ips = {
+ -- View all options with "snort --help-module ips"
mode = '{{ line_mode }}',
variables = default_variables,
+--enable_builtin_rules=true,
{% if (snort.action != 'default'): %}
action_override = '{{ snort.action }}',
{% endif %}
{% if (getenv("_SNORT_WITHOUT_RULES") == "1"): %}
-- WARNING: THIS IS A TEST-ONLY CONFIGURATION WITHOUT ANY RULES.
{% else %}
- include = '{{ snort.config_dir }}/' .. RULE_PATH .. '/snort.rules',
+ rules = [[
+{%
+ let rules_dir = snort.config_dir + '/rules';
+ for (let rule in lsdir(rules_dir)) {
+ if (wildcard(rule, '*includes.rules', true)) continue;
+ if (wildcard(rule, '*.rules', true)) {
+ printf(` include ${rules_dir}/${rule}\n`);
+ }
+ }
+%}
+ ]],
{% endif -%}
}
daq = {
+ -- View all options with "snort --help-module daq"
inputs = {{ inputs }},
snaplen = {{ snort.snaplen }},
module_dirs = { '/usr/lib/daq/', },
}
}
-alert_syslog = {
- level = 'info',
-}
+-- alert_syslog = { level = 'info', } -- Generate output to syslog.
+alert_syslog = nil -- Disable output to syslog
{% if (int(snort.logging)): %}
-- Note that this is also the location of the PID file, if you use it.
-output.logdir = '{{ snort.log_dir }}'
+output = {
+ -- View all options with "snort --help-module output"
+ logdir = '{{ snort.log_dir }}',
+
+ show_year = true, -- Include year in timestamps.
+ -- See also 'process.utc = true' if you wish to record timestamps
+ -- in UTC.
+}
--- alert_full = { file = true, }
+--[[
+alert_full = {
+ -- View all options with "snort --help-config alert_full"
+ file = true,
+}
+--]]
--[[
alert_fast = {
--- bool alert_fast.file = false: output to alert_fast.txt instead of stdout
--- bool alert_fast.packet = false: output packet dump with alert
--- int alert_fast.limit = 0: set maximum size in MB before rollover (0 is unlimited) { 0:maxSZ }
+ -- View all options with "snort --help-config alert_fast"
file = true,
packet = false,
}
--]]
alert_json = {
--- bool alert_json.file = false: output to alert_json.txt instead of stdout
--- int alert_json.limit = 0: set maximum size in MB before rollover (0 is unlimited) { 0:maxSZ }
--- string alert_json.separator = , : separate fields with this character sequence
--- multi alert_json.fields = 'timestamp pkt_num proto pkt_gen pkt_len dir src_ap dst_ap'
--- Rule action: selected fields will be output in given order left to right.
--- { action | class | b64_data | client_bytes | client_pkts | dir
--- | dst_addr | dst_ap | dst_port | eth_dst | eth_len | eth_src
--- | eth_type | flowstart_time | geneve_vni | gid | icmp_code
--- | icmp_id | icmp_seq | icmp_type | iface | ip_id | ip_len
--- | msg | mpls | pkt_gen | pkt_len | pkt_num | priority
--- | proto | rev | rule | seconds | server_bytes | server_pkts
--- | service | sgt | sid | src_addr | src_ap | src_port | target
--- | tcp_ack | tcp_flags | tcp_len | tcp_seq | tcp_win | timestamp
--- | tos | ttl | udp_len | vlan }
-
--- This is a minimal set of fields that simply supports 'snort-mgr report'
--- and minimizes log size:
- fields = 'dir src_ap dst_ap msg',
-
--- This set also supports the report, but closely matches 'alert_fast' contents.
---fields = 'timestamp pkt_num proto pkt_gen pkt_len dir src_ap dst_ap rule action msg',
-
+ -- View all options with "snort --help-config alert_json"
file = true,
-}
---[[
-unified2 = {
- limit = 10, -- int unified2.limit = 0: set maximum size in MB before rollover (0 is unlimited) { 0:maxSZ }
+ -- This is a minimal set of fields that simply supports 'snort-mgr report'
+ -- and minimizes log size, but loses a lot of information:
+--fields = 'timestamp dir src_addr src_port dst_addr dst_port gid sid msg',
+
+ -- This is our preferred smallish set, which also supports the report, but
+ -- more closely matches 'alert_fast' contents.
+ fields = [[
+ timestamp
+ pkt_num pkt_gen pkt_len
+ proto
+ dir
+ src_addr src_port
+ dst_addr dst_port
+ gid sid rev
+ action
+ msg
+ ]],
}
---]]
{% endif -%}
}
file_policy = {
- enable_type = true,
+ enable_type = true,
enable_signature = true,
rules = {
use = {
- verdict = 'log',
- enable_file_type = true,
+ verdict = 'log',
+ enable_file_type = true,
enable_file_signature = true,
}
}
-- To use openappid with snort, 'opkg install openappid' and enable in config.
{% if (int(snort.openappid)): %}
appid = {
- log_stats = true,
+ -- View all options with "snort --help-module appid"
+ log_stats = true,
app_detector_dir = '/usr/lib/openappid',
app_stats_period = 60,
}
if (snort.include) {
// We use the ucode include here, so that the included file is also
// part of the template and can use values passed in from the config.
- printf("-- The following content from included file '%s'\n", snort.include);
+ printf(rpad(`-- Include from '${snort.include}'`, ">", 80) + "\n");
include(snort.include, { snort, nfq });
+ printf(rpad("-- End of included file.", "<", 80) + "\n");
}
%}
projects / feed / packages.git / commitdiff