Feature #1771
IDS/IPS (snort)
| Status: | CLOSED | Start date: | |
|---|---|---|---|
| Priority: | Normal | Due date: | |
| Assignee: | - | % Done: | 100% |
| Category: | nethserver-snort | | |
| Target version: | v6.5 | | |
| Resolution: | | NEEDINFO: | No |
Associated revisions
createlinks, shorewall templates: add NFQUEUE support. Refs #1771
rules template: fix syntax for httpd-admin service. Refs #1771
policy template: redirect loc2net traffic to NFQUEUE when nfqueue property is enabled. Refs #1771
First import - snort 2.9.5.5-1. Refs #1771
shorewall templates: add NFQ support for extra zones. Refs #1771
Firewall policy: enable NFQ if needed. Refs #1771
First import. Refs #1771
First import. Refs #1771
spec: refactor all paths. Refs #1771
Update to snort 2.9.6.1. Refs #1771
Web UI: apply configuration. Refs #1771
createlinks, actions: add nethserver-pulledpork-save event. Refs #1771
createlinks: fix daemon restart. Refs #1771
templates: add FILE_DATA_PORTS var. Refs #1771
DB defaults: rename snort to snortd. Refs #1771
spec: add snortalog dependency. Refs #1771
Web interface: fix syntax in translation. Refs #1771
Force rules download, avoid errors on snort restart. Refs #1771
sudoers template: fix wrapper path. Refs #1771
Inline help: add IPS rst files. Refs #1771
Fixed logrotate patch. Refs #1771
- Updated to upstream version 2.9.6.2
- Added tarball SHA1SUM, to support build-rpm builds
Rebuild for snort-2.9.6.2. Refs #1771
Added nethserver-ips group. Refs #1771
History
#1 Updated by Giacomo Sanchietti over 7 years ago
- Status changed from NEW to TRIAGED
- % Done changed from 0 to 20
- Dependencies:
  - libnetfilter_queue (from epel)
  - libnfnetlink (from centalt)
  - libmnl
  - libdnet
  - daq, needs to be built
- Configuration:
  - create a simple template for snort.conf
  - Add pulledpork dependency
    - Pulledpork rpm: ftp://ftp.pbone.net/mirror/ftp5.gwdg.de/pub/opensuse/repositories/home:/deadpoint/openSUSE_12.3/src/pulledpork-0.6.1-5.1.src.rpm
    - Depends on: perl-Crypt-SSLeay perl-Archive-Tar
- Fixes:
  touch /etc/snort/rules/black_list.rules
  touch /etc/snort/rules/white_list.rules
  mkdir -p /usr/lib/snort_dynamicrules
  mkdir /etc/snort/rules/iplists/
- Fix init script and sysconfig
--- /etc/init.d/snortd.ori 2013-10-15 09:36:44.375726032 +0200 +++ /etc/init.d/snortd 2013-10-15 10:25:13.615957284 +0200 @@ -45,6 +45,8 @@ if [ "$INTERFACE"X = "X" ]; then INTERFACE="-i eth0" +elif [ "$INTERFACE"X = "NFQX" ]; then + INTERFACE="-Q" else INTERFACE="-i $INTERFACE" fi @@ -98,7 +100,9 @@ start) echo -n "Starting snort: " cd $LOGDIR - if [ "$INTERFACE" = "-i ALL" ]; then + if [ "$INTERFACE" = "-Q" ]; then + daemon /usr/sbin/snort $ALERTMODE $BINARY_LOG $NO_PACKET_LOG $DUMP_APP -D $PRINT_INTERFACE -u $USER -g $GROUP $CONF $PASS_FIRST $BPFFILE $BPF $INTERFACE + elif [ "$INTERFACE" = "-i ALL" ]; then for i in `cat /proc/net/dev|grep eth|awk -F ":" '{ print $1; }'` do mkdir -p "$LOGDIR/$i" --- /etc/sysconfig/snort.ori 2013-10-15 09:35:37.972316309 +0200 +++ /etc/sysconfig/snort 2013-10-15 10:14:19.865403270 +0200 @@ -12,7 +12,7 @@ # What interface should snort listen on? [Pick only 1 of the next 3!] # This is -i {interface} on the command line # This is the snort.conf config interface: {interface} directive -INTERFACE=eth0 +INTERFACE=NFQ # # The following two options are not directly supported on the command line # or in the conf file and assume the same Snort configuration for all @@ -23,6 +23,9 @@ # # To listen only on given interfaces use this: #INTERFACE="eth1 eth2 eth3 eth4 eth5" +# +# To use NFQ mode +#INTERFACE=NFQ # Where is Snort's configuration file?
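Review bot: the new `-Q` start branch in /etc/init.d/snortd (the `if [ "$INTERFACE" = "-Q" ]; then daemon /usr/sbin/snort ...` line) creates a fail-closed dependency that the patch leaves unhandled: once the Shorewall policy sends loc2net traffic to NFQUEUE, any interval in which snort is not bound to the queue (start failure on a bad rule set, restart, crash) makes the kernel drop the queued packets unless the NFQUEUE rule carries the queue-bypass flag. Either make the NFQUEUE policy conditional on snort actually running, or set queue-bypass on the firewall rule, and state the chosen fail-open or fail-closed behaviour where the NFQ mode is documented.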
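Review bot: switching the packaged default from `INTERFACE=eth0` to `INTERFACE=NFQ` in /etc/sysconfig/snort makes every installation run inline by default, including hosts where the nfqueue firewall property is disabled and nothing is ever queued; snort then starts cleanly but inspects no traffic and reports no error. Keep `eth0` (or ALL) as the file default and let the NethServer sysconfig template select NFQ only when the nfqueue property is enabled.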
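Review bot: the new comment block adds `#INTERFACE=NFQ` as a fourth choice, but the header above it still reads `[Pick only 1 of the next 3!]`; update that count and note that NFQ only works together with a matching NFQUEUE firewall rule, otherwise the file documents an option that silently does nothing.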
- Add Shorewall NFQUEUE support
#2 Updated by Giacomo Sanchietti over 7 years ago
- Status changed from TRIAGED to ON_DEV
- Assignee set to Giacomo Sanchietti
- % Done changed from 20 to 30
#3 Updated by Filippo Carletti over 7 years ago
I'm using pulledpork 0.7.0.
#4 Updated by Giacomo Sanchietti over 7 years ago
- Assignee deleted (Giacomo Sanchietti)
#5 Updated by Giacomo Sanchietti about 7 years ago
- Target version changed from ~FUTURE to v6.5
#6 Updated by Giacomo Sanchietti about 7 years ago
- Status changed from ON_DEV to MODIFIED
- Assignee set to Giacomo Sanchietti
- % Done changed from 30 to 60
- snort
- daq
- snortalog
- pulledpork
- nethserver-pulledpork
- nethserver-snort
TODO: add inline help and manual pages. See: nethserver-snort.
#7 Updated by Giacomo Sanchietti about 7 years ago
- Status changed from MODIFIED to ON_QA
- Assignee deleted (Giacomo Sanchietti)
- % Done changed from 60 to 70
- nethserver-pulledpork-0.0.1-1.ns6.noarch.rpm
- nethserver-snort-0.0.1-6.0gite92f8f26.ns6.noarch.rpm
- snortalog-0.0.1-1.ns6.noarch.rpm
- daq-2.0.2-1.x86_64.rpm
- snort-2.9.6.1-1.x86_64.rpm
- pulledpork-0.7.0-2.noarch.rpm
- nethserver-firewall-base-1.1.0-50.0git08bb326d.ns6.noarch
- nethserver-base-2.2.1-42.0git6cfa99e8.ns6.noarch
- Enable Snort from web interface
- Check nfqueue is enabled and snort is running
- Change policy from web interface
- Check changes are reflected in pulledpork and snort
#9 Updated by Giacomo Sanchietti about 7 years ago
- pulledpork will always try to download new rule sets
- snort will not fail to start if pulledpork can't download rule sets
- nethserver-snort-0.0.1-5.0git32850266.ns6.noarch.rpm
- nethserver-pulledpork-0.0.1-1.0git74309add.ns6.noarch.rpm
#10 Updated by Giacomo Sanchietti about 7 years ago
- Assignee set to Davide Marini
#11 Updated by Davide Marini about 7 years ago
- Status changed from ON_QA to VERIFIED
- % Done changed from 70 to 90
Test case 1 and 2 verified, everything worked as expected.
Just a little note: snort is logging a lot and when it restarts syslogd starts to drop snort messages due to massive logging, e.g.:
Jun 5 15:29:44 server rsyslogd-2177: imuxsock begins to drop messages from pid 5715 due to rate-limiting
Because of this behaviour we can't see the active rules on the log file because they're dropped from syslogd.
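Added example, not from the issue or the nethserver-snort project: a small checker for the two syslog line formats quoted in this thread (the rsyslog imuxsock rate-limit notice and snort's "N Snort rules read" line). It reports, per snort pid, whether the rule count was logged and whether rsyslog dropped that pid's messages, i.e. whether the logged rule list can be trusted. The sample log lines are constructed.

```python
import re

# rsyslog imuxsock rate-limit notice, as quoted in the issue.
RATE_LIMIT_RE = re.compile(
    r"rsyslogd(?:-\d+)?: imuxsock begins to drop messages from pid (\d+) "
    r"due to rate-limiting")
# Any snort syslog line: capture the pid and the message body.
SNORT_RE = re.compile(r" snort\[(\d+)\]: (.*)$")
# snort's startup summary line, as quoted in the issue.
RULES_READ_RE = re.compile(r"^(\d+) Snort rules read$")

# Constructed sample log (same formats as the lines quoted in this thread).
SAMPLE_LOG = """\
Jun 5 15:29:40 server snort[5715]: Initializing rule chains...
Jun 5 15:29:44 server rsyslogd-2177: imuxsock begins to drop messages from pid 5715 due to rate-limiting
Aug 19 14:43:09 localhost snort[12207]: 16381 Snort rules read
"""


def audit_snort_log(text):
    """Per snort pid: rule count from the startup summary (or None) and
    whether rsyslog rate-limited that pid, which means its output is incomplete."""
    status = {}
    for line in text.splitlines():
        m = SNORT_RE.search(line)
        if m:
            pid, msg = int(m.group(1)), m.group(2)
            entry = status.setdefault(pid, {"rules_read": None, "rate_limited": False})
            r = RULES_READ_RE.match(msg)
            if r:
                entry["rules_read"] = int(r.group(1))
            continue
        m = RATE_LIMIT_RE.search(line)
        if m:
            pid = int(m.group(1))
            status.setdefault(pid, {"rules_read": None, "rate_limited": False})
            status[pid]["rate_limited"] = True
    return status


def findings(status):
    """One verdict line per pid, sorted by pid."""
    out = []
    for pid, s in sorted(status.items()):
        if s["rate_limited"]:
            out.append(f"pid {pid}: rsyslog dropped messages; logged rule list is incomplete")
        elif s["rules_read"] is None:
            out.append(f"pid {pid}: no 'Snort rules read' line found")
        else:
            out.append(f"pid {pid}: {s['rules_read']} rules read, log complete")
    return out


if __name__ == "__main__":
    print("\n".join(findings(audit_snort_log(SAMPLE_LOG))))
```

On the rsyslog side the drops themselves are avoided by raising or disabling the imuxsock limit ($SystemLogRateLimitInterval / $SystemLogRateLimitBurst in legacy syntax) for the host running snort.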
#12 Updated by Giacomo Sanchietti about 7 years ago
- Assignee deleted (Davide Marini)
#13 Updated by Davide Principi almost 7 years ago
- Status changed from VERIFIED to ON_QA
- % Done changed from 90 to 70
Rebuilt with snort-2.9.6.2, to fix logrotate patch
In nethserver-testing:
snort-2.9.6.2-1.x86_64.rpm
snort-debuginfo-2.9.6.2-1.x86_64.rpm
nethserver-snort-0.0.1-8.0giteb37c66e.ns6.noarch.rpm
Packager note
Release with nethserver-snort-0.0.1-8.0giteb37c66e.ns6.noarch.rpm
#14 Updated by Filippo Carletti almost 7 years ago
- Status changed from ON_QA to VERIFIED
- % Done changed from 70 to 90
Installed nethserver-snort on a new system, snort starts, rules are correct and logrotation works.
Aug 19 14:43:09 localhost snort[12207]: 16381 Snort rules read
#15 Updated by Davide Principi almost 7 years ago
- Status changed from VERIFIED to CLOSED
- % Done changed from 90 to 100
In nethserver-updates:
nethserver-snort-1.0.0-1.ns6.noarch.rpm
nethserver-openvpn-1.1.0-1.ns6.noarch.rpm
nethserver-firewall-base-2.0.0-1.ns6.noarch.rpm
...and also dependencies:
nethserver-pulledpork-1.0.0-1.ns6.src.rpm
pulledpork-0.7.0-2.noarch.rpm