From: Stefan Schantl
To: development@lists.ipfire.org
Subject: Re: [PATCH] snort: Also monitor assigned alias addresses on red.
Date: Fri, 16 Oct 2015 18:37:16 +0200
Message-ID: <1445013436.2021.22.camel@ipfire.org>
In-Reply-To: <1445010532.18375.76.camel@ipfire.org>

> On Fri, 2015-10-16 at 12:09 +0200, Timo Eissler wrote:
> > Reviewed-by: Timo Eissler
>
> I don't think that this patch is okay.
>
> > On 16.10.2015 at 11:41, Stefan Schantl wrote:
> > > These changes will allow snort to also inspect the traffic for
> > > one or more configured alias addresses, which has not been done
> > > in the past.
>
> What consequences did that have? What does this patch change? Is
> anything of that user-visible or breaking backward-compatibility?

The current situation is that snort, if enabled on red, only inspects
the traffic which is destined for the statically configured red address.
If some alias addresses have been assigned to the red interface, the
traffic to these addresses will not be checked by snort and completely
bypasses the IDS.

There is no user interaction required, nor visible effects or any
backward-compatibility required, only a restart of snort after the
update process to protect all red addresses.

> There are some formatting inconsistencies in this patch.
>
> > > diff --git a/src/initscripts/init.d/snort > > > b/src/initscripts/init.d/snort > > > index e03c80f..47e7998 100644 > > > --- a/src/initscripts/init.d/snort > > > +++ b/src/initscripts/init.d/snort 
> > > @@ -20,6 +20,8 @@ > > > PATH=/usr/local/sbin:/usr/local/bin:/bin:/usr/bin:/sbin:/usr/sbin > > > ; > > > export PATH > > > eval $(/usr/local/bin/readhash /var/ipfire/ethernet/settings) > > > eval $(/usr/local/bin/readhash /var/ipfire/snort/settings) > > > > > > +ALIASFILE="/var/ipfire/ethernet/aliases" > > > + > > > case "$1" in > > > start) > > > if [ "$BLUE_NETADDRESS" ]; then 
> > > @@ -59,6 +61,19 @@ case "$1" in > > > if [ "$LOCAL_IP" ]; then > > > HOMENET+="$LOCAL_IP," > > > fi > > > + > > > + # Check if the red device is set to > > > static > > > and > > > + # any aliases have been configured. > > > + if [ "$RED_TYPE" == "STATIC" ] && [ -s > > > "${ALIASFILE}" ]; then
>
> RED_TYPE does not have curly braces, ALIASFILE has these.
>
> Pick one based on the rest of the script and be consistent, please.

Thanks for the hint, I will upload a reworked patch soon.

> > > > + # Read in aliases file. > > > + while IFS="," read -r address > > > mode > > > remark; do > > > + # Check if the alias is > > > enabled. > > > + [ "${mode}" = "on" ] || > > > continue > > > + > > > + # Add alias to the list > > > of > > > HOMENET addresses. > > > + HOMENET+="${address}," > > > + done < "${ALIASFILE}" > > > + fi > > > fi > > > HOMENET+="127.0.0.1" > > > echo "ipvar HOME_NET [$HOMENET]" > > > > /etc/snort/vars
>
> -Michael
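
Review bot: In the second hunk, `HOMENET+="${address},"` appends the first field of every enabled line of the aliases file without checking it, and the result is written straight into `ipvar HOME_NET [$HOMENET]` in /etc/snort/vars. An empty or malformed address field would land in the HOME_NET list as is; consider skipping entries whose address is empty or does not look like an IP address before appending. Also, `while IFS="," read -r address mode remark; do` drops a last line that has no trailing newline, so an enabled alias on such a line would stay outside HOME_NET; `read ... || [ -n "${address}" ]` covers that case. The tests also mix `==` (for RED_TYPE) and `=` (for mode); pick one form.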
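
A check for the gap described in this message, as an added example that is not part of the thread or of IPFire's code: it lists enabled red aliases that are missing from snort's HOME_NET. The file formats (`address,mode,remark` lines and the `ipvar HOME_NET [...]` line) are assumed from the quoted patch; the function names and the sample addresses are made up for this example.

```bash
#!/bin/bash
# Added example, not IPFire code. Formats assumed from the quoted patch:
#   aliases file: address,mode,remark   (mode "on" = enabled)
#   vars file:    ipvar HOME_NET [addr,addr,...]

# Print each enabled alias in $1 that is missing from HOME_NET in $2.
# Returns 0 if every enabled alias is covered, 1 otherwise.
missing_aliases() {
    local aliasfile="$1" varsfile="$2"
    local homenet address mode remark rc=0
    # Take the comma-separated list between the square brackets.
    homenet=$(sed -n 's/^ipvar HOME_NET \[\(.*\)]$/\1/p' "$varsfile")
    # "|| [ -n ... ]" keeps a final line that lacks a trailing newline.
    while IFS="," read -r address mode remark || [ -n "$address" ]; do
        [ "$mode" = "on" ] || continue
        # Compare whole entries so 192.0.2.1 does not match 192.0.2.10.
        case ",$homenet," in
            *",$address,"*) ;;
            *) echo "$address"; rc=1 ;;
        esac
    done < "$aliasfile"
    return "$rc"
}

# Run the check on constructed sample data (documentation addresses).
demo() {
    local dir rc=0
    dir=$(mktemp -d)
    printf '192.0.2.10,on,web\n192.0.2.11,off,old\n192.0.2.12,on,mail' \
        > "$dir/aliases"
    echo 'ipvar HOME_NET [10.0.0.0/24,192.0.2.1,192.0.2.10,127.0.0.1]' \
        > "$dir/vars"
    missing_aliases "$dir/aliases" "$dir/vars" || rc=$?
    rm -rf "$dir"
    return "$rc"
}

demo || true   # prints 192.0.2.12
```

On a real system the two arguments would be the aliases file and the vars file named in the patch.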