* [PATCH] snort: Also monitor assigned alias addresses on red.
From: Stefan Schantl @ 2015-10-16 9:41 UTC (permalink / raw)
To: development
These changes will allow snort to also inspect the traffic for
one or more configured alias addresses, which has not been done in the past.

To do this we will now check if the RED interface has been set to STATIC (which
is required to use the aliases function) and whether any aliases have been configured. In
this case, the modified code will add all enabled alias addresses to the HOMENET
variable in which snort is storing all the monitored addresses.

Fixes #10619.
Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
---
src/initscripts/init.d/snort | 15 +++++++++++++++
1 file changed, 15 insertions(+)
diff --git a/src/initscripts/init.d/snort b/src/initscripts/init.d/snort
index e03c80f..47e7998 100644
--- a/src/initscripts/init.d/snort
+++ b/src/initscripts/init.d/snort
@@ -20,6 +20,8 @@ PATH=/usr/local/sbin:/usr/local/bin:/bin:/usr/bin:/sbin:/usr/sbin; export PATH
eval $(/usr/local/bin/readhash /var/ipfire/ethernet/settings)
eval $(/usr/local/bin/readhash /var/ipfire/snort/settings)
+ALIASFILE="/var/ipfire/ethernet/aliases"
+
case "$1" in
start)
if [ "$BLUE_NETADDRESS" ]; then
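Review bot: missing documentation on the new `ALIASFILE="/var/ipfire/ethernet/aliases"` line; unlike the two settings files above it, which go through readhash, this file is parsed by hand further down, so a one-line comment here stating the expected field layout (address,mode,remark, as the loop below assumes) would save the next reader a trip through the start) branch.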
@@ -59,6 +61,19 @@ case "$1" in
if [ "$LOCAL_IP" ]; then
HOMENET+="$LOCAL_IP,"
fi
+
+ # Check if the red device is set to static and
+ # any aliases have been configured.
+ if [ "$RED_TYPE" == "STATIC" ] && [ -s "${ALIASFILE}" ]; then
+ # Read in aliases file.
+ while IFS="," read -r address mode remark; do
+ # Check if the alias is enabled.
+ [ "${mode}" = "on" ] || continue
+
+ # Add alias to the list of HOMENET addresses.
+ HOMENET+="${address},"
+ done < "${ALIASFILE}"
+ fi
fi
HOMENET+="127.0.0.1"
echo "ipvar HOME_NET [$HOMENET]" > /etc/snort/vars
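Review bot: the `while IFS="," read -r address mode remark; do ... done < "${ALIASFILE}"` loop drops the last alias if the aliases file does not end with a newline, because `read` returns non-zero on that final partial line and the loop body never runs for it; `while IFS="," read -r address mode remark || [ -n "${address}" ]; do` keeps that entry. Related: `address` is appended to `HOMENET` and written into /etc/snort/vars without any sanity check, so a malformed entry in the aliases file ends up verbatim in the HOME_NET definition; a dotted-quad check before `HOMENET+="${address},"` would make such a failure explicit instead of silent. Minor: `[ "$RED_TYPE" == "STATIC" ]` uses `==` while `[ "${mode}" = "on" ]` two lines below uses the POSIX `=`; pick one.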
--
2.4.3
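As an added, stand-alone illustration (not the IPFire init script or any code from this thread) of the HOMENET construction the description above sets out, the POSIX sh below builds the HOME_NET line from a constructed aliases file and also covers two edge cases the loop in the patch does not: a last line without a trailing newline and a malformed address. `is_ipv4`, `build_homenet`, `ALIASES_SAMPLE` and the sample addresses are this example's own.

```shell
#!/bin/sh
# Added example, not IPFire's init script: rebuild snort's HOME_NET line
# from an IPFire-style aliases file ("address,mode,remark" per line) and
# show two edge cases the patch's loop does not cover. The helper names
# and the sample addresses below are this example's own.

# Accept only a dotted quad with four octets in the range 0..255.
is_ipv4() {
    case "$1" in
        *[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    set -- $(printf '%s' "$1" | tr '.' ' ')
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
}

# Print the "ipvar HOME_NET [...]" line for the given RED_TYPE ($1),
# static RED address ($2) and aliases file ($3).
build_homenet() {
    bh_type=$1; bh_ip=$2; bh_file=$3; bh_net=""
    if [ -n "$bh_ip" ]; then bh_net="${bh_ip},"; fi
    if [ "$bh_type" = "STATIC" ] && [ -s "$bh_file" ]; then
        # "|| [ -n "$address" ]" keeps a final line without a newline,
        # which a bare "while read" would silently drop.
        while IFS="," read -r address mode remark || [ -n "$address" ]; do
            [ "$mode" = "on" ] || continue
            # Refuse entries that would corrupt the HOME_NET definition.
            is_ipv4 "$address" || continue
            bh_net="${bh_net}${address},"
        done < "$bh_file"
    fi
    printf 'ipvar HOME_NET [%s127.0.0.1]\n' "$bh_net"
}

# Constructed sample: one enabled alias, one disabled, one malformed
# line, and an enabled alias on a last line with no trailing newline.
ALIASES_SAMPLE=$(mktemp)
trap 'rm -f "$ALIASES_SAMPLE"' EXIT
printf '198.51.100.10,on,mail\n198.51.100.11,off,spare\n' > "$ALIASES_SAMPLE"
printf 'bad.address,on,typo\n198.51.100.12,on,web' >> "$ALIASES_SAMPLE"

build_homenet STATIC 198.51.100.2 "$ALIASES_SAMPLE"
# prints: ipvar HOME_NET [198.51.100.2,198.51.100.10,198.51.100.12,127.0.0.1]
```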
* Re: [PATCH] snort: Also monitor assigned alias addresses on red.
From: Timo Eissler @ 2015-10-16 10:09 UTC (permalink / raw)
To: development
Reviewed-by: Timo Eissler <timo.eissler(a)ipfire.org>
On 16.10.2015 at 11:41, Stefan Schantl wrote:
> These changes will allow snort to also inspect the traffic for
> one or more configured alias addresses, which has not been done in the past.
>
> To do this we will now check if the RED interface has been set to STATIC (which
> is required to use the aliases function) and whether any aliases have been configured. In
> this case, the modified code will add all enabled alias addresses to the HOMENET
> variable in which snort is storing all the monitored addresses.
>
> Fixes #10619.
>
> Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
> ---
> src/initscripts/init.d/snort | 15 +++++++++++++++
> 1 file changed, 15 insertions(+)
>
> diff --git a/src/initscripts/init.d/snort b/src/initscripts/init.d/snort
> index e03c80f..47e7998 100644
> --- a/src/initscripts/init.d/snort
> +++ b/src/initscripts/init.d/snort
> @@ -20,6 +20,8 @@ PATH=/usr/local/sbin:/usr/local/bin:/bin:/usr/bin:/sbin:/usr/sbin; export PATH
> eval $(/usr/local/bin/readhash /var/ipfire/ethernet/settings)
> eval $(/usr/local/bin/readhash /var/ipfire/snort/settings)
>
> +ALIASFILE="/var/ipfire/ethernet/aliases"
> +
> case "$1" in
> start)
> if [ "$BLUE_NETADDRESS" ]; then
> @@ -59,6 +61,19 @@ case "$1" in
> if [ "$LOCAL_IP" ]; then
> HOMENET+="$LOCAL_IP,"
> fi
> +
> + # Check if the red device is set to static and
> + # any aliases have been configured.
> + if [ "$RED_TYPE" == "STATIC" ] && [ -s "${ALIASFILE}" ]; then
> + # Read in aliases file.
> + while IFS="," read -r address mode remark; do
> + # Check if the alias is enabled.
> + [ "${mode}" = "on" ] || continue
> +
> + # Add alias to the list of HOMENET addresses.
> + HOMENET+="${address},"
> + done < "${ALIASFILE}"
> + fi
> fi
> HOMENET+="127.0.0.1"
> echo "ipvar HOME_NET [$HOMENET]" > /etc/snort/vars
--
Timo Eissler
Senior Project Engineer / Consultant
Am Zuckerberg 54
D-71640 Ludwigsburg
Tel.: +49 7141 4094003
Mobile: +49 151 20650311
Email: timo(a)teissler.de
* Re: [PATCH] snort: Also monitor assigned alias addresses on red.
From: Michael Tremer @ 2015-10-16 15:48 UTC (permalink / raw)
To: development
On Fri, 2015-10-16 at 12:09 +0200, Timo Eissler wrote:
> Reviewed-by: Timo Eissler <timo.eissler(a)ipfire.org>
I don't think that this patch is okay.
> On 16.10.2015 at 11:41, Stefan Schantl wrote:
> > These changes will allow snort to also inspect the traffic for
> > one or more configured alias addresses, which has not been done in
> > the past.
What consequences did that have? What does this patch change? Is
anything of that user-visible or breaking backward-compatibility?
> >
> > To do this we will now check if the RED interface has been set to
> > STATIC (which
> > is required to use the aliases function) and whether any aliases have been
> > configured. In
> > this case, the modified code will add all enabled alias
> > addresses to the HOMENET
> > variable in which snort is storing all the monitored addresses.
> >
> > Fixes #10619.
> >
> > Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
> > ---
> > src/initscripts/init.d/snort | 15 +++++++++++++++
> > 1 file changed, 15 insertions(+)
There are some formatting inconsistencies in this patch.
> >
> > diff --git a/src/initscripts/init.d/snort
> > b/src/initscripts/init.d/snort
> > index e03c80f..47e7998 100644
> > --- a/src/initscripts/init.d/snort
> > +++ b/src/initscripts/init.d/snort
> > @@ -20,6 +20,8 @@
> > PATH=/usr/local/sbin:/usr/local/bin:/bin:/usr/bin:/sbin:/usr/sbin;
> > export PATH
> > eval $(/usr/local/bin/readhash /var/ipfire/ethernet/settings)
> > eval $(/usr/local/bin/readhash /var/ipfire/snort/settings)
> >
> > +ALIASFILE="/var/ipfire/ethernet/aliases"
> > +
> > case "$1" in
> > start)
> > if [ "$BLUE_NETADDRESS" ]; then
> > @@ -59,6 +61,19 @@ case "$1" in
> > if [ "$LOCAL_IP" ]; then
> > HOMENET+="$LOCAL_IP,"
> > fi
> > +
> > + # Check if the red device is set to static
> > and
> > + # any aliases have been configured.
> > + if [ "$RED_TYPE" == "STATIC" ] && [ -s
> > "${ALIASFILE}" ]; then
RED_TYPE does not have curly braces, ALIASFILE has these.
Pick one based on the rest of the script and be consistent, please.
> > + # Read in aliases file.
> > + while IFS="," read -r address mode
> > remark; do
> > + # Check if the alias is
> > enabled.
> > + [ "${mode}" = "on" ] ||
> > continue
> > +
> > + # Add alias to the list of
> > HOMENET addresses.
> > + HOMENET+="${address},"
> > + done < "${ALIASFILE}"
> > + fi
> > fi
> > HOMENET+="127.0.0.1"
> > echo "ipvar HOME_NET [$HOMENET]" > /etc/snort/vars
-Michael
* Re: [PATCH] snort: Also monitor assigned alias addresses on red.
From: Stefan Schantl @ 2015-10-16 16:37 UTC (permalink / raw)
To: development
> On Fri, 2015-10-16 at 12:09 +0200, Timo Eissler wrote:
> > Reviewed-by: Timo Eissler <timo.eissler(a)ipfire.org>
>
> I don't think that this patch is okay.
>
> > On 16.10.2015 at 11:41, Stefan Schantl wrote:
> > > These changes will allow snort to also inspect the traffic for
> > > one or more configured alias addresses, which has not been done
> > > in
> > > the past.
>
> What consequences did that have? What does this patch change? Is
> anything of that user-visible or breaking backward-compatibility?
The current situation is that snort, if enabled on red, only inspects
the traffic which is destined to the statically configured red address.

If some alias addresses have been assigned to the red interface, the
traffic to these addresses will not be checked by snort and completely
bypasses the IDS.

There is no user interaction required, nor visible effects or any
backward-compatibility issues, only a restart of snort after the
update process to protect all red addresses.
>
> There are some formatting inconsistencies in this patch.
>
> > >
> > > diff --git a/src/initscripts/init.d/snort
> > > b/src/initscripts/init.d/snort
> > > index e03c80f..47e7998 100644
> > > --- a/src/initscripts/init.d/snort
> > > +++ b/src/initscripts/init.d/snort
> > > @@ -20,6 +20,8 @@
> > > PATH=/usr/local/sbin:/usr/local/bin:/bin:/usr/bin:/sbin:/usr/sbin
> > > ;
> > > export PATH
> > > eval $(/usr/local/bin/readhash /var/ipfire/ethernet/settings)
> > > eval $(/usr/local/bin/readhash /var/ipfire/snort/settings)
> > >
> > > +ALIASFILE="/var/ipfire/ethernet/aliases"
> > > +
> > > case "$1" in
> > > start)
> > > if [ "$BLUE_NETADDRESS" ]; then
> > > @@ -59,6 +61,19 @@ case "$1" in
> > > if [ "$LOCAL_IP" ]; then
> > > HOMENET+="$LOCAL_IP,"
> > > fi
> > > +
> > > + # Check if the red device is set to
> > > static
> > > and
> > > + # any aliases have been configured.
> > > + if [ "$RED_TYPE" == "STATIC" ] && [ -s
> > > "${ALIASFILE}" ]; then
>
> RED_TYPE does not have curly braces, ALIASFILE has these.
>
> Pick one based on the rest of the script and be consistent, please.
Thanks for the hint, I will upload a reworked patch soon.
>
> > > + # Read in aliases file.
> > > + while IFS="," read -r address
> > > mode
> > > remark; do
> > > + # Check if the alias is
> > > enabled.
> > > + [ "${mode}" = "on" ] ||
> > > continue
> > > +
> > > + # Add alias to the list
> > > of
> > > HOMENET addresses.
> > > + HOMENET+="${address},"
> > > + done < "${ALIASFILE}"
> > > + fi
> > > fi
> > > HOMENET+="127.0.0.1"
> > > echo "ipvar HOME_NET [$HOMENET]" >
> > > /etc/snort/vars
>
> -Michael
* Re: [PATCH] snort: Also monitor assigned alias addresses on red.
From: Michael Tremer @ 2015-10-16 16:39 UTC (permalink / raw)
To: development
On Fri, 2015-10-16 at 18:37 +0200, Stefan Schantl wrote:
> > On Fri, 2015-10-16 at 12:09 +0200, Timo Eissler wrote:
> > > Reviewed-by: Timo Eissler <timo.eissler(a)ipfire.org>
> >
> > I don't think that this patch is okay.
> >
> > > On 16.10.2015 at 11:41, Stefan Schantl wrote:
> > > > These changes will allow snort to also inspect the traffic for
> > > > one or more configured alias addresses, which has not been done
> > > > in
> > > > the past.
> >
> > What consequences did that have? What does this patch change? Is
> > anything of that user-visible or breaking backward-compatibility?
>
> The current situation is that snort, if enabled on red, only inspects
> the traffic which is destined to the statically configured red
> address.
>
> If some alias addresses have been assigned to the red interface, the
> traffic to these addresses will not be checked by snort and
> completely
> bypasses the IDS.
>
> There is no user interaction required, nor visible effects or any
> backward-compatibility issues, only a restart of snort after the
> update process to protect all red addresses.
Please include that description in the new version of the patch.
>
>
> >
> > There are some formatting inconsistencies in this patch.
> >
> > > >
> > > > diff --git a/src/initscripts/init.d/snort
> > > > b/src/initscripts/init.d/snort
> > > > index e03c80f..47e7998 100644
> > > > --- a/src/initscripts/init.d/snort
> > > > +++ b/src/initscripts/init.d/snort
> > > > @@ -20,6 +20,8 @@
> > > > PATH=/usr/local/sbin:/usr/local/bin:/bin:/usr/bin:/sbin:/usr/sb
> > > > in
> > > > ;
> > > > export PATH
> > > > eval $(/usr/local/bin/readhash /var/ipfire/ethernet/settings)
> > > > eval $(/usr/local/bin/readhash /var/ipfire/snort/settings)
> > > >
> > > > +ALIASFILE="/var/ipfire/ethernet/aliases"
> > > > +
> > > > case "$1" in
> > > > start)
> > > > if [ "$BLUE_NETADDRESS" ]; then
> > > > @@ -59,6 +61,19 @@ case "$1" in
> > > > if [ "$LOCAL_IP" ]; then
> > > > HOMENET+="$LOCAL_IP,"
> > > > fi
> > > > +
> > > > + # Check if the red device is set to
> > > > static
> > > > and
> > > > + # any aliases have been configured.
> > > > + if [ "$RED_TYPE" == "STATIC" ] && [ -s
> > > > "${ALIASFILE}" ]; then
> >
> > RED_TYPE does not have curly braces, ALIASFILE has these.
> >
> > Pick one based on the rest of the script and be consistent, please.
>
> Thanks for the hint, I will upload a reworked patch soon.
> >
> > > > + # Read in aliases file.
> > > > + while IFS="," read -r address
> > > > mode
> > > > remark; do
> > > > + # Check if the alias
> > > > is
> > > > enabled.
> > > > + [ "${mode}" = "on" ]
> > > > ||
> > > > continue
> > > > +
> > > > + # Add alias to the
> > > > list
> > > > of
> > > > HOMENET addresses.
> > > > + HOMENET+="${address},"
> > > > + done < "${ALIASFILE}"
> > > > + fi
> > > > fi
> > > > HOMENET+="127.0.0.1"
> > > > echo "ipvar HOME_NET [$HOMENET]" >
> > > > /etc/snort/vars
> >
* [PATCH] snort: Also monitor assigned alias addresses on red.
From: Stefan Schantl @ 2015-10-16 16:49 UTC (permalink / raw)
To: development
These changes will allow snort to also inspect the traffic for
one or more configured alias addresses, which has not been done in the past.

The current situation is that snort, if enabled on red, only inspects
the traffic which is destined to the statically configured red address.
If some alias addresses have been assigned to the red interface, the
traffic to these addresses will not be checked by snort and
completely bypasses the IDS.

There is no user interaction required, nor visible effects or any
backward-compatibility issues, only a restart of snort after the
update process to protect all red addresses.

To do this we will now check if the RED interface has been set to STATIC (which
is required to use the aliases function) and whether any aliases have been configured. In
this case, the modified code will add all enabled alias addresses to the HOMENET
variable in which snort is storing all the monitored addresses.
Fixes #10619.
Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
---
src/initscripts/init.d/snort | 15 +++++++++++++++
1 file changed, 15 insertions(+)
diff --git a/src/initscripts/init.d/snort b/src/initscripts/init.d/snort
index e03c80f..58edf1e 100644
--- a/src/initscripts/init.d/snort
+++ b/src/initscripts/init.d/snort
@@ -20,6 +20,8 @@ PATH=/usr/local/sbin:/usr/local/bin:/bin:/usr/bin:/sbin:/usr/sbin; export PATH
eval $(/usr/local/bin/readhash /var/ipfire/ethernet/settings)
eval $(/usr/local/bin/readhash /var/ipfire/snort/settings)
+ALIASFILE="/var/ipfire/ethernet/aliases"
+
case "$1" in
start)
if [ "$BLUE_NETADDRESS" ]; then
@@ -59,6 +61,19 @@ case "$1" in
if [ "$LOCAL_IP" ]; then
HOMENET+="$LOCAL_IP,"
fi
+
+ # Check if the red device is set to static and
+ # any aliases have been configured.
+ if [ "${RED_TYPE}" == "STATIC" ] && [ -s "${ALIASFILE}" ]; then
+ # Read in aliases file.
+ while IFS="," read -r address mode remark; do
+ # Check if the alias is enabled.
+ [ "${mode}" = "on" ] || continue
+
+ # Add alias to the list of HOMENET addresses.
+ HOMENET+="${address},"
+ done < "${ALIASFILE}"
+ fi
fi
HOMENET+="127.0.0.1"
echo "ipvar HOME_NET [$HOMENET]" > /etc/snort/vars
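Review bot: this revision fixes the brace inconsistency that was raised (`[ "${RED_TYPE}" == "STATIC" ]`), but the same line still uses `==` next to the POSIX `=` in `[ "${mode}" = "on" ]`, so one of the two should change. Two behavioural points from the loop carry over unchanged from v1: `while IFS="," read -r address mode remark; do ... done < "${ALIASFILE}"` skips the last alias when the file lacks a trailing newline (append `|| [ -n "${address}" ]` to the `read` to keep it), and `HOMENET+="${address},"` appends the field unvalidated, so any malformed line with mode "on" lands verbatim in the HOME_NET definition written to /etc/snort/vars.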
--
2.4.3