From mboxrd@z Thu Jan 1 00:00:00 1970 
From: Michael Tremer
To: development@lists.ipfire.org
Subject: Re: [PATCH] core 130: Remove snort settings dir after convert has run.
Date: Mon, 18 Mar 2019 19:15:25 +0000
Message-ID: <624EC748-F95B-4EF5-865C-79B587A5A64F@ipfire.org>
In-Reply-To: <4cb758d60f918d342c9ec0ea989a4494a1ecf760.camel@ipfire.org>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="===============9215456201825986139=="
List-Id:

--===============9215456201825986139==
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable

Okay...

> On 18 Mar 2019, at 19:15, Stefan Schantl wrote:
>
>> Why would the converter read snort.conf?
>
> Because the enabled rule files (categories) are stored in this file.
>
>>
>> I agree.
>
> Thanks, so please ignore the current patch.
>
> I'll send a new one to take care of all of this.
>
>>
>>> On 18 Mar 2019, at 19:11, Stefan Schantl wrote:
>>>
>>>> Hi,
>>>>
>>>> I do not see why the converter does not take care of the removal.
>>>> That would only be one place.
>>>
>>> Me, too - I simply implemented it in the same way all other
>>> converters will be handled by the backup.pl script....
>>>
>>> But I found another really important issue in the core 130
>>> update.sh and the converter.
>>>
>>> The "/etc/snort/snort.conf" will be deleted very early. Exactly
>>> before the converter has had the chance to read the settings from
>>> this file.
>>>
>>> I'll send a patch to do the removal of the whole snort stuff and
>>> the settings in one step after the converter has done its work, if
>>> you agree with me.
>>>
>>>> But I will merge this if you want me to.
>>>>
>>>> -Michael
>>>>
>>>>> On 18 Mar 2019, at 19:04, Stefan Schantl <stefan.schantl(a)ipfire.org> wrote:
>>>>>> Almost?
>>>>>
>>>>> As long as the files are present, the settings will be converted.
>>>>> Maybe in special cases, if a user does something really weird, the
>>>>> converter will fail, but in this case I think it would even be
>>>>> better to start a new clean IPS configuration.
>>>>>
>>>>>> How is this directory removed when a backup was restored?
>>>>>>
>>>>>
>>>>> By the backup.pl script. It checks if after the backup a snort
>>>>> settings dir (/var/ipfire/snort) exists, launches the converter
>>>>> and afterwards deletes the directory.
>>>>>
>>>>> See:
>>>>>
>>>>> https://git.ipfire.org/?p=ipfire-2.x.git;a=commit;h=8c27372438dd267648cba48b86d85a594f14be1c
>>>>>
>>>>>> -Michael
>>>>>>
>>>>>>> On 18 Mar 2019, at 18:56, Stefan Schantl <stefan.schantl(a)ipfire.org> wrote:
>>>>>>>
>>>>>>> Hello Michael,
>>>>>>>> Hi,
>>>>>>>>
>>>>>>>> What happens when the converter has failed? Is that a
>>>>>>>> possibility?
>>>>>>>
>>>>>>> There is almost no risk that this would happen.
>>>>>>>
>>>>>>> It contains checks if all corresponding files are present and
>>>>>>> will contain the settings from them - I do not see a case where
>>>>>>> any problems can happen.
>>>>>>>
>>>>>>> Best regards,
>>>>>>>
>>>>>>> -Stefan
>>>>>>>
>>>>>>>> -Michael
>>>>>>>>
>>>>>>>>> On 18 Mar 2019, at 18:46, Stefan Schantl <stefan.schantl(a)ipfire.org> wrote:
>>>>>>>>>
>>>>>>>>> When all settings have been converted, the files and
>>>>>>>>> directory are not needed anymore.
>>>>>>>>>
>>>>>>>>> If they will be left and at a later time a backup will be
>>>>>>>>> restored, the converter will be started by the backup script
>>>>>>>>> again and would restore those old snort settings and replace
>>>>>>>>> the current IPS settings.
>>>>>>>>>
>>>>>>>>> Signed-off-by: Stefan Schantl < >>>>>>>>> stefan.schantl(a)ipfire.org> >>>>>>>>> --- >>>>>>>>> config/rootfiles/core/130/update.sh | 3 +++ >>>>>>>>> 1 file changed, 3 insertions(+) >>>>>>>>>=20 >>>>>>>>> diff --git a/config/rootfiles/core/130/update.sh >>>>>>>>> b/config/rootfiles/core/130/update.sh >>>>>>>>> index d33321c32..f3dc0d85a 100644 >>>>>>>>> --- a/config/rootfiles/core/130/update.sh >>>>>>>>> +++ b/config/rootfiles/core/130/update.sh >>>>>>>>> @@ -74,6 +74,9 @@ ldconfig >>>>>>>>> # Migrate snort configuration to suricata >>>>>>>>> /usr/sbin/convert-snort >>>>>>>>>=20 >>>>>>>>> +# Remove snort settings >>>>>>>>> +rm -rvf /var/ipfire/snort >>>>>>>>> + >>>>>>>>> # Start services >>>>>>>>> /etc/init.d/collectd restart >>>>>>>>> /etc/init.d/firewall restart >>>>>>>>> --=20 >>>>>>>>> 2.20.1 >>>>>>>>>=20 --===============9215456201825986139==--
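Review bot: The added `rm -rvf /var/ipfire/snort` in update.sh runs unconditionally, whatever `/usr/sbin/convert-snort` on the preceding line returned, so a failed or partial conversion would still delete the only copy of the old settings that a second conversion attempt could read. Assuming the converter exits non-zero on failure, gate the removal on its status (for example `/usr/sbin/convert-snort && rm -rvf /var/ipfire/snort`) and leave the directory in place otherwise. Since the commit message says the backup script also starts the converter, doing the removal inside the converter itself would keep the cleanup in one place instead of repeating it in each caller.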