From mboxrd@z Thu Jan 1 00:00:00 1970 
From: Stefan Schantl
To: development@lists.ipfire.org
Subject: Re: [PATCH] core 130: Remove snort settings dir after convert has run.
Date: Mon, 18 Mar 2019 20:31:20 +0100
Message-ID: <72b6e0a312fdc30c8cfa9cc8fd2367bb017ed782.camel@ipfire.org>

>
> Hi,
>
> On March 18, 2019 7:12:35 PM UTC, Michael Tremer <michael.tremer(a)ipfire.org> wrote:
> > Why would the converter read snort.conf?
> >
> > I agree.
> >
> > > On 18 Mar 2019, at 19:11, Stefan Schantl <stefan.schantl(a)ipfire.org> wrote:
> > > > Hi,
> > > >
> > > > I do not see why the converter does not take care of the removal.
> > > > That would only be one place.
> > >
> > > Me, too - I simply implemented it in the same way all other converters
> > > will be handled by the backup.pl script....
> > >
> > > But I found another really important issue in the core 130 update.sh
> > > and the converter.
> > >
> > > The "/etc/snort/snort.conf" will be deleted very early. Exactly before
> > > the converter has had the chance to read the settings from this file.
> > > I'll send a patch to do the removal of the whole snort stuff and the
> > > settings in one step after the converter has done its work, if you
> > > agree with me.
> > >
> > > > But I will merge this if you want me to.
> > > >
> > > > -Michael
> > > >
> > > > > On 18 Mar 2019, at 19:04, Stefan Schantl <stefan.schantl(a)ipfire.org> wrote:
> > > > > > Almost?
> > > > >
> > > > > As long as the files are present, the settings will be converted.
>
> I tuned snort using official documentation - I created
> threshold.conf which contains all treatment for special traffic like
> false positives, IP range exclusions for a signature or multiple
> snort signatures that trigger false positives.
>
> Will such customization (as defined in snort manual) be
> transferred or simply erased?

Hello Horace,

the threshold.conf will not be touched or read by the converter script, so any custom settings will not be converted and because the file is located in "/etc/snort/" it would be deleted (!) during update.

>
> > > > > Maybe in special cases, if a user does something really weird, the
> > > > > converter will fail, but in this case I think it would even be
> > > > > better to start a new clean IPS configuration.
>
> Will creation of threshold.conf be considered weird?
>
> Thanks,
> Horace
>
>
> > > > > > How is this directory removed when a backup was restored?
> > > > > >
> > > > >
> > > > > By the backup.pl script. It checks if after the backup a snort
> > > > > settings dir (/var/ipfire/snort) exists, launches the converter and
> > > > > afterwards deletes the directory.
> > > > >
> > > > > See:
> > > > >
> > > > > https://git.ipfire.org/?p=ipfire-2.x.git;a=commit;h=8c27372438dd267648cba48b86d85a594f14be1c
> > > > > > -Michael
> > > > > >
> > > > > > > On 18 Mar 2019, at 18:56, Stefan Schantl <stefan.schantl(a)ipfire.org> wrote:
> > > > > > >
> > > > > > > Hello Michael,
> > > > > > > > Hi,
> > > > > > > >
> > > > > > > > What happens when the converter has failed? Is that a
> > > > > > > > possibility?
> > > > > > >
> > > > > > > There is almost no risk that this would happen.
> > > > > > >
> > > > > > > It contains checks if all corresponding files are present and will
> > > > > > > contain the settings from them - I do not see a case where any
> > > > > > > problems can happen.
> > > > > > >
> > > > > > > Best regards,
> > > > > > >
> > > > > > > -Stefan
> > > > > > >
> > > > > > > > -Michael
> > > > > > > >
> > > > > > > > > On 18 Mar 2019, at 18:46, Stefan Schantl <stefan.schantl(a)ipfire.org> wrote:
> > > > > > > > >
> > > > > > > > > When all settings have been converted, the files and directory
> > > > > > > > > are not needed anymore.
> > > > > > > > >
> > > > > > > > > If they will be left and at a later time a backup will be
> > > > > > > > > restored, the converter will be started by the backup script
> > > > > > > > > again and would restore those old snort settings and replace
> > > > > > > > > the current IPS settings.
> > > > > > > > >
> > > > > > > > > Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
> > > > > > > > > --- > > > > > > > > > config/rootfiles/core/130/update.sh | 3 +++ > > > > > > > > > 1 file changed, 3 insertions(+) > > > > > > > > >=20 > > > > > > > > > diff --git a/config/rootfiles/core/130/update.sh > > > > > > > > > b/config/rootfiles/core/130/update.sh > > > > > > > > > index d33321c32..f3dc0d85a 100644 > > > > > > > > > --- a/config/rootfiles/core/130/update.sh > > > > > > > > > +++ b/config/rootfiles/core/130/update.sh
> > > > > > > > > @@ -74,6 +74,9 @@ ldconfig > > > > > > > > > # Migrate snort configuration to suricata > > > > > > > > > /usr/sbin/convert-snort > > > > > > > > >=20 > > > > > > > > > +# Remove snort settings > > > > > > > > > +rm -rvf /var/ipfire/snort > > > > > > > > > + > > > > > > > > > # Start services > > > > > > > > > /etc/init.d/collectd restart > > > > > > > > > /etc/init.d/firewall restart > > > > > > > > > --=20 > > > > > > > > > 2.20.1 > > > > > > > > >=20
>
> --
> Horace Michael (aka H&M)
> Please excuse my typos and brevity. Sent from a Smartphone.