From mboxrd@z Thu Jan 1 00:00:00 1970
From: Michael Tremer
To: development@lists.ipfire.org
Subject: Re: [PATCH] core 130: Remove snort settings dir after convert has run.
Date: Mon, 18 Mar 2019 19:22:46 +0000

Hello,

Only the settings from /var/ipfire/ids/settings will be transferred. Suricata uses a different configuration file syntax.

-Michael

> On 18 Mar 2019, at 19:20, Horace Michael wrote:
>
> Hi,
>
> On March 18, 2019 7:12:35 PM UTC, Michael Tremer wrote:
>> Why would the converter read snort.conf?
>>
>> I agree.
>>
>>> On 18 Mar 2019, at 19:11, Stefan Schantl wrote:
>>>
>>>> Hi,
>>>>
>>>> I do not see why the converter does not take care of the removal.
>>>> That would only be one place.
>>>
>>> Me, too - I simply implemented it in the same way all other converters
>>> will be handled by the backup.pl script....
>>>
>>> But I found another really important issue in the core 130 update.sh
>>> and the converter.
>>>
>>> The "/etc/snort/snort.conf" will be deleted very early. Exactly before
>>> the converter has had the chance to read the settings from this file.
>>>
>>> I'll send a patch to do the removal of the whole snort stuff and the
>>> settings in one step after the converter has done its work, if you
>>> agree with me.
>>>
>>>>
>>>> But I will merge this if you want me to.
>>>>
>>>> -Michael
>>>>
>>>>> On 18 Mar 2019, at 19:04, Stefan Schantl wrote:
>>>>>
>>>>>> Almost?
>>>>>
>>>>> As long as the files are present, the settings will be converted.
>
> I tuned snort using the official documentation - I created threshold.conf,
> which contains all treatment for special traffic like false positives, IP
> range exclusions for a signature or multiple snort signatures that trigger
> false positives.
>
> Will such customization (as defined in the snort manual) be transferred or
> simply erased?
>
>>>>> Maybe in special cases, if a user does something really weird, the
>>>>> converter will fail, but in this case I think it would even be better
>>>>> to start a new clean IPS configuration.
>
> Will creation of threshold.conf be considered weird?
>
> Thanks,
> Horace
>
>>>>>
>>>>>> How is this directory removed when a backup was restored?
>>>>>>
>>>>>
>>>>> By the backup.pl script. It checks if after the backup a snort settings
>>>>> dir (/var/ipfire/snort) exists, launches the converter and afterwards
>>>>> deletes the directory.
>>>>>
>>>>> See:
>>>>>
>>>>> https://git.ipfire.org/?p=ipfire-2.x.git;a=commit;h=8c2737243dd267648cba48b86d85a594f14be1c
>>>>>
>>>>>> -Michael
>>>>>>
>>>>>>> On 18 Mar 2019, at 18:56, Stefan Schantl <stefan.schantl(a)ipfire.org> wrote:
>>>>>>>
>>>>>>> Hello Michael,
>>>>>>>> Hi,
>>>>>>>>
>>>>>>>> What happens when the converter has failed? Is that a possibility?
>>>>>>>
>>>>>>> There is almost no risk that this would happen.
>>>>>>>
>>>>>>> It contains checks if all corresponding files are present and will
>>>>>>> contain the settings from them - I do not see a case where any
>>>>>>> problems can happen.
>>>>>>>
>>>>>>> Best regards,
>>>>>>>
>>>>>>> -Stefan
>>>>>>>
>>>>>>>> -Michael
>>>>>>>>
>>>>>>>>> On 18 Mar 2019, at 18:46, Stefan Schantl <stefan.schantl(a)ipfire.org> wrote:
>>>>>>>>>
>>>>>>>>> When all settings have been converted, the files and directory are
>>>>>>>>> not needed anymore.
>>>>>>>>>
>>>>>>>>> If they will be left and at a later time a backup will be restored,
>>>>>>>>> the converter will be started by the backup script again and would
>>>>>>>>> restore those old snort settings and replace the current IPS
>>>>>>>>> settings.
>>>>>>>>>
>>>>>>>>> Signed-off-by: Stefan Schantl
>>>>>>>>> ---
>>>>>>>>> config/rootfiles/core/130/update.sh | 3 +++
>>>>>>>>> 1 file changed, 3 insertions(+)
>>>>>>>>>
>>>>>>>>> diff --git a/config/rootfiles/core/130/update.sh b/config/rootfiles/core/130/update.sh
>>>>>>>>> index d33321c32..f3dc0d85a 100644
>>>>>>>>> --- a/config/rootfiles/core/130/update.sh
>>>>>>>>> +++ b/config/rootfiles/core/130/update.sh
>>>>>>>>> @@ -74,6 +74,9 @@ ldconfig
>>>>>>>>> # Migrate snort configuration to suricata
>>>>>>>>> /usr/sbin/convert-snort
>>>>>>>>>
>>>>>>>>> +# Remove snort settings
>>>>>>>>> +rm -rvf /var/ipfire/snort
>>>>>>>>> +
>>>>>>>>> # Start services
>>>>>>>>> /etc/init.d/collectd restart
>>>>>>>>> /etc/init.d/firewall restart
>>>>>>>>> --
>>>>>>>>> 2.20.1
>>>>>>>>>
>
> --
> Horace Michael (aka H&M)
> Please excuse my typos and brevity. Sent from a Smartphone.
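Review bot: the added `rm -rvf /var/ipfire/snort` runs regardless of how `/usr/sbin/convert-snort` on the line above it exits, so a converter that fails (the case Michael asks about in this thread) still loses the only copy of the old settings. Suggest tying the removal to the converter's exit status, e.g. `/usr/sbin/convert-snort && rm -rf /var/ipfire/snort`, and, given Stefan's finding that `/etc/snort/snort.conf` is deleted earlier in this script than the converter runs, moving every snort removal into this same post-conversion step so the converter sees all its inputs. The `-v` flag also adds one line of output per deleted file to a non-interactive update log, which is probably not wanted here.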
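The ordering the thread converges on (convert first, remove the legacy directory only afterwards) together with Michael's question about a failing converter, as an added example that is not part of this thread and not IPFire's own update.sh or backup.pl: a POSIX shell function that runs the converter while every source file still exists, removes the legacy directory only when the converter exits 0, and does nothing at all when the directory is already gone, so a restored backup cannot trigger a second conversion that overwrites the current settings. `migrate_settings`, the two demo converters and the scratch settings file are hypothetical stand-ins for `convert-snort` and `/var/ipfire/snort`.

```shell
#!/bin/sh
# Added example, not IPFire's update.sh or backup.pl. migrate_settings and
# the demo converters are hypothetical names standing in for convert-snort.

# migrate_settings LEGACY_DIR CONVERTER [ARGS...]
#   returns 0 when there was nothing to migrate, or when the converter
#           succeeded and LEGACY_DIR was removed
#   returns 1 when the converter failed; LEGACY_DIR is kept for inspection
migrate_settings() {
    legacy_dir="$1"
    shift
    # A missing directory means the migration already ran (or never applied):
    # return without invoking the converter, so re-running this on a restored
    # system does not overwrite settings that were converted earlier.
    [ -d "$legacy_dir" ] || return 0
    # Convert while all source files still exist. The converter is expected
    # to exit 0 only after it has written the new configuration.
    if "$@" "$legacy_dir"; then
        rm -rf "$legacy_dir"
        return 0
    fi
    echo "migrate_settings: converter failed, keeping $legacy_dir" >&2
    return 1
}

# Constructed converters for the demo: one that copies the settings file
# next to the legacy directory and succeeds, one that always fails.
demo_good_converter() { cp "$1/settings" "$1/../converted.settings"; }
demo_bad_converter()  { return 3; }

# Stand-alone demo on a scratch directory with a constructed settings file.
demo() {
    d=$(mktemp -d)
    mkdir "$d/snort" && echo "ENABLE_IDS=on" > "$d/snort/settings"
    migrate_settings "$d/snort" demo_good_converter \
        && echo "good converter: settings converted, $d/snort removed"
    mkdir "$d/snort" && echo "ENABLE_IDS=on" > "$d/snort/settings"
    migrate_settings "$d/snort" demo_bad_converter \
        || echo "bad converter: $d/snort kept for inspection"
    rm -rf "$d"
}
demo
```

The function deliberately takes the converter as an argument rather than hard-coding it, so the same guard serves both an update script and a backup-restore path; in both places the legacy directory disappears only once its contents have been consumed.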