Hi,

On March 18, 2019 7:12:35 PM UTC, Michael Tremer wrote:
>Why would the converter read snort.conf?
>
>I agree.
>
>> On 18 Mar 2019, at 19:11, Stefan Schantl wrote:
>>
>>> Hi,
>>>
>>> I do not see why the converter does not take care of the removal.
>>> That would only be one place.
>>
>> Me, too - I simply implemented it in the same way all other converters
>> will be handled by the backup.pl script....
>>
>> But I found another really important issue in the core 130 update.sh
>> and the converter.
>>
>> The "/etc/snort/snort.conf" will be deleted very early. Exactly before
>> the converter has had the chance to read the settings from this file.
>>
>> I'll send a patch to do the removal of the whole snort stuff and the
>> settings in one step after the converter has done its work, if you
>> agree with me.
>>
>>>
>>> But I will merge this if you want me to.
>>>
>>> -Michael
>>>
>>>> On 18 Mar 2019, at 19:04, Stefan Schantl wrote:
>>>>
>>>>> Almost?
>>>>
>>>> As long as the files are present, the settings will be converted.

I tuned snort using the official documentation - I created threshold.conf, which contains all the treatment for special traffic like false positives, IP range exclusions for a signature or multiple snort signatures that trigger false positives. Will such customization (as defined in the snort manual) be transferred or simply erased?

>>>> Maybe in special cases, if a user does something really weird, the
>>>> converter will fail, but in this case I think it would even be
>>>> better to start a new clean IPS configuration.

Will creation of threshold.conf be considered weird?

Thanks,
Horace

>>>>
>>>>> How is this directory removed when a backup was restored?
>>>>>
>>>>
>>>> By the backup.pl script. It checks if after the backup a snort settings
>>>> dir (/var/ipfire/snort) exists, launches the converter and afterwards
>>>> deletes the directory.
>>>>
>>>> See:
>>>>
>>>> https://git.ipfire.org/?p=ipfire-2.x.git;a=commit;h=8c27372438dd267648cba48b86d85a594f14be1c
>>>>
>>>>> -Michael
>>>>>
>>>>>> On 18 Mar 2019, at 18:56, Stefan Schantl <stefan.schantl(a)ipfire.org> wrote:
>>>>>>
>>>>>> Hello Michael,
>>>>>>> Hi,
>>>>>>>
>>>>>>> What happens when the converter has failed? Is that a
>>>>>>> possibility?
>>>>>>
>>>>>> There is almost no risk that this would happen.
>>>>>>
>>>>>> It contains checks if all corresponding files are present and will
>>>>>> contain the settings from them - I do not see a case where any
>>>>>> problems can happen.
>>>>>>
>>>>>> Best regards,
>>>>>>
>>>>>> -Stefan
>>>>>>
>>>>>>> -Michael
>>>>>>>
>>>>>>>> On 18 Mar 2019, at 18:46, Stefan Schantl <stefan.schantl(a)ipfire.org> wrote:
>>>>>>>>
>>>>>>>> When all settings have been converted, the files and directory
>>>>>>>> are not needed anymore.
>>>>>>>>
>>>>>>>> If they are left and at a later time a backup is restored, the
>>>>>>>> converter will be started by the backup script again and would
>>>>>>>> restore those old snort settings and replace the current IPS
>>>>>>>> settings.
>>>>>>>>
>>>>>>>> Signed-off-by: Stefan Schantl
>>>>>>>> --- >>>>>>>> config/rootfiles/core/130/update.sh | 3 +++ >>>>>>>> 1 file changed, 3 insertions(+) >>>>>>>> >>>>>>>> diff --git a/config/rootfiles/core/130/update.sh >>>>>>>> b/config/rootfiles/core/130/update.sh >>>>>>>> index d33321c32..f3dc0d85a 100644 >>>>>>>> --- a/config/rootfiles/core/130/update.sh >>>>>>>> +++ b/config/rootfiles/core/130/update.sh
>>>>>>>> @@ -74,6 +74,9 @@ ldconfig >>>>>>>> # Migrate snort configuration to suricata >>>>>>>> /usr/sbin/convert-snort >>>>>>>> >>>>>>>> +# Remove snort settings >>>>>>>> +rm -rvf /var/ipfire/snort >>>>>>>> + >>>>>>>> # Start services >>>>>>>> /etc/init.d/collectd restart >>>>>>>> /etc/init.d/firewall restart >>>>>>>> -- >>>>>>>> 2.20.1 >>>>>>>> -- Horace Michael (aka H&M) Please excuse my typos and brevity. Sent from a Smartphone.
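
Review bot: the added `rm -rvf /var/ipfire/snort` runs unconditionally right after `/usr/sbin/convert-snort`, and the exit status of the converter is never checked, so a failed or partial conversion still ends with the old snort settings directory deleted. Guard the removal on success, for example `/usr/sbin/convert-snort && rm -rvf /var/ipfire/snort`, or move the removal into the converter so it happens in one place once the new settings have been written. It would also help to extend the `# Remove snort settings` comment with the reason given in the commit message: the directory has to go so that a later backup restore does not start the converter again and replace the current IPS settings.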