From: Horace Michael
To: development@lists.ipfire.org
Subject: Re: [PATCH] core 130: Remove snort settings dir after convert has run.
Date: Mon, 18 Mar 2019 19:20:42 +0000
In-Reply-To: <0DAF84CB-ED9A-44CA-BAC4-A56F38C66B49@ipfire.org>

Hi,

On March 18, 2019 7:12:35 PM UTC, Michael Tremer wrote:
>Why would the converter read snort.conf?
>
>I agree.
>
>> On 18 Mar 2019, at 19:11, Stefan Schantl wrote:
>>
>>> Hi,
>>>
>>> I do not see why the converter does not take care of the removal.
>>> That would only be one place.
>>
>> Me too - I simply implemented it in the same way all other converters
>> will be handled by the backup.pl script....
>>
>> But I found another really important issue in the core 130 update.sh
>> and the converter.
>>
>> The "/etc/snort/snort.conf" will be deleted very early, exactly before
>> the converter has had the chance to read the settings from this file.
>>
>> I'll send a patch to do the removal of the whole snort stuff and the
>> settings in one step after the converter has done its work, if you
>> agree with me.
>>
>>>
>>> But I will merge this if you want me to.
>>>
>>> -Michael
>>>
>>>> On 18 Mar 2019, at 19:04, Stefan Schantl wrote:
>>>>
>>>>> Almost?
>>>>
>>>> As long as the files are present, the settings will be converted.

I tuned snort using the official documentation - I created a threshold.conf which contains all treatment for special traffic like false positives, IP range exclusions for a signature, or multiple snort signatures that trigger false positives.

Will such customization (as defined in the snort manual) be transferred or simply erased?

>>>> Maybe in special cases, if a user does something really weird, the
>>>> converter will fail, but in this case I think it would even be
>>>> better to start a new clean IPS configuration.

Will creation of threshold.conf be considered weird?

Thanks,
Horace

>>>>
>>>>> How is this directory removed when a backup was restored?
>>>>>
>>>>
>>>> By the backup.pl script. It checks if after the backup a snort
>>>> settings dir (/var/ipfire/snort) exists, launches the converter and
>>>> afterwards deletes the directory.
>>>>
>>>> See:
>>>>
>>>> https://git.ipfire.org/?p=ipfire-2.x.git;a=commit;h=8c27372438dd267648cba48b86d85a594f14be1c
>>>>
>>>>> -Michael
>>>>>
>>>>>> On 18 Mar 2019, at 18:56, Stefan Schantl <stefan.schantl(a)ipfire.org> wrote:
>>>>>>
>>>>>> Hello Michael,
>>>>>>> Hi,
>>>>>>>
>>>>>>> What happens when the converter has failed? Is that a
>>>>>>> possibility?
>>>>>>
>>>>>> There is almost no risk that this would happen.
>>>>>>
>>>>>> It contains checks if all corresponding files are present and
>>>>>> will contain the settings from them - I do not see a case where
>>>>>> any problems can happen.
>>>>>>
>>>>>> Best regards,
>>>>>>
>>>>>> -Stefan
>>>>>>
>>>>>>> -Michael
>>>>>>>
>>>>>>>> On 18 Mar 2019, at 18:46, Stefan Schantl <stefan.schantl(a)ipfire.org> wrote:
>>>>>>>>
>>>>>>>> When all settings have been converted, the files and directory
>>>>>>>> are not needed anymore.
>>>>>>>>
>>>>>>>> If they are left and at a later time a backup is restored, the
>>>>>>>> converter will be started by the backup script again and would
>>>>>>>> restore those old snort settings and replace the current IPS
>>>>>>>> settings.
>>>>>>>>
>>>>>>>> Signed-off-by: Stefan Schantl
>>>>>>>> ---
>>>>>>>> config/rootfiles/core/130/update.sh | 3 +++
>>>>>>>> 1 file changed, 3 insertions(+)
>>>>>>>>
>>>>>>>> diff --git a/config/rootfiles/core/130/update.sh b/config/rootfiles/core/130/update.sh
>>>>>>>> index d33321c32..f3dc0d85a 100644
>>>>>>>> --- a/config/rootfiles/core/130/update.sh
>>>>>>>> +++ b/config/rootfiles/core/130/update.sh
>>>>>>>> @@ -74,6 +74,9 @@ ldconfig
>>>>>>>> # Migrate snort configuration to suricata
>>>>>>>> /usr/sbin/convert-snort
>>>>>>>>
>>>>>>>> +# Remove snort settings
>>>>>>>> +rm -rvf /var/ipfire/snort
>>>>>>>> +
>>>>>>>> # Start services
>>>>>>>> /etc/init.d/collectd restart
>>>>>>>> /etc/init.d/firewall restart
>>>>>>>> --
>>>>>>>> 2.20.1
>>>>>>>>

--
Horace Michael (aka H&M)
Please excuse my typos and brevity. Sent from a Smartphone.
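Review bot: the `rm -rvf /var/ipfire/snort` added directly after `/usr/sbin/convert-snort` in this hunk runs unconditionally, so a converter that exits non-zero still has its only input deleted, leaving nothing to retry or inspect. Suggest tying the removal to the converter's exit status, e.g. `/usr/sbin/convert-snort && rm -rf /var/ipfire/snort`, or moving the directory aside (`mv /var/ipfire/snort /var/ipfire/snort.migrated`) so files the converter does not migrate, such as the threshold.conf raised in this thread, are not lost; the `-v` on `rm` only adds noise to the update log. Since the thread states that backup.pl already removes this directory after running the converter on a restore, doing the removal inside the converter, as suggested earlier in the thread, would keep that logic in one place rather than two.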
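Added example, not the update.sh or backup.pl code from the thread: a POSIX sh function that performs the migration step discussed above (run the converter, then remove the old settings directory) but removes, or optionally archives, the directory only when the converter exits successfully. The directory path, converter command and archive location are parameters chosen by the caller; the values used in the thread are /var/ipfire/snort and /usr/sbin/convert-snort.

```shell
#!/bin/sh
# Added example (not IPFire's update.sh or backup.pl): guarded version of the
# "run converter, then remove old settings dir" step from the thread.
# Usage: migrate_snort_settings <settings_dir> <converter_cmd> [<archive_dir>]
#   settings_dir   old snort settings directory (thread: /var/ipfire/snort)
#   converter_cmd  command that migrates the settings (thread: /usr/sbin/convert-snort)
#   archive_dir    optional; when given, the old dir is moved here instead of deleted
# Returns 0 when there was nothing to do or the migration succeeded, 1 when the
# converter failed (the old directory is then left untouched for a retry).
migrate_snort_settings() {
    settings_dir="$1"
    converter_cmd="$2"
    archive_dir="${3:-}"

    # Nothing to migrate: fresh install, or an earlier run already cleaned up.
    # This is also what stops a restored backup from re-running the migration
    # once the directory is gone.
    [ -d "$settings_dir" ] || return 0

    # Run the converter while every input file is still in place; only its
    # exit status decides whether the old directory may go away.
    if ! "$converter_cmd"; then
        echo "converter failed, keeping $settings_dir for inspection" >&2
        return 1
    fi

    if [ -n "$archive_dir" ]; then
        # Keep a copy so files the converter did not migrate (e.g. a
        # hand-written threshold.conf) can still be recovered by the admin.
        mkdir -p "$archive_dir"
        mv "$settings_dir" "$archive_dir/snort.$$"
    else
        rm -rf "$settings_dir"
    fi
    return 0
}
```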