Hello,
Only the settings from /var/ipfire/ids/settings will be transferred.
Suricata uses a different configuration file syntax.
-Michael
On 18 Mar 2019, at 19:20, Horace Michael horace.michael@gmx.com wrote:
Hi,
On March 18, 2019 7:12:35 PM UTC, Michael Tremer michael.tremer@ipfire.org wrote:
Why would the converter read snort.conf?
I agree.
On 18 Mar 2019, at 19:11, Stefan Schantl stefan.schantl@ipfire.org wrote:
Hi,
I do not see why the converter does not take care of the removal. That would only be one place.
Me, too - I simply implemented it in the same way all other converters will be handled by the backup.pl script....
But I found another really important issue in the core 130 update.sh and the converter.
The "/etc/snort/snort.conf" will be deleted very early. Exactly before the converter has had the chance to read the settings from this file.
I'll send a patch to do the removal of the whole snort stuff and the settings in one step after the converter has done its work, if you agree with me.
But I will merge this if you want me to.
-Michael
On 18 Mar 2019, at 19:04, Stefan Schantl <stefan.schantl@ipfire.org> wrote:
Almost?
As long as the files are present, the settings will be converted.
I tuned snort using the official documentation - I created threshold.conf, which contains all treatment for special traffic like false positives, IP range exclusions for a signature or multiple snort signatures that trigger false positives.
Will such customization (as defined in the snort manual) be transferred or simply erased?
Maybe in special cases, if a user does something really weird, the converter will fail, but in this case I think it would even be better to start a new clean IPS configuration.
Will creation of threshold.conf be considered weird?
Thanks, Horace
How is this directory removed when a backup was restored?
By the backup.pl script. It checks if after the backup a snort settings dir (/var/ipfire/snort) exists, launches the converter and afterwards deletes the directory.
See:
https://git.ipfire.org/?p=ipfire-2.x.git;a=commit;h=8c27372438dd267648cba48b...
-Michael
> On 18 Mar 2019, at 18:56, Stefan Schantl < > stefan.schantl@ipfire.org >> wrote: > > Hello Michael, >> Hi, >> >> What happens when the converter has failed? Is that a >> possibility? > > There is almost no risk, that this would be happened. > > It contains checks if all corresponding files are present and > will > contain the settings from them - I do not see a case where any > problems > can be happen. > > Best regards, > > -Stefan > >> -Michael >> >>> On 18 Mar 2019, at 18:46, Stefan Schantl < >>> stefan.schantl@ipfire.org >>>> wrote: >>> >>> When all settings have been converted, the files and >>> directory >>> are >>> not >>> needed anymore. >>> >>> If they will be left and at a later time an backup will be >>> restored, the >>> converter will be started by the backup script again and >>> would >>> be >>> restore those >>> old snort settings and replace the current IPS settings. >>> >>> Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org >>> --- >>> config/rootfiles/core/130/update.sh | 3 +++ >>> 1 file changed, 3 insertions(+) >>> >>> diff --git a/config/rootfiles/core/130/update.sh >>> b/config/rootfiles/core/130/update.sh >>> index d33321c32..f3dc0d85a 100644 >>> --- a/config/rootfiles/core/130/update.sh >>> +++ b/config/rootfiles/core/130/update.sh >>> @@ -74,6 +74,9 @@ ldconfig >>> # Migrate snort configuration to suricata >>> /usr/sbin/convert-snort >>> >>> +# Remove snort settings >>> +rm -rvf /var/ipfire/snort >>> + >>> # Start services >>> /etc/init.d/collectd restart >>> /etc/init.d/firewall restart >>> -- >>> 2.20.1 >>>
-- Horace Michael (aka H&M) Please excuse my typos and brevity. Sent from a Smartphone.