Issues 853 854 855

debian/changelog

@@ -1,3 +1,9 @@
+securityonion-nsmnow-admin-scripts (20120724-0ubuntu0securityonion129) trusty; urgency=medium
+
+  * Issues 853 854 855 
+
+ -- Doug Burks <doug.burks@gmail.com>  Fri, 05 Feb 2016 13:40:05 -0500
+
 securityonion-nsmnow-admin-scripts (20120724-0ubuntu0securityonion128) trusty; urgency=medium
 
   * check for snorby output before trying to disable 

debian/patches/Issues-853-854-855

@@ -0,0 +1,239 @@
+Description: <short summary of the patch>
+ TODO: Put a short summary on the line above and replace this paragraph
+ with a longer explanation of this change. Complete the meta-information
+ with other relevant fields (see below for details). To make it easier, the
+ information below has been extracted from the changelog. Adjust it or drop
+ it.
+ .
+ securityonion-nsmnow-admin-scripts (20120724-0ubuntu0securityonion129) trusty; urgency=medium
+ .
+   * Issues 853 854 855
+Author: Doug Burks <doug.burks@gmail.com>
+
+---
+The information above should follow the Patch Tagging Guidelines, please
+checkout http://dep.debian.net/deps/dep3/ to learn about the format. Here
+are templates for supplementary fields that you might want to add:
+
+Origin: <vendor|upstream|other>, <url of original patch>
+Bug: <url in upstream bugtracker>
+Bug-Debian: http://bugs.debian.org/<bugnumber>
+Bug-Ubuntu: https://launchpad.net/bugs/<bugnumber>
+Forwarded: <no|not-needed|url proving that it has been forwarded>
+Reviewed-By: <name and email of someone who approved the patch>
+Last-Update: <YYYY-MM-DD>
+
+--- securityonion-nsmnow-admin-scripts-20120724.orig/usr/sbin/nsm_sensor_ps-restart
++++ securityonion-nsmnow-admin-scripts-20120724/usr/sbin/nsm_sensor_ps-restart
+@@ -468,7 +468,7 @@ do
+ 	[ "$PCAP_AGENT_ENABLED" == "yes" ] && [ -z "$SKIP_PCAP_AGENT" ] && $ACTION "/usr/bin/pcap_agent.tcl" "-c $PCAP_AGENT_CONFIG" "$PROCESS_PID_DIR/$SENSOR/pcap_agent.pid" "$PROCESS_LOG_DIR/$SENSOR/pcap_agent.log" "pcap_agent (sguil)" "$SENSOR_USER"
+
+ 	# restart snort_agent
+-        if grep -i "suricata" /etc/nsm/securityonion.conf >/dev/null; then
++        if [ "$ENGINE" == "suricata" ]; then
+ 		[ "$SNORT_AGENT_ENABLED" == "yes" ] && [ -z "$SKIP_SNORT_AGENT" ] && $ACTION "/usr/bin/snort_agent.tcl" "-c $SNORT_AGENT_CONFIG" "$PROCESS_PID_DIR/$SENSOR/snort_agent.pid" "$PROCESS_LOG_DIR/$SENSOR/snort_agent.log" "snort_agent (sguil)" "$SENSOR_USER"
+ 	else
+                 for i in `seq 1 $IDS_LB_PROCS`; do
+@@ -514,13 +514,17 @@ do
+         sed -i "s|^config daq_var: clusterid=.*$|config daq_var: clusterid=$CLUSTER_ID|g" /etc/nsm/$SENSOR/snort.conf
+         # Update suricata.yaml with new $CLUSTER_ID
+         sed -i "s|cluster-id:.*$|cluster-id: $CLUSTER_ID|g" /etc/nsm/$SENSOR/suricata.yaml
+-        if grep -i "suricata" /etc/nsm/securityonion.conf >/dev/null
+-	then
++	# PF_RING 6.2.0 won't allow an empty BPF file
++	BPF_OPTION=""
++	BPF_IDS=/etc/nsm/$SENSOR/bpf-ids.conf
++	[ -s $BPF_IDS ] && BPF_OPTION="-F $BPF_IDS"
++	# Suricata or Snort?
++        if [ "$ENGINE" == "suricata" ]; then
+ 		# copy IDS_LB_PROCS from sensor.conf
+ 		IDS_LB_PROCS=`grep IDS_LB_PROCS /etc/nsm/$SENSOR/sensor.conf | cut -d\= -f2`
+                 sed -i "s|    threads: .*|    threads: $IDS_LB_PROCS|g" /etc/nsm/$SENSOR/suricata.yaml
+ 		# start Suricata
+-                [ "$IDS_ENGINE_ENABLED" == "yes" ] && [ -z "$SKIP_SNORT_ALERT" ] && $ACTION "suricata" "--user $SENSOR_USER --group $SENSOR_GROUP -c /etc/nsm/$SENSOR/suricata.yaml --pfring=$SENSOR_INTERFACE_SHORT -F /etc/nsm/$SENSOR/bpf-ids.conf -l $SENSOR_LOG_DIR " "$PROCESS_PID_DIR/$SENSOR/suricata.pid" "$PROCESS_LOG_DIR/$SENSOR/suricata.log" "suricata (alert data)"
++                [ "$IDS_ENGINE_ENABLED" == "yes" ] && [ -z "$SKIP_SNORT_ALERT" ] && $ACTION "suricata" "--user $SENSOR_USER --group $SENSOR_GROUP -c /etc/nsm/$SENSOR/suricata.yaml --pfring=$SENSOR_INTERFACE_SHORT $BPF_OPTION -l $SENSOR_LOG_DIR " "$PROCESS_PID_DIR/$SENSOR/suricata.pid" "$PROCESS_LOG_DIR/$SENSOR/suricata.log" "suricata (alert data)"
+ 	else
+ 		# Need to set a unique PF_RING CLUSTER_ID for each interface
+                 CLUSTER_ID=`grep -n $SENSOR /etc/nsm/sensortab |cut -d\: -f1`; let CLUSTER_ID+=50
+@@ -533,27 +537,20 @@ do
+                         UNI_DIR=$SENSOR_LOG_DIR/snort-$i
+ 			mkdir -p $UNI_DIR
+ 			chown $SENSOR_USER:$SENSOR_GROUP $UNI_DIR
+-                        [ "$IDS_ENGINE_ENABLED" == "yes" ] && [ -z "$SKIP_SNORT_ALERT" ] && $ACTION "snort" "-c $SNORT_CONFIG -u $SENSOR_USER -g $SENSOR_GROUP -i $SENSOR_INTERFACE_SHORT -F /etc/nsm/$SENSOR/bpf-ids.conf -l $UNI_DIR --perfmon-file $PERFMON $SNORT_OPTIONS" "$PID" "$LOG" "snort-$i (alert data)"
++			[ "$IDS_ENGINE_ENABLED" == "yes" ] && [ -z "$SKIP_SNORT_ALERT" ] && $ACTION "snort" "-c $SNORT_CONFIG -u $SENSOR_USER -g $SENSOR_GROUP -i $SENSOR_INTERFACE_SHORT $BPF_OPTION -l $UNI_DIR --perfmon-file $PERFMON $SNORT_OPTIONS" "$PID" "$LOG" "snort-$i (alert data)"
+ 		done
+ 	fi
+
+ 	# restart barnyard2
+ 	# If running Suricata, we only have a single instance of barnyard2.
+         # If running Snort with pfring load-balancing, we have one instance of barnyard2 per Snort instance.
+-        if grep -i "suricata" /etc/nsm/securityonion.conf >/dev/null
+-        then
++        if [ "$ENGINE" == "suricata" ]; then
+                 # we only have a single instance of barnyard2
+
+ 		# make sure the waldo file exists and is owned by proper user
+ 		touch $BARNYARD2_WALDO
+ 		chown $SENSOR_USER:$SENSOR_GROUP $BARNYARD2_WALDO
+
+-                # update the barnyard2 config for the new version of barnyard2
+-                # that adds the disable_signature_reference_table option
+-                if ! grep disable_signature_reference_table $BARNYARD2_CONFIG >/dev/null 2>&1; then 
+-                        sed -i 's|output database: alert, mysql, user=root dbname=snorby host=127.0.0.1|output database: alert, mysql, user=root dbname=snorby host=127.0.0.1 disable_signature_reference_table|g' $BARNYARD2_CONFIG
+-                fi
+-
+ 		# start barnyard2
+ 		[ "$BARNYARD2_ENABLED" == "yes" ] && [ -z "$SKIP_BARNYARD2" ] && $ACTION "barnyard2" "-c $BARNYARD2_CONFIG -u $SENSOR_USER -g $SENSOR_GROUP -d $SENSOR_LOG_DIR -f snort.unified2 -w $BARNYARD2_WALDO -i 1 $BARNYARD2_OPTIONS" "$PROCESS_PID_DIR/$SENSOR/barnyard2.pid" "$PROCESS_LOG_DIR/$SENSOR/barnyard2.log" "barnyard2 (spooler, unified2 format)"
+ 	else
+@@ -575,12 +572,6 @@ do
+ 			touch $WALDO
+ 			chown $SENSOR_USER:$SENSOR_GROUP $WALDO
+
+-	                # update the barnyard2 config for the new version of barnyard2
+-        	        # that adds the disable_signature_reference_table option
+-                	if ! grep disable_signature_reference_table $BARNYARD2_CONFIG >/dev/null 2>&1; then 
+-                        	sed -i 's|output database: alert, mysql, user=root dbname=snorby host=127.0.0.1|output database: alert, mysql, user=root dbname=snorby host=127.0.0.1 disable_signature_reference_table|g' $BARNYARD2_CONFIG
+-                	fi
+-
+ 			# start barnyard2
+ 			[ "$BARNYARD2_ENABLED" == "yes" ] && [ -z "$SKIP_BARNYARD2" ] && $ACTION "barnyard2" "-c $BARNYARD2_CONFIG -u $SENSOR_USER -g $SENSOR_GROUP -d $UNI_DIR -f snort.unified2 -w $WALDO -i $i $BARNYARD2_OPTIONS" "$PID" "$LOG" "barnyard2-$i (spooler, unified2 format)"
+ 		done
+--- securityonion-nsmnow-admin-scripts-20120724.orig/usr/sbin/nsm_sensor_ps-start
++++ securityonion-nsmnow-admin-scripts-20120724/usr/sbin/nsm_sensor_ps-start
+@@ -472,7 +472,7 @@ do
+ 	[ "$PCAP_AGENT_ENABLED" == "yes" ] && [ -z "$SKIP_PCAP_AGENT" ] && process_start "/usr/bin/pcap_agent.tcl" "-c $PCAP_AGENT_CONFIG" "$PROCESS_PID_DIR/$SENSOR/pcap_agent.pid" "$PROCESS_LOG_DIR/$SENSOR/pcap_agent.log" "pcap_agent (sguil)" "$SENSOR_USER"
+
+ 	# need multiple snort_agents if running multiple snorts
+-	if grep -i "suricata" /etc/nsm/securityonion.conf >/dev/null; then
++	if [ "$ENGINE" == "suricata" ]; then
+ 		[ "$SNORT_AGENT_ENABLED" == "yes" ] && [ -z "$SKIP_SNORT_AGENT" ] && process_start "/usr/bin/snort_agent.tcl" "-c $SNORT_AGENT_CONFIG" "$PROCESS_PID_DIR/$SENSOR/snort_agent.pid" "$PROCESS_LOG_DIR/$SENSOR/snort_agent.log" "snort_agent (sguil)" "$SENSOR_USER"
+ 	else
+ 		# Start $IDS_LB_PROCS instances of snort_agent
+@@ -522,13 +522,17 @@ do
+ 	sed -i "s|^config daq_var: clusterid=.*$|config daq_var: clusterid=$CLUSTER_ID|g" /etc/nsm/$SENSOR/snort.conf
+ 	# Update suricata.yaml with new $CLUSTER_ID
+ 	sed -i "s|cluster-id:.*$|cluster-id: $CLUSTER_ID|g" /etc/nsm/$SENSOR/suricata.yaml
+-	if grep -i "suricata" /etc/nsm/securityonion.conf >/dev/null
+-	then
++	# PF_RING 6.2.0 won't allow an empty BPF file
++	BPF_OPTION=""
++	BPF_IDS=/etc/nsm/$SENSOR/bpf-ids.conf
++	[ -s $BPF_IDS ] && BPF_OPTION="-F $BPF_IDS"
++	# Snort or Suricata?
++	if [ "$ENGINE" == "suricata" ]; then
+ 		# copy IDS_LB_PROCS from sensor.conf
+ 		IDS_LB_PROCS=`grep IDS_LB_PROCS /etc/nsm/$SENSOR/sensor.conf | cut -d\= -f2`
+ 		sed -i "s|    threads: .*|    threads: $IDS_LB_PROCS|g" /etc/nsm/$SENSOR/suricata.yaml
+ 		# start Suricata
+-   		[ "$IDS_ENGINE_ENABLED" == "yes" ] && [ -z "$SKIP_SNORT_ALERT" ] && process_start "suricata" "--user $SENSOR_USER --group $SENSOR_GROUP -c /etc/nsm/$SENSOR/suricata.yaml --pfring=$SENSOR_INTERFACE_SHORT -F /etc/nsm/$SENSOR/bpf-ids.conf -l $SENSOR_LOG_DIR " "$PROCESS_PID_DIR/$SENSOR/suricata.pid" "$PROCESS_LOG_DIR/$SENSOR/suricata.log" "suricata (alert data)"
++   		[ "$IDS_ENGINE_ENABLED" == "yes" ] && [ -z "$SKIP_SNORT_ALERT" ] && process_start "suricata" "--user $SENSOR_USER --group $SENSOR_GROUP -c /etc/nsm/$SENSOR/suricata.yaml --pfring=$SENSOR_INTERFACE_SHORT $BPF_OPTION -l $SENSOR_LOG_DIR " "$PROCESS_PID_DIR/$SENSOR/suricata.pid" "$PROCESS_LOG_DIR/$SENSOR/suricata.log" "suricata (alert data)"
+ 	else	
+ 		# Start $IDS_LB_PROCS instances of Snort using pfring load-balancing
+ 		for i in `seq 1 $IDS_LB_PROCS`; do
+@@ -538,27 +542,20 @@ do
+ 			UNI_DIR=$SENSOR_LOG_DIR/snort-$i
+ 			mkdir -p $UNI_DIR
+ 			chown $SENSOR_USER:$SENSOR_GROUP $UNI_DIR
+-   			[ "$IDS_ENGINE_ENABLED" == "yes" ] && [ -z "$SKIP_SNORT_ALERT" ] && process_start "snort" "-c $SNORT_CONFIG -u $SENSOR_USER -g $SENSOR_GROUP -i $SENSOR_INTERFACE_SHORT -F /etc/nsm/$SENSOR/bpf-ids.conf -l $UNI_DIR --perfmon-file $PERFMON $SNORT_OPTIONS" "$PID" "$LOG" "snort-$i (alert data)"
++   			[ "$IDS_ENGINE_ENABLED" == "yes" ] && [ -z "$SKIP_SNORT_ALERT" ] && process_start "snort" "-c $SNORT_CONFIG -u $SENSOR_USER -g $SENSOR_GROUP -i $SENSOR_INTERFACE_SHORT $BPF_OPTION -l $UNI_DIR --perfmon-file $PERFMON $SNORT_OPTIONS" "$PID" "$LOG" "snort-$i (alert data)"
+ 		done
+ 	fi
+
+ 	# start barnyard2
+ 	# If running Suricata, we only need a single instance of barnyard2.
+ 	# If running Snort with pfring load-balancing, we need one instance of barnyard2 per Snort instance.
+-	if grep -i "suricata" /etc/nsm/securityonion.conf >/dev/null
+-	then
++	if [ "$ENGINE" == "suricata" ]; then
+ 		# we only need a single instance of barnyard2 for suricata
+
+ 		# make sure the waldo file exists and is owned by proper user
+ 		touch $BARNYARD2_WALDO
+ 		chown $SENSOR_USER:$SENSOR_GROUP $BARNYARD2_WALDO
+
+-		# update the barnyard2 config for the new version of barnyard2
+-		# that adds the disable_signature_reference_table option
+-		if ! grep disable_signature_reference_table $BARNYARD2_CONFIG >/dev/null 2>&1; then 
+-			sed -i 's|output database: alert, mysql, user=root dbname=snorby host=127.0.0.1|output database: alert, mysql, user=root dbname=snorby host=127.0.0.1 disable_signature_reference_table|g' $BARNYARD2_CONFIG
+-		fi
+-		
+ 		# start barnyard2
+ 		[ "$BARNYARD2_ENABLED" == "yes" ] && [ -z "$SKIP_BARNYARD2" ] && process_start "barnyard2" "-c $BARNYARD2_CONFIG -u $SENSOR_USER -g $SENSOR_GROUP -d $SENSOR_LOG_DIR -f snort.unified2 -w $BARNYARD2_WALDO -i 1 $BARNYARD2_OPTIONS" "$PROCESS_PID_DIR/$SENSOR/barnyard2.pid" "$PROCESS_LOG_DIR/$SENSOR/barnyard2.log" "barnyard2 (spooler, unified2 format)"
+ 	else
+@@ -580,12 +577,6 @@ do
+ 			touch $WALDO
+ 			chown $SENSOR_USER:$SENSOR_GROUP $WALDO
+
+-			# update the barnyard2 config for the new version of barnyard2
+-			# that adds the disable_signature_reference_table option
+-			if ! grep disable_signature_reference_table $BARNYARD2_CONFIG >/dev/null 2>&1; then 
+-				sed -i 's|output database: alert, mysql, user=root dbname=snorby host=127.0.0.1|output database: alert, mysql, user=root dbname=snorby host=127.0.0.1 disable_signature_reference_table|g' $BARNYARD2_CONFIG
+-			fi
+-		
+ 			# start barnyard2
+ 			[ "$BARNYARD2_ENABLED" == "yes" ] && [ -z "$SKIP_BARNYARD2" ] && process_start "barnyard2" "-c $BARNYARD2_CONFIG -u $SENSOR_USER -g $SENSOR_GROUP -d $UNI_DIR -f snort.unified2 -w $WALDO -i $i $BARNYARD2_OPTIONS" "$PID" "$LOG" "barnyard2-$i (spooler, unified2 format)"
+ 		done
+--- securityonion-nsmnow-admin-scripts-20120724.orig/usr/sbin/nsm_sensor_ps-status
++++ securityonion-nsmnow-admin-scripts-20120724/usr/sbin/nsm_sensor_ps-status
+@@ -377,8 +377,7 @@ do
+ 	[ "$PCAP_AGENT_ENABLED" == "yes" ] && [ -z "$SKIP_PCAP_AGENT" ] && process_status "pcap_agent.tcl" "$PROCESS_PID_DIR/$SENSOR/pcap_agent.pid" "pcap_agent (sguil)"
+
+ 	# snort_agent
+-        if grep -i "suricata" /etc/nsm/securityonion.conf >/dev/null
+-	then
++        if [ "$ENGINE" == "suricata" ]; then
+ 		[ "$SNORT_AGENT_ENABLED" == "yes" ] && [ -z "$SKIP_SNORT_AGENT" ] && process_status "snort_agent.tcl" "$PROCESS_PID_DIR/$SENSOR/snort_agent.pid" "snort_agent (sguil)"
+ 	else
+                 for i in `seq 1 $IDS_LB_PROCS`; do
+@@ -387,8 +386,7 @@ do
+ 	fi
+
+ 	# status the IDS engine
+-        if grep -i "suricata" /etc/nsm/securityonion.conf >/dev/null
+-	then
++        if [ "$ENGINE" == "suricata" ]; then
+ 		[ "$IDS_ENGINE_ENABLED" == "yes" ] && [ -z "$SKIP_SNORT_ALERT" ] && process_status "suricata" "$PROCESS_PID_DIR/$SENSOR/suricata.pid" "suricata (alert data)"
+ 	else
+                 for i in `seq 1 $IDS_LB_PROCS`; do
+@@ -397,8 +395,7 @@ do
+ 	fi
+
+ 	# status barnyard2
+-        if grep -i "suricata" /etc/nsm/securityonion.conf >/dev/null
+-	then
++        if [ "$ENGINE" == "suricata" ]; then
+ 		[ "$BARNYARD2_ENABLED" == "yes" ] && [ -z "$SKIP_BARNYARD2" ] && process_status "barnyard2" "$PROCESS_PID_DIR/$SENSOR/barnyard2.pid" "barnyard2 (spooler, unified2 format)"
+ 	else
+                 for i in `seq 1 $IDS_LB_PROCS`; do
+--- securityonion-nsmnow-admin-scripts-20120724.orig/usr/sbin/nsm_sensor_ps-stop
++++ securityonion-nsmnow-admin-scripts-20120724/usr/sbin/nsm_sensor_ps-stop
+@@ -378,8 +378,7 @@ do
+ 	[ "$PCAP_AGENT_ENABLED" == "yes" ] && [ -z "$SKIP_PCAP_AGENT" ] && process_stop "pcap_agent.tcl" "$PROCESS_PID_DIR/$SENSOR/pcap_agent.pid" "pcap_agent (sguil)"
+
+ 	# stop the snort_agent
+-        if grep -i "suricata" /etc/nsm/securityonion.conf >/dev/null
+-	then
++        if [ "$ENGINE" == "suricata" ]; then
+ 		[ "$SNORT_AGENT_ENABLED" == "yes" ] && [ -z "$SKIP_SNORT_AGENT" ] && process_stop "snort_agent.tcl" "$PROCESS_PID_DIR/$SENSOR/snort_agent.pid" "snort_agent (sguil)"
+ 	else
+ 		for i in `seq 1 $IDS_LB_PROCS`; do
+@@ -388,8 +387,7 @@ do
+ 	fi
+
+ 	# stop the IDS engine
+-        if grep -i "suricata" /etc/nsm/securityonion.conf >/dev/null
+-	then
++        if [ "$ENGINE" == "suricata" ]; then
+    		[ "$IDS_ENGINE_ENABLED" == "yes" ] && [ -z "$SKIP_SNORT_ALERT" ] && process_stop "suricata" "$PROCESS_PID_DIR/$SENSOR/suricata.pid" "suricata (alert data)"
+ 	else
+ 		for i in `seq 1 $IDS_LB_PROCS`; do
+@@ -398,8 +396,7 @@ do
+ 	fi
+
+ 	# stop barnyard2
+-        if grep -i "suricata" /etc/nsm/securityonion.conf >/dev/null
+-	then
++        if [ "$ENGINE" == "suricata" ]; then
+ 		[ "$BARNYARD2_ENABLED" == "yes" ] && [ -z "$SKIP_BARNYARD2" ] && process_stop "barnyard2" "$PROCESS_PID_DIR/$SENSOR/barnyard2.pid" "barnyard2 (spooler, unified2 format)"
+ 	else
+ 		for i in `seq 1 $IDS_LB_PROCS`; do

debian/patches/series

@@ -123,3 +123,4 @@ ensure-non-threaded-tcl8.6-for-sguild
 update-etcinitsecurityonion.conf-to-remove-Snorby-and-add-back-Xplico
 disable-snorby-output-in-all-barnyard2.conf-files
 check-for-snorby-output-before-trying-to-disable
+Issues-853-854-855