This repository has been archived by the owner on Apr 19, 2021. It is now read-only.
-
Notifications
You must be signed in to change notification settings - Fork 14
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
Showing
7 changed files
with
272 additions
and
50 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,239 @@ | ||
Description: <short summary of the patch> | ||
TODO: Put a short summary on the line above and replace this paragraph | ||
with a longer explanation of this change. Complete the meta-information | ||
with other relevant fields (see below for details). To make it easier, the | ||
information below has been extracted from the changelog. Adjust it or drop | ||
it. | ||
. | ||
securityonion-nsmnow-admin-scripts (20120724-0ubuntu0securityonion129) trusty; urgency=medium | ||
. | ||
* Issues 853 854 855 | ||
Author: Doug Burks <doug.burks@gmail.com> | ||
|
||
--- | ||
The information above should follow the Patch Tagging Guidelines, please | ||
checkout http://dep.debian.net/deps/dep3/ to learn about the format. Here | ||
are templates for supplementary fields that you might want to add: | ||
|
||
Origin: <vendor|upstream|other>, <url of original patch> | ||
Bug: <url in upstream bugtracker> | ||
Bug-Debian: http://bugs.debian.org/<bugnumber> | ||
Bug-Ubuntu: https://launchpad.net/bugs/<bugnumber> | ||
Forwarded: <no|not-needed|url proving that it has been forwarded> | ||
Reviewed-By: <name and email of someone who approved the patch> | ||
Last-Update: <YYYY-MM-DD> | ||
|
||
--- securityonion-nsmnow-admin-scripts-20120724.orig/usr/sbin/nsm_sensor_ps-restart | ||
+++ securityonion-nsmnow-admin-scripts-20120724/usr/sbin/nsm_sensor_ps-restart | ||
@@ -468,7 +468,7 @@ do | ||
[ "$PCAP_AGENT_ENABLED" == "yes" ] && [ -z "$SKIP_PCAP_AGENT" ] && $ACTION "/usr/bin/pcap_agent.tcl" "-c $PCAP_AGENT_CONFIG" "$PROCESS_PID_DIR/$SENSOR/pcap_agent.pid" "$PROCESS_LOG_DIR/$SENSOR/pcap_agent.log" "pcap_agent (sguil)" "$SENSOR_USER" | ||
|
||
# restart snort_agent | ||
- if grep -i "suricata" /etc/nsm/securityonion.conf >/dev/null; then | ||
+ if [ "$ENGINE" == "suricata" ]; then | ||
[ "$SNORT_AGENT_ENABLED" == "yes" ] && [ -z "$SKIP_SNORT_AGENT" ] && $ACTION "/usr/bin/snort_agent.tcl" "-c $SNORT_AGENT_CONFIG" "$PROCESS_PID_DIR/$SENSOR/snort_agent.pid" "$PROCESS_LOG_DIR/$SENSOR/snort_agent.log" "snort_agent (sguil)" "$SENSOR_USER" | ||
else | ||
for i in `seq 1 $IDS_LB_PROCS`; do | ||
@@ -514,13 +514,17 @@ do | ||
sed -i "s|^config daq_var: clusterid=.*$|config daq_var: clusterid=$CLUSTER_ID|g" /etc/nsm/$SENSOR/snort.conf | ||
# Update suricata.yaml with new $CLUSTER_ID | ||
sed -i "s|cluster-id:.*$|cluster-id: $CLUSTER_ID|g" /etc/nsm/$SENSOR/suricata.yaml | ||
- if grep -i "suricata" /etc/nsm/securityonion.conf >/dev/null | ||
- then | ||
+ # PF_RING 6.2.0 won't allow an empty BPF file | ||
+ BPF_OPTION="" | ||
+ BPF_IDS=/etc/nsm/$SENSOR/bpf-ids.conf | ||
+ [ -s $BPF_IDS ] && BPF_OPTION="-F $BPF_IDS" | ||
+ # Suricata or Snort? | ||
+ if [ "$ENGINE" == "suricata" ]; then | ||
# copy IDS_LB_PROCS from sensor.conf | ||
IDS_LB_PROCS=`grep IDS_LB_PROCS /etc/nsm/$SENSOR/sensor.conf | cut -d\= -f2` | ||
sed -i "s| threads: .*| threads: $IDS_LB_PROCS|g" /etc/nsm/$SENSOR/suricata.yaml | ||
# start Suricata | ||
- [ "$IDS_ENGINE_ENABLED" == "yes" ] && [ -z "$SKIP_SNORT_ALERT" ] && $ACTION "suricata" "--user $SENSOR_USER --group $SENSOR_GROUP -c /etc/nsm/$SENSOR/suricata.yaml --pfring=$SENSOR_INTERFACE_SHORT -F /etc/nsm/$SENSOR/bpf-ids.conf -l $SENSOR_LOG_DIR " "$PROCESS_PID_DIR/$SENSOR/suricata.pid" "$PROCESS_LOG_DIR/$SENSOR/suricata.log" "suricata (alert data)" | ||
+ [ "$IDS_ENGINE_ENABLED" == "yes" ] && [ -z "$SKIP_SNORT_ALERT" ] && $ACTION "suricata" "--user $SENSOR_USER --group $SENSOR_GROUP -c /etc/nsm/$SENSOR/suricata.yaml --pfring=$SENSOR_INTERFACE_SHORT $BPF_OPTION -l $SENSOR_LOG_DIR " "$PROCESS_PID_DIR/$SENSOR/suricata.pid" "$PROCESS_LOG_DIR/$SENSOR/suricata.log" "suricata (alert data)" | ||
else | ||
# Need to set a unique PF_RING CLUSTER_ID for each interface | ||
CLUSTER_ID=`grep -n $SENSOR /etc/nsm/sensortab |cut -d\: -f1`; let CLUSTER_ID+=50 | ||
@@ -533,27 +537,20 @@ do | ||
UNI_DIR=$SENSOR_LOG_DIR/snort-$i | ||
mkdir -p $UNI_DIR | ||
chown $SENSOR_USER:$SENSOR_GROUP $UNI_DIR | ||
- [ "$IDS_ENGINE_ENABLED" == "yes" ] && [ -z "$SKIP_SNORT_ALERT" ] && $ACTION "snort" "-c $SNORT_CONFIG -u $SENSOR_USER -g $SENSOR_GROUP -i $SENSOR_INTERFACE_SHORT -F /etc/nsm/$SENSOR/bpf-ids.conf -l $UNI_DIR --perfmon-file $PERFMON $SNORT_OPTIONS" "$PID" "$LOG" "snort-$i (alert data)" | ||
+ [ "$IDS_ENGINE_ENABLED" == "yes" ] && [ -z "$SKIP_SNORT_ALERT" ] && $ACTION "snort" "-c $SNORT_CONFIG -u $SENSOR_USER -g $SENSOR_GROUP -i $SENSOR_INTERFACE_SHORT $BPF_OPTION -l $UNI_DIR --perfmon-file $PERFMON $SNORT_OPTIONS" "$PID" "$LOG" "snort-$i (alert data)" | ||
done | ||
fi | ||
|
||
# restart barnyard2 | ||
# If running Suricata, we only have a single instance of barnyard2. | ||
# If running Snort with pfring load-balancing, we have one instance of barnyard2 per Snort instance. | ||
- if grep -i "suricata" /etc/nsm/securityonion.conf >/dev/null | ||
- then | ||
+ if [ "$ENGINE" == "suricata" ]; then | ||
# we only have a single instance of barnyard2 | ||
|
||
# make sure the waldo file exists and is owned by proper user | ||
touch $BARNYARD2_WALDO | ||
chown $SENSOR_USER:$SENSOR_GROUP $BARNYARD2_WALDO | ||
|
||
- # update the barnyard2 config for the new version of barnyard2 | ||
- # that adds the disable_signature_reference_table option | ||
- if ! grep disable_signature_reference_table $BARNYARD2_CONFIG >/dev/null 2>&1; then | ||
- sed -i 's|output database: alert, mysql, user=root dbname=snorby host=127.0.0.1|output database: alert, mysql, user=root dbname=snorby host=127.0.0.1 disable_signature_reference_table|g' $BARNYARD2_CONFIG | ||
- fi | ||
- | ||
# start barnyard2 | ||
[ "$BARNYARD2_ENABLED" == "yes" ] && [ -z "$SKIP_BARNYARD2" ] && $ACTION "barnyard2" "-c $BARNYARD2_CONFIG -u $SENSOR_USER -g $SENSOR_GROUP -d $SENSOR_LOG_DIR -f snort.unified2 -w $BARNYARD2_WALDO -i 1 $BARNYARD2_OPTIONS" "$PROCESS_PID_DIR/$SENSOR/barnyard2.pid" "$PROCESS_LOG_DIR/$SENSOR/barnyard2.log" "barnyard2 (spooler, unified2 format)" | ||
else | ||
@@ -575,12 +572,6 @@ do | ||
touch $WALDO | ||
chown $SENSOR_USER:$SENSOR_GROUP $WALDO | ||
|
||
- # update the barnyard2 config for the new version of barnyard2 | ||
- # that adds the disable_signature_reference_table option | ||
- if ! grep disable_signature_reference_table $BARNYARD2_CONFIG >/dev/null 2>&1; then | ||
- sed -i 's|output database: alert, mysql, user=root dbname=snorby host=127.0.0.1|output database: alert, mysql, user=root dbname=snorby host=127.0.0.1 disable_signature_reference_table|g' $BARNYARD2_CONFIG | ||
- fi | ||
- | ||
# start barnyard2 | ||
[ "$BARNYARD2_ENABLED" == "yes" ] && [ -z "$SKIP_BARNYARD2" ] && $ACTION "barnyard2" "-c $BARNYARD2_CONFIG -u $SENSOR_USER -g $SENSOR_GROUP -d $UNI_DIR -f snort.unified2 -w $WALDO -i $i $BARNYARD2_OPTIONS" "$PID" "$LOG" "barnyard2-$i (spooler, unified2 format)" | ||
done | ||
--- securityonion-nsmnow-admin-scripts-20120724.orig/usr/sbin/nsm_sensor_ps-start | ||
+++ securityonion-nsmnow-admin-scripts-20120724/usr/sbin/nsm_sensor_ps-start | ||
@@ -472,7 +472,7 @@ do | ||
[ "$PCAP_AGENT_ENABLED" == "yes" ] && [ -z "$SKIP_PCAP_AGENT" ] && process_start "/usr/bin/pcap_agent.tcl" "-c $PCAP_AGENT_CONFIG" "$PROCESS_PID_DIR/$SENSOR/pcap_agent.pid" "$PROCESS_LOG_DIR/$SENSOR/pcap_agent.log" "pcap_agent (sguil)" "$SENSOR_USER" | ||
|
||
# need multiple snort_agents if running multiple snorts | ||
- if grep -i "suricata" /etc/nsm/securityonion.conf >/dev/null; then | ||
+ if [ "$ENGINE" == "suricata" ]; then | ||
[ "$SNORT_AGENT_ENABLED" == "yes" ] && [ -z "$SKIP_SNORT_AGENT" ] && process_start "/usr/bin/snort_agent.tcl" "-c $SNORT_AGENT_CONFIG" "$PROCESS_PID_DIR/$SENSOR/snort_agent.pid" "$PROCESS_LOG_DIR/$SENSOR/snort_agent.log" "snort_agent (sguil)" "$SENSOR_USER" | ||
else | ||
# Start $IDS_LB_PROCS instances of snort_agent | ||
@@ -522,13 +522,17 @@ do | ||
sed -i "s|^config daq_var: clusterid=.*$|config daq_var: clusterid=$CLUSTER_ID|g" /etc/nsm/$SENSOR/snort.conf | ||
# Update suricata.yaml with new $CLUSTER_ID | ||
sed -i "s|cluster-id:.*$|cluster-id: $CLUSTER_ID|g" /etc/nsm/$SENSOR/suricata.yaml | ||
- if grep -i "suricata" /etc/nsm/securityonion.conf >/dev/null | ||
- then | ||
+ # PF_RING 6.2.0 won't allow an empty BPF file | ||
+ BPF_OPTION="" | ||
+ BPF_IDS=/etc/nsm/$SENSOR/bpf-ids.conf | ||
+ [ -s $BPF_IDS ] && BPF_OPTION="-F $BPF_IDS" | ||
+ # Snort or Suricata? | ||
+ if [ "$ENGINE" == "suricata" ]; then | ||
# copy IDS_LB_PROCS from sensor.conf | ||
IDS_LB_PROCS=`grep IDS_LB_PROCS /etc/nsm/$SENSOR/sensor.conf | cut -d\= -f2` | ||
sed -i "s| threads: .*| threads: $IDS_LB_PROCS|g" /etc/nsm/$SENSOR/suricata.yaml | ||
# start Suricata | ||
- [ "$IDS_ENGINE_ENABLED" == "yes" ] && [ -z "$SKIP_SNORT_ALERT" ] && process_start "suricata" "--user $SENSOR_USER --group $SENSOR_GROUP -c /etc/nsm/$SENSOR/suricata.yaml --pfring=$SENSOR_INTERFACE_SHORT -F /etc/nsm/$SENSOR/bpf-ids.conf -l $SENSOR_LOG_DIR " "$PROCESS_PID_DIR/$SENSOR/suricata.pid" "$PROCESS_LOG_DIR/$SENSOR/suricata.log" "suricata (alert data)" | ||
+ [ "$IDS_ENGINE_ENABLED" == "yes" ] && [ -z "$SKIP_SNORT_ALERT" ] && process_start "suricata" "--user $SENSOR_USER --group $SENSOR_GROUP -c /etc/nsm/$SENSOR/suricata.yaml --pfring=$SENSOR_INTERFACE_SHORT $BPF_OPTION -l $SENSOR_LOG_DIR " "$PROCESS_PID_DIR/$SENSOR/suricata.pid" "$PROCESS_LOG_DIR/$SENSOR/suricata.log" "suricata (alert data)" | ||
else | ||
# Start $IDS_LB_PROCS instances of Snort using pfring load-balancing | ||
for i in `seq 1 $IDS_LB_PROCS`; do | ||
@@ -538,27 +542,20 @@ do | ||
UNI_DIR=$SENSOR_LOG_DIR/snort-$i | ||
mkdir -p $UNI_DIR | ||
chown $SENSOR_USER:$SENSOR_GROUP $UNI_DIR | ||
- [ "$IDS_ENGINE_ENABLED" == "yes" ] && [ -z "$SKIP_SNORT_ALERT" ] && process_start "snort" "-c $SNORT_CONFIG -u $SENSOR_USER -g $SENSOR_GROUP -i $SENSOR_INTERFACE_SHORT -F /etc/nsm/$SENSOR/bpf-ids.conf -l $UNI_DIR --perfmon-file $PERFMON $SNORT_OPTIONS" "$PID" "$LOG" "snort-$i (alert data)" | ||
+ [ "$IDS_ENGINE_ENABLED" == "yes" ] && [ -z "$SKIP_SNORT_ALERT" ] && process_start "snort" "-c $SNORT_CONFIG -u $SENSOR_USER -g $SENSOR_GROUP -i $SENSOR_INTERFACE_SHORT $BPF_OPTION -l $UNI_DIR --perfmon-file $PERFMON $SNORT_OPTIONS" "$PID" "$LOG" "snort-$i (alert data)" | ||
done | ||
fi | ||
|
||
# start barnyard2 | ||
# If running Suricata, we only need a single instance of barnyard2. | ||
# If running Snort with pfring load-balancing, we need one instance of barnyard2 per Snort instance. | ||
- if grep -i "suricata" /etc/nsm/securityonion.conf >/dev/null | ||
- then | ||
+ if [ "$ENGINE" == "suricata" ]; then | ||
# we only need a single instance of barnyard2 for suricata | ||
|
||
# make sure the waldo file exists and is owned by proper user | ||
touch $BARNYARD2_WALDO | ||
chown $SENSOR_USER:$SENSOR_GROUP $BARNYARD2_WALDO | ||
|
||
- # update the barnyard2 config for the new version of barnyard2 | ||
- # that adds the disable_signature_reference_table option | ||
- if ! grep disable_signature_reference_table $BARNYARD2_CONFIG >/dev/null 2>&1; then | ||
- sed -i 's|output database: alert, mysql, user=root dbname=snorby host=127.0.0.1|output database: alert, mysql, user=root dbname=snorby host=127.0.0.1 disable_signature_reference_table|g' $BARNYARD2_CONFIG | ||
- fi | ||
- | ||
# start barnyard2 | ||
[ "$BARNYARD2_ENABLED" == "yes" ] && [ -z "$SKIP_BARNYARD2" ] && process_start "barnyard2" "-c $BARNYARD2_CONFIG -u $SENSOR_USER -g $SENSOR_GROUP -d $SENSOR_LOG_DIR -f snort.unified2 -w $BARNYARD2_WALDO -i 1 $BARNYARD2_OPTIONS" "$PROCESS_PID_DIR/$SENSOR/barnyard2.pid" "$PROCESS_LOG_DIR/$SENSOR/barnyard2.log" "barnyard2 (spooler, unified2 format)" | ||
else | ||
@@ -580,12 +577,6 @@ do | ||
touch $WALDO | ||
chown $SENSOR_USER:$SENSOR_GROUP $WALDO | ||
|
||
- # update the barnyard2 config for the new version of barnyard2 | ||
- # that adds the disable_signature_reference_table option | ||
- if ! grep disable_signature_reference_table $BARNYARD2_CONFIG >/dev/null 2>&1; then | ||
- sed -i 's|output database: alert, mysql, user=root dbname=snorby host=127.0.0.1|output database: alert, mysql, user=root dbname=snorby host=127.0.0.1 disable_signature_reference_table|g' $BARNYARD2_CONFIG | ||
- fi | ||
- | ||
# start barnyard2 | ||
[ "$BARNYARD2_ENABLED" == "yes" ] && [ -z "$SKIP_BARNYARD2" ] && process_start "barnyard2" "-c $BARNYARD2_CONFIG -u $SENSOR_USER -g $SENSOR_GROUP -d $UNI_DIR -f snort.unified2 -w $WALDO -i $i $BARNYARD2_OPTIONS" "$PID" "$LOG" "barnyard2-$i (spooler, unified2 format)" | ||
done | ||
--- securityonion-nsmnow-admin-scripts-20120724.orig/usr/sbin/nsm_sensor_ps-status | ||
+++ securityonion-nsmnow-admin-scripts-20120724/usr/sbin/nsm_sensor_ps-status | ||
@@ -377,8 +377,7 @@ do | ||
[ "$PCAP_AGENT_ENABLED" == "yes" ] && [ -z "$SKIP_PCAP_AGENT" ] && process_status "pcap_agent.tcl" "$PROCESS_PID_DIR/$SENSOR/pcap_agent.pid" "pcap_agent (sguil)" | ||
|
||
# snort_agent | ||
- if grep -i "suricata" /etc/nsm/securityonion.conf >/dev/null | ||
- then | ||
+ if [ "$ENGINE" == "suricata" ]; then | ||
[ "$SNORT_AGENT_ENABLED" == "yes" ] && [ -z "$SKIP_SNORT_AGENT" ] && process_status "snort_agent.tcl" "$PROCESS_PID_DIR/$SENSOR/snort_agent.pid" "snort_agent (sguil)" | ||
else | ||
for i in `seq 1 $IDS_LB_PROCS`; do | ||
@@ -387,8 +386,7 @@ do | ||
fi | ||
|
||
# status the IDS engine | ||
- if grep -i "suricata" /etc/nsm/securityonion.conf >/dev/null | ||
- then | ||
+ if [ "$ENGINE" == "suricata" ]; then | ||
[ "$IDS_ENGINE_ENABLED" == "yes" ] && [ -z "$SKIP_SNORT_ALERT" ] && process_status "suricata" "$PROCESS_PID_DIR/$SENSOR/suricata.pid" "suricata (alert data)" | ||
else | ||
for i in `seq 1 $IDS_LB_PROCS`; do | ||
@@ -397,8 +395,7 @@ do | ||
fi | ||
|
||
# status barnyard2 | ||
- if grep -i "suricata" /etc/nsm/securityonion.conf >/dev/null | ||
- then | ||
+ if [ "$ENGINE" == "suricata" ]; then | ||
[ "$BARNYARD2_ENABLED" == "yes" ] && [ -z "$SKIP_BARNYARD2" ] && process_status "barnyard2" "$PROCESS_PID_DIR/$SENSOR/barnyard2.pid" "barnyard2 (spooler, unified2 format)" | ||
else | ||
for i in `seq 1 $IDS_LB_PROCS`; do | ||
--- securityonion-nsmnow-admin-scripts-20120724.orig/usr/sbin/nsm_sensor_ps-stop | ||
+++ securityonion-nsmnow-admin-scripts-20120724/usr/sbin/nsm_sensor_ps-stop | ||
@@ -378,8 +378,7 @@ do | ||
[ "$PCAP_AGENT_ENABLED" == "yes" ] && [ -z "$SKIP_PCAP_AGENT" ] && process_stop "pcap_agent.tcl" "$PROCESS_PID_DIR/$SENSOR/pcap_agent.pid" "pcap_agent (sguil)" | ||
|
||
# stop the snort_agent | ||
- if grep -i "suricata" /etc/nsm/securityonion.conf >/dev/null | ||
- then | ||
+ if [ "$ENGINE" == "suricata" ]; then | ||
[ "$SNORT_AGENT_ENABLED" == "yes" ] && [ -z "$SKIP_SNORT_AGENT" ] && process_stop "snort_agent.tcl" "$PROCESS_PID_DIR/$SENSOR/snort_agent.pid" "snort_agent (sguil)" | ||
else | ||
for i in `seq 1 $IDS_LB_PROCS`; do | ||
@@ -388,8 +387,7 @@ do | ||
fi | ||
|
||
# stop the IDS engine | ||
- if grep -i "suricata" /etc/nsm/securityonion.conf >/dev/null | ||
- then | ||
+ if [ "$ENGINE" == "suricata" ]; then | ||
[ "$IDS_ENGINE_ENABLED" == "yes" ] && [ -z "$SKIP_SNORT_ALERT" ] && process_stop "suricata" "$PROCESS_PID_DIR/$SENSOR/suricata.pid" "suricata (alert data)" | ||
else | ||
for i in `seq 1 $IDS_LB_PROCS`; do | ||
@@ -398,8 +396,7 @@ do | ||
fi | ||
|
||
# stop barnyard2 | ||
- if grep -i "suricata" /etc/nsm/securityonion.conf >/dev/null | ||
- then | ||
+ if [ "$ENGINE" == "suricata" ]; then | ||
[ "$BARNYARD2_ENABLED" == "yes" ] && [ -z "$SKIP_BARNYARD2" ] && process_stop "barnyard2" "$PROCESS_PID_DIR/$SENSOR/barnyard2.pid" "barnyard2 (spooler, unified2 format)" | ||
else | ||
for i in `seq 1 $IDS_LB_PROCS`; do |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Oops, something went wrong.