diff --git a/debian/changelog b/debian/changelog index 7b90790..b5db24d 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +securityonion-nsmnow-admin-scripts (20120724-0ubuntu0securityonion129) trusty; urgency=medium + + * Issues 853 854 855 + + -- Doug Burks Fri, 05 Feb 2016 13:40:05 -0500 + securityonion-nsmnow-admin-scripts (20120724-0ubuntu0securityonion128) trusty; urgency=medium * check for snorby output before trying to disable diff --git a/debian/patches/Issues-853-854-855 b/debian/patches/Issues-853-854-855 new file mode 100644 index 0000000..0d12627 --- /dev/null +++ b/debian/patches/Issues-853-854-855 @@ -0,0 +1,239 @@ +Description: + TODO: Put a short summary on the line above and replace this paragraph + with a longer explanation of this change. Complete the meta-information + with other relevant fields (see below for details). To make it easier, the + information below has been extracted from the changelog. Adjust it or drop + it. + . + securityonion-nsmnow-admin-scripts (20120724-0ubuntu0securityonion129) trusty; urgency=medium + . + * Issues 853 854 855 +Author: Doug Burks + +--- +The information above should follow the Patch Tagging Guidelines, please +checkout http://dep.debian.net/deps/dep3/ to learn about the format. Here +are templates for supplementary fields that you might want to add: + +Origin: , +Bug: +Bug-Debian: http://bugs.debian.org/ +Bug-Ubuntu: https://launchpad.net/bugs/ +Forwarded: +Reviewed-By: +Last-Update: + +--- securityonion-nsmnow-admin-scripts-20120724.orig/usr/sbin/nsm_sensor_ps-restart ++++ securityonion-nsmnow-admin-scripts-20120724/usr/sbin/nsm_sensor_ps-restart +@@ -468,7 +468,7 @@ do + [ "$PCAP_AGENT_ENABLED" == "yes" ] && [ -z "$SKIP_PCAP_AGENT" ] && $ACTION "/usr/bin/pcap_agent.tcl" "-c $PCAP_AGENT_CONFIG" "$PROCESS_PID_DIR/$SENSOR/pcap_agent.pid" "$PROCESS_LOG_DIR/$SENSOR/pcap_agent.log" "pcap_agent (sguil)" "$SENSOR_USER" + + # restart snort_agent +- if grep -i "suricata" /etc/nsm/securityonion.conf >/dev/null; then ++ if [ "$ENGINE" == "suricata" ]; then + [ "$SNORT_AGENT_ENABLED" == "yes" ] && [ -z "$SKIP_SNORT_AGENT" ] && $ACTION "/usr/bin/snort_agent.tcl" "-c $SNORT_AGENT_CONFIG" "$PROCESS_PID_DIR/$SENSOR/snort_agent.pid" "$PROCESS_LOG_DIR/$SENSOR/snort_agent.log" "snort_agent (sguil)" "$SENSOR_USER" + else + for i in `seq 1 $IDS_LB_PROCS`; do +@@ -514,13 +514,17 @@ do + sed -i "s|^config daq_var: clusterid=.*$|config daq_var: clusterid=$CLUSTER_ID|g" /etc/nsm/$SENSOR/snort.conf + # Update suricata.yaml with new $CLUSTER_ID + sed -i "s|cluster-id:.*$|cluster-id: $CLUSTER_ID|g" /etc/nsm/$SENSOR/suricata.yaml +- if grep -i "suricata" /etc/nsm/securityonion.conf >/dev/null +- then ++ # PF_RING 6.2.0 won't allow an empty BPF file ++ BPF_OPTION="" ++ BPF_IDS=/etc/nsm/$SENSOR/bpf-ids.conf ++ [ -s $BPF_IDS ] && BPF_OPTION="-F $BPF_IDS" ++ # Suricata or Snort? ++ if [ "$ENGINE" == "suricata" ]; then + # copy IDS_LB_PROCS from sensor.conf + IDS_LB_PROCS=`grep IDS_LB_PROCS /etc/nsm/$SENSOR/sensor.conf | cut -d\= -f2` + sed -i "s| threads: .*| threads: $IDS_LB_PROCS|g" /etc/nsm/$SENSOR/suricata.yaml + # start Suricata +- [ "$IDS_ENGINE_ENABLED" == "yes" ] && [ -z "$SKIP_SNORT_ALERT" ] && $ACTION "suricata" "--user $SENSOR_USER --group $SENSOR_GROUP -c /etc/nsm/$SENSOR/suricata.yaml --pfring=$SENSOR_INTERFACE_SHORT -F /etc/nsm/$SENSOR/bpf-ids.conf -l $SENSOR_LOG_DIR " "$PROCESS_PID_DIR/$SENSOR/suricata.pid" "$PROCESS_LOG_DIR/$SENSOR/suricata.log" "suricata (alert data)" ++ [ "$IDS_ENGINE_ENABLED" == "yes" ] && [ -z "$SKIP_SNORT_ALERT" ] && $ACTION "suricata" "--user $SENSOR_USER --group $SENSOR_GROUP -c /etc/nsm/$SENSOR/suricata.yaml --pfring=$SENSOR_INTERFACE_SHORT $BPF_OPTION -l $SENSOR_LOG_DIR " "$PROCESS_PID_DIR/$SENSOR/suricata.pid" "$PROCESS_LOG_DIR/$SENSOR/suricata.log" "suricata (alert data)" + else + # Need to set a unique PF_RING CLUSTER_ID for each interface + CLUSTER_ID=`grep -n $SENSOR /etc/nsm/sensortab |cut -d\: -f1`; let CLUSTER_ID+=50 +@@ -533,27 +537,20 @@ do + UNI_DIR=$SENSOR_LOG_DIR/snort-$i + mkdir -p $UNI_DIR + chown $SENSOR_USER:$SENSOR_GROUP $UNI_DIR +- [ "$IDS_ENGINE_ENABLED" == "yes" ] && [ -z "$SKIP_SNORT_ALERT" ] && $ACTION "snort" "-c $SNORT_CONFIG -u $SENSOR_USER -g $SENSOR_GROUP -i $SENSOR_INTERFACE_SHORT -F /etc/nsm/$SENSOR/bpf-ids.conf -l $UNI_DIR --perfmon-file $PERFMON $SNORT_OPTIONS" "$PID" "$LOG" "snort-$i (alert data)" ++ [ "$IDS_ENGINE_ENABLED" == "yes" ] && [ -z "$SKIP_SNORT_ALERT" ] && $ACTION "snort" "-c $SNORT_CONFIG -u $SENSOR_USER -g $SENSOR_GROUP -i $SENSOR_INTERFACE_SHORT $BPF_OPTION -l $UNI_DIR --perfmon-file $PERFMON $SNORT_OPTIONS" "$PID" "$LOG" "snort-$i (alert data)" + done + fi + + # restart barnyard2 + # If running Suricata, we only have a single instance of barnyard2. + # If running Snort with pfring load-balancing, we have one instance of barnyard2 per Snort instance. +- if grep -i "suricata" /etc/nsm/securityonion.conf >/dev/null +- then ++ if [ "$ENGINE" == "suricata" ]; then + # we only have a single instance of barnyard2 + + # make sure the waldo file exists and is owned by proper user + touch $BARNYARD2_WALDO + chown $SENSOR_USER:$SENSOR_GROUP $BARNYARD2_WALDO + +- # update the barnyard2 config for the new version of barnyard2 +- # that adds the disable_signature_reference_table option +- if ! grep disable_signature_reference_table $BARNYARD2_CONFIG >/dev/null 2>&1; then +- sed -i 's|output database: alert, mysql, user=root dbname=snorby host=127.0.0.1|output database: alert, mysql, user=root dbname=snorby host=127.0.0.1 disable_signature_reference_table|g' $BARNYARD2_CONFIG +- fi +- + # start barnyard2 + [ "$BARNYARD2_ENABLED" == "yes" ] && [ -z "$SKIP_BARNYARD2" ] && $ACTION "barnyard2" "-c $BARNYARD2_CONFIG -u $SENSOR_USER -g $SENSOR_GROUP -d $SENSOR_LOG_DIR -f snort.unified2 -w $BARNYARD2_WALDO -i 1 $BARNYARD2_OPTIONS" "$PROCESS_PID_DIR/$SENSOR/barnyard2.pid" "$PROCESS_LOG_DIR/$SENSOR/barnyard2.log" "barnyard2 (spooler, unified2 format)" + else +@@ -575,12 +572,6 @@ do + touch $WALDO + chown $SENSOR_USER:$SENSOR_GROUP $WALDO + +- # update the barnyard2 config for the new version of barnyard2 +- # that adds the disable_signature_reference_table option +- if ! grep disable_signature_reference_table $BARNYARD2_CONFIG >/dev/null 2>&1; then +- sed -i 's|output database: alert, mysql, user=root dbname=snorby host=127.0.0.1|output database: alert, mysql, user=root dbname=snorby host=127.0.0.1 disable_signature_reference_table|g' $BARNYARD2_CONFIG +- fi +- + # start barnyard2 + [ "$BARNYARD2_ENABLED" == "yes" ] && [ -z "$SKIP_BARNYARD2" ] && $ACTION "barnyard2" "-c $BARNYARD2_CONFIG -u $SENSOR_USER -g $SENSOR_GROUP -d $UNI_DIR -f snort.unified2 -w $WALDO -i $i $BARNYARD2_OPTIONS" "$PID" "$LOG" "barnyard2-$i (spooler, unified2 format)" + done +--- securityonion-nsmnow-admin-scripts-20120724.orig/usr/sbin/nsm_sensor_ps-start ++++ securityonion-nsmnow-admin-scripts-20120724/usr/sbin/nsm_sensor_ps-start +@@ -472,7 +472,7 @@ do + [ "$PCAP_AGENT_ENABLED" == "yes" ] && [ -z "$SKIP_PCAP_AGENT" ] && process_start "/usr/bin/pcap_agent.tcl" "-c $PCAP_AGENT_CONFIG" "$PROCESS_PID_DIR/$SENSOR/pcap_agent.pid" "$PROCESS_LOG_DIR/$SENSOR/pcap_agent.log" "pcap_agent (sguil)" "$SENSOR_USER" + + # need multiple snort_agents if running multiple snorts +- if grep -i "suricata" /etc/nsm/securityonion.conf >/dev/null; then ++ if [ "$ENGINE" == "suricata" ]; then + [ "$SNORT_AGENT_ENABLED" == "yes" ] && [ -z "$SKIP_SNORT_AGENT" ] && process_start "/usr/bin/snort_agent.tcl" "-c $SNORT_AGENT_CONFIG" "$PROCESS_PID_DIR/$SENSOR/snort_agent.pid" "$PROCESS_LOG_DIR/$SENSOR/snort_agent.log" "snort_agent (sguil)" "$SENSOR_USER" + else + # Start $IDS_LB_PROCS instances of snort_agent +@@ -522,13 +522,17 @@ do + sed -i "s|^config daq_var: clusterid=.*$|config daq_var: clusterid=$CLUSTER_ID|g" /etc/nsm/$SENSOR/snort.conf + # Update suricata.yaml with new $CLUSTER_ID + sed -i "s|cluster-id:.*$|cluster-id: $CLUSTER_ID|g" /etc/nsm/$SENSOR/suricata.yaml +- if grep -i "suricata" /etc/nsm/securityonion.conf >/dev/null +- then ++ # PF_RING 6.2.0 won't allow an empty BPF file ++ BPF_OPTION="" ++ BPF_IDS=/etc/nsm/$SENSOR/bpf-ids.conf ++ [ -s $BPF_IDS ] && BPF_OPTION="-F $BPF_IDS" ++ # Snort or Suricata? ++ if [ "$ENGINE" == "suricata" ]; then + # copy IDS_LB_PROCS from sensor.conf + IDS_LB_PROCS=`grep IDS_LB_PROCS /etc/nsm/$SENSOR/sensor.conf | cut -d\= -f2` + sed -i "s| threads: .*| threads: $IDS_LB_PROCS|g" /etc/nsm/$SENSOR/suricata.yaml + # start Suricata +- [ "$IDS_ENGINE_ENABLED" == "yes" ] && [ -z "$SKIP_SNORT_ALERT" ] && process_start "suricata" "--user $SENSOR_USER --group $SENSOR_GROUP -c /etc/nsm/$SENSOR/suricata.yaml --pfring=$SENSOR_INTERFACE_SHORT -F /etc/nsm/$SENSOR/bpf-ids.conf -l $SENSOR_LOG_DIR " "$PROCESS_PID_DIR/$SENSOR/suricata.pid" "$PROCESS_LOG_DIR/$SENSOR/suricata.log" "suricata (alert data)" ++ [ "$IDS_ENGINE_ENABLED" == "yes" ] && [ -z "$SKIP_SNORT_ALERT" ] && process_start "suricata" "--user $SENSOR_USER --group $SENSOR_GROUP -c /etc/nsm/$SENSOR/suricata.yaml --pfring=$SENSOR_INTERFACE_SHORT $BPF_OPTION -l $SENSOR_LOG_DIR " "$PROCESS_PID_DIR/$SENSOR/suricata.pid" "$PROCESS_LOG_DIR/$SENSOR/suricata.log" "suricata (alert data)" + else + # Start $IDS_LB_PROCS instances of Snort using pfring load-balancing + for i in `seq 1 $IDS_LB_PROCS`; do +@@ -538,27 +542,20 @@ do + UNI_DIR=$SENSOR_LOG_DIR/snort-$i + mkdir -p $UNI_DIR + chown $SENSOR_USER:$SENSOR_GROUP $UNI_DIR +- [ "$IDS_ENGINE_ENABLED" == "yes" ] && [ -z "$SKIP_SNORT_ALERT" ] && process_start "snort" "-c $SNORT_CONFIG -u $SENSOR_USER -g $SENSOR_GROUP -i $SENSOR_INTERFACE_SHORT -F /etc/nsm/$SENSOR/bpf-ids.conf -l $UNI_DIR --perfmon-file $PERFMON $SNORT_OPTIONS" "$PID" "$LOG" "snort-$i (alert data)" ++ [ "$IDS_ENGINE_ENABLED" == "yes" ] && [ -z "$SKIP_SNORT_ALERT" ] && process_start "snort" "-c $SNORT_CONFIG -u $SENSOR_USER -g $SENSOR_GROUP -i $SENSOR_INTERFACE_SHORT $BPF_OPTION -l $UNI_DIR --perfmon-file $PERFMON $SNORT_OPTIONS" "$PID" "$LOG" "snort-$i (alert data)" + done + fi + + # start barnyard2 + # If running Suricata, we only need a single instance of barnyard2. + # If running Snort with pfring load-balancing, we need one instance of barnyard2 per Snort instance. +- if grep -i "suricata" /etc/nsm/securityonion.conf >/dev/null +- then ++ if [ "$ENGINE" == "suricata" ]; then + # we only need a single instance of barnyard2 for suricata + + # make sure the waldo file exists and is owned by proper user + touch $BARNYARD2_WALDO + chown $SENSOR_USER:$SENSOR_GROUP $BARNYARD2_WALDO + +- # update the barnyard2 config for the new version of barnyard2 +- # that adds the disable_signature_reference_table option +- if ! grep disable_signature_reference_table $BARNYARD2_CONFIG >/dev/null 2>&1; then +- sed -i 's|output database: alert, mysql, user=root dbname=snorby host=127.0.0.1|output database: alert, mysql, user=root dbname=snorby host=127.0.0.1 disable_signature_reference_table|g' $BARNYARD2_CONFIG +- fi +- + # start barnyard2 + [ "$BARNYARD2_ENABLED" == "yes" ] && [ -z "$SKIP_BARNYARD2" ] && process_start "barnyard2" "-c $BARNYARD2_CONFIG -u $SENSOR_USER -g $SENSOR_GROUP -d $SENSOR_LOG_DIR -f snort.unified2 -w $BARNYARD2_WALDO -i 1 $BARNYARD2_OPTIONS" "$PROCESS_PID_DIR/$SENSOR/barnyard2.pid" "$PROCESS_LOG_DIR/$SENSOR/barnyard2.log" "barnyard2 (spooler, unified2 format)" + else +@@ -580,12 +577,6 @@ do + touch $WALDO + chown $SENSOR_USER:$SENSOR_GROUP $WALDO + +- # update the barnyard2 config for the new version of barnyard2 +- # that adds the disable_signature_reference_table option +- if ! grep disable_signature_reference_table $BARNYARD2_CONFIG >/dev/null 2>&1; then +- sed -i 's|output database: alert, mysql, user=root dbname=snorby host=127.0.0.1|output database: alert, mysql, user=root dbname=snorby host=127.0.0.1 disable_signature_reference_table|g' $BARNYARD2_CONFIG +- fi +- + # start barnyard2 + [ "$BARNYARD2_ENABLED" == "yes" ] && [ -z "$SKIP_BARNYARD2" ] && process_start "barnyard2" "-c $BARNYARD2_CONFIG -u $SENSOR_USER -g $SENSOR_GROUP -d $UNI_DIR -f snort.unified2 -w $WALDO -i $i $BARNYARD2_OPTIONS" "$PID" "$LOG" "barnyard2-$i (spooler, unified2 format)" + done +--- securityonion-nsmnow-admin-scripts-20120724.orig/usr/sbin/nsm_sensor_ps-status ++++ securityonion-nsmnow-admin-scripts-20120724/usr/sbin/nsm_sensor_ps-status +@@ -377,8 +377,7 @@ do + [ "$PCAP_AGENT_ENABLED" == "yes" ] && [ -z "$SKIP_PCAP_AGENT" ] && process_status "pcap_agent.tcl" "$PROCESS_PID_DIR/$SENSOR/pcap_agent.pid" "pcap_agent (sguil)" + + # snort_agent +- if grep -i "suricata" /etc/nsm/securityonion.conf >/dev/null +- then ++ if [ "$ENGINE" == "suricata" ]; then + [ "$SNORT_AGENT_ENABLED" == "yes" ] && [ -z "$SKIP_SNORT_AGENT" ] && process_status "snort_agent.tcl" "$PROCESS_PID_DIR/$SENSOR/snort_agent.pid" "snort_agent (sguil)" + else + for i in `seq 1 $IDS_LB_PROCS`; do +@@ -387,8 +386,7 @@ do + fi + + # status the IDS engine +- if grep -i "suricata" /etc/nsm/securityonion.conf >/dev/null +- then ++ if [ "$ENGINE" == "suricata" ]; then + [ "$IDS_ENGINE_ENABLED" == "yes" ] && [ -z "$SKIP_SNORT_ALERT" ] && process_status "suricata" "$PROCESS_PID_DIR/$SENSOR/suricata.pid" "suricata (alert data)" + else + for i in `seq 1 $IDS_LB_PROCS`; do +@@ -397,8 +395,7 @@ do + fi + + # status barnyard2 +- if grep -i "suricata" /etc/nsm/securityonion.conf >/dev/null +- then ++ if [ "$ENGINE" == "suricata" ]; then + [ "$BARNYARD2_ENABLED" == "yes" ] && [ -z "$SKIP_BARNYARD2" ] && process_status "barnyard2" "$PROCESS_PID_DIR/$SENSOR/barnyard2.pid" "barnyard2 (spooler, unified2 format)" + else + for i in `seq 1 $IDS_LB_PROCS`; do +--- securityonion-nsmnow-admin-scripts-20120724.orig/usr/sbin/nsm_sensor_ps-stop ++++ securityonion-nsmnow-admin-scripts-20120724/usr/sbin/nsm_sensor_ps-stop +@@ -378,8 +378,7 @@ do + [ "$PCAP_AGENT_ENABLED" == "yes" ] && [ -z "$SKIP_PCAP_AGENT" ] && process_stop "pcap_agent.tcl" "$PROCESS_PID_DIR/$SENSOR/pcap_agent.pid" "pcap_agent (sguil)" + + # stop the snort_agent +- if grep -i "suricata" /etc/nsm/securityonion.conf >/dev/null +- then ++ if [ "$ENGINE" == "suricata" ]; then + [ "$SNORT_AGENT_ENABLED" == "yes" ] && [ -z "$SKIP_SNORT_AGENT" ] && process_stop "snort_agent.tcl" "$PROCESS_PID_DIR/$SENSOR/snort_agent.pid" "snort_agent (sguil)" + else + for i in `seq 1 $IDS_LB_PROCS`; do +@@ -388,8 +387,7 @@ do + fi + + # stop the IDS engine +- if grep -i "suricata" /etc/nsm/securityonion.conf >/dev/null +- then ++ if [ "$ENGINE" == "suricata" ]; then + [ "$IDS_ENGINE_ENABLED" == "yes" ] && [ -z "$SKIP_SNORT_ALERT" ] && process_stop "suricata" "$PROCESS_PID_DIR/$SENSOR/suricata.pid" "suricata (alert data)" + else + for i in `seq 1 $IDS_LB_PROCS`; do +@@ -398,8 +396,7 @@ do + fi + + # stop barnyard2 +- if grep -i "suricata" /etc/nsm/securityonion.conf >/dev/null +- then ++ if [ "$ENGINE" == "suricata" ]; then + [ "$BARNYARD2_ENABLED" == "yes" ] && [ -z "$SKIP_BARNYARD2" ] && process_stop "barnyard2" "$PROCESS_PID_DIR/$SENSOR/barnyard2.pid" "barnyard2 (spooler, unified2 format)" + else + for i in `seq 1 $IDS_LB_PROCS`; do diff --git a/debian/patches/series b/debian/patches/series index 3171d35..2590e06 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -123,3 +123,4 @@ ensure-non-threaded-tcl8.6-for-sguild update-etcinitsecurityonion.conf-to-remove-Snorby-and-add-back-Xplico disable-snorby-output-in-all-barnyard2.conf-files check-for-snorby-output-before-trying-to-disable +Issues-853-854-855 diff --git a/usr/sbin/nsm_sensor_ps-restart b/usr/sbin/nsm_sensor_ps-restart index 471cc9f..7a3434b 100755 --- a/usr/sbin/nsm_sensor_ps-restart +++ b/usr/sbin/nsm_sensor_ps-restart @@ -468,7 +468,7 @@ do [ "$PCAP_AGENT_ENABLED" == "yes" ] && [ -z "$SKIP_PCAP_AGENT" ] && $ACTION "/usr/bin/pcap_agent.tcl" "-c $PCAP_AGENT_CONFIG" "$PROCESS_PID_DIR/$SENSOR/pcap_agent.pid" "$PROCESS_LOG_DIR/$SENSOR/pcap_agent.log" "pcap_agent (sguil)" "$SENSOR_USER" # restart snort_agent - if grep -i "suricata" /etc/nsm/securityonion.conf >/dev/null; then + if [ "$ENGINE" == "suricata" ]; then [ "$SNORT_AGENT_ENABLED" == "yes" ] && [ -z "$SKIP_SNORT_AGENT" ] && $ACTION "/usr/bin/snort_agent.tcl" "-c $SNORT_AGENT_CONFIG" "$PROCESS_PID_DIR/$SENSOR/snort_agent.pid" "$PROCESS_LOG_DIR/$SENSOR/snort_agent.log" "snort_agent (sguil)" "$SENSOR_USER" else for i in `seq 1 $IDS_LB_PROCS`; do @@ -514,13 +514,17 @@ do sed -i "s|^config daq_var: clusterid=.*$|config daq_var: clusterid=$CLUSTER_ID|g" /etc/nsm/$SENSOR/snort.conf # Update suricata.yaml with new $CLUSTER_ID sed -i "s|cluster-id:.*$|cluster-id: $CLUSTER_ID|g" /etc/nsm/$SENSOR/suricata.yaml - if grep -i "suricata" /etc/nsm/securityonion.conf >/dev/null - then + # PF_RING 6.2.0 won't allow an empty BPF file + BPF_OPTION="" + BPF_IDS=/etc/nsm/$SENSOR/bpf-ids.conf + [ -s $BPF_IDS ] && BPF_OPTION="-F $BPF_IDS" + # Suricata or Snort? + if [ "$ENGINE" == "suricata" ]; then # copy IDS_LB_PROCS from sensor.conf IDS_LB_PROCS=`grep IDS_LB_PROCS /etc/nsm/$SENSOR/sensor.conf | cut -d\= -f2` sed -i "s| threads: .*| threads: $IDS_LB_PROCS|g" /etc/nsm/$SENSOR/suricata.yaml # start Suricata - [ "$IDS_ENGINE_ENABLED" == "yes" ] && [ -z "$SKIP_SNORT_ALERT" ] && $ACTION "suricata" "--user $SENSOR_USER --group $SENSOR_GROUP -c /etc/nsm/$SENSOR/suricata.yaml --pfring=$SENSOR_INTERFACE_SHORT -F /etc/nsm/$SENSOR/bpf-ids.conf -l $SENSOR_LOG_DIR " "$PROCESS_PID_DIR/$SENSOR/suricata.pid" "$PROCESS_LOG_DIR/$SENSOR/suricata.log" "suricata (alert data)" + [ "$IDS_ENGINE_ENABLED" == "yes" ] && [ -z "$SKIP_SNORT_ALERT" ] && $ACTION "suricata" "--user $SENSOR_USER --group $SENSOR_GROUP -c /etc/nsm/$SENSOR/suricata.yaml --pfring=$SENSOR_INTERFACE_SHORT $BPF_OPTION -l $SENSOR_LOG_DIR " "$PROCESS_PID_DIR/$SENSOR/suricata.pid" "$PROCESS_LOG_DIR/$SENSOR/suricata.log" "suricata (alert data)" else # Need to set a unique PF_RING CLUSTER_ID for each interface CLUSTER_ID=`grep -n $SENSOR /etc/nsm/sensortab |cut -d\: -f1`; let CLUSTER_ID+=50 @@ -533,27 +537,20 @@ do UNI_DIR=$SENSOR_LOG_DIR/snort-$i mkdir -p $UNI_DIR chown $SENSOR_USER:$SENSOR_GROUP $UNI_DIR - [ "$IDS_ENGINE_ENABLED" == "yes" ] && [ -z "$SKIP_SNORT_ALERT" ] && $ACTION "snort" "-c $SNORT_CONFIG -u $SENSOR_USER -g $SENSOR_GROUP -i $SENSOR_INTERFACE_SHORT -F /etc/nsm/$SENSOR/bpf-ids.conf -l $UNI_DIR --perfmon-file $PERFMON $SNORT_OPTIONS" "$PID" "$LOG" "snort-$i (alert data)" + [ "$IDS_ENGINE_ENABLED" == "yes" ] && [ -z "$SKIP_SNORT_ALERT" ] && $ACTION "snort" "-c $SNORT_CONFIG -u $SENSOR_USER -g $SENSOR_GROUP -i $SENSOR_INTERFACE_SHORT $BPF_OPTION -l $UNI_DIR --perfmon-file $PERFMON $SNORT_OPTIONS" "$PID" "$LOG" "snort-$i (alert data)" done fi # restart barnyard2 # If running Suricata, we only have a single instance of barnyard2. # If running Snort with pfring load-balancing, we have one instance of barnyard2 per Snort instance. - if grep -i "suricata" /etc/nsm/securityonion.conf >/dev/null - then + if [ "$ENGINE" == "suricata" ]; then # we only have a single instance of barnyard2 # make sure the waldo file exists and is owned by proper user touch $BARNYARD2_WALDO chown $SENSOR_USER:$SENSOR_GROUP $BARNYARD2_WALDO - # update the barnyard2 config for the new version of barnyard2 - # that adds the disable_signature_reference_table option - if ! grep disable_signature_reference_table $BARNYARD2_CONFIG >/dev/null 2>&1; then - sed -i 's|output database: alert, mysql, user=root dbname=snorby host=127.0.0.1|output database: alert, mysql, user=root dbname=snorby host=127.0.0.1 disable_signature_reference_table|g' $BARNYARD2_CONFIG - fi - # start barnyard2 [ "$BARNYARD2_ENABLED" == "yes" ] && [ -z "$SKIP_BARNYARD2" ] && $ACTION "barnyard2" "-c $BARNYARD2_CONFIG -u $SENSOR_USER -g $SENSOR_GROUP -d $SENSOR_LOG_DIR -f snort.unified2 -w $BARNYARD2_WALDO -i 1 $BARNYARD2_OPTIONS" "$PROCESS_PID_DIR/$SENSOR/barnyard2.pid" "$PROCESS_LOG_DIR/$SENSOR/barnyard2.log" "barnyard2 (spooler, unified2 format)" else @@ -575,12 +572,6 @@ do touch $WALDO chown $SENSOR_USER:$SENSOR_GROUP $WALDO - # update the barnyard2 config for the new version of barnyard2 - # that adds the disable_signature_reference_table option - if ! grep disable_signature_reference_table $BARNYARD2_CONFIG >/dev/null 2>&1; then - sed -i 's|output database: alert, mysql, user=root dbname=snorby host=127.0.0.1|output database: alert, mysql, user=root dbname=snorby host=127.0.0.1 disable_signature_reference_table|g' $BARNYARD2_CONFIG - fi - # start barnyard2 [ "$BARNYARD2_ENABLED" == "yes" ] && [ -z "$SKIP_BARNYARD2" ] && $ACTION "barnyard2" "-c $BARNYARD2_CONFIG -u $SENSOR_USER -g $SENSOR_GROUP -d $UNI_DIR -f snort.unified2 -w $WALDO -i $i $BARNYARD2_OPTIONS" "$PID" "$LOG" "barnyard2-$i (spooler, unified2 format)" done diff --git a/usr/sbin/nsm_sensor_ps-start b/usr/sbin/nsm_sensor_ps-start index 997d862..926f788 100755 --- a/usr/sbin/nsm_sensor_ps-start +++ b/usr/sbin/nsm_sensor_ps-start @@ -472,7 +472,7 @@ do [ "$PCAP_AGENT_ENABLED" == "yes" ] && [ -z "$SKIP_PCAP_AGENT" ] && process_start "/usr/bin/pcap_agent.tcl" "-c $PCAP_AGENT_CONFIG" "$PROCESS_PID_DIR/$SENSOR/pcap_agent.pid" "$PROCESS_LOG_DIR/$SENSOR/pcap_agent.log" "pcap_agent (sguil)" "$SENSOR_USER" # need multiple snort_agents if running multiple snorts - if grep -i "suricata" /etc/nsm/securityonion.conf >/dev/null; then + if [ "$ENGINE" == "suricata" ]; then [ "$SNORT_AGENT_ENABLED" == "yes" ] && [ -z "$SKIP_SNORT_AGENT" ] && process_start "/usr/bin/snort_agent.tcl" "-c $SNORT_AGENT_CONFIG" "$PROCESS_PID_DIR/$SENSOR/snort_agent.pid" "$PROCESS_LOG_DIR/$SENSOR/snort_agent.log" "snort_agent (sguil)" "$SENSOR_USER" else # Start $IDS_LB_PROCS instances of snort_agent @@ -522,13 +522,17 @@ do sed -i "s|^config daq_var: clusterid=.*$|config daq_var: clusterid=$CLUSTER_ID|g" /etc/nsm/$SENSOR/snort.conf # Update suricata.yaml with new $CLUSTER_ID sed -i "s|cluster-id:.*$|cluster-id: $CLUSTER_ID|g" /etc/nsm/$SENSOR/suricata.yaml - if grep -i "suricata" /etc/nsm/securityonion.conf >/dev/null - then + # PF_RING 6.2.0 won't allow an empty BPF file + BPF_OPTION="" + BPF_IDS=/etc/nsm/$SENSOR/bpf-ids.conf + [ -s $BPF_IDS ] && BPF_OPTION="-F $BPF_IDS" + # Snort or Suricata? + if [ "$ENGINE" == "suricata" ]; then # copy IDS_LB_PROCS from sensor.conf IDS_LB_PROCS=`grep IDS_LB_PROCS /etc/nsm/$SENSOR/sensor.conf | cut -d\= -f2` sed -i "s| threads: .*| threads: $IDS_LB_PROCS|g" /etc/nsm/$SENSOR/suricata.yaml # start Suricata - [ "$IDS_ENGINE_ENABLED" == "yes" ] && [ -z "$SKIP_SNORT_ALERT" ] && process_start "suricata" "--user $SENSOR_USER --group $SENSOR_GROUP -c /etc/nsm/$SENSOR/suricata.yaml --pfring=$SENSOR_INTERFACE_SHORT -F /etc/nsm/$SENSOR/bpf-ids.conf -l $SENSOR_LOG_DIR " "$PROCESS_PID_DIR/$SENSOR/suricata.pid" "$PROCESS_LOG_DIR/$SENSOR/suricata.log" "suricata (alert data)" + [ "$IDS_ENGINE_ENABLED" == "yes" ] && [ -z "$SKIP_SNORT_ALERT" ] && process_start "suricata" "--user $SENSOR_USER --group $SENSOR_GROUP -c /etc/nsm/$SENSOR/suricata.yaml --pfring=$SENSOR_INTERFACE_SHORT $BPF_OPTION -l $SENSOR_LOG_DIR " "$PROCESS_PID_DIR/$SENSOR/suricata.pid" "$PROCESS_LOG_DIR/$SENSOR/suricata.log" "suricata (alert data)" else # Start $IDS_LB_PROCS instances of Snort using pfring load-balancing for i in `seq 1 $IDS_LB_PROCS`; do @@ -538,27 +542,20 @@ do UNI_DIR=$SENSOR_LOG_DIR/snort-$i mkdir -p $UNI_DIR chown $SENSOR_USER:$SENSOR_GROUP $UNI_DIR - [ "$IDS_ENGINE_ENABLED" == "yes" ] && [ -z "$SKIP_SNORT_ALERT" ] && process_start "snort" "-c $SNORT_CONFIG -u $SENSOR_USER -g $SENSOR_GROUP -i $SENSOR_INTERFACE_SHORT -F /etc/nsm/$SENSOR/bpf-ids.conf -l $UNI_DIR --perfmon-file $PERFMON $SNORT_OPTIONS" "$PID" "$LOG" "snort-$i (alert data)" + [ "$IDS_ENGINE_ENABLED" == "yes" ] && [ -z "$SKIP_SNORT_ALERT" ] && process_start "snort" "-c $SNORT_CONFIG -u $SENSOR_USER -g $SENSOR_GROUP -i $SENSOR_INTERFACE_SHORT $BPF_OPTION -l $UNI_DIR --perfmon-file $PERFMON $SNORT_OPTIONS" "$PID" "$LOG" "snort-$i (alert data)" done fi # start barnyard2 # If running Suricata, we only need a single instance of barnyard2. # If running Snort with pfring load-balancing, we need one instance of barnyard2 per Snort instance. - if grep -i "suricata" /etc/nsm/securityonion.conf >/dev/null - then + if [ "$ENGINE" == "suricata" ]; then # we only need a single instance of barnyard2 for suricata # make sure the waldo file exists and is owned by proper user touch $BARNYARD2_WALDO chown $SENSOR_USER:$SENSOR_GROUP $BARNYARD2_WALDO - # update the barnyard2 config for the new version of barnyard2 - # that adds the disable_signature_reference_table option - if ! grep disable_signature_reference_table $BARNYARD2_CONFIG >/dev/null 2>&1; then - sed -i 's|output database: alert, mysql, user=root dbname=snorby host=127.0.0.1|output database: alert, mysql, user=root dbname=snorby host=127.0.0.1 disable_signature_reference_table|g' $BARNYARD2_CONFIG - fi - # start barnyard2 [ "$BARNYARD2_ENABLED" == "yes" ] && [ -z "$SKIP_BARNYARD2" ] && process_start "barnyard2" "-c $BARNYARD2_CONFIG -u $SENSOR_USER -g $SENSOR_GROUP -d $SENSOR_LOG_DIR -f snort.unified2 -w $BARNYARD2_WALDO -i 1 $BARNYARD2_OPTIONS" "$PROCESS_PID_DIR/$SENSOR/barnyard2.pid" "$PROCESS_LOG_DIR/$SENSOR/barnyard2.log" "barnyard2 (spooler, unified2 format)" else @@ -580,12 +577,6 @@ do touch $WALDO chown $SENSOR_USER:$SENSOR_GROUP $WALDO - # update the barnyard2 config for the new version of barnyard2 - # that adds the disable_signature_reference_table option - if ! grep disable_signature_reference_table $BARNYARD2_CONFIG >/dev/null 2>&1; then - sed -i 's|output database: alert, mysql, user=root dbname=snorby host=127.0.0.1|output database: alert, mysql, user=root dbname=snorby host=127.0.0.1 disable_signature_reference_table|g' $BARNYARD2_CONFIG - fi - # start barnyard2 [ "$BARNYARD2_ENABLED" == "yes" ] && [ -z "$SKIP_BARNYARD2" ] && process_start "barnyard2" "-c $BARNYARD2_CONFIG -u $SENSOR_USER -g $SENSOR_GROUP -d $UNI_DIR -f snort.unified2 -w $WALDO -i $i $BARNYARD2_OPTIONS" "$PID" "$LOG" "barnyard2-$i (spooler, unified2 format)" done diff --git a/usr/sbin/nsm_sensor_ps-status b/usr/sbin/nsm_sensor_ps-status index b90bed9..aa19282 100755 --- a/usr/sbin/nsm_sensor_ps-status +++ b/usr/sbin/nsm_sensor_ps-status @@ -377,8 +377,7 @@ do [ "$PCAP_AGENT_ENABLED" == "yes" ] && [ -z "$SKIP_PCAP_AGENT" ] && process_status "pcap_agent.tcl" "$PROCESS_PID_DIR/$SENSOR/pcap_agent.pid" "pcap_agent (sguil)" # snort_agent - if grep -i "suricata" /etc/nsm/securityonion.conf >/dev/null - then + if [ "$ENGINE" == "suricata" ]; then [ "$SNORT_AGENT_ENABLED" == "yes" ] && [ -z "$SKIP_SNORT_AGENT" ] && process_status "snort_agent.tcl" "$PROCESS_PID_DIR/$SENSOR/snort_agent.pid" "snort_agent (sguil)" else for i in `seq 1 $IDS_LB_PROCS`; do @@ -387,8 +386,7 @@ do fi # status the IDS engine - if grep -i "suricata" /etc/nsm/securityonion.conf >/dev/null - then + if [ "$ENGINE" == "suricata" ]; then [ "$IDS_ENGINE_ENABLED" == "yes" ] && [ -z "$SKIP_SNORT_ALERT" ] && process_status "suricata" "$PROCESS_PID_DIR/$SENSOR/suricata.pid" "suricata (alert data)" else for i in `seq 1 $IDS_LB_PROCS`; do @@ -397,8 +395,7 @@ do fi # status barnyard2 - if grep -i "suricata" /etc/nsm/securityonion.conf >/dev/null - then + if [ "$ENGINE" == "suricata" ]; then [ "$BARNYARD2_ENABLED" == "yes" ] && [ -z "$SKIP_BARNYARD2" ] && process_status "barnyard2" "$PROCESS_PID_DIR/$SENSOR/barnyard2.pid" "barnyard2 (spooler, unified2 format)" else for i in `seq 1 $IDS_LB_PROCS`; do diff --git a/usr/sbin/nsm_sensor_ps-stop b/usr/sbin/nsm_sensor_ps-stop index 660bb0d..1ab022e 100755 --- a/usr/sbin/nsm_sensor_ps-stop +++ b/usr/sbin/nsm_sensor_ps-stop @@ -378,8 +378,7 @@ do [ "$PCAP_AGENT_ENABLED" == "yes" ] && [ -z "$SKIP_PCAP_AGENT" ] && process_stop "pcap_agent.tcl" "$PROCESS_PID_DIR/$SENSOR/pcap_agent.pid" "pcap_agent (sguil)" # stop the snort_agent - if grep -i "suricata" /etc/nsm/securityonion.conf >/dev/null - then + if [ "$ENGINE" == "suricata" ]; then [ "$SNORT_AGENT_ENABLED" == "yes" ] && [ -z "$SKIP_SNORT_AGENT" ] && process_stop "snort_agent.tcl" "$PROCESS_PID_DIR/$SENSOR/snort_agent.pid" "snort_agent (sguil)" else for i in `seq 1 $IDS_LB_PROCS`; do @@ -388,8 +387,7 @@ do fi # stop the IDS engine - if grep -i "suricata" /etc/nsm/securityonion.conf >/dev/null - then + if [ "$ENGINE" == "suricata" ]; then [ "$IDS_ENGINE_ENABLED" == "yes" ] && [ -z "$SKIP_SNORT_ALERT" ] && process_stop "suricata" "$PROCESS_PID_DIR/$SENSOR/suricata.pid" "suricata (alert data)" else for i in `seq 1 $IDS_LB_PROCS`; do @@ -398,8 +396,7 @@ do fi # stop barnyard2 - if grep -i "suricata" /etc/nsm/securityonion.conf >/dev/null - then + if [ "$ENGINE" == "suricata" ]; then [ "$BARNYARD2_ENABLED" == "yes" ] && [ -z "$SKIP_BARNYARD2" ] && process_stop "barnyard2" "$PROCESS_PID_DIR/$SENSOR/barnyard2.pid" "barnyard2 (spooler, unified2 format)" else for i in `seq 1 $IDS_LB_PROCS`; do