snort: Also monitor assigned alias addresses on red.
| Field | Value |
|---|---|
| Message ID | DUB406-EAS200DC98D1C2F670F0F781B99C3D0@phx.gbl |
| State | Not Applicable, archived |
Message
Blago Culjak
Oct. 17, 2015, 3:53 a.m. UTC
Hello Stefan,

Do you think this fix is also possible for IDS on green?

There are multiple topics on the forum about this issue. IDS on green doesn't work.

Sent from my Windows Phone
Comments
> Hello Stefan,
> Do you think this fix is also possible for IDS on green?
>
> There are multiple topics on the forum about this issue. IDS on green
> doesn't work.

Hello Blago,

the problem you described does not belong to the one discussed here. This issue will be one of the next ones on my list.

-Stefan

>
>
> Sent from my Windows Phone
>
>
> > From:
> > Stefan Schantl
> > Sent:
> > 16.10.2015. 18:49
> > To:
> > development@lists.ipfire.org
> > Subject:
> > [PATCH] snort: Also monitor assigned alias addresses on red.
> >
> >
> > These changes will allow snort to also inspect the traffic for
> > one or more configured alias addresses, which has not been done in the past.
> >
> > The current situation is that snort, if enabled on red, only inspects
> > the traffic which is destined to the statically configured red address.
> >
> > If some alias addresses have been assigned to the red interface, the
> > traffic to these addresses will not be checked by snort and
> > completely bypasses the IDS.
> >
> > There is no user interaction required, nor visible effects or any
> > backward-compatibility required, only a restart of snort after the
> > update process to protect all red addresses.
> >
> > To do this we will now check if the RED interface has been set to STATIC (which
> > is required to use the aliases function) and any aliases have been configured. In
> > case of this, the modified code will add all enabled alias addresses to the HOMENET
> > variable in which snort is storing all the monitored addresses.
> >
> > Fixes #10619.
> >
> > Signed-off-by: Stefan Schantl
> > ---
> > src/initscripts/init.d/snort | 15 +++++++++++++++
> > 1 file changed, 15 insertions(+)
> >
> > diff --git a/src/initscripts/init.d/snort b/src/initscripts/init.d/snort
> > index e03c80f..58edf1e 100644
> > --- a/src/initscripts/init.d/snort
> > +++ b/src/initscripts/init.d/snort
> > @@ -20,6 +20,8 @@ PATH=/usr/local/sbin:/usr/local/bin:/bin:/usr/bin:/sbin:/usr/sbin; export PATH > > eval $(/usr/local/bin/readhash /var/ipfire/ethernet/settings) > > eval $(/usr/local/bin/readhash /var/ipfire/snort/settings) > > > > +ALIASFILE="/var/ipfire/ethernet/aliases" > > + > > case "$1" in > > start) > > if [ "$BLUE_NETADDRESS" ]; then > > @@ -59,6 +61,19 @@ case "$1" in > > if [ "$LOCAL_IP" ]; then > > HOMENET+="$LOCAL_IP," > > fi > > + > > + # Check if the red device is set to static and > > + # any aliases have been configured. > > + if [ "${RED_TYPE}" == "STATIC" ] && [ -s "${ALIASFILE}" ]; then > > + # Read in aliases file. > > + while IFS="," read -r address mode remark; do > > + # Check if the alias is enabled. > > + [ "${mode}" = "on" ] || continue > > + > > + # Add alias to the list of HOMENET addresses. > > + HOMENET+="${address}," > > + done < "${ALIASFILE}" > > + fi > > fi > > HOMENET+="127.0.0.1" > > echo "ipvar HOME_NET [$HOMENET]" > /etc/snort/vars >
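Review bot: The first hunk introduces `ALIASFILE="/var/ipfire/ethernet/aliases"` without documenting the per-line layout that the later loop depends on; a one-line comment beside the definition stating that each line is `address,mode,remark` would make that coupling visible to the next person editing either place. Placing the definition after the two `readhash` evals and before `case "$1" in` is fine, since it is then set for every action of the script.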
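Review bot: The `while IFS="," read -r address mode remark; do ... done < "${ALIASFILE}"` loop in the second hunk silently drops the last alias when the file lacks a trailing newline, because `read` returns non-zero on a final unterminated line and the loop body never runs for it; `while IFS="," read -r address mode remark || [ -n "${address}" ]; do` covers that case. The loop also appends `${address}` to HOMENET without checking it, so an empty or malformed line with `mode` set to `on` lands in the `ipvar HOME_NET [$HOMENET]` line written to /etc/snort/vars and risks a variable snort cannot parse; a `[ -n "${address}" ] || continue` guard next to the existing mode check is cheap. Finally, `[ "${RED_TYPE}" == "STATIC" ]` uses the bash-only `==` while the line below uses the POSIX `=` (`[ "${mode}" = "on" ]`); use `=` in both for consistency and portability.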