Message ID | 20190318184625.3095-1-stefan.schantl@ipfire.org |
---|---|
State | Accepted |
Headers | From: Stefan Schantl <stefan.schantl@ipfire.org> To: development@lists.ipfire.org Subject: [PATCH] core 130: Remove snort settings dir after convert has run. Date: Mon, 18 Mar 2019 19:46:25 +0100 Message-Id: <20190318184625.3095-1-stefan.schantl@ipfire.org> X-Mailer: git-send-email 2.20.1 |
Series | core 130: Remove snort settings dir after convert has run. |
Commit Message
Stefan Schantl
March 19, 2019, 5:46 a.m. UTC
When all settings have been converted, the files and directory are not
needed anymore.
If they are left and a backup is restored at a later time, the
converter will be started by the backup script again and would restore those
old snort settings and replace the current IPS settings.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
---
config/rootfiles/core/130/update.sh | 3 +++
1 file changed, 3 insertions(+)
Comments
Hi, What happens when the converter has failed? Is that a possibility? -Michael > On 18 Mar 2019, at 18:46, Stefan Schantl <stefan.schantl@ipfire.org> wrote: > > When all settings have been converted, the files and directory are not > needed anymore. > > If they will be left and at a later time an backup will be restored, the > converter will be started by the backup script again and would be restore those > old snort settings and replace the current IPS settings. > > Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org> > --- > config/rootfiles/core/130/update.sh | 3 +++ > 1 file changed, 3 insertions(+) > > diff --git a/config/rootfiles/core/130/update.sh b/config/rootfiles/core/130/update.sh > index d33321c32..f3dc0d85a 100644 > --- a/config/rootfiles/core/130/update.sh > +++ b/config/rootfiles/core/130/update.sh > @@ -74,6 +74,9 @@ ldconfig > # Migrate snort configuration to suricata > /usr/sbin/convert-snort > > +# Remove snort settings > +rm -rvf /var/ipfire/snort > + > # Start services > /etc/init.d/collectd restart > /etc/init.d/firewall restart > -- > 2.20.1 >
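Review bot: the added `rm -rvf /var/ipfire/snort` runs unconditionally right after `/usr/sbin/convert-snort`, so the old settings are deleted even when the converter exits with an error. Gate the removal on the converter's exit status, for example `/usr/sbin/convert-snort && rm -rvf /var/ipfire/snort`, or move the removal into the converter so that update.sh and the backup restore path share one place for it.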
Hello Michael,

> Hi,
>
> What happens when the converter has failed? Is that a possibility?

There is almost no risk that this would happen.

It contains checks if all corresponding files are present and will contain the settings from them - I do not see a case where any problems can happen.

Best regards,

-Stefan
Almost?

How is this directory removed when a backup was restored?

-Michael
> Almost?

As long as the files are present, the settings will be converted. Maybe in special cases, if a user does something really weird, the converter will fail, but in this case I think it would even be better to start a new clean IPS configuration.

> How is this directory removed when a backup was restored?

By the backup.pl script. It checks if after the backup a snort settings dir (/var/ipfire/snort) exists, launches the converter and afterwards deletes the directory.

See:

https://git.ipfire.org/?p=ipfire-2.x.git;a=commit;h=8c27372438dd267648cba48b86d85a594f14be1c
Hi,

I do not see why the converter does not take care of the removal. That would only be one place.

But I will merge this if you want me to.

-Michael
> Hi,
>
> I do not see why the converter does not take care of the removal.
> That would only be one place.

Me, too - I simply implemented it in the same way all other converters will be handled by the backup.pl script....

But I found another really important issue in the core 130 update.sh and the converter.

The "/etc/snort/snort.conf" will be deleted very early. Exactly before the converter has had the chance to read the settings from this file.

I'll send a patch to do the removal of the whole snort stuff and the settings in one step after the converter has done its work, if you agree with me.

> But I will merge this if you want me to.
>
> -Michael
Why would the converter read snort.conf?

I agree.
> Why would the converter read snort.conf?

Because the enabled rule files (categories) are stored in this file.

> I agree.

Thanks, so please ignore the current patch.

I'll send a new one to take care of all of this.
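The ordering this thread converges on, as an added example that is not IPFire's update.sh or converter: run the converter while its legacy inputs still exist, and remove them only when it exits successfully. `migrate_then_cleanup`, `stub_converter`, `run_case` and the temp-dir layout (including `new-ips/`) are hypothetical stand-ins for `/usr/sbin/convert-snort`, `/var/ipfire/snort` and `/etc/snort/snort.conf`.

```shell
#!/bin/sh
# Added example, not IPFire code. All paths live under a temp dir and are
# constructed stand-ins for the locations named in the thread.

# migrate_then_cleanup CONVERTER LEGACY_PATH...
# Runs the converter first, while every legacy input still exists, and
# removes the legacy paths only if the converter exited successfully.
migrate_then_cleanup() {
    converter=$1
    shift

    if ! "$converter"; then
        echo "converter failed, keeping legacy settings: $*" >&2
        return 1
    fi

    for path in "$@"; do
        # Refuse empty or root paths before a recursive delete.
        case "$path" in
            ""|"/") echo "refusing to remove '$path'" >&2; return 2 ;;
        esac
        rm -rf -- "$path"
    done
    return 0
}

# Constructed stand-in for the converter: it needs the settings dir AND
# snort.conf (where the enabled rule categories are stored).
stub_converter() {
    [ -r "$ROOT/var/ipfire/snort/settings" ] || return 1
    [ -r "$ROOT/etc/snort/snort.conf" ] || return 1
    cat "$ROOT/var/ipfire/snort/settings" "$ROOT/etc/snort/snort.conf" \
        > "$ROOT/new-ips/settings"
}

# run_case MODE
# Builds a constructed legacy layout, runs the migration and prints
# "<exit status>:<state of the legacy settings dir>".
#   ok            both inputs present when the converter runs
#   early-delete  snort.conf removed before the converter runs
run_case() {
    ROOT=$(mktemp -d) || return 1
    mkdir -p "$ROOT/var/ipfire/snort" "$ROOT/etc/snort" "$ROOT/new-ips"
    echo 'ENABLE_SNORT=on' > "$ROOT/var/ipfire/snort/settings"
    echo 'include $RULE_PATH/scan.rules' > "$ROOT/etc/snort/snort.conf"

    if [ "$1" = early-delete ]; then
        rm -f "$ROOT/etc/snort/snort.conf"
    fi

    rc=0
    migrate_then_cleanup stub_converter \
        "$ROOT/var/ipfire/snort" "$ROOT/etc/snort" || rc=$?

    if [ -d "$ROOT/var/ipfire/snort" ]; then
        state=kept
    else
        state=removed
    fi
    echo "$rc:$state"
    rm -rf -- "$ROOT"
}

run_case ok            # prints 0:removed
run_case early-delete  # prints 1:kept
```

In the `early-delete` case the converter cannot read its input, so the settings dir is left in place for a later retry instead of being deleted.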
Okay...
Hi,

>>>> As long as the files are present, the settings will be converted.

I did tune snort using official documentation - I did create threshold.conf which contains all treatment for special traffic like false positives, IP range exclusions for a signature or multiple snort signatures that trigger false positives.

Will such customization (as defined in snort manual) be transferred or simply erased?

>>>> Maybe in special cases, if a user does something really weird, the
>>>> converter will fail, but in this case I think it would even be
>>>> better to start a new clean IPS configuration.

Will creation of threshold.conf be considered weird?

Thanks,
Horace

--
Horace Michael (aka H&M)

Please excuse my typos and brevity.
Sent from a Smartphone.
Hello,

Only the settings from /var/ipfire/ids/settings will be transferred. Suricata uses a different configuration file syntax.

-Michael

> On 18 Mar 2019, at 19:20, Horace Michael <horace.michael@gmx.com> wrote:
>
> Hi,
>
> On March 18, 2019 7:12:35 PM UTC, Michael Tremer <michael.tremer@ipfire.org> wrote:
>> Why would the converter read snort.conf?
>>
>> I agree.
>>
>>> On 18 Mar 2019, at 19:11, Stefan Schantl <stefan.schantl@ipfire.org> wrote:
>>>
>>>> Hi,
>>>>
>>>> I do not see why the converter does not take care of the removal.
>>>> That would only be one place.
>>>
>>> Me, too - I simply implemented it in the same way all other converters
>>> will be handled by the backup.pl script....
>>>
>>> But I found another really important issue in the core 130 update.sh
>>> and the converter.
>>>
>>> The "/etc/snort/snort.conf" will be deleted very early. Exactly before
>>> the converter has had the chance to read the settings from this file.
>>>
>>> I'll send a patch to do the removal of the whole snort stuff and the
>>> settings in one step after the converter has done its work, if you
>>> agree with me.
>>>
>>>>
>>>> But I will merge this if you want me to.
>>>>
>>>> -Michael
>>>>
>>>>> On 18 Mar 2019, at 19:04, Stefan Schantl <stefan.schantl@ipfire.org> wrote:
>>>>>
>>>>>> Almost?
>>>>>
>>>>> As long as the files are present, the settings will be converted.
>
> I tuned snort using official documentation - I created threshold.conf which contains all treatment for special traffic like false positives, IP range exclusions for a signature or multiple snort signatures that trigger false positives.
>
> Will such customization (as defined in snort manual) be transferred or simply erased?
>
>>>>> Maybe in special cases, if a user does something really weird, the
>>>>> converter will fail, but in this case I think it would even be better
>>>>> to start a new clean IPS configuration.
>
> Will creation of threshold.conf be considered weird?
>
> Thanks,
> Horace
>
>
>>>>>
>>>>>> How is this directory removed when a backup was restored?
>>>>>>
>>>>>
>>>>> By the backup.pl script. It checks if after the backup a snort settings
>>>>> dir (/var/ipfire/snort) exists, launches the converter and afterwards
>>>>> deletes the directory.
>>>>>
>>>>> See:
>>>>>
>>>>> https://git.ipfire.org/?p=ipfire-2.x.git;a=commit;h=8c27372438dd267648cba48b86d85a594f14be1c
>>>>>
>>>>>> -Michael
>>>>>>
>>>>>>> On 18 Mar 2019, at 18:56, Stefan Schantl <stefan.schantl@ipfire.org> wrote:
>>>>>>>
>>>>>>> Hello Michael,
>>>>>>>> Hi,
>>>>>>>>
>>>>>>>> What happens when the converter has failed? Is that a possibility?
>>>>>>>
>>>>>>> There is almost no risk that this would happen.
>>>>>>>
>>>>>>> It contains checks if all corresponding files are present and will
>>>>>>> contain the settings from them - I do not see a case where any problems
>>>>>>> can happen.
>>>>>>>
>>>>>>> Best regards,
>>>>>>>
>>>>>>> -Stefan
>>>>>>>
>>>>>>>> -Michael
>>>>>>>>
>>>>>>>>> On 18 Mar 2019, at 18:46, Stefan Schantl <stefan.schantl@ipfire.org> wrote:
>>>>>>>>>
>>>>>>>>> When all settings have been converted, the files and directory are not
>>>>>>>>> needed anymore.
>>>>>>>>>
>>>>>>>>> If they will be left and at a later time a backup will be restored, the
>>>>>>>>> converter will be started by the backup script again and would restore those
>>>>>>>>> old snort settings and replace the current IPS settings.
>>>>>>>>>
>>>>>>>>> Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
>>>>>>>>> ---
>>>>>>>>> config/rootfiles/core/130/update.sh | 3 +++
>>>>>>>>> 1 file changed, 3 insertions(+)
>>>>>>>>>
>>>>>>>>> diff --git a/config/rootfiles/core/130/update.sh >>>>>>>>> b/config/rootfiles/core/130/update.sh >>>>>>>>> index d33321c32..f3dc0d85a 100644 >>>>>>>>> --- a/config/rootfiles/core/130/update.sh >>>>>>>>> +++ b/config/rootfiles/core/130/update.sh >>>>>>>>> @@ -74,6 +74,9 @@ ldconfig >>>>>>>>> # Migrate snort configuration to suricata >>>>>>>>> /usr/sbin/convert-snort >>>>>>>>> >>>>>>>>> +# Remove snort settings >>>>>>>>> +rm -rvf /var/ipfire/snort >>>>>>>>> + >>>>>>>>> # Start services >>>>>>>>> /etc/init.d/collectd restart >>>>>>>>> /etc/init.d/firewall restart >>>>>>>>> -- >>>>>>>>> 2.20.1 >>>>>>>>> > > -- > Horace Michael (aka H&M) > Please excuse my typos and brevity. Sent from a Smartphone.
>
> Hi,
>
> On March 18, 2019 7:12:35 PM UTC, Michael Tremer <michael.tremer@ipfire.org> wrote:
> > Why would the converter read snort.conf?
> >
> > I agree.
> >
> > > On 18 Mar 2019, at 19:11, Stefan Schantl <stefan.schantl@ipfire.org> wrote:
> > > > Hi,
> > > >
> > > > I do not see why the converter does not take care of the removal.
> > > > That would only be one place.
> > >
> > > Me, too - I simply implemented it in the same way all other converters
> > > will be handled by the backup.pl script....
> > >
> > > But I found another really important issue in the core 130 update.sh
> > > and the converter.
> > >
> > > The "/etc/snort/snort.conf" will be deleted very early. Exactly before
> > > the converter has had the chance to read the settings from this file.
> > > I'll send a patch to do the removal of the whole snort stuff and the
> > > settings in one step after the converter has done its work, if you
> > > agree with me.
> > >
> > > > But I will merge this if you want me to.
> > > >
> > > > -Michael
> > > >
> > > > > On 18 Mar 2019, at 19:04, Stefan Schantl <stefan.schantl@ipfire.org> wrote:
> > > > > > Almost?
> > > > >
> > > > > As long as the files are present, the settings will be converted.
>
> I tuned snort using official documentation - I created threshold.conf which contains all treatment for special traffic like false positives, IP range exclusions for a signature or multiple snort signatures that trigger false positives.
>
> Will such customization (as defined in snort manual) be transferred or simply erased?

Hello Horace,

the threshold.conf will not be touched or read by the converter script, so any custom settings will not be converted and because the file is located in "/etc/snort/" it would be deleted (!) during update.

>
> > > > > Maybe in special cases, if a user does something really weird, the
> > > > > converter will fail, but in this case I think it would even be better
> > > > > to start a new clean IPS configuration.
>
> Will creation of threshold.conf be considered weird?
>
> Thanks,
> Horace
>
>
> > > > > > How is this directory removed when a backup was restored?
> > > > > >
> > > > >
> > > > > By the backup.pl script. It checks if after the backup a snort settings
> > > > > dir (/var/ipfire/snort) exists, launches the converter and afterwards
> > > > > deletes the directory.
> > > > >
> > > > > See:
> > > > >
> > > > > https://git.ipfire.org/?p=ipfire-2.x.git;a=commit;h=8c27372438dd267648cba48b86d85a594f14be1c
> > > > > > -Michael
> > > > > >
> > > > > > > On 18 Mar 2019, at 18:56, Stefan Schantl <stefan.schantl@ipfire.org> wrote:
> > > > > > >
> > > > > > > Hello Michael,
> > > > > > > > Hi,
> > > > > > > >
> > > > > > > > What happens when the converter has failed? Is that a possibility?
> > > > > > >
> > > > > > > There is almost no risk that this would happen.
> > > > > > >
> > > > > > > It contains checks if all corresponding files are present and will
> > > > > > > contain the settings from them - I do not see a case where any problems
> > > > > > > can happen.
> > > > > > >
> > > > > > > Best regards,
> > > > > > >
> > > > > > > -Stefan
> > > > > > >
> > > > > > > > -Michael
> > > > > > > >
> > > > > > > > > On 18 Mar 2019, at 18:46, Stefan Schantl <stefan.schantl@ipfire.org> wrote:
> > > > > > > > >
> > > > > > > > > When all settings have been converted, the files and directory are not
> > > > > > > > > needed anymore.
> > > > > > > > > > > > > > > > > > If they will be left and at a later time an backup > > > > > > > > > will be > > > > > > > > > restored, the > > > > > > > > > converter will be started by the backup script again > > > > > > > > > and > > > > > > > > > would > > > > > > > > > be > > > > > > > > > restore those > > > > > > > > > old snort settings and replace the current IPS > > > > > > > > > settings. > > > > > > > > > > > > > > > > > > Signed-off-by: Stefan Schantl < > > > > > > > > > stefan.schantl@ipfire.org> > > > > > > > > > --- > > > > > > > > > config/rootfiles/core/130/update.sh | 3 +++ > > > > > > > > > 1 file changed, 3 insertions(+) > > > > > > > > > > > > > > > > > > diff --git a/config/rootfiles/core/130/update.sh > > > > > > > > > b/config/rootfiles/core/130/update.sh > > > > > > > > > index d33321c32..f3dc0d85a 100644 > > > > > > > > > --- a/config/rootfiles/core/130/update.sh > > > > > > > > > +++ b/config/rootfiles/core/130/update.sh > > > > > > > > > @@ -74,6 +74,9 @@ ldconfig > > > > > > > > > # Migrate snort configuration to suricata > > > > > > > > > /usr/sbin/convert-snort > > > > > > > > > > > > > > > > > > +# Remove snort settings > > > > > > > > > +rm -rvf /var/ipfire/snort > > > > > > > > > + > > > > > > > > > # Start services > > > > > > > > > /etc/init.d/collectd restart > > > > > > > > > /etc/init.d/firewall restart > > > > > > > > > -- > > > > > > > > > 2.20.1 > > > > > > > > > > > -- > Horace Michael (aka H&M) > Please excuse my typos and brevity. Sent from a Smartphone.
diff --git a/config/rootfiles/core/130/update.sh b/config/rootfiles/core/130/update.sh index d33321c32..f3dc0d85a 100644 --- a/config/rootfiles/core/130/update.sh +++ b/config/rootfiles/core/130/update.sh @@ -74,6 +74,9 @@ ldconfig # Migrate snort configuration to suricata /usr/sbin/convert-snort +# Remove snort settings +rm -rvf /var/ipfire/snort + # Start services /etc/init.d/collectd restart /etc/init.d/firewall restart
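Review bot: the added `rm -rvf /var/ipfire/snort` runs unconditionally right after `/usr/sbin/convert-snort`, so the old settings directory is deleted even when the converter fails or converts nothing, and there is then nothing left to retry the migration from. Gate the removal on the converter's result, for example `/usr/sbin/convert-snort && rm -rf /var/ipfire/snort` (this assumes convert-snort returns a non-zero exit status on failure, which these lines do not show), or move the removal into the converter itself so that update.sh and backup.pl share one code path, as raised in the thread. The `-v` flag also writes every removed path into the update output; drop it unless that listing is wanted in the update log.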