| Commit message (Collapse) | Author | Age |
|---|
| |
|
|
|
|
|
|
| |
- Parameter not set in two places:
/usr/bin/snort-mgr: eval: line 125: options: parameter not set
Reported-by: @klingon888
Signed-off-by: Eric Fahlgren <ericfahlgren@gmail.com>
|
| |
|
|
|
|
|
|
|
|
|
| |
A recent change in the ucode interpeter caused a failure when using
the 'in' operator.
https://github.com/jow-/ucode/commit/be767ae197babd656d4f5d9c2d5013e39ddbe656
Reported in a forum post by @graysky2.
https://forum.openwrt.org/t/194218/28
Signed-off-by: Eric Fahlgren <ericfahlgren@gmail.com>
|
| |
|
|
|
|
|
|
| |
- Add missing 'ucode' package dependency
- Proto-ify the ConfigItem objects
- Fix indentation and tab usage
Signed-off-by: Eric Fahlgren <ericfahlgren@gmail.com>
|
| |
|
|
|
|
|
| |
- Enable missing variable checking by default
- Explicitly check variables are defined in all 'rm' commands
Signed-off-by: Eric Fahlgren <ericfahlgren@gmail.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Reporting
- Use json alert data for 10x speed improvement in report generation
- Include both gid and sid, plus packet direction in report output
- Add by-date incident filtering
- Add verbose mode which displays actual rules triggered and their source
- Attempt to look up host names from IPs in verbose mode
- Clean up display of port number involved in incidents
Rules
- Complete downloader for subscription rules using oinkcode (only tested
with snort.org's "free" tier subscription)
- Auto-detect multiple rules files and include them in lua 'ips.rules'
- Add '--backup' option to copy out current rules before installing new
- Add '--persistent' option to 'snort-rules', storing in persistent location
CLI interface
- Completely rework command line option parsing in all user scripts
- Allow options and commands to be in any order on command line
- Add long-form names for all options ('--help' for '-h' and so on)
- Detect errors properly in options, enhance help pages
Bug fixes
- Use 'mkdir -p' on all directory creation
- Use proper tmp directory from 'snort.snort.temp_dir' everywhere
Signed-off-by: Eric Fahlgren <ericfahlgren@gmail.com>
|
| |
|
|
|
|
|
|
|
| |
Allow use of rules as-defined, and don't override their actions. This
is generally the best way to use the ruleset, and overriding their
actions should only be undertaken when you fully understand how it
affects their use.
Signed-off-by: Eric Fahlgren <ericfahlgren@gmail.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
- Delete legacy configuration files homenet.lua and local.lua
- Add snort config 'include' to allow user customizations in the lua
- Enhance 'check' to test generated nftables file
- Suppress inclusion of rules file when doing silent config check
- Suppress warnings on configuration check unless '-v'erbose
- Replace text logging with json logging to reduce footprint and make reports easier
- Fix some typos in the snort.uc template
- Fix up some error messages suggesting solutions
Signed-off-by: Eric Fahlgren <ericfahlgren@gmail.com>
|
| |
|
|
|
|
|
|
|
| |
- Add many options to config file.
- Move rules and generated snort.lua to /tmp.
- Add script for downloading rules.
- Add preliminary reporting capabilites.
Signed-off-by: Eric Fahlgren <ericfahlgren@gmail.com>
|
| |
|
|
|
|
|
|
|
| |
* Use Boolean true for enable inline mode which is more intuitive that older ''
* Add skeleton section for openappid since it has been merged[1]
1. https://github.com/openwrt/packages/commit/2d4e7d5fd343652d0852337184d56522ef5af83d
Signed-off-by: John Audia <therealgraysky@proton.me>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This commit adds /etc/snort/local.lua and /etc/snort/homenet.lua for user
defined config options which is more simplistic than modifying upstream
files directly. That can be tedious and decisive to maintain in sync with
upstream changes. The init script has been adjusted accordingly.
Acknowledgment to amish who maintains the Arch Linux snort-nfqueue package[1]
for these ideas and initial code.
Another modification is dropping the following args in the call to
/usr/bin/snort by the init system as these options are provided in
/etc/snort/local.lua:
* --daq-dir /usr/lib/daq/
* -A "$alert_module"
Instructions to configure snort3:
1. Edit /etc/snort/homenet.lua and redefine HOME_NET and EXTERNAL_NET, for example:
HOME_NET = [[ 10.9.8.0/24 192.168.1.0/24 ]]
EXTERNAL_NET = "!$HOME_NET"
2. Edit /etc/snort/local.lua to setup options unique to your use case of snort.
The default ones I included should be sane for the role of IDS (alert only),
but users may easily uncomment some options therein to use IPS (drop) mode.
3. Install or symlink rules to /etc/snort/rules/snort.rules and optionally
edit /etc/snort/local.lua to define extra rules files if not using a unified
'snort.rules'
References:
1. https://aur.archlinux.org/packages/snort-nfqueue
Signed-off-by: John Audia <therealgraysky@proton.me>
|
| |
|
|
|
|
|
|
| |
Include default configuration files to have something to start from.
Also include snort2lua to help convert snort2 rules to snort3 to also
help with bootstrapping the configuration.
Signed-off-by: Michal Hrusecky <michal.hrusecky@turris.com>
|
|
|
Signed-off-by: W. Michael Petullo <mike@flyn.org>
|