root/honeywall/trunk/rpm-devel/roo-base/src/hw/sbin/hwruleupdate @ 60

Revision 60, 10.6 KB (checked in by rmcmillen, 11 years ago)

Addresses Ticket #38. Added changes to ensure a new sid-msg.map file is created and loaded when rules are changed or added.

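#!/bin/sh

# Copyright (C) <2005> <The Honeynet Project>
#
# This program is free software; you can redistribute it and/or modify it
# under the terms of the GNU General Public License as published by the
# Free Software Foundation; either version 2 of the License, or (at your
# option) any later version.
#
# This program is distributed in the hope that it will be useful, but
# WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
# General Public License for more details.
#
# You should have received a copy of the GNU General Public License along
# with this program; if not, write to the Free Software Foundation, Inc.,
# 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
################################################################################

################################################################################
# Declarations etc...
################################################################################
# Get Hw VARs (HwRULE_*, HwSNORT_RESTART, HwOINKCODE, ...) from the honeywall
# config.  A non-interactive sh aborts when the sourced file is missing, so
# nothing below runs without the variables it depends on.
. /etc/rc.d/init.d/hwfuncs.sub
hw_setvars

# Figure out the running snort ver, reduced to "major.minor" (e.g. 2.8): it
# names the Sourcefire snapshot to download (snortrules-snapshot-<ver>.tar.gz).
SNORT_VER=$(rpm -q --queryformat '%{VERSION} \n' snort | sed 's/\(.\)\.\(.\).*/\1\.\2/')
# snort config file
SNORT_CONF="/etc/hflow/snort.conf"
# snort rules dir (where oinkmaster drops the IDS rules)
SNORT_RD="/etc/snort/rules"
# snort rules backup dir (oinkmaster -b)
SNORT_RDB="/var/log/snortrules/snort"
# snortconfig config file
SNORTCONFIG_CONF="/hw/etc/snortconfig.conf"
# snort_inline rules dir (snortconfig output)
INLINE_RD="/etc/snort_inline/rules"
# snort_inline rules backup dir
INLINE_RDB="/var/log/snortrules/inline"
# oinkmaster config file
OINK_CONF="/etc/oinkmaster.conf"
# log file for this process: oinkmaster/snortconfig output is appended here
LOG="/var/log/hwruleupdate"
# Make sure it exists.  Create it root-only: the download URL carries the
# oinkcode (a snort.org credential) and oinkmaster's progress output, which
# ends up in this file, may echo that URL.  An existing file keeps its mode.
if [ ! -f "${LOG}" ]; then
        ( umask 077 && touch -- "${LOG}" )
fi
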
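################################################################################
# Sanity checks
################################################################################
# Figure out the name of this program for logging etc.
PROG=${0##*/}
[ -n "${PROG}" ] || PROG="hwruleupdate"

# Be sure we got a snort version; without it the rules download URL is bogus.
# NB: logger's -f option reads a message *from* a file, it never writes one,
# so the message is appended to ${LOG} by hand and piped to logger for syslog.
if [ -z "${SNORT_VER}" ]; then
        printf '%s\n' "Error detecting snort version" | tee -a "${LOG}" | logger -t "${PROG}"
        exit 1
fi

# Must be root to run this (logging to std syslog only here)
if [ "$(id -u)" -ne 0 ]; then
        logger -t "${PROG}" "Error: User $(id -un) attempting to run ${PROG}"
        exit 1
fi
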
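################################################################################
# BEGIN functions
################################################################################
# Print usage plus the Hw* settings that drive rule updates.
# HwOINKCODE is a per-account snort.org credential: report whether it is set,
# never the value itself (usage is printed on any bad argument, e.g. from a
# cron typo straight into cron mail).  Always returns 0.
do_usage() {
local oink_state
if [ -n "${HwOINKCODE}" ]; then
        oink_state="(set, not displayed)"
else
        oink_state="(not set)"
fi

cat << EOF_USAGE
${PROG}: Snort Rules Update Processor

  Usage:
  No Argument:           Report usage
  --update-rules         Update snort rules (IDS and IPS)
                          - Download rules with oinkmaster (--update-rules-ids)
                          - If new rules or updated rules come in...
                            - Backup IDS rules to ${SNORT_RDB}
                            - Update existing IDS rules
                          - If IDS rules are updated....
                            - Backup IPS rules to ${INLINE_RDB}
                            - Copy/Convert IDS rules for IPS use (--snortconfig)
                            - Restart Snort/Snort_Inline IF HwSNORT_RESTART=yes
  --update-rules-ids     Update snort rules (IDS only)
                          - Download rules with oinkmaster
                          - If new rules or updated rules come in...
                            - Backup existing IDS rules to ${SNORT_RDB}
                            - Update existing IDS rules
                            - Restart Snort IF HwSNORT_RESTART=yes
  --update-rules-custom  Update snort rules (IDS only)
                         For custom use, uses /etc/oinkmaster.conf for URL
                          - Download rules with oinkmaster
                          - If new rules or updated rules come in...
                            - Backup existing IDS rules to ${SNORT_RDB}
                            - Update existing IDS rules
                            - Restart Snort IF HwSNORT_RESTART=yes
  --snortconfig          Run snortconfig
                          - Backup IPS rules to ${INLINE_RDB}
                          - Copy/Convert IDS rules for IPS use (--snortconfig)
                          - Restart Snort_Inline IF HwSNORT_RESTART=yes
  --restart-snort        Restart Snort (IDS)
  --restart-inline       Restart Snort_Inline (IPS)
  --restart-both         Restart Snort (IDS) and Snort_Inline (IPS)

  Current values of related Variables:
   HwRULE_ENABLE: ${HwRULE_ENABLE}
   HwRULE_DAY: ${HwRULE_DAY}
   HwRULE_HOUR: ${HwRULE_HOUR}
   HwSNORT_RESTART: ${HwSNORT_RESTART}
   HwOINKCODE: ${oink_state}

EOF_USAGE
return 0
}
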
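################################################################################
# Convert snort IDS rules for IPS (snort_inline) use.
# Every regular file in ${INLINE_RD} is backed up to ${INLINE_RDB} first
# (install -b keeps one more generation as "filename~"), then snortconfig
# regenerates ${INLINE_RD} from the IDS config.
# Returns snortconfig's exit status; a failure is also logged.  Callers in
# this file currently ignore the status.
snort_config() {
local rule status
[ -d "${INLINE_RD}" ]  || mkdir -p -- "${INLINE_RD}"
[ -d "${INLINE_RDB}" ] || mkdir -p -- "${INLINE_RDB}"

# Keep (2) backups of the inline rules
# ${INLINE_RDB}/filename = latest backup
# ${INLINE_RDB}/filename~ = next to latest (oldest) backup
# A glob instead of parsing ls: names survive word splitting, and an empty
# directory leaves the pattern unmatched, which the -f test skips.
for rule in "${INLINE_RD}"/*; do
        [ -f "${rule}" ] || continue
        # logger -f reads a message from a file rather than writing one, so
        # the message is appended to ${LOG} here and piped on to syslog.
        printf '%s\n' "Backing up rule ${rule##*/}" | tee -a "${LOG}" | logger -t "${PROG}"
        install -o root -m 0644 -b -- "${rule}" "${INLINE_RDB}"
done

# Convert the IDS rules for use in IPS (Inline) mode
snortconfig \
-f "${SNORT_CONF}" \
-config "${SNORTCONFIG_CONF}" \
-directory "${INLINE_RD}" \
-honeynet >> "${LOG}" 2>&1
status=$?
if [ "${status}" -ne 0 ]; then
        printf '%s\n' "snortconfig exited ${status}; IPS rules may be stale, see ${LOG}" | tee -a "${LOG}" | logger -t "${PROG}"
fi

return "${status}"
}
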
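################################################################################
# Regenerate ${SNORT_RD}/sid-msg.map from the current rules and load it into
# the db.  The map is built in a temp file next to the target and renamed into
# place, so a failing create-sidmap.pl cannot leave a truncated map behind and
# nothing is loaded into the db in that case.
# Returns 0 on success, 1 on failure (logged).
rebuild_sidmap() {
local tmpmap
tmpmap=$(mktemp "${SNORT_RD}/sid-msg.map.XXXXXX") || return 1
if /usr/bin/create-sidmap.pl "${SNORT_RD}" > "${tmpmap}" 2>> "${LOG}"; then
        # mktemp creates 0600; the shell redirect used before followed the
        # umask, so restore a readable mode for whoever consumes the map.
        chmod 0644 "${tmpmap}"
        mv -f -- "${tmpmap}" "${SNORT_RD}/sid-msg.map"
        ##Upload new sid-msg.map to db
        /etc/init.d/hw-mysqld load_snort_sigs >> "${LOG}" 2>&1
        return 0
fi
printf '%s\n' "create-sidmap.pl failed; keeping the previous sid-msg.map" | tee -a "${LOG}" | logger -t "${PROG}"
rm -f -- "${tmpmap}"
return 1
}

################################################################################
# Shared body of update_rules_ids / update_rules_custom.
# Runs oinkmaster with the standard -C/-o/-b arguments plus whatever the caller
# passes in "$@" (the -u URL for the Sourcefire feed; nothing for the custom
# feed, whose URL lives in ${OINK_CONF}), then compares "ls -l" of the rules
# dir and its backup dir before and after to decide whether anything changed.
# On a change the sid-msg.map is rebuilt and loaded into the db.
# Sets the global RULE_CHANGE to "YUP" or "NOPE" for the dispatcher.
# Always returns 0, like the two functions it was factored out of.
run_oinkmaster() {
local pre_rd pre_rdb post_rd post_rdb status
RULE_CHANGE=""

[ -d "${SNORT_RDB}" ] || mkdir -p -- "${SNORT_RDB}"

# Capture rules dir conditions.  Yeah this is not the most exact way but:
# It's simple, fast, fairly accurate and it wont kill anything to run snortconfig anyway (hopefully ;P)
# If nothing really changed all we lose by running snortconfig is a few CPU cycles
pre_rd=$(ls -l "${SNORT_RD}")
pre_rdb=$(ls -l "${SNORT_RDB}")

# Run it already
# -C Config file
# -o Output Rule dir
# -b Backup dir
# "$@" the caller's extras (e.g. -u URL to get new rules from)
oinkmaster.pl \
-C "${OINK_CONF}" \
-o "${SNORT_RD}" \
-b "${SNORT_RDB}" \
"$@" \
>> "${LOG}" 2>&1
status=$?
if [ "${status}" -ne 0 ]; then
        # Not fatal: the before/after comparison below still decides what
        # happened, but a failing feed should not go unnoticed.  (logger -f
        # reads a file rather than writing one, hence the tee into ${LOG}.)
        printf '%s\n' "oinkmaster.pl exited ${status}, see ${LOG}" | tee -a "${LOG}" | logger -t "${PROG}"
fi

post_rd=$(ls -l "${SNORT_RD}")
post_rdb=$(ls -l "${SNORT_RDB}")

if [ "${pre_rd}" != "${post_rd}" ] || [ "${pre_rdb}" != "${post_rdb}" ]; then
        # Rules changed, updates came in (or sombody is messing with us)
        RULE_CHANGE="YUP"
        rebuild_sidmap
else
        # No rules changed, no updates...
        RULE_CHANGE="NOPE"
fi

return 0
}

################################################################################
# Update snort IDS rules with oinkmaster from the snort.org (Sourcefire) feed.
# HwOINKCODE is spliced into the download URL, so it must be set and strictly
# alphanumeric: anything else is logged and aborts the script (exit 1), as
# before.  Everything after the download is done by run_oinkmaster.
update_rules_ids() {
case "${HwOINKCODE}" in
        ""|*[![:alnum:]]*)
                printf '%s\n' "Error, HwOINKCODE invalid or not defined" | tee -a "${LOG}" | logger -t "${PROG}"
                exit 1 ;;
esac

# NOTE(review): the snapshot is fetched over plain http and the oinkcode rides
# in the URL (so also in oinkmaster's argv, visible via ps while it runs).
# The downloaded rules are parsed by snort and, after snortconfig, by
# snort_inline, so a download tampered with in transit ends up in the IPS.
# Pointing this at an https URL (oinkmaster can also take the url from
# ${OINK_CONF}, as the custom feed does) is the fix if snort.org serves one.
run_oinkmaster \
-u "http://www.snort.org/pub-bin/oinkmaster.cgi/${HwOINKCODE}/rules/snortrules-snapshot-${SNORT_VER}.tar.gz"
return 0
}

################################################################################
# Update snort IDS rules with oinkmaster.
# "RAW" call to oinkmaster for custom updates: the URL comes from
# /etc/oinkmaster.conf, so no oinkcode is needed (or checked) here.
update_rules_custom() {
run_oinkmaster
return 0
}

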
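################################################################################
# A means for people that want an interface to manually restart snort (IDS).
# Output goes to ${LOG}; a failed restart is reported to syslog as well, since
# an IDS that silently stayed down is the worst outcome of a rule update.
# Returns the init script's exit status (callers in this file don't check it).
restart_snort() {
local status
/etc/init.d/hflow restart >> "${LOG}" 2>&1
status=$?
if [ "${status}" -ne 0 ]; then
        printf '%s\n' "hflow (snort) restart failed, exit ${status}, see ${LOG}" | tee -a "${LOG}" | logger -t "${PROG}"
fi
return "${status}"
}
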
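################################################################################
# A means for people that want an interface to manually restart snort inline
# (IPS).  Output goes to ${LOG}; a failed restart is reported to syslog too.
# Returns the init script's exit status (callers in this file don't check it).
restart_inline() {
local status
/etc/init.d/hw-snort_inline restart >> "${LOG}" 2>&1
status=$?
if [ "${status}" -ne 0 ]; then
        printf '%s\n' "hw-snort_inline restart failed, exit ${status}, see ${LOG}" | tee -a "${LOG}" | logger -t "${PROG}"
fi
return "${status}"
}
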
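################################################################################
# A means for people to manually restart snort and snort_inline.
# Both restarts are attempted even if the first one fails; returns non-zero
# when either did (the restart_* functions report their own failures).
restart_both() {
local rc=0
restart_snort  || rc=1
restart_inline || rc=1
return "${rc}"
}
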
################################################################################
# Restart snort (IDS) only when HwSNORT_RESTART is "yes"; a no-op otherwise.
# Always returns 0.
cond_restart_snort() {
case "${HwSNORT_RESTART}" in
        yes) restart_snort ;;
esac
return 0
}

################################################################################
# Restart snort_inline (IPS) only when HwSNORT_RESTART is "yes"; a no-op
# otherwise.  Always returns 0.
cond_restart_inline() {
case "${HwSNORT_RESTART}" in
        yes) restart_inline ;;
esac
return 0
}

################################################################################
# Restart snort and snort_inline only when HwSNORT_RESTART is "yes"; a no-op
# otherwise.  Always returns 0.
cond_restart_both() {
case "${HwSNORT_RESTART}" in
        yes) restart_both ;;
esac
return 0
}

################################################################################
################################################################################
# END Function Section
################################################################################

################################################################################
# Dispatch on the single command-line argument (see do_usage for the list).
# Every arm exits explicitly; an unknown or missing argument prints usage and
# exits 1 so a typo in a cron entry is noticed.
################################################################################
case "${1}" in
        --update-rules)
                # IDS first; only convert for IPS and restart when something new came in.
                update_rules_ids
                if [ "${RULE_CHANGE}" = "YUP" ]; then
                        snort_config
                        cond_restart_both
                fi
                exit 0 ;;

        --update-rules-ids|--update-rules-custom)
                # Same post-processing for both feeds; only the fetch differs.
                if [ "${1}" = "--update-rules-ids" ]; then
                        update_rules_ids
                else
                        update_rules_custom
                fi
                [ "${RULE_CHANGE}" = "YUP" ] && cond_restart_snort
                exit 0 ;;

        --snortconfig)
                snort_config
                cond_restart_inline
                exit 0 ;;

        --restart-snort)
                restart_snort
                exit 0 ;;

        --restart-inline)
                restart_inline
                exit 0 ;;

        --restart-both)
                restart_both
                exit 0 ;;

        *)
                do_usage
                exit 1 ;;
esac

exit 0
