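def main(argv):
    """
    Main loop.

    Parse the command line, load the app's intrusion-prevention settings,
    write the filtered rule files and the event map, then regenerate the
    snort and snort-debian configuration files.

    argv: command-line arguments without the program name (getopt style).
          Exits with status 2 on a usage error; exits (status 0) when the
          settings file does not exist.
    Raises IOError/OSError when -i/--iptables_script is missing or unreadable.
    """
    global _debug
    _debug = False
    app_id = "0"
    classtypes = []
    categories = []
    msgs = []
    iptables_script = ""
    default_home_net = ""
    # Same ":".join() result as the original "" default, but keeps the
    # variable a list whether or not -x was given.
    default_interfaces = []

    # Short options that carry a value need a trailing ":"; the original
    # string ("hsincaqvx:d") only gave one to -x, so "-n 1" left its value
    # in args instead of opts, and -m was missing entirely. -s and -q have
    # no handler but are kept so existing callers are not rejected.
    try:
        opts, _ = getopt.getopt(argv, "hsqdn:c:a:m:i:v:x:", [
            "help", "app_id=", "classtypes=", "categories=", "msgs=",
            "iptables_script=", "home_net=", "interfaces=", "debug"
        ])
    except getopt.GetoptError:
        usage()
        sys.exit(2)
    for opt, arg in opts:
        if opt in ("-h", "--help"):
            usage()
            sys.exit()
        elif opt in ("-d", "--debug"):
            _debug = True
        elif opt in ("-n", "--app_id"):
            app_id = arg
        elif opt in ("-c", "--classtypes"):
            classtypes = arg.split(",")
        elif opt in ("-a", "--categories"):
            categories = arg.split(",")
        elif opt in ("-m", "--msgs"):
            msgs = arg.split(",")
        elif opt in ("-i", "--iptables_script"):
            iptables_script = arg
        elif opt in ("-v", "--home_net"):
            default_home_net = arg
            # Several comma-separated networks become a snort list: [a,b]
            if "," in default_home_net:
                default_home_net = "[" + default_home_net + "]"
        elif opt in ("-x", "--interfaces"):
            default_interfaces = arg.split(",")

    if _debug:
        print("app_id = " + app_id)
        print("_debug = " + str(_debug))

    settings = intrusion_prevention.IntrusionPreventionSettings(app_id)
    if not settings.exists():
        # NOTE(review): exits with status 0, so a caller cannot tell this
        # failure from success; sys.exit(1) would be the usual choice.
        print("cannot find settings file")
        sys.exit()
    settings.load()

    snort_conf = intrusion_prevention.SnortConf(_debug=_debug)

    # Write the filtered rule set into both snort rule directories.
    rules = settings.get_rules()
    for path_variable in ("RULE_PATH", "PREPROC_RULE_PATH"):
        rules.save(snort_conf.get_variable(path_variable), classtypes,
                   categories, msgs)

    intrusion_prevention.IntrusionPreventionEventMap(rules).save()

    # Override snort configuration variables with settings variables
    for settings_variable in settings.get_variables():
        snort_conf.set_variable(settings_variable["variable"],
                                settings_variable["definition"])

    # The settings' HOME_NET wins; the command-line value is a fallback only.
    if snort_conf.get_variable("HOME_NET") is None:
        snort_conf.set_variable("HOME_NET", default_home_net)

    snort_conf.set_variable("EXTERNAL_NET", "!$HOME_NET")

    # NOTE(review): the original fetched settings.get_interfaces() and then
    # unconditionally overwrote the result with None, so the interface list
    # always comes from -x/--interfaces. That behaviour is preserved here
    # (the call is kept in case it has side effects); confirm whether the
    # settings value was meant to take precedence.
    settings.get_interfaces()
    interfaces = default_interfaces

    # Drop every existing rule-path include, then add ours.
    for include in snort_conf.get_includes():
        if re.search(intrusion_prevention.SnortConf.include_rulepath_regex,
                     include["file_name"]):
            snort_conf.set_include(include["file_name"], False)
    rules_file_name = os.path.basename(rules.get_file_name())
    snort_conf.set_include("$RULE_PATH/" + rules_file_name)
    snort_conf.set_include("$PREPROC_RULE_PATH/" + rules_file_name)

    snort_conf.save()

    snort_debian_conf = intrusion_prevention.SnortDebianConf(_debug=_debug)

    # Read the NFQUEUE number snort attaches to from the iptables script
    # ("SNORT_QUEUE_NUM=<n>"); the last assignment wins, "0" if none.
    queue_num = "0"
    with open(iptables_script) as ipf:
        for line in ipf:
            name, _, value = line.strip().partition("=")
            if name == "SNORT_QUEUE_NUM":
                queue_num = value

    snort_debian_conf.set_variable("HOME_NET",
                                   snort_conf.get_variable("HOME_NET"))
    # queue_num is interpolated into snort's command line as read from the
    # (local, administrator-owned) iptables script; it is not validated as
    # a number here, so a malformed value surfaces at snort startup.
    snort_debian_conf.set_variable(
        "OPTIONS", "--daq-dir /usr/lib/daq --daq nfq --daq-var queue=" +
        queue_num + " -Q")
    snort_debian_conf.set_variable("INTERFACE", ":".join(interfaces))
    snort_debian_conf.save()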
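def main(argv):
    """
    Main.

    Load the defaults, an optional settings patch and the previous/current
    signature sets, apply the settings' rules to the current signatures,
    disable whatever those rules did not qualify, and save the settings
    (optionally as a single exported key taken from the patch).

    argv: command-line arguments without the program name (getopt style).
          Exits with status 2 on a usage error and 1 when --app_id is
          missing or --export is used without --patch.
    """
    global _debug
    _debug = False
    current_signatures_path = None
    previous_signatures_path = None
    settings_file_name = None
    status_file_name = None  # accepted for compatibility; not used below
    app_id = None
    patch_file_name = None
    export_mode = False
    summary = False
    summary_report = []

    # Value-taking short options need a trailing ":"; the original string
    # ("hsrpnace:d") put the only colon on -e, which is a flag, so "-e"
    # swallowed the next argument and "-s file" left the file in args.
    # "c" has no handler but is kept so it is not rejected.
    try:
        opts, _ = getopt.getopt(argv, "hs:r:p:n:a:ced", [
            "help", "settings=", "signatures=", "previous_signatures=",
            "app_id=", "status=", "patch=", "export", "debug", "summary"
        ])
    except getopt.GetoptError:
        print("ERROR")
        usage()
        sys.exit(2)

    for opt, arg in opts:
        if opt in ("-h", "--help"):
            usage()
            sys.exit()
        elif opt in ("-d", "--debug"):
            _debug = True
        elif opt in ("-n", "--app_id"):
            app_id = arg
        elif opt in ("-r", "--signatures"):
            current_signatures_path = arg
        elif opt in ("-p", "--previous_signatures"):
            previous_signatures_path = arg
        elif opt in ("-s", "--settings"):
            settings_file_name = arg
        elif opt in ("-a", "--status"):
            status_file_name = arg
        elif opt == "--patch":
            # "-p" already belongs to --previous_signatures above; the
            # original listed it for both, so it could never reach here.
            patch_file_name = arg
        elif opt in ("-e", "--export"):
            export_mode = True
        elif opt == "--summary":
            # The original wrote `opt in ("--summary")`, a substring test
            # against a plain string rather than a tuple membership test.
            summary = True

    if app_id is None:
        print("Missing app_id")
        sys.exit(1)

    # NOTE: --signatures and --settings are optional here; the original
    # carried commented-out checks that required both ("must never write
    # to the actual location").

    if _debug:
        if current_signatures_path is not None:
            print("current_signatures_path = " + current_signatures_path)
        if previous_signatures_path is not None:
            print("previous_signatures_path = " + previous_signatures_path)
        if settings_file_name is not None:
            print("settings_file_name = " + settings_file_name)
        print("app = " + app_id)
        print("_debug = " + str(_debug))

    defaults = intrusion_prevention.IntrusionPreventionDefaults()
    defaults.load()

    patch = None
    if patch_file_name is not None:
        patch = intrusion_prevention.IntrusionPreventionSettingsPatch()
        patch.load(patch_file_name)

    # Constructed as in the original; not referenced below.
    snort_conf = intrusion_prevention.SnortConf()

    # Previous signature set, with the default category overrides applied.
    previous_snort_signatures = None
    if previous_signatures_path is not None:
        previous_snort_signatures = intrusion_prevention.SnortSignatures(
            app_id, previous_signatures_path)
        previous_snort_signatures.load(True)
        previous_snort_signatures.update_categories(defaults, True)

    # Settings: create fresh, or load and convert to the current format.
    settings = intrusion_prevention.IntrusionPreventionSettings(app_id)
    if settings.exists():
        settings.load()
        settings.convert()
    else:
        settings.create()

    if patch is not None:
        settings.set_patch(patch)

    # Update default rules (they may have changed from updates download)
    settings.update_rules(defaults.get_rules())

    # Current signatures. Work on the current set is:
    # * update categories from defaults (fold otherwise uncategorized
    #   signatures into new categories)
    # * apply the settings rules
    # * disable every signature the rules did not qualify
    # Reports are collected only when --summary was given; they are only
    # ever printed in that case.
    current_snort_signatures = None
    if current_signatures_path is not None:
        current_snort_signatures = intrusion_prevention.SnortSignatures(
            app_id, current_signatures_path)
        current_snort_signatures.load(True)

        if summary:
            summary_report.append(
                get_signature_report(current_snort_signatures, "initial"))

        # Apply category overrides from defaults.
        # !!! will also need to be incorporated into UI signature downloads
        current_snort_signatures.update_categories(defaults.get_categories())

        settings.apply_rules(current_snort_signatures)
        if summary:
            summary_report.append(
                get_signature_report(current_snort_signatures, "rules"))

        settings.disable_signatures(current_snort_signatures)
        if summary:
            summary_report.append(
                get_signature_report(current_snort_signatures, "final"))

    if export_mode:
        if patch is None:
            # The export key comes from the patch; without --patch the
            # original died with an AttributeError on patch.settings.
            print("Missing patch for export")
            sys.exit(1)
        # next(iter(...)) yields the first key on both Python 2 and 3;
        # patch.settings.keys()[0] only works on Python 2.
        settings.save(settings_file_name, key=next(iter(patch.settings)))
    else:
        settings.save(settings_file_name)

    if summary:
        for report in summary_report:
            print(report)

    sys.exit()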
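def main(argv):
    """
    Main loop.

    Parse the command line, load the app's settings and the signature set,
    apply the settings' per-signature overrides and rules, disable every
    signature no rule touched, write the signature files and event map,
    then regenerate the snort and snort-debian configuration files.

    argv: command-line arguments without the program name (getopt style).
          Exits with status 2 on a usage error; exits (status 0) when the
          settings file does not exist.
    Raises IOError/OSError when -i/--iptables_script is missing or unreadable.
    """
    global _debug
    _debug = False
    app_id = "0"
    classtypes = []
    categories = []
    msgs = []
    iptables_script = ""
    default_home_net = ""
    # Same ":".join() result as the original "" default, but keeps the
    # variable a list whether or not -x was given.
    default_interfaces = []
    signatures_path = None

    # Short options that carry a value need a trailing ":"; the original
    # string ("hsincaqvx:d") only gave one to -x, so "-n 1" left its value
    # in args, and -m / -r were missing entirely (-r raised a usage error
    # although --signatures was handled). -s and -q have no handler but are
    # kept so existing callers are not rejected.
    try:
        opts, _ = getopt.getopt(argv, "hsqdn:c:a:m:i:v:x:r:", [
            "help", "app_id=", "classtypes=", "categories=", "msgs=",
            "iptables_script=", "home_net=", "interfaces=", "debug",
            "signatures="
        ])
    except getopt.GetoptError:
        usage()
        sys.exit(2)
    for opt, arg in opts:
        if opt in ("-h", "--help"):
            usage()
            sys.exit()
        elif opt in ("-d", "--debug"):
            _debug = True
        elif opt in ("-n", "--app_id"):
            app_id = arg
        elif opt in ("-c", "--classtypes"):
            classtypes = arg.split(",")
        elif opt in ("-a", "--categories"):
            categories = arg.split(",")
        elif opt in ("-m", "--msgs"):
            msgs = arg.split(",")
        elif opt in ("-i", "--iptables_script"):
            iptables_script = arg
        elif opt in ("-v", "--home_net"):
            default_home_net = arg
            # Several comma-separated networks become a snort list: [a,b]
            if "," in default_home_net:
                default_home_net = "[" + default_home_net + "]"
        elif opt in ("-x", "--interfaces"):
            default_interfaces = arg.split(",")
        elif opt in ("-r", "--signatures"):
            signatures_path = arg

    if _debug:
        print("app_id = " + app_id)
        print("_debug = " + str(_debug))

    settings = intrusion_prevention.IntrusionPreventionSettings(app_id)
    if not settings.exists():
        # NOTE(review): exits with status 0, so a caller cannot tell this
        # failure from success; sys.exit(1) would be the usual choice.
        print("cannot find settings file")
        sys.exit()
    settings.load()

    snort_conf = intrusion_prevention.SnortConf(_debug=_debug)

    # Load the current signatures and apply the settings' per-signature
    # overrides: dict entries set the log/block action of the existing
    # signature with the same gid+sid; plain-text entries are parsed as new
    # signatures. text_regex is the only check applied to that free text
    # before it ends up in the generated rules file, so the settings file
    # must be treated as trusted input.
    signatures = intrusion_prevention.SnortSignatures(app_id, signatures_path)
    signatures.load(True)
    for settings_signature in settings.settings["signatures"]["list"]:
        if isinstance(settings_signature, dict):
            wanted_sid = settings_signature["sid"]
            wanted_gid = settings_signature["gid"]
            # get_signatures() is re-read per entry because text entries
            # below may add to it.
            for signature in signatures.get_signatures().values():
                if (signature.get_sid() == wanted_sid
                        and signature.get_gid() == wanted_gid):
                    signature.set_action(settings_signature["log"],
                                         settings_signature["block"])
        else:
            match_signature = re.search(SnortSignature.text_regex,
                                        settings_signature)
            if match_signature:
                signatures.add_signature(
                    SnortSignature(match_signature, "unknown"))

    # Process rules over signatures, in action precedence order so that a
    # later (higher-priority) action overrides an earlier one.
    rules = [IntrusionPreventionRule(settings_rule)
             for settings_rule in settings.settings["rules"]["list"]]
    priority = {
        'default': 0,
        'log': 1,
        'blocklog': 2,
        'block': 3,
        'disable': 4
    }
    # An action outside `priority` raises KeyError, as in the original.
    for rule in sorted(rules, key=lambda r: priority[r.get_action()]):
        if not rule.get_enabled():
            continue
        for signature in signatures.get_signatures().values():
            if rule.matches(signature):
                rule.set_signature_action(signature)

    # Any signature no rule changed is disabled (no log, no block).
    for signature in signatures.get_signatures().values():
        if not signature.get_action_changed():
            signature.set_action(False, False)

    # Write the filtered signature set into both snort rule directories.
    for path_variable in ("RULE_PATH", "PREPROC_RULE_PATH"):
        signatures.save(snort_conf.get_variable(path_variable), classtypes,
                        categories, msgs)

    intrusion_prevention.IntrusionPreventionEventMap(signatures).save()

    # Override snort configuration variables with settings variables
    for settings_variable in settings.get_variables():
        snort_conf.set_variable(settings_variable["variable"],
                                settings_variable["definition"])

    # The settings' HOME_NET wins; the command-line value is a fallback only.
    if snort_conf.get_variable("HOME_NET") is None:
        snort_conf.set_variable("HOME_NET", default_home_net)

    snort_conf.set_variable("EXTERNAL_NET", "!$HOME_NET")

    # NOTE(review): the original fetched settings.get_interfaces() and then
    # unconditionally overwrote the result with None, so the interface list
    # always comes from -x/--interfaces. That behaviour is preserved here
    # (the call is kept in case it has side effects); confirm whether the
    # settings value was meant to take precedence.
    settings.get_interfaces()
    interfaces = default_interfaces

    # Drop every existing signature-path include, then add ours.
    for include in snort_conf.get_includes():
        if re.search(
                intrusion_prevention.SnortConf.include_signaturepath_regex,
                include["file_name"]):
            snort_conf.set_include(include["file_name"], False)
    signatures_file_name = os.path.basename(signatures.get_file_name())
    snort_conf.set_include("$RULE_PATH/" + signatures_file_name)
    snort_conf.set_include("$PREPROC_RULE_PATH/" + signatures_file_name)

    snort_conf.save()

    snort_debian_conf = intrusion_prevention.SnortDebianConf(_debug=_debug)

    # Read the NFQUEUE number snort attaches to from the iptables script
    # ("SNORT_QUEUE_NUM=<n>"); the last assignment wins, "0" if none.
    queue_num = "0"
    with open(iptables_script) as ipf:
        for line in ipf:
            name, _, value = line.strip().partition("=")
            if name == "SNORT_QUEUE_NUM":
                queue_num = value

    snort_debian_conf.set_variable("HOME_NET",
                                   snort_conf.get_variable("HOME_NET"))
    # queue_num is interpolated into snort's command line as read from the
    # (local, administrator-owned) iptables script; it is not validated as
    # a number here, so a malformed value surfaces at snort startup.
    snort_debian_conf.set_variable(
        "OPTIONS", "--daq-dir /usr/lib/daq --daq nfq --daq-var queue=" +
        queue_num + " -Q")
    snort_debian_conf.set_variable("INTERFACE", ":".join(interfaces))
    snort_debian_conf.save()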
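def main(argv):
    """
    Main.

    Load the defaults, an optional settings patch and the current/previous
    snort rule sets, merge them into the app's settings (honouring the
    active profile and groups) and save the settings, optionally as a
    single exported key taken from the patch.

    argv: command-line arguments without the program name (getopt style).
          Exits with status 2 on a usage error and 1 when --app_id is
          missing or --export is used without --patch.
    """
    global _debug
    _debug = False
    current_rules_path = None
    previous_rules_path = None
    settings_file_name = None
    status_file_name = None  # accepted for compatibility; not used below
    app_id = None
    patch_file_name = None
    export_mode = False

    # Value-taking short options need a trailing ":"; the original string
    # ("hsrpnace:d") put the only colon on -e, which is a flag, so "-e"
    # swallowed the next argument and "-s file" left the file in args.
    # "c" has no handler but is kept so it is not rejected.
    try:
        opts, _ = getopt.getopt(argv, "hs:r:p:n:a:ced", [
            "help", "settings=", "rules=", "previous_rules=", "app_id=",
            "status=", "patch=", "export", "debug"
        ])
    except getopt.GetoptError:
        usage()
        sys.exit(2)

    for opt, arg in opts:
        if opt in ("-h", "--help"):
            usage()
            sys.exit()
        elif opt in ("-d", "--debug"):
            _debug = True
        elif opt in ("-n", "--app_id"):
            app_id = arg
        elif opt in ("-r", "--rules"):
            current_rules_path = arg
        elif opt in ("-p", "--previous_rules"):
            previous_rules_path = arg
        elif opt in ("-s", "--settings"):
            settings_file_name = arg
        elif opt in ("-a", "--status"):
            status_file_name = arg
        elif opt == "--patch":
            # "-p" already belongs to --previous_rules above; the original
            # listed it for both, so it could never reach here.
            patch_file_name = arg
        elif opt in ("-e", "--export"):
            export_mode = True

    if app_id is None:
        print("Missing app_id")
        sys.exit(1)

    # NOTE: --rules and --settings are optional here; the original carried
    # commented-out checks that required both ("must never write to the
    # actual location").

    if _debug:
        if current_rules_path is not None:
            print("current_rules_path = " + current_rules_path)
        if previous_rules_path is not None:
            print("previous_rules_path = " + previous_rules_path)
        if settings_file_name is not None:
            print("settings_file_name = " + settings_file_name)
        print("app = " + app_id)
        print("_debug = " + str(_debug))

    defaults = intrusion_prevention.IntrusionPreventionDefaults()
    defaults.load()

    patch = None
    if patch_file_name is not None:
        patch = intrusion_prevention.IntrusionPreventionSettingsPatch()
        patch.load(patch_file_name)

    snort_conf = intrusion_prevention.SnortConf()

    def load_rules(path):
        """Load the rule set at *path* with default category overrides; None if no path."""
        if path is None:
            return None
        snort_rules = intrusion_prevention.SnortRules(app_id, path)
        snort_rules.load(True)
        snort_rules.update_categories(defaults, True)
        return snort_rules

    current_snort_rules = load_rules(current_rules_path)
    previous_snort_rules = load_rules(previous_rules_path)

    # Settings: create fresh, or load and convert to the current format.
    settings = intrusion_prevention.IntrusionPreventionSettings(app_id)
    if settings.exists():
        settings.load()
        settings.convert()
    else:
        settings.create()

    if current_snort_rules is not None:
        settings.rules.update_categories(defaults)

        # A patch carrying activeGroups is an update from a rule
        # distribution: perform it preserving the existing modifications.
        if patch is not None and "activeGroups" in patch.settings:
            settings.rules.update(settings, snort_conf, current_snort_rules,
                                  previous_snort_rules, True)
        else:
            settings.rules.update(settings, snort_conf, current_snort_rules,
                                  previous_snort_rules)

        # The patch's profile takes precedence over the stored one.
        profile_id = settings.settings["profileId"]
        if patch is not None and "profileId" in patch.settings:
            profile_id = patch.settings["profileId"]
        defaults_profile = defaults.get_profile(profile_id)

        if defaults_profile is not None:
            if patch is not None:
                settings.set_patch(patch, defaults_profile)
            else:
                # Disable rules outside the active groups.
                settings.get_rules().filter_group(
                    settings.settings["activeGroups"], defaults_profile)

    if export_mode:
        if patch is None:
            # The export key comes from the patch; without --patch the
            # original died with an AttributeError on patch.settings.
            print("Missing patch for export")
            sys.exit(1)
        # next(iter(...)) yields the first key on both Python 2 and 3;
        # patch.settings.keys()[0] only works on Python 2.
        settings.save(settings_file_name, key=next(iter(patch.settings)))
    else:
        settings.save(settings_file_name)

    sys.exit()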