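def main(argv):
    """Generate the Snort rule files and configuration for one app instance.

    Parses *argv* with ``getopt``, loads the app's saved settings, writes the
    rule and preprocessor-rule files and the event map, rewrites ``snort.conf``
    (variables and includes) and the Debian ``snort`` defaults file.

    Args:
        argv: Command-line arguments, without the program name.

    Exits with status 2 on a ``getopt`` parse error, 0 after ``--help`` or when
    the settings file does not exist, and 1 when the iptables script carries a
    non-numeric ``SNORT_QUEUE_NUM``.
    """
    global _debug
    _debug = False
    app_id = "0"
    classtypes = []
    categories = []
    msgs = []
    iptables_script = ""
    default_home_net = ""
    default_interfaces = ""

    # Every short option that is bound to a value below must take an argument
    # (trailing ":").  The original spec only marked -x, so "-n 1" left app_id
    # at "0" and pushed "1" into args; -m had no short form at all.  -s and -q
    # are still accepted as bare flags for compatibility.
    try:
        opts, args = getopt.getopt(argv, "hsn:i:c:a:m:qv:x:d", [
            "help", "app_id=", "classtypes=", "categories=", "msgs=",
            "iptables_script=", "home_net=", "interfaces=", "debug"
        ])
    except getopt.GetoptError:
        usage()
        sys.exit(2)

    for opt, arg in opts:
        if opt in ("-h", "--help"):
            usage()
            sys.exit()
        elif opt in ("-d", "--debug"):
            _debug = True
        elif opt in ("-n", "--app_id"):
            app_id = arg
        elif opt in ("-c", "--classtypes"):
            classtypes = arg.split(",")
        elif opt in ("-a", "--categories"):
            categories = arg.split(",")
        elif opt in ("-m", "--msgs"):
            msgs = arg.split(",")
        elif opt in ("-i", "--iptables_script"):
            iptables_script = arg
        elif opt in ("-v", "--home_net"):
            default_home_net = arg
            # A comma-separated address list must be bracketed for Snort.
            if "," in default_home_net:
                default_home_net = "[" + default_home_net + "]"
        elif opt in ("-x", "--interfaces"):
            default_interfaces = arg.split(",")

    if _debug:
        print("app_id = " + app_id)
        print("_debug = ", _debug)

    settings = intrusion_prevention.IntrusionPreventionSettings(app_id)
    if not settings.exists():
        print("cannot find settings file")
        sys.exit()
    settings.load()

    snort_conf = intrusion_prevention.SnortConf(_debug=_debug)

    # Write the rule and preprocessor-rule files filtered by the requested
    # classtypes / categories / msgs, then the event map derived from them.
    rules = settings.get_rules()
    rules.save(snort_conf.get_variable("RULE_PATH"), classtypes, categories, msgs)
    rules.save(snort_conf.get_variable("PREPROC_RULE_PATH"), classtypes, categories, msgs)

    intrusion_prevention_event_map = intrusion_prevention.IntrusionPreventionEventMap(rules)
    intrusion_prevention_event_map.save()

    # Override snort configuration variables with settings variables.
    for settings_variable in settings.get_variables():
        snort_conf.set_variable(settings_variable["variable"], settings_variable["definition"])

    if snort_conf.get_variable("HOME_NET") is None:
        snort_conf.set_variable("HOME_NET", default_home_net)
    snort_conf.set_variable("EXTERNAL_NET", "!$HOME_NET")

    # NOTE(review): the original fetched settings.get_interfaces() and then
    # unconditionally replaced the result with None, so the command-line value
    # always wins.  That behaviour is kept (the call may have side effects);
    # confirm whether the saved interfaces were meant to be honoured.
    settings.get_interfaces()
    interfaces = default_interfaces

    # Drop the existing rule-path includes so only the freshly written files
    # are referenced.
    for include in snort_conf.get_includes():
        if re.search(intrusion_prevention.SnortConf.include_rulepath_regex, include["file_name"]):
            snort_conf.set_include(include["file_name"], False)
    rule_file_name = os.path.basename(rules.get_file_name())
    snort_conf.set_include("$RULE_PATH/" + rule_file_name)
    snort_conf.set_include("$PREPROC_RULE_PATH/" + rule_file_name)
    snort_conf.save()

    snort_debian_conf = intrusion_prevention.SnortDebianConf(_debug=_debug)

    # The NFQUEUE number must agree with the iptables script; read it from the
    # script's "SNORT_QUEUE_NUM=<n>" line (last occurrence wins, as before).
    queue_num = "0"
    with open(iptables_script) as ipf:
        for line in ipf:
            name, sep, value = line.strip().partition("=")
            if sep and name == "SNORT_QUEUE_NUM":
                queue_num = value
    # queue_num is spliced into the snort command line; accept digits only so a
    # malformed or tampered script cannot smuggle extra options into OPTIONS.
    if not queue_num.isdigit():
        print("invalid SNORT_QUEUE_NUM in " + iptables_script)
        sys.exit(1)

    snort_debian_conf.set_variable("HOME_NET", snort_conf.get_variable("HOME_NET"))
    snort_debian_conf.set_variable(
        "OPTIONS",
        "--daq-dir /usr/lib/daq --daq nfq --daq-var queue=" + queue_num + " -Q")
    snort_debian_conf.set_variable("INTERFACE", ":".join(interfaces))
    snort_debian_conf.save()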
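def main(argv):
    """Refresh an app's intrusion-prevention settings from a signature set.

    Loads the defaults, an optional settings patch, the previous and current
    signature files, then applies the settings rules and signature overrides to
    the current signatures, disables whatever was not qualified, and saves the
    settings (optionally in export mode, keyed by the patch's first key).

    Args:
        argv: Command-line arguments, without the program name.

    Exits with status 2 on a ``getopt`` parse error, 1 when ``--app_id`` is
    missing or ``--export`` is used without ``--patch``, and 0 otherwise.
    """
    global _debug
    _debug = False
    current_signatures_path = None
    previous_signatures_path = None
    settings_file_name = None
    status_file_name = None  # accepted for compatibility; unused here
    app_id = None
    patch_file_name = None
    export_mode = False
    summary = False
    summary_report = []

    # Short options bound to a value take an argument (":"); the original spec
    # gave -e an argument although --export is a flag, and none to -s/-r/-p/
    # -n/-a.  -c stays accepted as a bare flag.  -p can only mean
    # --previous_signatures: the original also listed it for --patch, but that
    # branch was unreachable, so --patch is long-form only.
    try:
        opts, args = getopt.getopt(argv, "hs:r:p:n:a:ced", [
            "help", "settings=", "signatures=", "previous_signatures=",
            "app_id=", "status=", "patch=", "export", "debug", "summary"
        ])
    except getopt.GetoptError:
        print("ERROR")
        usage()
        sys.exit(2)

    for opt, arg in opts:
        if opt in ("-h", "--help"):
            usage()
            sys.exit()
        elif opt in ("-d", "--debug"):
            _debug = True
        elif opt in ("-n", "--app_id"):
            app_id = arg
        elif opt in ("-r", "--signatures"):
            current_signatures_path = arg
        elif opt in ("-p", "--previous_signatures"):
            previous_signatures_path = arg
        elif opt in ("-s", "--settings"):
            settings_file_name = arg
        elif opt in ("-a", "--status"):
            status_file_name = arg
        elif opt == "--patch":
            patch_file_name = arg
        elif opt in ("-e", "--export"):
            export_mode = True
        elif opt == "--summary":
            # The original wrote `opt in ("--summary")`, a substring test on a
            # plain string rather than a tuple membership test.
            summary = True

    if app_id is None:
        print("Missing app_id")
        sys.exit(1)

    if _debug:
        if current_signatures_path is not None:
            print("current_signatures_path = " + current_signatures_path)
        if previous_signatures_path is not None:
            print("previous_signatures_path = " + previous_signatures_path)
        if settings_file_name is not None:
            print("settings_file_name = " + settings_file_name)
        print("app = " + app_id)
        print("_debug = ", _debug)

    defaults = intrusion_prevention.IntrusionPreventionDefaults()
    defaults.load()

    patch = None
    if patch_file_name is not None:
        patch = intrusion_prevention.IntrusionPreventionSettingsPatch()
        patch.load(patch_file_name)

    snort_conf = intrusion_prevention.SnortConf()

    # Previous signatures (used for diffing against the current set).
    previous_snort_signatures = None
    if previous_signatures_path is not None:
        previous_snort_signatures = intrusion_prevention.SnortSignatures(
            app_id, previous_signatures_path)
        previous_snort_signatures.load(True)
        previous_snort_signatures.update_categories(defaults, True)

    # Settings: create when absent, otherwise load.  convert() is run in both
    # cases; the original's indentation was lost, so if it was meant to follow
    # load() only, move it under the else branch.
    settings = intrusion_prevention.IntrusionPreventionSettings(app_id)
    if not settings.exists():
        settings.create()
    else:
        settings.load()
    settings.convert()

    if patch is not None:
        settings.set_patch(patch)

    # Default rules may have changed through an updates download.
    settings.update_rules(defaults.get_rules())

    # Current signatures.  Work is done on the current rule set as follows:
    # * Process modify/delete diffs from previous into current settings
    #   signature set (rare case where users modify signatures directly)
    # * Update current signatures with categories from defaults (combine
    #   otherwise uncategorized signatures into new categories)
    # * Apply settings rules to current signatures
    # * Apply settings signatures to current signatures
    # * Disable every signature not qualified by rules or signature mods
    # The original's indentation was lost; these steps all dereference the
    # current signature object, so they are kept under the path check.
    current_snort_signatures = None
    if current_signatures_path is not None:
        current_snort_signatures = intrusion_prevention.SnortSignatures(
            app_id, current_signatures_path)
        current_snort_signatures.load(True)
        if summary:
            summary_report.append(get_signature_report(current_snort_signatures, "initial"))

        # Apply category overrides from defaults.
        # TODO: also needs to be incorporated into UI signature downloads.
        current_snort_signatures.update_categories(defaults.get_categories())

        # TODO: diff against previous_snort_signatures (modify/delete) is not
        # implemented here yet.
        settings.apply_rules(current_snort_signatures)
        if summary:
            summary_report.append(get_signature_report(current_snort_signatures, "rules"))

        settings.disable_signatures(current_snort_signatures)
        if summary:
            summary_report.append(get_signature_report(current_snort_signatures, "final"))

    # NOTE: settings_file_name must never point at the live settings location
    # (comment carried over from the original).
    if export_mode:
        if patch is None:
            # The export key is the patch's first key; the original crashed
            # with AttributeError here when no --patch was given.
            print("Missing patch for export")
            sys.exit(1)
        settings.save(settings_file_name, key=next(iter(patch.settings)))
    else:
        settings.save(settings_file_name)

    if summary:
        for report in summary_report:
            print(report)

    sys.exit()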
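def main(argv):
    """Generate the Snort rule files and configuration from a signature file.

    Loads the signatures named by ``--signatures``, applies the per-signature
    overrides and the rules stored in the app settings, disables every
    signature no rule or override touched, then writes the rule files, the
    event map, ``snort.conf`` and the Debian ``snort`` defaults file.

    Args:
        argv: Command-line arguments, without the program name.

    Exits with status 2 on a ``getopt`` parse error, 0 after ``--help`` or when
    the settings file does not exist, and 1 when the iptables script carries a
    non-numeric ``SNORT_QUEUE_NUM``.
    """
    global _debug
    _debug = False
    app_id = "0"
    classtypes = []
    categories = []
    msgs = []
    iptables_script = ""
    default_home_net = ""
    default_interfaces = ""
    signatures_path = None

    # Short options bound to a value take an argument (":").  The original
    # spec only marked -x, so e.g. "-n 1" left app_id at "0"; -m and -r had no
    # short form.  -s and -q remain accepted as bare flags.
    try:
        opts, args = getopt.getopt(argv, "hsn:i:c:a:m:qv:x:r:d", [
            "help", "app_id=", "classtypes=", "categories=", "msgs=",
            "iptables_script=", "home_net=", "interfaces=", "debug", "signatures="
        ])
    except getopt.GetoptError:
        usage()
        sys.exit(2)

    for opt, arg in opts:
        if opt in ("-h", "--help"):
            usage()
            sys.exit()
        elif opt in ("-d", "--debug"):
            _debug = True
        elif opt in ("-n", "--app_id"):
            app_id = arg
        elif opt in ("-c", "--classtypes"):
            classtypes = arg.split(",")
        elif opt in ("-a", "--categories"):
            categories = arg.split(",")
        elif opt in ("-m", "--msgs"):
            msgs = arg.split(",")
        elif opt in ("-i", "--iptables_script"):
            iptables_script = arg
        elif opt in ("-v", "--home_net"):
            default_home_net = arg
            # A comma-separated address list must be bracketed for Snort.
            if "," in default_home_net:
                default_home_net = "[" + default_home_net + "]"
        elif opt in ("-x", "--interfaces"):
            default_interfaces = arg.split(",")
        elif opt in ("-r", "--signatures"):
            signatures_path = arg

    if _debug:
        print("app_id = " + app_id)
        print("_debug = ", _debug)

    settings = intrusion_prevention.IntrusionPreventionSettings(app_id)
    if not settings.exists():
        print("cannot find settings file")
        sys.exit()
    settings.load()

    snort_conf = intrusion_prevention.SnortConf(_debug=_debug)

    # Load the current signatures.
    signatures = intrusion_prevention.SnortSignatures(app_id, signatures_path)
    signatures.load(True)

    # Apply the per-signature overrides from settings.  A dict entry names an
    # existing signature by gid/sid and changes only its log/block action; any
    # other entry is treated as signature text, parsed and added with the
    # "unknown" category.
    for settings_signature in settings.settings["signatures"]["list"]:
        if isinstance(settings_signature, dict):
            for signature in signatures.get_signatures().values():
                if (signature.get_sid() == settings_signature["sid"]
                        and signature.get_gid() == settings_signature["gid"]):
                    signature.set_action(settings_signature["log"], settings_signature["block"])
        else:
            match_signature = re.search(SnortSignature.text_regex, settings_signature)
            if match_signature:
                signatures.add_signature(SnortSignature(match_signature, "unknown"))

    # Process the settings rules over the signatures, in action precedence
    # order; disabled rules are skipped.
    rules = [IntrusionPreventionRule(settings_rule)
             for settings_rule in settings.settings["rules"]["list"]]
    priority = {"default": 0, "log": 1, "blocklog": 2, "block": 3, "disable": 4}
    for rule in sorted(rules, key=lambda rule: priority[rule.get_action()]):
        if not rule.get_enabled():
            continue
        for signature in signatures.get_signatures().values():
            if rule.matches(signature):
                rule.set_signature_action(signature)

    # Any signature whose action no rule or override changed is disabled
    # (neither logged nor blocked).
    for signature in signatures.get_signatures().values():
        if not signature.get_action_changed():
            signature.set_action(False, False)

    # Write the rule and preprocessor-rule files and the event map.
    signatures.save(snort_conf.get_variable("RULE_PATH"), classtypes, categories, msgs)
    signatures.save(snort_conf.get_variable("PREPROC_RULE_PATH"), classtypes, categories, msgs)

    intrusion_prevention_event_map = intrusion_prevention.IntrusionPreventionEventMap(signatures)
    intrusion_prevention_event_map.save()

    # Override snort configuration variables with settings variables.
    for settings_variable in settings.get_variables():
        snort_conf.set_variable(settings_variable["variable"], settings_variable["definition"])

    if snort_conf.get_variable("HOME_NET") is None:
        snort_conf.set_variable("HOME_NET", default_home_net)
    snort_conf.set_variable("EXTERNAL_NET", "!$HOME_NET")

    # NOTE(review): the original fetched settings.get_interfaces() and then
    # unconditionally replaced the result with None, so the command-line value
    # always wins.  That behaviour is kept (the call may have side effects);
    # confirm whether the saved interfaces were meant to be honoured.
    settings.get_interfaces()
    interfaces = default_interfaces

    # Drop the existing signature-path includes so only the freshly written
    # files are referenced.
    for include in snort_conf.get_includes():
        if re.search(intrusion_prevention.SnortConf.include_signaturepath_regex,
                     include["file_name"]):
            snort_conf.set_include(include["file_name"], False)
    signature_file_name = os.path.basename(signatures.get_file_name())
    snort_conf.set_include("$RULE_PATH/" + signature_file_name)
    snort_conf.set_include("$PREPROC_RULE_PATH/" + signature_file_name)
    snort_conf.save()

    snort_debian_conf = intrusion_prevention.SnortDebianConf(_debug=_debug)

    # The NFQUEUE number must agree with the iptables script; read it from the
    # script's "SNORT_QUEUE_NUM=<n>" line (last occurrence wins, as before).
    queue_num = "0"
    with open(iptables_script) as ipf:
        for line in ipf:
            name, sep, value = line.strip().partition("=")
            if sep and name == "SNORT_QUEUE_NUM":
                queue_num = value
    # queue_num is spliced into the snort command line; accept digits only so a
    # malformed or tampered script cannot smuggle extra options into OPTIONS.
    if not queue_num.isdigit():
        print("invalid SNORT_QUEUE_NUM in " + iptables_script)
        sys.exit(1)

    snort_debian_conf.set_variable("HOME_NET", snort_conf.get_variable("HOME_NET"))
    snort_debian_conf.set_variable(
        "OPTIONS",
        "--daq-dir /usr/lib/daq --daq nfq --daq-var queue=" + queue_num + " -Q")
    snort_debian_conf.set_variable("INTERFACE", ":".join(interfaces))
    snort_debian_conf.save()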
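def main(argv):
    """Refresh an app's intrusion-prevention settings from a rule set.

    Loads the defaults, an optional settings patch, the current and previous
    rule files, updates the settings rules from them (preserving existing
    modifications), applies the patch or filters the active groups for the
    selected profile, and saves the settings (optionally in export mode, keyed
    by the patch's first key).

    Args:
        argv: Command-line arguments, without the program name.

    Exits with status 2 on a ``getopt`` parse error, 1 when ``--app_id`` is
    missing or ``--export`` is used without ``--patch``, and 0 otherwise.
    """
    global _debug
    _debug = False
    current_rules_path = None
    previous_rules_path = None
    settings_file_name = None
    status_file_name = None  # accepted for compatibility; unused here
    app_id = None
    patch_file_name = None
    export_mode = False

    # Short options bound to a value take an argument (":"); the original spec
    # gave -e an argument although --export is a flag, and none to -s/-r/-p/
    # -n/-a.  -c stays accepted as a bare flag.  -p can only mean
    # --previous_rules: the original also listed it for --patch, but that
    # branch was unreachable, so --patch is long-form only.
    try:
        opts, args = getopt.getopt(argv, "hs:r:p:n:a:ced", [
            "help", "settings=", "rules=", "previous_rules=", "app_id=",
            "status=", "patch=", "export", "debug"
        ])
    except getopt.GetoptError:
        usage()
        sys.exit(2)

    for opt, arg in opts:
        if opt in ("-h", "--help"):
            usage()
            sys.exit()
        elif opt in ("-d", "--debug"):
            _debug = True
        elif opt in ("-n", "--app_id"):
            app_id = arg
        elif opt in ("-r", "--rules"):
            current_rules_path = arg
        elif opt in ("-p", "--previous_rules"):
            previous_rules_path = arg
        elif opt in ("-s", "--settings"):
            settings_file_name = arg
        elif opt in ("-a", "--status"):
            status_file_name = arg
        elif opt == "--patch":
            patch_file_name = arg
        elif opt in ("-e", "--export"):
            export_mode = True

    if app_id is None:
        print("Missing app_id")
        sys.exit(1)

    if _debug:
        if current_rules_path is not None:
            print("current_rules_path = " + current_rules_path)
        if previous_rules_path is not None:
            print("previous_rules_path = " + previous_rules_path)
        if settings_file_name is not None:
            print("settings_file_name = " + settings_file_name)
        print("app = " + app_id)
        print("_debug = ", _debug)

    defaults = intrusion_prevention.IntrusionPreventionDefaults()
    defaults.load()

    patch = None
    if patch_file_name is not None:
        patch = intrusion_prevention.IntrusionPreventionSettingsPatch()
        patch.load(patch_file_name)

    snort_conf = intrusion_prevention.SnortConf()

    # Current and previous rule sets, each with default categories applied.
    current_snort_rules = None
    if current_rules_path is not None:
        current_snort_rules = intrusion_prevention.SnortRules(app_id, current_rules_path)
        current_snort_rules.load(True)
        current_snort_rules.update_categories(defaults, True)

    previous_snort_rules = None
    if previous_rules_path is not None:
        previous_snort_rules = intrusion_prevention.SnortRules(app_id, previous_rules_path)
        previous_snort_rules.load(True)
        previous_snort_rules.update_categories(defaults, True)

    # Settings: create when absent, otherwise load.  convert() is run in both
    # cases; the original's indentation was lost, so if it was meant to follow
    # load() only, move it under the else branch.
    settings = intrusion_prevention.IntrusionPreventionSettings(app_id)
    if not settings.exists():
        settings.create()
    else:
        settings.load()
    settings.convert()

    # Fold the rule distribution into the settings rules.  The original's
    # indentation was lost; both update() calls pass current_snort_rules, so
    # they are kept under its None check.
    if current_snort_rules is not None:
        settings.rules.update_categories(defaults)
        if patch is not None and "activeGroups" in patch.settings:
            # Perform updates (e.g. from rule distributions) preserving
            # existing modifications.
            settings.rules.update(
                settings, snort_conf, current_snort_rules, previous_snort_rules, True)
        else:
            settings.rules.update(
                settings, snort_conf, current_snort_rules, previous_snort_rules)

    # The patch may select a different profile than the saved settings.
    profile_id = settings.settings["profileId"]
    if patch is not None and "profileId" in patch.settings:
        profile_id = patch.settings["profileId"]

    defaults_profile = defaults.get_profile(profile_id)
    if defaults_profile is not None:
        if patch is not None:
            settings.set_patch(patch, defaults_profile)
        else:
            # Disable rules outside the active groups for this profile.
            settings.get_rules().filter_group(settings.settings["activeGroups"], defaults_profile)

    # NOTE: settings_file_name must never point at the live settings location
    # (comment carried over from the original).
    if export_mode:
        if patch is None:
            # The export key is the patch's first key; the original crashed
            # with AttributeError here when no --patch was given.
            print("Missing patch for export")
            sys.exit(1)
        settings.save(settings_file_name, key=next(iter(patch.settings)))
    else:
        settings.save(settings_file_name)

    sys.exit()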