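def main(argv):
    """
    Main loop: build the Snort rule set and configuration for one app instance.

    Parses the command line, loads the app's settings, applies the per-signature
    overrides and the rules from those settings to the loaded signatures, writes
    the resulting rule files and event map, and finally rewrites the Snort and
    Debian Snort configuration files.

    Args:
        argv: command-line arguments without the program name (getopt style).

    The process exits via sys.exit on a malformed command line, on --help, and
    when the settings file for app_id cannot be found.
    """
    global _debug
    _debug = False
    app_id = "0"
    classtypes = []
    categories = []
    msgs = []
    iptables_script = ""
    default_home_net = ""
    # Empty list (not "") so ":".join() below is well-typed when -x is absent.
    default_interfaces = []
    signatures_path = None

    try:
        # Every short option that consumes a value is marked with ":".  The
        # previous string "hsincaqvx:d" gave n/c/a/i/v no value (so "-n 3"
        # set app_id to "") and did not list -m or -r at all; the unhandled
        # -s and -q flags are kept so existing invocations still parse.
        opts, _args = getopt.getopt(argv, "hsn:c:a:m:i:qv:x:r:d", [
            "help", "app_id=", "classtypes=", "categories=", "msgs=",
            "iptables_script=", "home_net=", "interfaces=", "debug",
            "signatures="
        ])
    except getopt.GetoptError as error:
        print(error)
        usage()
        sys.exit(2)
    for opt, arg in opts:
        if opt in ("-h", "--help"):
            usage()
            sys.exit()
        elif opt in ("-d", "--debug"):
            _debug = True
        elif opt in ("-n", "--app_id"):
            app_id = arg
        elif opt in ("-c", "--classtypes"):
            classtypes = arg.split(",")
        elif opt in ("-a", "--categories"):
            categories = arg.split(",")
        elif opt in ("-m", "--msgs"):
            msgs = arg.split(",")
        elif opt in ("-i", "--iptables_script"):
            iptables_script = arg
        elif opt in ("-v", "--home_net"):
            default_home_net = arg
            # A comma-separated address list is bracketed for Snort.
            if "," in default_home_net:
                default_home_net = "[" + default_home_net + "]"
        elif opt in ("-x", "--interfaces"):
            default_interfaces = arg.split(",")
        elif opt in ("-r", "--signatures"):
            signatures_path = arg

    if _debug:
        print("app_id = " + app_id)
        print("_debug = ", _debug)

    settings = intrusion_prevention.IntrusionPreventionSettings(app_id)
    if not settings.exists():
        print("cannot find settings file")
        sys.exit()
    settings.load()

    snort_conf = intrusion_prevention.SnortConf(_debug=_debug)

    # Load the current signatures, then fold in the settings' signature
    # entries: a dict entry overrides the action of the existing signature
    # with the same (sid, gid); any other entry is treated as rule text and,
    # when it parses, added as a new custom signature.
    signatures = intrusion_prevention.SnortSignatures(app_id, signatures_path)
    signatures.load(True)
    for settings_signature in settings.settings["signatures"]["list"]:
        if isinstance(settings_signature, dict):
            for signature in signatures.get_signatures().values():
                if (signature.get_sid() == settings_signature["sid"]
                        and signature.get_gid() == settings_signature["gid"]):
                    signature.set_action(settings_signature["log"],
                                         settings_signature["block"])
        else:
            match_signature = re.search(SnortSignature.text_regex,
                                        settings_signature)
            if match_signature:
                # Custom text rules carry no category information.
                signatures.add_signature(
                    SnortSignature(match_signature, "unknown"))

    rules = [IntrusionPreventionRule(settings_rule)
             for settings_rule in settings.settings["rules"]["list"]]

    # Apply rules in ascending action precedence, so that when several rules
    # match the same signature the highest-precedence action is applied last.
    # A rule whose action is not listed here raises KeyError (unchanged).
    priority = {
        'default': 0,
        'log': 1,
        'blocklog': 2,
        'block': 3,
        'disable': 4
    }
    for rule in sorted(rules, key=lambda r: priority[r.get_action()]):
        if not rule.get_enabled():
            continue
        for signature in signatures.get_signatures().values():
            if rule.matches(signature):
                rule.set_signature_action(signature)

    # Any signature no rule touched is disabled: neither logged nor blocked.
    for signature in signatures.get_signatures().values():
        if not signature.get_action_changed():
            signature.set_action(False, False)

    signatures.save(snort_conf.get_variable("RULE_PATH"), classtypes,
                    categories, msgs)
    signatures.save(snort_conf.get_variable("PREPROC_RULE_PATH"), classtypes,
                    categories, msgs)

    intrusion_prevention_event_map = intrusion_prevention.IntrusionPreventionEventMap(
        signatures)
    intrusion_prevention_event_map.save()

    # Override snort configuration variables with settings variables
    for settings_variable in settings.get_variables():
        snort_conf.set_variable(settings_variable["variable"],
                                settings_variable["definition"])

    if snort_conf.get_variable('HOME_NET') is None:
        snort_conf.set_variable("HOME_NET", default_home_net)

    snort_conf.set_variable("EXTERNAL_NET", "!$HOME_NET")

    # The original fetched settings.get_interfaces() and then unconditionally
    # threw the result away, so the command-line interfaces are always used.
    # NOTE(review): confirm whether the interfaces from settings were meant to
    # take precedence; they are never applied here.
    interfaces = default_interfaces

    # Existing includes that match the signature-path pattern are passed to
    # set_include with False (presumably turning them off), then the freshly
    # written rule file is included from both rule paths.
    for include in snort_conf.get_includes():
        match_include_signature = re.search(
            intrusion_prevention.SnortConf.include_signaturepath_regex,
            include["file_name"])
        if match_include_signature:
            snort_conf.set_include(include["file_name"], False)
    rule_file_name = os.path.basename(signatures.get_file_name())
    snort_conf.set_include("$RULE_PATH/" + rule_file_name)
    snort_conf.set_include("$PREPROC_RULE_PATH/" + rule_file_name)

    snort_conf.save()

    snort_debian_conf = intrusion_prevention.SnortDebianConf(_debug=_debug)

    # Read the nfqueue number the iptables script uses (SNORT_QUEUE_NUM=N) so
    # Snort's nfq DAQ listens on the same queue.  The file is now closed on
    # every exit path, and a line without "=" no longer raises IndexError.
    queue_num = "0"
    with open(iptables_script) as ipf:
        for line in ipf:
            setting = line.strip().split("=")
            if len(setting) >= 2 and setting[0] == "SNORT_QUEUE_NUM":
                queue_num = setting[1]

    snort_debian_conf.set_variable("HOME_NET",
                                   snort_conf.get_variable("HOME_NET"))
    # NOTE(review): queue_num is taken verbatim from the iptables script and
    # interpolated into the daemon's command line; it is assumed to be a
    # plain integer written by our own script.
    snort_debian_conf.set_variable(
        "OPTIONS", "--daq-dir /usr/lib/daq --daq nfq --daq-var queue=" +
        queue_num + " -Q")
    snort_debian_conf.set_variable("INTERFACE", ":".join(interfaces))
    snort_debian_conf.save()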
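def main(argv):
    """
    Main loop: write the Snort rule files and configuration for one app instance.

    Parses the command line, loads the app's settings, saves the rules the
    settings provide plus the event map, then rewrites the Snort and Debian
    Snort configuration files.

    Args:
        argv: command-line arguments without the program name (getopt style).

    The process exits via sys.exit on a malformed command line, on --help, and
    when the settings file for app_id cannot be found.
    """
    global _debug
    _debug = False
    app_id = "0"
    classtypes = []
    categories = []
    msgs = []
    iptables_script = ""
    default_home_net = ""
    # Empty list (not "") so ":".join() below is well-typed when -x is absent.
    default_interfaces = []

    try:
        # Every short option that consumes a value is marked with ":".  The
        # previous string "hsincaqvx:d" gave n/c/a/i/v no value (so "-n 3"
        # set app_id to "") and did not list -m at all; the unhandled -s and
        # -q flags are kept so existing invocations still parse.
        opts, _args = getopt.getopt(argv, "hsn:c:a:m:i:qv:x:d", [
            "help", "app_id=", "classtypes=", "categories=", "msgs=",
            "iptables_script=", "home_net=", "interfaces=", "debug"
        ])
    except getopt.GetoptError as error:
        print(error)
        usage()
        sys.exit(2)
    for opt, arg in opts:
        if opt in ("-h", "--help"):
            usage()
            sys.exit()
        elif opt in ("-d", "--debug"):
            _debug = True
        elif opt in ("-n", "--app_id"):
            app_id = arg
        elif opt in ("-c", "--classtypes"):
            classtypes = arg.split(",")
        elif opt in ("-a", "--categories"):
            categories = arg.split(",")
        elif opt in ("-m", "--msgs"):
            msgs = arg.split(",")
        elif opt in ("-i", "--iptables_script"):
            iptables_script = arg
        elif opt in ("-v", "--home_net"):
            default_home_net = arg
            # A comma-separated address list is bracketed for Snort.
            if "," in default_home_net:
                default_home_net = "[" + default_home_net + "]"
        elif opt in ("-x", "--interfaces"):
            default_interfaces = arg.split(",")

    if _debug:
        print("app_id = " + app_id)
        print("_debug = ", _debug)

    settings = intrusion_prevention.IntrusionPreventionSettings(app_id)
    if not settings.exists():
        print("cannot find settings file")
        sys.exit()
    settings.load()

    snort_conf = intrusion_prevention.SnortConf(_debug=_debug)

    rules = settings.get_rules()
    rules.save(snort_conf.get_variable("RULE_PATH"), classtypes, categories,
               msgs)
    rules.save(snort_conf.get_variable("PREPROC_RULE_PATH"), classtypes,
               categories, msgs)

    intrusion_prevention_event_map = intrusion_prevention.IntrusionPreventionEventMap(
        rules)
    intrusion_prevention_event_map.save()

    # Override snort configuration variables with settings variables
    for settings_variable in settings.get_variables():
        snort_conf.set_variable(settings_variable["variable"],
                                settings_variable["definition"])

    if snort_conf.get_variable('HOME_NET') is None:
        snort_conf.set_variable("HOME_NET", default_home_net)

    snort_conf.set_variable("EXTERNAL_NET", "!$HOME_NET")

    # The original fetched settings.get_interfaces() and then unconditionally
    # threw the result away, so the command-line interfaces are always used.
    # NOTE(review): confirm whether the interfaces from settings were meant to
    # take precedence; they are never applied here.
    interfaces = default_interfaces

    # Existing includes that match the rule-path pattern are passed to
    # set_include with False (presumably turning them off), then the freshly
    # written rule file is included from both rule paths.
    for include in snort_conf.get_includes():
        match_include_rule = re.search(
            intrusion_prevention.SnortConf.include_rulepath_regex,
            include["file_name"])
        if match_include_rule:
            snort_conf.set_include(include["file_name"], False)
    rule_file_name = os.path.basename(rules.get_file_name())
    snort_conf.set_include("$RULE_PATH/" + rule_file_name)
    snort_conf.set_include("$PREPROC_RULE_PATH/" + rule_file_name)

    snort_conf.save()

    snort_debian_conf = intrusion_prevention.SnortDebianConf(_debug=_debug)

    # Read the nfqueue number the iptables script uses (SNORT_QUEUE_NUM=N) so
    # Snort's nfq DAQ listens on the same queue.  The file is now closed on
    # every exit path, and a line without "=" no longer raises IndexError.
    queue_num = "0"
    with open(iptables_script) as ipf:
        for line in ipf:
            setting = line.strip().split("=")
            if len(setting) >= 2 and setting[0] == "SNORT_QUEUE_NUM":
                queue_num = setting[1]

    snort_debian_conf.set_variable("HOME_NET",
                                   snort_conf.get_variable("HOME_NET"))
    # NOTE(review): queue_num is taken verbatim from the iptables script and
    # interpolated into the daemon's command line; it is assumed to be a
    # plain integer written by our own script.
    snort_debian_conf.set_variable(
        "OPTIONS", "--daq-dir /usr/lib/daq --daq nfq --daq-var queue=" +
        queue_num + " -Q")
    snort_debian_conf.set_variable("INTERFACE", ":".join(interfaces))
    snort_debian_conf.save()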
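def main(argv):
    """
    Main loop: build the Suricata rule set, configuration and systemd drop-in.

    Parses the command line, reads the intrusion-prevention app settings, adds
    the custom signatures and applies the rules from those settings to the
    loaded signatures, saves the signatures and event map, rewrites the
    Suricata configuration, and writes the NFQUEUE number into a systemd
    drop-in before reloading systemd.

    Args:
        argv: command-line arguments without the program name (getopt style).

    The process exits via sys.exit on a malformed command line, on --help,
    when settings cannot be read, and when the configured NFQUEUE number is
    not an integer.
    """
    global _debug
    _debug = False
    default_home_net = ""

    try:
        # "-v" consumes a value, so it is marked with ":" here; the previous
        # string "hsincaqvx:d" listed it without one, leaving default_home_net
        # empty for "-v <net>".  The other, unhandled letters are kept so
        # existing invocations still parse.
        opts, _args = getopt.getopt(argv, "hsincaqv:x:d", ["help", "home_net=", "debug"])
    except getopt.GetoptError as error:
        print(error)
        usage()
        sys.exit(2)
    for opt, arg in opts:
        if opt in ("-h", "--help"):
            usage()
            sys.exit()
        elif opt in ("-d", "--debug"):
            _debug = True
        elif opt in ("-v", "--home_net"):
            default_home_net = arg
            # A comma-separated address list is bracketed for Suricata.
            if "," in default_home_net:
                default_home_net = "[" + default_home_net + "]"

    if _debug:
        print("_debug = %r" % (_debug))

    settings = get_app_settings("intrusion-prevention")

    if settings is None:
        print("Unable to read settings")
        sys.exit(2)

    # Class-level default consulted by every SuricataSignature created below.
    SuricataSignature.block_action = settings["blockAction"]

    if _debug:
        print("Loading signatures")

    ##
    ## Load known signatures
    ##
    signatures = intrusion_prevention.SuricataSignatures()
    signatures.load()

    ##
    ## Integrate modifications from settings: each entry is custom rule text
    ## that, when it parses, is added as a new signature in its category.
    ##
    for settings_signature in settings["signatures"]["list"]:
        match_signature = re.search(SuricataSignature.text_regex, settings_signature['signature'])
        if match_signature:
            signatures.add_signature(SuricataSignature(match_signature, settings_signature['category']))

    if _debug:
        print("Applying rules")

    ##
    ## Process rules over signatures.  Disabled rules are never consulted,
    ## so they are filtered out once here instead of on every signature.
    ##
    rules = [IntrusionPreventionRule(settings_rule) for settings_rule in settings["rules"]["list"]]
    enabled_rules = [rule for rule in rules if rule.get_enabled()]
    whitelist_rules = [rule for rule in enabled_rules if rule.get_action() == "whitelist"]
    action_rules = [rule for rule in enabled_rules if rule.get_action() != "whitelist"]

    ##
    ## Network rules: every matching whitelist rule records the signature's
    ## source and destination networks.
    ##
    for signature in signatures.get_signatures().values():
        for rule in whitelist_rules:
            if rule.matches(signature):
                rule.add_signature_network("source", signature, True)
                rule.add_signature_network("destination", signature, True)

    ##
    ## Process rules in order: the first matching non-whitelist rule sets the
    ## signature's action and later rules are not consulted for it.
    ##
    for signature in signatures.get_signatures().values():
        for rule in action_rules:
            if rule.matches(signature):
                rule.set_signature_action(signature)
                break

    ##
    ## Disable signatures not modified by any rule.
    ##
    for signature in signatures.get_signatures().values():
        if not signature.get_action_changed():
            signature.set_action(False, False)

    if _debug:
        signature_action_counts = {
            'disabled': 0,
            'log': 0,
            'block': 0
        }
        for signature in signatures.get_signatures().values():
            action = signature.get_action()
            if action["log"] is False and action["block"] is False:
                signature_action_counts["disabled"] += 1
            elif action["block"] is True:
                signature_action_counts["block"] += 1
            elif action["log"] is True:
                signature_action_counts["log"] += 1
            else:
                print("Unknown Action")
                print(action)

        print(signature_action_counts)

    signatures.save()

    ##
    ## Create event map
    ##
    if _debug:
        print("Creating event map")
    intrusion_prevention_event_map = intrusion_prevention.IntrusionPreventionEventMap(signatures)
    intrusion_prevention_event_map.save()

    if _debug:
        print("Modifying suricata configuration")
    suricata_conf = intrusion_prevention.SuricataConf(_debug=_debug)

    ##
    ## Override suricata configuration variables with settings variables.
    ## The literal value "default" is a placeholder resolved here: HOME_NET
    ## takes the command-line network, EXTERNAL_NET becomes "any".
    ##
    for settings_variable in settings["variables"]["list"]:
        name = settings_variable["name"]
        value = settings_variable["value"]
        if value == "default":
            if name == "HOME_NET":
                value = default_home_net
            elif name == "EXTERNAL_NET":
                value = "any"

        suricata_conf.set_variable(name, value)

    if "suricataSettings" in settings:
        suricata_conf.set(settings["suricataSettings"])

    suricata_conf.save()

    ##
    ## Set nfq queue number for systemd.  The value is written into a unit
    ## drop-in, so it is coerced to an integer first: a non-numeric value
    ## (quotes, newlines, stray text) would corrupt the unit or add directives
    ## to it, and the original wrote whatever the settings held verbatim.
    ##
    try:
        nfq_number = int(settings["iptablesNfqNumber"])
    except (KeyError, TypeError, ValueError):
        print("Invalid or missing iptablesNfqNumber in settings")
        sys.exit(2)
    with open("/etc/systemd/system/suricata.service.d/local.conf", "w") as text_file:
        text_file.write("[Service]\n")
        text_file.write("Environment=\"NFQUEUE={0}\"\n".format(nfq_number))
    call(["systemctl", "daemon-reload"])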