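def main(argv):
    """
    Main loop.

    Builds the Snort signature set from the app settings (signature
    overrides, custom signatures and rules), writes the signature files and
    the event map, then rewrites snort.conf and the Debian snort daemon
    configuration.

    argv: command-line arguments without the program name; see usage().
    Exits through sys.exit() on bad options, a missing settings file, a
    missing --iptables_script or a malformed SNORT_QUEUE_NUM.
    """
    global _debug
    _debug = False

    app_id = "0"
    classtypes = []
    categories = []
    msgs = []
    iptables_script = ""
    default_home_net = ""
    default_interfaces = ""
    signatures_path = None

    # Every short option whose handler reads `arg` must be declared with a
    # trailing ":"; otherwise getopt hands the handler an empty argument and
    # leaves the real value behind in `args` (-n/-c/-a/-i/-v were declared as
    # flags, -m and -r not at all). -s and -q are accepted but unused.
    try:
        opts, args = getopt.getopt(argv, "hsqdn:c:a:m:i:v:x:r:", [
            "help", "app_id=", "classtypes=", "categories=", "msgs=",
            "iptables_script=", "home_net=", "interfaces=", "debug",
            "signatures="
        ])
    except getopt.GetoptError as error:
        print(error)
        usage()
        sys.exit(2)

    for opt, arg in opts:
        if opt in ("-h", "--help"):
            usage()
            sys.exit()
        elif opt in ("-d", "--debug"):
            _debug = True
        elif opt in ("-n", "--app_id"):
            app_id = arg
        elif opt in ("-c", "--classtypes"):
            classtypes = arg.split(",")
        elif opt in ("-a", "--categories"):
            categories = arg.split(",")
        elif opt in ("-m", "--msgs"):
            msgs = arg.split(",")
        elif opt in ("-i", "--iptables_script"):
            iptables_script = arg
        elif opt in ("-v", "--home_net"):
            default_home_net = arg
            # Several networks become a Snort address list: [a,b,c]
            if "," in default_home_net:
                default_home_net = "[" + default_home_net + "]"
        elif opt in ("-x", "--interfaces"):
            default_interfaces = arg.split(",")
        elif opt in ("-r", "--signatures"):
            signatures_path = arg

    # The iptables script is read near the end; fail before writing any
    # configuration rather than leaving a half-updated setup behind.
    if not iptables_script:
        print("--iptables_script is required")
        usage()
        sys.exit(2)

    if _debug:
        print("app_id = " + app_id)
        print("_debug = ", _debug)

    settings = intrusion_prevention.IntrusionPreventionSettings(app_id)
    if not settings.exists():
        print("cannot find settings file")
        sys.exit()
    settings.load()

    snort_conf = intrusion_prevention.SnortConf(_debug=_debug)

    ##
    ## Load the current signatures, then fold in the per-signature
    ## modifications and custom signatures from settings.
    ##
    signatures = intrusion_prevention.SnortSignatures(app_id, signatures_path)
    signatures.load(True)

    for settings_signature in settings.settings["signatures"]["list"]:
        if isinstance(settings_signature, dict):
            # A {sid, gid, log, block} entry overrides the action of a
            # known signature.
            for signature in signatures.get_signatures().values():
                if (signature.get_sid() == settings_signature["sid"]
                        and signature.get_gid() == settings_signature["gid"]):
                    signature.set_action(settings_signature["log"],
                                         settings_signature["block"])
        else:
            # Anything else is a custom rule in Snort text form; entries
            # the regex rejects are skipped.
            match_signature = re.search(SnortSignature.text_regex,
                                        settings_signature)
            if match_signature:
                signatures.add_signature(
                    SnortSignature(match_signature, "unknown"))

    ##
    ## Process rules over signatures.
    ##
    rules = [IntrusionPreventionRule(settings_rule)
             for settings_rule in settings.settings["rules"]["list"]]

    # Rules are applied in action precedence order, so when several rules
    # match one signature the strongest action is applied last and wins.
    priority = {
        'default': 0,
        'log': 1,
        'blocklog': 2,
        'block': 3,
        'disable': 4
    }
    for rule in sorted(rules, key=lambda rule: priority[rule.get_action()]):
        if not rule.get_enabled():
            continue
        for signature in signatures.get_signatures().values():
            if rule.matches(signature):
                rule.set_signature_action(signature)

    # Any signature no rule touched is disabled (no log, no block).
    for signature in signatures.get_signatures().values():
        if not signature.get_action_changed():
            signature.set_action(False, False)

    signatures.save(snort_conf.get_variable("RULE_PATH"),
                    classtypes, categories, msgs)
    signatures.save(snort_conf.get_variable("PREPROC_RULE_PATH"),
                    classtypes, categories, msgs)

    intrusion_prevention_event_map = intrusion_prevention.IntrusionPreventionEventMap(
        signatures)
    intrusion_prevention_event_map.save()

    # Override snort configuration variables with settings variables.
    for settings_variable in settings.get_variables():
        snort_conf.set_variable(settings_variable["variable"],
                                settings_variable["definition"])

    if snort_conf.get_variable('HOME_NET') is None:
        snort_conf.set_variable("HOME_NET", default_home_net)
        snort_conf.set_variable("EXTERNAL_NET", "!$HOME_NET")

    # NOTE(review): the interfaces from settings are fetched and immediately
    # discarded, so the -x/--interfaces default always wins. Kept as-is
    # because it may be a deliberate override rather than a leftover;
    # confirm before re-enabling the settings value.
    interfaces = settings.get_interfaces()
    interfaces = None
    if interfaces is None:
        interfaces = default_interfaces

    # Drop every existing signature include and add ours in its place.
    for include in snort_conf.get_includes():
        match_include_signature = re.search(
            intrusion_prevention.SnortConf.include_signaturepath_regex,
            include["file_name"])
        if match_include_signature:
            snort_conf.set_include(include["file_name"], False)
    signature_file_name = os.path.basename(signatures.get_file_name())
    snort_conf.set_include("$RULE_PATH/" + signature_file_name)
    snort_conf.set_include("$PREPROC_RULE_PATH/" + signature_file_name)
    snort_conf.save()

    snort_debian_conf = intrusion_prevention.SnortDebianConf(_debug=_debug)

    # The queue number is spliced into the daemon's OPTIONS line, so only a
    # plain integer is accepted; anything else would become extra snort
    # arguments. The last SNORT_QUEUE_NUM=... line in the script wins.
    queue_num = "0"
    with open(iptables_script) as ipf:
        for line in ipf:
            name, sep, value = line.strip().partition("=")
            if name == "SNORT_QUEUE_NUM" and sep:
                queue_num = value
    if not queue_num.isdigit():
        print("invalid SNORT_QUEUE_NUM in " + iptables_script + ": " + repr(queue_num))
        sys.exit(2)

    snort_debian_conf.set_variable("HOME_NET",
                                   snort_conf.get_variable("HOME_NET"))
    snort_debian_conf.set_variable(
        "OPTIONS",
        "--daq-dir /usr/lib/daq --daq nfq --daq-var queue=" + queue_num + " -Q")
    snort_debian_conf.set_variable("INTERFACE", ":".join(interfaces))
    snort_debian_conf.save()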
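def main(argv):
    """
    Main loop.

    Takes the rule set from the app settings, writes the rule files and the
    event map, then rewrites snort.conf and the Debian snort daemon
    configuration.

    argv: command-line arguments without the program name; see usage().
    Exits through sys.exit() on bad options, a missing settings file, a
    missing --iptables_script or a malformed SNORT_QUEUE_NUM.
    """
    global _debug
    _debug = False

    app_id = "0"
    classtypes = []
    categories = []
    msgs = []
    iptables_script = ""
    default_home_net = ""
    default_interfaces = ""

    # Every short option whose handler reads `arg` must be declared with a
    # trailing ":"; otherwise getopt hands the handler an empty argument and
    # leaves the real value behind in `args` (-n/-c/-a/-i/-v were declared as
    # flags, -m not at all). -s and -q are accepted but unused.
    try:
        opts, args = getopt.getopt(argv, "hsqdn:c:a:m:i:v:x:", [
            "help", "app_id=", "classtypes=", "categories=", "msgs=",
            "iptables_script=", "home_net=", "interfaces=", "debug"
        ])
    except getopt.GetoptError as error:
        print(error)
        usage()
        sys.exit(2)

    for opt, arg in opts:
        if opt in ("-h", "--help"):
            usage()
            sys.exit()
        elif opt in ("-d", "--debug"):
            _debug = True
        elif opt in ("-n", "--app_id"):
            app_id = arg
        elif opt in ("-c", "--classtypes"):
            classtypes = arg.split(",")
        elif opt in ("-a", "--categories"):
            categories = arg.split(",")
        elif opt in ("-m", "--msgs"):
            msgs = arg.split(",")
        elif opt in ("-i", "--iptables_script"):
            iptables_script = arg
        elif opt in ("-v", "--home_net"):
            default_home_net = arg
            # Several networks become a Snort address list: [a,b,c]
            if "," in default_home_net:
                default_home_net = "[" + default_home_net + "]"
        elif opt in ("-x", "--interfaces"):
            default_interfaces = arg.split(",")

    # The iptables script is read near the end; fail before writing any
    # configuration rather than leaving a half-updated setup behind.
    if not iptables_script:
        print("--iptables_script is required")
        usage()
        sys.exit(2)

    if _debug:
        print("app_id = " + app_id)
        print("_debug = ", _debug)

    settings = intrusion_prevention.IntrusionPreventionSettings(app_id)
    if not settings.exists():
        print("cannot find settings file")
        sys.exit()
    settings.load()

    snort_conf = intrusion_prevention.SnortConf(_debug=_debug)

    # Write the rule set under both rule paths and build the event map.
    rules = settings.get_rules()
    rules.save(snort_conf.get_variable("RULE_PATH"),
               classtypes, categories, msgs)
    rules.save(snort_conf.get_variable("PREPROC_RULE_PATH"),
               classtypes, categories, msgs)

    intrusion_prevention_event_map = intrusion_prevention.IntrusionPreventionEventMap(
        rules)
    intrusion_prevention_event_map.save()

    # Override snort configuration variables with settings variables.
    for settings_variable in settings.get_variables():
        snort_conf.set_variable(settings_variable["variable"],
                                settings_variable["definition"])

    if snort_conf.get_variable('HOME_NET') is None:
        snort_conf.set_variable("HOME_NET", default_home_net)
        snort_conf.set_variable("EXTERNAL_NET", "!$HOME_NET")

    # NOTE(review): the interfaces from settings are fetched and immediately
    # discarded, so the -x/--interfaces default always wins. Kept as-is
    # because it may be a deliberate override rather than a leftover;
    # confirm before re-enabling the settings value.
    interfaces = settings.get_interfaces()
    interfaces = None
    if interfaces is None:
        interfaces = default_interfaces

    # Drop every existing rule include and add ours in its place.
    for include in snort_conf.get_includes():
        match_include_rule = re.search(
            intrusion_prevention.SnortConf.include_rulepath_regex,
            include["file_name"])
        if match_include_rule:
            snort_conf.set_include(include["file_name"], False)
    rule_file_name = os.path.basename(rules.get_file_name())
    snort_conf.set_include("$RULE_PATH/" + rule_file_name)
    snort_conf.set_include("$PREPROC_RULE_PATH/" + rule_file_name)
    snort_conf.save()

    snort_debian_conf = intrusion_prevention.SnortDebianConf(_debug=_debug)

    # The queue number is spliced into the daemon's OPTIONS line, so only a
    # plain integer is accepted; anything else would become extra snort
    # arguments. The last SNORT_QUEUE_NUM=... line in the script wins.
    queue_num = "0"
    with open(iptables_script) as ipf:
        for line in ipf:
            name, sep, value = line.strip().partition("=")
            if name == "SNORT_QUEUE_NUM" and sep:
                queue_num = value
    if not queue_num.isdigit():
        print("invalid SNORT_QUEUE_NUM in " + iptables_script + ": " + repr(queue_num))
        sys.exit(2)

    snort_debian_conf.set_variable("HOME_NET",
                                   snort_conf.get_variable("HOME_NET"))
    snort_debian_conf.set_variable(
        "OPTIONS",
        "--daq-dir /usr/lib/daq --daq nfq --daq-var queue=" + queue_num + " -Q")
    snort_debian_conf.set_variable("INTERFACE", ":".join(interfaces))
    snort_debian_conf.save()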
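def main(argv):
    """
    Main loop.

    Loads the Suricata signature set, adds the custom signatures and applies
    the rules from the app settings, writes the signature file and the event
    map, rewrites the Suricata configuration and sets the nfq queue number
    for the systemd unit.

    argv: command-line arguments without the program name; see usage().
    Exits through sys.exit(2) on bad options, unreadable settings or a
    non-integer iptablesNfqNumber.
    """
    global _debug
    _debug = False
    default_home_net = ""

    # -v reads an argument, so it needs the ":" here; without it getopt
    # returns an empty argument and leaves the network behind in `args`.
    # The other letters are accepted for compatibility but not handled.
    try:
        opts, args = getopt.getopt(argv, "hsincaqv:x:d",
                                   ["help", "home_net=", "debug"])
    except getopt.GetoptError as error:
        print(error)
        usage()
        sys.exit(2)

    for opt, arg in opts:
        if opt in ("-h", "--help"):
            usage()
            sys.exit()
        elif opt in ("-d", "--debug"):
            _debug = True
        elif opt in ("-v", "--home_net"):
            default_home_net = arg
            # Several networks become a Suricata address list: [a,b,c]
            if "," in default_home_net:
                default_home_net = "[" + default_home_net + "]"

    if _debug:
        print("_debug = %r" % (_debug))

    settings = get_app_settings("intrusion-prevention")
    if settings is None:
        print("Unable to read settings")
        sys.exit(2)

    # Class-wide default used when signatures are written out.
    SuricataSignature.block_action = settings["blockAction"]

    if _debug:
        print("Loading signatures")

    ##
    ## Load known signatures
    ##
    signatures = intrusion_prevention.SuricataSignatures()
    signatures.load()

    ##
    ## Integrate modifications from settings: each entry is a custom rule in
    ## Suricata text form; entries the regex rejects are skipped.
    ##
    for settings_signature in settings["signatures"]["list"]:
        match_signature = re.search(SuricataSignature.text_regex,
                                    settings_signature['signature'])
        if match_signature:
            signatures.add_signature(
                SuricataSignature(match_signature, settings_signature['category']))
        elif _debug:
            print("Skipping unparseable signature: %r" % (settings_signature['signature'],))

    if _debug:
        print("Applying rules")

    ##
    ## Process rules over signatures
    ##
    rules = [IntrusionPreventionRule(settings_rule)
             for settings_rule in settings["rules"]["list"]]
    enabled_rules = [rule for rule in rules if rule.get_enabled()]

    ##
    ## Network rules: every enabled whitelist rule that matches a signature
    ## contributes its networks to that signature's source and destination.
    ##
    for signature in signatures.get_signatures().values():
        for rule in enabled_rules:
            if rule.matches(signature) and rule.get_action() == "whitelist":
                rule.add_signature_network("source", signature, True)
                rule.add_signature_network("destination", signature, True)

    ##
    ## Process rules in order: the first enabled non-whitelist rule that
    ## matches a signature sets its action. A matching whitelist rule does
    ## not end the search, so such signatures can still pick up an action
    ## from a later rule (otherwise the final pass would disable them).
    ##
    for signature in signatures.get_signatures().values():
        for rule in enabled_rules:
            if rule.matches(signature) and rule.get_action() != "whitelist":
                rule.set_signature_action(signature)
                break

    ##
    ## Disable signatures not modified by any rule.
    ##
    for signature in signatures.get_signatures().values():
        if not signature.get_action_changed():
            signature.set_action(False, False)

    if _debug:
        signature_action_counts = {
            'disabled': 0,
            'log': 0,
            'block': 0
        }
        for signature in signatures.get_signatures().values():
            action = signature.get_action()
            if action["log"] is False and action["block"] is False:
                signature_action_counts["disabled"] += 1
            elif action["block"] is True:
                signature_action_counts["block"] += 1
            elif action["log"] is True:
                signature_action_counts["log"] += 1
            else:
                print("Unknown Action")
                print(action)
        print(signature_action_counts)

    signatures.save()

    ##
    ## Create event map
    ##
    if _debug:
        print("Creating event map")
    intrusion_prevention_event_map = intrusion_prevention.IntrusionPreventionEventMap(signatures)
    intrusion_prevention_event_map.save()

    if _debug:
        print("Modifying suricata configuration")
    suricata_conf = intrusion_prevention.SuricataConf(_debug=_debug)

    ##
    ## Override suricata configuration variables with settings variables.
    ## A value of "default" means the -v network for HOME_NET and "any" for
    ## EXTERNAL_NET.
    ##
    # NOTE(review): settings is indexed like a dict everywhere else in this
    # function, yet get_variables() is called on it here; confirm the object
    # returned by get_app_settings() provides that method (an earlier form
    # of this loop iterated settings["variables"]["list"]).
    for settings_variable in settings.get_variables():
        name = settings_variable["name"]
        value = settings_variable["value"]
        if name == "HOME_NET" and value == "default":
            value = default_home_net
        elif name == "EXTERNAL_NET" and value == "default":
            value = "any"
        suricata_conf.set_variable(name, value)

    if "suricataSettings" in settings:
        suricata_conf.set(settings["suricataSettings"])
    suricata_conf.save()

    ##
    ## Set nfq queue number for systemd. The value lands in a unit drop-in
    ## read by systemd as root, so insist on an integer instead of splicing
    ## arbitrary settings text into the file.
    ##
    try:
        nfq_number = int(settings["iptablesNfqNumber"])
    except (KeyError, TypeError, ValueError) as error:
        print("invalid iptablesNfqNumber in settings: %s" % (error,))
        sys.exit(2)
    with open("/etc/systemd/system/suricata.service.d/local.conf", "w") as text_file:
        text_file.write("[Service]\n")
        text_file.write("Environment=\"NFQUEUE={0}\"\n".format(nfq_number))

    # Make systemd pick up the drop-in; report a failure instead of
    # silently ignoring the exit status.
    if call(["systemctl", "daemon-reload"]) != 0:
        print("systemctl daemon-reload failed; the NFQUEUE setting may not be applied")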