Snort mailing list archives
Proposed changes to CentOS RPM
From: "Scott A. Wozny via Snort-devel" <snort-devel () lists snort org>
Date: Wed, 14 Oct 2020 00:20:39 +0000
In testing the 2.9.16 CentOS RPM package to use inline mode, I came across a couple of issues I wanted to bring to the devs' attention for consideration in the next RPM version.

First, there is no convenient way to tell the init.d/snortd script not to present interfaces on the command line. If you place an INTERFACE= line or comment out the default INTERFACE=eth0 line in sysconfig/snort, then this logic in init.d/snort:

    if [ "$INTERFACE"X = "X" ]; then
        INTERFACE="-i eth0"
    else
        INTERFACE="-i $INTERFACE"
    fi

forces a -i eth0 onto the command line, negating any use of config interface: in the snort.conf file, should one prefer to specify interfaces there. I propose that this logic be changed to:

    if [ "$INTERFACE"X = "X" ]; then
        INTERFACE=""
    else
        INTERFACE="-i $INTERFACE"
    fi

Since the default sysconfig/snort file in the RPM includes a default INTERFACE=eth0, making the change I propose will not change default behaviour for basic OOTB snort -v tests and will allow those who want to provide their interfaces in snort.conf the ability to do so. I've made this change on my CentOS 7 test system and it takes interface settings from either location. For neatness' sake, the sysconfig/snort file's INTERFACE section should also have commentary added indicating that INTERFACE= or just commenting out all INTERFACE lines is allowed but requires a config interface: parameter be added to snort.conf to replace it, or snort will fail to start.

Second, there is no convenient way to provide a -Q on the command line for inline mode. Without it, while snort is able to pass packets and match signatures (presumably from parsing the interfaces parameter and seeing the colons), it will not load normalizers or drop packets on sig firing. I originally thought that I could use config policy_mode: inline in snort.conf instead, but normalizers still wouldn't load (and without config policy_mode: inline AS WELL as -Q, Rules Objects and Preprocessor Objects won't load, so both are needed).

I propose adding to init.d/snortd (below the INTERFACE processing logic I mentioned above) the following:

    if [ "$INLINE_MODE"X = "1X" ]; then
        INLINE_MODE="-Q"
    else
        INLINE_MODE=""
    fi

AND on the “Run with a single interface (default)” daemon line, add $INLINE_MODE after $INTERFACE on that line. In addition, while there doesn't HAVE to be, there should be something like this added to sysconfig/snort (maybe below the INTERFACE section):

    # Launch snort in inline mode?
    # -Q
    # Note: for full inline functionality also add this to snort.conf:
    # config policy_mode: inline
    INLINE_MODE=0

If you have any questions or concerns with these changes, please let me know. If there's a version control system I can make the changes to myself for approval, please let me know, but I was only able to find the snort3 repo on github. So I figured I'd post here to get this to the right people. 🙂

Thanks,

Scott
_______________________________________________ Snort-devel mailing list Snort-devel () lists snort org https://lists.snort.org/mailman/listinfo/snort-devel Please visit http://blog.snort.org for the latest news about Snort!
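The option handling proposed in the mail above, as an added worked example that is not part of the original post or of the Snort RPM's own init script: it puts the original and the proposed INTERFACE logic side by side, adds the INLINE_MODE handling, composes the daemon arguments in the proposed order, and adds a preflight check for the two failure modes the mail warns about (an empty INTERFACE with no `config interface:` in snort.conf, and -Q without `config policy_mode: inline`). All function names, the sample snort.conf fragments and the use of temp files are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not the RPM's init.d/snortd): emulates the option handling
# the proposal describes so the behaviour can be checked without starting snort.

# Original RPM logic as quoted in the mail: an empty INTERFACE becomes "-i eth0".
interface_arg_original() {
    if [ "$1"X = "X" ]; then
        echo "-i eth0"
    else
        echo "-i $1"
    fi
}

# Proposed logic: an empty INTERFACE yields no -i at all, so a
# "config interface:" line in snort.conf takes effect instead.
interface_arg_proposed() {
    if [ "$1"X = "X" ]; then
        echo ""
    else
        echo "-i $1"
    fi
}

# Proposed INLINE_MODE handling: "1" adds -Q, anything else adds nothing.
inline_arg() {
    if [ "$1"X = "1X" ]; then
        echo "-Q"
    else
        echo ""
    fi
}

# Compose the daemon arguments in the proposed order ($INTERFACE, then
# $INLINE_MODE). Unquoted expansion drops empty pieces, so no stray spaces.
snort_cmdline_args() {
    set -- $(interface_arg_proposed "$1") $(inline_arg "$2")
    echo "$*"
}

# Preflight check for the caveats in the mail: an empty INTERFACE needs
# "config interface:" in snort.conf, and -Q needs "config policy_mode: inline"
# there as well. Returns 0 when consistent, 1 or 2 otherwise.
check_conf_consistency() {
    conf=$1; iface=$2; inline=$3
    if [ "$iface"X = "X" ] && \
       ! grep -Eq '^[[:space:]]*config[[:space:]]+interface:' "$conf"; then
        echo "INTERFACE is empty but $conf has no 'config interface:' line" >&2
        return 1
    fi
    if [ "$inline"X = "1X" ] && \
       ! grep -Eq '^[[:space:]]*config[[:space:]]+policy_mode:[[:space:]]*inline' "$conf"; then
        echo "INLINE_MODE=1 but $conf has no 'config policy_mode: inline' line" >&2
        return 2
    fi
    return 0
}

# Write constructed snort.conf lines (one per argument) to a temp file and
# print its path, so the check runs offline against sample content.
make_sample_conf() {
    f=$(mktemp)
    printf '%s\n' "$@" > "$f"
    echo "$f"
}

# Demonstration with constructed settings; no real snort daemon is invoked.
SAMPLE_CONF=$(make_sample_conf 'config interface: eth0:eth1' 'config policy_mode: inline')
check_conf_consistency "$SAMPLE_CONF" "" 1 && \
    echo "would run: snort -D $(snort_cmdline_args "" 1) -c $SAMPLE_CONF"
rm -f "$SAMPLE_CONF"
```

With INTERFACE empty and INLINE_MODE=1 the composed arguments are just `-Q`, and the preflight check fails fast if the matching snort.conf lines are missing, which is the case the mail says would otherwise surface only as snort failing to start or silently running without normalizers.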
Current thread:
- Proposed changes to CentOS RPM Scott A. Wozny via Snort-devel (Oct 19)
- Re: Proposed changes to CentOS RPM Scott A. Wozny via Snort-devel (Oct 19)