Community Profile: Philippe Eveleigh

City / Town: Ottawa
Country: Canada
Web Site: http://www.cognoquest.com
Member since: Sunday, 05 October 2003 10:49
2 days ago
Philippe Eveleigh replied to the topic Re: Snort auto-configuration problem? in the forums.
I agree the problem requires fixing at the source but decided to create a temporary fix for the problem. The following script: Re: Does the kernel support ipset? has a temporary solution for this problem. The plug-in: tie-ti1-snort-network-addresses included in the zip file will attempt to identify and fix this problem. Once the problem is fixed, it will also be a good solution to monitor the problem if it ever occurs again, as it also has email capabilities (another plug-in for the same script).

Here is the plug-in code if you wish to retrofit it in your own script:

Code:

# TIE: Update Snort network addresses plug-in function
#
# doSnortNetworkAddressesPlugin()
# Temporary fix for problem identified by Nick see:
# http://www.clearfoundation.com/component/option,com_kunena/Itemid,232/catid,8/func,view/id,60799/
#
SNORT_NETWORK_ADDRESSES_PLUGIN_VERSION=1.0 # Script version

IPCALC=/bin/ipcalc
DO_SNORT_NETWORK_ADDRESSES_PLUGIN_ENABLED="$TRUE"
doSnortNetworkAddressesPlugin() {
  doDebug "Enter function doSnortNetworkAddressesPlugin() ..."

  if [[ ! -x "$IPCALC" ]]; then 
    doWarning "doSnortNetworkAddressesPlugin() "$IPCALC" executable does not exist or is improperly configured. Cannot check the snort network addresses being protected"
    doDebug "Exit function doSnortNetworkAddressesPlugin() missing executable "$IPCALC". Can not check SNORT config: "$SNORT_CONF" ipvar HOME_NET variable"
    return "$FAILED"
  fi

  local serverNetworkAddresses=""
  local missingNetworkAddress="$FALSE"
  # Retrieve list of nics
  local nics="$(ifconfig | grep -E "encap:Ethernet|encap:Point-to-Point" | cut -d' ' -f1)"

  for i in ${nics[@]}; do
    local ip="$(ifconfig "$i" | sed -rn 's/.*r:([^ ]+) .*/\1/p')" # Retrieve ip from ifconfig
    local netmask="$(ifconfig "$i" | sed -rn 's/.*k:([^ ]+).*/\1/p')" # Retrieve netmask from ifconfig

    if doExist "$ip" && doExist "$netmask"; then
      if ! eval "$("$IPCALC" -np "$ip" "$netmask")"; then # Convert ip to network ip and netmask to prefix
        doError "doSnortNetworkAddressesPlugin() Was not able to execute command: "$IPCALC" -np "$ip" "$netmask""
        doDebug "Exit function doSnortNetworkAddressesPlugin() with exit code: "$FAILED""
        return "$FAILED"
      fi
      doDebug "doSnortNetworkAddressesPlugin() Found Interface: "$i", IP Address: "$ip", Netmask: "$netmask", Network: "$NETWORK", Prefix: "$PREFIX""

      if [[ "$PREFIX" -eq 32 ]]; then
        serverNetworkAddresses="$serverNetworkAddresses","$NETWORK" # Prefix probably would work but not necessary
      else
        serverNetworkAddresses="$serverNetworkAddresses","$NETWORK"\\/"$PREFIX"
      fi

      if [[ $(grep "^ *ipvar HOME_NET.*$NETWORK" "$SNORT_CONF" | wc -l) -eq 0 ]]; then
        missingNetworkAddress="$TRUE"
        doWarning "doSnortNetworkAddressesPlugin() Found "$SNORT_CONF" Network Addresses ipvar HOME_NET variable:"
        doWarning ""$(grep "^ *ipvar HOME_NET " "$SNORT_CONF")"" # There is a character retrieved from the grep making my logging function fail.
        doWarning "doSnortNetworkAddressesPlugin() Was not able to find one of the following current network addresses: "$serverNetworkAddresses","$NETWORK"/"$PREFIX" in file: "$SNORT_CONF""
      fi
    else
      doDebug "doSnortNetworkAddressesPlugin() Found Interface: "$i" with no IP Address."
    fi
  done

  # No changes
  if ! "$missingNetworkAddress"; then
    doDebug "Exit function doSnortNetworkAddressesPlugin() with exit code: "$SUCCESS""
    return "$SUCCESS"
  fi

  # Substitute current addresses for new ones
  local snortNetworkAddresses="$(grep "^ *ipvar HOME_NET " "$SNORT_CONF")"  
  local snortNetworkAddresses=${snortNetworkAddresses//\//\\\/}
  local snortNetworkAddresses=${snortNetworkAddresses//[/\\[}
  local snortNetworkAddresses=${snortNetworkAddresses//]/\\]}
  sed -i -r "s/$snortNetworkAddresses/ipvar HOME_NET \[${serverNetworkAddresses:1}\]/" "$SNORT_CONF"
  doWarning "doSnortNetworkAddressesPlugin() Replace "$SNORT_CONF" Network Addresses ipvar HOME_NET variable with: "${serverNetworkAddresses:1}""
  local stdErr
  # Assign separately: "local stdErr=$(...)" would return the status of "local", not of the restart
  stdErr="$(service snort restart 2>&1 > /dev/null)"
  if [[ "$?" -eq 0 ]]; then
    doNotice "doSnortNetworkAddressesPlugin() Snort Service Restarted..."
  else
    doError "Ouch ... failed to start Snort"
    if doExist "$stdErr"; then
      doDebug "doSnortNetworkAddressesPlugin() "$stdErr""
    fi
    doDebug "Exit function doSnortNetworkAddressesPlugin() with exit code: "$FAILED""
    return "$FAILED"
  fi

  doDebug "Exit function doSnortNetworkAddressesPlugin() with exit code: "$SUCCESS""
  return "$SUCCESS"
}

07:48 AM
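As an added example (not code from the forum post or from the tie script), the same check-and-fix done in plain sh: netmask to prefix and network address computed without ipcalc, HOME_NET matched on the full network/prefix, and the line replaced by anchoring on its prefix rather than escaping the old value. The snort.conf content is constructed.

```shell
#!/bin/sh
# Added example (not the forum post's code): check and repair the Snort
# "ipvar HOME_NET" line, doing the ip/netmask -> network/prefix step in sh.

mask_to_prefix() {  # prefix length of a dotted netmask (ipcalc -p)
  oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
  bits=0
  for o in "$@"; do
    while [ "$o" -gt 0 ]; do bits=$((bits + (o & 1))); o=$((o >> 1)); done
  done
  echo "$bits"
}

network_of() {  # network address of "ip netmask" (ipcalc -n)
  oldifs=$IFS; IFS=.; set -- $1 $2; IFS=$oldifs
  echo "$(($1 & $5)).$(($2 & $6)).$(($3 & $7)).$(($4 & $8))"
}

cidr_of() {  # same rule as the plug-in: a /32 is listed as a bare address
  net=$(network_of "$1" "$2"); p=$(mask_to_prefix "$2")
  if [ "$p" -eq 32 ]; then echo "$net"; else echo "$net/$p"; fi
}

# 0 if every network given after the conf path is already in HOME_NET.
# Matching network/prefix avoids 10.0.5.0 "matching" 10.0.5.0/25.
home_net_covers() {
  conf=$1; shift
  # plain assignment keeps grep's exit status; "local x=$(...)" would not
  line=$(grep -E '^[[:space:]]*ipvar HOME_NET ' "$conf") || return 1
  for net in "$@"; do
    case "$line" in *"$net"*) ;; *) return 1 ;; esac
  done
  return 0
}

# Replace the whole HOME_NET line; anchoring on the line prefix means the
# old value never has to be escaped for sed.
set_home_net() {
  conf=$1; shift
  list=$(printf '%s,' "$@"); list=${list%,}
  sed -i -E "s#^[[:space:]]*ipvar HOME_NET .*#ipvar HOME_NET [$list]#" "$conf"
}

demo() {  # constructed snort.conf: the LAN is listed, a second interface is not
  conf=$(mktemp)
  printf 'ipvar HOME_NET [192.168.1.0/24]\nipvar EXTERNAL_NET any\n' > "$conf"
  wanted="192.168.1.0/24 $(cidr_of 10.0.5.77 255.255.255.0)"
  home_net_covers "$conf" $wanted || set_home_net "$conf" $wanted
  grep '^ipvar HOME_NET' "$conf"; rm -f "$conf"
}
```

On a real box the interface list would come from ifconfig or "ip -o -4 addr" instead of the constructed values, and the restart step from the plug-in follows the rewrite.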
5 days ago
Philippe Eveleigh replied to the topic Re: Does the kernel support ipset? in the forums.
Nick, interesting information. Your modification has allowed me to find weaknesses in the script that I have created, and I have applied a few modifications.

You mentioned that you would be interested in the fix that allows the retrieval of files that were modified; wget is not very well suited to do this, so it had to be resolved by using time comparison. The solution sits in the vicinity of the $WGET code; it might be a little hard to follow because the script is built to fetch configuration, rules & blocks files in multiple conditions. I do time comparison to confirm the fetching of files.

If you wish, you or anyone else is welcome to use this script.

tie: Main bash script, suggested location: /usr/local/bin
tie.cron: Daily cron batch, suggested location: /etc/cron.daily
tie-ti1-source.conf: Configuration file, suggested location: /etc
tie-ti1-plugin.conf: plug-in include of the plug-in source files below, suggested location: /etc/tie.d
tie-ti1-firewall: Allows modifying the default firewall configuration (INPUT chain only) to also block FORWARD and OUTPUT chains, suggested location: /etc/tie.d
tie-ti1-mail: Enables mail message on error, requires configuration, suggested location: /etc/tie.d
tie-ti1-snort-list-available-rules: Provides list of available rules, suggested location: /etc/tie.d
tie-ti1-snort-network-addresses: Temporary fix for problem identified by Nick, suggested location: /etc/tie.d

Here is an overview of the script and its capabilities: This script adds additional rules to the current ClearOS SNORT configuration. This script will also configure IPSET and the firewall to block lists of IPs. All is done via configuration once the bash script is enabled.

instance capabilities parameter: The script was designed with the principle that it can be instantiated multiple times; this allows each instance of the script to run independently from the others. Default: ti1

source enabled parameter: Enable snort config, snort rules, ipset blocking and ipset firewall rules (INPUT chain only)

source config parameter: Script configuration filename for the IDS/IPS activities. Default name: /etc/tie-ti1-source.conf

plugin config parameter: filename for the code insertion of the plug-in code. Default name: /etc/tie.d/tie-ti1-plugin.conf

logger parameter: supported logger choices. Defaults to syslog

logger verbosity parameter: supported logger verbosity choices. Level notices is the default

Here is a configuration example: The main bash script ‘tie’ can be stored in folder: /usr/local/bin; the script must obviously be made executable. The configuration file tie-ti1-source.conf can be located in folder: /etc. Note: ti1 is the default instance name. tie.cron can be added to folder: /etc/cron.daily to run daily. If you wish to use the ipset blocks capabilities you must run the script at least once with the --source-enabled=b,f parameter to initiate the ipset blocks firewall capabilities.

I have included a few plug-ins for use; none of the plug-ins are required to run the main script. Suggested location, as noted above by default, is folder: /etc/tie.d
For use, you will be required to enable each one by editing the plug-in and changing its constant to … PLUGIN_ENABLED="$TRUE"

Files, folders and entries of interest created or modified by script are:
/etc/logrotate.d/tie-ti1
/etc/snort.d/reference.config
/etc/snort.d/rules/tie.d/ti1
/etc/snort.conf
/etc/clearos/firewall.d/90-tie-ti1
/var/log/tie.d/ti1
/var/tmp/tie.d/ti1/blocks/…
/var/tmp/tie.d/ti1/rules/…
/var/tmp/tie.d/ti1/available-snort-rules.txt
/var/tmp/tie.d/ti1/saved-ipset
/var/tmp/tie.d/ti1/saved-iptables
ipset and iptables entries

One last thing: if you decide to override the instantiation name, all above references to ti1 will be replaced by your new instance name in the script. I suggest you keep the instance name as short as possible due to IPSET set name length limitations. The script will warn you of this in its log.

As all can see the building of this script was influenced by Nick & Tim. Thank you to both of you.
File Attachment:
File Name: tie.zip
File Size: 19116
08:52 AM
6 days ago
Philippe Eveleigh replied to the topic Re:Attachments for the forum in the forums.
I must be becoming blind. I totally missed that one. Thanks Nic

B.T.W. The above request is for the IPSET script that I was talking about previously; it is almost ready.
11:30 AM
Philippe Eveleigh created a new topic Attachments for the forum in the forums.
I have a script that I wish to share but it is approximately 1600 lines, having no attachment capabilities on this site any suggestions?

Code:

Will code insert work with that amount of lines? 

10:00 AM
1 week ago
Philippe Eveleigh replied to the topic Re:DMZ question in the forums.
The main question is :
Can I use external IP in the DMZ zone? if yes...how can i configure the DMZ interface?

Yes ... but it must be a range. You configure the DMZ the same way you do for the LAN or Hot LAN, and you use your public IP range instead of the private IP range.
Apr 17
Philippe Eveleigh replied to the topic Re:DMZ problem in the forums.
This might be a similar problem to: DMZ question

Internet provider give two subnet with public ip routed by 81.183.114.40
81.189.157.40/28
81.189.115.224/28


If I throw the above subnet in the calculator. The range is not very clear to me ?

eth0 (WAN) have 81.183.114.40
eth1 (LAN) 192.168.1.1
eth2 (DMZ) 81.189.157.41
eth2:0 (DMZ) 81.189.115.225


Your configuration is leaving me a little perplexed. Your problem does have a different twist; it seems to me like you also want to use VLANs?
Apr 17
2 weeks ago
Philippe Eveleigh replied to the topic Re:Vlan Interface or Virtual Interface, what do I need? in the forums.
augustynr, assuming I understand your configuration, running two subnets on the same VLAN ID is a little odd. Having said that, if you have no wish for security between both networks and run only one DHCP server, you should be fine.

F.Y.I
I believe the more flexible configuration for running multiple VLANs is to configure a trunk between the server Ethernet port and the switch; this is only applicable if your switch supports at least layer 2.

The trunk configuration on the switch should be statically configured. You associate your trunk to as many VLANs as you want and choose the VLAN for your PC ports.

I run an ESXi server in a very similar way; the only difference is I have a trunk running between my ESXi virtual switch and my physical switch, but I would think connecting a ClearOS server to the switch should work the same way.
Apr 04
