

snort3: init, remove default rule
The default rule is not required: snort can start without rules.
Also, the default rule was marking all traffic as pass.
gsanchietti committed Nov 4, 2024
1 parent bd27125 commit b9636fe
Showing 3 changed files with 11 additions and 7 deletions.
5 changes: 3 additions & 2 deletions packages/snort3/README.md
Expand Up @@ -20,6 +20,7 @@ uci set snort.snort.mode=ips
uci set snort.snort.manual=0
uci set snort.snort.method=nfq
uci set snort.snort.config_dir=/var/ns-snort
uci set snort.snort.log_dir=/var/log/snort
uci set snort.nfq.queue_count=$(grep -c ^processor /proc/cpuinfo)
uci set snort.nfq.thread_count=$(grep -c ^processor /proc/cpuinfo)
uci set snort.nfq.chain_type=forward
Expand Down Expand Up @@ -116,7 +117,7 @@ At the end of the download, always restart the snort service:
/etc/init.d/snort restart
```

Use only the test rules:
Use only the testing rules, just alert for all ICMP traffic:
```bash
ns-snort-rules --test
ns-snort-rules --testing
```
12 changes: 8 additions & 4 deletions packages/snort3/files/ns-snort-rules
Expand Up @@ -18,6 +18,7 @@ from nethsec import snort
DATA_DIR = "/var/ns-snort"
RULES_DIR = os.path.join(DATA_DIR, "rules")
BACKUP_DIR = os.path.join(DATA_DIR, "old.rules")
TESTING_RULES_FILE = os.path.join(RULES_DIR, "testing.rules")
OFFICIAL_RULES_DIR = os.path.join(DATA_DIR, "snort-rules")
ET_RULES_DIR = os.path.join(DATA_DIR, "et-rules")

Expand All @@ -39,10 +40,9 @@ def backup_rules():

def generate_testing_rules():
log("Generating testing rules...")
testing_rules_dir = os.path.join(DATA_DIR, "testing-rules")
shutil.rmtree(testing_rules_dir, ignore_errors=True)
os.makedirs(testing_rules_dir, exist_ok=True)
rules_file = os.path.join(testing_rules_dir, "testing.rules")
shutil.rmtree(RULES_DIR, ignore_errors=True)
os.makedirs(RULES_DIR, exist_ok=True)
rules_file = TESTING_RULES_FILE
testing_rules = [
'alert icmp any any <> any any (msg:"TEST ALERT ICMP v4"; icode:0; itype:8; sid:99010;)',
'alert icmp any any <> any any (msg:"TEST ALERT ICMP v6"; icode:0; itype:33; sid:99011;)',
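Review bot: `shutil.rmtree(RULES_DIR, ignore_errors=True)` silently discards any failure to clear the rules directory, so a partial removal (permissions, a busy file) leaves whatever was previously installed there next to testing.rules and snort would load both, even though the log line and the README promise "only the testing rules". This matters more than before because the hunk drops the separate testing-rules directory and writes the test set into RULES_DIR itself, which presumably also holds the normally generated rules (the BACKUP_DIR name suggests so; worth confirming against the rest of the script). I would let a failed wipe surface instead of proceeding: `if os.path.isdir(RULES_DIR):` / `    shutil.rmtree(RULES_DIR)` so an OSError aborts the run rather than producing a mixed rule set. The body of generate_testing_rules continues past the end of this hunk.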
Expand Down Expand Up @@ -250,6 +250,10 @@ def main():
if args.testing:
generate_testing_rules()
sys.exit(0)
else:
# cleanup testing rules
if os.path.exists(TESTING_RULES_FILE):
os.remove(TESTING_RULES_FILE)

prepare_rule_file() # /etc/snort/rules/snort.rules

1 change: 0 additions & 1 deletion packages/snort3/files/snort.init
Expand Up @@ -31,7 +31,6 @@ start_service() {
if [ "$(uci -q get snort.snort.config_dir)" == "/var/ns-snort" ]; then
cdir="$(uci -q get snort.snort.config_dir)"
mkdir -p "${cdir}/rules"
echo 'pass ip any any -> any any (sid:9999999; rev:1;)' > "${cdir}/rules/default.rules"
find /etc/snort -type f ! -name snort.rules -exec cp '{}' "${cdir}" \;
fi

