Snort mailing list archives

Proposed changes to CentOS RPM


From: "Scott A. Wozny via Snort-devel" <snort-devel () lists snort org>
Date: Wed, 14 Oct 2020 00:20:39 +0000

In testing the 2.9.16 CentOS RPM package to use inline mode, I came across a couple issues I wanted to bring to the 
dev’s attention for consideration in the next RPM version.


First, there is no convenient way to tell the init.d/snortd script not to present interfaces on the command line. If 
you place an INTERFACE= line or comment out the default INTERFACE=eth0 line in sysconfig/snort then this logic in 
init.d/snort:


if [ "$INTERFACE"X = "X" ]; then
    INTERFACE="-i eth0"
else
    INTERFACE="-i $INTERFACE"
fi


forces a -i eth0 onto the command line, negating any use of config interface: in the snort.conf file, should one prefer 
to specify interfaces there. I propose that this logic be changed to:


if [ "$INTERFACE"X = "X" ]; then
    INTERFACE=""
else
    INTERFACE="-i $INTERFACE"
fi


Since the default sysconfig/snort file in the RPM includes a default INTERFACE=eth0 making the change I propose will 
not change default behaviour for basic OOTB snort -v tests and will allow those who want to provide their interfaces in 
snort.conf the ability to do so. I’ve made this change on my CentOS 7 test system and it takes interface settings from 
either location.


For neatness' sake, sysconfig/snort file’s INTERFACE section should also have commentary added indicating that 
INTERFACE= or just commenting out all INTERFACE lines is allowed but requires a config interface: parameter be added to 
snort.conf to replace it or snort will fail to start.


Second, there is no convenient way to provide a -Q on the command line for inline mode. Without it, while snort is able 
to pass packets and match signatures (presumably from parsing the interfaces parameter and seeing the colons), it will 
not load normalizers or drop packets on sig firing. I originally thought that I could use config policy_mode: inline in 
snort.conf instead, but normalizers still wouldn’t load (and without the config policy_mode: inline AS WELL as -Q Rules 
Objects and Preprocessor Objects won’t load, so both are needed).


I propose adding to init.d/snortd (below the INTERFACE processing logic I mentioned above) the following:


if [ "$INLINE_MODE"X = "1X" ]; then
    INLINE_MODE="-Q"
else
    INLINE_MODE=""
fi


AND on the “Run with a single interface (default)” daemon line add $INLINE_MODE after $INTERFACE on that line.


In addition, while there doesn’t HAVE to be, there should be something like this added to sysconfig/snort (maybe below 
the INTERFACE section):


# Launch snort in inline mode?
# -Q
# Note: for full inline functionality also add this to snort.conf:
#      config policy_mode: inline
INLINE_MODE=0


If you have any questions or concerns with these changes, please let me know.  If there's a version control system I 
can make the changes to myself for approval, please let me know but I was only able to find the snort3 repo on github.  
So I figured I'd post here to get this to the right people.  🙂


Thanks,


Scott
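The two init-script changes proposed in the post above, combined into one small POSIX sh function so they can be checked outside the RPM. This is an added example, not code from the post, the Snort project or the CentOS package: the function name build_snort_args and the sample INTERFACE/INLINE_MODE values are constructed here; the -i and -Q options are Snort's. It returns the argument fragment that the proposal would append to the "single interface" daemon line, so the three cases of interest (default eth0, empty INTERFACE deferring to config interface: in snort.conf, and INLINE_MODE=1 adding -Q) can be seen side by side.

```shell
#!/bin/sh
# Added example (not from the original post or the Snort RPM scripts).
# build_snort_args applies both proposed init.d/snortd changes to the
# values that sysconfig/snort would export and prints the resulting
# argument fragment for the daemon line ("$INTERFACE $INLINE_MODE").

build_snort_args() {
    # $1: INTERFACE value from sysconfig/snort (may be empty or unset)
    # $2: INLINE_MODE value from sysconfig/snort (1 = inline, else off)
    _iface="$1"
    _inline="$2"

    # Proposed change 1: an empty INTERFACE no longer turns into "-i eth0",
    # so "config interface:" in snort.conf is left to decide the interface.
    if [ "$_iface"X = "X" ]; then
        _iface_arg=""
    else
        _iface_arg="-i $_iface"
    fi

    # Proposed change 2: INLINE_MODE=1 adds -Q, which (together with
    # "config policy_mode: inline" in snort.conf) enables inline behaviour.
    if [ "$_inline"X = "1X" ]; then
        _inline_arg="-Q"
    else
        _inline_arg=""
    fi

    # Join the two fragments with a single space and no stray blanks,
    # so an empty INTERFACE does not leave a leading space on the line.
    _args="$_iface_arg"
    if [ -n "$_inline_arg" ]; then
        _args="${_args:+$_args }$_inline_arg"
    fi
    printf '%s' "$_args"
}

# Stand-alone demonstration with constructed sysconfig values
# (eth0, an empty INTERFACE, and a colon-joined pair for inline mode).
echo "INTERFACE=eth0      INLINE_MODE=0 -> [$(build_snort_args eth0 0)]"
echo "INTERFACE=          INLINE_MODE=0 -> [$(build_snort_args '' 0)]"
echo "INTERFACE=eth1:eth2 INLINE_MODE=1 -> [$(build_snort_args eth1:eth2 1)]"
```

With INTERFACE=eth0 and INLINE_MODE=0 the function yields exactly what the unmodified script produces today, which is the point of the post: the default sysconfig/snort shipped in the RPM keeps the out-of-the-box behaviour, while clearing INTERFACE or setting INLINE_MODE=1 now has an effect.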

_______________________________________________
Snort-devel mailing list
Snort-devel () lists snort org
https://lists.snort.org/mailman/listinfo/snort-devel

Please visit http://blog.snort.org for the latest news about Snort!
