From 738d2e2acb1ee8131acfe51192c41cf30959fe80 Mon Sep 17 00:00:00 2001
From: Sergey Popov
Date: Fri, 1 Jun 2012 20:11:00 +0400
Subject: [PATCH 1/3] initial commit for snortsam and snortsam-redirect patch
---
net-analyzer/snortsam/Manifest | 4 ++
.../files/snortsam-2.70-redirect.patch | 37 ++++++++++++
.../snortsam/snortsam-2.70-r9999.ebuild | 58 +++++++++++++++++++
3 files changed, 99 insertions(+)
create mode 100644 net-analyzer/snortsam/Manifest
create mode 100644 net-analyzer/snortsam/files/snortsam-2.70-redirect.patch
create mode 100644 net-analyzer/snortsam/snortsam-2.70-r9999.ebuild
diff --git a/net-analyzer/snortsam/Manifest b/net-analyzer/snortsam/Manifest
new file mode 100644
index 0000000..459bb0c
--- /dev/null
+++ b/net-analyzer/snortsam/Manifest
@@ -0,0 +1,4 @@
+AUX snortsam-2.70-redirect.patch 2294 RMD160 6d3c5bc4d4ceb537c1fb5f5dfe806f3657b48d7b SHA1 60d281983784506051ad1f1cfe5b659d0b6e6dd1 SHA256 d0c443d26161947b369be0ab8fe2363f3fd5d7a23b0afa287dd2fe576c9e7d41
+DIST snortsam-2.50-ciscoacl.diff.bz2 7295 RMD160 91d36fecc3fcf14de5ed964928d69ef3cc167bae SHA1 c887162193df59bff2f3fb2fe0ae0aec253314ce SHA256 a4f39789e9f10b95e6db1bbce5f9d26f7393161311f5c955a4b8380186a2cb6b
+DIST snortsam-src-2.70.tar.gz 1971624 RMD160 336b0c701754d0688e2ebc967cfdbb3f9bc2fe32 SHA1 9cc7f9aad927217fbda75de038d0489b8e5f3a9e SHA256 442040a7281a641008f6410b7f6528d709f17d5041fd3752011075f8a38d19bc
+EBUILD snortsam-2.70-r9999.ebuild 1598 RMD160 9b1d28cb4ee1865c2f6f166903824f6fff91e08b SHA1 57f138c4d7868f7bea169e1f0317f657a784325a SHA256 bfafe9ab2046e19abcfcf8d8a676e5dd264e9f0f6fad277ec4ba5bfd47238759
diff --git a/net-analyzer/snortsam/files/snortsam-2.70-redirect.patch b/net-analyzer/snortsam/files/snortsam-2.70-redirect.patch
new file mode 100644
index 0000000..e2cf022
--- /dev/null
+++ b/net-analyzer/snortsam/files/snortsam-2.70-redirect.patch
@@ -0,0 +1,37 @@ +diff -ur snortsam-2.7.0-orig/src/snortsam.c snortsam/src/snortsam.c +--- snortsam-2.7.0-orig/src/snortsam.c 2012-05-20 20:59:46.277029000 +0400 ++++ snortsam/src/snortsam.c 2012-05-25 16:16:59.411043000 +0400 +@@ -2467,6 +2467,7 @@ + printf("Debug: Received Packet: %s\n",packet.status==FWSAM_STATUS_CHECKIN?"CHECKIN": + packet.status==FWSAM_STATUS_CHECKOUT?"CHECKOUT": + packet.status==FWSAM_STATUS_BLOCK?"BLOCK": ++ packet.status==FWSAM_STATUS_REDIRECT?"REDIRECT": + packet.status==FWSAM_STATUS_UNBLOCK?"UNBLOCK":"**UNKNOWN**"); + printf("Debug: Snort SeqNo: %x\n",packet.snortseqno[0]|(packet.snortseqno[1]<<8)); + printf("Debug: Mgmt SeqNo : %x\n",packet.fwseqno[0]|(packet.fwseqno[1]<<8)); +@@ -2512,11 +2513,12 @@ + snortbox->toberemoved=TRUE; /* Mark sensor for removal from list. */ + ret=FALSE; + } +- else if(packet.status==FWSAM_STATUS_BLOCK || packet.status==FWSAM_STATUS_UNBLOCK) /* if we received a blocking request */ ++ else if(packet.status==FWSAM_STATUS_BLOCK || packet.status==FWSAM_STATUS_REDIRECT || packet.status==FWSAM_STATUS_UNBLOCK) /* if we received a blocking or redirecting request */ + { if((( (packet.fwseqno[0]|(packet.fwseqno[1]<<8)) ==snortbox->myseqno) && ( (packet.snortseqno[0]|(packet.snortseqno[1]<<8)) ==((snortbox->snortseqno+snortbox->myseqno)&0xffff) )) || disableseqnocheck) + { packstat=packet.status; + #ifdef FWSAMDEBUG +- printf("Debug: %s request received...\n",packet.status==FWSAM_STATUS_BLOCK?"Blocking":"Unblocking"); ++ printf("Debug: %s request received...\n",packet.status==FWSAM_STATUS_BLOCK?"Blocking": ++ packet.status==FWSAM_STATUS_REDIRECT?"Redirecting":"Unblocking"); + #endif + bmode=packet.fwmode; /* save parameters from packet */ + if(packet.endiancheck==1) /* Check if peer has the same endianess */ +diff -ur snortsam-2.7.0-orig/src/snortsam.h snortsam/src/snortsam.h +--- snortsam-2.7.0-orig/src/snortsam.h 2012-05-20 20:59:46.278524000 +0400 ++++ snortsam/src/snortsam.h 2012-05-20 21:01:02.273330000 +0400 +@@ 
-242,6 +242,7 @@ + #define FWSAM_STATUS_CHECKOUT 2 + #define FWSAM_STATUS_BLOCK 3 + #define FWSAM_STATUS_UNBLOCK 9 ++#define FWSAM_STATUS_REDIRECT 10 + + #define FWSAM_STATUS_OK 4 /* fw to snort */ + #define FWSAM_STATUS_ERROR 5 diff --git a/net-analyzer/snortsam/snortsam-2.70-r9999.ebuild b/net-analyzer/snortsam/snortsam-2.70-r9999.ebuild new file mode 100644 index 0000000..45f6e3d --- /dev/null +++ b/net-analyzer/snortsam/snortsam-2.70-r9999.ebuild 
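Review bot: In this revision a REDIRECT packet clears the new acceptance test in the `-2512` hunk, but the dispatch further down in snortsam.c (outside this hunk; the later patches in the series show it as `if(packstat==FWSAM_STATUS_BLOCK)` with an else branch) still recognises only BLOCK, so a redirect is handed to the other branch, which from its position looks like the unblock path, until a later commit extends it. That intermediate state should not be committed on its own; fold the dispatch change into this commit. The new `#define FWSAM_STATUS_REDIRECT 10` also needs a comment saying which side sends it and that the Snort-side output plugin must use the same value, e.g. `#define FWSAM_STATUS_REDIRECT 10 /* snort to fw: mark traffic for redirect; sensor plugin must agree on this value */`.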
@@ -0,0 +1,58 @@
+# Copyright 1999-2011 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/net-analyzer/snortsam/snortsam-2.70.ebuild,v 1.3 2011/11/18 05:09:16 jer Exp $
+
+EAPI="4"
+
+inherit eutils toolchain-funcs
+
+MY_P="${PN}-src-${PV}"
+DESCRIPTION="Snort plugin that allows automated blocking of IP addresses on several firewalls"
+HOMEPAGE="http://www.snortsam.net/"
+SRC_URI="http://www.snortsam.net/files/snortsam/${MY_P}.tar.gz
+ mirror://gentoo/${PN}-2.50-ciscoacl.diff.bz2"
+
+LICENSE="as-is"
+SLOT="0"
+KEYWORDS="~alpha ~amd64 ~ppc ~ppc64 ~sparc ~x86"
+IUSE="debug"
+
+S=${WORKDIR}/${PN}
+
+src_prepare() {
+ sed -i makesnortsam.sh \
+ -e "s:sbin/functions.sh:etc/init.d/functions.sh:" \
+ -e "s:-O2 : ${CFLAGS} :" \
+ -e "s:gcc :$(tc-getCC) :" \
+ -e "/^LDFLAGS=/d" \
+ -e "s:\( -o ../snortsam\): ${LDFLAGS}\1:" \
+ -e "s:\${SSP_LINUX_SRC} -o \${SNORTSAM}:& \${LINUX_LDFLAGS}:" \
+ || die "sed failed"
+
+ find "${S}" -depth -type d -name CVS -exec rm -rf \{\} \;
+}
+
+src_compile() {
+ # Pinkbyte: patch for traffic redirection support
+ epatch "${FILESDIR}/${P}-redirect.patch"
+ #
+ sh makesnortsam.sh || die "makesnortsam.sh failed"
+}
+
+src_install() {
+ if use debug; then
+ newbin snortsam-debug snortsam
+ else
+ dobin snortsam
+ fi
+ find "${S}" -depth -type f -name "*.asc" -exec rm -f {} \;
+ dodoc -r docs/ conf/
+}
+
+pkg_postinst() {
+ elog
+ elog "To use snortsam with snort, you'll have to compile snort with USE=snortsam."
+ elog "Read the INSTALL file to configure snort for snortsam, and configure"
+ elog "snortsam for your particular firewall."
+ elog
+}
From b3fbdc0e606de2b3644459e3dc438d29178198b8 Mon Sep 17 00:00:00 2001
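Review bot: `epatch "${FILESDIR}/${P}-redirect.patch"` is called from `src_compile`, after the `sed` edits in `src_prepare`; source modification belongs in `src_prepare`, so move the `epatch` line there, directly after the `sed`, and leave `src_compile` with only the `makesnortsam.sh` call. `SRC_URI` still fetches `${PN}-2.50-ciscoacl.diff.bz2` and the Manifest carries it, but nothing in this ebuild applies it, so either `epatch` it as well or drop it from both `SRC_URI` and the Manifest.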
From: Sergey Popov
Date: Fri, 15 Jun 2012 20:01:29 +0400
Subject: [PATCH 2/3] snortsam: continue implementing redirect patch, adding condition to IPTBlock based on status of incoming packet, recorded in BLOCKINFO structure
---
net-analyzer/snortsam/Manifest | 2 +-
.../files/snortsam-2.70-redirect.patch | 471 +++++++++++++++++-
2 files changed, 468 insertions(+), 5 deletions(-)
diff --git a/net-analyzer/snortsam/Manifest b/net-analyzer/snortsam/Manifest
index 459bb0c..7ca9614 100644
--- a/net-analyzer/snortsam/Manifest
+++ b/net-analyzer/snortsam/Manifest
@@ -1,4 +1,4 @@
-AUX snortsam-2.70-redirect.patch 2294 RMD160 6d3c5bc4d4ceb537c1fb5f5dfe806f3657b48d7b SHA1 60d281983784506051ad1f1cfe5b659d0b6e6dd1 SHA256 d0c443d26161947b369be0ab8fe2363f3fd5d7a23b0afa287dd2fe576c9e7d41
+AUX snortsam-2.70-redirect.patch 21776 RMD160 624bbde2c6802416d2faf3c9d6b89caf1d8b8935 SHA1 09a0ea5b9602162845ea08bff2726b282ea465f2 SHA256 492e7b054c432d99d95c4c89d08a843d0d269e48004440959e3a5a81d4b37759
 DIST snortsam-2.50-ciscoacl.diff.bz2 7295 RMD160 91d36fecc3fcf14de5ed964928d69ef3cc167bae SHA1 c887162193df59bff2f3fb2fe0ae0aec253314ce SHA256 a4f39789e9f10b95e6db1bbce5f9d26f7393161311f5c955a4b8380186a2cb6b
 DIST snortsam-src-2.70.tar.gz 1971624 RMD160 336b0c701754d0688e2ebc967cfdbb3f9bc2fe32 SHA1 9cc7f9aad927217fbda75de038d0489b8e5f3a9e SHA256 442040a7281a641008f6410b7f6528d709f17d5041fd3752011075f8a38d19bc
 EBUILD snortsam-2.70-r9999.ebuild 1598 RMD160 9b1d28cb4ee1865c2f6f166903824f6fff91e08b SHA1 57f138c4d7868f7bea169e1f0317f657a784325a SHA256 bfafe9ab2046e19abcfcf8d8a676e5dd264e9f0f6fad277ec4ba5bfd47238759
diff --git a/net-analyzer/snortsam/files/snortsam-2.70-redirect.patch b/net-analyzer/snortsam/files/snortsam-2.70-redirect.patch
index e2cf022..dff8147 100644
--- a/net-analyzer/snortsam/files/snortsam-2.70-redirect.patch
+++ b/net-analyzer/snortsam/files/snortsam-2.70-redirect.patch
@@ -1,7 +1,25 @@ diff -ur snortsam-2.7.0-orig/src/snortsam.c snortsam/src/snortsam.c --- snortsam-2.7.0-orig/src/snortsam.c 2012-05-20 20:59:46.277029000 +0400 -+++ snortsam/src/snortsam.c 2012-05-25 16:16:59.411043000 +0400 -@@ -2467,6 +2467,7 @@ ++++ snortsam/src/snortsam.c 2012-06-15 18:23:29.653032000 +0400 +@@ -1971,7 +1971,7 @@ + void block(SENSORLIST *snortbox,unsigned long bsip,unsigned short bsport, + unsigned long bdip,unsigned short bdport, + unsigned short bproto,time_t bduration,unsigned char bmode, +- time_t btime,unsigned long bsig_id) ++ time_t btime,unsigned long bsig_id,char packstat) + { unsigned long peerip,blockip; + unsigned short blockport; + time_t t; +@@ -2022,6 +2022,8 @@ + blockdata.blocktime=btime; + blockdata.sig_id=bsig_id; + blockdata.block=TRUE; ++ // Add type of block(simple block or redirect) ++ blockdata.type=packstat; + + /* check for and get a blocktime limit out of the limit list based on the sensor*/ + blockdata.duration=limit_duration_on_sensor(snortbox->snortip.s_addr,bduration); +@@ -2467,6 +2469,7 @@ printf("Debug: Received Packet: %s\n",packet.status==FWSAM_STATUS_CHECKIN?"CHECKIN": packet.status==FWSAM_STATUS_CHECKOUT?"CHECKOUT": packet.status==FWSAM_STATUS_BLOCK?"BLOCK": @@ -9,7 +27,7 @@ diff -ur snortsam-2.7.0-orig/src/snortsam.c snortsam/src/snortsam.c packet.status==FWSAM_STATUS_UNBLOCK?"UNBLOCK":"**UNKNOWN**"); printf("Debug: Snort SeqNo: %x\n",packet.snortseqno[0]|(packet.snortseqno[1]<<8)); printf("Debug: Mgmt SeqNo : %x\n",packet.fwseqno[0]|(packet.fwseqno[1]<<8)); -@@ -2512,11 +2513,12 @@ +@@ -2512,11 +2515,12 @@ snortbox->toberemoved=TRUE; /* Mark sensor for removal from list. */ ret=FALSE; } 
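Review bot: `blockdata.type=packstat` is the only place the new field is set, and it runs only on the block() path; a BLOCKINFO built anywhere else — a state-file reload, the `_oldblockinfo` conversion, or an explicit UNBLOCK that constructs its own record (I cannot see those sites from this hunk) — never passes this line, so its `type` holds whatever the memory had, and the iptables plugin later compares that value with `FWSAM_STATUS_BLOCK` to choose between deleting a `DROP` rule and deleting a `MARK` rule. Initialise `type` wherever a BLOCKINFO is created (or `memset(&blockdata,0,sizeof(blockdata));` before filling it) and normalise the argument here, `if(packstat!=FWSAM_STATUS_REDIRECT) packstat=FWSAM_STATUS_BLOCK;`, so only the two valid codes are ever stored. If BLOCKINFO is also the record written to the state file, as the `_oldblockinfo` twin suggests, appending a field changes its on-disk size and deserves a format-version bump. The rest of block() is outside the hunk.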
@@ -24,9 +42,21 @@ diff -ur snortsam-2.7.0-orig/src/snortsam.c snortsam/src/snortsam.c #endif bmode=packet.fwmode; /* save parameters from packet */ if(packet.endiancheck==1) /* Check if peer has the same endianess */ +@@ -2604,9 +2608,9 @@ + } + else + { +- if(packstat==FWSAM_STATUS_BLOCK) ++ if(packstat==FWSAM_STATUS_BLOCK || packstat==FWSAM_STATUS_REDIRECT) + { /* call block, which performs checks */ +- block(snortbox,bsip,bsport,bdip,bdport,bproto,bduration,bmode,mytime,bsig_id); ++ block(snortbox,bsip,bsport,bdip,bdport,bproto,bduration,bmode,mytime,bsig_id,packstat); + } + else + { diff -ur snortsam-2.7.0-orig/src/snortsam.h snortsam/src/snortsam.h --- snortsam-2.7.0-orig/src/snortsam.h 2012-05-20 20:59:46.278524000 +0400 -+++ snortsam/src/snortsam.h 2012-05-20 21:01:02.273330000 +0400 ++++ snortsam/src/snortsam.h 2012-06-15 18:30:41.524502000 +0400 @@ -242,6 +242,7 @@ #define FWSAM_STATUS_CHECKOUT 2 #define FWSAM_STATUS_BLOCK 3 
@@ -35,3 +65,436 @@ diff -ur snortsam-2.7.0-orig/src/snortsam.h snortsam/src/snortsam.h #define FWSAM_STATUS_OK 4 /* fw to snort */ #define FWSAM_STATUS_ERROR 5 +@@ -291,6 +292,7 @@ + unsigned short proto; /* Protocol (if connection) */ + unsigned short mode; /* Blocking mode (src, dst, connection) */ + short block; /* block or unblock flag --- this flag is dynamically changed */ ++ char type; /* Type of block - simple block or redirect. Taken from incoming packet status */ + } BLOCKINFO; + + typedef struct _oldblockinfo /* Block info structure */ +@@ -495,7 +497,7 @@ + void block(SENSORLIST *snortbox,unsigned long bsip,unsigned short bsport, + unsigned long bdip,unsigned short bdport, + unsigned short bproto,time_t bduration,unsigned char bmode, +- time_t btime,unsigned long bsig_id); ++ time_t btime,unsigned long bsig_id,char packstat); + void unblock(BLOCKINFO *bhp,char *comment,unsigned long reqip,int force); + void addtohistory(BLOCKHISTORY *,int); + void clearhistory(void); +diff -ur snortsam-2.7.0-orig/src/ssp_iptables.c snortsam/src/ssp_iptables.c +--- snortsam-2.7.0-orig/src/ssp_iptables.c 2012-05-20 20:59:46.275601000 +0400 ++++ snortsam/src/ssp_iptables.c 2012-06-15 19:58:38.620383000 +0400 +@@ -123,204 +123,214 @@ + printf("Debug: [iptables][%lx] Plugin Blocking...\n",threadid); + #endif + +- if(bd->block) +- { snprintf(msg,sizeof(msg)-1,"Info: Blocking ip %s", inettoa(bd->blockip)); +- logmessage(3,msg,"iptables",0); +- +- switch(bd->mode&FWSAM_HOW) +- { case FWSAM_HOW_IN: +- /* Assemble command */ +- if (snprintf(iptcmd,sizeof(iptcmd)-1, +- "/sbin/iptables -I FORWARD -i %s -s %s -j DROP", +- iptp->iface, inettoa(bd->blockip)) >= sizeof(iptcmd)) { +- snprintf(msg,sizeof(msg)-1,"Error: Command %s is too long", iptcmd); +- logmessage(1,msg,"iptables",0); +- return; +- } +- if (snprintf(iptcmd2,sizeof(iptcmd2)-1, +- "/sbin/iptables -I INPUT -i %s -s %s -j DROP", +- iptp->iface, inettoa(bd->blockip)) >= sizeof(iptcmd2)) { +- 
snprintf(msg,sizeof(msg)-1,"Error: Command2 %s is too long", iptcmd2); +- logmessage(1,msg,"iptables",0); +- return; +- } +- break; +- case FWSAM_HOW_OUT: +- /* Assemble command */ +- if (snprintf(iptcmd,sizeof(iptcmd)-1, +- "/sbin/iptables -I FORWARD -i %s -d %s -j DROP", +- iptp->iface, inettoa(bd->blockip)) >= sizeof(iptcmd)) { +- snprintf(msg,sizeof(msg)-1,"Error: Command %s is too long", iptcmd); +- logmessage(1,msg,"iptables",0); +- return; +- } +- if (snprintf(iptcmd2,sizeof(iptcmd2)-1, +- "/sbin/iptables -I INPUT -i %s -d %s -j DROP", +- iptp->iface, inettoa(bd->blockip)) >= sizeof(iptcmd2)) { +- snprintf(msg,sizeof(msg)-1,"Error: Command2 %s is too long", iptcmd2); +- logmessage(1,msg,"iptables",0); +- return; +- } +- break; +- case FWSAM_HOW_INOUT: +- /* Assemble command - block src*/ +- if ((snprintf(iptcmd,sizeof(iptcmd)-1, +- "/sbin/iptables -I FORWARD -i %s -s %s -j DROP", +- iptp->iface, inettoa(bd->blockip)) >= sizeof(iptcmd)) || (snprintf(iptcmd1,sizeof(iptcmd1)-1, +- "/sbin/iptables -I FORWARD -i %s -d %s -j DROP", +- iptp->iface, inettoa(bd->blockip)) >= sizeof(iptcmd1))) { +- snprintf(msg,sizeof(msg)-1,"Error: Command %s is too long", iptcmd); +- logmessage(1,msg,"iptables",0); +- return; +- } +- if ((snprintf(iptcmd2,sizeof(iptcmd2)-1, +- "/sbin/iptables -I INPUT -i %s -s %s -j DROP", +- iptp->iface, inettoa(bd->blockip)) >= sizeof(iptcmd2)) || (snprintf(iptcmd4,sizeof(iptcmd4)-1, +- "/sbin/iptables -I INPUT -i %s -d %s -j DROP", +- iptp->iface, inettoa(bd->blockip)) >= sizeof(iptcmd4))) { +- snprintf(msg,sizeof(msg)-1,"Error: Command2 %s is too long", iptcmd2); +- logmessage(1,msg,"iptables",0); +- return; +- } +- break; +- case FWSAM_HOW_THIS: +- /* Assemble command */ +- if (snprintf(iptcmd,sizeof(iptcmd)-1, +- "/sbin/iptables -I FORWARD -i %s -s %s -d %s -p %d --dport %d -j DROP", +- iptp->iface, inettoa(bd->blockip), inettoa(bd->peerip), bd->proto, bd->port) >= sizeof(iptcmd)) { +- snprintf(msg,sizeof(msg)-1,"Error: Command %s is too 
long", iptcmd); +- logmessage(1,msg,"iptables",0); +- return; +- } +- if (snprintf(iptcmd2,sizeof(iptcmd2)-1, +- "/sbin/iptables -I INPUT -i %s -s %s -d %s -p %d --dport %d -j DROP", +- iptp->iface, inettoa(bd->blockip), inettoa(bd->peerip), bd->proto, bd->port) >= sizeof(iptcmd2)) { +- snprintf(msg,sizeof(msg)-1,"Error: Command2 %s is too long", iptcmd2); +- logmessage(1,msg,"iptables",0); +- return; +- } +- break; +- } +- } +- else +- { +- snprintf(msg,sizeof(msg)-1,"Info: UnBlocking ip %s", inettoa(bd->blockip)); +- logmessage(1,msg,"iptables",0); +-switch(bd->mode&FWSAM_HOW) +- { case FWSAM_HOW_IN: +- /* Assemble command */ +- if (snprintf(iptcmd,sizeof(iptcmd)-1, +- "/sbin/iptables -D FORWARD -i %s -s %s -j DROP", +- iptp->iface, inettoa(bd->blockip)) >= sizeof(iptcmd)) { +- snprintf(msg,sizeof(msg)-1,"Error: Command %s is too long", iptcmd); +- logmessage(1,msg,"iptables",0); +- return; +- } +- if (snprintf(iptcmd2,sizeof(iptcmd2)-1, +- "/sbin/iptables -D INPUT -i %s -s %s -j DROP", +- iptp->iface, inettoa(bd->blockip)) >= sizeof(iptcmd2)) { +- snprintf(msg,sizeof(msg)-1,"Error: Command2 %s is too long", iptcmd2); +- logmessage(1,msg,"iptables",0); +- return; +- } +- break; +- case FWSAM_HOW_OUT: +- /* Assemble command */ +- if (snprintf(iptcmd,sizeof(iptcmd)-1, +- "/sbin/iptables -D FORWARD -i %s -d %s -j DROP", +- iptp->iface, inettoa(bd->blockip)) >= sizeof(iptcmd)) { +- snprintf(msg,sizeof(msg)-1,"Error: Command %s is too long", iptcmd); +- logmessage(1,msg,"iptables",0); +- return; +- } +- if (snprintf(iptcmd2,sizeof(iptcmd2)-1, +- "/sbin/iptables -D INPUT -i %s -d %s -j DROP", +- iptp->iface, inettoa(bd->blockip)) >= sizeof(iptcmd2)) { +- snprintf(msg,sizeof(msg)-1,"Error: Command2 %s is too long", iptcmd2); +- logmessage(1,msg,"iptables",0); +- return; +- } +- break; +- case FWSAM_HOW_INOUT: +- /* Assemble command - block src*/ +- if ((snprintf(iptcmd,sizeof(iptcmd)-1, +- "/sbin/iptables -D FORWARD -i %s -s %s -j DROP", +- iptp->iface, 
inettoa(bd->blockip)) >= sizeof(iptcmd)) || (snprintf(iptcmd1,sizeof(iptcmd1)-1, +- "/sbin/iptables -D FORWARD -i %s -d %s -j DROP", +- iptp->iface, inettoa(bd->blockip)) >= sizeof(iptcmd1))) { +- snprintf(msg,sizeof(msg)-1,"Error: Command %s is too long", iptcmd); +- logmessage(1,msg,"iptables",0); +- return; +- } +- if ((snprintf(iptcmd2,sizeof(iptcmd2)-1, +- "/sbin/iptables -D INPUT -i %s -s %s -j DROP", +- iptp->iface, inettoa(bd->blockip)) >= sizeof(iptcmd2)) || (snprintf(iptcmd4,sizeof(iptcmd4)-1, +- "/sbin/iptables -D INPUT -i %s -d %s -j DROP", +- iptp->iface, inettoa(bd->blockip)) >= sizeof(iptcmd4))) { +- snprintf(msg,sizeof(msg)-1,"Error: Command2 %s is too long", iptcmd2); +- logmessage(1,msg,"iptables",0); +- return; +- } +- break; +- case FWSAM_HOW_THIS: +- /* Assemble command */ +- if (snprintf(iptcmd,sizeof(iptcmd)-1, +- "/sbin/iptables -D FORWARD -i %s -s %s -d %s -p %d --dport %d -j DROP", +- iptp->iface, inettoa(bd->blockip), inettoa(bd->peerip), bd->proto, bd->port) >= sizeof(iptcmd)) { +- snprintf(msg,sizeof(msg)-1,"Error: Command %s is too long", iptcmd); +- logmessage(1,msg,"iptables",0); +- return; +- } +- if (snprintf(iptcmd2,sizeof(iptcmd2)-1, +- "/sbin/iptables -D INPUT -i %s -s %s -d %s -p %d --dport %d -j DROP", +- iptp->iface, inettoa(bd->blockip), inettoa(bd->peerip), bd->proto, bd->port) >= sizeof(iptcmd)) { +- snprintf(msg,sizeof(msg)-1,"Error: Command2 %s is too long", iptcmd2); +- logmessage(1,msg,"iptables",0); +- return; +- } +- break; +- } +- } +-#ifdef FWSAMDEBUG +- printf("Debug: [iptables][%lx] command %s\n", threadid, iptcmd); +- printf("Debug: [iptables][%lx] command2 %s\n", threadid, iptcmd2); +-#endif +- /* Run the command */ +- if (system(iptcmd) != 0) { +- snprintf(msg,sizeof(msg)-1,"Error: Command %s Failed", iptcmd); +- logmessage(3,msg,"iptables",0); +- } else { +- snprintf(msg,sizeof(msg)-1,"Info: Command %s Executed Successfully", iptcmd); +- logmessage(3,msg,"iptables",0); +- } +- if (system(iptcmd2) != 0) { +- 
snprintf(msg,sizeof(msg)-1,"Error: Command2 %s Failed", iptcmd2); +- logmessage(1,msg,"iptables",0); +- } else { +- snprintf(msg,sizeof(msg)-1,"Info: Command2 %s Executed Successfully", iptcmd2); +- logmessage(3,msg,"iptables",0); +- } +- +-/*inventiva-recorte*/ +- if((bd->mode&FWSAM_HOW)==FWSAM_HOW_INOUT) +- { +- if (system(iptcmd1) != 0) { +- snprintf(msg,sizeof(msg)-1,"Error: Command %s Failed", iptcmd1); +- logmessage(3,msg,"iptables",0); +- } else { +- snprintf(msg,sizeof(msg)-1,"Info: Command %s Executed Successfully", iptcmd1); +- logmessage(3,msg,"iptables",0); +- } +- if (system(iptcmd4) != 0) { +- snprintf(msg,sizeof(msg)-1,"Error: Command2 %s Failed", iptcmd4); +- logmessage(1,msg,"iptables",0); +- } else { +- snprintf(msg,sizeof(msg)-1,"Info: Command2 %s Executed Successfully", iptcmd4); +- logmessage(3,msg,"iptables",0); +- } +- } +- +- ++ if(bd->block) ++ { snprintf(msg,sizeof(msg)-1,"Info: Blocking ip %s", inettoa(bd->blockip)); ++ logmessage(3,msg,"iptables",0); ++ ++ switch(bd->mode&FWSAM_HOW) ++ { case FWSAM_HOW_IN: ++ /* Assemble command */ ++ if (snprintf(iptcmd,sizeof(iptcmd)-1, ++ "/sbin/iptables -I FORWARD -i %s -s %s -j DROP", ++ iptp->iface, inettoa(bd->blockip)) >= sizeof(iptcmd)) { ++ snprintf(msg,sizeof(msg)-1,"Error: Command %s is too long", iptcmd); ++ logmessage(1,msg,"iptables",0); ++ return; ++ } ++ if (snprintf(iptcmd2,sizeof(iptcmd2)-1, ++ "/sbin/iptables -I INPUT -i %s -s %s -j DROP", ++ iptp->iface, inettoa(bd->blockip)) >= sizeof(iptcmd2)) { ++ snprintf(msg,sizeof(msg)-1,"Error: Command2 %s is too long", iptcmd2); ++ logmessage(1,msg,"iptables",0); ++ return; ++ } ++ break; ++ case FWSAM_HOW_OUT: ++ /* Assemble command */ ++ if (snprintf(iptcmd,sizeof(iptcmd)-1, ++ "/sbin/iptables -I FORWARD -i %s -d %s -j DROP", ++ iptp->iface, inettoa(bd->blockip)) >= sizeof(iptcmd)) { ++ snprintf(msg,sizeof(msg)-1,"Error: Command %s is too long", iptcmd); ++ logmessage(1,msg,"iptables",0); ++ return; ++ } ++ if 
(snprintf(iptcmd2,sizeof(iptcmd2)-1, ++ "/sbin/iptables -I INPUT -i %s -d %s -j DROP", ++ iptp->iface, inettoa(bd->blockip)) >= sizeof(iptcmd2)) { ++ snprintf(msg,sizeof(msg)-1,"Error: Command2 %s is too long", iptcmd2); ++ logmessage(1,msg,"iptables",0); ++ return; ++ } ++ break; ++ case FWSAM_HOW_INOUT: ++{ ++ char* cmdstr_fwd; ++ char cmdstr_fwd_redirect[]="/sbin/iptables -t mangle -I PREROUTING -i %s -s %s -j MARK --set-mark 255"; ++ char cmdstr_fwd_block[]="/sbin/iptables -I FORWARD -i %s -s %s -j DROP"; ++ if (bd->type==FWSAM_STATUS_BLOCK) ++ cmdstr_fwd=cmdstr_fwd_block; ++ else ++ cmdstr_fwd=cmdstr_fwd_redirect; ++ /* Assemble command - block src*/ ++ if ((snprintf(iptcmd,sizeof(iptcmd)-1, ++ cmdstr_fwd, ++ iptp->iface, inettoa(bd->blockip)) >= sizeof(iptcmd)) || (snprintf(iptcmd1,sizeof(iptcmd1)-1, ++ "/sbin/iptables -I FORWARD -i %s -d %s -j DROP", ++ iptp->iface, inettoa(bd->blockip)) >= sizeof(iptcmd1))) { ++ snprintf(msg,sizeof(msg)-1,"Error: Command %s is too long", iptcmd); ++ logmessage(1,msg,"iptables",0); ++ return; ++ } ++ if (bd->type==FWSAM_STATUS_BLOCK) ++ if ((snprintf(iptcmd2,sizeof(iptcmd2)-1, ++ "/sbin/iptables -I INPUT -i %s -s %s -j DROP", ++ iptp->iface, inettoa(bd->blockip)) >= sizeof(iptcmd2)) || (snprintf(iptcmd4,sizeof(iptcmd4)-1, ++ "/sbin/iptables -I INPUT -i %s -d %s -j DROP", ++ iptp->iface, inettoa(bd->blockip)) >= sizeof(iptcmd4))) { ++ snprintf(msg,sizeof(msg)-1,"Error: Command2 %s is too long", iptcmd2); ++ logmessage(1,msg,"iptables",0); ++ return; ++ } ++} ++ break; ++ case FWSAM_HOW_THIS: ++ /* Assemble command */ ++ if (snprintf(iptcmd,sizeof(iptcmd)-1, ++ "/sbin/iptables -I FORWARD -i %s -s %s -d %s -p %d --dport %d -j DROP", ++ iptp->iface, inettoa(bd->blockip), inettoa(bd->peerip), bd->proto, bd->port) >= sizeof(iptcmd)) { ++ snprintf(msg,sizeof(msg)-1,"Error: Command %s is too long", iptcmd); ++ logmessage(1,msg,"iptables",0); ++ return; ++ } ++ if (snprintf(iptcmd2,sizeof(iptcmd2)-1, ++ "/sbin/iptables -I INPUT -i %s 
-s %s -d %s -p %d --dport %d -j DROP", ++ iptp->iface, inettoa(bd->blockip), inettoa(bd->peerip), bd->proto, bd->port) >= sizeof(iptcmd2)) { ++ snprintf(msg,sizeof(msg)-1,"Error: Command2 %s is too long", iptcmd2); ++ logmessage(1,msg,"iptables",0); ++ return; ++ } ++ break; ++ } ++ } ++ else ++ { ++ snprintf(msg,sizeof(msg)-1,"Info: UnBlocking ip %s", inettoa(bd->blockip)); ++ logmessage(1,msg,"iptables",0); ++switch(bd->mode&FWSAM_HOW) ++ { case FWSAM_HOW_IN: ++ /* Assemble command */ ++ if (snprintf(iptcmd,sizeof(iptcmd)-1, ++ "/sbin/iptables -D FORWARD -i %s -s %s -j DROP", ++ iptp->iface, inettoa(bd->blockip)) >= sizeof(iptcmd)) { ++ snprintf(msg,sizeof(msg)-1,"Error: Command %s is too long", iptcmd); ++ logmessage(1,msg,"iptables",0); ++ return; ++ } ++ if (snprintf(iptcmd2,sizeof(iptcmd2)-1, ++ "/sbin/iptables -D INPUT -i %s -s %s -j DROP", ++ iptp->iface, inettoa(bd->blockip)) >= sizeof(iptcmd2)) { ++ snprintf(msg,sizeof(msg)-1,"Error: Command2 %s is too long", iptcmd2); ++ logmessage(1,msg,"iptables",0); ++ return; ++ } ++ break; ++ case FWSAM_HOW_OUT: ++ /* Assemble command */ ++ if (snprintf(iptcmd,sizeof(iptcmd)-1, ++ "/sbin/iptables -D FORWARD -i %s -d %s -j DROP", ++ iptp->iface, inettoa(bd->blockip)) >= sizeof(iptcmd)) { ++ snprintf(msg,sizeof(msg)-1,"Error: Command %s is too long", iptcmd); ++ logmessage(1,msg,"iptables",0); ++ return; ++ } ++ if (snprintf(iptcmd2,sizeof(iptcmd2)-1, ++ "/sbin/iptables -D INPUT -i %s -d %s -j DROP", ++ iptp->iface, inettoa(bd->blockip)) >= sizeof(iptcmd2)) { ++ snprintf(msg,sizeof(msg)-1,"Error: Command2 %s is too long", iptcmd2); ++ logmessage(1,msg,"iptables",0); ++ return; ++ } ++ break; ++ case FWSAM_HOW_INOUT: ++ /* Assemble command - block src*/ ++ if ((snprintf(iptcmd,sizeof(iptcmd)-1, ++ "/sbin/iptables -D FORWARD -i %s -s %s -j DROP", ++ iptp->iface, inettoa(bd->blockip)) >= sizeof(iptcmd)) || (snprintf(iptcmd1,sizeof(iptcmd1)-1, ++ "/sbin/iptables -D FORWARD -i %s -d %s -j DROP", ++ iptp->iface, 
inettoa(bd->blockip)) >= sizeof(iptcmd1))) { ++ snprintf(msg,sizeof(msg)-1,"Error: Command %s is too long", iptcmd); ++ logmessage(1,msg,"iptables",0); ++ return; ++ } ++ if ((snprintf(iptcmd2,sizeof(iptcmd2)-1, ++ "/sbin/iptables -D INPUT -i %s -s %s -j DROP", ++ iptp->iface, inettoa(bd->blockip)) >= sizeof(iptcmd2)) || (snprintf(iptcmd4,sizeof(iptcmd4)-1, ++ "/sbin/iptables -D INPUT -i %s -d %s -j DROP", ++ iptp->iface, inettoa(bd->blockip)) >= sizeof(iptcmd4))) { ++ snprintf(msg,sizeof(msg)-1,"Error: Command2 %s is too long", iptcmd2); ++ logmessage(1,msg,"iptables",0); ++ return; ++ } ++ break; ++ case FWSAM_HOW_THIS: ++ /* Assemble command */ ++ if (snprintf(iptcmd,sizeof(iptcmd)-1, ++ "/sbin/iptables -D FORWARD -i %s -s %s -d %s -p %d --dport %d -j DROP", ++ iptp->iface, inettoa(bd->blockip), inettoa(bd->peerip), bd->proto, bd->port) >= sizeof(iptcmd)) { ++ snprintf(msg,sizeof(msg)-1,"Error: Command %s is too long", iptcmd); ++ logmessage(1,msg,"iptables",0); ++ return; ++ } ++ if (snprintf(iptcmd2,sizeof(iptcmd2)-1, ++ "/sbin/iptables -D INPUT -i %s -s %s -d %s -p %d --dport %d -j DROP", ++ iptp->iface, inettoa(bd->blockip), inettoa(bd->peerip), bd->proto, bd->port) >= sizeof(iptcmd)) { ++ snprintf(msg,sizeof(msg)-1,"Error: Command2 %s is too long", iptcmd2); ++ logmessage(1,msg,"iptables",0); ++ return; ++ } ++ break; ++ } ++ } ++#ifdef FWSAMDEBUG ++ printf("Debug: [iptables][%lx] command %s\n", threadid, iptcmd); ++ printf("Debug: [iptables][%lx] command2 %s\n", threadid, iptcmd2); ++#endif ++ /* Run the command */ ++ if (system(iptcmd) != 0) { ++ snprintf(msg,sizeof(msg)-1,"Error: Command %s Failed", iptcmd); ++ logmessage(3,msg,"iptables",0); ++ } else { ++ snprintf(msg,sizeof(msg)-1,"Info: Command %s Executed Successfully", iptcmd); ++ logmessage(3,msg,"iptables",0); ++ } ++ if (system(iptcmd2) != 0) { ++ snprintf(msg,sizeof(msg)-1,"Error: Command2 %s Failed", iptcmd2); ++ logmessage(1,msg,"iptables",0); ++ } else { ++ snprintf(msg,sizeof(msg)-1,"Info: 
Command2 %s Executed Successfully", iptcmd2);
++ logmessage(3,msg,"iptables",0);
++ }
++
++/*inventiva-recorte*/
++ if((bd->mode&FWSAM_HOW)==FWSAM_HOW_INOUT)
++ {
++ if (system(iptcmd1) != 0) {
++ snprintf(msg,sizeof(msg)-1,"Error: Command %s Failed", iptcmd1);
++ logmessage(3,msg,"iptables",0);
++ } else {
++ snprintf(msg,sizeof(msg)-1,"Info: Command %s Executed Successfully", iptcmd1);
++ logmessage(3,msg,"iptables",0);
++ }
++ if (system(iptcmd4) != 0) {
++ snprintf(msg,sizeof(msg)-1,"Error: Command2 %s Failed", iptcmd4);
++ logmessage(1,msg,"iptables",0);
++ } else {
++ snprintf(msg,sizeof(msg)-1,"Info: Command2 %s Executed Successfully", iptcmd4);
++ logmessage(3,msg,"iptables",0);
++ }
++ }
++
++
+ #ifdef SAVETABLES
+ /* Save command */
+ if (system(savecmd) != 0) {
From c7f23f2d15501256d19382872e53872a27590656 Mon Sep 17 00:00:00 2001
From: Sergey Popov
Date: Sat, 16 Jun 2012 17:00:30 +0400
Subject: [PATCH 3/3] snortsam: finally implementing proper cancel redirect request when timeout occurs
---
net-analyzer/snortsam/Manifest | 2 +-
.../files/snortsam-2.70-redirect.patch | 21 +++++++++++++++----
2 files changed, 18 insertions(+), 5 deletions(-)
diff --git a/net-analyzer/snortsam/Manifest b/net-analyzer/snortsam/Manifest
index 7ca9614..558538f 100644
--- a/net-analyzer/snortsam/Manifest
+++ b/net-analyzer/snortsam/Manifest
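Review bot: The redirect type is honoured only in the `FWSAM_HOW_INOUT` case; for `FWSAM_HOW_IN`, `FWSAM_HOW_OUT` and `FWSAM_HOW_THIS` a record with `bd->type==FWSAM_STATUS_REDIRECT` assembles and runs exactly the same `-j DROP` rules as a block, so a sensor asking for a redirect silently gets a hard block. Guard that at the top of the blocking branch, before `if(bd->block)`: `if (bd->type==FWSAM_STATUS_REDIRECT && (bd->mode&FWSAM_HOW)!=FWSAM_HOW_INOUT)` / `{ logmessage(1,"Error: redirect is only implemented for INOUT mode","iptables",0); return; }`. Passing `cmdstr_fwd` as the format argument of `snprintf` also takes that call out of `-Wformat` checking; both formats have the same two `%s` slots, so keep two literal `snprintf` calls selected by the `if` instead. Finally, the `MARK --set-mark 255` rule only tags packets — the redirect itself depends on a policy-routing rule outside snortsam that nothing here documents, and a fixed 255 may collide with marks already in use on the host — so add a comment such as `/* packets are only marked; an 'ip rule fwmark 255' policy must exist elsewhere to actually redirect them */` and consider making the mark a plugin option. The opening of IPTBlock and its SAVETABLES tail are outside the hunk.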
@@ -1,4 +1,4 @@
-AUX snortsam-2.70-redirect.patch 21776 RMD160 624bbde2c6802416d2faf3c9d6b89caf1d8b8935 SHA1 09a0ea5b9602162845ea08bff2726b282ea465f2 SHA256 492e7b054c432d99d95c4c89d08a843d0d269e48004440959e3a5a81d4b37759
+AUX snortsam-2.70-redirect.patch 22221 RMD160 b5b5016c5817fb2c227764c0fe50049c95334f76 SHA1 d53afb3154b17489c945cffd06ddc72a4b32f761 SHA256 706bc4524a5818c5b0248fea4fb912618aec186b087915ab53c3ea0ab848e3a8
 DIST snortsam-2.50-ciscoacl.diff.bz2 7295 RMD160 91d36fecc3fcf14de5ed964928d69ef3cc167bae SHA1 c887162193df59bff2f3fb2fe0ae0aec253314ce SHA256 a4f39789e9f10b95e6db1bbce5f9d26f7393161311f5c955a4b8380186a2cb6b
 DIST snortsam-src-2.70.tar.gz 1971624 RMD160 336b0c701754d0688e2ebc967cfdbb3f9bc2fe32 SHA1 9cc7f9aad927217fbda75de038d0489b8e5f3a9e SHA256 442040a7281a641008f6410b7f6528d709f17d5041fd3752011075f8a38d19bc
 EBUILD snortsam-2.70-r9999.ebuild 1598 RMD160 9b1d28cb4ee1865c2f6f166903824f6fff91e08b SHA1 57f138c4d7868f7bea169e1f0317f657a784325a SHA256 bfafe9ab2046e19abcfcf8d8a676e5dd264e9f0f6fad277ec4ba5bfd47238759
diff --git a/net-analyzer/snortsam/files/snortsam-2.70-redirect.patch b/net-analyzer/snortsam/files/snortsam-2.70-redirect.patch
index dff8147..4cc3a7e 100644
--- a/net-analyzer/snortsam/files/snortsam-2.70-redirect.patch
+++ b/net-analyzer/snortsam/files/snortsam-2.70-redirect.patch
@@ -84,8 +84,8 @@ diff -ur snortsam-2.7.0-orig/src/snortsam.h snortsam/src/snortsam.h void clearhistory(void); diff -ur snortsam-2.7.0-orig/src/ssp_iptables.c snortsam/src/ssp_iptables.c --- snortsam-2.7.0-orig/src/ssp_iptables.c 2012-05-20 20:59:46.275601000 +0400 -+++ snortsam/src/ssp_iptables.c 2012-06-15 19:58:38.620383000 +0400 -@@ -123,204 +123,214 @@ ++++ snortsam/src/ssp_iptables.c 2012-06-16 16:53:06.430453000 +0400 +@@ -123,204 +123,227 @@ printf("Debug: [iptables][%lx] Plugin Blocking...\n",threadid); #endif
@@ -380,6 +380,7 @@ diff -ur snortsam-2.7.0-orig/src/ssp_iptables.c snortsam/src/ssp_iptables.c + { + snprintf(msg,sizeof(msg)-1,"Info: UnBlocking ip %s", inettoa(bd->blockip)); + logmessage(1,msg,"iptables",0); ++ +switch(bd->mode&FWSAM_HOW) + { case FWSAM_HOW_IN: + /* Assemble command */ @@ -416,9 +417,17 @@ diff -ur snortsam-2.7.0-orig/src/ssp_iptables.c snortsam/src/ssp_iptables.c + } + break; + case FWSAM_HOW_INOUT: ++{ ++ char* cmdstr_fwd; ++ char cmdstr_fwd_unredirect[]="/sbin/iptables -t mangle -D PREROUTING -i %s -s %s -j MARK --set-mark 255"; ++ char cmdstr_fwd_unblock[]="/sbin/iptables -D FORWARD -i %s -s %s -j DROP"; ++ if (bd->type==FWSAM_STATUS_BLOCK) ++ cmdstr_fwd=cmdstr_fwd_unblock; ++ else ++ cmdstr_fwd=cmdstr_fwd_unredirect; + /* Assemble command - block src*/ + if ((snprintf(iptcmd,sizeof(iptcmd)-1, -+ "/sbin/iptables -D FORWARD -i %s -s %s -j DROP", ++ cmdstr_fwd, + iptp->iface, inettoa(bd->blockip)) >= sizeof(iptcmd)) || (snprintf(iptcmd1,sizeof(iptcmd1)-1, + "/sbin/iptables -D FORWARD -i %s -d %s -j DROP", + iptp->iface, inettoa(bd->blockip)) >= sizeof(iptcmd1))) { @@ -426,6 +435,7 @@ diff -ur snortsam-2.7.0-orig/src/ssp_iptables.c snortsam/src/ssp_iptables.c + logmessage(1,msg,"iptables",0); + return; + } ++ if (bd->type==FWSAM_STATUS_BLOCK) + if ((snprintf(iptcmd2,sizeof(iptcmd2)-1, + "/sbin/iptables -D INPUT -i %s -s %s -j DROP", + iptp->iface, inettoa(bd->blockip)) >= sizeof(iptcmd2)) || (snprintf(iptcmd4,sizeof(iptcmd4)-1, @@ -435,6 +445,7 @@ diff -ur snortsam-2.7.0-orig/src/ssp_iptables.c snortsam/src/ssp_iptables.c + logmessage(1,msg,"iptables",0); + return; + } ++} + break; + case FWSAM_HOW_THIS: + /* Assemble command */ 
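Review bot: `if (bd->type==FWSAM_STATUS_BLOCK)` is followed by a multi-line `if ((snprintf(iptcmd2,...` with no braces, so the guarded statement is easy to misread, and the surviving comment `/* Assemble command - block src*/` now sits above a line that may delete a `MARK` rule rather than a `DROP`; brace the outer `if` and reword the comment to `/* Assemble command - remove the drop or the mark on src, per bd->type */`. The unblock formats are verbatim copies of the block-side ones with `-I` swapped for `-D`, and iptables `-D` only matches a rule whose arguments are identical, so keep the rule tail (`-i %s -s %s -j MARK --set-mark 255`) in one shared `#define` used by both paths so they cannot drift apart. The enclosing function continues outside the hunk.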
@@ -467,7 +478,8 @@ diff -ur snortsam-2.7.0-orig/src/ssp_iptables.c snortsam/src/ssp_iptables.c + snprintf(msg,sizeof(msg)-1,"Info: Command %s Executed Successfully", iptcmd); + logmessage(3,msg,"iptables",0); + } -+ if (system(iptcmd2) != 0) { ++ if (bd->type==FWSAM_STATUS_BLOCK) ++ if (system(iptcmd2) != 0) { + snprintf(msg,sizeof(msg)-1,"Error: Command2 %s Failed", iptcmd2); + logmessage(1,msg,"iptables",0); + } else { @@ -485,6 +497,7 @@ diff -ur snortsam-2.7.0-orig/src/ssp_iptables.c snortsam/src/ssp_iptables.c + snprintf(msg,sizeof(msg)-1,"Info: Command %s Executed Successfully", iptcmd1); + logmessage(3,msg,"iptables",0); + } ++ if (bd->type==FWSAM_STATUS_BLOCK) + if (system(iptcmd4) != 0) { + snprintf(msg,sizeof(msg)-1,"Error: Command2 %s Failed", iptcmd4); + logmessage(1,msg,"iptables",0);
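Review bot: The new `if (bd->type==FWSAM_STATUS_BLOCK)` guards skip `system(iptcmd2)` and `system(iptcmd4)` for every mode, but `iptcmd2` is still assembled for `FWSAM_HOW_IN`, `FWSAM_HOW_OUT` and `FWSAM_HOW_THIS` regardless of type, so a redirect-typed record in those modes runs the FORWARD rule and silently drops the INPUT rule, on block and on unblock alike. Only the INOUT redirect case leaves the buffers unassembled, so key the guards on that case instead: `if (!(bd->type==FWSAM_STATUS_REDIRECT && (bd->mode&FWSAM_HOW)==FWSAM_HOW_INOUT))`. The `FWSAMDEBUG` `printf("... command2 %s\n", threadid, iptcmd2)` above these lines is still unconditional, so in that case it prints a buffer nothing wrote unless it is zeroed at declaration (outside the hunk); `iptcmd2[0]=iptcmd4[0]='\0';` at the start of the redirect branch avoids that. The `else` after each guarded `if (system(...) != 0)` binds to the inner `if`, which is what is intended here, but braces around the outer guard would make that obvious to the next reader.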