#!/bin/bash
# 2007/03/28 authored by cross@ssorc.tw
#
# Purpose: switch the iptables rules between QUEUE and ACCEPT, and start/stop snort-inline.
#
# ChangeLog:
# 2007/05/22 start() now checks whether snort-inline is already running.
# 2007/05/16 added function for check.
# 2007/03/29 fixed functions.
# added interface() to validate which interface device is used.
# Plan:
# 200x/xx/xx plan to add how to check snort-inline version.
# 200x/xx/xx plan: when accept() is used, change
# "INPUT -p tcp --dport 80 -j ACCEPT"
# to "INPUT -p tcp --dport 80 --syn -m state --state NEW -j ACCEPT". ???
#set -x
# Rule script that installs the QUEUE rules (also the template accept()/queueicmp() rewrite).
IPTABLES_SH=/etc/iptables.sh
# snort-inline binary and config.  The 2.6.1.2-b1 pair is left commented out so
# switching versions is a matter of swapping two lines.
#SNORT=/usr/local/bin/snort_inline-2.6.1.2-b1
SNORT=/usr/local/bin/snort_inline-2.4.5a
#SNORT_CONF=/etc/snort_inline/snort_inline.conf-2.6.1.2-b1
SNORT_CONF=/etc/snort_inline/snort_inline.conf-2.4.5a
# Positional arguments: X is the action verb, IF the (optional) interface name
# that interface() validates before it is passed to snort.
X="$1"
IF="$2"
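# Validate the interface name in $IF (taken from $2) before it is handed to
# snort with "-i".  Only a bare eth<N> / ppp<N> name is accepted, and only if
# ifconfig currently lists it.  On any problem a hint is printed and the
# script exits non-zero, so no caller ever runs with an unchecked device name.
# Globals: reads IF and X; writes nothing.
interface() {
  local ifname="$IF"
  if [ -z "$ifname" ]; then
    echo ""
    echo "# Input interface device."
    echo ""
    echo $"# Example: $0 $X { eth0 | eth1 | ppp0 }"
    echo ""
    exit 1
  fi
  # Strict whitelist done in the shell (no echo | egrep round-trip): anything
  # other than eth<digit>/ppp<digit> is refused, which also keeps spaces and
  # shell metacharacters out of the later "$SNORT ... -i $IF" call.
  case "$ifname" in
    eth[0-9]|ppp[0-9]) ;;
    *)
      echo ""
      echo "# Plz input correct interface device name."
      echo ""
      exit 1
      ;;
  esac
  # Must be a device ifconfig lists (without -a, i.e. only interfaces that are
  # up).  Older net-tools prints "eth0      Link encap:", newer prints
  # "eth0: flags=", so a trailing colon is stripped; -x makes the match exact
  # instead of a substring match (otherwise eth1 would be "found" via eth10).
  if ! ifconfig | awk '/^(eth|ppp)/ { sub(/:$/, "", $1); print $1 }' | grep -qx -- "$ifname"; then
    echo ""
    echo "# No such device $ifname"
    echo ""
    exit 1
  fi
}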
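# Refuse to run without an executable snort-inline binary; exit 1 so a caller
# (or an init script) can tell this apart from a successful run.
if [ ! -x "$SNORT" ]; then
  echo " Plz install Snort-Inline first." >&2
  echo ""
  exit 1
fi
# The pid file name differs between releases: 2.4 uses the fixed name below,
# 2.6 apparently writes snort_<something>.pid, so the fallback is a glob.
# $PID_FILE is therefore expanded UNQUOTED where it is used so the glob still
# works.  Existence of the file only shows a daemon was started; it is not
# proof that it is still alive (a crash can leave a stale file behind).
if [ -f /var/run/snort_inline.pid ]; then
  # snort-inline-2.4 pid
  PID_FILE=/var/run/snort_inline.pid
else
  # snort-inline-2.6 pid
  PID_FILE=/var/run/snort_*.pid
fi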
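# Install the QUEUE rule set by running $IPTABLES_SH.  Run this only after
# snort-inline is up: the start() flow deliberately asks for it afterwards,
# because QUEUEd packets have no consumer until the daemon is listening.
# Returns non-zero if the rule script is missing or fails, instead of
# reporting "Finishing" over a possibly half-applied rule set.
# Globals: reads IPTABLES_SH.
queue() {
  local word="Starting QUEUE."
  echo ""
  echo "# $word"
  if [ ! -r "$IPTABLES_SH" ]; then
    echo "### Rule script $IPTABLES_SH not found." >&2
    return 1
  fi
  if ! sh "$IPTABLES_SH"; then
    echo "### $IPTABLES_SH failed; the rule set may be partial." >&2
    return 1
  fi
  echo ""
  echo "# $word Finishing."
}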
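# Derive a rule set from $IPTABLES_SH in which every QUEUE becomes ACCEPT
# except the INPUT ICMP rule, which is rewritten to QUEUE only new echo
# requests (icmp-type 8).  Useful to exercise the inline path with ping while
# all other traffic bypasses snort.  The generated script is written next to
# the rule script as ${IPTABLES_SH}ACCEPTicmp (the script has to run as root
# for iptables, so nothing in a shared /tmp is executed) and then run.
# Returns non-zero if the source script is missing or either step fails.
# Globals: reads IPTABLES_SH.
queueicmp() {
  local word="Only QUEUEing the ICMP."
  local out="${IPTABLES_SH}ACCEPTicmp"
  echo ""
  echo "# $word"
  if [ ! -r "$IPTABLES_SH" ]; then
    echo "### Rule script $IPTABLES_SH not found." >&2
    return 1
  fi
  # 1) QUEUE -> ACCEPT everywhere; 2) the (now ACCEPT) ICMP input rule becomes
  # a QUEUE for new echo requests.  iptables long options take two plain
  # dashes; an en-dash ("–icmp-type") is a different byte sequence that
  # iptables rejects, so the replacement must be "--icmp-type"/"--state".
  if ! sed -e 's/QUEUE/ACCEPT/g' \
           -e 's/INPUT -p icmp.*ACCEPT/INPUT -p icmp --icmp-type 8 -m state --state NEW -j QUEUE/g' \
           "$IPTABLES_SH" > "$out"; then
    echo "### Could not write $out." >&2
    return 1
  fi
  if ! sh "$out"; then
    echo "### $out failed; the rule set may be partial." >&2
    return 1
  fi
  echo ""
  echo "# $word Finishing."
}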
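# Switch every QUEUE rule in $IPTABLES_SH to ACCEPT and apply the result.
# This is the fail-open switch: after it runs, traffic passes without being
# inspected by snort-inline.  stop() calls it before killing the daemon.
# The generated script is written next to the rule script as
# ${IPTABLES_SH}ACCEPT (root runs this, so no shared /tmp is used) and run.
# Returns non-zero if the source script is missing or either step fails.
# Globals: reads IPTABLES_SH.
accept() {
  local word="Let all QUEUE to ACCEPT."
  local out="${IPTABLES_SH}ACCEPT"
  echo ""
  echo "# $word"
  if [ ! -r "$IPTABLES_SH" ]; then
    echo "### Rule script $IPTABLES_SH not found." >&2
    return 1
  fi
  if ! sed 's/QUEUE/ACCEPT/g' "$IPTABLES_SH" > "$out"; then
    echo "### Could not write $out." >&2
    return 1
  fi
  if ! sh "$out"; then
    echo "### $out failed; the rule set may be partial." >&2
    return 1
  fi
  echo ""
  echo "# $word Finishing."
}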
test() {
interface
WORD="Testing Snort-Inline config."
echo "# $WORD"
$SNORT -QNTc $SNORT_CONF -i $IF
echo ""
echo "# $WORD Finisheding."
}
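# Stop snort-inline.  The order is deliberately fail-open: the rules are
# switched to ACCEPT first (accept) so no packet is QUEUEd to a dying daemon;
# from that point traffic passes uninspected until `queue` is run again.
# The PID read from the pid file is checked to be a plain positive integer
# before it reaches kill: an empty or tampered file would otherwise signal the
# wrong process (and "0" would signal the whole process group).  Liveness is
# tested with `kill -0`, not by the pid file still existing, so a stale file
# never triggers `kill -9` on a recycled PID.  TERM first, KILL only if the
# process is still alive after ~5 seconds.
# Globals: reads PID_FILE; calls accept.
stop() {
  local wordstop="Stopping Snort-Inline."
  local pidfile pid i
  echo ""
  echo "# $wordstop"
  accept
  # First match of $PID_FILE (it may be a glob for the 2.6 naming); with no
  # match the literal pattern remains and the -f test below fails.
  for pidfile in $PID_FILE; do break; done
  if [ ! -f "$pidfile" ]; then
    echo ""
    echo "### The Snort-Inline is not running."
  else
    pid=$(tr -d '[:space:]' < "$pidfile")
    case "$pid" in
      ''|0|*[!0-9]*)
        echo ""
        echo "### Refusing to kill: $pidfile does not hold a valid PID."
        ;;
      *)
        echo ""
        echo "# Kill the Snort-Inline."
        kill "$pid" 2>/dev/null
        for i in 1 2 3 4 5; do
          kill -0 "$pid" 2>/dev/null || break
          sleep 1
        done
        if kill -0 "$pid" 2>/dev/null; then
          kill -9 "$pid"
        fi
        echo "# Kill the Snort-Inline. Finishing."
        ;;
    esac
  fi
  echo ""
  echo "# $wordstop Finishing."
  echo ""
}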
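# Start snort-inline as a daemon (-D) on the validated interface, then wait up
# to $SNORT_START_WAIT seconds (default 10) for "Snort initialization
# completed successfully" to show up in the last lines of $SNORT_LOG (default
# /var/log/messages).  Rules are NOT switched to QUEUE here: the operator is
# told to run `queue` afterwards so packets are only queued once a consumer
# exists.  "Already running" means the pid file holds a number AND that
# process exists; a stale pid file left by a crash no longer blocks a start.
# Caveat: the tail of a shared syslog can still contain the message from an
# earlier start, so the success check is a hint, not proof.
# Globals: reads PID_FILE, SNORT, SNORT_CONF, IF, SNORT_LOG, SNORT_START_WAIT;
# exports PCAP_FRAMES; calls interface (which may exit).
start() {
  local pidfile pid waited ok word
  # First match of $PID_FILE (it may be a glob for the 2.6 naming).
  for pidfile in $PID_FILE; do break; done
  pid=""
  if [ -f "$pidfile" ]; then
    pid=$(tr -d '[:space:]' < "$pidfile")
  fi
  case "$pid" in
    ''|0|*[!0-9]*) pid="" ;;
  esac
  if [ -n "$pid" ] && kill -0 "$pid" 2>/dev/null; then
    echo ""
    echo "# The Snort-Inline is running."
    echo ""
    return 0
  fi
  interface
  word="Starting Snort-Inline."
  echo ""
  echo "# $word"
  export PCAP_FRAMES=max
  "$SNORT" -QNDc "$SNORT_CONF" -i "$IF"
  # Poll instead of a fixed sleep 10: stop as soon as the log shows success.
  ok=1
  waited=0
  while :; do
    if tail -n 5 "${SNORT_LOG:-/var/log/messages}" 2>/dev/null | grep -q "Snort initialization completed successfully"; then
      ok=0
      break
    fi
    [ "$waited" -ge "${SNORT_START_WAIT:-10}" ] && break
    sleep 1
    waited=$((waited + 1))
  done
  echo ""
  echo "# $word Finishing."
  echo ""
  if [ "$ok" = 0 ]; then
    echo "### Now, needs to Start QUEUE manually."
    echo ""
  else
    echo "### Plz waiting for finishing start the Snort-Inline,"
    echo "### then starting QUEUE manually."
    echo ""
  fi
}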
case "$1" in
queue)
queue
;;
queueicmp)
queueicmp
;;
accept)
accept
;;
stop)
stop
;;
test)
test
;;
start)
start
;;
restart)
stop
start
;;
*)
echo $"Usage: $0 { queue | queueicmp | accept | test | stop | start | restart }"
echo ""
esac