snort3: improve script reliability
- Enable missing variable checking by default - Explicitly check variables are defined in all 'rm' commands Signed-off-by: Eric Fahlgren <ericfahlgren@gmail.com>
This commit is contained in:
parent
55abc039ff
commit
b94c6dd37d
|
@ -7,7 +7,7 @@ include $(TOPDIR)/rules.mk
|
|||
|
||||
PKG_NAME:=snort3
|
||||
PKG_VERSION:=3.1.78.0
|
||||
PKG_RELEASE:=2
|
||||
PKG_RELEASE:=3
|
||||
|
||||
PKG_SOURCE:=$(PKG_VERSION).tar.gz
|
||||
PKG_SOURCE_URL:=https://github.com/snort3/snort3/archive/refs/tags/
|
||||
|
|
|
@ -3,6 +3,8 @@
|
|||
# SPDX-License-Identifier: GPL-2.0
|
||||
# shellcheck disable=SC2039,SC2155 # "local" not defined in POSIX sh
|
||||
|
||||
set -o nounset
|
||||
|
||||
PROG="$(command -v snort)"
|
||||
MAIN="/usr/share/snort/main.uc"
|
||||
CONF_DIR=$(uci -q get snort.snort.temp_dir || echo "/var/snort.d")
|
||||
|
@ -73,7 +75,7 @@ setup() {
|
|||
teardown() {
|
||||
# Merely cleans up after.
|
||||
nft_rm_table
|
||||
[ -e "$CONF" ] && rm "$CONF"
|
||||
[ -e "$CONF" ] && rm "${CONF:?}"
|
||||
}
|
||||
|
||||
resetup() {
|
||||
|
@ -110,7 +112,7 @@ check() {
|
|||
local test_conf="${CONF_DIR}/test_conf.lua"
|
||||
_SNORT_WITHOUT_RULES="$no_rules" print snort > "${test_conf}" || die "Errors during generation of snort config"
|
||||
if $PROG -T $warn -c "${test_conf}" 2> $OUT ; then
|
||||
rm "${test_conf}"
|
||||
rm "${test_conf:?}"
|
||||
else
|
||||
die "Errors in snort config tests. Examine ${test_conf} for issues"
|
||||
fi
|
||||
|
@ -121,7 +123,7 @@ check() {
|
|||
print nftables > "${test_nft}" || die "Errors during generation of nftables config"
|
||||
$VERBOSE && options='-e'
|
||||
if nft $options --check -f "${test_nft}" ; then
|
||||
rm "${test_nft}"
|
||||
rm "${test_nft:?}"
|
||||
else
|
||||
die "Errors in nftables config tests. Examine ${test_nft} for issues"
|
||||
fi
|
||||
|
@ -173,7 +175,7 @@ report() {
|
|||
local msg src srcP dst dstP dir gid sid
|
||||
local tmp=$(mktemp -t snort.rep.XXXXXX)
|
||||
_filter_by_date "${log_dir}" | while read -r line; do
|
||||
unset -v src dst srcP dstP
|
||||
src='' && dst='' && srcP='' && dstP=''
|
||||
eval "$(jsonfilter -s "$line" \
|
||||
-e 'msg=$.msg' \
|
||||
-e 'src=$.src_addr' \
|
||||
|
@ -196,7 +198,7 @@ report() {
|
|||
[ "$NLINES" = 0 ] && output="cat" || output="head -n $NLINES"
|
||||
|
||||
local lines=$($SORT "$tmp" | uniq -c | $SORT -nr | $output)
|
||||
rm "$tmp"
|
||||
rm "${tmp:?}"
|
||||
if [ -z "$lines" ]; then
|
||||
echo -n "There were no incidents "
|
||||
[ -z "$PATTERN" ] && echo "reported." || echo "matching pattern '$PATTERN'."
|
||||
|
@ -254,7 +256,7 @@ report() {
|
|||
echo 'Hosts by name:'
|
||||
local IP
|
||||
local peerdns=$(ifstatus wan | jsonfilter -e '$["dns-server"][0]')
|
||||
echo "$lines" | awk -F'#' '{printf "%s\n%s\n", $2, $3}' | sed 's/(.*//' | sort -u \
|
||||
echo "$lines" | awk -F'#' '{printf "%s\n%s\n", $2, $3}' | sed 's/(.*//' | $SORT -u \
|
||||
| while read -r IP; do
|
||||
[ -z "$IP" ] && continue
|
||||
n=$(nslookup "$IP" | awk '/name = / {n=$NF} END{print n}')
|
||||
|
@ -362,7 +364,7 @@ USAGE
|
|||
exit 1
|
||||
}
|
||||
|
||||
while [ -n "$1" ]; do
|
||||
while [ "${1:-}" ]; do
|
||||
case "$1" in
|
||||
-h|--help)
|
||||
usage
|
||||
|
|
|
@ -3,6 +3,8 @@
|
|||
# SPDX-License-Identifier: GPL-2.0
|
||||
# shellcheck disable=SC2039,SC2155 # "local" not defined in POSIX sh
|
||||
|
||||
set -o nounset
|
||||
|
||||
alias log='logger -s -t "snort-rules[$$]" -p "info"'
|
||||
|
||||
download_rules() {
|
||||
|
@ -30,7 +32,7 @@ download_rules() {
|
|||
log "Generating testing rules..."
|
||||
archive_loc="testing-rules"
|
||||
new_rules="$data_dir/$archive_loc"
|
||||
rm -fr "$new_rules"
|
||||
rm -fr "${new_rules:?}"
|
||||
mkdir -p "$new_rules"
|
||||
rules_file="$new_rules/testing.rules"
|
||||
{
|
||||
|
@ -76,7 +78,7 @@ download_rules() {
|
|||
|
||||
old_rules="$data_dir/old.rules"
|
||||
if $backup; then
|
||||
rm -fr "$old_rules"
|
||||
rm -fr "${old_rules:?}"
|
||||
mkdir -p "$old_rules"
|
||||
|
||||
for rules_file in "$rules_dir"/*; do
|
||||
|
@ -103,7 +105,7 @@ download_rules() {
|
|||
|
||||
|
||||
mkdir -p "$conf_dir"
|
||||
rm -fr "$rules_dir"
|
||||
rm -fr "${rules_dir:?}"
|
||||
if $persist; then
|
||||
mv -f "$new_rules" "$rules_dir"
|
||||
else
|
||||
|
@ -145,7 +147,7 @@ USAGE
|
|||
exit 1
|
||||
}
|
||||
|
||||
while [ -n "$1" ]; do
|
||||
while [ "${1:-}" ]; do
|
||||
case "$1" in
|
||||
-h|--help)
|
||||
usage
|
||||
|
|
Loading…
Reference in New Issue