From b94c6dd37df76aa7f6b6813135228b82cd5d8886 Mon Sep 17 00:00:00 2001 From: Eric Fahlgren Date: Mon, 5 Feb 2024 07:07:38 -0800 Subject: [PATCH] snort3: improve script reliability - Enable missing variable checking by default - Explicitly check variables are defined in all 'rm' commands Signed-off-by: Eric Fahlgren --- net/snort3/Makefile | 2 +- net/snort3/files/snort-mgr | 16 +++++++++------- net/snort3/files/snort-rules | 10 ++++++---- 3 files changed, 16 insertions(+), 12 deletions(-) diff --git a/net/snort3/Makefile b/net/snort3/Makefile index 6f0218d8ea..87500abfe0 100644 --- a/net/snort3/Makefile +++ b/net/snort3/Makefile @@ -7,7 +7,7 @@ include $(TOPDIR)/rules.mk PKG_NAME:=snort3 PKG_VERSION:=3.1.78.0 -PKG_RELEASE:=2 +PKG_RELEASE:=3 PKG_SOURCE:=$(PKG_VERSION).tar.gz PKG_SOURCE_URL:=https://github.com/snort3/snort3/archive/refs/tags/ diff --git a/net/snort3/files/snort-mgr b/net/snort3/files/snort-mgr index 625157967d..1fc54ca127 100644 --- a/net/snort3/files/snort-mgr +++ b/net/snort3/files/snort-mgr @@ -3,6 +3,8 @@ # SPDX-License-Identifier: GPL-2.0 # shellcheck disable=SC2039,SC2155 # "local" not defined in POSIX sh +set -o nounset + PROG="$(command -v snort)" MAIN="/usr/share/snort/main.uc" CONF_DIR=$(uci -q get snort.snort.temp_dir || echo "/var/snort.d") @@ -73,7 +75,7 @@ setup() { teardown() { # Merely cleans up after. nft_rm_table - [ -e "$CONF" ] && rm "$CONF" + [ -e "$CONF" ] && rm "${CONF:?}" } resetup() { @@ -110,7 +112,7 @@ check() { local test_conf="${CONF_DIR}/test_conf.lua" _SNORT_WITHOUT_RULES="$no_rules" print snort > "${test_conf}" || die "Errors during generation of snort config" if $PROG -T $warn -c "${test_conf}" 2> $OUT ; then - rm "${test_conf}" + rm "${test_conf:?}" else die "Errors in snort config tests. Examine ${test_conf} for issues" fi @@ -121,7 +123,7 @@ check() { print nftables > "${test_nft}" || die "Errors during generation of nftables config" $VERBOSE && options='-e' if nft $options --check -f "${test_nft}" ; then - rm "${test_nft}" + rm "${test_nft:?}" else die "Errors in nftables config tests. Examine ${test_nft} for issues" fi @@ -173,7 +175,7 @@ report() { local msg src srcP dst dstP dir gid sid local tmp=$(mktemp -t snort.rep.XXXXXX) _filter_by_date "${log_dir}" | while read -r line; do - unset -v src dst srcP dstP + src='' && dst='' && srcP='' && dstP='' eval "$(jsonfilter -s "$line" \ -e 'msg=$.msg' \ -e 'src=$.src_addr' \ @@ -196,7 +198,7 @@ report() { [ "$NLINES" = 0 ] && output="cat" || output="head -n $NLINES" local lines=$($SORT "$tmp" | uniq -c | $SORT -nr | $output) - rm "$tmp" + rm "${tmp:?}" if [ -z "$lines" ]; then echo -n "There were no incidents " [ -z "$PATTERN" ] && echo "reported." || echo "matching pattern '$PATTERN'." @@ -254,7 +256,7 @@ report() { echo 'Hosts by name:' local IP local peerdns=$(ifstatus wan | jsonfilter -e '$["dns-server"][0]') - echo "$lines" | awk -F'#' '{printf "%s\n%s\n", $2, $3}' | sed 's/(.*//' | sort -u \ + echo "$lines" | awk -F'#' '{printf "%s\n%s\n", $2, $3}' | sed 's/(.*//' | $SORT -u \ | while read -r IP; do [ -z "$IP" ] && continue n=$(nslookup "$IP" | awk '/name = / {n=$NF} END{print n}') @@ -362,7 +364,7 @@ USAGE exit 1 } -while [ -n "$1" ]; do +while [ "${1:-}" ]; do case "$1" in -h|--help) usage diff --git a/net/snort3/files/snort-rules b/net/snort3/files/snort-rules index 9547e9b4f1..cc83833274 100644 --- a/net/snort3/files/snort-rules +++ b/net/snort3/files/snort-rules @@ -3,6 +3,8 @@ # SPDX-License-Identifier: GPL-2.0 # shellcheck disable=SC2039,SC2155 # "local" not defined in POSIX sh +set -o nounset + alias log='logger -s -t "snort-rules[$$]" -p "info"' download_rules() { @@ -30,7 +32,7 @@ download_rules() { log "Generating testing rules..." archive_loc="testing-rules" new_rules="$data_dir/$archive_loc" - rm -fr "$new_rules" + rm -fr "${new_rules:?}" mkdir -p "$new_rules" rules_file="$new_rules/testing.rules" { @@ -76,7 +78,7 @@ download_rules() { old_rules="$data_dir/old.rules" if $backup; then - rm -fr "$old_rules" + rm -fr "${old_rules:?}" mkdir -p "$old_rules" for rules_file in "$rules_dir"/*; do @@ -103,7 +105,7 @@ download_rules() { mkdir -p "$conf_dir" - rm -fr "$rules_dir" + rm -fr "${rules_dir:?}" if $persist; then mv -f "$new_rules" "$rules_dir" else @@ -145,7 +147,7 @@ USAGE exit 1 } -while [ -n "$1" ]; do +while [ "${1:-}" ]; do case "$1" in -h|--help) usage