renamed some directories to no longer include spaces in the name in
order to make things more "unixy". Also, new autosnort AVATAR release.
Check out the readme for details on what has changed. It should be
working now!
da667 committed Dec 29, 2018
1 parent e62139b commit 0495f91
Showing 136 changed files with 563 additions and 11 deletions.
File renamed without changes.
523 changes: 523 additions & 0 deletions Autosnort-Ubuntu/AVATAR/Previous_Rel/autosnort-ubuntu-AVATAR-8-3-18.sh


@@ -1,5 +1,7 @@
#!/bin/bash
#Autosnort script for Ubuntu 12.04+
#Autosnort script for Ubuntu 16.04+
#Please note that this version of the script is specifically made available for students of Building Virtual Labs training on networkdefense.io, as well as the book, Building Virtual Machine Labs: A Hands-On Guide
#This script will configure Snort

#Functions, functions everywhere.

@@ -169,7 +171,6 @@ apt-get update &>> $logfile && apt-get -y upgrade &>> $logfile
error_check 'System updates'

########################################

#Need to do an OS version check.

print_status "OS Version Check.."
@@ -182,20 +183,34 @@ else
fi

########################################

#These packages are required at a minimum to build snort and barnyard + their component libraries. The perl requirements are for pulledpork.pl
#These packages are required at a minimum to build snort, barnyard + their component libraries. The perl requirements are for pulledpork.pl
#A package name changed on Ubuntu 18.04, and we need to account for that. so we do an if/then based on the release we pulled a moment ago.

if [[ $release == "18."* ]]; then
print_status "Installing base packages: libdumbnet-dev ethtool build-essential libpcap0.8-dev libpcre3-dev bison flex autoconf libtool libarchive-tar-perl libnet-ssleay-perl liblzma-dev libwww-perl zlib1g-dev.."
#some of the packages we need aren't in the main package repo in 18.04, so we need to modify sources.list to install packages from universe. Before doing that, make a backup of sources.list. If the sources.list.bak file exists, that means the script ran before and somehow bombed out, and we don't want to overwrite a good backup that may contain user customizations
print_status "adjusting /etc/apt/sources.list to utilize universe packages.."
if [ ! -f /etc/apt/sources.list.bak ]; then
cp /etc/apt/sources.list /etc/apt/sources.list.bak &>> $logfile
error_check 'Backup of /etc/apt/sources.list'
else
print_notification '/etc/apt/sources.list.bak already exists.'
fi

declare -a packages=( libdumbnet-dev ethtool build-essential libpcap0.8-dev libpcre3-dev bison flex autoconf libtool libarchive-tar-perl libnet-ssleay-perl liblzma-dev libwww-perl zlib1g-dev );
#rather than using sed or awk to modify the sources.list file, we use echo -e and clobber the sources.list file, replacing it with our modifications that enable universe packages. If users have non-default package repos enabled, they can restore them from the backup file we create before doing this.
echo -e "deb http://archive.ubuntu.com/ubuntu bionic main universe\\ndeb http://archive.ubuntu.com/ubuntu bionic-security main universe\\ndeb http://archive.ubuntu.com/ubuntu bionic-updates main universe" > /etc/apt/sources.list
error_check 'Modification of /etc/apt/sources.list'
print_notification 'This script assumes a default sources.list, and changes all the default repos from "main" to "main universe". If you added any third party sources, you will need to re-enter those manually from the file /etc/apt/sources.list.bak, into your new /etc/apt/sources.list file.'

print_status "Installing base packages: libdumbnet-dev ethtool build-essential libpcap0.8-dev libpcre3-dev bison flex autoconf libtool libarchive-tar-perl libnet-ssleay-perl liblzma-dev libluajit-5.1-2 libluajit-5.1-common libluajit-5.1-dev luajit libwww-perl libnghttp2-dev libssl-dev openssl pkg-config zlib1g-dev.."

declare -a packages=( libdumbnet-dev ethtool build-essential libpcap0.8-dev libpcre3-dev bison flex autoconf libtool libarchive-tar-perl libnet-ssleay-perl liblzma-dev libluajit-5.1-2 libluajit-5.1-common libluajit-5.1-dev luajit libwww-perl libnghttp2-dev libssl-dev openssl pkg-config zlib1g-dev );

install_packages ${packages[@]}

else
print_status "Installing base packages: libdumbnet-dev ethtool build-essential libpcap0.8-dev libpcre3-dev bison flex autoconf libtool libarchive-tar-perl libcrypt-ssleay-perl liblzma-dev libwww-perl zlib1g-dev.."
print_status "Installing base packages: libdumbnet-dev ethtool build-essential libpcap0.8-dev libpcre3-dev bison flex autoconf libtool libarchive-tar-perl libcrypt-ssleay-perl liblzma-dev libluajit-5.1-2 libluajit-5.1-common libluajit-5.1-dev luajit libwww-perl libnghttp2-dev libssl-dev openssl pkg-config zlib1g-dev.."

declare -a packages=( libdumbnet-dev ethtool build-essential libpcap0.8-dev libpcre3-dev bison flex autoconf libtool libarchive-tar-perl libcrypt-ssleay-perl liblzma-dev libwww-perl zlib1g-dev );
declare -a packages=( libdumbnet-dev ethtool build-essential libpcap0.8-dev libpcre3-dev bison flex autoconf libtool libarchive-tar-perl libcrypt-ssleay-perl liblzma-dev libluajit-5.1-2 libluajit-5.1-common libluajit-5.1-dev luajit libwww-perl libnghttp2-dev libssl-dev openssl pkg-config zlib1g-dev );

install_packages ${packages[@]}
fi
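Review bot: the 18.04 branch hard-codes the `bionic` codename in the three lines written to /etc/apt/sources.list, but the guard `if [[ $release == "18."* ]]` also matches 18.10, so a cosmic install would be pointed at bionic repositories; either tighten the match to `18.04` or derive the codename from the detected release instead of the literal. Two smaller points in the same block: `install_packages ${packages[@]}` should quote the expansion as `"${packages[@]}"` so each package name is passed as one argument, and the notification text should say plainly that the rewrite discards every line of the existing file (not only third-party sources), since the backup is the only copy left of whatever was there.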
@@ -339,6 +354,8 @@ dir_check $snort_basedir/so_rules
dir_check $snort_basedir/rules
dir_check $snort_basedir/preproc_rules
dir_check $snort_basedir/snort_dynamicrules
dir_check $snort_basedir/rules/iplists
touch $snort_basedir/rules/iplists/IPRVersion.dat

print_status "Attempting to download .conf file for $snortver.."

@@ -443,7 +460,7 @@ cd /usr/src/pulledpork

print_status "Attempting to download rules for $ppsnortver.."
print_notification "If this hangs, please make sure you set the HTTP_PROXY, http_proxy, HTTPS_PROXY, and https_proxy variables as required!"
perl pulledpork.pl -c /usr/src/pulledpork/etc/pulledpork.conf -W -vv &>> $logfile
perl pulledpork.pl -W -vv -P -c /usr/src/pulledpork/etc/pulledpork.conf &>> $logfile
if [ $? == 0 ]; then
pp_postprocessing
else
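Review bot: the added `-P` flag carries no comment explaining why it is needed; a one-line note on the `perl pulledpork.pl ...` line (the README changelog in this same commit says pulledpork reported 0 new rules and wrote nothing to snort.rules, so processing is forced) would save the next maintainer from removing it as redundant. Also, `if [ $? == 0 ]` relies on a bash extension inside `[`; `-eq 0` is the portable comparison, or test the command directly with `if perl pulledpork.pl ... &>> $logfile; then`.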
File renamed without changes.
@@ -1,4 +1,4 @@
This is a special release of autosnort meant to be used as a part of Project:AVATAR. This installer script provides the following functionality:
This is a special release of autosnort meant to be used for students in the Building Virtual Labs class and/or readers of Building Virtual Machine Labs: A Hands-On Guide book. This script performs the following tasks:

-Downloads required pre-reqs to run and compile snort
-Compiles snort with the --enable-sourcefire config option. Snort is installed to /opt/snort/bin/snort, while snort's supporting files are installed to /opt/snort/etc
@@ -9,12 +9,24 @@ This is a special release of autosnort meant to be used as a part of Project:AVA
-Inline mode operation: This installer requires a minimum of 3 network interfaces to work properly. Two interfaces will be placed into inline mode via the AFPACKET DAQ. ARP will be disabled on these interfaces, meaning that your system will NOT respond to any traffic sent to these interfaces. By default, the script will attempt to bridge the eth1 and eth2 interfaces. You can specify different interface names to be bridged in the full_autosnort.conf file
-Pulledpork.pl is installed and used to download the initial ruleset for snort. you will need to register a free account on snort.org (or pay for a rule subscription), and copy your oinkcode into the full_autosnort.conf file for this script to work properly

This installer, and its supporting files are meant to be consumed with the book "Building Virtual Machine Labs: A Hands-On Guide, my massive virtual lab book.
1. pull https://github.com/da667/Autosnort
2. cd Autosnort/Autosnort-Ubuntu/AVATAR
3. modify full_autosnort.conf (e.g. interface names, base installation directory, etc.). At an absolute minimum you MUST input a valid snort.org Oink Code
4. As root, (or via "sudo") run autosnort-ubuntu-AVATAR.sh
5. On successful reboot, snort should be running (try ps -ef | grep snort to check)
6. snortd service should be registered, you can use 'service snortd (start|stop|status|restart) to control the snort process.
7. Errors? Problems? Check the file /var/log/autosnort_install.log for troubleshooting.

Thanks,

da_667

12-29-18
-Users reported users that the script no longer works, complaining about a libluajit dependency. apparently the Snort team has opted to included openappID as a part of the --enable-sourcefire compile option that the autosnort script has used for years now.
--Script has been updated to download a couple of dependencies in order to be able to run openappID -- libnghttp2, libluajit, libssl-dev, pkg-config and a few others. All you need to know is that Snort should configure and compile with no errors, at least as of 2.9.12
---please note that this script doesn't download fingerprints for openappID, nor does it enable the openappId preprocessor in snort.conf. If you're interested in learning how to do that, that is an exercise that will be left to you to try out. Have fun storming the castle!
--Had to write in a config change very similar to the autosuricata config change we wrote for ubuntu 18.04 users recently: backing up the apt sources.list file, clobber the existing sources.list, and regenerate a new sources.list file that enables the universe repos for ubuntu 18.04. This is because 18.04 doesn't enable universe by default, and libluajit is a universe repo package.
-discovered an issue where pulledpork was actually dropping any rules into the /opt/snort/rules/snort.rules file, claiming 0 new rules. Added the "-P" option to pulledpork execution, to force pulledpork to process rules, even if it /thinks/ there are no new rules.
8-3-18
-This script is now compatible with Ubuntu 18.04, in addition to Ubuntu 16.04
-Fixed the pulledpork.conf this script generates. It now reflects the current version of pulledpork.pl (0.7.4)
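Review bot: several wording slips in the new 12-29-18 entry: "Users reported users that" should read "Users reported that", "opted to included" should be "opted to include", and the pulledpork item says it "was actually dropping any rules into" snort.rules, where the symptom described (0 new rules, nothing written, fixed by forcing `-P`) means it was not writing any rules, so "wasn't" is intended. The line introducing the book title ("Building Virtual Machine Labs: A Hands-On Guide, my massive virtual lab book.") opens a double quote that is never closed.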
File renamed without changes.

0 comments on commit 0495f91
