From 173a6f55d923e46c2c6519617594bd6d567fe402 Mon Sep 17 00:00:00 2001 From: Dylane Bengono Date: Wed, 11 Sep 2024 12:23:51 +0100 Subject: [PATCH 01/21] chore: Update Snort installation script for macOS --- scripts/install.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/scripts/install.sh b/scripts/install.sh index 4267b96..287b4cd 100755 --- a/scripts/install.sh +++ b/scripts/install.sh @@ -81,7 +81,7 @@ create_snort_files() { # Function to install Snort on macOS install_snort_macos() { print_step "Installing" "Snort for macOS" - maybe_sudo brew install snort + brew install snort create_snort_dirs_files /usr/local/etc/rules /usr/local/etc/so_rules /usr/local/etc/lists /var/log/snort create_snort_files /usr/local/etc/rules/local.rules /usr/local/etc/lists/default.blocklist From a515ef56efd5e4a4985684a004e23fbf5a1ac332 Mon Sep 17 00:00:00 2001 From: Dylane Bengono Date: Wed, 11 Sep 2024 12:28:54 +0100 Subject: [PATCH 02/21] chore: Update Snort installation script for macOS --- README.md | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index 0cf22b9..287c0a2 100644 --- a/README.md +++ b/README.md @@ -31,11 +31,18 @@ This repository contains several resources for installing and configuring Snort, ### Prerequisites - Wazuh Agent installed on endpoints -### Installation +### Installation +## Installation (Linux) Install using this command: ```bash sudo curl -SL https://raw.githubusercontent.com/ADORSYS-GIS/wazuh-snort/main/scripts/install.sh | bash ``` +## Installation (MacOS) + + Install using this command: + ```bash + curl -SL https://raw.githubusercontent.com/ADORSYS-GIS/wazuh-snort/main/scripts/install.sh | bash + ``` ## Description From da0e77bc2c5cbbf4d47f8048b95c2589a6560a70 Mon Sep 17 00:00:00 2001 
From: Dylane Bengono Date: Wed, 11 Sep 2024 12:31:14 +0100 Subject: [PATCH 03/21] chore: Update Snort installation script for macOS --- README.md | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index 287c0a2..ef2a3b4 100644 --- a/README.md +++ b/README.md @@ -38,11 +38,10 @@ Install using this command: sudo curl -SL https://raw.githubusercontent.com/ADORSYS-GIS/wazuh-snort/main/scripts/install.sh | bash ``` ## Installation (MacOS) - Install using this command: - ```bash + ```bash curl -SL https://raw.githubusercontent.com/ADORSYS-GIS/wazuh-snort/main/scripts/install.sh | bash - ``` + ``` ## Description From 1fa1beb1ca6a003bd91d446cd3ee7c7978a5a670 Mon Sep 17 00:00:00 2001 From: Dylane Bengono Date: Wed, 11 Sep 2024 13:31:09 +0100 Subject: [PATCH 04/21] chore: Update Snort installation script for macOS --- scripts/install.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/scripts/install.sh b/scripts/install.sh index 287b4cd..4267b96 100755 --- a/scripts/install.sh +++ b/scripts/install.sh @@ -81,7 +81,7 @@ create_snort_files() { # Function to install Snort on macOS install_snort_macos() { print_step "Installing" "Snort for macOS" - brew install snort + maybe_sudo brew install snort create_snort_dirs_files /usr/local/etc/rules /usr/local/etc/so_rules /usr/local/etc/lists /var/log/snort create_snort_files /usr/local/etc/rules/local.rules /usr/local/etc/lists/default.blocklist From 54dade7aa3745b4de7b0684c1d406640514ac407 Mon Sep 17 00:00:00 2001 From: Dylane Bengono Date: Wed, 11 Sep 2024 13:32:03 +0100 Subject: [PATCH 05/21] chore: Update Snort installation script for macOS --- scripts/install.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/scripts/install.sh b/scripts/install.sh index 4267b96..287b4cd 100755 --- a/scripts/install.sh +++ b/scripts/install.sh 
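Review bot: `maybe_sudo brew install snort` on the new side of install_snort_macos runs brew under sudo for every non-root user, and current Homebrew refuses to run as root, so the install aborts on an ordinary macOS account (the immediate revert in the next patch suggests this was hit). Homebrew manages its own prefix permissions and needs no elevation; the `brew install snort` this hunk removes was the correct form, with elevation reserved for the `/usr/local/etc` and `/var/log/snort` writes that follow. If the worry is that the whole script is sometimes launched through sudo, drop privileges for brew instead of adding them: `sudo -u "${SUDO_USER:-$USER}" brew install snort`.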
@@ -81,7 +81,7 @@ create_snort_files() { # Function to install Snort on macOS install_snort_macos() { print_step "Installing" "Snort for macOS" - maybe_sudo brew install snort + brew install snort create_snort_dirs_files /usr/local/etc/rules /usr/local/etc/so_rules /usr/local/etc/lists /var/log/snort create_snort_files /usr/local/etc/rules/local.rules /usr/local/etc/lists/default.blocklist From 706d2afef1f194a9c690f0a85844058f9561a1ca Mon Sep 17 00:00:00 2001 From: Dylane Bengono Date: Wed, 11 Sep 2024 13:44:03 +0100 Subject: [PATCH 06/21] Update Snort installation script for macOS --- scripts/install.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/scripts/install.sh b/scripts/install.sh index 287b4cd..c1b7945 100755 --- a/scripts/install.sh +++ b/scripts/install.sh @@ -135,7 +135,7 @@ install_snort_linux() { # Function to configure Snort logging on macOS configure_snort_logging_macos() { - local config_file="/usr/local/etc/snort/snort.lua" + local config_file="/opt/homebrew/etc/snort/snort.lua" local content_to_add='alert_fast =\n{\n file = true\n}' info_message "Configuring Snort logging" @@ -168,7 +168,7 @@ update_ossec_conf_macos() { # Function to start Snort on macOS start_snort_macos() { info_message "Starting Snort" - maybe_sudo snort -c /usr/local/etc/snort/snort.lua -R /usr/local/etc/rules/local.rules -i en0 -A fast -q -D -l /var/log/snort + maybe_sudo snort -c /opt/homebrew/etc/snort/snort.lua -R /usr/local/etc/rules/local.rules -i en0 -A fast -q -D -l /var/log/snort success_message "Snort started on macOS" } From 64d656870e3ed4357963c648650117f446178914 Mon Sep 17 00:00:00 2001 From: Dylane Bengono Date: Wed, 11 Sep 2024 13:50:12 +0100 Subject: [PATCH 07/21] chore: Update Snort installation script for macOS --- scripts/install.sh | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/scripts/install.sh b/scripts/install.sh index c1b7945..e3c7a99 100755 --- a/scripts/install.sh +++ b/scripts/install.sh 
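Review bot: Hard-coding `/opt/homebrew/etc/snort/snort.lua` in configure_snort_logging_macos only matches the Apple Silicon Homebrew prefix; on Intel Macs Homebrew lives under `/usr/local`, so the path this hunk replaces was correct there and the new one will not exist. Ask Homebrew rather than guessing: `local config_file="$(brew --prefix)/etc/snort/snort.lua"`. The rest of the function continues past this hunk.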
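Review bot: start_snort_macos now reads its config from the `/opt/homebrew` prefix but still loads rules from `/usr/local/etc/rules/local.rules`, the directory install_snort_macos creates, so two prefixes are mixed on one host; derive both from a single root such as `$(brew --prefix)`. The capture interface `-i en0` is also hard-coded, and en0 is not the active uplink on every Mac (USB Ethernet, VPN tunnels), in which case the sensor sits in the background under `-q -D` inspecting nothing and nobody is told. Resolve it at install time, e.g. `iface="$(route -n get default | awk '/interface:/{print $2}')"`, and fail loudly when that is empty rather than falling back silently.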
@@ -81,6 +81,10 @@ create_snort_files() { # Function to install Snort on macOS install_snort_macos() { print_step "Installing" "Snort for macOS" + # Install brew + if ! command -v brew &> /dev/null; then + /bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)" + fi brew install snort create_snort_dirs_files /usr/local/etc/rules /usr/local/etc/so_rules /usr/local/etc/lists /var/log/snort From 868e4864d60363d7987db063d7d85c5e0bd9b123 Mon Sep 17 00:00:00 2001 From: Dylane Bengono Date: Wed, 11 Sep 2024 13:52:19 +0100 Subject: [PATCH 08/21] chore: Update Snort installation script for macOS --- scripts/install.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/scripts/install.sh b/scripts/install.sh index e3c7a99..682617c 100755 --- a/scripts/install.sh +++ b/scripts/install.sh @@ -81,7 +81,7 @@ create_snort_files() { # Function to install Snort on macOS install_snort_macos() { print_step "Installing" "Snort for macOS" - # Install brew + # Install brew if it doesn't exist if ! command -v brew &> /dev/null; then /bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)" fi From cb683f605dc705d9d82d2167a143a036e4024494 Mon Sep 17 00:00:00 2001 From: Dylane Bengono Date: Wed, 11 Sep 2024 13:55:50 +0100 Subject: [PATCH 09/21] chore: Update Snort installation script for macOS --- scripts/install.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/scripts/install.sh b/scripts/install.sh index 682617c..961a893 100755 --- a/scripts/install.sh +++ b/scripts/install.sh @@ -83,7 +83,7 @@ install_snort_macos() { print_step "Installing" "Snort for macOS" # Install brew if it doesn't exist if ! command -v brew &> /dev/null; then - /bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)" + curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh fi brew install snort 
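Review bot: The new Homebrew bootstrap in install_snort_macos executes a script fetched over the network with `/bin/bash -c "$(curl -fsSL …/HEAD/install.sh)"`, so whatever raw.githubusercontent.com serves at that instant runs with the user's privileges and no integrity check, inside an installer that is itself already being run as `curl | bash` per the README. The upstream installer is, as far as I know, interactive unless `NONINTERACTIVE` is set and asks for the user's sudo password, which sits badly inside an unattended pipeline. Fewer surprises if the script keeps the `command -v brew` check and stops: `error_message "Homebrew is required: https://brew.sh"; exit 1`; if auto-install must stay, pin the installer to a commit instead of `HEAD` and verify its checksum before executing it.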
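Review bot: The replacement line `curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh` only downloads the installer and prints it to stdout; nothing executes it, so on a machine without Homebrew the following `brew install snort` still fails with command not found after a few hundred lines of shell have scrolled past. If the intent was to stop running remote code blindly, say so and fail explicitly: `error_message "Homebrew not found; install it from https://brew.sh and re-run"; exit 1`. Otherwise restore the execution, but pinned and checksum-verified.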
From 67adb10bee697037b3b1a34cc4d0a4966424a369 Mon Sep 17 00:00:00 2001 From: Dylane Bengono Date: Wed, 11 Sep 2024 14:00:01 +0100 Subject: [PATCH 10/21] chore: Update Snort installation script for macOS --- scripts/install.sh | 4 ---- 1 file changed, 4 deletions(-) diff --git a/scripts/install.sh b/scripts/install.sh index 961a893..c1b7945 100755 --- a/scripts/install.sh +++ b/scripts/install.sh @@ -81,10 +81,6 @@ create_snort_files() { # Function to install Snort on macOS install_snort_macos() { print_step "Installing" "Snort for macOS" - # Install brew if it doesn't exist - if ! command -v brew &> /dev/null; then - curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh - fi brew install snort create_snort_dirs_files /usr/local/etc/rules /usr/local/etc/so_rules /usr/local/etc/lists /var/log/snort From 5edea25e5920251db234ede4f51dcc3143f567e9 Mon Sep 17 00:00:00 2001 From: Dylane Bengono Date: Wed, 11 Sep 2024 15:29:05 +0100 Subject: [PATCH 11/21] chore: Update Snort installation script for macOS --- scripts/install.sh | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/scripts/install.sh b/scripts/install.sh index c1b7945..80f0505 100755 --- a/scripts/install.sh +++ b/scripts/install.sh @@ -151,9 +151,9 @@ configure_snort_logging_macos() { update_ossec_conf_macos() { local content_to_add=" - snort-full<\/log_format> - \/var\/log\/snort\/alert_fast.txt<\/location> - <\/localfile>" + snort-full + /var/log/snort/alert_fast.txt + " info_message "Updating $OSSEC_CONF_PATH" if ! grep -q "$content_to_add" "$OSSEC_CONF_PATH"; then @@ -165,6 +165,7 @@ update_ossec_conf_macos() { fi } + # Function to start Snort on macOS start_snort_macos() { info_message "Starting Snort" From 28903dfec40ba692d671ac3a6c4699f3ca640637 Mon Sep 17 00:00:00 2001 
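Review bot: The now-unescaped `content_to_add` is interpolated straight into BSD sed's `i\` command with embedded newlines, and sed requires every line of an `i\` text block except the last to end in a backslash, so the second line is parsed as a new sed command and the edit errors out instead of inserting the `<localfile>` block. The same value is used as the `grep -q` pattern: grep treats each newline-separated line as a separate pattern, and because the value starts with a newline the first pattern is empty and matches any non-empty file, so the "already exists" branch is taken unconditionally. Guard on one distinctive line, `if ! maybe_sudo grep -qF '/var/log/snort/alert_fast.txt' "$OSSEC_CONF_PATH"; then`, and build the `i\` text with backslash-terminated lines (or generate it with awk) rather than a bare variable.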
From: Dylane Bengono Date: Wed, 11 Sep 2024 15:35:11 +0100 Subject: [PATCH 12/21] chore: Update Snort installation script for macOS --- scripts/install.sh | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) diff --git a/scripts/install.sh b/scripts/install.sh index 80f0505..e340418 100755 --- a/scripts/install.sh +++ b/scripts/install.sh @@ -156,9 +156,16 @@ update_ossec_conf_macos() { " info_message "Updating $OSSEC_CONF_PATH" + + # Add the Snort configuration to ossec.conf if ! grep -q "$content_to_add" "$OSSEC_CONF_PATH"; then - maybe_sudo sed -i '' "/<\/ossec_config>/i\\ - $content_to_add" "$OSSEC_CONF_PATH" + sudo sed -i '' -e "/<\/ossec_config>/i\\ +\\ +\\ + snort-full\\ + /var/log/snort/alert_fast.txt\\ +" "$OSSEC_CONF_PATH" + success_message "ossec.conf updated on macOS" else info_message "The content already exists in $OSSEC_CONF_PATH" @@ -166,6 +173,7 @@ update_ossec_conf_macos() { } + # Function to start Snort on macOS start_snort_macos() { info_message "Starting Snort" From fb841b0bbdbc789107251028fa7d5e99babb8778 Mon Sep 17 00:00:00 2001 From: Dylane Bengono Date: Wed, 11 Sep 2024 15:49:16 +0100 Subject: [PATCH 13/21] chore: Update Snort installation script for macOS --- scripts/install.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/scripts/install.sh b/scripts/install.sh index e340418..66855ce 100755 --- a/scripts/install.sh +++ b/scripts/install.sh @@ -158,7 +158,7 @@ update_ossec_conf_macos() { info_message "Updating $OSSEC_CONF_PATH" # Add the Snort configuration to ossec.conf - if ! grep -q "$content_to_add" "$OSSEC_CONF_PATH"; then + if ! sudo grep -q "$content_to_add" "$OSSEC_CONF_PATH"; then sudo sed -i '' -e "/<\/ossec_config>/i\\ \\ \\ From 965ef184841824a0c78936ea65b373481cd66888 Mon Sep 17 00:00:00 2001 
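Review bot: The insert now calls `sudo sed` directly while the rest of the script goes through `maybe_sudo`, which exists precisely to cover running as root on a host without sudo; with this line that case fails with command not found, so keep `maybe_sudo sed -i '' …`. `success_message "ossec.conf updated on macOS"` is also printed unconditionally because sed's exit status is never checked, so a malformed `i\` block or an unwritable ossec.conf is reported as success; gate it with `if maybe_sudo sed -i '' … "$OSSEC_CONF_PATH"; then success_message …; else error_message …; fi` unless the file enables `set -e` (its header is outside this hunk). The `grep -q "$content_to_add"` guard is unchanged here and still uses a multi-line value as the pattern, which does not test for the block as a whole.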
From: Dylane Bengono Date: Wed, 11 Sep 2024 16:15:23 +0100 Subject: [PATCH 14/21] chore: Update Snort installation script for macOS --- scripts/install.sh | 92 ++++++++++++++++++++++++---------------------- 1 file changed, 48 insertions(+), 44 deletions(-) diff --git a/scripts/install.sh b/scripts/install.sh index 66855ce..c0a774a 100755 --- a/scripts/install.sh +++ b/scripts/install.sh @@ -80,8 +80,18 @@ create_snort_files() { # Function to install Snort on macOS install_snort_macos() { - print_step "Installing" "Snort for macOS" - brew install snort + # Check if the architecture is M1/ARM or Intel + ARCH=$(uname -m) + + print_step "Installing" "Snort for macOS ($ARCH)" + + if [[ $ARCH == "arm64" ]]; then + maybe_sudo brew install snort + SNORT_CONF_PATH="/opt/homebrew/etc/snort/snort.lua" + else + maybe_sudo brew install snort + SNORT_CONF_PATH="/usr/local/etc/snort/snort.lua" + fi create_snort_dirs_files /usr/local/etc/rules /usr/local/etc/so_rules /usr/local/etc/lists /var/log/snort create_snort_files /usr/local/etc/rules/local.rules /usr/local/etc/lists/default.blocklist @@ -135,7 +145,7 @@ install_snort_linux() { # Function to configure Snort logging on macOS configure_snort_logging_macos() { - local config_file="/opt/homebrew/etc/snort/snort.lua" + local config_file="$SNORT_CONF_PATH" local content_to_add='alert_fast =\n{\n file = true\n}' info_message "Configuring Snort logging" 
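Review bot: Both branches of the new arch switch in install_snort_macos run the identical `maybe_sudo brew install snort`; only `SNORT_CONF_PATH` differs, and Homebrew already knows that difference, so `SNORT_CONF_PATH="$(brew --prefix)/etc/snort/snort.lua"` replaces the whole if/else and also stays right when an Intel Homebrew under `/usr/local` is used on an arm64 machine via Rosetta, where `uname -m` alone misleads. Running brew under sudo also re-introduces the failure patch 05 removed: Homebrew refuses to run as root. `ARCH` and `SNORT_CONF_PATH` are unscoped globals read later by other functions; a one-line note at their assignment, e.g. `# Globals consumed by configure_snort_logging_macos and start_snort_macos`, would make that dependency visible.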
@@ -149,35 +159,35 @@ configure_snort_logging_macos() { # Function to update ossec.conf on macOS update_ossec_conf_macos() { - local content_to_add=" - - snort-full - /var/log/snort/alert_fast.txt - " - info_message "Updating $OSSEC_CONF_PATH" + + if [[ $ARCH == "arm64" ]]; then + content_to_add=" + + snort-full + /var/log/snort/alert_fast.txt + " + else + content_to_add=" + + snort-full + /usr/local/var/log/snort/alert_fast.txt + " + fi - # Add the Snort configuration to ossec.conf - if ! sudo grep -q "$content_to_add" "$OSSEC_CONF_PATH"; then - sudo sed -i '' -e "/<\/ossec_config>/i\\ -\\ -\\ - snort-full\\ - /var/log/snort/alert_fast.txt\\ -" "$OSSEC_CONF_PATH" - + if ! grep -q "$content_to_add" "$OSSEC_CONF_PATH"; then + maybe_sudo sed -i '' "/<\/ossec_config>/i\\ + $content_to_add" "$OSSEC_CONF_PATH" success_message "ossec.conf updated on macOS" else info_message "The content already exists in $OSSEC_CONF_PATH" fi } - - # Function to start Snort on macOS start_snort_macos() { info_message "Starting Snort" - maybe_sudo snort -c /opt/homebrew/etc/snort/snort.lua -R /usr/local/etc/rules/local.rules -i en0 -A fast -q -D -l /var/log/snort + maybe_sudo snort -c "$SNORT_CONF_PATH" -R /usr/local/etc/rules/local.rules -i en0 -A fast -q -D -l /var/log/snort success_message "Snort started on macOS" } @@ -219,13 +229,13 @@ start_snort_linux() { success_message "Snort started on Linux" } -# Function to ensure the script runs with root privileges +# Function to ensure the script runs with appropriate privileges maybe_sudo() { - if [ "$(id -u)" -ne 0 ]; then - if command -v sudo >/dev/null 2>&1; then + if [ "$EUID" -ne 0 ]; then + if command -v sudo &>/dev/null; then sudo "$@" else - error_message "This script requires root privileges. Please run with sudo or as root." + error_message "Please run the script as root or install sudo." exit 1 fi else 
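Review bot: The Intel branch of update_ossec_conf_macos points Wazuh at `/usr/local/var/log/snort/alert_fast.txt`, but start_snort_macos in this same hunk launches Snort with `-l /var/log/snort` regardless of architecture, so on Intel Macs the agent tails a file that is never written and no Snort alert reaches Wazuh. Use the one path that matches `-l` on both branches and the arch switch disappears from this function. The `grep -q` guard also lost the `sudo` the previous commit added; if ossec.conf is not readable by the invoking user, grep fails, `!` turns that into "not present", and a duplicate `<localfile>` block is appended on every run — `maybe_sudo grep -qF '/var/log/snort/alert_fast.txt' "$OSSEC_CONF_PATH"` keeps the check and the privilege model consistent.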
@@ -233,22 +243,16 @@ maybe_sudo() { fi } -# Main function to install and configure Snort -install_snort() { - case "$OSTYPE" in - darwin*) - install_snort_macos - ;; - linux*) - install_snort_linux - ;; - *) - error_message "Unsupported OS type: $OSTYPE" - exit 1 - ;; - esac -} - -# Run the main installation function -install_snort - +# Main logic: install Snort based on the operating system +case "$OS_NAME" in + Linux) + install_snort_linux + ;; + Darwin) + install_snort_macos + ;; + *) + error_message "Unsupported OS: $OS_NAME" + exit 1 + ;; +esac From 8e048c7bdefffdebec3f27787165f1957fa6df3b Mon Sep 17 00:00:00 2001 From: Dylane Bengono Date: Wed, 11 Sep 2024 16:23:47 +0100 Subject: [PATCH 15/21] chore: Update Snort installation script for macOS --- scripts/install.sh | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/scripts/install.sh b/scripts/install.sh index c0a774a..c2513ab 100755 --- a/scripts/install.sh +++ b/scripts/install.sh @@ -86,17 +86,17 @@ install_snort_macos() { print_step "Installing" "Snort for macOS ($ARCH)" if [[ $ARCH == "arm64" ]]; then - maybe_sudo brew install snort + brew install snort SNORT_CONF_PATH="/opt/homebrew/etc/snort/snort.lua" else - maybe_sudo brew install snort + brew install snort SNORT_CONF_PATH="/usr/local/etc/snort/snort.lua" fi create_snort_dirs_files /usr/local/etc/rules /usr/local/etc/so_rules /usr/local/etc/lists /var/log/snort create_snort_files /usr/local/etc/rules/local.rules /usr/local/etc/lists/default.blocklist - echo 'alert icmp any any -> any any ( msg:"ICMP Traffic Detected"; sid:10000001; metadata:policy security-ips alert; )' | maybe_sudo tee /usr/local/etc/rules/local.rules > /dev/null + echo 'alert icmp any any -> any any ( msg:"ICMP Traffic Detected"; sid:10000001; metadata:policy security-ips alert; )' | sudo tee /usr/local/etc/rules/local.rules > /dev/null configure_snort_logging_macos update_ossec_conf_macos From 4e34825bd0bf1e706b6519212c444198e35f19d7 Mon Sep 17 00:00:00 2001 
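Review bot: The new dispatcher switches on `$OS_NAME`, but no hunk in this patch assigns it; unless it is set earlier in the file (outside this diff) the variable is empty, every run lands in the `*)` arm with "Unsupported OS: " and nothing installs, and under `set -u` the script aborts before reaching the case at all. The removed code used the shell-provided `$OSTYPE`, which needs no setup. If `OS_NAME` is intended, define it directly above the case so the dependency is visible: `OS_NAME="$(uname -s)"`.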
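Review bot: `echo '…' | sudo tee /usr/local/etc/rules/local.rules` overwrites the rules file on every run, so any rules an operator has added to local.rules are destroyed the next time the installer is re-executed; seed it only when empty or missing, `[ -s /usr/local/etc/rules/local.rules ] || echo '…' | maybe_sudo tee /usr/local/etc/rules/local.rules >/dev/null`, or append with `tee -a` behind a `grep -qF 'sid:10000001'` check. Dropping `maybe_sudo` from `brew install snort` is right since Homebrew refuses to run as root, but the same hunk swapped `maybe_sudo tee` for `sudo tee`, which breaks the root-without-sudo case the helper exists for. The ICMP rule is a smoke test, not a detection policy; a comment saying so, `# Demo rule to verify the alert pipeline; replace with a real ruleset`, would stop it being mistaken for one.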
From: Dylane Bengono Date: Wed, 11 Sep 2024 16:58:26 +0100 Subject: [PATCH 16/21] chore: Update Snort installation script for macOS --- scripts/install.sh | 47 +++++++++++++++++++++++++++++++--------------- 1 file changed, 32 insertions(+), 15 deletions(-) diff --git a/scripts/install.sh b/scripts/install.sh index c2513ab..9572564 100755 --- a/scripts/install.sh +++ b/scripts/install.sh @@ -162,28 +162,45 @@ update_ossec_conf_macos() { info_message "Updating $OSSEC_CONF_PATH" if [[ $ARCH == "arm64" ]]; then + # ARM (M1) specific Snort configuration content_to_add=" - - snort-full - /var/log/snort/alert_fast.txt - " + + snort-full + /var/log/snort/alert_fast.txt +" + + # Check and add Snort config if not present + if ! sudo grep -q "$content_to_add" "$OSSEC_CONF_PATH"; then + sudo sed -i '' -e "/<\/ossec_config>/i\\ +\\ +\\ + snort-full\\ + /var/log/snort/alert_fast.txt\\ +" "$OSSEC_CONF_PATH" + success_message "ossec.conf updated on macOS ARM (M1)" + else + info_message "The content already exists in $OSSEC_CONF_PATH" + fi else + # Intel specific Snort configuration content_to_add=" - - snort-full - /usr/local/var/log/snort/alert_fast.txt - " - fi - - if ! grep -q "$content_to_add" "$OSSEC_CONF_PATH"; then - maybe_sudo sed -i '' "/<\/ossec_config>/i\\ + + snort-full<\/log_format> + \/usr\/local\/var\/log\/snort\/alert_fast.txt<\/location> +<\/localfile>" + + # Check and add Snort config if not present + if ! grep -q "$content_to_add" "$OSSEC_CONF_PATH"; then + maybe_sudo sed -i '' "/<\/ossec_config>/i\\ $content_to_add" "$OSSEC_CONF_PATH" - success_message "ossec.conf updated on macOS" - else - info_message "The content already exists in $OSSEC_CONF_PATH" + success_message "ossec.conf updated on macOS Intel" + else + info_message "The content already exists in $OSSEC_CONF_PATH" + fi fi } + # Function to start Snort on macOS start_snort_macos() { info_message "Starting Snort" From 000fe37d3aadf36647642ba7ed0e918751e6dfad Mon Sep 17 00:00:00 2001 
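Review bot: The Intel branch checks ossec.conf with an unprivileged `grep -q` while the arm64 branch uses `sudo grep -q`; where ossec.conf is not readable by the invoking user, the Intel grep fails on permissions, `!` reads that as "not present", and a second `<localfile>` block is inserted on every run, leaving duplicate log readers in the agent. Both branches insert the same XML apart from the location, and the Intel `/usr/local/var/log/snort/alert_fast.txt` still disagrees with the `-l /var/log/snort` used by start_snort_macos, so the split doubles the bug surface without fixing either copy. Collapse to one path behind a single fixed-string check: `if ! maybe_sudo grep -qF '/var/log/snort/alert_fast.txt' "$OSSEC_CONF_PATH"; then`.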
From: Dylane Bengono Date: Wed, 11 Sep 2024 17:30:27 +0100 Subject: [PATCH 17/21] chore: Update Snort installation script for macOS --- scripts/install.sh | 21 +++++++++------------ 1 file changed, 9 insertions(+), 12 deletions(-) diff --git a/scripts/install.sh b/scripts/install.sh index 9572564..d9211f6 100755 --- a/scripts/install.sh +++ b/scripts/install.sh @@ -161,15 +161,14 @@ configure_snort_logging_macos() { update_ossec_conf_macos() { info_message "Updating $OSSEC_CONF_PATH" - if [[ $ARCH == "arm64" ]]; then - # ARM (M1) specific Snort configuration - content_to_add=" + content_to_add=" snort-full /var/log/snort/alert_fast.txt " - # Check and add Snort config if not present + if [[ $ARCH == "arm64" ]]; then + # ARM (M1) specific Snort configuration if ! sudo grep -q "$content_to_add" "$OSSEC_CONF_PATH"; then sudo sed -i '' -e "/<\/ossec_config>/i\\ \\ @@ -183,16 +182,13 @@ update_ossec_conf_macos() { fi else # Intel specific Snort configuration - content_to_add=" - - snort-full<\/log_format> - \/usr\/local\/var\/log\/snort\/alert_fast.txt<\/location> -<\/localfile>" - - # Check and add Snort config if not present if ! grep -q "$content_to_add" "$OSSEC_CONF_PATH"; then maybe_sudo sed -i '' "/<\/ossec_config>/i\\ - $content_to_add" "$OSSEC_CONF_PATH" +\\ +\\ + snort-full\\ + /var/log/snort/alert_fast.txt\\ +" "$OSSEC_CONF_PATH" success_message "ossec.conf updated on macOS Intel" else info_message "The content already exists in $OSSEC_CONF_PATH" @@ -201,6 +197,7 @@ update_ossec_conf_macos() { } + # Function to start Snort on macOS start_snort_macos() { info_message "Starting Snort" From 583ce56f528bea7484cf4fbd5000fe99008a389f Mon Sep 17 00:00:00 2001 From: Dylane Bengono Date: Wed, 11 Sep 2024 17:34:51 +0100 Subject: [PATCH 18/21] chore: Update Snort installation script for macOS --- scripts/install.sh | 21 ++++++++++++--------- 1 file changed, 12 insertions(+), 9 deletions(-) diff --git a/scripts/install.sh b/scripts/install.sh index d9211f6..103148c 100755 
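Review bot: `content_to_add` is now assigned without `local` and, as shown, begins with a newline, so when it is used as the `grep -q` pattern the first pattern line is empty; an empty pattern matches every line, `grep -q` succeeds on any non-empty ossec.conf, and the `<localfile>` block is never inserted — which is consistent with the "grep not detecting multiline content" fix later in this series. Match on the single distinctive line instead, `if ! sudo grep -qF '/var/log/snort/alert_fast.txt' "$OSSEC_CONF_PATH"; then`, and restore `local` so the value does not leak into global scope.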
--- a/scripts/install.sh +++ b/scripts/install.sh @@ -161,14 +161,15 @@ configure_snort_logging_macos() { update_ossec_conf_macos() { info_message "Updating $OSSEC_CONF_PATH" - content_to_add=" + if [[ $ARCH == "arm64" ]]; then + # ARM (M1) specific Snort configuration + content_to_add=" snort-full /var/log/snort/alert_fast.txt " - if [[ $ARCH == "arm64" ]]; then - # ARM (M1) specific Snort configuration + # Check and add Snort config if not present if ! sudo grep -q "$content_to_add" "$OSSEC_CONF_PATH"; then sudo sed -i '' -e "/<\/ossec_config>/i\\ \\ @@ -182,13 +183,16 @@ update_ossec_conf_macos() { fi else # Intel specific Snort configuration + content_to_add=" + + snort-full<\/log_format> + /var\/log\/snort\/alert_fast.txt<\/location> +<\/localfile>" + + # Check and add Snort config if not present if ! grep -q "$content_to_add" "$OSSEC_CONF_PATH"; then maybe_sudo sed -i '' "/<\/ossec_config>/i\\ -\\ -\\ - snort-full\\ - /var/log/snort/alert_fast.txt\\ -" "$OSSEC_CONF_PATH" + $content_to_add" "$OSSEC_CONF_PATH" success_message "ossec.conf updated on macOS Intel" else info_message "The content already exists in $OSSEC_CONF_PATH" @@ -197,7 +201,6 @@ update_ossec_conf_macos() { } - # Function to start Snort on macOS start_snort_macos() { info_message "Starting Snort" From 61c5587abbacfceee6ca81b30b7804df5859d19d Mon Sep 17 00:00:00 2001 From: Dylane Bengono Date: Thu, 12 Sep 2024 08:12:38 +0100 Subject: [PATCH 19/21] fix(macos): resolve issue with grep not detecting multiline content in ossec.conf update - Modify grep to check for specific line instead of entire content block - Ensure correct sed command execution based on macOS architecture (M1 and Intel) --- scripts/install.sh | 62 +++++++++++++++------------------------------- 1 file changed, 20 insertions(+), 42 deletions(-) diff --git a/scripts/install.sh b/scripts/install.sh index 103148c..f9f574f 100755 --- a/scripts/install.sh +++ b/scripts/install.sh 
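Review bot: The Intel branch now carries a second, sed-escaped copy of the `<localfile>` XML (`<\/log_format>`, `/var\/log\/snort\/…`) used both as the grep pattern and as the `i\` text, while the arm64 branch a few lines up inserts the identical block as an explicit backslash-continued text; the two branches differ only in how they quote the same four lines. A BRE reads `\/` as a literal slash and BSD sed is, to my knowledge, tolerant of the extra backslashes in `i\` text, so the escapes look harmless but buy nothing, and two encodings of one config fragment is how the arm and Intel paths drift apart. One implementation for both architectures behind `grep -qF '/var/log/snort/alert_fast.txt'` removes the split; the multi-line `grep -q "$content_to_add"` guard still matches any line for the same reason it did before this hunk.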
@@ -143,64 +143,42 @@ install_snort_linux() { start_snort_linux } -# Function to configure Snort logging on macOS -configure_snort_logging_macos() { - local config_file="$SNORT_CONF_PATH" - local content_to_add='alert_fast =\n{\n file = true\n}' - - info_message "Configuring Snort logging" - if ! grep -q "$content_to_add" "$config_file"; then - echo -e "$content_to_add" | maybe_sudo tee -a "$config_file" > /dev/null - success_message "Snort logging configured in $config_file" - else - info_message "Snort logging is already configured in $config_file" - fi -} - -# Function to update ossec.conf on macOS +# Function to update ossec.conf on macOS (M1 and Intel) update_ossec_conf_macos() { + local content_to_add=" + + snort-full + /var/log/snort/alert_fast.txt + " + info_message "Updating $OSSEC_CONF_PATH" - if [[ $ARCH == "arm64" ]]; then - # ARM (M1) specific Snort configuration - content_to_add=" - - snort-full - /var/log/snort/alert_fast.txt -" - - # Check and add Snort config if not present - if ! sudo grep -q "$content_to_add" "$OSSEC_CONF_PATH"; then + # Check if the specific tag exists in the configuration file + if ! sudo grep -q "/var/log/snort/alert_fast.txt" "$OSSEC_CONF_PATH"; then + # Update ossec.conf based on the system architecture (M1 or Intel) + if [[ $(uname -m) == 'arm64' ]]; then + # macOS M1 sudo sed -i '' -e "/<\/ossec_config>/i\\ \\ \\ snort-full\\ /var/log/snort/alert_fast.txt\\ " "$OSSEC_CONF_PATH" - success_message "ossec.conf updated on macOS ARM (M1)" else - info_message "The content already exists in $OSSEC_CONF_PATH" + # macOS Intel + sudo sed -i '' "/<\/ossec_config>/i\\ +$content_to_add" "$OSSEC_CONF_PATH" fi + + success_message "ossec.conf updated on macOS" else - # Intel specific Snort configuration - content_to_add=" - - snort-full<\/log_format> - /var\/log\/snort\/alert_fast.txt<\/location> -<\/localfile>" - - # Check and add Snort config if not present - if ! 
grep -q "$content_to_add" "$OSSEC_CONF_PATH"; then - maybe_sudo sed -i '' "/<\/ossec_config>/i\\ - $content_to_add" "$OSSEC_CONF_PATH" - success_message "ossec.conf updated on macOS Intel" - else - info_message "The content already exists in $OSSEC_CONF_PATH" - fi + info_message "The content already exists in $OSSEC_CONF_PATH" fi } + + # Function to start Snort on macOS start_snort_macos() { info_message "Starting Snort" From 8973302cbff2ed04903026cc599a0680d254d428 Mon Sep 17 00:00:00 2001 From: Dylane Bengono Date: Thu, 12 Sep 2024 08:19:04 +0100 Subject: [PATCH 20/21] chore: Configure Snort logging on macOS --- scripts/install.sh | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/scripts/install.sh b/scripts/install.sh index f9f574f..68e2b37 100755 --- a/scripts/install.sh +++ b/scripts/install.sh @@ -143,6 +143,20 @@ install_snort_linux() { start_snort_linux } +# Function to configure Snort logging on macOS +configure_snort_logging_macos() { + local config_file="$SNORT_CONF_PATH" + local content_to_add='alert_fast =\n{\n file = true\n}' + + info_message "Configuring Snort logging" + if ! grep -q "$content_to_add" "$config_file"; then + echo -e "$content_to_add" | maybe_sudo tee -a "$config_file" > /dev/null + success_message "Snort logging configured in $config_file" + else + info_message "Snort logging is already configured in $config_file" + fi +} + # Function to update ossec.conf on macOS (M1 and Intel) update_ossec_conf_macos() { local content_to_add=" From 03dde42667d7d50f9f171c1f4de219ab866d0d76 Mon Sep 17 00:00:00 2001 From: Dylane Bengono Date: Thu, 12 Sep 2024 08:22:11 +0100 Subject: [PATCH 21/21] chore: Refactor Snort installation script for macOS --- scripts/install.sh | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/scripts/install.sh b/scripts/install.sh index 68e2b37..852b74f 100755 --- a/scripts/install.sh +++ b/scripts/install.sh 
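Review bot: This hunk deletes configure_snort_logging_macos outright, but install_snort_macos (outside this hunk; see the call sequence in patch 15) still invokes it just before update_ossec_conf_macos, so after this commit the macOS path dies with "configure_snort_logging_macos: command not found" and snort.lua never gets `alert_fast` file output enabled — the file Wazuh is pointed at is never produced. Unless the removal is deliberate, keep the function. The replacement guard `sudo grep -q "/var/log/snort/alert_fast.txt"` is the right idea; make it a fixed-string match so the dots are literal, `sudo grep -qF '/var/log/snort/alert_fast.txt' "$OSSEC_CONF_PATH"`, and the `success_message` is still emitted without checking sed's exit status.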
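Review bot: The guard in the restored configure_snort_logging_macos cannot succeed: `content_to_add` is single-quoted, so it holds the two characters `\n` rather than newlines; `echo -e` expands them when writing three lines to snort.lua, but `grep -q "$content_to_add"` then searches for a single-line pattern containing literal backslash sequences that never matches the three-line text (newer GNU grep warns about the stray backslash, BSD grep on macOS just fails to match). Result: another `alert_fast = { file = true }` table is appended to snort.lua on every re-run. Check for the table head instead, `if ! grep -q '^alert_fast *=' "$config_file"; then`, and write the lines with `printf '%s\n' 'alert_fast =' '{' '  file = true' '}'` rather than `echo -e`.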
@@ -192,7 +192,6 @@ $content_to_add" "$OSSEC_CONF_PATH" - # Function to start Snort on macOS start_snort_macos() { info_message "Starting Snort" @@ -264,4 +263,4 @@ case "$OS_NAME" in error_message "Unsupported OS: $OS_NAME" exit 1 ;; -esac +esac \ No newline at end of file