Nonstandard interface names not being detected by sosetup #955

Closed
cskeen opened this Issue Jun 30, 2016 · 12 comments

cskeen commented Jun 30, 2016

Sosetup will not detect anything but standard interface names, which precludes the use of more friendly naming conventions (for example, eth_left or eth_right) for interfaces.

This is caused by the use of the following idiom for detecting interfaces:
cat "/proc/net/dev" | egrep "(eth|bond|wlan|br|ath|bge|mon|fe|em|p[0-5]p)[0-9]+" | awk '{print $1}' | cut -d: -f1 |sort

Changing it to the following would resolve this issue in most cases:
cat "/proc/net/dev" | egrep "(eth|bond|wlan|br|ath|bge|mon|fe|em|p[0-5]p)\w+" | awk '{print $1}' | cut -d: -f1 |sort

This idiom also appears in sosetup-network.

dougburks (Contributor) commented Jun 30, 2016

Hi @cskeen,

If you'd like, you can submit these changes via pull request:
https://github.com/Security-Onion-Solutions/securityonion-setup


dougburks (Contributor) commented Jul 4, 2016


cskeen commented Jul 5, 2016

Thanks! I was planning on doing a pull request when I got in this morning, but it's already done.


weslambert (Collaborator) commented Jul 6, 2016

Does the resolution of this issue (#304) close this issue (#955) -- are these the same?

#304

Thanks,
Wes


dougburks (Contributor) commented Jul 6, 2016

Looking at #304, I see that @timwhisnant submitted an alternative idiom that was less strict.

I went back and looked at where our idiom originally came from and found it in /usr/lib/nsmnow/lib-nsm-common-utils. We've had to update it many times over the years to allow for more modern interfaces and we still don't allow for totally custom interface names like "DMZ".

I wonder if it's time to move to a less strict idiom so that we won't have to update this anymore. Something like this:

awk '/:/ {print $1}' /proc/net/dev | tr -d ':' |grep -v "^lo$" | sort

In words:

  • search /proc/net/dev for lines that contain a colon (:) and print the first field of those lines
  • remove the colons from all entries in the list
  • remove the loopback interface from the list
  • sort the final listing

Thoughts?


cskeen commented Jul 6, 2016

I, for one, would prefer the less strict idiom. Having sosetup fail to detect an interface because it has an unusual name seems like more of a problem than the off chance of some bogus interface showing up in /proc/net/dev. In that sense, I feel that it would be better to present all the interface options (other than loopback) rather than trying to filter them for some expected convention.


dougburks (Contributor) commented Jul 6, 2016

timwhisnant commented Jul 6, 2016

My only concern when submitting this issue was that the sguil database would have issues parsing the interface names (there's also the concern with validating input, bad things could occur). We've used a similar patch in production for two+ years without issue, so should be good.
On Jul 6, 2016 10:05 AM, "Doug Burks" notifications@github.com wrote:

submitted for testing:
https://groups.google.com/d/topic/security-onion-testing/bN-9Pgb19w8/discussion


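To see the difference between the strict idiom from the issue and the less strict one proposed above, and to address the input-validation concern in the last comment, here is an added example that is not part of the thread or of the securityonion-setup code. It runs both idioms, plus a hardened variant, over a constructed /proc/net/dev sample; the allowlist in valid_ifname is an assumed policy, not anything the project ships.

```shell
#!/bin/sh
# Added example, not code from securityonion-setup: runs the strict and the
# less strict /proc/net/dev idioms from the thread over a constructed sample,
# then applies a conservative name check for the input-validation concern.
export LC_ALL=C   # deterministic sort order

# Constructed sample. eth0's receive-bytes count fills the kernel's %8llu
# column, so there is no space between its colon and the number.
SAMPLE_DEV=$(mktemp)
trap 'rm -f "$SAMPLE_DEV"' EXIT
cat > "$SAMPLE_DEV" <<'EOF'
Inter-|   Receive                                                |  Transmit
 face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed
    lo:    1234      10    0    0    0     0          0         0     1234      10    0    0    0     0       0          0
  eth0:987654321  123456    0    0    0     0          0         0   765432    5000    0    0    0     0       0          0
eth_left:    5678      20    0    0    0     0          0         0     5678      20    0    0    0     0       0          0
   DMZ:    9999      30    0    0    0     0          0         0     9999      30    0    0    0     0       0          0
EOF
# Original strict idiom (grep -E is the same as the thread's egrep): a numeric
# suffix is required, so eth_left and DMZ are never offered.
strict_ifaces() {
    grep -E "(eth|bond|wlan|br|ath|bge|mon|fe|em|p[0-5]p)[0-9]+" "$SAMPLE_DEV" \
        | awk '{print $1}' | cut -d: -f1 | sort
}
# Less strict idiom from the thread. Edge case: on the eth0 line $1 is
# "eth0:987654321", and tr only removes the colon, leaving a mangled name.
loose_ifaces() {
    awk '/:/ {print $1}' "$SAMPLE_DEV" | tr -d ':' | grep -v "^lo$" | sort
}
# Hardened variant: split on the colon first, then strip surrounding blanks.
robust_ifaces() {
    awk -F: '/:/ {gsub(/[ \t]/, "", $1); print $1}' "$SAMPLE_DEV" | grep -v "^lo$" | sort
}
# Conservative allowlist to apply before a name reaches a database or another
# command: 1-15 characters (IFNAMSIZ-1) from a safe set. This is an assumed
# policy, stricter than the kernel's own rules for interface names.
valid_ifname() {
    case "$1" in
        ''|*[!A-Za-z0-9_.-]*) return 1 ;;
    esac
    [ "${#1}" -le 15 ]
}
# Print what each idiom would offer, flagging names that fail the allowlist.
for f in strict_ifaces loose_ifaces robust_ifaces; do
    echo "== $f"
    for name in $($f); do
        valid_ifname "$name" && echo "  $name" || echo "  $name  (rejected)"
    done
done
```

The loose idiom yields "eth0987654321" for the busy interface, which the allowlist cannot catch because it looks like a plausible name; the parsing fix is what prevents it.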


dougburks (Contributor) commented Jul 7, 2016

Thanks all!


dougburks closed this Jul 18, 2016
