ITUS Shield v2 script to update snort.rules, adapted from v1.5 `fw_upgrade`

\etc\snort\rules\emerging-threats.rules

# Uncommented rules/*.rules files below are included as DROPs within your snort.rules
# updaterules.sh extracts them selectively from https://rules.emergingthreats.net/open/snort-edge/emerging.rules.tar.gz

# Emerging Threats FAQ https://doc.emergingthreats.net/bin/view/Main/EmergingFAQ

# BotCC: Detect hosts communicating with a known and active Bot or Malware command and control server.
rules/emerging-botcc.portgrouped.rules
rules/emerging-botcc.rules

# CIArmy: Subset of CINS Active Threat Intelligence rules, where an IP's 'Rogue Packet' score is poor or it has tripped a number of trusted alerts around the world.
rules/emerging-ciarmy.rules

# Compromised: Hosts compromised by bots, phishing sites, or spewing hostile traffic. These are not your everyday infected and sending a bit of spam hosts, these are significantly infected and hostile hosts.
rules/emerging-compromised.rules

# Current Events 
# Most often simple sigs for the Storm binary URL of the day, sigs to catch CLSIDs of newly found vulnerable apps where we don't have detail on the exploit.
# Useful sigs but not for the long term until they have been properly tested.
rules/emerging-current_events.rules

# Don't Route or Peer (DROP): Daily updated list of the Spamhaus Don't Route or Peer list. Primarily known professional spammers. More info at http://www.spamhaus.org
rules/emerging-drop.rules

# Dshield: Daily updated list of the DShield top attackers list. Reliable. More info at http://www.dshield.org
rules/emerging-dshield.rules

# Exploits: Detect direct exploits including Windows exploits, Veritas, etc.
rules/emerging-exploit.rules

# Malware: Spyware and other things you don't want running on your network. URL hooks for known update schemes, User-Agent strings of known malware, and a load of other goodies.
rules/emerging-malware.rules
rules/emerging-mobile_malware.rules

# Scan: Things to detect reconnaissance and probing. Nessus, Nikto, portscanning, etc. Early warning stuff.
rules/emerging-scan.rules

rules/emerging-trojan.rules
rules/emerging-user_agents.rules

# Web clients: Some SQL Injection, web server overflows, vulnerable web apps, that kind of thing. Very important if you're running web servers, and pretty reasonable load.
rules/emerging-web_client.rules
rules/emerging-worm.rules

# Optionally uncomment others below, depending on what you're running on your network
# Descriptions at https://doc.emergingthreats.net/bin/view/Main/EmergingFAQ#What_is_the_general_intent_of_ea
# rules/emerging-activex.rules
# rules/emerging-attack_response.rules
# rules/emerging-chat.rules
# rules/emerging-deleted.rules
# rules/emerging-dns.rules
# rules/emerging-dos.rules
# rules/emerging-ftp.rules
# rules/emerging-games.rules
# rules/emerging-icmp.rules
# rules/emerging-icmp_info.rules
# rules/emerging-imap.rules
# rules/emerging-inappropriate.rules
# rules/emerging-info.rules
# rules/emerging-misc.rules
# rules/emerging-netbios.rules
# rules/emerging-p2p.rules
# rules/emerging-policy.rules
# rules/emerging-pop3.rules
# rules/emerging-rpc.rules
# rules/emerging-scada.rules
# rules/emerging-shellcode.rules
# rules/emerging-smtp.rules
# rules/emerging-snmp.rules
# rules/emerging-sql.rules
# rules/emerging-telnet.rules
# rules/emerging-tftp.rules
# rules/emerging-tor.rules
# rules/emerging-voip.rules
# rules/emerging-web_server.rules
# rules/emerging-web_specific_apps.rules

\etc\snort\updaterules.sh

#!/bin/sh

# Wrapper to handle downloads
download () {
	# try  
	{
		local ruleset=$1
		local url=$2
		local followRedirect=$3
		local timeout=$4
		
		if [ -z "$timeout" ] ; then timeout=120 ; fi
		
		echo " "
		echo "Downloading $ruleset"
		echo "  $url"

		if [ "$followRedirect" == "true" ]
		then
			curl -k -1 -m $timeout -o $ruleset -L $url		
		else
			curl -k -1 -m $timeout -o $ruleset $url
		fi
	} || {		
		echo "Unable to download rules '$1' from $2"
		echo "*error*	 $1" >> rule_counter.log
		return 1
	}
}

# Ingests files conforming to a specified filespec, appending lines from each to alert.list
ingest () {	
	# try  
	{
		for filename in $(ls $1)
		do
			# Extract rules to alert.tmp
			cat $filename | sed '/^\#/d' | sed '/^$/d' > alert.tmp &&
			# Append to alert.list
			cat alert.tmp >> alert.list	&&
			# Output count to rule_counter.log
			local count=$(wc -l alert.tmp | awk '{print $1}')
			printf "%7d\t%s\n" $count "$filename" >> rule_counter.log
		done
		return 0		
	} || {
		echo "Unable to ingest rules '$1'"
		echo "*error*	 $1" >> rule_counter.log
		return 1
	}
}

# Downloads and ingests rules from an url
# (gzips will be unpacked, resultant $filenames spec should be provided as the last argument)
downloadAndIngest() {
	local ruleset=$1
	local url=$2
	local followRedirect=$3
	local filenames=$4
	if [ -n "$url" ]
	then
		if [ -z "$filenames" ] ; then
			filenames=$ruleset
		fi
		download "$ruleset" "$url" $followRedirect &&
		(
			(file "$ruleset" | grep -q gzip  &&
			 mv "$ruleset" "$ruleset.tar.gz" &&
			 tar -zxf "$ruleset.tar.gz") ||
			touch "$ruleset" # null op - no unzip required
		) &&
		ingest "$filenames" && 
		return 0
	fi
	return 1
}

# Prepare /tmp/snort/ and cumulative output files
echo " "
echo "Preparing working directory for rule download and ingestion"
echo "/tmp/snort"
if [ ! -d "/tmp/snort" ] ; then	mkdir /tmp/snort ; else	rm -rf /tmp/snort/* ; fi
cd /tmp/snort
touch alert.list
touch ip.list

# Prepare rule_counter.log
echo "# Rules  Set processed by etc/snort/updaterules.sh"  > rule_counter.log
echo "-------- -----------------------------------------" >> rule_counter.log

# NOTE: Snort Community Rules ~1.7MB (`true` below flags that 302 redirects should be followed -> actual file is in an Amazon S3 bucket)
downloadAndIngest community-rules    https://www.snort.org/downloads/community/community-rules.tar.gz  true  community-rules/*.rules

# SSL Blacklist: Bad SSL certificates identified by abuse.ch to be associated with malware or botnet activities in the past 30 days.
downloadAndIngest abuse-sslbl.rules  https://sslbl.abuse.ch/blacklist/sslipblacklist.rules

# SSL Aggressive: Bad SSL certificates *ever* identified by abuse.ch to be associated with malware or botnet activities.
# Since IP addresses can change, may contain false positives - comment out by default
# downloadAndIngest abuse-dyre.rules https://sslbl.abuse.ch/blacklist/dyre_sslipblacklist_aggressive.rules

# ZeuS servers: DISCONTINUED 2019-07 https://zeustracker.abuse.ch/byebye.php?download=snort
# downloadAndIngest zeus.rules       https://zeustracker.abuse.ch/blocklist.php?download=snort

# Emerging Threats zip ~2.3MB        https://doc.emergingthreats.net/bin/view/Main/EmergingFAQ
download emerging-threats.tar.gz     https://rules.emergingthreats.net/open/snort-edge/emerging.rules.tar.gz  &&
(
	# Extract emerging-threats.tar.gz, assumed it will unzip to folder "rules"
	echo " "

	# Look for pre-defined subset of rules to extract
	if [ -f "/etc/snort/rules/emerging-threats.rules" ]; then
		echo "Extracting subset listed in /etc/snort/rules/emerging-threats.rules"
		# Expect errors due to commented lines, so send error output to null
		tar -zxvf "emerging-threats.tar.gz" -T "/etc/snort/rules/emerging-threats.rules" 2>/dev/null
		# Also extract IP blacklist and sid-msg.map for later use
		tar -zxvf "emerging-threats.tar.gz" "rules/compromised-ips.txt" "rules/sid-msg.map"

	else # unzip the lot
		echo "Extracting:"
		tar -zxvf "emerging-threats.tar.gz"
	fi

	# Now ingest *.rules
	ingest "rules/*.rules"
)

echo " "
echo "Changing rules that only alert to drop instead"
sed -i 's/alert /drop /' alert.list
# wc -l alert.list
sed '/^\#/d' alert.list >> drop.list
# wc -l drop.list
sed '/^$/d' drop.list | sort | uniq > drop.sorted
# wc -l drop.sorted

# Snort only allows one sid number, so we have to delete where rules contain multiple revisions
echo "Removing rules with extra sid revision numbers"
cat drop.sorted | awk -F"sid:" '{print $2}' | awk -F";" '{print $1}' | sort | uniq -d > duplicate.sids
touch duplicate.sed
for i in $(cat duplicate.sids)
do
	echo "0,/$i/{/$i/d}" >> duplicate.sed
done
cat drop.sorted | awk -F"sid:" '{print $2 $1}' | sort > drop.tmp
sed -i -f duplicate.sed  drop.tmp
sed -i 's/^/sid:/' drop.tmp
cat drop.tmp | awk -F";)" '{print $2 $1}' | sort > drop.sorted
sed -i 's/$/;\)/' drop.sorted

# Exclude rules determined by ITUS Networks to cause web site issues
# Searching and removing ~100 rules takes a couple of minutes
# (note: as of August 2019 though, none seem to be present in default sets above)
if [ -f "/etc/snort/rules/exclude.rules" ]; then
	echo "-------- -----------------------------------------" >> rule_counter.log
	count=$(wc -l drop.sorted | awk '{print $1}')
	printf "%7d\t%s\n" $count "unique rules before applying exclude.rules" >> rule_counter.log
	original=$(wc -l drop.sorted | awk '{print $1}')
	total=$(wc -l /etc/snort/rules/exclude.rules | awk '{print $1}')
	pattern=0
	for sid in $(cat /etc/snort/rules/exclude.rules)
	do
		if [ "$sid" -eq "$sid" ] 2>/dev/null
		then # it's an integer sid
			percent=$((++pattern*100/total))
			printf "\rExcluding rules that can cause web site issues: %3d%%" $percent;
			sed -i "/sid:$sid/s/^/#/" drop.sorted
		fi
	done
	printf "\rExcluding rules that can cause web site issues: 100%%\n";
	final=$(wc -l drop.sorted | awk '{print $1}')
	if [ "$final" -eq "$original" ] 2>/dev/null
	then
		echo "No rules excluded - consider removing old sids from /etc/snort/rules/exclude.rules"
	else
		removed=$((final-original))
		echo "$removed rules removed"
	fi
fi

# Remove carriage return characters and blank lines
tr -d '\r' < drop.sorted | awk 'NF' > snort.rules

# Cleanup working files
echo "Cleaning up working files"
rm -f ip.list alert.* duplicate.* drop.*

# Update IP blacklists ---------------------------------
echo " "
echo "Updating IP blacklists"
echo "-------- -----------------------------------------" >> rule_counter.log

# rules/compromised-ips.txt comes from emerging-threats.tar.gz downloaded above
if [ -f "rules/compromised-ips.txt" ]; then
	cat rules/compromised-ips.txt >> ip.list
	count=$(wc -l rules/compromised-ips.txt | awk '{print $1}')
	printf "%7d\t%s\n" $count "rules/compromised-ips.txt" >> rule_counter.log
fi

# Snort Community blacklist url found via https://blog.snort.org/2015/09/ip-blacklist-feed-has-moved-locations.html
# Note other potentially useful urls within https://github.com/shirkdog/pulledpork/blob/master/etc/pulledpork.conf
download talos-ip-blacklist.txt https://talosintelligence.com/documents/ip-blacklist true  # follow url 302 redirects
if [ -f "talos-ip-blacklist.txt" ]; then
	cat talos-ip-blacklist.txt >> ip.list
	count=$(wc -l talos-ip-blacklist.txt | awk '{print $1}')
	printf "%7d\t%s\n" $count "talos-ip-blacklist.txt" >> rule_counter.log
fi

# Output unique IPs from our downloaded blacklist(s) to L2.blacklist
awk '!seen[$0]++' ip.list > L2.blacklist

# Update rule_counter.log with final results
echo "-------- -----------------------------------------" >> rule_counter.log
count=$(wc -l snort.rules | awk '{print $1}')
printf "%7d\t%s\n" $count "snort.rules" >> rule_counter.log
count=$(wc -l L2.blacklist | awk '{print $1}')
printf "%7d\t%s\n" $count "L2.blacklist" >> rule_counter.log
echo \ >> rule_counter.log
echo " "
echo "Displaying rule_counter.log"
echo " "
cat rule_counter.log

# Replace snort files and restart ----------------------
if [ -s "snort.rules" ]; then
	echo "Replacing /etc/snort/rules/snort.rules"
	mv /etc/snort/rules/snort.rules /etc/snort/rules/snort.rules.bak
	mv snort.rules /etc/snort/rules/snort.rules
else
	echo "No snort rules downloaded"
fi
if [ -s "L2.blacklist" ]; then
	echo "Replacing /etc/snort/rules/iplists/L2.blacklist"
	mv /etc/snort/rules/iplists/L2.blacklist /etc/snort/rules/iplists/L2.blacklist.bak
	mv L2.blacklist /etc/snort/rules/iplists/L2.blacklist
else
	echo "No IP blacklists downloaded"
fi
cp -f rule_counter.log /var/log/snort/rule_counter.log

echo "Restarting SNORT service"
# service snort restart
/etc/init.d/snort restart
sleep 1
echo " "
cd /etc/snort
exit 0

\usr\lib\lua\luci\model\cbi\snort.lua

--[[

LuCI Snort module

Copyright (C) 2015, Itus Networks, Inc.

Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

	http://www.apache.org/licenses/LICENSE-2.0

Author: Luka Perkov <luka@openwrt.org>

Version 4:
Redo some of the system calls and file paths for the updated Firmware

version 3
Modified by Roadrunnere42 added if then statement to choose which mode the shield's in and display in >>services >> intrusion prevention window
either one snort config file or 2 snort config files if running in router mode.

version 2
Modified by Roadrunnere42 to include a tab called priority 1 logs in intrusion prevention window, which displays any IPS rules that has trigger a priority 1 log in the IPS log.
/usr/lib/lua/luci/model/cbi/snort.lua - changed
/tmp/snort/priority1 - added to hold priority 1 logs

version 1
Modified by Roadrunnere42 to include a tab called rule counter in intrusion prevention window, which displays the number of rules that each rule set has.
This requires the following files to be changed or added
/tmp/rule_counter.log                 - created when run
/sbin/fw_upgrade.sh                   - changed
/usr/lib/lua/luci/model/cbi/snort.lua - changed

]]--

local fs = require "nixio.fs"
local sys = require "luci.sys"
require "ubus"

m = Map("snort", translate("Intrusion Prevention"), translate("<p>Changes may take a couple of minutes to take effect, service may be interrupted during that time.  Where you have edited rules, the system will need to download and re-process the new rulesets and any exclusions specified.</p><p>The IPS engine will restart each time you click the Save & Apply or On/Off button.</p><p><b>DO NOT REFRESH</b> if you see a <b>Bad Gateway</b> timeout message presented, since that may re-process your changes again.  Instead, place the cursor in your address bar and press Enter to re-navigate back to this page.</p>"))

m.on_init = function()
--[[
   -- Get the Shield Mode
   io.input("/var/.mode")
   line = io.read("*line")
   if line == "Router" then
   luci.sys.call("cp /var/log/snort/alert.fast /var/log/snort/alert.log")
   luci.sys.call("sed '1!G;h$!d' /var/log/snort/alert.log > /var/log/snort/snort_luci.log")
   luci.sys.call("rm /var/log/snort/alert.log")
   end
   luci.sys.call("grep -i 'priority: 1' /var/log/snort/snort_luci.log > /var/log/snort/priority1.log")
--]]
end

m.reset = false
m.submit = false

s = m:section(NamedSection, "snort")
s.anonymous = true
s.addremove = false

s:tab("tab_basic", translate("Basic Settings"))
s:tab("tab_advanced", translate("Advanced Settings"))
s:tab("tab_engine", translate("Engine"))
s:tab("tab_preprocessors", translate("Preprocessors"))
s:tab("tab_other", translate("Other Settings"))
s:tab("tab_priority", translate("IPS Priority 1 Log"))
s:tab("tab_logs", translate("IPS Logs"))
s:tab("tab_threshold", translate("Threshold Config"))
s:tab("tab_emerging_threats", translate("Emerging Threats"))
s:tab("tab_custom", translate("Custom Rules"))
s:tab("tab_rules", translate("Exclude Rules"))
s:tab("tab_counter", translate("Rule Counter"))
--s:tab("tab_snort1", translate("Snort Rules Selector"))

	--------------------- Basic Tab ------------------------
	local status="not running"
	require "ubus"
	local conn = ubus.connect()
	if not conn then
   		error("Failed to connect to ubusd")
	end

	for k, v in pairs(conn:call("service", "list", { name="snort" })) do
   		status="running"
	end

	button_start = s:taboption("tab_basic",Button, "start", translate("Status: "))
  	if status == "running" then
  		 button_start.inputtitle = "ON"
  	else
   		button_start.inputtitle = "OFF"
  	end

  	button_start.write = function(self, section)
   		if status == "not running" then
      			sys.call("service snort start")
      			button_start.inputtitle = "ON"
      			button_start.title = "Status: "
   		else
      			sys.call("service snort stop")
      			button_start.inputtitle = "OFF"
      			button_start.title = "Status: "
   		end
	end

  	if status == "running" then
   		button_restart = s:taboption("tab_basic", Button, "restart", translate("Restart: "))
   		button_restart.inputtitle = "Restart"
   		button_restart.write = function(self, section)
      		sys.call("service snort restart")   
   	end
  end

--[[  io.input("/var/.mode")
  line = io.read("*line")
  if line == "Router" then
   --------------------- Snort Instance WAN Tab -----------------------

   config_file1 = s:taboption("tab_wan", TextValue, "text1", "")
   config_file1.wrap = "off"
   config_file1.rows = 25
   config_file1.rmempty = false

   function config_file1.cfgvalue()
      local uci = require "luci.model.uci".cursor_state()
      file = "/etc/snort/snort7.conf"
      if file then
         return fs.readfile(file) or ""
      else
         return ""
      end
   end

   function config_file1.write(self, section, value)
      if value then
         local uci = require "luci.model.uci".cursor_state()
	       file = "/etc/snort/snort7.conf"
	       fs.writefile(file, value:gsub("\r\n", "\n"))
	       luci.sys.call("/etc/init.d/snort restart")
      end
   end
   ---------------------- Snort Instance LAN Tab ------------------------

   config_file2 = s:taboption("tab_lan", TextValue, "text2", "")
   config_file2.wrap = "off"
   config_file2.rows = 25
   config_file2.rmempty = false

   function config_file2.cfgvalue()
      local uci = require "luci.model.uci".cursor_state()
      file = "/etc/snort/snort8.conf"
      if file then
         return fs.readfile(file) or ""
      else
         return ""
      end
   end

   function config_file2.write(self, section, value)
      if value then
         local uci = require "luci.model.uci".cursor_state()
	 file = "/etc/snort/snort8.conf"
	 fs.writefile(file, value:gsub("\r\n", "\n"))
	 luci.sys.call("/etc/init.d/snort restart")
      end
   end

   else
   ---------------------- Snort Config Tab ------------------------

   config_file2 = s:taboption("tab_config", TextValue, "config1", "")
   config_file2.wrap = "off"
   config_file2.rows = 25
   config_file2.rmempty = false

   function config_file2.cfgvalue()
      local uci = require "luci.model.uci".cursor_state()
      file = "/etc/snort/snort_bridge.conf"
      if file then
         return fs.readfile(file) or ""
      else
	       return ""
      end
   end

   function config_file2.write(self, section, value)
      if value then
         local uci = require "luci.model.uci".cursor_state()
         file = "/etc/snort/snort_bridge.conf"
         fs.writefile(file, value:gsub("\r\n", "\n"))
         luci.sys.call("/etc/init.d/snort restart")
      end
   end
end
--]]

	--------------------- Advanced Tab -----------------------

        config_file1 = s:taboption("tab_advanced", TextValue, "text1", "")
        config_file1.wrap = "off"
        config_file1.rows = 25
        config_file1.rmempty = false

        function config_file1.cfgvalue()
                local uci = require "luci.model.uci".cursor_state()
                file = "/etc/snort/profile/config1_advanced.conf"
                if file then
                        return fs.readfile(file) or ""
                else
                        return ""
                end
        end

        function config_file1.write(self, section, value)
                if value then
                        local uci = require "luci.model.uci".cursor_state()
                        file = "/etc/snort/profile/config1_advanced.conf"
                        fs.writefile(file, value:gsub("\r\n", "\n"))
                        luci.sys.call("/etc/init.d/snort restart")
--                      luci.sys.call("/etc/init.d/suricata restart")
                end
        end


        ---------------------- Engine Tab ------------------------

        config_file2 = s:taboption("tab_engine", TextValue, "text2", "")
        config_file2.wrap = "off"
        config_file2.rows = 25
        config_file2.rmempty = false

        function config_file2.cfgvalue()
                local uci = require "luci.model.uci".cursor_state()
                file = "/etc/snort/profile/config2_engine.conf"
                if file then
                        return fs.readfile(file) or ""
                else
                        return ""
                end
        end

        function config_file2.write(self, section, value)
                if value then
                        local uci = require "luci.model.uci".cursor_state()
                        file = "/etc/snort/profile/config2_engine.conf"
                        fs.writefile(file, value:gsub("\r\n", "\n"))
                        luci.sys.call("/etc/init.d/snort restart")
--                      luci.sys.call("/etc/init.d/suricata restart")
                end
        end

        ------------------- Preprocessors Tab ---------------------

        config_file3 = s:taboption("tab_preprocessors", TextValue, "text3", "")
        config_file3.wrap = "off"
        config_file3.rows = 25
        config_file3.rmempty = false

        function config_file3.cfgvalue()
                local uci = require "luci.model.uci".cursor_state()
                file = "/etc/snort/profile/config3_preprocessors.conf"
                if file then
                        return fs.readfile(file) or ""
                else
                        return ""
                end
        end

        function config_file3.write(self, section, value)
                if value then
                        local uci = require "luci.model.uci".cursor_state()
                        file = "/etc/snort/profile/config3_preprocessors.conf"
                        fs.writefile(file, value:gsub("\r\n", "\n"))
                        luci.sys.call("/etc/init.d/snort restart")
--                      luci.sys.call("/etc/init.d/suricata restart")
                end
        end

        --------------------- Other Tab ------------------------

        config_file4 = s:taboption("tab_other", TextValue, "text4", "")
        config_file4.wrap = "off"
        config_file4.rows = 25
        config_file4.rmempty = false

        function config_file4.cfgvalue()
                local uci = require "luci.model.uci".cursor_state()
                file = "/etc/snort/profile/config4_other.conf"
                if file then
                        return fs.readfile(file) or ""
                else
                        return ""
                end
        end

        function config_file4.write(self, section, value)
                if value then
                        local uci = require "luci.model.uci".cursor_state()
                        file = "/etc/snort/profile/config4_other.conf"
                        fs.writefile(file, value:gsub("\r\n", "\n"))
                        luci.sys.call("/etc/init.d/snort restart")
--                      luci.sys.call("/etc/init.d/suricata restart")
                end
        end

	---------------------- Threshold Config Tab ------------------------

	config_file5 = s:taboption("tab_threshold", TextValue, "threshold", "")
	config_file5.wrap = "off"
	config_file5.rows = 25
	config_file5.rmempty = false

	function config_file5.cfgvalue()
		local uci = require "luci.model.uci".cursor_state()
		file = "/etc/snort/threshold.conf"
		if file then
			return fs.readfile(file) or ""
		else
			return ""
		end
	end

	function config_file5.write(self, section, value)
		if value then
			local uci = require "luci.model.uci".cursor_state()
			file = "/etc/snort/threshold.conf"
			fs.writefile(file, value:gsub("\r\n", "\n"))
			luci.sys.call("/etc/init.d/snort restart")
		end
	end

	---------------------- Emerging Threats Tab ------------------------
	config_file6 = s:taboption("tab_emerging_threats", TextValue, "emergingThreats", translate("Uncomment rules from <a href='https://doc.emergingthreats.net/bin/view/Main/EmergingFAQ' target='_blank'>Emerging Threats</a> that you want included as DROPs within your snort.rules"))
	config_file6.wrap = "off"
	config_file6.rows = 25
	config_file6.rmempty = false

	function config_file6.cfgvalue()
		local uci = require "luci.model.uci".cursor_state()
		file = "/etc/snort/rules/emerging-threats.rules"
		if file then
			return fs.readfile(file) or ""
		else
			return ""
		end
	end

	function config_file6.write(self, section, value)
		if value then
			local uci = require "luci.model.uci".cursor_state()
			file = "/etc/snort/rules/emerging-threats.rules"
			fs.writefile(file, value:gsub("\r\n", "\n"))
			luci.sys.call("/etc/snort/updaterules.sh")
		end
	end

	---------------------- Custom Rules Tab ------------------------

	config_file7 = s:taboption("tab_custom", TextValue, "customRules", "")
	config_file7.wrap = "off"
	config_file7.rows = 25
	config_file7.rmempty = false

	function config_file7.cfgvalue()
		local uci = require "luci.model.uci".cursor_state()
		file = "/etc/snort/rules/local.rules"
		if file then
			return fs.readfile(file) or ""
		else
			return ""
		end
	end

	function config_file7.write(self, section, value)
		if value then
			local uci = require "luci.model.uci".cursor_state()
			file = "/etc/snort/rules/local.rules"
			fs.writefile(file, value:gsub("\r\n", "\n"))
			luci.sys.call("/etc/init.d/snort restart")
		end
	end

	--------------------- Exclude Rules Tab ------------------------

	config_file8 = s:taboption("tab_rules", TextValue, "excludeRules", translate("<p>Some rules can cause issues with certain apps or websites</p><p>You can exclude these rules if you identify their <abbr title=\"Snort Intrusion Detection\">sid</abbr> numbers</p><p><a href='https://snort.org/documents#OfficialDocumentation' target='_blank'>Read more</a></p>"))
   config_file8.wrap = "off"
	config_file8.rows = 25
	config_file8.rmempty = false

	function config_file8.cfgvalue()
		local uci = require "luci.model.uci".cursor_state()
		file = "/etc/snort/rules/exclude.rules"
		if file then
		return fs.readfile(file) or ""
	else
		return ""
	end
end

	function config_file8.write(self, section, value)
	if value then
		local uci = require "luci.model.uci".cursor_state()
		file = "/etc/snort/rules/exclude.rules"
		fs.writefile(file, value:gsub("\r\n", "\n"))
      luci.sys.call("/etc/snort/updaterules.sh")
	end
end

	--------------------- Logs Tab ------------------------

	snort_logfile = s:taboption("tab_logs", TextValue, "logfile", "")
	snort_logfile.wrap = "off"
	snort_logfile.rows = 25
	snort_logfile.rmempty = false

	function snort_logfile.cfgvalue()
		local uci = require "luci.model.uci".cursor_state()
		local file = "/var/log/snort/snort_luci.log"
		if file then
			return fs.readfile(file) or ""
		else
			return ""
		end
end

	---------------------Priority Tab ------------------------
	snort_logfile1 = s:taboption("tab_priority", TextValue, "IPS Priority 1 Log", "")
	snort_logfile1.wrap = "off"
	snort_logfile1.rows = 25
	snort_logfile1.rmempty = false

	function snort_logfile1.cfgvalue()
		local uci = require "luci.model.uci".cursor_state()
		local file = "/etc/snort/logs/priority1.log"
	if file then
		return fs.readfile(file) or ""
	else
		return ""
	end
end

	--------------------- Rule Counter Tab ------------------------

counter = s:taboption("tab_counter", TextValue, "Counter", "")
counter.wrap = "off"
counter.rows = 25
counter.rmempty = false

function counter.cfgvalue()
	local uci = require "luci.model.uci".cursor_state()
	local file = "/var/log/snort/rule_counter.log"
	if file then
		return fs.readfile(file) or ""
	else
		return ""
	end
end

	--------------------- snort rule selector Tab ------------------------


--	firefox = s:taboption("tab_snort1", Flag, "content_firefox", translate("Firefox"))
-- firefox.default=firefox.disabled
--	firefox.rmempty = false

	--firefox = s:taboption("tab_snort1", Flag, "content_firefox", translate("Firefox"))
--	firefox.default=snort1.enabled
--	firefox.rmempty = false








return m

Commented ZeuS section - discontinued July 8 per https://zeustracker.abuse.ch/byebye.php?download=snort

Added Snort community rules - see https://snort.org/faq/what-are-community-rules
Removed blank lines.

Handle errors, parameterise downloads, read excluded SIDS from /etc/snort/rules/exclude.rules file. Made exclude.rules optional since the ~100 rules originally excluded by ITUS no longer seem to be present in the default rulesets currently being downloaded as at Aug 2019.

We may want to also grab the IP Blacklist of compromised IP addresses from ET.
https://rules.emergingthreats.net/open/snort-edge/rules/compromised-ips.txt
These should go in /etc/snort/iplists/L2-Blacklist I believe (Not at the shield at the moment). These are a list of KNOWN bad IP addresses.

Also, fantastic job on the script! 👍

Good tip, I'll get on it. I'll also try look at an lua switch for DNS over https this weekend.

I notice compromised-ips is only 12KB versus current /etc/snort/rules/iplists/L2.blacklist 76KB. I suppose a straight replace is the best option we've got at the moment, but would be good to source others to merge in if we can.

…

On Wed, 14 Aug 2019 at 05:19, Donald Hoskins ***@***.***> wrote: We may want to also grab the IP Blacklist of compromised IP addresses from ET. https://rules.emergingthreats.net/open/snort-edge/rules/compromised-ips.txt These should go in /etc/snort/iplists/L2-Blacklist I believe (Not at the shield at the moment). These are a list of KNOWN bad IP addresses. — You are receiving this because you authored the thread. Reply to this email directly, view it on GitHub <https://gist.github.com/e3e9e95a21d418e9c83a3a3a0731e3cc?email_source=notifications&email_token=ABQ6LYQX553WNCKKCLSTIS3QEMQOLA5CNFSM4IK3PDR2YY3PNVWWK3TUL52HS4DFVNDWS43UINXW23LFNZ2KUY3PNVWWK3TUL5UWJTQAFW7DY#gistcomment-2997820>, or mute the thread <https://github.com/notifications/unsubscribe-auth/ABQ6LYT2XRRGKXJTF6VO6P3QEMQOLANCNFSM4IK3PDRQ> .

Found one 17KB additional set of blacklisted ips from snort here https://blog.snort.org/2015/09/ip-blacklist-feed-has-moved-locations.html
Will start with those two for now.

Do you know if the /rules/iplists/L2.sid-msg.map is actively used?
If so, could update that from emerging-threats too..

Updated to download IP blacklists, push them to /rules/iplists/L2.blacklist

I'm not sure about the L2 map file. I'd have to see what is in it compared to the ET map file. I know the sid-msg.map file outlines the SID for rules, but since the IP Blacklist is just a series of IPs and has no SID, I'm not sure. When I set it up, I think the L2 map file was already there and I just activated it and made it work in the config, then updated the IP list itself.

Updated to play nice with snort.lua
Now we have a UI to add/remove emerging threats, exclude sids and see the rule counts :)