diff options
author | bmeeks8 <bmeeks8@bellsouth.net> | 2014-02-28 20:31:38 -0500 |
---|---|---|
committer | bmeeks8 <bmeeks8@bellsouth.net> | 2014-02-28 20:31:38 -0500 |
commit | 9e7d630ecf8377ec58606895c077918e4cf37ff8 (patch) | |
tree | 6421084b94fa1203d4f86ac40ec182007dbbcb34 | |
parent | 16117ee018a4c59bd82766ad91cff013b022dbd5 (diff) | |
download | pfsense-packages-9e7d630ecf8377ec58606895c077918e4cf37ff8.tar.gz pfsense-packages-9e7d630ecf8377ec58606895c077918e4cf37ff8.tar.bz2 pfsense-packages-9e7d630ecf8377ec58606895c077918e4cf37ff8.zip |
Add new output option for Bro-IDS destination for Barnyard2.
-rw-r--r-- | config/suricata/suricata_barnyard.php | 161 |
1 files changed, 126 insertions, 35 deletions
diff --git a/config/suricata/suricata_barnyard.php b/config/suricata/suricata_barnyard.php index f0bdbd17..e1ae892e 100644 --- a/config/suricata/suricata_barnyard.php +++ b/config/suricata/suricata_barnyard.php @@ -46,8 +46,8 @@ if (!is_array($config['installedpackages']['suricata']['rule'])) $a_nat = &$config['installedpackages']['suricata']['rule']; $pconfig = array(); + if (isset($id) && $a_nat[$id]) { - /* old options */ $pconfig = $a_nat[$id]; if (!empty($a_nat[$id]['barnconfigpassthru'])) $pconfig['barnconfigpassthru'] = base64_decode($a_nat[$id]['barnconfigpassthru']); @@ -69,28 +69,20 @@ if (isset($id) && $a_nat[$id]) { $pconfig['barnyard_syslog_facility'] = "LOG_USER"; if (empty($a_nat[$id]['barnyard_syslog_priority'])) $pconfig['barnyard_syslog_priority'] = "LOG_INFO"; + if (empty($a_nat[$id]['barnyard_bro_ids_dport'])) + $pconfig['barnyard_bro_ids_dport'] = "47760"; if (empty($a_nat[$id]['barnyard_sensor_name'])) $pconfig['barnyard_sensor_name'] = php_uname("n"); } -if (isset($_GET['dup'])) - unset($id); - -if ($_POST) { - - foreach ($a_nat as $natent) { - if (isset($id) && ($a_nat[$id]) && ($a_nat[$id] === $natent)) - continue; - if ($natent['interface'] != $_POST['interface']) - $input_error[] = "This interface has already an instance defined"; - } - +if ($_POST['save']) { // Check that at least one output plugin is enabled - if ($_POST['barnyard_mysql_enable'] != 'on' && $_POST['barnyard_syslog_enable'] != 'on') + if ($_POST['barnyard_mysql_enable'] != 'on' && $_POST['barnyard_syslog_enable'] != 'on' && + $_POST['barnyard_bro_ids_enable'] != 'on' && $_POST['barnyard_enable'] == "on") $input_errors[] = gettext("You must enable at least one output option when using Barnyard2."); // Validate inputs if MySQL database loggging enabled - if ($_POST['barnyard_mysql_enable'] == 'on') { + if ($_POST['barnyard_mysql_enable'] == 'on' && $_POST['barnyard_enable'] == "on") { if (empty($_POST['barnyard_dbhost'])) $input_errors[] = gettext("Please provide a valid hostname or IP address for the MySQL database host."); if (empty($_POST['barnyard_dbname'])) @@ -100,13 +92,22 @@ if ($_POST) { } // Validate inputs if syslog output enabled - if ($_POST['barnyard_syslog_enable'] == 'on' && $_POST['barnyard_syslog_local'] <> 'on') { + if ($_POST['barnyard_syslog_enable'] == 'on' && $_POST['barnyard_syslog_local'] <> 'on' && + $_POST['barnyard_enable'] == "on") { if (empty($_POST['barnyard_syslog_dport']) || !is_numeric($_POST['barnyard_syslog_dport'])) $input_errors[] = gettext("Please provide a valid number between 1 and 65535 for the Syslog Remote Port."); if (empty($_POST['barnyard_syslog_rhost'])) $input_errors[] = gettext("Please provide a valid hostname or IP address for the Syslog Remote Host."); } + // Validate inputs if Bro-IDS output enabled + if ($_POST['barnyard_bro_ids_enable'] == 'on' && $_POST['barnyard_enable'] == "on") { + if (empty($_POST['barnyard_bro_ids_dport']) || !is_numeric($_POST['barnyard_bro_ids_dport'])) + $input_errors[] = gettext("Please provide a valid number between 1 and 65535 for the Bro-IDS Remote Port."); + if (empty($_POST['barnyard_bro_ids_rhost'])) + $input_errors[] = gettext("Please provide a valid hostname or IP address for the Bro-IDS Remote Host."); + } + // if no errors write to conf if (!$input_errors) { $natent = array(); @@ -121,6 +122,7 @@ if ($_POST) { $natent['barnyard_mysql_enable'] = $_POST['barnyard_mysql_enable'] ? 'on' : 'off'; $natent['barnyard_syslog_enable'] = $_POST['barnyard_syslog_enable'] ? 'on' : 'off'; $natent['barnyard_syslog_local'] = $_POST['barnyard_syslog_local'] ? 'on' : 'off'; + $natent['barnyard_bro_ids_enable'] = $_POST['barnyard_bro_ids_enable'] ? 'on' : 'off'; $natent['barnyard_syslog_opmode'] = $_POST['barnyard_syslog_opmode']; $natent['barnyard_syslog_proto'] = $_POST['barnyard_syslog_proto']; @@ -133,23 +135,30 @@ if ($_POST) { if ($_POST['barnyard_syslog_dport']) $natent['barnyard_syslog_dport'] = $_POST['barnyard_syslog_dport']; else $natent['barnyard_syslog_dport'] = '514'; if ($_POST['barnyard_syslog_facility']) $natent['barnyard_syslog_facility'] = $_POST['barnyard_syslog_facility']; else $natent['barnyard_syslog_facility'] = 'LOG_USER'; if ($_POST['barnyard_syslog_priority']) $natent['barnyard_syslog_priority'] = $_POST['barnyard_syslog_priority']; else $natent['barnyard_syslog_priority'] = 'LOG_INFO'; + if ($_POST['barnyard_bro_ids_rhost']) $natent['barnyard_bro_ids_rhost'] = $_POST['barnyard_bro_ids_rhost']; else unset($natent['barnyard_bro_ids_rhost']); + if ($_POST['barnyard_bro_ids_dport']) $natent['barnyard_bro_ids_dport'] = $_POST['barnyard_bro_ids_dport']; else $natent['barnyard_bro_ids_dport'] = '47760'; if ($_POST['barnconfigpassthru']) $natent['barnconfigpassthru'] = base64_encode($_POST['barnconfigpassthru']); else unset($natent['barnconfigpassthru']); - if (isset($id) && $a_nat[$id]) - $a_nat[$id] = $natent; - else { - $a_nat[] = $natent; - } - + $a_nat[$id] = $natent; write_config(); - // No need to rebuild rules if just toggling Barnyard2 on or off + // No need to rebuild rules for Barnyard2 changes $rebuild_rules = false; sync_suricata_package_config(); - // Signal any running barnyard2 instance on this interface to - // reload its configuration to pick up any changes made. - suricata_barnyard_reload_config($a_nat[$id], "HUP"); + // If disabling Barnyard2 on the interface, stop any + // currently running instance. If an instance is + // running, signal it to reload the configuration. + // If Barnyard2 is enabled but not running, start it. + if ($a_nat[$id]['barnyard_enable'] == "off") { + suricata_barnyard_stop($a_nat[$id], get_real_interface($a_nat[$id]['interface'])); + } + elseif ($a_nat[$id]['barnyard_enable'] == "on") { + if (suricata_is_running($a_nat[$id]['uuid'], get_real_interface($a_nat[$id]['interface']), "barnyard2")) + suricata_barnyard_reload_config($a_nat[$id], "HUP"); + else + suricata_barnyard_start($a_nat[$id], get_real_interface($a_nat[$id]['interface'])); + } // after click go to this page header( 'Expires: Sat, 26 Jul 1997 05:00:00 GMT' ); @@ -160,6 +169,33 @@ if ($_POST) { header("Location: suricata_barnyard.php?id=$id"); exit; } + else { + // We had errors, so save incoming field data to prevent retyping + $pconfig['barnyard_enable'] = $_POST['barnyard_enable']; + $pconfig['barnyard_show_year'] = $_POST['barnyard_show_year']; + $pconfig['barnyard_archive_enable'] = $_POST['barnyard_archive_enable']; + $pconfig['barnyard_dump_payload'] = $_POST['barnyard_dump_payload']; + $pconfig['barnyard_obfuscate_ip'] = $_POST['barnyard_obfuscate_ip']; + $pconfig['barnyard_mysql_enable'] = $_POST['barnyard_mysql_enable']; + $pconfig['barnyard_syslog_enable'] = $_POST['barnyard_syslog_enable']; + $pconfig['barnyard_syslog_local'] = $_POST['barnyard_syslog_local']; + $pconfig['barnyard_syslog_opmode'] = $_POST['barnyard_syslog_opmode']; + $pconfig['barnyard_syslog_proto'] = $_POST['barnyard_syslog_proto']; + $pconfig['barnyard_bro_ids_enable'] = $_POST['barnyard_bro_ids_enable']; + + $pconfig['barnyard_sensor_name'] = $_POST['barnyard_sensor_name']; + $pconfig['barnyard_dbhost'] = $_POST['barnyard_dbhost']; + $pconfig['barnyard_dbname'] = $_POST['barnyard_dbname']; + $pconfig['barnyard_dbuser'] = $_POST['barnyard_dbuser']; + $pconfig['barnyard_dbpwd'] = $_POST['barnyard_dbpwd']; + $pconfig['barnyard_syslog_rhost'] = $_POST['barnyard_syslog_rhost']; + $pconfig['barnyard_syslog_dport'] = $_POST['barnyard_syslog_dport']; + $pconfig['barnyard_syslog_facility'] = $_POST['barnyard_syslog_facility']; + $pconfig['barnyard_syslog_priority'] = $_POST['barnyard_syslog_priority']; + $pconfig['barnyard_bro_ids_rhost'] = $_POST['barnyard_bro_ids_rhost']; + $pconfig['barnyard_bro_ids_dport'] = $_POST['barnyard_bro_ids_dport']; + $pconfig['barnconfigpassthru'] = $_POST['barnconfigpassthru']; + } } $if_friendly = convert_friendly_interface_to_friendly_descr($pconfig['interface']); @@ -169,10 +205,8 @@ include_once("head.inc"); ?> <body link="#0000CC" vlink="#0000CC" alink="#0000CC"> -<?php include("fbegin.inc"); ?> -<?if($pfsense_stable == 'yes'){echo '<p class="pgtitle">' . $pgtitle . '</p>';}?> +<?php include("fbegin.inc"); -<?php /* Display Alert message */ if ($input_errors) { print_input_errors($input_errors); // TODO: add checks @@ -182,10 +216,9 @@ include_once("head.inc"); print_info_box($savemsg); } - ?> +?> -<form action="suricata_barnyard.php" method="post" - enctype="multipart/form-data" name="iform" id="iform"> +<form action="suricata_barnyard.php" method="post" name="iform" id="iform"> <table width="100%" border="0" cellpadding="0" cellspacing="0"> <tr><td> <?php @@ -195,7 +228,7 @@ include_once("head.inc"); $tab_array[] = array(gettext("Update Rules"), false, "/suricata/suricata_download_updates.php"); $tab_array[] = array(gettext("Alerts"), false, "/suricata/suricata_alerts.php?instance={$id}"); $tab_array[] = array(gettext("Suppress"), false, "/suricata/suricata_suppress.php"); - $tab_array[] = array(gettext("Logs Browser"), false, "/suricata/suricata_logs_browser.php"); + $tab_array[] = array(gettext("Logs Browser"), false, "/suricata/suricata_logs_browser.php?instance={$id}"); display_top_tabs($tab_array); echo '</td></tr>'; echo '<tr><td class="tabnavtbl">'; @@ -261,7 +294,6 @@ include_once("head.inc"); <?php echo gettext("Unique name to use for this sensor."); ?> </td> </tr> - </tr> <tr> <td colspan="2" valign="top" class="listtopic"><?php echo gettext("MySQL Database Output Settings"); ?></td> </tr> @@ -272,6 +304,7 @@ include_once("head.inc"); onClick="toggle_mySQL()"/><?php echo gettext("Enable logging of alerts to a MySQL database instance"); ?><br/> <?php echo gettext("You will also have to provide the database credentials in the fields below."); ?></td> </tr> + <tbody id="mysql_config_rows"> <tr> <td width="22%" valign="top" class="vncell"><?php echo gettext("Database Host"); ?></td> <td width="78%" class="vtable"> @@ -304,6 +337,7 @@ include_once("head.inc"); <?php echo gettext("Password for the MySQL database user"); ?> </td> </tr> + </tbody> <tr> <td colspan="2" valign="top" class="listtopic"><?php echo gettext("Syslog Output Settings"); ?></td> </tr> @@ -315,6 +349,7 @@ include_once("head.inc"); <?php echo gettext("Enable logging of alerts to a syslog receiver"); ?><br/> <?php echo gettext("This will send alert data to either a local or remote syslog receiver."); ?></td> </tr> + <tbody id="syslog_config_rows"> <tr> <td width="22%" valign="top" class="vncell"><?php echo gettext("Operation Mode"); ?></td> <td width="78%" class="vtable"> @@ -395,6 +430,36 @@ include_once("head.inc"); <?php echo gettext("Select Syslog Priority (Level) to use for remote reporting. Default is ") . "<strong>" . gettext("LOG_INFO") . "</strong>."; ?> </td> </tr> + </tbody> + <tr> + <td colspan="2" valign="top" class="listtopic"><?php echo gettext("Bro-IDS Output Settings"); ?></td> + </tr> + <tr> + <td width="22%" valign="top" class="vncell"><?php echo gettext("Enable Bro-IDS"); ?></td> + <td width="78%" class="vtable"> + <input name="barnyard_bro_ids_enable" type="checkbox" value="on" <?php if ($pconfig['barnyard_bro_ids_enable'] == "on") echo "checked"; ?> + onClick="toggle_bro_ids()"/> + <?php echo gettext("Enable logging of alerts to a Bro-IDS receiver"); ?><br/> + <?php echo gettext("This will send alert data to either a local or remote Bro-IDS receiver."); ?></td> + </tr> + <tbody id="bro_ids_config_rows"> + <tr> + <td width="22%" valign="top" class="vncell"><?php echo gettext("Remote Host"); ?></td> + <td width="78%" class="vtable"> + <input name="barnyard_bro_ids_rhost" type="text" class="formfld host" + id="barnyard_bro_ids_rhost" size="25" value="<?=htmlspecialchars($pconfig['barnyard_bro_ids_rhost']);?>"/> + <?php echo gettext("Hostname or IP address of remote Bro-IDS host"); ?> + </td> + </tr> + <tr> + <td width="22%" valign="top" class="vncell"><?php echo gettext("Remote Port"); ?></td> + <td width="78%" class="vtable"> + <input name="barnyard_bro_ids_dport" type="text" class="formfld unknown" + id="barnyard_bro_ids_dport" size="25" value="<?=htmlspecialchars($pconfig['barnyard_bro_ids_dport']);?>"/> + <?php echo gettext("Port number for Bro-IDS instance on remote host. Default is ") . "<strong>" . gettext("47760") . "</strong>."; ?> + </td> + </tr> + </tbody> <tr> <td colspan="2" valign="top" class="listtopic"><?php echo gettext("Advanced Settings"); ?></td> </tr> @@ -410,7 +475,7 @@ include_once("head.inc"); <tr> <td width="22%" valign="top"> </td> <td width="78%"> - <input name="Submit" type="submit" class="formbtn" value="Save"> + <input name="save" type="submit" class="formbtn" value="Save"> <input name="id" type="hidden" value="<?=$id;?>"> </td> </tr> <tr> @@ -435,6 +500,11 @@ function toggle_mySQL() { document.iform.barnyard_dbname.disabled = endis; document.iform.barnyard_dbuser.disabled = endis; document.iform.barnyard_dbpwd.disabled = endis; + + if (endis) + document.getElementById("mysql_config_rows").style.display = "none"; + else + document.getElementById("mysql_config_rows").style.display = ""; } function toggle_syslog() { @@ -449,6 +519,11 @@ function toggle_syslog() { document.iform.barnyard_syslog_proto_tcp.disabled = endis; document.iform.barnyard_syslog_facility.disabled = endis; document.iform.barnyard_syslog_priority.disabled = endis; + + if (endis) + document.getElementById("syslog_config_rows").style.display = "none"; + else + document.getElementById("syslog_config_rows").style.display = ""; } function toggle_local_syslog() { @@ -464,6 +539,18 @@ function toggle_local_syslog() { } } +function toggle_bro_ids() { + var endis = !document.iform.barnyard_bro_ids_enable.checked; + + document.iform.barnyard_bro_ids_rhost.disabled = endis; + document.iform.barnyard_bro_ids_dport.disabled = endis; + + if (endis) + document.getElementById("bro_ids_config_rows").style.display = "none"; + else + document.getElementById("bro_ids_config_rows").style.display = ""; +} + function enable_change(enable_change) { endis = !(document.iform.barnyard_enable.checked || enable_change); // make sure a default answer is called if this is invoked. @@ -488,6 +575,9 @@ function enable_change(enable_change) { document.iform.barnyard_syslog_proto_tcp.disabled = endis; document.iform.barnyard_syslog_facility.disabled = endis; document.iform.barnyard_syslog_priority.disabled = endis; + document.iform.barnyard_bro_ids_enable.disabled = endis; + document.iform.barnyard_bro_ids_rhost.disabled = endis; + document.iform.barnyard_bro_ids_dport.disabled = endis; document.iform.barnconfigpassthru.disabled = endis; } @@ -495,6 +585,7 @@ enable_change(false); toggle_mySQL(); toggle_syslog(); toggle_local_syslog(); +toggle_bro_ids(); </script> |