aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorbmeeks8 <bmeeks8@bellsouth.net>2014-02-28 20:31:38 -0500
committerbmeeks8 <bmeeks8@bellsouth.net>2014-02-28 20:31:38 -0500
commit9e7d630ecf8377ec58606895c077918e4cf37ff8 (patch)
tree6421084b94fa1203d4f86ac40ec182007dbbcb34
parent16117ee018a4c59bd82766ad91cff013b022dbd5 (diff)
downloadpfsense-packages-9e7d630ecf8377ec58606895c077918e4cf37ff8.tar.gz
pfsense-packages-9e7d630ecf8377ec58606895c077918e4cf37ff8.tar.bz2
pfsense-packages-9e7d630ecf8377ec58606895c077918e4cf37ff8.zip
Add new output option for Bro-IDS destination for Barnyard2.
-rw-r--r--config/suricata/suricata_barnyard.php161
1 files changed, 126 insertions, 35 deletions
diff --git a/config/suricata/suricata_barnyard.php b/config/suricata/suricata_barnyard.php
index f0bdbd17..e1ae892e 100644
--- a/config/suricata/suricata_barnyard.php
+++ b/config/suricata/suricata_barnyard.php
@@ -46,8 +46,8 @@ if (!is_array($config['installedpackages']['suricata']['rule']))
$a_nat = &$config['installedpackages']['suricata']['rule'];
$pconfig = array();
+
if (isset($id) && $a_nat[$id]) {
- /* old options */
$pconfig = $a_nat[$id];
if (!empty($a_nat[$id]['barnconfigpassthru']))
$pconfig['barnconfigpassthru'] = base64_decode($a_nat[$id]['barnconfigpassthru']);
@@ -69,28 +69,20 @@ if (isset($id) && $a_nat[$id]) {
$pconfig['barnyard_syslog_facility'] = "LOG_USER";
if (empty($a_nat[$id]['barnyard_syslog_priority']))
$pconfig['barnyard_syslog_priority'] = "LOG_INFO";
+ if (empty($a_nat[$id]['barnyard_bro_ids_dport']))
+ $pconfig['barnyard_bro_ids_dport'] = "47760";
if (empty($a_nat[$id]['barnyard_sensor_name']))
$pconfig['barnyard_sensor_name'] = php_uname("n");
}
-if (isset($_GET['dup']))
- unset($id);
-
-if ($_POST) {
-
- foreach ($a_nat as $natent) {
- if (isset($id) && ($a_nat[$id]) && ($a_nat[$id] === $natent))
- continue;
- if ($natent['interface'] != $_POST['interface'])
- $input_error[] = "This interface has already an instance defined";
- }
-
+if ($_POST['save']) {
// Check that at least one output plugin is enabled
- if ($_POST['barnyard_mysql_enable'] != 'on' && $_POST['barnyard_syslog_enable'] != 'on')
+ if ($_POST['barnyard_mysql_enable'] != 'on' && $_POST['barnyard_syslog_enable'] != 'on' &&
+ $_POST['barnyard_bro_ids_enable'] != 'on' && $_POST['barnyard_enable'] == "on")
$input_errors[] = gettext("You must enable at least one output option when using Barnyard2.");
// Validate inputs if MySQL database loggging enabled
- if ($_POST['barnyard_mysql_enable'] == 'on') {
+ if ($_POST['barnyard_mysql_enable'] == 'on' && $_POST['barnyard_enable'] == "on") {
if (empty($_POST['barnyard_dbhost']))
$input_errors[] = gettext("Please provide a valid hostname or IP address for the MySQL database host.");
if (empty($_POST['barnyard_dbname']))
@@ -100,13 +92,22 @@ if ($_POST) {
}
// Validate inputs if syslog output enabled
- if ($_POST['barnyard_syslog_enable'] == 'on' && $_POST['barnyard_syslog_local'] <> 'on') {
+ if ($_POST['barnyard_syslog_enable'] == 'on' && $_POST['barnyard_syslog_local'] <> 'on' &&
+ $_POST['barnyard_enable'] == "on") {
if (empty($_POST['barnyard_syslog_dport']) || !is_numeric($_POST['barnyard_syslog_dport']))
$input_errors[] = gettext("Please provide a valid number between 1 and 65535 for the Syslog Remote Port.");
if (empty($_POST['barnyard_syslog_rhost']))
$input_errors[] = gettext("Please provide a valid hostname or IP address for the Syslog Remote Host.");
}
+ // Validate inputs if Bro-IDS output enabled
+ if ($_POST['barnyard_bro_ids_enable'] == 'on' && $_POST['barnyard_enable'] == "on") {
+ if (empty($_POST['barnyard_bro_ids_dport']) || !is_numeric($_POST['barnyard_bro_ids_dport']))
+ $input_errors[] = gettext("Please provide a valid number between 1 and 65535 for the Bro-IDS Remote Port.");
+ if (empty($_POST['barnyard_bro_ids_rhost']))
+ $input_errors[] = gettext("Please provide a valid hostname or IP address for the Bro-IDS Remote Host.");
+ }
+
// if no errors write to conf
if (!$input_errors) {
$natent = array();
@@ -121,6 +122,7 @@ if ($_POST) {
$natent['barnyard_mysql_enable'] = $_POST['barnyard_mysql_enable'] ? 'on' : 'off';
$natent['barnyard_syslog_enable'] = $_POST['barnyard_syslog_enable'] ? 'on' : 'off';
$natent['barnyard_syslog_local'] = $_POST['barnyard_syslog_local'] ? 'on' : 'off';
+ $natent['barnyard_bro_ids_enable'] = $_POST['barnyard_bro_ids_enable'] ? 'on' : 'off';
$natent['barnyard_syslog_opmode'] = $_POST['barnyard_syslog_opmode'];
$natent['barnyard_syslog_proto'] = $_POST['barnyard_syslog_proto'];
@@ -133,23 +135,30 @@ if ($_POST) {
if ($_POST['barnyard_syslog_dport']) $natent['barnyard_syslog_dport'] = $_POST['barnyard_syslog_dport']; else $natent['barnyard_syslog_dport'] = '514';
if ($_POST['barnyard_syslog_facility']) $natent['barnyard_syslog_facility'] = $_POST['barnyard_syslog_facility']; else $natent['barnyard_syslog_facility'] = 'LOG_USER';
if ($_POST['barnyard_syslog_priority']) $natent['barnyard_syslog_priority'] = $_POST['barnyard_syslog_priority']; else $natent['barnyard_syslog_priority'] = 'LOG_INFO';
+ if ($_POST['barnyard_bro_ids_rhost']) $natent['barnyard_bro_ids_rhost'] = $_POST['barnyard_bro_ids_rhost']; else unset($natent['barnyard_bro_ids_rhost']);
+ if ($_POST['barnyard_bro_ids_dport']) $natent['barnyard_bro_ids_dport'] = $_POST['barnyard_bro_ids_dport']; else $natent['barnyard_bro_ids_dport'] = '47760';
if ($_POST['barnconfigpassthru']) $natent['barnconfigpassthru'] = base64_encode($_POST['barnconfigpassthru']); else unset($natent['barnconfigpassthru']);
- if (isset($id) && $a_nat[$id])
- $a_nat[$id] = $natent;
- else {
- $a_nat[] = $natent;
- }
-
+ $a_nat[$id] = $natent;
write_config();
- // No need to rebuild rules if just toggling Barnyard2 on or off
+ // No need to rebuild rules for Barnyard2 changes
$rebuild_rules = false;
sync_suricata_package_config();
- // Signal any running barnyard2 instance on this interface to
- // reload its configuration to pick up any changes made.
- suricata_barnyard_reload_config($a_nat[$id], "HUP");
+ // If disabling Barnyard2 on the interface, stop any
+ // currently running instance. If an instance is
+ // running, signal it to reload the configuration.
+ // If Barnyard2 is enabled but not running, start it.
+ if ($a_nat[$id]['barnyard_enable'] == "off") {
+ suricata_barnyard_stop($a_nat[$id], get_real_interface($a_nat[$id]['interface']));
+ }
+ elseif ($a_nat[$id]['barnyard_enable'] == "on") {
+ if (suricata_is_running($a_nat[$id]['uuid'], get_real_interface($a_nat[$id]['interface']), "barnyard2"))
+ suricata_barnyard_reload_config($a_nat[$id], "HUP");
+ else
+ suricata_barnyard_start($a_nat[$id], get_real_interface($a_nat[$id]['interface']));
+ }
// after click go to this page
header( 'Expires: Sat, 26 Jul 1997 05:00:00 GMT' );
@@ -160,6 +169,33 @@ if ($_POST) {
header("Location: suricata_barnyard.php?id=$id");
exit;
}
+ else {
+ // We had errors, so save incoming field data to prevent retyping
+ $pconfig['barnyard_enable'] = $_POST['barnyard_enable'];
+ $pconfig['barnyard_show_year'] = $_POST['barnyard_show_year'];
+ $pconfig['barnyard_archive_enable'] = $_POST['barnyard_archive_enable'];
+ $pconfig['barnyard_dump_payload'] = $_POST['barnyard_dump_payload'];
+ $pconfig['barnyard_obfuscate_ip'] = $_POST['barnyard_obfuscate_ip'];
+ $pconfig['barnyard_mysql_enable'] = $_POST['barnyard_mysql_enable'];
+ $pconfig['barnyard_syslog_enable'] = $_POST['barnyard_syslog_enable'];
+ $pconfig['barnyard_syslog_local'] = $_POST['barnyard_syslog_local'];
+ $pconfig['barnyard_syslog_opmode'] = $_POST['barnyard_syslog_opmode'];
+ $pconfig['barnyard_syslog_proto'] = $_POST['barnyard_syslog_proto'];
+ $pconfig['barnyard_bro_ids_enable'] = $_POST['barnyard_bro_ids_enable'];
+
+ $pconfig['barnyard_sensor_name'] = $_POST['barnyard_sensor_name'];
+ $pconfig['barnyard_dbhost'] = $_POST['barnyard_dbhost'];
+ $pconfig['barnyard_dbname'] = $_POST['barnyard_dbname'];
+ $pconfig['barnyard_dbuser'] = $_POST['barnyard_dbuser'];
+ $pconfig['barnyard_dbpwd'] = $_POST['barnyard_dbpwd'];
+ $pconfig['barnyard_syslog_rhost'] = $_POST['barnyard_syslog_rhost'];
+ $pconfig['barnyard_syslog_dport'] = $_POST['barnyard_syslog_dport'];
+ $pconfig['barnyard_syslog_facility'] = $_POST['barnyard_syslog_facility'];
+ $pconfig['barnyard_syslog_priority'] = $_POST['barnyard_syslog_priority'];
+ $pconfig['barnyard_bro_ids_rhost'] = $_POST['barnyard_bro_ids_rhost'];
+ $pconfig['barnyard_bro_ids_dport'] = $_POST['barnyard_bro_ids_dport'];
+ $pconfig['barnconfigpassthru'] = $_POST['barnconfigpassthru'];
+ }
}
$if_friendly = convert_friendly_interface_to_friendly_descr($pconfig['interface']);
@@ -169,10 +205,8 @@ include_once("head.inc");
?>
<body link="#0000CC" vlink="#0000CC" alink="#0000CC">
-<?php include("fbegin.inc"); ?>
-<?if($pfsense_stable == 'yes'){echo '<p class="pgtitle">' . $pgtitle . '</p>';}?>
+<?php include("fbegin.inc");
-<?php
/* Display Alert message */
if ($input_errors) {
print_input_errors($input_errors); // TODO: add checks
@@ -182,10 +216,9 @@ include_once("head.inc");
print_info_box($savemsg);
}
- ?>
+?>
-<form action="suricata_barnyard.php" method="post"
- enctype="multipart/form-data" name="iform" id="iform">
+<form action="suricata_barnyard.php" method="post" name="iform" id="iform">
<table width="100%" border="0" cellpadding="0" cellspacing="0">
<tr><td>
<?php
@@ -195,7 +228,7 @@ include_once("head.inc");
$tab_array[] = array(gettext("Update Rules"), false, "/suricata/suricata_download_updates.php");
$tab_array[] = array(gettext("Alerts"), false, "/suricata/suricata_alerts.php?instance={$id}");
$tab_array[] = array(gettext("Suppress"), false, "/suricata/suricata_suppress.php");
- $tab_array[] = array(gettext("Logs Browser"), false, "/suricata/suricata_logs_browser.php");
+ $tab_array[] = array(gettext("Logs Browser"), false, "/suricata/suricata_logs_browser.php?instance={$id}");
display_top_tabs($tab_array);
echo '</td></tr>';
echo '<tr><td class="tabnavtbl">';
@@ -261,7 +294,6 @@ include_once("head.inc");
&nbsp;<?php echo gettext("Unique name to use for this sensor."); ?>
</td>
</tr>
- </tr>
<tr>
<td colspan="2" valign="top" class="listtopic"><?php echo gettext("MySQL Database Output Settings"); ?></td>
</tr>
@@ -272,6 +304,7 @@ include_once("head.inc");
onClick="toggle_mySQL()"/><?php echo gettext("Enable logging of alerts to a MySQL database instance"); ?><br/>
<?php echo gettext("You will also have to provide the database credentials in the fields below."); ?></td>
</tr>
+ <tbody id="mysql_config_rows">
<tr>
<td width="22%" valign="top" class="vncell"><?php echo gettext("Database Host"); ?></td>
<td width="78%" class="vtable">
@@ -304,6 +337,7 @@ include_once("head.inc");
&nbsp;<?php echo gettext("Password for the MySQL database user"); ?>
</td>
</tr>
+ </tbody>
<tr>
<td colspan="2" valign="top" class="listtopic"><?php echo gettext("Syslog Output Settings"); ?></td>
</tr>
@@ -315,6 +349,7 @@ include_once("head.inc");
<?php echo gettext("Enable logging of alerts to a syslog receiver"); ?><br/>
<?php echo gettext("This will send alert data to either a local or remote syslog receiver."); ?></td>
</tr>
+ <tbody id="syslog_config_rows">
<tr>
<td width="22%" valign="top" class="vncell"><?php echo gettext("Operation Mode"); ?></td>
<td width="78%" class="vtable">
@@ -395,6 +430,36 @@ include_once("head.inc");
<?php echo gettext("Select Syslog Priority (Level) to use for remote reporting. Default is ") . "<strong>" . gettext("LOG_INFO") . "</strong>."; ?>
</td>
</tr>
+ </tbody>
+ <tr>
+ <td colspan="2" valign="top" class="listtopic"><?php echo gettext("Bro-IDS Output Settings"); ?></td>
+ </tr>
+ <tr>
+ <td width="22%" valign="top" class="vncell"><?php echo gettext("Enable Bro-IDS"); ?></td>
+ <td width="78%" class="vtable">
+ <input name="barnyard_bro_ids_enable" type="checkbox" value="on" <?php if ($pconfig['barnyard_bro_ids_enable'] == "on") echo "checked"; ?>
+ onClick="toggle_bro_ids()"/>
+ <?php echo gettext("Enable logging of alerts to a Bro-IDS receiver"); ?><br/>
+ <?php echo gettext("This will send alert data to either a local or remote Bro-IDS receiver."); ?></td>
+ </tr>
+ <tbody id="bro_ids_config_rows">
+ <tr>
+ <td width="22%" valign="top" class="vncell"><?php echo gettext("Remote Host"); ?></td>
+ <td width="78%" class="vtable">
+ <input name="barnyard_bro_ids_rhost" type="text" class="formfld host"
+ id="barnyard_bro_ids_rhost" size="25" value="<?=htmlspecialchars($pconfig['barnyard_bro_ids_rhost']);?>"/>
+ &nbsp;<?php echo gettext("Hostname or IP address of remote Bro-IDS host"); ?>
+ </td>
+ </tr>
+ <tr>
+ <td width="22%" valign="top" class="vncell"><?php echo gettext("Remote Port"); ?></td>
+ <td width="78%" class="vtable">
+ <input name="barnyard_bro_ids_dport" type="text" class="formfld unknown"
+ id="barnyard_bro_ids_dport" size="25" value="<?=htmlspecialchars($pconfig['barnyard_bro_ids_dport']);?>"/>
+ &nbsp;<?php echo gettext("Port number for Bro-IDS instance on remote host. Default is ") . "<strong>" . gettext("47760") . "</strong>."; ?>
+ </td>
+ </tr>
+ </tbody>
<tr>
<td colspan="2" valign="top" class="listtopic"><?php echo gettext("Advanced Settings"); ?></td>
</tr>
@@ -410,7 +475,7 @@ include_once("head.inc");
<tr>
<td width="22%" valign="top">&nbsp;</td>
<td width="78%">
- <input name="Submit" type="submit" class="formbtn" value="Save">
+ <input name="save" type="submit" class="formbtn" value="Save">
<input name="id" type="hidden" value="<?=$id;?>"> </td>
</tr>
<tr>
@@ -435,6 +500,11 @@ function toggle_mySQL() {
document.iform.barnyard_dbname.disabled = endis;
document.iform.barnyard_dbuser.disabled = endis;
document.iform.barnyard_dbpwd.disabled = endis;
+
+ if (endis)
+ document.getElementById("mysql_config_rows").style.display = "none";
+ else
+ document.getElementById("mysql_config_rows").style.display = "";
}
function toggle_syslog() {
@@ -449,6 +519,11 @@ function toggle_syslog() {
document.iform.barnyard_syslog_proto_tcp.disabled = endis;
document.iform.barnyard_syslog_facility.disabled = endis;
document.iform.barnyard_syslog_priority.disabled = endis;
+
+ if (endis)
+ document.getElementById("syslog_config_rows").style.display = "none";
+ else
+ document.getElementById("syslog_config_rows").style.display = "";
}
function toggle_local_syslog() {
@@ -464,6 +539,18 @@ function toggle_local_syslog() {
}
}
+function toggle_bro_ids() {
+ var endis = !document.iform.barnyard_bro_ids_enable.checked;
+
+ document.iform.barnyard_bro_ids_rhost.disabled = endis;
+ document.iform.barnyard_bro_ids_dport.disabled = endis;
+
+ if (endis)
+ document.getElementById("bro_ids_config_rows").style.display = "none";
+ else
+ document.getElementById("bro_ids_config_rows").style.display = "";
+}
+
function enable_change(enable_change) {
endis = !(document.iform.barnyard_enable.checked || enable_change);
// make sure a default answer is called if this is invoked.
@@ -488,6 +575,9 @@ function enable_change(enable_change) {
document.iform.barnyard_syslog_proto_tcp.disabled = endis;
document.iform.barnyard_syslog_facility.disabled = endis;
document.iform.barnyard_syslog_priority.disabled = endis;
+ document.iform.barnyard_bro_ids_enable.disabled = endis;
+ document.iform.barnyard_bro_ids_rhost.disabled = endis;
+ document.iform.barnyard_bro_ids_dport.disabled = endis;
document.iform.barnconfigpassthru.disabled = endis;
}
@@ -495,6 +585,7 @@ enable_change(false);
toggle_mySQL();
toggle_syslog();
toggle_local_syslog();
+toggle_bro_ids();
</script>