aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorbmeeks8 <bmeeks8@bellsouth.net>2014-09-04 16:28:27 -0400
committerbmeeks8 <bmeeks8@bellsouth.net>2014-09-04 16:28:27 -0400
commit46ba3729b4bbf7dd321fc3555677a66c67f4c784 (patch)
treed09cafaffff387f721204bc4cee0103da5f51b43
parent2c4435fa4db6a4d24d7faf0b4cdbd7cde8d73089 (diff)
downloadpfsense-packages-46ba3729b4bbf7dd321fc3555677a66c67f4c784.tar.gz
pfsense-packages-46ba3729b4bbf7dd321fc3555677a66c67f4c784.tar.bz2
pfsense-packages-46ba3729b4bbf7dd321fc3555677a66c67f4c784.zip
Add new GUI control for setting interface promisc mode on/off.
-rw-r--r--config/suricata/suricata_generate_yaml.php5
-rw-r--r--config/suricata/suricata_interfaces_edit.php13
-rw-r--r--config/suricata/suricata_migrate_config.php8
-rw-r--r--config/suricata/suricata_yaml_template.inc1
4 files changed, 27 insertions, 0 deletions
diff --git a/config/suricata/suricata_generate_yaml.php b/config/suricata/suricata_generate_yaml.php
index 0715471d..8e3e538c 100644
--- a/config/suricata/suricata_generate_yaml.php
+++ b/config/suricata/suricata_generate_yaml.php
@@ -165,6 +165,11 @@ if ($suricatacfg['delayed_detect'] == 'on')
else
$delayed_detect = "no";
+if ($suricatacfg['intf_promisc_mode'] == 'on')
+ $intf_promisc_mode = "yes";
+else
+ $intf_promisc_mode = "no";
+
// Add interface-specific blocking settings
if ($suricatacfg['blockoffenders'] == 'on')
$suri_blockoffenders = "yes";
diff --git a/config/suricata/suricata_interfaces_edit.php b/config/suricata/suricata_interfaces_edit.php
index ff21b48f..e1e6675f 100644
--- a/config/suricata/suricata_interfaces_edit.php
+++ b/config/suricata/suricata_interfaces_edit.php
@@ -169,6 +169,8 @@ if (empty($pconfig['eve_log_files']))
$pconfig['eve_log_files'] = "on";
if (empty($pconfig['eve_log_ssh']))
$pconfig['eve_log_ssh'] = "on";
+if (empty($pconfig['intf_promisc_mode']))
+ $pconfig['intf_promisc_mode'] = "on";
// See if creating a new interface by duplicating an existing one
if (strcasecmp($action, 'dup') == 0) {
@@ -300,6 +302,7 @@ if ($_POST["save"] && !$input_errors) {
if ($_POST['eve_log_files'] == "on") { $natent['eve_log_files'] = 'on'; }else{ $natent['eve_log_files'] = 'off'; }
if ($_POST['eve_log_ssh'] == "on") { $natent['eve_log_ssh'] = 'on'; }else{ $natent['eve_log_ssh'] = 'off'; }
if ($_POST['delayed_detect'] == "on") { $natent['delayed_detect'] = 'on'; }else{ $natent['delayed_detect'] = 'off'; }
+ if ($_POST['intf_promisc_mode'] == "on") { $natent['intf_promisc_mode'] = 'on'; }else{ $natent['intf_promisc_mode'] = 'off'; }
if ($_POST['configpassthru']) $natent['configpassthru'] = base64_encode(str_replace("\r\n", "\n", $_POST['configpassthru'])); else unset($natent['configpassthru']);
$if_real = get_real_interface($natent['interface']);
@@ -367,6 +370,7 @@ if ($_POST["save"] && !$input_errors) {
$natent['enable_midstream_sessions'] = 'off';
$natent['enable_async_sessions'] = 'off';
$natent['delayed_detect'] = 'off';
+ $natent['intf_promisc_mode'] = 'on';
$natent['asn1_max_frames'] = '256';
$natent['dns_global_memcap'] = "16777216";
@@ -885,6 +889,14 @@ if ($savemsg) {
"<strong>" . gettext("Not Checked") . "</strong>."; ?></td>
</tr>
<tr>
+ <td width="22%" valign="top" class="vncell"><?php echo gettext("Promiscuous Mode"); ?></td>
+ <td width="78%" class="vtable">
+ <input name="intf_promisc_mode" id="intf_promisc_mode" type="checkbox" value="on"
+ <?php if ($pconfig['intf_promisc_mode'] == "on") echo " checked"; ?>/>
+ <?php echo gettext("Suricata will place the monitored interface in promiscuous mode when checked. Default is ") .
+ "<strong>" . gettext("Checked") . "</strong>."; ?></td>
+ </tr>
+ <tr>
<td colspan="2" class="listtopic"><?php echo gettext("Networks " . "Suricata Should Inspect and Protect"); ?></td>
</tr>
<tr>
@@ -1197,6 +1209,7 @@ function enable_change(enable_change) {
document.iform.btnPasslist.disabled=endis;
document.iform.btnSuppressList.disabled=endis;
document.iform.delayed_detect.disabled=endis;
+ document.iform.intf_promisc_mode.disabled=endis;
}
function wopen(url, name, w, h) {
diff --git a/config/suricata/suricata_migrate_config.php b/config/suricata/suricata_migrate_config.php
index abbdcf64..ba13155b 100644
--- a/config/suricata/suricata_migrate_config.php
+++ b/config/suricata/suricata_migrate_config.php
@@ -124,6 +124,14 @@ foreach ($rule as &$r) {
}
/***********************************************************/
+ /* Add new interface promisc mode value and default 'on'. */
+ /***********************************************************/
+ if (empty($pconfig['intf_promisc_mode'])) {
+ $pconfig['intf_promisc_mode'] = "on";
+ $updated_cfg = true;
+ }
+
+ /***********************************************************/
/* Add new HTTP Log Extended Info setting if not present */
/***********************************************************/
if (!isset($pconfig['http_log_extended'])) {
diff --git a/config/suricata/suricata_yaml_template.inc b/config/suricata/suricata_yaml_template.inc
index e75a1148..82c449d3 100644
--- a/config/suricata/suricata_yaml_template.inc
+++ b/config/suricata/suricata_yaml_template.inc
@@ -256,6 +256,7 @@ logging:
pcap:
- interface: {$if_real}
checksum-checks: auto
+ promisc: {$intf_promisc_mode}
# For FreeBSD ipfw(8) divert(4) support.
# ipfw add 100 divert 8000 ip from any to any