aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorbmeeks8 <bmeeks8@bellsouth.net>2014-02-28 20:41:37 -0500
committerbmeeks8 <bmeeks8@bellsouth.net>2014-02-28 20:41:37 -0500
commitaf5566164c9b0b412962c26b831e78c499f53281 (patch)
tree48c045a10c0150688ddfe8d3d2145c94b83f48eb
parent3d4247441ec7b090ee4340c3e78e42a9b31632fd (diff)
downloadpfsense-packages-af5566164c9b0b412962c26b831e78c499f53281.tar.gz
pfsense-packages-af5566164c9b0b412962c26b831e78c499f53281.tar.bz2
pfsense-packages-af5566164c9b0b412962c26b831e78c499f53281.zip
Bug fixes and enhancements for v0.2-BETA in Suricata pkg.
-rw-r--r--config/suricata/suricata_alerts.php33
-rw-r--r--config/suricata/suricata_app_parsers.php15
-rw-r--r--config/suricata/suricata_check_cron_misc.inc2
-rw-r--r--config/suricata/suricata_check_for_rule_updates.php51
-rw-r--r--config/suricata/suricata_define_vars.php2
-rw-r--r--config/suricata/suricata_flow_stream.php9
-rw-r--r--config/suricata/suricata_global.php66
-rw-r--r--config/suricata/suricata_interfaces.php42
-rw-r--r--config/suricata/suricata_interfaces_edit.php38
-rw-r--r--config/suricata/suricata_libhtp_policy_engine.php6
-rw-r--r--config/suricata/suricata_os_policy_engine.php6
-rw-r--r--config/suricata/suricata_rules.php61
-rw-r--r--config/suricata/suricata_rules_edit.php23
-rw-r--r--config/suricata/suricata_rulesets.php36
14 files changed, 178 insertions, 212 deletions
diff --git a/config/suricata/suricata_alerts.php b/config/suricata/suricata_alerts.php
index 3fc39f36..75f21333 100644
--- a/config/suricata/suricata_alerts.php
+++ b/config/suricata/suricata_alerts.php
@@ -274,12 +274,10 @@ if ($_POST['togglesid'] && is_numeric($_POST['sidid']) && is_numeric($_POST['gen
}
if ($_POST['delete']) {
- conf_mount_rw();
suricata_post_delete_logs($suricata_uuid);
$fd = @fopen("{$suricatalogdir}suricata_{$if_real}{$suricata_uuid}/alerts.log", "w+");
if ($fd)
fclose($fd);
- conf_mount_ro();
/* XXX: This is needed if suricata is run as suricata user */
mwexec('/bin/chmod 660 {$suricatalogdir}*', true);
sigkillbypid("{$g['varrun_path']}/suricata_{$if_real}{$suricata_uuid}.pid", "HUP");
@@ -375,7 +373,7 @@ if ($savemsg) {
$selected = "";
if ($id == $instanceid)
$selected = "selected";
- echo "<option value='{$id}' {$selected}> (" . suricata_get_friendly_interface($instance['interface']) . "){$instance['descr']}</option>\n";
+ echo "<option value='{$id}' {$selected}> (" . convert_friendly_interface_to_friendly_descr($instance['interface']) . "){$instance['descr']}</option>\n";
}
?>
</select>&nbsp;&nbsp;<?php echo gettext('Choose which instance alerts you want to inspect.'); ?>
@@ -386,7 +384,7 @@ if ($savemsg) {
<input name="download" type="submit" class="formbtns" value="Download"> <?php echo gettext('All ' .
'log files will be saved.'); ?>&nbsp;&nbsp;
<input name="delete" type="submit" class="formbtns" value="Clear"
- onclick="return confirm('Do you really want to remove all instance logs?');"></a>
+ onclick="return confirm('Do you really want to remove all instance logs?');">
<span class="red"><strong><?php echo gettext('Warning:'); ?></strong></span> <?php echo ' ' . gettext('all log files will be deleted.'); ?>
</td>
</tr>
@@ -439,21 +437,30 @@ if ($savemsg) {
/* make sure alert file exists */
if (file_exists("/var/log/suricata/suricata_{$if_real}{$suricata_uuid}/alerts.log")) {
- exec("tail -{$anentries} -r /var/log/suricata/suricata_{$if_real}{$suricata_uuid}/alerts.log > /tmp/alerts_{$suricata_uuid}");
- if (file_exists("/tmp/alerts_{$suricata_uuid}")) {
+ exec("tail -{$anentries} -r /var/log/suricata/suricata_{$if_real}{$suricata_uuid}/alerts.log > /tmp/alerts_suricata{$suricata_uuid}");
+ if (file_exists("/tmp/alerts_suricata{$suricata_uuid}")) {
$tmpblocked = array_flip(suricata_get_blocked_ips());
$counter = 0;
/* 0 1 2 3 4 5 6 7 8 9 10 11 12 */
/* File format timestamp,action,sig_generator,sig_id,sig_rev,msg,classification,priority,proto,src,srcport,dst,dstport */
- $fd = fopen("/tmp/alerts_{$suricata_uuid}", "r");
+ $fd = fopen("/tmp/alerts_suricata{$suricata_uuid}", "r");
while (($fields = fgetcsv($fd, 1000, ',', '"')) !== FALSE) {
if(count($fields) < 12)
continue;
+ // Create a DateTime object from the event timestamp that
+ // we can use to easily manipulate output formats.
+ $event_tm = date_create_from_format("m/d/Y-H:i:s.u", $fields[0]);
+
+ // Check the 'CATEGORY' field for the text "(null)" and
+ // substitute "Not Assigned".
+ if ($fields[6] == "(null)")
+ $fields[6] = "Not Assigned";
+
/* Time */
- $alert_time = substr($fields[0], strpos($fields[0], '-')+1, -7);
+ $alert_time = date_format($event_tm, "H:i:s");
/* Date */
- $alert_date = trim(substr($fields[0], 0, strpos($fields[0], '-')));
+ $alert_date = date_format($event_tm, "m/d/Y");
/* Description */
$alert_descr = $fields[5];
$alert_descr_url = urlencode($fields[5]);
@@ -462,7 +469,7 @@ if (file_exists("/var/log/suricata/suricata_{$if_real}{$suricata_uuid}/alerts.lo
/* Protocol */
$alert_proto = $fields[8];
/* IP SRC */
- $alert_ip_src = $fields[9];
+ $alert_ip_src = inet_ntop(inet_pton($fields[9]));
/* Add zero-width space as soft-break opportunity after each colon if we have an IPv6 address */
$alert_ip_src = str_replace(":", ":&#8203;", $alert_ip_src);
/* Add Reverse DNS lookup icons */
@@ -491,7 +498,7 @@ if (file_exists("/var/log/suricata/suricata_{$if_real}{$suricata_uuid}/alerts.lo
/* IP SRC Port */
$alert_src_p = $fields[10];
/* IP Destination */
- $alert_ip_dst = $fields[11];
+ $alert_ip_dst = inet_ntop(inet_pton($fields[11]));
/* Add zero-width space as soft-break opportunity after each colon if we have an IPv6 address */
$alert_ip_dst = str_replace(":", ":&#8203;", $alert_ip_dst);
/* Add Reverse DNS lookup icons */
@@ -538,7 +545,7 @@ if (file_exists("/var/log/suricata/suricata_{$if_real}{$suricata_uuid}/alerts.lo
}
else {
$sid_dsbl_link = "<input type='image' name='togglesid[]' onClick=\"encRuleSig('{$fields[2]}','{$fields[3]}','','');\" ";
- $sid_dsbl_link .= "<img src='../themes/{$g['theme']}/images/icons/icon_block.gif' width='11' height='11' border='0' ";
+ $sid_dsbl_link .= "src='../themes/{$g['theme']}/images/icons/icon_block.gif' width='11' height='11' border='0' ";
$sid_dsbl_link .= "title='" . gettext("Force-disable this rule and remove it from current rules set.") . "'/>";
}
/* DESCRIPTION */
@@ -560,7 +567,7 @@ if (file_exists("/var/log/suricata/suricata_{$if_real}{$suricata_uuid}/alerts.lo
$counter++;
}
fclose($fd);
- @unlink("/tmp/alerts_{$suricata_uuid}");
+ @unlink("/tmp/alerts_suricata{$suricata_uuid}");
}
}
?>
diff --git a/config/suricata/suricata_app_parsers.php b/config/suricata/suricata_app_parsers.php
index eddf273d..e8f20226 100644
--- a/config/suricata/suricata_app_parsers.php
+++ b/config/suricata/suricata_app_parsers.php
@@ -348,15 +348,14 @@ elseif ($_POST['save']) {
/**************************************************/
/* If we have a valid rule ID, save configuration */
- /* then update the suricata.conf file and rebuild */
- /* the rules for this interface. */
+ /* then update the suricata.conf file for this */
+ /* interface. */
/**************************************************/
if (isset($id) && $a_nat[$id]) {
$a_nat[$id] = $natent;
write_config();
- $rebuild_rules = true;
- suricata_generate_yaml($natent);
$rebuild_rules = false;
+ suricata_generate_yaml($natent);
}
header( 'Expires: Sat, 26 Jul 1997 05:00:00 GMT' );
@@ -385,7 +384,7 @@ include_once("head.inc");
}
?>
-<form action="suricata_app_parsers.php" method="post"name="iform" id="iform">
+<form action="suricata_app_parsers.php" method="post" name="iform" id="iform">
<input name="id" type="hidden" value="<?=$id;?>"/>
<input type="hidden" name="eng_id" id="eng_id" value="<?=$eng_id;?>"/>
<table width="100%" border="0" cellpadding="0" cellspacing="0">
@@ -397,7 +396,7 @@ include_once("head.inc");
$tab_array[] = array(gettext("Update Rules"), false, "/suricata/suricata_download_updates.php");
$tab_array[] = array(gettext("Alerts"), false, "/suricata/suricata_alerts.php?instance={$id}");
$tab_array[] = array(gettext("Suppress"), false, "/suricata/suricata_suppress.php");
- $tab_array[] = array(gettext("Logs Browser"), false, "/suricata/suricata_logs_browser.php");
+ $tab_array[] = array(gettext("Logs Browser"), false, "/suricata/suricata_logs_browser.php?instance={$id}");
display_top_tabs($tab_array);
echo '</td></tr>';
echo '<tr><td>';
@@ -469,7 +468,7 @@ include_once("head.inc");
<th class="list" align="right"><input type="image" name="import_alias[]" src="../themes/<?= $g['theme'];?>/images/icons/icon_import_alias.gif" width="17"
height="17" border="0" title="<?php echo gettext("Import server configuration from existing Aliases");?>"/>
<input type="image" name="add_libhtp_policy[]" src="../themes/<?= $g['theme'];?>/images/icons/icon_plus.gif" width="17"
- height="17" border="0" title="<?php echo gettext("Add a new server configuration");?>"></a></th>
+ height="17" border="0" title="<?php echo gettext("Add a new server configuration");?>"></th>
</tr>
</thead>
<?php foreach ($pconfig['libhtp_policy']['item'] as $f => $v): ?>
@@ -482,7 +481,7 @@ include_once("head.inc");
<?php if ($v['bind_to'] <> "all") : ?>
<input type="image" name="del_libhtp_policy[]" value="<?=$f;?>" onclick="document.getElementById('eng_id').value='<?=$f;?>';return confirm('Are you sure you want to delete this entry?');"
src="/themes/<?=$g['theme'];?>/images/icons/icon_x.gif" width="17" height="17" border="0"
- title="<?=gettext("Delete this server configuration");?>"></a>
+ title="<?=gettext("Delete this server configuration");?>">
<?php else : ?>
<img src="/themes/<?=$g['theme'];?>/images/icons/icon_x_d.gif" width="17" height="17" border="0"
title="<?=gettext("Default server configuration cannot be deleted");?>">
diff --git a/config/suricata/suricata_check_cron_misc.inc b/config/suricata/suricata_check_cron_misc.inc
index 88dfd5ff..2fdc7832 100644
--- a/config/suricata/suricata_check_cron_misc.inc
+++ b/config/suricata/suricata_check_cron_misc.inc
@@ -68,7 +68,7 @@ if ($suricatalogdirsizeKB > 0 && $suricatalogdirsizeKB > $suricataloglimitsizeKB
/* Clean-up the logs for each configured Suricata instance */
foreach ($config['installedpackages']['suricata']['rule'] as $value) {
- $if_real = suricata_get_real_interface($value['interface']);
+ $if_real = get_real_interface($value['interface']);
$suricata_uuid = $value['uuid'];
$suricata_log_dir = SURICATALOGDIR . "suricata_{$if_real}{$suricata_uuid}";
log_error(gettext("[Suricata] Truncating logs for {$value['descr']} ({$if_real})..."));
diff --git a/config/suricata/suricata_check_for_rule_updates.php b/config/suricata/suricata_check_for_rule_updates.php
index 280add7a..3cf6b84b 100644
--- a/config/suricata/suricata_check_for_rule_updates.php
+++ b/config/suricata/suricata_check_for_rule_updates.php
@@ -434,7 +434,7 @@ if ($emergingthreats == 'on') {
// The code below renames ET files with a prefix, so we
// skip renaming the Suricata default events rule files
// that are also bundled in the ET rules.
- $default_rules = array( "decoder-events.rules", "files.rules", "http-events.rules", "smtp-events.rules", "stream-events.rules" );
+ $default_rules = array( "decoder-events.rules", "files.rules", "http-events.rules", "smtp-events.rules", "stream-events.rules", "tls-events.rules" );
$files = glob("{$tmpfname}/emerging/rules/*.rules");
// Determine the correct prefix to use based on which
// Emerging Threats rules package is enabled.
@@ -656,17 +656,38 @@ if ($snortdownload == 'on' || $emergingthreats == 'on' || $snortcommunityrules =
$rebuild_rules = false;
/* Restart Suricata if already running and we are not rebooting to pick up the new rules. */
- if (is_process_running("suricata") && !$g['booting']) {
- if ($pkg_interface <> "console") {
- update_status(gettext('Restarting Suricata to activate the new set of rules...'));
- update_output_window(gettext("Please wait ... restarting Suricata will take some time..."));
+ if (is_process_running("suricata") && !$g['booting'] &&
+ !empty($config['installedpackages']['suricata']['rule'])) {
+
+ // See if "Live Reload" is configured and signal each Suricata instance
+ // if enabled, else just do a hard restart of all the instances.
+ if ($config['installedpackages']['suricata']['config'][0]['live_swap_updates'] == 'on') {
+ if ($pkg_interface <> "console") {
+ update_status(gettext('Signalling Suricata to live-load the new set of rules...'));
+ update_output_window(gettext("Please wait ... the process should complete in a few seconds..."));
+ }
+ log_error(gettext("[Suricata] Live-Reload of rules from auto-update is enabled..."));
+ error_log(gettext("\tLive-Reload of updated rules is enabled...\n"), 3, $suricata_rules_upd_log);
+ foreach ($config['installedpackages']['suricata']['rule'] as $value) {
+ $if_real = get_real_interface($value['interface']);
+ suricata_reload_config($value);
+ error_log(gettext("\tLive swap of updated rules requested for " . convert_friendly_interface_to_friendly_descr($value['interface']) . ".\n"), 3, $suricata_rules_upd_log);
+ }
+ log_error(gettext("[Suricata] Live-Reload of updated rules completed..."));
+ error_log(gettext("\tLive-Reload of the updated rules is complete.\n"), 3, $suricata_rules_upd_log);
+ }
+ else {
+ if ($pkg_interface <> "console") {
+ update_status(gettext('Restarting Suricata to activate the new set of rules...'));
+ update_output_window(gettext("Please wait ... restarting Suricata will take some time..."));
+ }
+ error_log(gettext("\tRestarting Suricata to activate the new set of rules...\n"), 3, $suricata_rules_upd_log);
+ restart_service("suricata");
+ if ($pkg_interface <> "console")
+ update_output_window(gettext("Suricata has restarted with your new set of rules..."));
+ log_error(gettext("[Suricata] Suricata has restarted with your new set of rules..."));
+ error_log(gettext("\tSuricata has restarted with your new set of rules.\n"), 3, $suricata_rules_upd_log);
}
- error_log(gettext("\tRestarting Suricata to activate the new set of rules...\n"), 3, $suricata_rules_upd_log);
- restart_service("suricata");
- if ($pkg_interface <> "console")
- update_output_window(gettext("Suricata has restarted with your new set of rules..."));
- log_error(gettext("[Suricata] Suricata has restarted with your new set of rules..."));
- error_log(gettext("\tSuricata has restarted with your new set of rules.\n"), 3, $suricata_rules_upd_log);
}
else {
if ($pkg_interface <> "console")
@@ -676,13 +697,17 @@ if ($snortdownload == 'on' || $emergingthreats == 'on' || $snortcommunityrules =
// Remove old $tmpfname files
if (is_dir("{$tmpfname}")) {
- if ($pkg_interface <> "console")
+ if ($pkg_interface <> "console") {
update_status(gettext("Cleaning up after rules extraction..."));
+ update_output_window(gettext("Removing {$tmpfname} directory..."));
+ }
exec("/bin/rm -r {$tmpfname}");
}
-if ($pkg_interface <> "console")
+if ($pkg_interface <> "console") {
update_status(gettext("The Rules update has finished..."));
+ update_output_window("");
+}
log_error(gettext("[Suricata] The Rules update has finished."));
error_log(gettext("The Rules update has finished. Time: " . date("Y-m-d H:i:s"). "\n\n"), 3, $suricata_rules_upd_log);
conf_mount_ro();
diff --git a/config/suricata/suricata_define_vars.php b/config/suricata/suricata_define_vars.php
index b1cbfee9..e130e555 100644
--- a/config/suricata/suricata_define_vars.php
+++ b/config/suricata/suricata_define_vars.php
@@ -162,7 +162,7 @@ if ($savemsg)
$tab_array[] = array(gettext("Update Rules"), false, "/suricata/suricata_download_updates.php");
$tab_array[] = array(gettext("Alerts"), false, "/suricata/suricata_alerts.php?instance={$id}");
$tab_array[] = array(gettext("Suppress"), false, "/suricata/suricata_suppress.php");
- $tab_array[] = array(gettext("Logs Browser"), false, "/suricata/suricata_logs_browser.php");
+ $tab_array[] = array(gettext("Logs Browser"), false, "/suricata/suricata_logs_browser.php?instance={$id}");
display_top_tabs($tab_array);
echo '</td></tr>';
echo '<tr><td class="tabnavtbl">';
diff --git a/config/suricata/suricata_flow_stream.php b/config/suricata/suricata_flow_stream.php
index 6c081fa8..1a65ddfd 100644
--- a/config/suricata/suricata_flow_stream.php
+++ b/config/suricata/suricata_flow_stream.php
@@ -299,15 +299,14 @@ elseif ($_POST['save']) {
/**************************************************/
/* If we have a valid rule ID, save configuration */
- /* then update the suricata.conf file and rebuild */
- /* the rules for this interface. */
+ /* then update the suricata.conf file for this */
+ /* interface. */
/**************************************************/
if (isset($id) && $a_nat[$id]) {
$a_nat[$id] = $natent;
write_config();
- $rebuild_rules = true;
- suricata_generate_yaml($natent);
$rebuild_rules = false;
+ suricata_generate_yaml($natent);
}
header( 'Expires: Sat, 26 Jul 1997 05:00:00 GMT' );
@@ -443,7 +442,7 @@ include_once("head.inc");
$tab_array[] = array(gettext("Update Rules"), false, "/suricata/suricata_download_updates.php");
$tab_array[] = array(gettext("Alerts"), false, "/suricata/suricata_alerts.php?instance={$id}");
$tab_array[] = array(gettext("Suppress"), false, "/suricata/suricata_suppress.php");
- $tab_array[] = array(gettext("Logs Browser"), false, "/suricata/suricata_logs_browser.php");
+ $tab_array[] = array(gettext("Logs Browser"), false, "/suricata/suricata_logs_browser.php?instance={$id}");
display_top_tabs($tab_array);
echo '</td></tr>';
echo '<tr><td>';
diff --git a/config/suricata/suricata_global.php b/config/suricata/suricata_global.php
index 3ba84736..99abc49b 100644
--- a/config/suricata/suricata_global.php
+++ b/config/suricata/suricata_global.php
@@ -45,6 +45,7 @@ $pconfig['suricataloglimit'] = $config['installedpackages']['suricata']['config'
$pconfig['suricataloglimitsize'] = $config['installedpackages']['suricata']['config'][0]['suricataloglimitsize'];
$pconfig['autoruleupdate'] = $config['installedpackages']['suricata']['config'][0]['autoruleupdate'];
$pconfig['autoruleupdatetime'] = $config['installedpackages']['suricata']['config'][0]['autoruleupdatetime'];
+$pconfig['live_swap_updates'] = $config['installedpackages']['suricata']['config'][0]['live_swap_updates'];
$pconfig['log_to_systemlog'] = $config['installedpackages']['suricata']['config'][0]['log_to_systemlog'];
$pconfig['clearlogs'] = $config['installedpackages']['suricata']['config'][0]['clearlogs'];
$pconfig['forcekeepsettings'] = $config['installedpackages']['suricata']['config'][0]['forcekeepsettings'];
@@ -137,6 +138,7 @@ if (!$input_errors) {
}
$config['installedpackages']['suricata']['config'][0]['autoruleupdatetime'] = str_pad($_POST['autoruleupdatetime'], 4, "0", STR_PAD_LEFT);
$config['installedpackages']['suricata']['config'][0]['log_to_systemlog'] = $_POST['log_to_systemlog'] ? 'on' : 'off';
+ $config['installedpackages']['suricata']['config'][0]['live_swap_updates'] = $_POST['live_swap_updates'] ? 'on' : 'off';
$config['installedpackages']['suricata']['config'][0]['clearlogs'] = $_POST['clearlogs'] ? 'on' : 'off';
$config['installedpackages']['suricata']['config'][0]['forcekeepsettings'] = $_POST['forcekeepsettings'] ? 'on' : 'off';
@@ -185,7 +187,7 @@ if ($input_errors)
$tab_array[] = array(gettext("Suricata Interfaces"), false, "/suricata/suricata_interfaces.php");
$tab_array[] = array(gettext("Global Settings"), true, "/suricata/suricata_global.php");
$tab_array[] = array(gettext("Update Rules"), false, "/suricata/suricata_download_updates.php");
- $tab_array[] = array(gettext("Alerts"), false, "/suricata/suricata_alerts.php?instance={$instanceid}");
+ $tab_array[] = array(gettext("Alerts"), false, "/suricata/suricata_alerts.php");
$tab_array[] = array(gettext("Suppress"), false, "/suricata/suricata_suppress.php");
$tab_array[] = array(gettext("Logs Browser"), false, "/suricata/suricata_logs_browser.php");
display_top_tabs($tab_array);
@@ -204,13 +206,13 @@ if ($input_errors)
<table width="100%" border="0" cellpadding="2" cellspacing="0">
<tr>
<td valign="top" width="8%"><input name="enable_etopen_rules" type="checkbox" value="on" onclick="enable_et_rules();"
- <?php if ($config['installedpackages']['suricata']['config'][0]['enable_etopen_rules']=="on") echo "checked"; ?>></td>
+ <?php if ($config['installedpackages']['suricata']['config'][0]['enable_etopen_rules']=="on") echo "checked"; ?>/></td>
<td><span class="vexpl"><?php echo gettext("ETOpen is an open source set of Snort rules whose coverage " .
"is more limited than ETPro."); ?></span></td>
</tr>
<tr>
<td valign="top" width="8%"><input name="enable_etpro_rules" type="checkbox" value="on" onclick="enable_pro_rules();"
- <?php if ($config['installedpackages']['suricata']['config'][0]['enable_etpro_rules']=="on") echo "checked"; ?>></td>
+ <?php if ($config['installedpackages']['suricata']['config'][0]['enable_etpro_rules']=="on") echo "checked"; ?>/></td>
<td><span class="vexpl"><?php echo gettext("ETPro for Snort offers daily updates and extensive coverage of current malware threats."); ?></span></td>
</tr>
<tr>
@@ -232,9 +234,8 @@ if ($input_errors)
</tr>
<tr>
<td valign="top"><span class="vexpl"><strong><?php echo gettext("Code:"); ?></strong></span></td>
- <td><input name="etprocode" type="text"
- class="formfld unknown" id="etprocode" size="52"
- value="<?=htmlspecialchars($pconfig['etprocode']);?>"><br/>
+ <td><input name="etprocode" type="text" class="formfld unknown" id="etprocode" size="52"
+ value="<?=htmlspecialchars($pconfig['etprocode']);?>"/><br/>
<?php echo gettext("Obtain an ETPro subscription code and paste it here."); ?></td>
</tr>
</table>
@@ -246,7 +247,7 @@ if ($input_errors)
<table width="100%" border="0" cellpadding="2" cellspacing="0">
<tr>
<td><input name="enable_vrt_rules" type="checkbox" id="enable_vrt_rules" value="on" onclick="enable_snort_vrt();"
- <?php if($pconfig['enable_vrt_rules']=='on') echo 'checked'; ?>></td>
+ <?php if($pconfig['enable_vrt_rules']=='on') echo 'checked'; ?>/></td>
<td><span class="vexpl"><?php echo gettext("Snort VRT free Registered User or paid Subscriber rules"); ?></span></td>
<tr>
<td>&nbsp;</td>
@@ -264,9 +265,8 @@ if ($input_errors)
</tr>
<tr>
<td valign="top"><span class="vexpl"><strong><?php echo gettext("Code:"); ?></strong></span></td>
- <td><input name="oinkcode" type="text"
- class="formfld unknown" id="oinkcode" size="52"
- value="<?=htmlspecialchars($pconfig['oinkcode']);?>"><br/>
+ <td><input name="oinkcode" type="text" class="formfld unknown" id="oinkcode" size="52"
+ value="<?=htmlspecialchars($pconfig['oinkcode']);?>"/><br/>
<?php echo gettext("Obtain a snort.org Oinkmaster code and paste it here."); ?></td>
</tr>
</table>
@@ -277,7 +277,7 @@ if ($input_errors)
<table width="100%" border="0" cellpadding="2" cellspacing="0">
<tr>
<td valign="top" width="8%"><input name="snortcommunityrules" type="checkbox" value="on"
- <?php if ($config['installedpackages']['suricata']['config'][0]['snortcommunityrules']=="on") echo "checked";?> ></td>
+ <?php if ($config['installedpackages']['suricata']['config'][0]['snortcommunityrules']=="on") echo " checked";?>/></td>
<td class="vexpl"><?php echo gettext("The Snort Community Ruleset is a GPLv2 VRT certified ruleset that is distributed free of charge " .
"without any VRT License restrictions. This ruleset is updated daily and is a subset of the subscriber ruleset.");?>
<br/><br/><?php echo "<span class=\"red\"><strong>" . gettext("Note: ") . "</strong></span>" .
@@ -300,20 +300,27 @@ if ($input_errors)
<?php if ($iface3 == $pconfig['autoruleupdate']) echo "selected"; ?>>
<?=htmlspecialchars($ifacename3);?></option>
<?php endforeach; ?>
- </select><span class="vexpl">&nbsp;&nbsp;<?php echo gettext("Please select the interval for rule updates. Choosing ") .
+ </select>&nbsp;&nbsp;<?php echo gettext("Please select the interval for rule updates. Choosing ") .
"<strong>" . gettext("NEVER") . "</strong>" . gettext(" disables auto-updates."); ?><br/><br/>
- <?php echo "<span class=\"red\"><strong>" . gettext("Hint: ") . "</strong></span>" . gettext("in most cases, every 12 hours is a good choice."); ?></span></td>
+ <?php echo "<span class=\"red\"><strong>" . gettext("Hint: ") . "</strong></span>" . gettext("in most cases, every 12 hours is a good choice."); ?></td>
</tr>
<tr>
<td width="22%" valign="top" class="vncell"><?php echo gettext("Update Start Time"); ?></td>
<td width="78%" class="vtable"><input type="text" class="formfld time" name="autoruleupdatetime" id="autoruleupdatetime" size="4"
- maxlength="5" value="<?=$pconfig['autoruleupdatetime'];?>" <?php if ($pconfig['autoruleupdate'] == "never_up") {echo "disabled";} ?>><span class="vexpl">&nbsp;&nbsp;
- <?php echo gettext("Enter the rule update start time in 24-hour format (HH:MM). ") . "<strong>" .
- gettext("Default") . "&nbsp;</strong>" . gettext("is ") . "<strong>" . gettext("00:03") . "</strong></span>"; ?>.<br/><br/>
+ maxlength="5" value="<?=$pconfig['autoruleupdatetime'];?>" <?php if ($pconfig['autoruleupdate'] == "never_up") {echo "disabled";} ?>/>&nbsp;&nbsp;
+ <?php echo gettext("Enter the rule update start time in 24-hour format (HH:MM). Default is ") . "<strong>" . gettext("00:03") . "</strong>"; ?>.<br/><br/>
<?php echo gettext("Rules will update at the interval chosen above starting at the time specified here. For example, using the default " .
"start time of 00:03 and choosing 12 Hours for the interval, the rules will update at 00:03 and 12:03 each day."); ?></td>
</tr>
<tr>
+ <td width="22%" valign="top" class="vncell"><?php echo gettext("Live Rule Swap on Update"); ?></td>
+ <td width="78%" class="vtable"><input name="live_swap_updates" id="live_swap_updates" type="checkbox" value="yes"
+ <?php if ($config['installedpackages']['suricata']['config'][0]['live_swap_updates']=="on") echo " checked"; ?>/>
+ &nbsp;<?php echo gettext("Enable \"Live Swap\" reload of rules after downloading an update. Default is ") . "<strong>" . gettext("Not Checked") . "</strong>"; ?><br/><br/>
+ <?php echo gettext("When enabled, Suricata will perform a live load of the new rules following an update instead of a hard restart. " .
+ "If issues are encountered with live load, uncheck this option to perform a hard restart of all Suricata instances following an update."); ?></td>
+</tr>
+<tr>
<td colspan="2" valign="top" class="listtopic"><?php echo gettext("General Settings"); ?></td>
</tr>
<tr>
@@ -328,12 +335,12 @@ if ($input_errors)
<table cellpadding="0" cellspacing="0">
<tr>
<td colspan="2"><input name="suricataloglimit" type="radio" id="suricataloglimit" value="on"
- <?php if($pconfig['suricataloglimit']=='on') echo 'checked'; ?>><span class="vexpl">
+ <?php if($pconfig['suricataloglimit']=='on') echo 'checked'; ?>/><span class="vexpl">
<strong><?php echo gettext("Enable"); ?></strong> <?php echo gettext("directory size limit"); ?> (<strong><?php echo gettext("Default"); ?></strong>)</span></td>
</tr>
<tr>
<td colspan="2"><input name="suricataloglimit" type="radio" id="suricataloglimit" value="off"
- <?php if($pconfig['suricataloglimit']=='off') echo 'checked'; ?>> <span class="vexpl"><strong><?php echo gettext("Disable"); ?></strong>
+ <?php if($pconfig['suricataloglimit']=='off') echo 'checked'; ?>/> <span class="vexpl"><strong><?php echo gettext("Disable"); ?></strong>
<?php echo gettext("directory size limit"); ?></span><br/>
<br/>
<span class="red"><strong><?php echo gettext("Warning:"); ?></strong></span> <?php echo gettext("Nanobsd " .
@@ -343,7 +350,7 @@ if ($input_errors)
<table width="100%" border="0" cellpadding="2" cellspacing="0">
<tr>
<td class="vexpl"><?php echo gettext("Size in ") . "<strong>" . gettext("MB:") . "</strong>";?>&nbsp;
- <input name="suricataloglimitsize" type="text" class="formfld unknown" id="suricataloglimitsize" size="10" value="<?=htmlspecialchars($pconfig['suricataloglimitsize']);?>">
+ <input name="suricataloglimitsize" type="text" class="formfld unknown" id="suricataloglimitsize" size="10" value="<?=htmlspecialchars($pconfig['suricataloglimitsize']);?>"/>
&nbsp;<?php echo gettext("Default is ") . "<strong>" . gettext("20%") . "</strong>" . gettext(" of available space.");?></td>
</tr>
</table>
@@ -366,24 +373,21 @@ if ($input_errors)
</tr>
<tr>
<td width="22%" valign="top" class="vncell"><?php echo gettext("Log to System Log"); ?></td>
- <td width="78%" class="vtable"><input name="log_to_systemlog"
- id="log_to_systemlog" type="checkbox" value="yes"
- <?php if ($config['installedpackages']['suricata']['config'][0]['log_to_systemlog']=="on") echo "checked"; ?>
- >&nbsp;<?php echo gettext("Copy Suricata messages to the firewall system log."); ?></td>
+ <td width="78%" class="vtable"><input name="log_to_systemlog" id="log_to_systemlog" type="checkbox" value="yes"
+ <?php if ($config['installedpackages']['suricata']['config'][0]['log_to_systemlog']=="on") echo " checked"; ?>/>&nbsp;
+ <?php echo gettext("Copy Suricata messages to the firewall system log."); ?></td>
</tr>
<tr>
<td width="22%" valign="top" class="vncell"><?php echo gettext("Remove Suricata Log Files After Deinstall"); ?></td>
- <td width="78%" class="vtable"><input name="clearlogs"
- id="clearlogs" type="checkbox" value="yes"
- <?php if ($config['installedpackages']['suricata']['config'][0]['clearlogs']=="on") echo "checked"; ?>
- >&nbsp;<?php echo gettext("Suricata log files will be removed during package deinstallation."); ?></td>
+ <td width="78%" class="vtable"><input name="clearlogs" id="clearlogs" type="checkbox" value="yes"
+ <?php if ($config['installedpackages']['suricata']['config'][0]['clearlogs']=="on") echo " checked"; ?>/>&nbsp;
+ <?php echo gettext("Suricata log files will be removed during package deinstallation."); ?></td>
</tr>
<tr>
<td width="22%" valign="top" class="vncell"><?php echo gettext("Keep Suricata Settings After Deinstall"); ?></td>
- <td width="78%" class="vtable"><input name="forcekeepsettings"
- id="forcekeepsettings" type="checkbox" value="yes"
- <?php if ($config['installedpackages']['suricata']['config'][0]['forcekeepsettings']=="on") echo "checked"; ?>
- >&nbsp;<?php echo gettext("Settings will not be removed during package deinstallation."); ?></td>
+ <td width="78%" class="vtable"><input name="forcekeepsettings" id="forcekeepsettings" type="checkbox" value="yes"
+ <?php if ($config['installedpackages']['suricata']['config'][0]['forcekeepsettings']=="on") echo " checked"; ?>/>&nbsp;
+ <?php echo gettext("Settings will not be removed during package deinstallation."); ?></td>
</tr>
<tr>
<td colspan="2" align="center"><input name="save" type="submit" class="formbtn" value="Save"/></td>
diff --git a/config/suricata/suricata_interfaces.php b/config/suricata/suricata_interfaces.php
index 88b426ba..50ca99c1 100644
--- a/config/suricata/suricata_interfaces.php
+++ b/config/suricata/suricata_interfaces.php
@@ -36,10 +36,10 @@ $suricatadir = SURICATADIR;
$suricatalogdir = SURICATALOGDIR;
$rcdir = RCFILEPREFIX;
-if ($_POST['id'] && is_numeric($_POST['id']))
+if ($_POST['id'])
$id = $_POST['id'];
else
- $id = "";
+ $id = 0;
if (!is_array($config['installedpackages']['suricata']['rule']))
$config['installedpackages']['suricata']['rule'] = array();
@@ -47,32 +47,15 @@ $a_nat = &$config['installedpackages']['suricata']['rule'];
$id_gen = count($config['installedpackages']['suricata']['rule']);
if ($_POST['del_x']) {
- /* delete selected rules */
+ /* delete selected interfaces */
if (is_array($_POST['rule'])) {
conf_mount_rw();
foreach ($_POST['rule'] as $rulei) {
- /* convert fake interfaces to real */
$if_real = get_real_interface($a_nat[$rulei]['interface']);
$suricata_uuid = $a_nat[$rulei]['uuid'];
suricata_stop($a_nat[$rulei], $if_real);
exec("/bin/rm -r {$suricatalogdir}suricata_{$if_real}{$suricata_uuid}");
exec("/bin/rm -r {$suricatadir}suricata_{$suricata_uuid}_{$if_real}");
-
- // If interface had auto-generated Suppress List, then
- // delete that along with the interface
- $autolist = "{$a_nat[$rulei]['interface']}" . "suppress";
- if (is_array($config['installedpackages']['suricata']['suppress']) &&
- is_array($config['installedpackages']['suricata']['suppress']['item'])) {
- $a_suppress = &$config['installedpackages']['suricata']['suppress']['item'];
- foreach ($a_suppress as $k => $i) {
- if ($i['name'] == $autolist) {
- unset($config['installedpackages']['suricata']['suppress']['item'][$k]);
- break;
- }
- }
- }
-
- // Finally delete the interface's config entry entirely
unset($a_nat[$rulei]);
}
conf_mount_ro();
@@ -106,12 +89,12 @@ if ($_POST['del_x']) {
}
/* start/stop Barnyard2 */
-if ($_POST['bartoggle'] && is_numeric($id)) {
+if ($_POST['bartoggle']) {
$suricatacfg = $config['installedpackages']['suricata']['rule'][$id];
$if_real = get_real_interface($suricatacfg['interface']);
$if_friendly = convert_friendly_interface_to_friendly_descr($suricatacfg['interface']);
- if (suricata_is_running($suricatacfg['uuid'], $if_real, 'barnyard2') == 'no') {
+ if (!suricata_is_running($suricatacfg['uuid'], $if_real, 'barnyard2')) {
log_error("Toggle (barnyard starting) for {$if_friendly}({$suricatacfg['descr']})...");
sync_suricata_package_config();
suricata_barnyard_start($suricatacfg, $if_real);
@@ -126,12 +109,12 @@ if ($_POST['bartoggle'] && is_numeric($id)) {
}
/* start/stop Suricata */
-if ($_POST['toggle'] && is_numeric($id)) {
+if ($_POST['toggle']) {
$suricatacfg = $config['installedpackages']['suricata']['rule'][$id];
$if_real = get_real_interface($suricatacfg['interface']);
$if_friendly = convert_friendly_interface_to_friendly_descr($suricatacfg['interface']);
- if (suricata_is_running($suricatacfg['uuid'], $if_real) == 'yes') {
+ if (suricata_is_running($suricatacfg['uuid'], $if_real)) {
log_error("Toggle (suricata stopping) for {$if_friendly}({$suricatacfg['descr']})...");
suricata_stop($suricatacfg, $if_real);
} else {
@@ -151,8 +134,9 @@ if ($_POST['toggle'] && is_numeric($id)) {
header("Location: /suricata/suricata_interfaces.php");
exit;
}
-
-$pgtitle = "Services: Suricata Intrusion Detection System";
+$suri_bin_ver = SURICATA_VER;
+$suri_pkg_ver = SURICATA_PKG_VER;
+$pgtitle = "Services: Suricata {$suri_bin_ver} pkg {$suri_pkg_ver} - Intrusion Detection System";
include_once("head.inc");
?>
@@ -203,7 +187,7 @@ include_once("head.inc");
</colgroup>
<thead>
<tr id="frheader">
- <th class="list">&nbsp;</td>
+ <th class="list">&nbsp;</th>
<th class="listhdrr"><?php echo gettext("Interface"); ?></th>
<th class="listhdrr"><?php echo gettext("Suricata"); ?></th>
<th class="listhdrr"><?php echo gettext("Pattern Matcher"); ?></th>
@@ -240,7 +224,7 @@ include_once("head.inc");
$if_real = get_real_interface($natent['interface']);
$natend_friendly= convert_friendly_interface_to_friendly_descr($natent['interface']);
$suricata_uuid = $natent['uuid'];
- if (suricata_is_running($suricata_uuid, $if_real) == 'no'){
+ if (!suricata_is_running($suricata_uuid, $if_real)){
$iconfn = 'block';
$iconfn_msg1 = 'Suricata is not running on ';
$iconfn_msg2 = '. Click to start.';
@@ -250,7 +234,7 @@ include_once("head.inc");
$iconfn_msg1 = 'Suricata is running on ';
$iconfn_msg2 = '. Click to stop.';
}
- if (suricata_is_running($suricata_uuid, $if_real, 'barnyard2') == 'no'){
+ if (!suricata_is_running($suricata_uuid, $if_real, 'barnyard2')){
$biconfn = 'block';
$biconfn_msg1 = 'Barnyard2 is not running on ';
$biconfn_msg2 = '. Click to start.';
diff --git a/config/suricata/suricata_interfaces_edit.php b/config/suricata/suricata_interfaces_edit.php
index 6dbf9412..d7b5a8cb 100644
--- a/config/suricata/suricata_interfaces_edit.php
+++ b/config/suricata/suricata_interfaces_edit.php
@@ -40,9 +40,9 @@ if (!is_array($config['installedpackages']['suricata']['rule']))
$config['installedpackages']['suricata']['rule'] = array();
$a_rule = &$config['installedpackages']['suricata']['rule'];
-if ($_GET['id'] && is_numeric($_GET['id']));
+if ($_GET['id']);
$id = htmlspecialchars($_GET['id'], ENT_QUOTES | ENT_HTML401);
-if ($_POST['id'] && is_numeric($_POST['id']))
+if ($_POST['id'])
$id = $_POST['id'];
if (is_null($id))
$id = 0;
@@ -130,8 +130,8 @@ if ($_POST["save"]) {
if (!$_POST['interface'])
$input_errors[] = gettext("Choosing an Interface is mandatory!");
- if ($_POST['max_pending_packets'] < 1 || $_POST['max_pending_packets'] > 65535)
- $input_errors[] = gettext("The value for Maximum-Pending-Packets must be between 1 and 65,535!");
+ if ($_POST['max_pending_packets'] < 1 || $_POST['max_pending_packets'] > 65000)
+ $input_errors[] = gettext("The value for Maximum-Pending-Packets must be between 1 and 65,000!");
if (!empty($_POST['max_pcap_log_size']) && !is_numeric($_POST['max_pcap_log_size']))
$input_errors[] = gettext("The value for 'Max Packet Log Size' must be numbers only. Do not include any alphabetic characters.");
@@ -146,15 +146,6 @@ if ($_POST["save"]) {
$natent['enable'] = $_POST['enable'] ? 'on' : 'off';
$natent['uuid'] = $pconfig['uuid'];
- // See if the HOME_NET, EXTERNAL_NET, or SUPPRESS LIST values were changed
- $suricata_reload = false;
- if ($_POST['homelistname'] && ($_POST['homelistname'] <> $natent['homelistname']))
- $suricata_reload = true;
- if ($_POST['externallistname'] && ($_POST['externallistname'] <> $natent['externallistname']))
- $suricata_reload = true;
- if ($_POST['suppresslistname'] && ($_POST['suppresslistname'] <> $natent['suppresslistname']))
- $suricata_reload = true;
-
if ($_POST['descr']) $natent['descr'] = $_POST['descr']; else $natent['descr'] = strtoupper($natent['interface']);
if ($_POST['max_pcap_log_size']) $natent['max_pcap_log_size'] = $_POST['max_pcap_log_size']; else unset($natent['max_pcap_log_size']);
if ($_POST['max_pcap_log_files']) $natent['max_pcap_log_files'] = $_POST['max_pcap_log_files']; else unset($natent['max_pcap_log_files']);
@@ -253,7 +244,7 @@ if ($_POST["save"]) {
$natent['libhtp_policy']['item'][] = $default;
// Enable the basic default rules for the interface
- $natent['rulesets'] = "decoder-events.rules||files.rules||http-events.rules||smtp-events.rules||stream-events.rules";
+ $natent['rulesets'] = "decoder-events.rules||files.rules||http-events.rules||smtp-events.rules||stream-events.rules||tls-events.rules";
// Adding a new interface, so set flag to build new rules
$rebuild_rules = true;
@@ -272,15 +263,6 @@ if ($_POST["save"]) {
// Update suricata.conf and suricata.sh files for this interface
sync_suricata_package_config();
- /*******************************************************/
- /* Signal Suricata to reload configuration if we changed */
- /* HOME_NET, EXTERNAL_NET or Suppress list values. */
- /* The function only signals a running Suricata instance */
- /* to safely reload these parameters. */
- /*******************************************************/
- if ($suricata_reload == true)
- suricata_reload_config($natent, "USR2");
-
header( 'Expires: Sat, 26 Jul 1997 05:00:00 GMT' );
header( 'Last-Modified: ' . gmdate( 'D, d M Y H:i:s' ) . ' GMT' );
header( 'Cache-Control: no-store, no-cache, must-revalidate' );
@@ -319,7 +301,7 @@ if ($savemsg) {
$tab_array[] = array(gettext("Update Rules"), false, "/suricata/suricata_download_updates.php");
$tab_array[] = array(gettext("Alerts"), false, "/suricata/suricata_alerts.php?instance={$id}");
$tab_array[] = array(gettext("Suppress"), false, "/suricata/suricata_suppress.php");
- $tab_array[] = array(gettext("Logs Browser"), false, "/suricata/suricata_logs_browser.php");
+ $tab_array[] = array(gettext("Logs Browser"), false, "/suricata/suricata_logs_browser.php?instance={$id}");
display_top_tabs($tab_array);
echo '</td></tr>';
echo '<tr><td class="tabnavtbl">';
@@ -521,7 +503,9 @@ if ($savemsg) {
<td width="78%" class="vtable"><input name="max_pending_packets" type="text"
class="formfld unknown" id="max_pending_packets" size="8" value="<?=htmlspecialchars($pconfig['max_pending_packets']); ?>"/>&nbsp;
<?php echo gettext("Enter number of simultaneous packets to process. Default is ") . "<strong>" .
- gettext("1024") . "</strong>."; ?><br/><br/><?php echo gettext("Minimum value is 1 and the maximum value is 65,535.") ?></td>
+ gettext("1024") . "</strong>."; ?><br/><br/><?php echo gettext("This controls the number simultaneous packets the engine can handle. ") .
+ gettext("Setting this higher generally keeps the threads more busy. The minimum value is 1 and the maximum value is 65,000. ") . "<br/><span class='red'><strong>" .
+ gettext("Warning: ") . "</strong></span>" . gettext("Setting this too high can lead to degradation and a possible system crash by exhausting available memory.") ?></td>
</tr>
<tr>
<td width="22%" valign="top" class="vncell"><?php echo gettext("Detect-Engine Profile"); ?></td>
@@ -557,7 +541,7 @@ if ($savemsg) {
</select>&nbsp;&nbsp;
<?php echo gettext("Choose a multi-pattern matcher (MPM) algorithm. ") . "<strong>" . gettext("Default") .
"</strong>" . gettext(" is ") . "<strong>" . gettext("AC") . "</strong>"; ?>.<br/><br/>
- <?php echo gettext("AC is recommended for most systems. "); ?>
+ <?php echo gettext("AC is the default, and is the best choice for almost all systems."); ?>
<br/></td>
</tr>
<tr>
@@ -587,7 +571,7 @@ if ($savemsg) {
gettext("3000") . "</strong>."; ?><br/><br/><?php echo gettext("When set to 0 an internal default is used. When left blank there is no recursion limit.") ?></td>
</tr>
<tr>
- <td colspan="2" class="listtopic"><?php echo gettext("Networks " . "Suricata Should Inspect and Whitelist"); ?></td>
+ <td colspan="2" class="listtopic"><?php echo gettext("Networks " . "Suricata Should Inspect and Protect"); ?></td>
</tr>
<tr>
<td width="22%" valign="top" class="vncell"><?php echo gettext("Home Net"); ?></td>
diff --git a/config/suricata/suricata_libhtp_policy_engine.php b/config/suricata/suricata_libhtp_policy_engine.php
index 01f6b9e8..1a3c7455 100644
--- a/config/suricata/suricata_libhtp_policy_engine.php
+++ b/config/suricata/suricata_libhtp_policy_engine.php
@@ -53,9 +53,7 @@
**************************************************************************************/
?>
-<tr>
-<td class="tabcont">
-<table width="100%" border="0" cellpadding="6" cellspacing="0">
+<table class="tabcont" width="100%" border="0" cellpadding="6" cellspacing="0">
<tr>
<td colspan="2" valign="middle" class="listtopic"><?php echo gettext("Suricata Target-Based HTTP Server Policy Configuration"); ?></td>
</tr>
@@ -163,8 +161,6 @@
gettext("Cancel changes and return to App Parsers tab"); ?>"></td>
</tr>
</table>
-</td>
-</tr>
<script type="text/javascript" src="/javascript/autosuggest.js">
</script>
diff --git a/config/suricata/suricata_os_policy_engine.php b/config/suricata/suricata_os_policy_engine.php
index ea539e92..c9360901 100644
--- a/config/suricata/suricata_os_policy_engine.php
+++ b/config/suricata/suricata_os_policy_engine.php
@@ -49,9 +49,7 @@
**************************************************************************************/
?>
-<tr>
-<td class="tabcont">
-<table width="100%" border="0" cellpadding="6" cellspacing="0">
+<table class="tabcont" width="100%" border="0" cellpadding="6" cellspacing="0">
<tr>
<td colspan="2" align="center" class="listtopic"><?php echo gettext("Suricata Target-Based Host OS Policy Engine Configuration"); ?></td>
</tr>
@@ -120,8 +118,6 @@
gettext("Cancel changes and return to Flow/Stream tab"); ?>"></td>
</tr>
</table>
-</td>
-</tr>
<script type="text/javascript" src="/javascript/autosuggest.js">
</script>
<script type="text/javascript" src="/javascript/suggestions.js">
diff --git a/config/suricata/suricata_rules.php b/config/suricata/suricata_rules.php
index f6457f19..1a0c54b5 100644
--- a/config/suricata/suricata_rules.php
+++ b/config/suricata/suricata_rules.php
@@ -40,8 +40,6 @@ if (!is_array($config['installedpackages']['suricata']['rule']))
$config['installedpackages']['suricata']['rule'] = array();
$a_rule = &$config['installedpackages']['suricata']['rule'];
-log_error(print_r($_POST, true));
-
if ($_GET['id'])
$id = $_GET['id'];
if ($_POST['id'])
@@ -56,19 +54,6 @@ if (isset($id) && $a_rule[$id]) {
$pconfig['customrules'] = base64_decode($a_rule[$id]['customrules']);
}
-function truncate($string, $length) {
-
- /********************************
- * This function truncates the *
- * passed string to the length *
- * specified adding ellipsis if *
- * truncation was necessary. *
- ********************************/
- if (strlen($string) > $length)
- $string = substr($string, 0, ($length - 2)) . "...";
- return $string;
-}
-
function add_title_attribute($tag, $title) {
/********************************
@@ -347,17 +332,6 @@ elseif ($_POST['save']) {
$rebuild_rules = false;
/* Signal Suricata to "live reload" the rules */
suricata_reload_config($a_rule[$id]);
-// $output = "";
-// $retcode = "";
-// exec("/usr/local/bin/suricata -T --init-errors-fatal -c {$suricatacfgdir}/suricata.yaml 2>&1", $output, $retcode);
-// if (intval($retcode) != 0) {
-// $error = "";
-// $start = count($output);
-// $end = $start - 4;
-// for($i = $start; $i > $end; $i--)
-// $error .= $output[$i];
-// $input_errors[] = "Custom rules have errors:\n {$error}";
-// }
}
elseif ($_POST['apply']) {
@@ -411,7 +385,7 @@ if ($savemsg) {
$tab_array[] = array(gettext("Update Rules"), false, "/suricata/suricata_download_updates.php");
$tab_array[] = array(gettext("Alerts"), false, "/suricata/suricata_alerts.php?instance={$id}");
$tab_array[] = array(gettext("Suppress"), false, "/suricata/suricata_suppress.php");
- $tab_array[] = array(gettext("Logs Browser"), false, "/suricata/suricata_logs_browser.php");
+ $tab_array[] = array(gettext("Logs Browser"), false, "/suricata/suricata_logs_browser.php?instance={$id}");
display_top_tabs($tab_array);
echo '</td></tr>';
echo '<tr><td class="tabnavtbl">';
@@ -554,7 +528,6 @@ if ($savemsg) {
<col width="20" align="left" valign="middle">
<col width="6%" align="center" axis="number">
<col width="8%" align="center" axis="number">
- <col width="54" align="center" axis="string">
<col width="52" align="center" axis="string">
<col width="12%" align="center" axis="string">
<col width="9%" align="center" axis="string">
@@ -567,7 +540,6 @@ if ($savemsg) {
<th class="list">&nbsp;</th>
<th class="listhdrr"><?php echo gettext("GID"); ?></th>
<th class="listhdrr"><?php echo gettext("SID"); ?></th>
- <th class="listhdrr"><?php echo gettext("Action"); ?></th>
<th class="listhdrr"><?php echo gettext("Proto"); ?></th>
<th class="listhdrr"><?php echo gettext("Source"); ?></th>
<th class="listhdrr"><?php echo gettext("Port"); ?></th>
@@ -618,17 +590,17 @@ if ($savemsg) {
$tmp = trim(preg_replace('/^\s*#+\s*/', '', $tmp));
$rule_content = preg_split('/[\s]+/', $tmp);
- // Create custom <span> tags for the fields we truncate so we can
+ // Create custom <span> tags for some of the fields so we can
// have a "title" attribute for tooltips to show the full string.
$srcspan = add_title_attribute($textss, $rule_content[2]);
$srcprtspan = add_title_attribute($textss, $rule_content[3]);
$dstspan = add_title_attribute($textss, $rule_content[5]);
$dstprtspan = add_title_attribute($textss, $rule_content[6]);
$protocol = $rule_content[1]; //protocol field
- $source = truncate($rule_content[2], 14); //source field
- $source_port = truncate($rule_content[3], 10); //source port field
- $destination = truncate($rule_content[5], 14); //destination field
- $destination_port = truncate($rule_content[6], 10); //destination port field
+ $source = $rule_content[2]; //source field
+ $source_port = $rule_content[3]; //source port field
+ $destination = $rule_content[5]; //destination field
+ $destination_port = $rule_content[6]; //destination port field
$message = suricata_get_msg($v['rule']);
$sid_tooltip = gettext("View the raw text for this rule");
@@ -638,33 +610,30 @@ if ($savemsg) {
src=\"../themes/{$g['theme']}/images/icons/{$iconb}\" width=\"11\" height=\"11\" border=\"0\"
title='{$title}' name=\"toggle[]\"/>{$textse}
</td>
- <td class=\"listlr\" align=\"center\" style=\"font-size: 10px;\">
+ <td class=\"listlr\" align=\"center\" style=\"font-size: 11px;\" ondblclick=\"wopen('suricata_rules_edit.php?id={$id}&openruleset={$currentruleset}&sid={$sid}&gid={$gid}','FileViewer',800,600);\">
{$textss}{$gid}{$textse}
</td>
- <td class=\"listlr\" align=\"center\" style=\"font-size: 10px;\">
+ <td class=\"listlr\" align=\"center\" style=\"font-size: 11px;\" ondblclick=\"wopen('suricata_rules_edit.php?id={$id}&openruleset={$currentruleset}&sid={$sid}&gid={$gid}','FileViewer',800,600);\">
<a href=\"javascript: void(0)\"
- onclick=\"wopen('suricata_rules_edit.php?id={$id}&openruleset={$currentruleset}&ids={$sid}&gid={$gid}','FileViewer',800,600)\"
+ onclick=\"wopen('suricata_rules_edit.php?id={$id}&openruleset={$currentruleset}&sid={$sid}&gid={$gid}','FileViewer',800,600);\"
title='{$sid_tooltip}'>{$textss}{$sid}{$textse}</a>
</td>
- <td class=\"listlr\" align=\"center\" style=\"font-size: 10px;\">
- {$textss}{$v['action']}{$textse}
- </td>
- <td class=\"listlr\" align=\"center\" style=\"font-size: 10px;\">
+ <td class=\"listlr\" align=\"center\" style=\"font-size: 11px;\" ondblclick=\"wopen('suricata_rules_edit.php?id={$id}&openruleset={$currentruleset}&sid={$sid}&gid={$gid}','FileViewer',800,600);\">
{$textss}{$protocol}{$textse}
</td>
- <td class=\"listlr\" align=\"center\" style=\"font-size: 10px;\">
+ <td class=\"listlr ellipsis\" align=\"center\" style=\"font-size: 11px;\" ondblclick=\"wopen('suricata_rules_edit.php?id={$id}&openruleset={$currentruleset}&sid={$sid}&gid={$gid}','FileViewer',800,600);\">
{$srcspan}{$source}</span>
</td>
- <td class=\"listlr\" align=\"center\" style=\"font-size: 10px;\">
+ <td class=\"listlr ellipsis\" align=\"center\" style=\"font-size: 11px;\" ondblclick=\"wopen('suricata_rules_edit.php?id={$id}&openruleset={$currentruleset}&sid={$sid}&gid={$gid}','FileViewer',800,600);\">
{$srcprtspan}{$source_port}</span>
</td>
- <td class=\"listlr\" align=\"center\" style=\"font-size: 10px;\">
+ <td class=\"listlr ellipsis\" align=\"center\" style=\"font-size: 11px;\" ondblclick=\"wopen('suricata_rules_edit.php?id={$id}&openruleset={$currentruleset}&sid={$sid}&gid={$gid}','FileViewer',800,600);\">
{$dstspan}{$destination}</span>
</td>
- <td class=\"listlr\" align=\"center\" style=\"font-size: 10px;\">
+ <td class=\"listlr ellipsis\" align=\"center\" style=\"font-size: 11px;\" ondblclick=\"wopen('suricata_rules_edit.php?id={$id}&openruleset={$currentruleset}&sid={$sid}&gid={$gid}','FileViewer',800,600);\">
{$dstprtspan}{$destination_port}</span>
</td>
- <td class=\"listbg\" style=\"word-wrap:break-word; whitespace:pre-line; font-size: 10px; font-color: white;\">
+ <td class=\"listbg\" style=\"word-wrap:break-word; whitespace:pre-line; font-size: 11px; font-color: white;\" ondblclick=\"wopen('suricata_rules_edit.php?id={$id}&openruleset={$currentruleset}&sid={$sid}&gid={$gid}','FileViewer',800,600);\">
{$textss}{$message}{$textse}
</td>
</tr>";
diff --git a/config/suricata/suricata_rules_edit.php b/config/suricata/suricata_rules_edit.php
index 0dc4c57b..ad6b2986 100644
--- a/config/suricata/suricata_rules_edit.php
+++ b/config/suricata/suricata_rules_edit.php
@@ -49,12 +49,16 @@ if (isset($id) && $a_rule[$id]) {
$pconfig['interface'] = $a_rule[$id]['interface'];
$pconfig['rulesets'] = $a_rule[$id]['rulesets'];
}
+else {
+ header("Location: /suricata/suricata_interfaces.php");
+ exit;
+}
/* convert fake interfaces to real */
-$if_real = suricata_get_real_interface($pconfig['interface']);
+$if_real = get_real_interface($pconfig['interface']);
$suricata_uuid = $a_rule[$id]['uuid'];
$suricatacfgdir = "{$suricatadir}suricata_{$suricata_uuid}_{$if_real}";
-$file = $_GET['openruleset'];
+$file = htmlspecialchars($_GET['openruleset'], ENT_QUOTES | ENT_HTML401);
$contents = '';
$wrap_flag = "off";
@@ -86,33 +90,26 @@ if (substr($file, 0, 10) == "IPS Policy") {
unset($rules_map);
}
// Is it a SID to load the rule text from?
-elseif (isset($_GET['ids'])) {
+elseif (isset($_GET['sid']) && is_numeric(trim($_GET['sid']))) {
// If flowbit rule, point to interface-specific file
if ($file == "Auto-Flowbit Rules")
$rules_map = suricata_load_rules_map("{$suricatacfgdir}rules/" . FLOWBITS_FILENAME);
else
$rules_map = suricata_load_rules_map("{$suricatadir}rules/{$file}");
- $contents = $rules_map[$_GET['gid']][trim($_GET['ids'])]['rule'];
+ $contents = $rules_map[$_GET['gid']][trim($_GET['sid'])]['rule'];
$wrap_flag = "soft";
}
-
// Is it our special flowbit rules file?
elseif ($file == "Auto-Flowbit Rules")
$contents = file_get_contents("{$suricatacfgdir}rules/{$flowbit_rules_file}");
// Is it a rules file in the ../rules/ directory?
elseif (file_exists("{$suricatadir}rules/{$file}"))
$contents = file_get_contents("{$suricatadir}rules/{$file}");
-// Is it a fully qualified path and file?
-elseif (file_exists($file))
- if (substr(realpath($file), 0, strlen(SURICATALOGDIR)) != SURICATALOGDIR)
- $contents = gettext("\n\nERROR -- File: {$file} can not be viewed!");
- else
- $contents = file_get_contents($file);
// It is not something we can display, so exit.
else
$input_errors[] = gettext("Unable to open file: {$displayfile}");
-$pgtitle = array(gettext("Suricata"), gettext("File Viewer"));
+$pgtitle = array(gettext("Suricata"), gettext("Rules File Viewer"));
?>
<?php include("head.inc");?>
@@ -131,7 +128,7 @@ $pgtitle = array(gettext("Suricata"), gettext("File Viewer"));
</tr>
<tr>
<td width="20%">
- <input type="button" class="formbtn" value="Return" onclick="window.close()">
+ <input type="button" class="formbtn" value="Close" onclick="window.close()"/>
</td>
<td align="right">
<b><?php echo gettext("Rules File: ") . '</b>&nbsp;' . $displayfile; ?>&nbsp;&nbsp;&nbsp;&nbsp;
diff --git a/config/suricata/suricata_rulesets.php b/config/suricata/suricata_rulesets.php
index e15818d5..4365de4b 100644
--- a/config/suricata/suricata_rulesets.php
+++ b/config/suricata/suricata_rulesets.php
@@ -35,6 +35,10 @@ global $g, $rebuild_rules;
$suricatadir = SURICATADIR;
$flowbit_rules_file = FLOWBITS_FILENAME;
+// Array of default events rules for Suricata
+$default_rules = array( "decoder-events.rules", "files.rules", "http-events.rules",
+ "smtp-events.rules", "stream-events.rules", "tls-events.rules" );
+
if (!is_array($config['installedpackages']['suricata']['rule'])) {
$config['installedpackages']['suricata']['rule'] = array();
}
@@ -87,17 +91,6 @@ if (!file_exists("{$suricatadir}rules/" . GPL_FILE_PREFIX . "community.rules"))
if (($snortdownload != 'on') || ($a_nat[$id]['ips_policy_enable'] != 'on'))
$policy_select_disable = "disabled";
-if ($a_nat[$id]['autoflowbitrules'] == 'on') {
- if (file_exists("{$suricatadir}suricata_{$suricata_uuid}_{$if_real}/rules/{$flowbit_rules_file}") &&
- filesize("{$suricatadir}suricata_{$suricata_uuid}_{$if_real}/rules/{$flowbit_rules_file}") > 0) {
- $btn_view_flowb_rules = " title=\"" . gettext("View flowbit-required rules") . "\"";
- }
- else
- $btn_view_flowb_rules = " disabled";
-}
-else
- $btn_view_flowb_rules = " disabled";
-
// If a Snort VRT policy is enabled and selected, remove all Snort VRT
// rules from the configured rule sets to allow automatic selection.
if ($a_nat[$id]['ips_policy_enable'] == 'on') {
@@ -126,7 +119,7 @@ if ($_POST["save"]) {
}
// Always start with the default events and files rules
- $enabled_items = "decoder-events.rules||files.rules||http-events.rules||smtp-events.rules||stream-events.rules";
+ $enabled_items = implode("||", $default_rules);
if (is_array($_POST['toenable']))
$enabled_items .= "||" . implode("||", $_POST['toenable']);
else
@@ -157,7 +150,7 @@ if ($_POST["save"]) {
}
elseif ($_POST['unselectall']) {
// Remove all but the default events and files rules
- $a_nat[$id]['rulesets'] = "decoder-events.rules||files.rules||http-events.rules||smtp-events.rules||stream-events.rules";
+ $a_nat[$id]['rulesets'] = implode("||", $default_rules);
if ($_POST['ips_policy_enable'] == "on") {
$a_nat[$id]['ips_policy_enable'] = 'on';
@@ -173,7 +166,7 @@ elseif ($_POST['unselectall']) {
}
elseif ($_POST['selectall']) {
// Start with the required default events and files rules
- $rulesets = array( "decoder-events.rules", "files.rules", "http-events.rules", "smtp-events.rules", "stream-events.rules" );
+ $rulesets = $default_rules;
if ($_POST['ips_policy_enable'] == "on") {
$a_nat[$id]['ips_policy_enable'] = 'on';
@@ -214,6 +207,19 @@ elseif ($_POST['selectall']) {
sync_suricata_package_config();
}
+// See if we have any Auto-Flowbit rules and enable
+// the VIEW button if we do.
+if ($a_nat[$id]['autoflowbitrules'] == 'on') {
+ if (file_exists("{$suricatadir}suricata_{$suricata_uuid}_{$if_real}/rules/{$flowbit_rules_file}") &&
+ filesize("{$suricatadir}suricata_{$suricata_uuid}_{$if_real}/rules/{$flowbit_rules_file}") > 0) {
+ $btn_view_flowb_rules = " title=\"" . gettext("View flowbit-required rules") . "\"";
+ }
+ else
+ $btn_view_flowb_rules = " disabled";
+}
+else
+ $btn_view_flowb_rules = " disabled";
+
$enabled_rulesets_array = explode("||", $a_nat[$id]['rulesets']);
$if_friendly = convert_friendly_interface_to_friendly_descr($pconfig['interface']);
@@ -248,7 +254,7 @@ if ($savemsg) {
$tab_array[] = array(gettext("Update Rules"), false, "/suricata/suricata_download_updates.php");
$tab_array[] = array(gettext("Alerts"), false, "/suricata/suricata_alerts.php?instance={$id}");
$tab_array[] = array(gettext("Suppress"), false, "/suricata/suricata_suppress.php");
- $tab_array[] = array(gettext("Logs Browser"), false, "/suricata/suricata_logs_browser.php");
+ $tab_array[] = array(gettext("Logs Browser"), false, "/suricata/suricata_logs_browser.php?instance={$id}");
display_top_tabs($tab_array);
echo '</td></tr>';
echo '<tr><td class="tabnavtbl">';