aboutsummaryrefslogtreecommitdiffstats
path: root/config/suricata/suricata_post_install.php
diff options
context:
space:
mode:
authorStephane Lapie <stephane.lapie@asahinet.com>2014-09-09 10:38:18 +0900
committerStephane Lapie <stephane.lapie@asahinet.com>2014-09-09 10:38:18 +0900
commit2540793065bc8539001aec717745474569c8ff77 (patch)
tree0160e83bf24c77dfa9d73e2d2d2ce5eeb90610bb /config/suricata/suricata_post_install.php
parentc93a3c793d53e9076b49e05c32a7c132329ff353 (diff)
parent8a33d84b6e7d52e2e7dd414c03428ce6da0296a2 (diff)
downloadpfsense-packages-2540793065bc8539001aec717745474569c8ff77.tar.gz
pfsense-packages-2540793065bc8539001aec717745474569c8ff77.tar.bz2
pfsense-packages-2540793065bc8539001aec717745474569c8ff77.zip
Merge git+ssh://github.com/pfsense/pfsense-packages
Diffstat (limited to 'config/suricata/suricata_post_install.php')
-rw-r--r--config/suricata/suricata_post_install.php106
1 files changed, 78 insertions, 28 deletions
diff --git a/config/suricata/suricata_post_install.php b/config/suricata/suricata_post_install.php
index eb193d58..7c8d03a5 100644
--- a/config/suricata/suricata_post_install.php
+++ b/config/suricata/suricata_post_install.php
@@ -51,7 +51,33 @@ require_once("/usr/local/pkg/suricata/suricata.inc");
global $config, $g, $rebuild_rules, $pkg_interface, $suricata_gui_include;
+/****************************************
+ * Define any new constants here that *
+ * may not be yet defined in the old *
+ * "suricata.inc" include file that *
+ * might be cached and used by the *
+ * package manager installation code. *
+ * *
+ * This is a hack to work around the *
+ * fact the old version of suricata.inc *
+ * is cached and used instead of the *
+ * updated version icluded with the *
+ * updated GUI package. *
+ ****************************************/
+if (!defined('SID_MODS_PATH'))
+ define('SID_MODS_PATH', '/var/db/suricata/sidmods/');
+if (!defined('IPREP_PATH'))
+ define('IPREP_PATH', '/var/db/suricata/iprep/');
+
+/****************************************
+ * End of PHP cachine workaround *
+ ****************************************/
+
+// Initialize some common values from defined constants
$suricatadir = SURICATADIR;
+$suricatalogdir = SURICATALOGDIR;
+$flowbit_rules_file = FLOWBITS_FILENAME;
+$suricata_enforcing_rules_file = ENFORCING_RULES_FILENAME;
$rcdir = RCFILEPREFIX;
// Hard kill any running Suricata process that may have been started by any
@@ -73,47 +99,59 @@ if(is_process_running("barnyard")) {
// Set flag for post-install in progress
$g['suricata_postinstall'] = true;
+// Mount file system read/write so we can modify some files
+conf_mount_rw();
+
// Remove any previously installed script since we rebuild it
-@unlink("{$rcdir}/suricata.sh");
+@unlink("{$rcdir}suricata.sh");
// Create the top-tier log directory
safe_mkdir(SURICATALOGDIR);
-// remake saved settings
+// Create the IP Rep and SID Mods lists directory
+safe_mkdir(SID_MODS_PATH);
+safe_mkdir(IPREP_PATH);
+
+// remake saved settings if previously flagged
if ($config['installedpackages']['suricata']['config'][0]['forcekeepsettings'] == 'on') {
log_error(gettext("[Suricata] Saved settings detected... rebuilding installation with saved settings..."));
update_status(gettext("Saved settings detected..."));
+ /* Do one-time settings migration for new version configuration */
+ update_output_window(gettext("Please wait... migrating settings to new configuration..."));
+ include('/usr/local/pkg/suricata/suricata_migrate_config.php');
update_output_window(gettext("Please wait... rebuilding installation with saved settings..."));
log_error(gettext("[Suricata] Downloading and updating configured rule types..."));
update_output_window(gettext("Please wait... downloading and updating configured rule types..."));
if ($pkg_interface <> "console")
$suricata_gui_include = true;
- include('/usr/local/www/suricata/suricata_check_for_rule_updates.php');
+ include('/usr/local/pkg/suricata/suricata_check_for_rule_updates.php');
update_status(gettext("Generating suricata.yaml configuration file from saved settings..."));
$rebuild_rules = true;
// Create the suricata.yaml files for each enabled interface
$suriconf = $config['installedpackages']['suricata']['rule'];
- foreach ($suriconf as $value) {
- $if_real = get_real_interface($value['interface']);
-
- // ## BETA pkg bug fix-up -- be sure default rules enabled ##
- $rules = explode("||", $value['rulesets']);
- foreach (array( "decoder-events.rules", "files.rules", "http-events.rules", "smtp-events.rules", "stream-events.rules", "tls-events.rules" ) as $r){
- if (!in_array($r, $rules))
- $rules[] = $r;
- }
- natcasesort($rules);
- $value['rulesets'] = implode("||", $rules);
- write_config();
- // ## end of BETA pkg bug fix-up ##
-
- // create a suricata.yaml file for interface
- suricata_generate_yaml($value);
+ foreach ($suriconf as $suricatacfg) {
+ $if_real = get_real_interface($suricatacfg['interface']);
+ $suricata_uuid = $suricatacfg['uuid'];
+ $suricatacfgdir = "{$suricatadir}suricata_{$suricata_uuid}_{$if_real}";
+
+ // Pull in the PHP code that generates the suricata.yaml file
+ // variables that will be substituted further down below.
+ include("/usr/local/pkg/suricata/suricata_generate_yaml.php");
+
+ // Pull in the boilerplate template for the suricata.yaml
+ // configuration file. The contents of the template along
+ // with substituted variables are stored in $suricata_conf_text
+ // (which is defined in the included file).
+ include("/usr/local/pkg/suricata/suricata_yaml_template.inc");
+
+ // Now write out the conf file using $suricata_conf_text contents
+ @file_put_contents("{$suricatacfgdir}/suricata.yaml", $suricata_conf_text);
+ unset($suricata_conf_text);
// create barnyard2.conf file for interface
- if ($value['barnyard_enable'] == 'on')
- suricata_generate_barnyard2_conf($value, $if_real);
+ if ($suricatacfg['barnyard_enable'] == 'on')
+ suricata_generate_barnyard2_conf($suricatacfg, $if_real);
}
// create Suricata bootup file suricata.sh
@@ -128,10 +166,14 @@ if ($config['installedpackages']['suricata']['config'][0]['forcekeepsettings'] =
configure_cron();
// Restore the Dashboard Widget if it was previously enabled and saved
- if (!empty($config['installedpackages']['suricata']['config'][0]['dashboard_widget']) && !empty($config['widgets']['sequence']))
- $config['widgets']['sequence'] .= "," . $config['installedpackages']['suricata']['config'][0]['dashboard_widget'];
- if (!empty($config['installedpackages']['suricata']['config'][0]['dashboard_widget_rows']) && !empty($config['widgets']))
- $config['widgets']['widget_suricata_display_lines'] = $config['installedpackages']['suricata']['config'][0]['dashboard_widget_rows'];
+ if (!empty($config['installedpackages']['suricata']['config'][0]['dashboard_widget']) && !empty($config['widgets']['sequence'])) {
+ if (strpos($config['widgets']['sequence'], "suricata_alerts-container") === FALSE)
+ $config['widgets']['sequence'] .= "," . $config['installedpackages']['suricata']['config'][0]['dashboard_widget'];
+ }
+ if (!empty($config['installedpackages']['suricata']['config'][0]['dashboard_widget_rows']) && !empty($config['widgets'])) {
+ if (empty($config['widgets']['widget_suricata_display_lines']))
+ $config['widgets']['widget_suricata_display_lines'] = $config['installedpackages']['suricata']['config'][0]['dashboard_widget_rows'];
+ }
$rebuild_rules = false;
update_output_window(gettext("Finished rebuilding Suricata configuration files..."));
@@ -142,14 +184,22 @@ if ($config['installedpackages']['suricata']['config'][0]['forcekeepsettings'] =
update_status(gettext("Starting Suricata using rebuilt configuration..."));
update_output_window(gettext("Please wait... while Suricata is started..."));
log_error(gettext("[Suricata] Starting Suricata using rebuilt configuration..."));
- start_service("suricata");
+ mwexec_bg("{$rcdir}suricata.sh start");
update_output_window(gettext("Suricata has been started using the rebuilt configuration..."));
}
}
+// If this is first install and "forcekeepsettings" is empty,
+// then default it to 'on'.
+if (empty($config['installedpackages']['suricata']['config'][0]['forcekeepsettings']))
+ $config['installedpackages']['suricata']['config'][0]['forcekeepsettings'] = 'on';
+
+// Finished with file system mods, so remount it read-only
+conf_mount_ro();
+
// Update Suricata package version in configuration
-$config['installedpackages']['suricata']['config'][0]['suricata_config_ver'] = "v1.0.2";
-write_config();
+$config['installedpackages']['suricata']['config'][0]['suricata_config_ver'] = "2.0";
+write_config("Suricata pkg: updated GUI package version number.");
// Done with post-install, so clear flag
unset($g['suricata_postinstall']);