aboutsummaryrefslogtreecommitdiffstats
path: root/config/suricata
diff options
context:
space:
mode:
authorRenato Botelho <garga@FreeBSD.org>2014-05-21 15:18:51 -0300
committerRenato Botelho <garga@FreeBSD.org>2014-05-21 15:18:51 -0300
commit4c3480ad5ff3d019998bcec1477c357c5e876c11 (patch)
tree787aa92b93df42146e610b72225b93d2fc001606 /config/suricata
parent2756de4fc9eb14746bf0d5be7e83826958723201 (diff)
parent97e0eebfbdaa33bd2e7fbf674da94998abf81ced (diff)
downloadpfsense-packages-4c3480ad5ff3d019998bcec1477c357c5e876c11.tar.gz
pfsense-packages-4c3480ad5ff3d019998bcec1477c357c5e876c11.tar.bz2
pfsense-packages-4c3480ad5ff3d019998bcec1477c357c5e876c11.zip
Merge pull request #659 from bmeeks8/suricata-1.0.2
Diffstat (limited to 'config/suricata')
-rw-r--r--config/suricata/suricata.inc9
-rw-r--r--config/suricata/suricata.xml2
-rw-r--r--config/suricata/suricata_alerts.php2
-rw-r--r--config/suricata/suricata_barnyard.php2
-rw-r--r--config/suricata/suricata_interfaces.php45
-rw-r--r--config/suricata/suricata_interfaces_edit.php55
-rw-r--r--config/suricata/suricata_logs_browser.php17
-rw-r--r--config/suricata/suricata_passlist_edit.php7
-rw-r--r--config/suricata/suricata_post_install.php6
-rw-r--r--config/suricata/suricata_suppress_edit.php7
-rw-r--r--config/suricata/suricata_uninstall.php7
-rw-r--r--config/suricata/suricata_yaml_template.inc2
12 files changed, 126 insertions, 35 deletions
diff --git a/config/suricata/suricata.inc b/config/suricata/suricata.inc
index c767f2d0..89bb572f 100644
--- a/config/suricata/suricata.inc
+++ b/config/suricata/suricata.inc
@@ -60,7 +60,12 @@ define('SURICATA_PKG_VER', $suricata_package_version);
define('SURICATA_PF_TABLE', 'snort2c');
// Create some other useful defines
-define('SURICATADIR', '/usr/pbi/suricata-' . php_uname("m") . '/etc/suricata/');
+$pf_version=substr(trim(file_get_contents("/etc/version")),0,3);
+if ($pf_version >= 2.2)
+ define('SURICATADIR', '/usr/pbi/suricata-' . php_uname("m") . '/local/etc/suricata/');
+else
+ define('SURICATADIR', '/usr/pbi/suricata-' . php_uname("m") . '/etc/suricata/');
+
define('SURICATALOGDIR', '/var/log/suricata/');
define('RULES_UPD_LOGFILE', SURICATALOGDIR . 'suricata_rules_update.log');
define('ENFORCING_RULES_FILENAME', 'suricata.rules');
@@ -933,7 +938,7 @@ function suricata_build_sid_msg_map($rules_path, $sid_file) {
natcasesort($sidMap);
// Now print the result to the supplied file
- @file_put_contents($sid_file, "#v2\n# sid-msg.map file auto-generated by Snort.\n\n");
+ @file_put_contents($sid_file, "#v2\n# sid-msg.map file auto-generated by Suricata.\n\n");
@file_put_contents($sid_file, array_values($sidMap), FILE_APPEND);
}
diff --git a/config/suricata/suricata.xml b/config/suricata/suricata.xml
index 1a64d619..a2acd49e 100644
--- a/config/suricata/suricata.xml
+++ b/config/suricata/suricata.xml
@@ -51,7 +51,7 @@
<description>Suricata IDS/IPS Package</description>
<requirements>None</requirements>
<name>suricata</name>
- <version>1.4.6 pkg v1.0</version>
+ <version>1.4.6 pkg v1.0.2</version>
<title>Services: Suricata IDS</title>
<include_file>/usr/local/pkg/suricata/suricata.inc</include_file>
<menu>
diff --git a/config/suricata/suricata_alerts.php b/config/suricata/suricata_alerts.php
index 07e4eb1f..2f0f114f 100644
--- a/config/suricata/suricata_alerts.php
+++ b/config/suricata/suricata_alerts.php
@@ -410,7 +410,7 @@ if ($savemsg) {
<td width="78%" class="vtable">
<input name="save" type="submit" class="formbtns" value=" Save " title="<?=gettext("Save auto-refresh and view settings");?>"/>
&nbsp;<?php echo gettext('Refresh');?>&nbsp;&nbsp;<input name="arefresh" type="checkbox" value="on"
- <?php if ($config['installedpackages']['snortglobal']['alertsblocks']['arefresh']=="on") echo "checked"; ?>/>
+ <?php if ($config['installedpackages']['suricata']['alertsblocks']['arefresh']=="on") echo "checked"; ?>/>
<?php printf(gettext('%sDefault%s is %sON%s.'), '<strong>', '</strong>', '<strong>', '</strong>'); ?>&nbsp;&nbsp;
<input name="alertnumber" type="text" class="formfld unknown" id="alertnumber" size="5" value="<?=htmlspecialchars($anentries);?>"/>
&nbsp;<?php printf(gettext('Enter number of log entries to view. %sDefault%s is %s250%s.'), '<strong>', '</strong>', '<strong>', '</strong>'); ?>
diff --git a/config/suricata/suricata_barnyard.php b/config/suricata/suricata_barnyard.php
index d4afe4f4..c7488fe4 100644
--- a/config/suricata/suricata_barnyard.php
+++ b/config/suricata/suricata_barnyard.php
@@ -86,8 +86,6 @@ if (isset($id) && $a_nat[$id]) {
$pconfig['barnyard_bro_ids_dport'] = "47760";
if (empty($a_nat[$id]['barnyard_sensor_id']))
$pconfig['barnyard_sensor_id'] = "0";
- if (empty($a_nat[$id]['barnyard_sensor_name']))
- $pconfig['barnyard_sensor_name'] = php_uname("n");
}
if ($_POST['save']) {
diff --git a/config/suricata/suricata_interfaces.php b/config/suricata/suricata_interfaces.php
index 26d57b71..205a872b 100644
--- a/config/suricata/suricata_interfaces.php
+++ b/config/suricata/suricata_interfaces.php
@@ -57,6 +57,10 @@ if (!is_array($config['installedpackages']['suricata']['rule']))
$a_nat = &$config['installedpackages']['suricata']['rule'];
$id_gen = count($config['installedpackages']['suricata']['rule']);
+// Get list of configured firewall interfaces
+$ifaces = get_configured_interface_list();
+
+
if ($_POST['del_x']) {
/* delete selected interfaces */
if (is_array($_POST['rule'])) {
@@ -207,9 +211,22 @@ include_once("head.inc");
<th class="listhdrr"><?php echo gettext("Block"); ?></th>
<th class="listhdrr"><?php echo gettext("Barnyard2"); ?></th>
<th class="listhdr"><?php echo gettext("Description"); ?></th>
- <th class="list"><a href="suricata_interfaces_edit.php?id=<?php echo $id_gen;?>">
- <img src="../themes/<?= $g['theme']; ?>/images/icons/icon_plus.gif"
- width="17" height="17" border="0" title="<?php echo gettext('Add Suricata interface mapping');?>"></a>
+ <th class="list">
+ <?php if ($id_gen < count($ifaces)): ?>
+ <a href="suricata_interfaces_edit.php?id=<?php echo $id_gen;?>">
+ <img src="../themes/<?= $g['theme']; ?>/images/icons/icon_plus.gif"
+ width="17" height="17" border="0" title="<?php echo gettext('Add Suricata interface mapping');?>"></a>
+ <?php else: ?>
+ <img src="../themes/<?= $g['theme']; ?>/images/icons/icon_plus_d.gif" width="17" height="17" border="0"
+ title="<?php echo gettext('No available interfaces for a new Suricata mapping');?>">
+ <?php endif; ?>
+ <?php if ($id_gen == 0): ?>
+ <img src="../themes/<?= $g['theme']; ?>/images/icons/icon_x_d.gif" width="17" height="17" " border="0">
+ <?php else: ?>
+ <input name="del" type="image" src="../themes/<?= $g['theme']; ?>/images/icons/icon_x.gif"
+ width="17" height="17" title="<?php echo gettext("Delete selected Suricata interface mapping(s)"); ?>"
+ onclick="return intf_del()">
+ <?php endif; ?>
</th>
</tr>
</thead>
@@ -342,7 +359,15 @@ include_once("head.inc");
<td valign="middle" class="list" nowrap>
<a href="suricata_interfaces_edit.php?id=<?=$i;?>">
<img src="/themes/<?= $g['theme']; ?>/images/icons/icon_e.gif"
- width="17" height="17" border="0" title="<?php echo gettext('Edit Suricata interface mapping'); ?>"></a>
+ width="17" height="17" border="0" title="<?php echo gettext('Edit this Suricata interface mapping'); ?>"></a>
+ <?php if ($id_gen < count($ifaces)): ?>
+ <a href="suricata_interfaces_edit.php?id=<?=$i;?>&action=dup">
+ <img src="/themes/<?= $g['theme']; ?>/images/icons/icon_plus.gif"
+ width="17" height="17" border="0" title="<?php echo gettext('Add new interface mapping based on this one'); ?>"></a>
+ <?php else: ?>
+ <img src="/themes/<?= $g['theme']; ?>/images/icons/icon_plus_d.gif" width="17" height="17" border="0"
+ title="<?php echo gettext('No available interfaces for a new Suricata mapping');?>">
+ <?php endif; ?>
</td>
</tr>
<?php $i++; $nnats++; endforeach; ob_end_flush(); ?>
@@ -354,8 +379,16 @@ include_once("head.inc");
<?php else: ?>&nbsp;
<?php endif; ?>
</td>
- <td class="list" valign="middle" nowrap>
- <?php if ($nnats == 0): ?>
+ <td class="list">
+ <?php if ($id_gen < count($ifaces)): ?>
+ <a href="suricata_interfaces_edit.php?id=<?php echo $id_gen;?>">
+ <img src="../themes/<?= $g['theme']; ?>/images/icons/icon_plus.gif"
+ width="17" height="17" border="0" title="<?php echo gettext('Add Suricata interface mapping');?>"></a>
+ <?php else: ?>
+ <img src="../themes/<?= $g['theme']; ?>/images/icons/icon_plus_d.gif" width="17" height="17" border="0"
+ title="<?php echo gettext('No available interfaces for a new Suricata mapping');?>">
+ <?php endif; ?>
+ <?php if ($id_gen == 0): ?>
<img src="../themes/<?= $g['theme']; ?>/images/icons/icon_x_d.gif" width="17" height="17" " border="0">
<?php else: ?>
<input name="del" type="image" src="../themes/<?= $g['theme']; ?>/images/icons/icon_x.gif"
diff --git a/config/suricata/suricata_interfaces_edit.php b/config/suricata/suricata_interfaces_edit.php
index 3b61755c..dcf6fe3f 100644
--- a/config/suricata/suricata_interfaces_edit.php
+++ b/config/suricata/suricata_interfaces_edit.php
@@ -62,6 +62,13 @@ elseif (isset($_GET['id']) && is_numericint($_GET['id']));
if (is_null($id))
$id = 0;
+if (isset($_POST['action']))
+ $action = htmlspecialchars($_POST['action'], ENT_QUOTES | ENT_HTML401);
+elseif (isset($_GET['action']))
+ $action = htmlspecialchars($_GET['action'], ENT_QUOTES | ENT_HTML401);
+else
+ $action = "";
+
$pconfig = array();
if (empty($suricataglob['rule'][$id]['uuid'])) {
/* Adding new interface, so flag rules to build. */
@@ -142,7 +149,37 @@ if (empty($pconfig['max_pcap_log_size']))
if (empty($pconfig['max_pcap_log_files']))
$pconfig['max_pcap_log_files'] = "1000";
-if ($_POST["save"]) {
+// See if creating a new interface by duplicating an existing one
+if (strcasecmp($action, 'dup') == 0) {
+
+ // Try to pick the next available physical interface to use
+ $ifaces = get_configured_interface_list();
+ $ifrules = array();
+ foreach($a_rule as $r)
+ $ifrules[] = $r['interface'];
+ foreach ($ifaces as $i) {
+ if (!in_array($i, $ifrules)) {
+ $pconfig['interface'] = $i;
+ $pconfig['enable'] = 'on';
+ $pconfig['descr'] = strtoupper($i);
+ $pconfig['inspect_recursion_limit'] = '3000';
+ break;
+ }
+ }
+ if (count($ifrules) == count($ifaces)) {
+ $input_errors[] = gettext("No more available interfaces to configure for Suricata!");
+ $interfaces = array();
+ $pconfig = array();
+ }
+
+ // Set Home Net, External Net, Suppress List and Pass List to defaults
+ unset($pconfig['suppresslistname']);
+ unset($pconfig['passlistname']);
+ unset($pconfig['homelistname']);
+ unset($pconfig['externallistname']);
+}
+
+if ($_POST["save"] && !$input_errors) {
// If the interface is not enabled, stop any running Suricata
// instance on it, save the new state and exit.
if (!isset($_POST['enable'])) {
@@ -237,7 +274,7 @@ if ($_POST["save"]) {
if ($_POST['configpassthru']) $natent['configpassthru'] = base64_encode($_POST['configpassthru']); else unset($natent['configpassthru']);
$if_real = get_real_interface($natent['interface']);
- if (isset($id) && $a_rule[$id]) {
+ if (isset($id) && $a_rule[$id] && $action == '') {
// See if moving an existing Suricata instance to another physical interface
if ($natent['interface'] != $a_rule[$id]['interface']) {
$oif_real = get_real_interface($a_rule[$id]['interface']);
@@ -253,7 +290,15 @@ if ($_POST["save"]) {
conf_mount_ro();
}
$a_rule[$id] = $natent;
- } else {
+ }
+ elseif (strcasecmp($action, 'dup') == 0) {
+ // Duplicating a new interface, so set flag to build new rules
+ $rebuild_rules = true;
+
+ // Add the new duplicated interface configuration to the [rule] array in config
+ $a_rule[] = $natent;
+ }
+ else {
// Adding new interface, so set interface configuration parameter defaults
$natent['ip_max_frags'] = "65535";
$natent['ip_frag_timeout'] = "60";
@@ -358,6 +403,9 @@ if ($savemsg) {
?>
<form action="suricata_interfaces_edit.php<?php echo "?id=$id";?>" method="post" name="iform" id="iform">
+<input name="id" type="hidden" value="<?=$id;?>"/>
+<input name="action" type="hidden" value="<?=$action;?>"/>
+
<table width="100%" border="0" cellpadding="0" cellspacing="0">
<tr><td>
<?php
@@ -773,7 +821,6 @@ if ($savemsg) {
<tr>
<td colspan="2" align="center" valign="middle"><input name="save" type="submit" class="formbtn" value="Save" title="<?php echo
gettext("Click to save settings and exit"); ?>"/>
- <input name="id" type="hidden" value="<?=$id;?>"/>
</td>
</tr>
<tr>
diff --git a/config/suricata/suricata_logs_browser.php b/config/suricata/suricata_logs_browser.php
index 04edf373..cbe5ee7b 100644
--- a/config/suricata/suricata_logs_browser.php
+++ b/config/suricata/suricata_logs_browser.php
@@ -55,21 +55,22 @@ $suricata_uuid = $a_instance[$instanceid]['uuid'];
$if_real = get_real_interface($a_instance[$instanceid]['interface']);
// Construct a pointer to the instance's logging subdirectory
-$suricatalogdir = SURICATALOGDIR . "suricata_{$if_real}{$suricata_uuid}";
+$suricatalogdir = SURICATALOGDIR . "suricata_{$if_real}{$suricata_uuid}/";
-$logfile = $_POST['file'];
+// Limit all file access to just the currently selected interface's logging subdirectory
+$logfile = htmlspecialchars($suricatalogdir . basename($_POST['file']));
if ($_POST['action'] == 'load') {
- if(!is_file($_POST['file'])) {
+ if(!is_file($logfile)) {
echo "|3|" . gettext("Log file does not exist or that logging feature is not enabled") . ".|";
}
else {
- $data = file_get_contents($_POST['file']);
+ $data = file_get_contents($logfile);
if($data === false) {
echo "|1|" . gettext("Failed to read log file") . ".|";
} else {
$data = base64_encode($data);
- echo "|0|{$_POST['file']}|{$data}|";
+ echo "|0|{$logfile}|{$data}|";
}
}
exit;
@@ -101,7 +102,7 @@ if ($input_errors) {
jQuery.ajax(
"<?=$_SERVER['SCRIPT_NAME'];?>", {
type: 'POST',
- data: "action=load&file=" + jQuery("#logFile").val(),
+ data: "instance=" + jQuery("#instance").val() + "&action=load&file=" + jQuery("#logFile").val(),
complete: loadComplete
}
);
@@ -180,7 +181,7 @@ if ($input_errors) {
$selected = "";
if ($log == basename($logfile))
$selected = "selected";
- echo "<option value='{$suricatalogdir}/{$log}' {$selected}>" . $log . "</option>\n";
+ echo "<option value='{$suricatalogdir}{$log}' {$selected}>" . $log . "</option>\n";
}
?>
</select>&nbsp;&nbsp;<?php echo gettext('Choose which log you want to view.'); ?>
@@ -222,7 +223,7 @@ if ($input_errors) {
</table>
</form>
-<?php if(empty($logfile)): ?>
+<?php if(empty($_POST['file'])): ?>
<script type="text/javascript">
document.getElementById("logFile").selectedIndex=-1;
</script>
diff --git a/config/suricata/suricata_passlist_edit.php b/config/suricata/suricata_passlist_edit.php
index 35c7b66e..437ae9a8 100644
--- a/config/suricata/suricata_passlist_edit.php
+++ b/config/suricata/suricata_passlist_edit.php
@@ -114,7 +114,12 @@ if ($_POST['save']) {
/* input validation */
$reqdfields = explode(" ", "name");
$reqdfieldsn = explode(",", "Name");
- do_input_validation($_POST, $reqdfields, $reqdfieldsn, &$input_errors);
+
+ $pf_version=substr(trim(file_get_contents("/etc/version")),0,3);
+ if ($pf_version < 2.1)
+ $input_errors = eval('do_input_validation($_POST, $reqdfields, $reqdfieldsn, &$input_errors); return $input_errors;');
+ else
+ do_input_validation($_POST, $reqdfields, $reqdfieldsn, $input_errors);
if(strtolower($_POST['name']) == "defaultpasslist")
$input_errors[] = gettext("Pass List file names may not be named defaultpasslist.");
diff --git a/config/suricata/suricata_post_install.php b/config/suricata/suricata_post_install.php
index c44b392f..eb193d58 100644
--- a/config/suricata/suricata_post_install.php
+++ b/config/suricata/suricata_post_install.php
@@ -60,14 +60,14 @@ if(is_process_running("suricata")) {
killbyname("suricata");
sleep(2);
// Delete any leftover suricata PID files in /var/run
- unlink_if_exists("/var/run/suricata_*.pid");
+ unlink_if_exists("{$g['varrun_path']}/suricata_*.pid");
}
// Hard kill any running Barnyard2 processes
if(is_process_running("barnyard")) {
killbyname("barnyard2");
sleep(2);
// Delete any leftover barnyard2 PID files in /var/run
- unlink_if_exists("/var/run/barnyard2_*.pid");
+ unlink_if_exists("{$g['varrun_path']}/barnyard2_*.pid");
}
// Set flag for post-install in progress
@@ -148,7 +148,7 @@ if ($config['installedpackages']['suricata']['config'][0]['forcekeepsettings'] =
}
// Update Suricata package version in configuration
-$config['installedpackages']['suricata']['config'][0]['suricata_config_ver'] = "v1.0.1";
+$config['installedpackages']['suricata']['config'][0]['suricata_config_ver'] = "v1.0.2";
write_config();
// Done with post-install, so clear flag
diff --git a/config/suricata/suricata_suppress_edit.php b/config/suricata/suricata_suppress_edit.php
index a46e9e99..d4549e56 100644
--- a/config/suricata/suricata_suppress_edit.php
+++ b/config/suricata/suricata_suppress_edit.php
@@ -88,7 +88,12 @@ if ($_POST['save']) {
$reqdfields = explode(" ", "name");
$reqdfieldsn = array("Name");
- do_input_validation($_POST, $reqdfields, $reqdfieldsn, &$input_errors);
+
+ $pf_version=substr(trim(file_get_contents("/etc/version")),0,3);
+ if ($pf_version < 2.1)
+ $input_errors = eval('do_input_validation($_POST, $reqdfields, $reqdfieldsn, &$input_errors); return $input_errors;');
+ else
+ do_input_validation($_POST, $reqdfields, $reqdfieldsn, $input_errors);
if(strtolower($_POST['name']) == "defaultwhitelist")
$input_errors[] = "Whitelist file names may not be named defaultwhitelist.";
diff --git a/config/suricata/suricata_uninstall.php b/config/suricata/suricata_uninstall.php
index 2317578e..2a82e473 100644
--- a/config/suricata/suricata_uninstall.php
+++ b/config/suricata/suricata_uninstall.php
@@ -58,7 +58,7 @@ killbyname("suricata");
sleep(1);
// Delete any leftover suricata PID files in /var/run
-array_map('@unlink', glob("/var/run/suricata_*.pid"));
+unlink_if_exists("{$g['varrun_path']}/suricata_*.pid");
/* Make sure all active Barnyard2 processes are terminated */
/* Log a message only if a running process is detected */
@@ -68,10 +68,7 @@ killbyname("barnyard2");
sleep(1);
// Delete any leftover barnyard2 PID files in /var/run
-array_map('@unlink', glob("/var/run/barnyard2_*.pid"));
-
-/* Remove the suricata user and group */
-mwexec('/usr/sbin/pw userdel suricata; /usr/sbin/pw groupdel suricata', true);
+unlink_if_exists("{$g['varrun_path']}/barnyard2_*.pid");
/* Remove the Suricata cron jobs. */
install_cron_job("/usr/bin/nice -n20 /usr/local/bin/php -f /usr/local/www/suricata/suricata_check_for_rule_updates.php", false);
diff --git a/config/suricata/suricata_yaml_template.inc b/config/suricata/suricata_yaml_template.inc
index c20ca8db..44fd1d5f 100644
--- a/config/suricata/suricata_yaml_template.inc
+++ b/config/suricata/suricata_yaml_template.inc
@@ -29,7 +29,7 @@ default-log-dir: {$suricatalogdir}suricata_{$if_real}{$suricata_uuid}
# Configure the type of alert (and other) logging.
outputs:
- # alert_pf blocking plugin
+ # alert-pf blocking plugin
- alert-pf:
enabled: {$suri_blockoffenders}
kill-state: {$suri_killstates}