authorbmeeks8 <bmeeks8@bellsouth.net>2014-08-27 18:15:44 -0400
committerbmeeks8 <bmeeks8@bellsouth.net>2014-08-27 18:15:44 -0400
commitce07b15de33b4847df5498f9bbae93e2b1e893ca (patch)
tree9d78a73c101f5b8d0fde9535c314e2fa64e14211 /config/suricata
parent0d2f8f00a6a442f5672e5fe8f62a1f4d21da6a9b (diff)
downloadpfsense-packages-ce07b15de33b4847df5498f9bbae93e2b1e893ca.tar.gz
pfsense-packages-ce07b15de33b4847df5498f9bbae93e2b1e893ca.tar.bz2
pfsense-packages-ce07b15de33b4847df5498f9bbae93e2b1e893ca.zip
Improve HOME_NET and EXTERNAL_NET variable generation.
Diffstat (limited to 'config/suricata')
-rw-r--r--config/suricata/suricata.inc36
-rw-r--r--config/suricata/suricata_generate_yaml.php6
-rw-r--r--config/suricata/suricata_interfaces_edit.php6
-rw-r--r--config/suricata/suricata_list_view.php5
4 files changed, 34 insertions, 19 deletions
diff --git a/config/suricata/suricata.inc b/config/suricata/suricata.inc
index 2626f70a..59c620b4 100644
--- a/config/suricata/suricata.inc
+++ b/config/suricata/suricata.inc
@@ -257,7 +257,7 @@ function suricata_find_list($find_name, $type = 'passlist') {
return array();
}
-function suricata_build_list($suricatacfg, $listname = "", $passlist = false) {
+function suricata_build_list($suricatacfg, $listname = "", $passlist = false, $externallist = false) {
/***********************************************************/
/* The default is to build a HOME_NET variable unless */
@@ -267,9 +267,13 @@ function suricata_build_list($suricatacfg, $listname = "", $passlist = false) {
global $config, $g, $aliastable, $filterdns;
$home_net = array();
- if ($listname == 'default' || empty($listname)) {
+ if (!$externallist && ($listname == 'default' || empty($listname))) {
$localnet = 'yes'; $wanip = 'yes'; $wangw = 'yes'; $wandns = 'yes'; $vips = 'yes'; $vpns = 'yes';
- } else {
+ }
+ elseif ($externallist && $listname == 'default') {
+ return array( "any" );
+ }
+ else {
$list = suricata_find_list($listname);
if (empty($list))
return $list;
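Review bot: With `$externallist` true and `$listname` empty, the new `elseif ($externallist && $listname == 'default')` matches only the literal `'default'`, so the call falls through to `suricata_find_list($listname)` with an empty name and returns that lookup's (empty) result, whereas the HOME_NET path on the first `if` treats an empty name as the default. For symmetry, `elseif ($externallist && ($listname == 'default' || empty($listname)))` would return `array( "any" )` for both spellings of "no list selected". The caller in suricata_generate_yaml.php already guards the empty name, so this only matters for other callers such as suricata_list_view.php. suricata_build_list's body continues outside the hunk.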
@@ -283,11 +287,13 @@ function suricata_build_list($suricatacfg, $listname = "", $passlist = false) {
$home_net = explode(" ", trim(filter_expand_alias($list['address'])));
}
- // Always add loopback to HOME_NET and passlist (ftphelper)
- if (!in_array("127.0.0.1", $home_net))
- $home_net[] = "127.0.0.1";
- if (!in_array("::1", $home_net))
- $home_net[] = "::1";
+ // Always add loopback to HOME_NET and passlist
+ if (!externallist) {
+ if (!in_array("127.0.0.1", $home_net))
+ $home_net[] = "127.0.0.1";
+ if (!in_array("::1", $home_net))
+ $home_net[] = "::1";
+ }
/********************************************************************/
/* Always put the interface running Suricata in HOME_NET and */
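Review bot: `if (!externallist) {` on the loopback guard is missing the `$` sigil, so PHP reads `externallist` as an undefined constant: on PHP 5/7 that is a notice and the non-empty string `"externallist"`, making `!externallist` always false so the loopback addresses are never added to HOME_NET (on PHP 8 it is a fatal Error). The same typo appears in the later hunks in `if (($externallist && $localnet == 'yes') || (!externallist && (!$passlist || $localnet == 'yes' || empty($localnet))))` and `elseif (!externallist && $localnet != 'yes')`, where it disables every branch that adds the Suricata interface's own addresses when building HOME_NET or a pass list. Each occurrence should read `!$externallist`, e.g. `if (!$externallist) {`. Since a HOME_NET missing the firewall's own addresses makes rules keyed on $HOME_NET silently miss traffic to the firewall itself, the generated yaml deserves a regression check after the fix. suricata_build_list's body continues outside the hunk.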
@@ -298,7 +304,7 @@ function suricata_build_list($suricatacfg, $listname = "", $passlist = false) {
/* IP for Suricata, though, to prevent locking out the firewall. */
/********************************************************************/
$suricataip = get_interface_ip($suricatacfg['interface']);
- if (!$passlist || $localnet == 'yes' || empty($localnet)) {
+ if (($externallist && $localnet == 'yes') || (!externallist && (!$passlist || $localnet == 'yes' || empty($localnet)))) {
if (is_ipaddr($suricataip)) {
if ($suricatacfg['interface'] <> "wan") {
$sn = get_interface_subnet($suricatacfg['interface']);
@@ -308,7 +314,7 @@ function suricata_build_list($suricatacfg, $listname = "", $passlist = false) {
}
}
}
- else {
+ elseif (!externallist && $localnet != 'yes') {
if (is_ipaddr($suricataip)) {
if (!in_array($suricataip, $home_net))
$home_net[] = $suricataip;
@@ -319,7 +325,7 @@ function suricata_build_list($suricatacfg, $listname = "", $passlist = false) {
// Trim off the interface designation (e.g., %em1) if present
if (strpos($suricataip, "%") !== FALSE)
$suricataip = substr($suricataip, 0, strpos($suricataip, "%"));
- if (!$passlist || $localnet == 'yes' || empty($localnet)) {
+ if (($externallist && $localnet == 'yes') || (!externallist && (!$passlist || $localnet == 'yes' || empty($localnet)))) {
if (is_ipaddrv6($suricataip)) {
if ($suricatacfg['interface'] <> "wan") {
$sn = get_interface_subnetv6($suricatacfg['interface']);
@@ -329,16 +335,16 @@ function suricata_build_list($suricatacfg, $listname = "", $passlist = false) {
}
}
}
- else {
+ elseif (!externallist && $localnet != 'yes') {
if (is_ipaddrv6($suricataip)) {
if (!in_array($suricataip, $home_net))
$home_net[] = $suricataip;
}
}
- // Add link-local address
+ // Add link-local address if user included locally-attached networks
$suricataip = get_interface_linklocal($suricatacfg['interface']);
- if (!empty($suricataip)) {
+ if (!empty($suricataip) && $localnet == 'yes') {
// Trim off the interface designation (e.g., %em1) if present
if (strpos($suricataip, "%") !== FALSE)
$suricataip = substr($suricataip, 0, strpos($suricataip, "%"));
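Review bot: The link-local guard `if (!empty($suricataip) && $localnet == 'yes')` requires an explicit `'yes'`, while the neighbouring conditions in this hunk accept an unset `$localnet` as equivalent (`... || $localnet == 'yes' || empty($localnet)`). For a list where `$localnet` is never assigned, the interface's routable IPv4/IPv6 addresses are added but its link-local address is not, which looks unintended. If the intent is to follow the other guards, `if (!empty($suricataip) && ($localnet == 'yes' || empty($localnet)))` aligns them. Where `$localnet` is set for a named list is outside the hunk, so this is inferred from the visible conditions only.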
@@ -346,7 +352,7 @@ function suricata_build_list($suricatacfg, $listname = "", $passlist = false) {
$home_net[] = $suricataip;
}
- if (!$passlist || $localnet == 'yes' || empty($localnet)) {
+ if (($externallist && $localnet == 'yes') || (!externallist && (!$passlist || $localnet == 'yes' || empty($localnet)))) {
/*************************************************************************/
/* Iterate through the interface list and write out pass list items and */
/* also compile a HOME_NET list of all local interfaces for suricata. */
diff --git a/config/suricata/suricata_generate_yaml.php b/config/suricata/suricata_generate_yaml.php
index 91dc06a5..05d6dea8 100644
--- a/config/suricata/suricata_generate_yaml.php
+++ b/config/suricata/suricata_generate_yaml.php
@@ -68,11 +68,11 @@ foreach ($suricata_files as $file) {
$home_net_list = suricata_build_list($suricatacfg, $suricatacfg['homelistname']);
$home_net = implode(",", $home_net_list);
$home_net = trim($home_net);
-$external_net = '!$HOME_NET';
+$external_net = 'any';
if (!empty($suricatacfg['externallistname']) && $suricatacfg['externallistname'] != 'default') {
- $external_net_list = suricata_build_list($suricatacfg, $suricatacfg['externallistname']);
+ $external_net_list = suricata_build_list($suricatacfg, $suricatacfg['externallistname'], false, true);
$external_net = implode(",", $external_net_list);
- $external_net = trim($external_net);
+ $external_net = '[' . trim($external_net) . ']';
}
// Set the PASS LIST and write its contents to disk
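Review bot: When `suricata_build_list` returns an empty array (it returns the empty lookup result when the named list is not found), `implode` yields `''` and the new line `$external_net = '[' . trim($external_net) . ']';` writes the literal `[]` into the yaml, which Suricata is unlikely to accept as an address group, instead of falling back to the `any` default this hunk introduces. Guarding the assignment keeps the fallback: `if (!empty($external_net_list)) {` around the `implode`/bracket lines, or `$external_net = empty($external_net_list) ? 'any' : '[' . trim(implode(",", $external_net_list)) . ']';`. Whether `$home_net` receives matching brackets in the template is outside the hunk.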
diff --git a/config/suricata/suricata_interfaces_edit.php b/config/suricata/suricata_interfaces_edit.php
index 1bef338a..55c97efc 100644
--- a/config/suricata/suricata_interfaces_edit.php
+++ b/config/suricata/suricata_interfaces_edit.php
@@ -937,7 +937,11 @@ if ($savemsg) {
}
}
?>
- </select>&nbsp;&nbsp;
+ </select>
+ &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<input type="button" class="formbtns" value="View List"
+ onclick="viewList('<?=$id;?>','externallistname','externalnet')" id="btnExternalNet"
+ title="<?php echo gettext("Click to view currently selected External Net contents"); ?>"/>
+ <br/>
<?php echo gettext("Choose the External Net you want this interface " .
"to use."); ?>&nbsp;<br/><br/>
<span class="red"><?php echo gettext("Note:"); ?></span>&nbsp;<?php echo gettext("Default " .
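Review bot: `<?=$id;?>` is echoed unescaped into the JavaScript string literal inside the new button's `onclick` attribute; unless `$id` is validated as an integer before this template is reached (that validation would be outside the hunk), a non-numeric value could break out of the string and the attribute. Emitting it as `<?=intval($id);?>` (or `htmlspecialchars($id)` if it may be non-numeric) makes the markup safe regardless of upstream checks. The existing View List button for the home-net selector presumably uses the same construct and should be treated identically.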
diff --git a/config/suricata/suricata_list_view.php b/config/suricata/suricata_list_view.php
index 722bf47a..dc5a2b04 100644
--- a/config/suricata/suricata_list_view.php
+++ b/config/suricata/suricata_list_view.php
@@ -58,6 +58,11 @@ if (isset($id) && isset($wlist)) {
$contents = str_replace("\r", "", base64_decode($list['suppresspassthru']));
$title = "Suppress List";
}
+ elseif ($type == "externalnet") {
+ $list = suricata_build_list($a_rule, $wlist, false, true);
+ $contents = implode("\n", $list);
+ $title = "EXTERNAL_NET";
+ }
else
$contents = gettext("\n\nERROR -- Requested List Type entity is not valid!");
}
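Review bot: The new `externalnet` branch renders an empty page when `suricata_build_list` returns an empty array for an unrecognised `$wlist`, whereas the `else` branch below reports an invalid request; `$contents = empty($list) ? gettext("\n\nERROR -- Requested External Net list is empty or not found!") : implode("\n", $list);` would keep the two consistent. `$title = "EXTERNAL_NET";` bypasses `gettext`, which matches the sibling titles in the hunk, so that is only an observation. The enclosing `if (isset($id) && isset($wlist))` block begins outside the hunk.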