diff options
author | bmeeks8 <bmeeks8@bellsouth.net> | 2014-11-26 15:39:07 -0500 |
---|---|---|
committer | bmeeks8 <bmeeks8@bellsouth.net> | 2014-12-15 12:15:44 -0500 |
commit | 95b568faae3d838eeb29e8ea2a46e32e4c1afa0b (patch) | |
tree | 2a728f9d4852c3a004d952f89eab5e59097a8b8a /config/suricata | |
parent | 617fe1038c458fcd366f675d2f94a6c2401a78a2 (diff) | |
download | pfsense-packages-95b568faae3d838eeb29e8ea2a46e32e4c1afa0b.tar.gz pfsense-packages-95b568faae3d838eeb29e8ea2a46e32e4c1afa0b.tar.bz2 pfsense-packages-95b568faae3d838eeb29e8ea2a46e32e4c1afa0b.zip |
Add GUI support for new GeoIP rule options.
Diffstat (limited to 'config/suricata')
-rw-r--r-- | config/suricata/suricata.priv.inc | 1 | ||||
-rw-r--r-- | config/suricata/suricata.xml | 5 | ||||
-rw-r--r-- | config/suricata/suricata_geoipupdate.php | 94 | ||||
-rw-r--r-- | config/suricata/suricata_global.php | 23 | ||||
-rw-r--r-- | config/suricata/suricata_migrate_config.php | 20 | ||||
-rw-r--r-- | config/suricata/suricata_post_install.php | 11 | ||||
-rw-r--r-- | config/suricata/suricata_uninstall.php | 1 |
7 files changed, 143 insertions, 12 deletions
diff --git a/config/suricata/suricata.priv.inc b/config/suricata/suricata.priv.inc index ae19d7b2..d6edab9a 100644 --- a/config/suricata/suricata.priv.inc +++ b/config/suricata/suricata.priv.inc @@ -41,6 +41,7 @@ $priv_list['page-services-suricata']['match'][] = "suricata/suricata_check_cron_ $priv_list['page-services-suricata']['match'][] = "suricata/suricata_yaml_template.inc*"; $priv_list['page-services-suricata']['match'][] = "suricata/suricata.inc*"; $priv_list['page-services-suricata']['match'][] = "suricata/suricata_defs.inc*"; +$priv_list['page-services-suricata']['match'][] = "suricata/suricata_geoipupdate.php*"; $priv_list['page-services-suricata']['match'][] = "suricata/suricata_post_install.php*"; $priv_list['page-services-suricata']['match'][] = "suricata/suricata_uninstall.php*"; $priv_list['page-services-suricata']['match'][] = "suricata/suricata_generate_yaml.php*"; diff --git a/config/suricata/suricata.xml b/config/suricata/suricata.xml index dcab4b86..03355b25 100644 --- a/config/suricata/suricata.xml +++ b/config/suricata/suricata.xml @@ -113,6 +113,11 @@ <chmod>0755</chmod> </additional_files_needed> <additional_files_needed> + <item>https://packages.pfsense.org/packages/config/suricata/suricata_geoipupdate.php</item> + <prefix>/usr/local/pkg/suricata/</prefix> + <chmod>0755</chmod> + </additional_files_needed> + <additional_files_needed> <item>https://packages.pfsense.org/packages/config/suricata/suricata_download_updates.php</item> <prefix>/usr/local/www/suricata/</prefix> <chmod>0755</chmod> diff --git a/config/suricata/suricata_geoipupdate.php b/config/suricata/suricata_geoipupdate.php new file mode 100644 index 00000000..4e86b833 --- /dev/null +++ b/config/suricata/suricata_geoipupdate.php @@ -0,0 +1,94 @@ +<?php +/* + * suricata_geoipupdate.php + * + * Significant portions of this code are based on original work done + * for the Snort package for pfSense from the following contributors: + * + * Copyright (C) 2005 Bill Marquette <bill.marquette@gmail.com>. + * Copyright (C) 2003-2004 Manuel Kasper <mk@neon1.net>. + * Copyright (C) 2006 Scott Ullrich + * Copyright (C) 2009 Robert Zelaya Sr. Developer + * Copyright (C) 2012 Ermal Luci + * All rights reserved. + * + * Adapted for Suricata by: + * Copyright (C) 2014 Bill Meeks + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions are met: + + * 1. Redistributions of source code must retain the above copyright notice, + * this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + * POSSIBILITY OF SUCH DAMAGE. +*/ + +/* This product includes GeoLite data created by MaxMind, available from + * http://www.maxmind.com +*/ + +require_once("config.inc"); +require_once("functions.inc"); +require("/usr/local/pkg/suricata/suricata_defs.inc"); + +global $g, $config; +$suricata_geoip_dbdir = SURICATA_PBI_BASEDIR . 'share/GeoIP/'; +$geoip_tmppath = "{$g['tmp_path']}/geoipup/"; + +// If auto-updates of GeoIP are disabled, then exit +if ($config['installedpackages']['suricata']['config'][0]['autogeoipupdate'] == "off") + exit(0); +else + log_error(gettext("[Suricata] Updating the GeoIP country database files...")); + + +// Download the free GeoIP Legacy country name databases for IPv4 and IPv6 +// to a temporary location. +safe_mkdir("$geoip_tmppath"); +download_file("http://geolite.maxmind.com/download/geoip/database/GeoLiteCountry/GeoIP.dat.gz", "{$geoip_tmppath}GeoIP.dat.gz"); +download_file("http://geolite.maxmind.com/download/geoip/database/GeoIPv6.dat.gz", "{$geoip_tmppath}GeoIPv6.dat.gz"); + +// Mount filesystem read-write since we need to write +// the databases to PBI_BASE/share/GeoIP. +conf_mount_rw(); + +// If the files downloaded successfully, unpack them and store +// the DB files in the PBI_BASE/share/GeoIP directory. +if (file_exists("{$geoip_tmppath}GeoIP.dat.gz")) { + exec("/usr/bin/gunzip -f {$geoip_tmppath}GeoIP.dat.gz"); + @rename("{$geoip_tmppath}GeoIP.dat", "{$suricata_geoip_dbdir}GeoIP.dat"); +} +else + log_error(gettext("[Suricata] An error occurred downloading the 'GeoIP.dat.gz' update file for GeoIP.")); + +if (file_exists("{$geoip_tmppath}GeoIPv6.dat.gz")) { + exec("/usr/bin/gunzip -f {$geoip_tmppath}GeoIPv6.dat.gz"); + @rename("{$geoip_tmppath}GeoIPv6.dat", "{$suricata_geoip_dbdir}GeoIPv6.dat"); +} +else + log_error(gettext("[Suricata] An error occurred downloading the 'GeoIPv6.dat.gz' update file for GeoIP.")); + +// Finished with filesystem mods, so remount read-only +conf_mount_ro(); + +// Cleanup the tmp directory path +rmdir_recursive("$geoip_tmppath"); + +log_error(gettext("[Suricata] GeoIP database update finished.")); + +?> diff --git a/config/suricata/suricata_global.php b/config/suricata/suricata_global.php index 0696ceac..b462a7c8 100644 --- a/config/suricata/suricata_global.php +++ b/config/suricata/suricata_global.php @@ -66,6 +66,7 @@ else { $pconfig['forcekeepsettings'] = $config['installedpackages']['suricata']['config'][0]['forcekeepsettings']; $pconfig['snortcommunityrules'] = $config['installedpackages']['suricata']['config'][0]['snortcommunityrules']; $pconfig['snort_rules_file'] = $config['installedpackages']['suricata']['config'][0]['snort_rules_file']; + $pconfig['autogeoipupdate'] = $config['installedpackages']['suricata']['config'][0]['autogeoipupdate']; } // Do input validation on parameters @@ -97,6 +98,7 @@ if (!$input_errors) { $config['installedpackages']['suricata']['config'][0]['snortcommunityrules'] = $_POST['snortcommunityrules'] ? 'on' : 'off'; $config['installedpackages']['suricata']['config'][0]['enable_etopen_rules'] = $_POST['enable_etopen_rules'] ? 'on' : 'off'; $config['installedpackages']['suricata']['config'][0]['enable_etpro_rules'] = $_POST['enable_etpro_rules'] ? 'on' : 'off'; + $config['installedpackages']['suricata']['config'][0]['autogeoipupdate'] = $_POST['autogeoipupdate'] ? 'on' : 'off'; // If any rule sets are being turned off, then remove them // from the active rules section of each interface. Start @@ -155,13 +157,21 @@ if (!$input_errors) { $retval = 0; + write_config("Suricata pkg: modified global settings."); + + /* Toggle cron task for GeoIP database updates if setting was changed */ + if ($config['installedpackages']['suricata']['config'][0]['autogeoipupdate'] == 'on' && !suricata_cron_job_exists("/usr/local/pkg/suricata/suricata_geoipupdate.php")) { + include("/usr/local/pkg/suricata/suricata_geoipupdate.php"); + install_cron_job("/usr/bin/nice -n20 /usr/local/bin/php -f /usr/local/pkg/suricata/suricata_geoipupdate.php", TRUE, 0, 0, 8, "*", "*", "root"); + } + elseif ($config['installedpackages']['suricata']['config'][0]['autogeoipupdate'] == 'off' && suricata_cron_job_exists("/usr/local/pkg/suricata/suricata_geoipupdate.php")) + install_cron_job("/usr/local/pkg/suricata/suricata_geoipupdate.php", FALSE); + /* create passlist and homenet file, then sync files */ conf_mount_rw(); sync_suricata_package_config(); conf_mount_ro(); - write_config("Suricata pkg: modified global settings."); - /* forces page to reload new settings */ header( 'Expires: Sat, 26 Jul 1997 05:00:00 GMT' ); header( 'Last-Modified: ' . gmdate( 'D, d M Y H:i:s' ) . ' GMT' ); @@ -352,6 +362,15 @@ if ($input_errors) "If issues are encountered with live load, uncheck this option to perform a hard restart of all Suricata instances following an update."); ?></td> </tr> <tr> + <td width="22%" valign="top" class="vncell"><?php echo gettext("GeoIP DB Update"); ?></td> + <td width="78%" class="vtable"><input name="autogeoipupdate" id="autogeoipupdate" type="checkbox" value="yes" + <?php if ($config['installedpackages']['suricata']['config'][0]['autogeoipupdate']=="on") echo " checked"; ?>/> + <?php echo gettext("Enable downloading of free GeoIP Country Database updates. Default is ") . "<strong>" . gettext("Checked") . "</strong>"; ?><br/><br/> + <?php echo gettext("When enabled, Suricata will automatically download updates for the free legacy GeoIP country database on the 8th of each month at midnight.") . + "<br/><br/>" . gettext("If you have a subscription for more current GeoIP updates, uncheck this option and instead create your own process to place the required database files in " . + SURICATA_PBI_BASEDIR . "share/GeoIP/."); ?></td> +</tr> +<tr> <td colspan="2" valign="top" class="listtopic"><?php echo gettext("General Settings"); ?></td> </tr> <tr> diff --git a/config/suricata/suricata_migrate_config.php b/config/suricata/suricata_migrate_config.php index d5f56a62..a53b5ba4 100644 --- a/config/suricata/suricata_migrate_config.php +++ b/config/suricata/suricata_migrate_config.php @@ -71,12 +71,20 @@ if ($config['installedpackages']['suricata']['config'][0]['suricata_config_ver'] /**********************************************************/ /* Create new Auto SID Mgmt settings if not set */ /**********************************************************/ - if (empty($config['installedpackages']['suricata']['config'][0]['auto_manage_sids'])) { - $config['installedpackages']['suricata']['config'][0]['auto_manage_sids'] = "off"; - $config['installedpackages']['suricata']['config'][0]['sid_changes_log_limit_size'] = "250"; - $config['installedpackages']['suricata']['config'][0]['sid_changes_log_retention'] = "336"; - $updated_cfg = true; - } +if (empty($config['installedpackages']['suricata']['config'][0]['auto_manage_sids'])) { + $config['installedpackages']['suricata']['config'][0]['auto_manage_sids'] = "off"; + $config['installedpackages']['suricata']['config'][0]['sid_changes_log_limit_size'] = "250"; + $config['installedpackages']['suricata']['config'][0]['sid_changes_log_retention'] = "336"; + $updated_cfg = true; +} + +/**********************************************************/ +/* Create new Auto GeoIP update setting if not set */ +/**********************************************************/ +if (empty($config['installedpackages']['suricata']['config'][0]['autogeoipupdate'])) { + $config['installedpackages']['suricata']['config'][0]['autogeoipupdate'] = "on"; + $updated_cfg = true; +} // Now process the interface-specific settings foreach ($rule as &$r) { diff --git a/config/suricata/suricata_post_install.php b/config/suricata/suricata_post_install.php index 73ba7f50..3a82d567 100644 --- a/config/suricata/suricata_post_install.php +++ b/config/suricata/suricata_post_install.php @@ -66,10 +66,6 @@ global $config, $g, $rebuild_rules, $pkg_interface, $suricata_gui_include; * updated version icluded with the * * updated GUI package. * ****************************************/ -if (!defined('SURICATA_SID_MODS_PATH')) - define('SURICATA_SID_MODS_PATH', '/var/db/suricata/sidmods/'); -if (!defined('SURICATA_IPREP_PATH')) - define('SURICATA_IPREP_PATH', '/var/db/suricata/iprep/'); if (!defined('SURICATA_PBI_BASEDIR')) define('SURICATA_PBI_BASEDIR', '/usr/pbi/suricata-' . php_uname("m")); @@ -116,6 +112,13 @@ safe_mkdir(SURICATALOGDIR); safe_mkdir(SURICATA_SID_MODS_PATH); safe_mkdir(SURICATA_IPREP_PATH); +// Download the latest GeoIP DB updates and create cron task if the feature is not disabled +if ($config['installedpackages']['suricata']['config'][0]['autogeoipupdate'] != 'off') { + log_error(gettext("[Suricata] Installing free GeoIP country database files...")); + include("/usr/local/pkg/suricata/suricata_geoipupdate.php"); + install_cron_job("/usr/bin/nice -n20 /usr/local/bin/php -f /usr/local/pkg/suricata/suricata_geoipupdate.php", TRUE, 0, 0, 8, "*", "*", "root"); +} + // remake saved settings if previously flagged if ($config['installedpackages']['suricata']['config'][0]['forcekeepsettings'] == 'on') { log_error(gettext("[Suricata] Saved settings detected... rebuilding installation with saved settings...")); diff --git a/config/suricata/suricata_uninstall.php b/config/suricata/suricata_uninstall.php index 239b535a..b8928d17 100644 --- a/config/suricata/suricata_uninstall.php +++ b/config/suricata/suricata_uninstall.php @@ -77,6 +77,7 @@ unlink_if_exists("{$g['varrun_path']}/barnyard2_*.pid"); install_cron_job("suricata_check_for_rule_updates.php", false); install_cron_job("suricata_check_cron_misc.inc", false); install_cron_job("{$suri_pf_table}" , false); +install_cron_job("suricata_geoipupdate.php" , false); /* See if we are to keep Suricata log files on uninstall */ if ($config['installedpackages']['suricata']['config'][0]['clearlogs'] == 'on') { |