aboutsummaryrefslogtreecommitdiffstats
path: root/config/suricata
diff options
context:
space:
mode:
authorbmeeks8 <bmeeks8@bellsouth.net>2014-11-26 15:39:07 -0500
committerbmeeks8 <bmeeks8@bellsouth.net>2014-12-15 12:15:44 -0500
commit95b568faae3d838eeb29e8ea2a46e32e4c1afa0b (patch)
tree2a728f9d4852c3a004d952f89eab5e59097a8b8a /config/suricata
parent617fe1038c458fcd366f675d2f94a6c2401a78a2 (diff)
downloadpfsense-packages-95b568faae3d838eeb29e8ea2a46e32e4c1afa0b.tar.gz
pfsense-packages-95b568faae3d838eeb29e8ea2a46e32e4c1afa0b.tar.bz2
pfsense-packages-95b568faae3d838eeb29e8ea2a46e32e4c1afa0b.zip
Add GUI support for new GeoIP rule options.
Diffstat (limited to 'config/suricata')
-rw-r--r--config/suricata/suricata.priv.inc1
-rw-r--r--config/suricata/suricata.xml5
-rw-r--r--config/suricata/suricata_geoipupdate.php94
-rw-r--r--config/suricata/suricata_global.php23
-rw-r--r--config/suricata/suricata_migrate_config.php20
-rw-r--r--config/suricata/suricata_post_install.php11
-rw-r--r--config/suricata/suricata_uninstall.php1
7 files changed, 143 insertions, 12 deletions
diff --git a/config/suricata/suricata.priv.inc b/config/suricata/suricata.priv.inc
index ae19d7b2..d6edab9a 100644
--- a/config/suricata/suricata.priv.inc
+++ b/config/suricata/suricata.priv.inc
@@ -41,6 +41,7 @@ $priv_list['page-services-suricata']['match'][] = "suricata/suricata_check_cron_
$priv_list['page-services-suricata']['match'][] = "suricata/suricata_yaml_template.inc*";
$priv_list['page-services-suricata']['match'][] = "suricata/suricata.inc*";
$priv_list['page-services-suricata']['match'][] = "suricata/suricata_defs.inc*";
+$priv_list['page-services-suricata']['match'][] = "suricata/suricata_geoipupdate.php*";
$priv_list['page-services-suricata']['match'][] = "suricata/suricata_post_install.php*";
$priv_list['page-services-suricata']['match'][] = "suricata/suricata_uninstall.php*";
$priv_list['page-services-suricata']['match'][] = "suricata/suricata_generate_yaml.php*";
diff --git a/config/suricata/suricata.xml b/config/suricata/suricata.xml
index dcab4b86..03355b25 100644
--- a/config/suricata/suricata.xml
+++ b/config/suricata/suricata.xml
@@ -113,6 +113,11 @@
<chmod>0755</chmod>
</additional_files_needed>
<additional_files_needed>
+ <item>https://packages.pfsense.org/packages/config/suricata/suricata_geoipupdate.php</item>
+ <prefix>/usr/local/pkg/suricata/</prefix>
+ <chmod>0755</chmod>
+ </additional_files_needed>
+ <additional_files_needed>
<item>https://packages.pfsense.org/packages/config/suricata/suricata_download_updates.php</item>
<prefix>/usr/local/www/suricata/</prefix>
<chmod>0755</chmod>
diff --git a/config/suricata/suricata_geoipupdate.php b/config/suricata/suricata_geoipupdate.php
new file mode 100644
index 00000000..4e86b833
--- /dev/null
+++ b/config/suricata/suricata_geoipupdate.php
@@ -0,0 +1,94 @@
+<?php
+/*
+ * suricata_geoipupdate.php
+ *
+ * Significant portions of this code are based on original work done
+ * for the Snort package for pfSense from the following contributors:
+ *
+ * Copyright (C) 2005 Bill Marquette <bill.marquette@gmail.com>.
+ * Copyright (C) 2003-2004 Manuel Kasper <mk@neon1.net>.
+ * Copyright (C) 2006 Scott Ullrich
+ * Copyright (C) 2009 Robert Zelaya Sr. Developer
+ * Copyright (C) 2012 Ermal Luci
+ * All rights reserved.
+ *
+ * Adapted for Suricata by:
+ * Copyright (C) 2014 Bill Meeks
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+
+ * 1. Redistributions of source code must retain the above copyright notice,
+ * this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+*/
+
+/* This product includes GeoLite data created by MaxMind, available from
+ * http://www.maxmind.com
+*/
+
+require_once("config.inc");
+require_once("functions.inc");
+require("/usr/local/pkg/suricata/suricata_defs.inc");
+
+global $g, $config;
+$suricata_geoip_dbdir = SURICATA_PBI_BASEDIR . 'share/GeoIP/';
+$geoip_tmppath = "{$g['tmp_path']}/geoipup/";
+
+// If auto-updates of GeoIP are disabled, then exit
+if ($config['installedpackages']['suricata']['config'][0]['autogeoipupdate'] == "off")
+ exit(0);
+else
+ log_error(gettext("[Suricata] Updating the GeoIP country database files..."));
+
+
+// Download the free GeoIP Legacy country name databases for IPv4 and IPv6
+// to a temporary location.
+safe_mkdir("$geoip_tmppath");
+download_file("http://geolite.maxmind.com/download/geoip/database/GeoLiteCountry/GeoIP.dat.gz", "{$geoip_tmppath}GeoIP.dat.gz");
+download_file("http://geolite.maxmind.com/download/geoip/database/GeoIPv6.dat.gz", "{$geoip_tmppath}GeoIPv6.dat.gz");
+
+// Mount filesystem read-write since we need to write
+// the databases to PBI_BASE/share/GeoIP.
+conf_mount_rw();
+
+// If the files downloaded successfully, unpack them and store
+// the DB files in the PBI_BASE/share/GeoIP directory.
+if (file_exists("{$geoip_tmppath}GeoIP.dat.gz")) {
+ exec("/usr/bin/gunzip -f {$geoip_tmppath}GeoIP.dat.gz");
+ @rename("{$geoip_tmppath}GeoIP.dat", "{$suricata_geoip_dbdir}GeoIP.dat");
+}
+else
+ log_error(gettext("[Suricata] An error occurred downloading the 'GeoIP.dat.gz' update file for GeoIP."));
+
+if (file_exists("{$geoip_tmppath}GeoIPv6.dat.gz")) {
+ exec("/usr/bin/gunzip -f {$geoip_tmppath}GeoIPv6.dat.gz");
+ @rename("{$geoip_tmppath}GeoIPv6.dat", "{$suricata_geoip_dbdir}GeoIPv6.dat");
+}
+else
+ log_error(gettext("[Suricata] An error occurred downloading the 'GeoIPv6.dat.gz' update file for GeoIP."));
+
+// Finished with filesystem mods, so remount read-only
+conf_mount_ro();
+
+// Cleanup the tmp directory path
+rmdir_recursive("$geoip_tmppath");
+
+log_error(gettext("[Suricata] GeoIP database update finished."));
+
+?>
diff --git a/config/suricata/suricata_global.php b/config/suricata/suricata_global.php
index 0696ceac..b462a7c8 100644
--- a/config/suricata/suricata_global.php
+++ b/config/suricata/suricata_global.php
@@ -66,6 +66,7 @@ else {
$pconfig['forcekeepsettings'] = $config['installedpackages']['suricata']['config'][0]['forcekeepsettings'];
$pconfig['snortcommunityrules'] = $config['installedpackages']['suricata']['config'][0]['snortcommunityrules'];
$pconfig['snort_rules_file'] = $config['installedpackages']['suricata']['config'][0]['snort_rules_file'];
+ $pconfig['autogeoipupdate'] = $config['installedpackages']['suricata']['config'][0]['autogeoipupdate'];
}
// Do input validation on parameters
@@ -97,6 +98,7 @@ if (!$input_errors) {
$config['installedpackages']['suricata']['config'][0]['snortcommunityrules'] = $_POST['snortcommunityrules'] ? 'on' : 'off';
$config['installedpackages']['suricata']['config'][0]['enable_etopen_rules'] = $_POST['enable_etopen_rules'] ? 'on' : 'off';
$config['installedpackages']['suricata']['config'][0]['enable_etpro_rules'] = $_POST['enable_etpro_rules'] ? 'on' : 'off';
+ $config['installedpackages']['suricata']['config'][0]['autogeoipupdate'] = $_POST['autogeoipupdate'] ? 'on' : 'off';
// If any rule sets are being turned off, then remove them
// from the active rules section of each interface. Start
@@ -155,13 +157,21 @@ if (!$input_errors) {
$retval = 0;
+ write_config("Suricata pkg: modified global settings.");
+
+ /* Toggle cron task for GeoIP database updates if setting was changed */
+ if ($config['installedpackages']['suricata']['config'][0]['autogeoipupdate'] == 'on' && !suricata_cron_job_exists("/usr/local/pkg/suricata/suricata_geoipupdate.php")) {
+ include("/usr/local/pkg/suricata/suricata_geoipupdate.php");
+ install_cron_job("/usr/bin/nice -n20 /usr/local/bin/php -f /usr/local/pkg/suricata/suricata_geoipupdate.php", TRUE, 0, 0, 8, "*", "*", "root");
+ }
+ elseif ($config['installedpackages']['suricata']['config'][0]['autogeoipupdate'] == 'off' && suricata_cron_job_exists("/usr/local/pkg/suricata/suricata_geoipupdate.php"))
+ install_cron_job("/usr/local/pkg/suricata/suricata_geoipupdate.php", FALSE);
+
/* create passlist and homenet file, then sync files */
conf_mount_rw();
sync_suricata_package_config();
conf_mount_ro();
- write_config("Suricata pkg: modified global settings.");
-
/* forces page to reload new settings */
header( 'Expires: Sat, 26 Jul 1997 05:00:00 GMT' );
header( 'Last-Modified: ' . gmdate( 'D, d M Y H:i:s' ) . ' GMT' );
@@ -352,6 +362,15 @@ if ($input_errors)
"If issues are encountered with live load, uncheck this option to perform a hard restart of all Suricata instances following an update."); ?></td>
</tr>
<tr>
+ <td width="22%" valign="top" class="vncell"><?php echo gettext("GeoIP DB Update"); ?></td>
+ <td width="78%" class="vtable"><input name="autogeoipupdate" id="autogeoipupdate" type="checkbox" value="yes"
+ <?php if ($config['installedpackages']['suricata']['config'][0]['autogeoipupdate']=="on") echo " checked"; ?>/>
+ &nbsp;<?php echo gettext("Enable downloading of free GeoIP Country Database updates. Default is ") . "<strong>" . gettext("Checked") . "</strong>"; ?><br/><br/>
+ <?php echo gettext("When enabled, Suricata will automatically download updates for the free legacy GeoIP country database on the 8th of each month at midnight.") .
+ "<br/><br/>" . gettext("If you have a subscription for more current GeoIP updates, uncheck this option and instead create your own process to place the required database files in " .
+ SURICATA_PBI_BASEDIR . "share/GeoIP/."); ?></td>
+</tr>
+<tr>
<td colspan="2" valign="top" class="listtopic"><?php echo gettext("General Settings"); ?></td>
</tr>
<tr>
diff --git a/config/suricata/suricata_migrate_config.php b/config/suricata/suricata_migrate_config.php
index d5f56a62..a53b5ba4 100644
--- a/config/suricata/suricata_migrate_config.php
+++ b/config/suricata/suricata_migrate_config.php
@@ -71,12 +71,20 @@ if ($config['installedpackages']['suricata']['config'][0]['suricata_config_ver']
/**********************************************************/
/* Create new Auto SID Mgmt settings if not set */
/**********************************************************/
- if (empty($config['installedpackages']['suricata']['config'][0]['auto_manage_sids'])) {
- $config['installedpackages']['suricata']['config'][0]['auto_manage_sids'] = "off";
- $config['installedpackages']['suricata']['config'][0]['sid_changes_log_limit_size'] = "250";
- $config['installedpackages']['suricata']['config'][0]['sid_changes_log_retention'] = "336";
- $updated_cfg = true;
- }
+if (empty($config['installedpackages']['suricata']['config'][0]['auto_manage_sids'])) {
+ $config['installedpackages']['suricata']['config'][0]['auto_manage_sids'] = "off";
+ $config['installedpackages']['suricata']['config'][0]['sid_changes_log_limit_size'] = "250";
+ $config['installedpackages']['suricata']['config'][0]['sid_changes_log_retention'] = "336";
+ $updated_cfg = true;
+}
+
+/**********************************************************/
+/* Create new Auto GeoIP update setting if not set */
+/**********************************************************/
+if (empty($config['installedpackages']['suricata']['config'][0]['autogeoipupdate'])) {
+ $config['installedpackages']['suricata']['config'][0]['autogeoipupdate'] = "on";
+ $updated_cfg = true;
+}
// Now process the interface-specific settings
foreach ($rule as &$r) {
diff --git a/config/suricata/suricata_post_install.php b/config/suricata/suricata_post_install.php
index 73ba7f50..3a82d567 100644
--- a/config/suricata/suricata_post_install.php
+++ b/config/suricata/suricata_post_install.php
@@ -66,10 +66,6 @@ global $config, $g, $rebuild_rules, $pkg_interface, $suricata_gui_include;
* updated version icluded with the *
* updated GUI package. *
****************************************/
-if (!defined('SURICATA_SID_MODS_PATH'))
- define('SURICATA_SID_MODS_PATH', '/var/db/suricata/sidmods/');
-if (!defined('SURICATA_IPREP_PATH'))
- define('SURICATA_IPREP_PATH', '/var/db/suricata/iprep/');
if (!defined('SURICATA_PBI_BASEDIR'))
define('SURICATA_PBI_BASEDIR', '/usr/pbi/suricata-' . php_uname("m"));
@@ -116,6 +112,13 @@ safe_mkdir(SURICATALOGDIR);
safe_mkdir(SURICATA_SID_MODS_PATH);
safe_mkdir(SURICATA_IPREP_PATH);
+// Download the latest GeoIP DB updates and create cron task if the feature is not disabled
+if ($config['installedpackages']['suricata']['config'][0]['autogeoipupdate'] != 'off') {
+ log_error(gettext("[Suricata] Installing free GeoIP country database files..."));
+ include("/usr/local/pkg/suricata/suricata_geoipupdate.php");
+ install_cron_job("/usr/bin/nice -n20 /usr/local/bin/php -f /usr/local/pkg/suricata/suricata_geoipupdate.php", TRUE, 0, 0, 8, "*", "*", "root");
+}
+
// remake saved settings if previously flagged
if ($config['installedpackages']['suricata']['config'][0]['forcekeepsettings'] == 'on') {
log_error(gettext("[Suricata] Saved settings detected... rebuilding installation with saved settings..."));
diff --git a/config/suricata/suricata_uninstall.php b/config/suricata/suricata_uninstall.php
index 239b535a..b8928d17 100644
--- a/config/suricata/suricata_uninstall.php
+++ b/config/suricata/suricata_uninstall.php
@@ -77,6 +77,7 @@ unlink_if_exists("{$g['varrun_path']}/barnyard2_*.pid");
install_cron_job("suricata_check_for_rule_updates.php", false);
install_cron_job("suricata_check_cron_misc.inc", false);
install_cron_job("{$suri_pf_table}" , false);
+install_cron_job("suricata_geoipupdate.php" , false);
/* See if we are to keep Suricata log files on uninstall */
if ($config['installedpackages']['suricata']['config'][0]['clearlogs'] == 'on') {