diff options
| author | Renato Botelho <garga@pfSense.org> | 2014-03-19 10:28:24 -0300 |
|---|---|---|
| committer | Renato Botelho <garga@pfSense.org> | 2014-03-19 10:28:24 -0300 |
| commit | d50c07fd00ac203332e57a45532a265759922993 (patch) | |
| tree | ad427c579bcd5e731369f709d0307f9028fbc2d2 /config | |
| parent | a84a84bf31ed33c7e132b704186a56b77cc9148a (diff) | |
| parent | 172270f302e2cdb0e0b6f7581152bc32befa99bc (diff) | |
| download | pfsense-packages-d50c07fd00ac203332e57a45532a265759922993.tar.gz pfsense-packages-d50c07fd00ac203332e57a45532a265759922993.tar.bz2 pfsense-packages-d50c07fd00ac203332e57a45532a265759922993.zip | |
Merge pull request #622 from bmeeks8/master
Suricata 1.4.6 pkg. v0.2-BETA -- more bug fixes, no version bump
Diffstat (limited to 'config')
| -rw-r--r-- | config/suricata/suricata.inc | 112 | ||||
| -rw-r--r-- | config/suricata/suricata_alerts.js | 8 | ||||
| -rw-r--r-- | config/suricata/suricata_alerts.php | 83 | ||||
| -rw-r--r-- | config/suricata/suricata_alerts.widget.php | 53 | ||||
| -rw-r--r-- | config/suricata/suricata_barnyard.php | 39 | ||||
| -rw-r--r-- | config/suricata/suricata_check_for_rule_updates.php | 49 | ||||
| -rw-r--r-- | config/suricata/suricata_download_updates.php | 28 | ||||
| -rw-r--r-- | config/suricata/suricata_generate_yaml.php | 10 | ||||
| -rw-r--r-- | config/suricata/suricata_interfaces.php | 2 | ||||
| -rw-r--r-- | config/suricata/suricata_interfaces_edit.php | 58 | ||||
| -rw-r--r-- | config/suricata/suricata_logs_browser.php | 2 | ||||
| -rw-r--r-- | config/suricata/suricata_rules.php | 51 | ||||
| -rw-r--r-- | config/suricata/suricata_rules_edit.php | 41 | ||||
| -rw-r--r-- | config/suricata/suricata_rules_flowbits.php | 19 | ||||
| -rw-r--r-- | config/suricata/suricata_suppress.php | 2 | ||||
| -rw-r--r-- | config/suricata/suricata_suppress_edit.php | 2 | ||||
| -rw-r--r-- | config/suricata/suricata_yaml_template.inc | 5 |
17 files changed, 349 insertions, 215 deletions
diff --git a/config/suricata/suricata.inc b/config/suricata/suricata.inc index 1b6f5eb3..2660fae6 100644 --- a/config/suricata/suricata.inc +++ b/config/suricata/suricata.inc @@ -77,16 +77,12 @@ function suricata_generate_id() { } function suricata_is_running($suricata_uuid, $if_real, $type = 'suricata') { - global $config, $g; - - if (isvalidpid("{$g['varrun_path']}/{$type}_{$if_real}{$suricata_uuid}.pid")) - return true; - else - return false; + global $g; + return isvalidpid("{$g['varrun_path']}/{$type}_{$if_real}{$suricata_uuid}.pid"); } function suricata_barnyard_stop($suricatacfg, $if_real) { - global $config, $g; + global $g; $suricata_uuid = $suricatacfg['uuid']; if (isvalidpid("{$g['varrun_path']}/barnyard2_{$if_real}{$suricata_uuid}.pid")) { @@ -96,13 +92,13 @@ function suricata_barnyard_stop($suricatacfg, $if_real) { } function suricata_stop($suricatacfg, $if_real) { - global $config, $g; + global $g; $suricata_uuid = $suricatacfg['uuid']; if (isvalidpid("{$g['varrun_path']}/suricata_{$if_real}{$suricata_uuid}.pid")) { log_error("[Suricata] Suricata STOP for {$suricatacfg['descr']}({$if_real})..."); killbypid("{$g['varrun_path']}/suricata_{$if_real}{$suricata_uuid}.pid"); - sleep(2); + sleep(1); // For some reason Suricata seems to need a double TERM signal to actually shutdown if (isvalidpid("{$g['varrun_path']}/suricata_{$if_real}{$suricata_uuid}.pid")) @@ -113,7 +109,7 @@ function suricata_stop($suricatacfg, $if_real) { } function suricata_barnyard_start($suricatacfg, $if_real) { - global $config, $g; + global $g; $suricata_uuid = $suricatacfg['uuid']; $suricatadir = SURICATADIR . "suricata_{$suricata_uuid}_{$if_real}"; @@ -121,19 +117,19 @@ function suricata_barnyard_start($suricatacfg, $if_real) { if ($suricatacfg['barnyard_enable'] == 'on') { log_error("[Suricata] Barnyard2 START for {$suricatacfg['descr']}({$if_real})..."); - exec("/usr/local/bin/barnyard2 -r {$suricata_uuid} -f unified2.alert --pid-path {$g['varrun_path']} --nolock-pidfile -c {$suricatadir}/barnyard2.conf -d {$suricatalogdir} -D -q"); + mwexec_bg("/usr/local/bin/barnyard2 -r {$suricata_uuid} -f unified2.alert --pid-path {$g['varrun_path']} --nolock-pidfile -c {$suricatadir}/barnyard2.conf -d {$suricatalogdir} -D -q"); } } function suricata_start($suricatacfg, $if_real) { - global $config, $g; + global $g; $suricatadir = SURICATADIR; $suricata_uuid = $suricatacfg['uuid']; if ($suricatacfg['enable'] == 'on') { log_error("[Suricata] Suricata START for {$suricatacfg['descr']}({$if_real})..."); - exec("/usr/local/bin/suricata -i {$if_real} -D -c {$suricatadir}suricata_{$suricata_uuid}_{$if_real}/suricata.yaml --pidfile {$g['varrun_path']}/suricata_{$if_real}{$suricata_uuid}.pid"); + mwexec_bg("/usr/local/bin/suricata -i {$if_real} -D -c {$suricatadir}suricata_{$suricata_uuid}_{$if_real}/suricata.yaml --pidfile {$g['varrun_path']}/suricata_{$if_real}{$suricata_uuid}.pid"); } else return; @@ -154,7 +150,7 @@ function suricata_reload_config($suricatacfg, $signal="USR2") { /* */ /* $signal = USR2 (default) parses and reloads config. */ /**************************************************************/ - global $config, $g; + global $g; $suricatadir = SURICATADIR; $suricata_uuid = $suricatacfg['uuid']; @@ -166,8 +162,8 @@ function suricata_reload_config($suricatacfg, $signal="USR2") { /******************************************************/ if (isvalidpid("{$g['varrun_path']}/suricata_{$if_real}{$suricata_uuid}.pid")) { log_error("[Suricata] Suricata LIVE RULE RELOAD initiated for {$suricatacfg['descr']} ({$if_real})..."); - sigkillbypid("{$g['varrun_path']}/suricata_{$if_real}{$suricata_uuid}.pid", $signal); -// exec("/bin/pkill -{$signal} -F {$g['varrun_path']}/suricata_{$if_real}{$suricata_uuid}.pid 2>&1 &"); +// sigkillbypid("{$g['varrun_path']}/suricata_{$if_real}{$suricata_uuid}.pid", $signal); + mwexec_bg("/bin/pkill -{$signal} -F {$g['varrun_path']}/suricata_{$if_real}{$suricata_uuid}.pid"); } } @@ -183,7 +179,7 @@ function suricata_barnyard_reload_config($suricatacfg, $signal="HUP") { /* */ /* $signal = HUP (default) parses and reloads config. */ /**************************************************************/ - global $config, $g; + global $g; $suricatadir = SURICATADIR; $suricata_uuid = $suricatacfg['uuid']; @@ -195,8 +191,8 @@ function suricata_barnyard_reload_config($suricatacfg, $signal="HUP") { /******************************************************/ if (isvalidpid("{$g['varrun_path']}/barnyard2_{$if_real}{$suricata_uuid}.pid")) { log_error("[Suricata] Barnyard2 CONFIG RELOAD initiated for {$suricatacfg['descr']} ({$if_real})..."); - sigkillbypid("{$g['varrun_path']}/barnyard2_{$if_real}{$suricata_uuid}.pid", $signal); -// exec("/bin/pkill -{$signal} -F {$g['varrun_path']}/barnyard2_{$if_real}{$suricata_uuid}.pid 2>&1 &"); +// sigkillbypid("{$g['varrun_path']}/barnyard2_{$if_real}{$suricata_uuid}.pid", $signal); + mwexec_bg("/bin/pkill -{$signal} -F {$g['varrun_path']}/barnyard2_{$if_real}{$suricata_uuid}.pid"); } } @@ -698,7 +694,19 @@ function suricata_build_sid_msg_map($rules_path, $sid_file) { /*************************************************************/ /* This function reads all the rules file in the passed */ /* $rules_path variable and produces a properly formatted */ - /* sid-msg.map file for use by Suricata and/or barnyard2. */ + /* sid-msg.map v2 file for use by Suricata and barnyard2. */ + /* */ + /* This function produces the new v2 format sid-msg.map */ + /* with the field layout as follows: */ + /* */ + /* GID || SID || REV || CLASSTYPE || PRI || MSG || REF ... */ + /* */ + /* On Entry: $rules_path --> array or directory of files */ + /* or a single file containing */ + /* the rules to read. */ + /* $sid_file --> the complete destination path */ + /* and filename for the output */ + /* sid-msg.map file. */ /*************************************************************/ $sidMap = array(); @@ -707,7 +715,7 @@ function suricata_build_sid_msg_map($rules_path, $sid_file) { // First check if we were passed a directory, a single file // or an array of filenames to read. Set our $rule_files // variable accordingly. If we can't figure it out, return - // and don't write a sid_msg_map file. + // and don't write a sid-msg.map file. if (is_string($rules_path)) { if (is_dir($rules_path)) $rule_files = glob($rules_path . "*.rules"); @@ -760,7 +768,11 @@ function suricata_build_sid_msg_map($rules_path, $sid_file) { $record = ""; // Parse the rule to find sid and any references. + $gid = '1'; // default to 1 for regular rules $sid = ''; + $rev = ''; + $classtype = 'NOCLASS'; // required default for v2 format + $priority = '0'; // required default for v2 format $msg = ''; $matches = ''; $sidEntry = ''; @@ -768,23 +780,32 @@ function suricata_build_sid_msg_map($rules_path, $sid_file) { $msg = trim($matches[1]); if (preg_match('/\bsid\s*:\s*(\d+)\s*;/i', $rule, $matches)) $sid = trim($matches[1]); - if (!empty($sid) && !empty($msg)) { - $sidEntry = $sid . ' || ' . $msg; + if (preg_match('/\bgid\s*:\s*(\d+)\s*;/i', $rule, $matches)) + $gid = trim($matches[1]); + if (preg_match('/\brev\s*:\s*([^\;]+)/i', $rule, $matches)) + $rev = trim($matches[1]); + if (preg_match('/\bclasstype\s*:\s*([^\;]+)/i', $rule, $matches)) + $classtype = trim($matches[1]); + if (preg_match('/\bpriority\s*:\s*([^\;]+)/i', $rule, $matches)) + $priority = trim($matches[1]); + + if (!empty($gid) && !empty($sid) && !empty($msg)) { + $sidEntry = $gid . ' || ' . $sid . ' || ' . $rev . ' || ' . $classtype . ' || '; + $sidEntry .= $priority . ' || ' . $msg; preg_match_all('/\breference\s*:\s*([^\;]+)/i', $rule, $matches); foreach ($matches[1] as $ref) $sidEntry .= " || " . trim($ref); $sidEntry .= "\n"; - if (!is_array($sidMap[$sid])) - $sidMap[$sid] = array(); - $sidMap[$sid] = $sidEntry; + $sidMap[] = $sidEntry; } } } - // Sort the generated sid-msg map by sid - ksort($sidMap); + // Sort the generated sid-msg map + natcasesort($sidMap); // Now print the result to the supplied file - @file_put_contents($sid_file, array_values($sidMap)); + @file_put_contents($sid_file, "#v2\n# sid-msg.map file auto-generated by Snort.\n\n"); + @file_put_contents($sid_file, array_values($sidMap), FILE_APPEND); } function suricata_merge_reference_configs($cfg_in, $cfg_out) { @@ -1688,27 +1709,18 @@ function suricata_create_rc() { $start_barnyard = <<<EOE if [ ! -f {$g['varrun_path']}/barnyard2_{$if_real}{$suricata_uuid}.pid ]; then - pid=`/bin/pgrep -f "barnyard2 -r {$suricata_uuid} "` + pid=`/bin/pgrep -fn "barnyard2 -r {$suricata_uuid} "` else pid=`/bin/pgrep -F {$g['varrun_path']}/barnyard2_{$if_real}{$suricata_uuid}.pid` fi + if [ ! -z \$pid ]; then - /usr/bin/logger -p daemon.info -i -t SuricataStartup "Barnyard2 STOP for {$value['descr']}({$suricata_uuid}_{$if_real})..." - /bin/pkill -TERM \$pid - time=0 timeout=30 - while /bin/kill -TERM \$pid 2>/dev/null; do - sleep 1 - time=\$((time+1)) - if [ \$time -gt \$timeout ]; then - break - fi - done - if [ -f /var/run/barnyard2_{$if_real}{$suricata_uuid}.pid ]; then - /bin/rm /var/run/barnyard2_{$if_real}{$suricata_uuid}.pid - fi + /usr/bin/logger -p daemon.info -i -t SuricataStartup "Barnyard2 SOFT RESTART for {$value['descr']}({$suricata_uuid}_{$if_real})..." + /bin/pkill -HUP \$pid + else + /usr/bin/logger -p daemon.info -i -t SuricataStartup "Barnyard2 START for {$value['descr']}({$suricata_uuid}_{$if_real})..." + /usr/local/bin/barnyard2 -r {$suricata_uuid} -f unified2.alert --pid-path {$g['varrun_path']} --nolock-pidfile -c {$suricatadir}suricata_{$suricata_uuid}_{$if_real}/barnyard2.conf -d {$suricatalogdir}suricata_{$if_real}{$suricata_uuid} -D -q fi - /usr/bin/logger -p daemon.info -i -t SuricataStartup "Barnyard2 START for {$value['descr']}({$suricata_uuid}_{$if_real})..." - /usr/local/bin/barnyard2 -r {$suricata_uuid} -f unified2.alert --pid-path {$g['varrun_path']} --nolock-pidfile -c {$suricatadir}suricata_{$suricata_uuid}_{$if_real}/barnyard2.conf -d {$suricatalogdir}suricata_{$if_real}{$suricata_uuid} -D -q EOE; $stop_barnyard2 = <<<EOE @@ -1729,9 +1741,9 @@ EOE; /bin/rm /var/run/barnyard2_{$if_real}{$suricata_uuid}.pid fi else - pid=`/bin/pgrep -f "barnyard2 -r {$suricata_uuid} "` + pid=`/bin/pgrep -fn "barnyard2 -r {$suricata_uuid} "` if [ ! -z \$pid ]; then - /bin/pkill -TERM -f "barnyard2 -r {$suricata_uuid} " + /bin/pkill -TERM -fn "barnyard2 -r {$suricata_uuid} " time=0 timeout=30 while /bin/kill -TERM \$pid 2>/dev/null; do sleep 1 @@ -1754,7 +1766,7 @@ EOE; ###### For Each Iface # Start suricata and barnyard2 if [ ! -f {$g['varrun_path']}/suricata_{$if_real}{$suricata_uuid}.pid ]; then - pid=`/bin/pgrep -f "suricata -i {$if_real} "` + pid=`/bin/pgrep -fn "suricata -i {$if_real} "` else pid=`/bin/pgrep -F {$g['varrun_path']}/suricata_{$if_real}{$suricata_uuid}.pid` fi @@ -1790,10 +1802,10 @@ EOE; /bin/rm /var/run/suricata_{$if_real}{$suricata_uuid}.pid fi else - pid=`/bin/pgrep -f "suricata -i {$if_real} "` + pid=`/bin/pgrep -fn "suricata -i {$if_real} "` if [ ! -z \$pid ]; then /usr/bin/logger -p daemon.info -i -t SuricataStartup "Suricata STOP for {$value['descr']}({$suricata_uuid}_{$if_real})..." - /bin/pkill -TERM -f "suricata -i {$if_real} " + /bin/pkill -TERM -fn "suricata -i {$if_real} " time=0 timeout=30 while /bin/kill -TERM \$pid 2>/dev/null; do sleep 1 diff --git a/config/suricata/suricata_alerts.js b/config/suricata/suricata_alerts.js index 9e5b0b29..b6a5d3c3 100644 --- a/config/suricata/suricata_alerts.js +++ b/config/suricata/suricata_alerts.js @@ -14,9 +14,11 @@ function suricata_alerts_fetch_new_rules_callback(callback_data) { for(var x=0; x<data_split.length-1; x++) { row_split = data_split[x].split("||"); var line = ''; - line = '<td width="22%" class="listMRr" nowrap>' + row_split[0] + '<br/>' + row_split[1] + '</td>'; - line += '<td width="39%" class="listMRr">' + row_split[2] + '<br/>' + row_split[3] + '</td>'; - line += '<td width="39%" class="listMRr">' + 'Pri: ' + row_split[4] + ' ' + row_split[5] + '</td>'; + line = '<td class="listMRr">' + row_split[0] + '<br/>' + row_split[1] + '</td>'; + line += '<td class="listMRr ellipsis" nowrap><div style="display:inline;" title="'; + line += row_split[2] + '">' + row_split[2] + '</div><br/><div style="display:inline;" title="'; + line += row_split[3] + '">' + row_split[3] + '</div></td>'; + line += '<td class="listMRr">' + 'Pri: ' + row_split[4] + ' ' + row_split[5] + '</td>'; new_data_to_add[new_data_to_add.length] = line; } suricata_alerts_update_div_rows(new_data_to_add); diff --git a/config/suricata/suricata_alerts.php b/config/suricata/suricata_alerts.php index 3b135f32..99241b7e 100644 --- a/config/suricata/suricata_alerts.php +++ b/config/suricata/suricata_alerts.php @@ -121,12 +121,12 @@ function suricata_add_supplist_entry($suppress) { return false; } -if ($_POST['instance']) +if (is_numericint($_POST['instance'])) $instanceid = $_POST['instance']; -// This is for the auto-refresh so wecan stay on the same interface -if (is_numeric($_GET['instance'])) +// This is for the auto-refresh so we can stay on the same interface +if (is_numericint($_GET['instance'])) $instanceid = $_GET['instance']; -if (empty($instanceid)) +if (is_null($instanceid)) $instanceid = 0; if (!is_array($config['installedpackages']['suricata']['rule'])) @@ -186,12 +186,12 @@ if (($_POST['addsuppress_srcip'] || $_POST['addsuppress_dstip'] || $_POST['addsu $suppress = "suppress gen_id {$_POST['gen_id']}, sig_id {$_POST['sidid']}\n"; else $suppress = "#{$_POST['descr']}\nsuppress gen_id {$_POST['gen_id']}, sig_id {$_POST['sidid']}\n"; - $success = gettext("An entry for 'suppress gen_id {$_GET['gen_id']}, sig_id {$_GET['sidid']}' has been added to the Suppress List."); + $success = gettext("An entry for 'suppress gen_id {$_POST['gen_id']}, sig_id {$_POST['sidid']}' has been added to the Suppress List."); break; case "by_src": case "by_dst": // Check for valid IP addresses, exit if not valid - if (is_ipaddr($_POST['ip']) || is_ipaddrv6($_POST['ip'])) { + if (is_ipaddr($_POST['ip'])) { if (empty($_POST['descr'])) $suppress = "suppress gen_id {$_POST['gen_id']}, sig_id {$_POST['sidid']}, track {$method}, ip {$_POST['ip']}\n"; else @@ -212,6 +212,7 @@ if (($_POST['addsuppress_srcip'] || $_POST['addsuppress_dstip'] || $_POST['addsu if (suricata_add_supplist_entry($suppress)) { suricata_reload_config($a_instance[$instanceid]); $savemsg = $success; + sleep(2); } else $input_errors[] = gettext("Suppress List '{$a_instance[$instanceid]['suppresslistname']}' is defined for this interface, but it could not be found!"); @@ -269,8 +270,9 @@ if ($_POST['togglesid'] && is_numeric($_POST['sidid']) && is_numeric($_POST['gen /* Signal Suricata to live-load the new rules */ suricata_reload_config($a_instance[$instanceid]); + sleep(2); - $savemsg = gettext("The state for rule {$gid}:{$sid} has been modified. Suricata is 'live-reloading' the new rules list. Please wait at least 30 secs for the process to complete before toggling additional rules."); + $savemsg = gettext("The state for rule {$gid}:{$sid} has been modified. Suricata is 'live-reloading' the new rules list. Please wait at least 15 secs for the process to complete before toggling additional rules."); } if ($_POST['delete']) { @@ -372,7 +374,7 @@ if ($savemsg) { $selected = ""; if ($id == $instanceid) $selected = "selected"; - echo "<option value='{$id}' {$selected}> (" . convert_friendly_interface_to_friendly_descr($instance['interface']) . "){$instance['descr']}</option>\n"; + echo "<option value='{$id}' {$selected}> (" . convert_friendly_interface_to_friendly_descr($instance['interface']) . ") {$instance['descr']}</option>\n"; } ?> </select> <?php echo gettext('Choose which instance alerts you want to inspect.'); ?> @@ -380,22 +382,23 @@ if ($savemsg) { <tr> <td width="22%" class="vncell"><?php echo gettext('Save or Remove Logs'); ?></td> <td width="78%" class="vtable"> - <input name="download" type="submit" class="formbtns" value="Download"> <?php echo gettext('All ' . - 'log files will be saved.'); ?> - <input name="delete" type="submit" class="formbtns" value="Clear" - onclick="return confirm('Do you really want to remove all instance logs?');"> - <span class="red"><strong><?php echo gettext('Warning:'); ?></strong></span> <?php echo ' ' . gettext('all log files will be deleted.'); ?> + <input name="download" type="submit" class="formbtns" value="Download" + title="<?=gettext("Download interface log files as a gzip archive");?>"/> + <?php echo gettext('All log files will be saved.');?> + <input name="delete" type="submit" class="formbtns" value="Clear" + onclick="return confirm('Do you really want to remove all instance logs?')" title="<?=gettext("Clear all interface log files");?>"/> + <span class="red"><strong><?php echo gettext('Warning:'); ?></strong></span> <?php echo gettext('all log files will be deleted.'); ?> </td> </tr> <tr> <td width="22%" class="vncell"><?php echo gettext('Auto Refresh and Log View'); ?></td> <td width="78%" class="vtable"> - <input name="save" type="submit" class="formbtns" value="Save"> - <?php echo gettext('Refresh'); ?> <input name="arefresh" type="checkbox" value="on" - <?php if ($config['installedpackages']['suricata']['alertsblocks']['arefresh']=="on") echo "checked"; ?>> - <?php printf(gettext('%sDefault%s is %sON%s.'), '<strong>', '</strong>', '<strong>', '</strong>'); ?> - <input name="alertnumber" type="text" class="formfld unknown" id="alertnumber" size="5" value="<?=htmlspecialchars($anentries);?>"> - <?php printf(gettext('Enter number of log entries to view. %sDefault%s is %s250%s.'), '<strong>', '</strong>', '<strong>', '</strong>'); ?> + <input name="save" type="submit" class="formbtns" value=" Save " title="<?=gettext("Save auto-refresh and view settings");?>"/> + <?php echo gettext('Refresh');?> <input name="arefresh" type="checkbox" value="on" + <?php if ($config['installedpackages']['snortglobal']['alertsblocks']['arefresh']=="on") echo "checked"; ?>/> + <?php printf(gettext('%sDefault%s is %sON%s.'), '<strong>', '</strong>', '<strong>', '</strong>'); ?> + <input name="alertnumber" type="text" class="formfld unknown" id="alertnumber" size="5" value="<?=htmlspecialchars($anentries);?>"/> + <?php printf(gettext('Enter number of log entries to view. %sDefault%s is %s250%s.'), '<strong>', '</strong>', '<strong>', '</strong>'); ?> </td> </tr> <tr> @@ -404,31 +407,31 @@ if ($savemsg) { </tr> <tr> <td width="100%" colspan="2"> - <table id="myTable" style="table-layout: fixed;" width="100%" class="sortable" border="1" cellpadding="0" cellspacing="0"> + <table id="myTable" style="table-layout: fixed;" width="100%" class="sortable" border="0" cellpadding="0" cellspacing="0"> <colgroup> <col width="10%" align="center" axis="date"> - <col width="41" align="center" axis="number"> - <col width="64" align="center" axis="string"> + <col width="40" align="center" axis="number"> + <col width="52" align="center" axis="string"> <col width="10%" axis="string"> <col width="13%" align="center" axis="string"> - <col width="8%" align="center" axis="string"> + <col width="7%" align="center" axis="string"> <col width="13%" align="center" axis="string"> - <col width="8%" align="center" axis="string"> - <col width="9%" align="center" axis="number"> + <col width="7%" align="center" axis="string"> + <col width="10%" align="center" axis="number"> <col axis="string"> </colgroup> <thead> <tr> - <th class="listhdrr" axis="date"><?php echo gettext("DATE"); ?></th> - <th class="listhdrr" axis="number"><?php echo gettext("PRI"); ?></th> - <th class="listhdrr" axis="string"><?php echo gettext("PROTO"); ?></th> - <th class="listhdrr" axis="string"><?php echo gettext("CLASS"); ?></th> - <th class="listhdrr" axis="string"><?php echo gettext("SRC"); ?></th> - <th class="listhdrr" axis="string"><?php echo gettext("SPORT"); ?></th> - <th class="listhdrr" axis="string"><?php echo gettext("DST"); ?></th> - <th class="listhdrr" axis="string"><?php echo gettext("DPORT"); ?></th> + <th class="listhdrr" axis="date"><?php echo gettext("Date"); ?></th> + <th class="listhdrr" axis="number"><?php echo gettext("Pri"); ?></th> + <th class="listhdrr" axis="string"><?php echo gettext("Proto"); ?></th> + <th class="listhdrr" axis="string"><?php echo gettext("Class"); ?></th> + <th class="listhdrr" axis="string"><?php echo gettext("Src"); ?></th> + <th class="listhdrr" axis="string"><?php echo gettext("SPort"); ?></th> + <th class="listhdrr" axis="string"><?php echo gettext("Dst"); ?></th> + <th class="listhdrr" axis="string"><?php echo gettext("DPort"); ?></th> <th class="listhdrr" axis="number"><?php echo gettext("SID"); ?></th> - <th class="listhdrr" axis="string"><?php echo gettext("DESCRIPTION"); ?></th> + <th class="listhdrr" axis="string"><?php echo gettext("Description"); ?></th> </tr> </thead> <tbody> @@ -444,7 +447,7 @@ if (file_exists("/var/log/suricata/suricata_{$if_real}{$suricata_uuid}/alerts.lo /* File format timestamp,action,sig_generator,sig_id,sig_rev,msg,classification,priority,proto,src,srcport,dst,dstport */ $fd = fopen("/tmp/alerts_suricata{$suricata_uuid}", "r"); while (($fields = fgetcsv($fd, 1000, ',', '"')) !== FALSE) { - if(count($fields) < 12) + if(count($fields) < 13) continue; // Create a DateTime object from the event timestamp that @@ -468,7 +471,7 @@ if (file_exists("/var/log/suricata/suricata_{$if_real}{$suricata_uuid}/alerts.lo /* Protocol */ $alert_proto = $fields[8]; /* IP SRC */ - $alert_ip_src = inet_ntop(inet_pton($fields[9])); + $alert_ip_src = $fields[9]; /* Add zero-width space as soft-break opportunity after each colon if we have an IPv6 address */ $alert_ip_src = str_replace(":", ":​", $alert_ip_src); /* Add Reverse DNS lookup icons */ @@ -497,7 +500,7 @@ if (file_exists("/var/log/suricata/suricata_{$if_real}{$suricata_uuid}/alerts.lo /* IP SRC Port */ $alert_src_p = $fields[10]; /* IP Destination */ - $alert_ip_dst = inet_ntop(inet_pton($fields[11])); + $alert_ip_dst = $fields[11]; /* Add zero-width space as soft-break opportunity after each colon if we have an IPv6 address */ $alert_ip_dst = str_replace(":", ":​", $alert_ip_dst); /* Add Reverse DNS lookup icons */ @@ -520,8 +523,8 @@ if (file_exists("/var/log/suricata/suricata_{$if_real}{$suricata_uuid}/alerts.lo } /* Add icon for auto-removing from Blocked Table if required */ // if (isset($tmpblocked[$fields[11]])) { -// $alert_ip_src .= " <input type='image' name='unblock[]' onClick=\"document.getElementById('ip').value='{$fields[11]}';\" "; -// $alert_ip_src .= "title='" . gettext("Remove host from Blocked Table") . "' border='0' width='12' height='12' src=\"../themes/{$g['theme']}/images/icons/icon_x.gif\"/>"; +// $alert_ip_dst .= " <input type='image' name='unblock[]' onClick=\"document.getElementById('ip').value='{$fields[11]}';\" "; +// $alert_ip_dst .= "title='" . gettext("Remove host from Blocked Table") . "' border='0' width='12' height='12' src=\"../themes/{$g['theme']}/images/icons/icon_x.gif\"/>"; // } /* IP DST Port */ $alert_dst_p = $fields[12]; @@ -560,7 +563,7 @@ if (file_exists("/var/log/suricata/suricata_{$if_real}{$suricata_uuid}/alerts.lo <td class='listr' align='center' sorttable_customkey='{$fields[11]}'>{$alert_ip_dst}</td> <td class='listr' align='center'>{$alert_dst_p}</td> <td class='listr' align='center' sorttable_customkey='{$fields[3]}'>{$alert_sid_str}<br/>{$sidsupplink} {$sid_dsbl_link}</td> - <td class='listr' style=\"word-wrap:break-word;\">{$alert_descr}</td> + <td class='listbg' style=\"word-wrap:break-word;\">{$alert_descr}</td> </tr>\n"; $counter++; diff --git a/config/suricata/suricata_alerts.widget.php b/config/suricata/suricata_alerts.widget.php index 370c6e96..21fad03d 100644 --- a/config/suricata/suricata_alerts.widget.php +++ b/config/suricata/suricata_alerts.widget.php @@ -80,8 +80,8 @@ if (isset($_GET['getNewAlerts'])) { $suri_alerts = suricata_widget_get_alerts(); $counter = 0; foreach ($suri_alerts as $a) { - $response .= $a['instanceid'] . " " . $a['dateonly'] . "||" . $a['timeonly'] . "||" . $a['src'] . ":" . $a['srcport'] . "||"; - $response .= $a['dst'] . ":" . $a['dstport'] . "||" . $a['priority'] . "||" . $a['category'] . "\n"; + $response .= $a['instanceid'] . " " . $a['dateonly'] . "||" . $a['timeonly'] . "||" . $a['src'] . "||"; + $response .= $a['dst'] . "||" . $a['priority'] . "||" . $a['category'] . "\n"; $counter++; if($counter >= $suri_nentries) break; @@ -134,10 +134,22 @@ function suricata_widget_get_alerts() { $suricata_alerts[$counter]['timestamp'] = strval(date_timestamp_get($event_tm)); $suricata_alerts[$counter]['timeonly'] = date_format($event_tm, "H:i:s"); $suricata_alerts[$counter]['dateonly'] = date_format($event_tm, "M d"); - $suricata_alerts[$counter]['src'] = $fields[9]; - $suricata_alerts[$counter]['srcport'] = $fields[10]; - $suricata_alerts[$counter]['dst'] = $fields[11]; - $suricata_alerts[$counter]['dstport'] = $fields[12]; + // Add square brackets around any IPv6 address + if (is_ipaddrv6($fields[9])) + $suricata_alerts[$counter]['src'] = "[" . $fields[9] . "]"; + else + $suricata_alerts[$counter]['src'] = $fields[9]; + // Add the SRC PORT if not null + if (!empty($fields[10])) + $suricata_alerts[$counter]['src'] .= ":" . $fields[10]; + // Add square brackets around any IPv6 address + if (is_ipaddrv6($fields[11])) + $suricata_alerts[$counter]['dst'] = "[" . $fields[11] . "]"; + else + $suricata_alerts[$counter]['dst'] = $fields[11]; + // Add the SRC PORT if not null + if (!empty($fields[12])) + $suricata_alerts[$counter]['dst'] .= ":" . $fields[12]; $suricata_alerts[$counter]['priority'] = $fields[7]; $suricata_alerts[$counter]['category'] = $fields[6]; $counter++; @@ -161,13 +173,6 @@ function suricata_widget_get_alerts() { /* display the result */ ?> -<script type="text/javascript"> -//<![CDATA[ -var suricataupdateDelay = 10000; // update every 10 second -var suri_nentries = <?php echo $suri_nentries; ?>; -//]]> -</script> - <input type="hidden" id="suricata_alerts-config" name="suricata_alerts-config" value=""/> <div id="suricata_alerts-settings" class="widgetconfigdiv" style="display:none;"> <form action="/widgets/widgets/suricata_alerts.widget.php" method="post" name="iformd"> @@ -177,12 +182,17 @@ var suri_nentries = <?php echo $suri_nentries; ?>; </form> </div> -<table width="100%" border="0" cellspacing="0" cellpadding="0"> +<table width="100%" border="0" cellspacing="0" cellpadding="0" style="table-layout: fixed;"> + <colgroup> + <col style="width: 24%;" /> + <col style="width: 38%;" /> + <col style="width: 38%;" /> + </colgroup> <thead> - <tr class="suricata-alert-header"> - <td width="22%" class="widgetsubheader" align="center">IF/Date</td> - <td width="39%" class="widgetsubheader" align="center">Src/Dst</td> - <td width="39%" class="widgetsubheader" align="center">Details</td> + <tr> + <th class="listhdrr"><?=gettext("IF/Date");?></th> + <th class="listhdrr"><?=gettext("Src/Dst Address");?></th> + <th class="listhdrr"><?=gettext("Classification");?></th> </tr> </thead> <tbody id="suricata-alert-entries"> @@ -193,9 +203,9 @@ var suri_nentries = <?php echo $suri_nentries; ?>; foreach ($suricata_alerts as $alert) { $evenRowClass = $counter % 2 ? " listMReven" : " listMRodd"; echo(" <tr class='" . $evenRowClass . "'> - <td width='22%' class='listMRr' nowrap>" . $alert['instanceid'] . " " . $alert['dateonly'] . "<br/>" . $alert['timeonly'] . "</td> - <td width='39%' class='listMRr'>" . $alert['src'] . ":" . $alert['srcport'] . "<br>" . $alert['dst'] . ":" . $alert['dstport'] . "</td> - <td width='39%' class='listMRr'>Pri: " . $alert['priority'] . " " . $alert['category'] . "</td></tr>"); + <td class='listMRr'>" . $alert['instanceid'] . " " . $alert['dateonly'] . "<br/>" . $alert['timeonly'] . "</td> + <td class='listMRr ellipsis' nowrap><div style='display:inline;' title='" . $alert['src'] . "'>" . $alert['src'] . "</div><br/><div style='display:inline;' title='" . $alert['dst'] . "'>" . $alert['dst'] . "</div></td> + <td class='listMRr'>Pri: " . $alert['priority'] . " " . $alert['category'] . "</td></tr>"); $counter++; if($counter >= $suri_nentries) break; @@ -211,7 +221,6 @@ var suri_nentries = <?php echo $suri_nentries; ?>; var suri_nentries = <?php echo $suri_nentries; ?>; // default is 5 <!-- needed to display the widget settings menu --> -//<![CDATA[ selectIntLink = "suricata_alerts-configure"; textlink = document.getElementById(selectIntLink); textlink.style.display = "inline"; diff --git a/config/suricata/suricata_barnyard.php b/config/suricata/suricata_barnyard.php index e1ae892e..e71dc261 100644 --- a/config/suricata/suricata_barnyard.php +++ b/config/suricata/suricata_barnyard.php @@ -55,6 +55,8 @@ if (isset($id) && $a_nat[$id]) { $pconfig['barnyard_dbpwd'] = base64_decode($a_nat[$id]['barnyard_dbpwd']); if (empty($a_nat[$id]['barnyard_show_year'])) $pconfig['barnyard_show_year'] = "on"; + if (empty($a_nat[$id]['unified2_log_limit'])) + $pconfig['unified2_log_limit'] = "32"; if (empty($a_nat[$id]['barnyard_archive_enable'])) $pconfig['barnyard_archive_enable'] = "on"; if (empty($a_nat[$id]['barnyard_obfuscate_ip'])) @@ -71,6 +73,8 @@ if (isset($id) && $a_nat[$id]) { $pconfig['barnyard_syslog_priority'] = "LOG_INFO"; if (empty($a_nat[$id]['barnyard_bro_ids_dport'])) $pconfig['barnyard_bro_ids_dport'] = "47760"; + if (empty($a_nat[$id]['barnyard_sensor_id'])) + $pconfig['barnyard_sensor_id'] = "0"; if (empty($a_nat[$id]['barnyard_sensor_name'])) $pconfig['barnyard_sensor_name'] = php_uname("n"); } @@ -81,6 +85,18 @@ if ($_POST['save']) { $_POST['barnyard_bro_ids_enable'] != 'on' && $_POST['barnyard_enable'] == "on") $input_errors[] = gettext("You must enable at least one output option when using Barnyard2."); + // Validate unified2 log file limit + if ($_POST['barnyard_enable'] == 'on') { + if (!is_numericint($_POST['unified2_log_limit']) || $_POST['unified2_log_limit'] < 1) + $input_errors[] = gettext("The value for 'Unified2 Log Limit' must be a valid integer greater than zero."); + } + + // Validate Sensor ID is a valid integer + if ($_POST['barnyard_enable'] == 'on') { + if (!is_numericint($_POST['barnyard_sensor_id']) || $_POST['barnyard_sensor_id'] < 0) + $input_errors[] = gettext("The value for 'Sensor ID' must be a valid positive integer."); + } + // Validate inputs if MySQL database loggging enabled if ($_POST['barnyard_mysql_enable'] == 'on' && $_POST['barnyard_enable'] == "on") { if (empty($_POST['barnyard_dbhost'])) @@ -126,7 +142,9 @@ if ($_POST['save']) { $natent['barnyard_syslog_opmode'] = $_POST['barnyard_syslog_opmode']; $natent['barnyard_syslog_proto'] = $_POST['barnyard_syslog_proto']; + if ($_POST['barnyard_sensor_id']) $natent['barnyard_sensor_id'] = $_POST['barnyard_sensor_id']; else $natent['barnyard_sensor_id'] = '0'; if ($_POST['barnyard_sensor_name']) $natent['barnyard_sensor_name'] = $_POST['barnyard_sensor_name']; else unset($natent['barnyard_sensor_name']); + if ($_POST['unified2_log_limit']) $natent['unified2_log_limit'] = $_POST['unified2_log_limit']; else unset($natent['unified2_log_limit']); if ($_POST['barnyard_dbhost']) $natent['barnyard_dbhost'] = $_POST['barnyard_dbhost']; else unset($natent['barnyard_dbhost']); if ($_POST['barnyard_dbname']) $natent['barnyard_dbname'] = $_POST['barnyard_dbname']; else unset($natent['barnyard_dbname']); if ($_POST['barnyard_dbuser']) $natent['barnyard_dbuser'] = $_POST['barnyard_dbuser']; else unset($natent['barnyard_dbuser']); @@ -266,6 +284,15 @@ include_once("head.inc"); </td> </tr> <tr> + <td width="22%" valign="top" class="vncell"><?php echo gettext("Unified2 Log Limit"); ?></td> + <td width="78%" class="vtable"> + <input name="unified2_log_limit" type="text" class="formfld unknown" + id="unified2_log_limit" size="25" value="<?=htmlspecialchars($pconfig['unified2_log_limit']);?>"/> + <?php echo gettext("Log file size limit in megabytes (MB). Default is "); ?><strong><?=gettext("32 MB.");?></strong><br/> + <?php echo gettext("This sets the maximum size for a unified2 log file before it is rotated and a new one created."); ?> + </td> + </tr> + <tr> <td width="22%" valign="top" class="vncell"><?php echo gettext("Archive Unified2 Logs"); ?></td> <td width="78%" class="vtable"> <input name="barnyard_archive_enable" type="checkbox" value="on" <?php if ($pconfig['barnyard_archive_enable'] == "on") echo "checked"; ?>/> @@ -287,11 +314,19 @@ include_once("head.inc"); <?php echo gettext("Enable obfuscation of logged IP addresses. Default value is ") . "<strong>" . gettext("Not Checked") . "</strong>"; ?> </td> <tr> + <td width="22%" valign="top" class="vncell"><?php echo gettext("Sensor ID"); ?></td> + <td width="78%" class="vtable"> + <input name="barnyard_sensor_id" type="text" class="formfld unknown" + id="barnyard_sensor_id" size="25" value="<?=htmlspecialchars($pconfig['barnyard_sensor_id']);?>"/> + <?php echo gettext("Sensor ID to use for this sensor. Default is ") . "<strong>" . gettext("0.") . "</strong>"; ?> + </td> + </tr> + <tr> <td width="22%" valign="top" class="vncell"><?php echo gettext("Sensor Name"); ?></td> <td width="78%" class="vtable"> <input name="barnyard_sensor_name" type="text" class="formfld unknown" id="barnyard_sensor_name" size="25" value="<?=htmlspecialchars($pconfig['barnyard_sensor_name']);?>"/> - <?php echo gettext("Unique name to use for this sensor."); ?> + <?php echo gettext("Unique name to use for this sensor. (Optional)"); ?> </td> </tr> <tr> @@ -555,10 +590,12 @@ function enable_change(enable_change) { endis = !(document.iform.barnyard_enable.checked || enable_change); // make sure a default answer is called if this is invoked. endis2 = (document.iform.barnyard_enable); + document.iform.unified2_log_limit.disabled = endis; document.iform.barnyard_archive_enable.disabled = endis; document.iform.barnyard_show_year.disabled = endis; document.iform.barnyard_dump_payload.disabled = endis; document.iform.barnyard_obfuscate_ip.disabled = endis; + document.iform.barnyard_sensor_id.disabled = endis; document.iform.barnyard_sensor_name.disabled = endis; document.iform.barnyard_mysql_enable.disabled = endis; document.iform.barnyard_dbhost.disabled = endis; diff --git a/config/suricata/suricata_check_for_rule_updates.php b/config/suricata/suricata_check_for_rule_updates.php index 3cf6b84b..867a7efe 100644 --- a/config/suricata/suricata_check_for_rule_updates.php +++ b/config/suricata/suricata_check_for_rule_updates.php @@ -29,6 +29,7 @@ require_once("functions.inc"); require_once("service-utils.inc"); +require_once("guiconfig.inc"); require_once("/usr/local/pkg/suricata/suricata.inc"); global $g, $pkg_interface, $suricata_gui_include, $rebuild_rules; @@ -95,6 +96,9 @@ $snort_community_rules_filename = GPLV2_DNLD_FILENAME; $snort_community_rules_filename_md5 = GPLV2_DNLD_FILENAME . ".md5"; $snort_community_rules_url = GPLV2_DNLD_URL; +/* Mount the Suricata conf directories R/W so we can modify files there */ +conf_mount_rw(); + /* Set up Emerging Threats rules filenames and URL */ if ($etpro == "on") { $emergingthreats_filename = ETPRO_DNLD_FILENAME; @@ -137,24 +141,12 @@ function suricata_download_file_url($url, $file_out) { /* It provides logging of returned CURL errors. */ /************************************************/ - global $g, $config, $pkg_interface, $last_curl_error, $fout, $ch, $file_size, $downloaded, $first_progress_update; + global $g, $config, $pkg_interface, $last_curl_error, $fout, $ch, $file_size, $downloaded, $first_progress_update, $rfc2616; // Initialize required variables for the pfSense "read_body()" function $file_size = 1; $downloaded = 1; $first_progress_update = TRUE; - - - // Array of message strings for HTTP Response Codes - $http_resp_msg = array( 200 => "OK", 202 => "Accepted", 204 => "No Content", 205 => "Reset Content", - 206 => "Partial Content", 301 => "Moved Permanently", 302 => "Found", - 305 => "Use Proxy", 307 => "Temporary Redirect", 400 => "Bad Request", - 401 => "Unauthorized", 402 => "Payment Required", 403 => "Forbidden", - 404 => "Not Found", 405 => "Method Not Allowed", 407 => "Proxy Authentication Required", - 408 => "Request Timeout", 410 => "Gone", 500 => "Internal Server Error", - 501 => "Not Implemented", 502 => "Bad Gateway", 503 => "Service Unavailable", - 504 => "Gateway Timeout", 505 => "HTTP Version Not Supported" ); - $last_curl_error = ""; $fout = fopen($file_out, "wb"); @@ -204,8 +196,8 @@ function suricata_download_file_url($url, $file_out) { if ($rc === false) $last_curl_error = curl_error($ch); $http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE); - if (isset($http_resp_msg[$http_code])) - $last_curl_error = $http_resp_msg[$http_code]; + if (is_rfc2616_code($http_code)) + $last_curl_error = $rfc2616[$http_code]; curl_close($ch); fclose($fout); @@ -239,7 +231,7 @@ function suricata_check_rule_md5($file_url, $file_dst, $desc = "") { /* error occurred. */ /**********************************************************/ - global $pkg_interface, $suricata_rules_upd_log, $last_curl_error; + global $pkg_interface, $suricata_rules_upd_log, $last_curl_error, $update_errors; $suricatadir = SURICATADIR; $filename_md5 = basename($file_dst); @@ -284,6 +276,7 @@ function suricata_check_rule_md5($file_url, $file_dst, $desc = "") { if ($pkg_interface == "console") error_log(gettext("\tServer error message was: {$last_curl_error}\n"), 3, $suricata_rules_upd_log); error_log(gettext("\t{$desc} will not be updated.\n"), 3, $suricata_rules_upd_log); + $update_errors = true; return false; } } @@ -307,7 +300,7 @@ function suricata_fetch_new_rules($file_url, $file_dst, $file_md5, $desc = "") { /* FALSE if download was not successful. */ /**********************************************************/ - global $pkg_interface, $suricata_rules_upd_log, $last_curl_error; + global $pkg_interface, $suricata_rules_upd_log, $last_curl_error, $update_errors; $suricatadir = SURICATADIR; $filename = basename($file_dst); @@ -337,6 +330,7 @@ function suricata_fetch_new_rules($file_url, $file_dst, $file_md5, $desc = "") { error_log(gettext("\tDownloaded {$desc} file MD5: " . md5_file($file_dst) . "\n"), 3, $suricata_rules_upd_log); error_log(gettext("\tExpected {$desc} file MD5: {$file_md5}\n"), 3, $suricata_rules_upd_log); error_log(gettext("\t{$desc} file download failed. {$desc} will not be updated.\n"), 3, $suricata_rules_upd_log); + $update_errors = true; return false; } return true; @@ -349,13 +343,13 @@ function suricata_fetch_new_rules($file_url, $file_dst, $file_md5, $desc = "") { if ($pkg_interface == "console") error_log(gettext("\tThe error text was: {$last_curl_error}\n"), 3, $suricata_rules_upd_log); error_log(gettext("\t{$desc} will not be updated.\n"), 3, $suricata_rules_upd_log); + $update_errors = true; return false; } } /* Start of main code */ -conf_mount_rw(); /* remove old $tmpfname files if present */ if (is_dir("{$tmpfname}")) @@ -375,6 +369,7 @@ if (file_exists($suricata_rules_upd_log)) { /* Log start time for this rules update */ error_log(gettext("Starting rules update... Time: " . date("Y-m-d H:i:s") . "\n"), 3, $suricata_rules_upd_log); $last_curl_error = ""; +$update_errors = false; /* Check for and download any new Emerging Threats Rules sigs */ if ($emergingthreats == 'on') { @@ -426,10 +421,10 @@ if ($emergingthreats == 'on') { /* Remove the old Emerging Threats rules files */ $eto_prefix = ET_OPEN_FILE_PREFIX; $etpro_prefix = ET_PRO_FILE_PREFIX; - array_map('unlink', glob("{$suricatadir}rules/{$eto_prefix}*.rules")); - array_map('unlink', glob("{$suricatadir}rules/{$etpro_prefix}*.rules")); - array_map('unlink', glob("{$suricatadir}rules/{$eto_prefix}*ips.txt")); - array_map('unlink', glob("{$suricatadir}rules/{$etpro_prefix}*ips.txt")); + unlink_if_exists("{$suricatadir}rules/{$eto_prefix}*.rules"); + unlink_if_exists("{$suricatadir}rules/{$etpro_prefix}*.rules"); + unlink_if_exists("{$suricatadir}rules/{$eto_prefix}*ips.txt"); + unlink_if_exists("{$suricatadir}rules/{$etpro_prefix}*ips.txt"); // The code below renames ET files with a prefix, so we // skip renaming the Suricata default events rule files @@ -488,7 +483,7 @@ if ($snortdownload == 'on') { if (file_exists("{$tmpfname}/{$snort_filename}")) { /* Remove the old Snort rules files */ $vrt_prefix = VRT_FILE_PREFIX; - array_map('unlink', glob("{$suricatadir}rules/{$vrt_prefix}*.rules")); + unlink_if_exists("{$suricatadir}rules/{$vrt_prefix}*.rules"); if ($pkg_interface <> "console") { update_status(gettext("Extracting Snort VRT rules...")); @@ -715,4 +710,12 @@ conf_mount_ro(); // Restore the state of $pkg_interface $pkg_interface = $pkg_interface_orig; +/* Save this update status to the configuration file */ +if ($update_errors) + $config['installedpackages']['suricata']['config'][0]['last_rule_upd_status'] = gettext("failed"); +else + $config['installedpackages']['suricata']['config'][0]['last_rule_upd_status'] = gettext("success"); +$config['installedpackages']['suricata']['config'][0]['last_rule_upd_time'] = time(); +write_config(); + ?> diff --git a/config/suricata/suricata_download_updates.php b/config/suricata/suricata_download_updates.php index 46030bd0..bae467e4 100644 --- a/config/suricata/suricata_download_updates.php +++ b/config/suricata/suricata_download_updates.php @@ -40,6 +40,16 @@ $emergingthreats = $config['installedpackages']['suricata']['config'][0]['enable $etpro = $config['installedpackages']['suricata']['config'][0]['enable_etpro_rules']; $snortcommunityrules = $config['installedpackages']['suricata']['config'][0]['snortcommunityrules']; +/* Get last update information if available */ +if (!empty($config['installedpackages']['suricata']['config'][0]['last_rule_upd_time'])) + $last_rule_upd_time = date('M-d Y H:i', $config['installedpackages']['suricata']['config'][0]['last_rule_upd_time']); +else + $last_rule_upd_time = gettext("Unknown"); +if (!empty($config['installedpackages']['suricata']['config'][0]['last_rule_upd_status'])) + $last_rule_upd_status = htmlspecialchars($config['installedpackages']['suricata']['config'][0]['last_rule_upd_status']); +else + $last_rule_upd_status = gettext("Unknown"); + $snort_rules_file = VRT_DNLD_FILENAME; $snort_community_rules_filename = GPLV2_DNLD_FILENAME; @@ -211,6 +221,22 @@ include_once("head.inc"); </tr> <tr> <td align="center"> + <table width="45%" border="0" cellpadding="0" cellspacing="0"> + <tbody> + <tr> + <td class="list" align="right"><strong><?php echo gettext("Last Update:");?></strong></td> + <td class="list" align="left"><?php echo $last_rule_upd_time;?></td> + </tr> + <tr> + <td class="list" align="right"><strong><?php echo gettext("Result:");?></strong></td> + <td class="list" align="left"><?php echo $last_rule_upd_status;?></td> + </tr> + </tbody> + </table> + </td> + </tr> + <tr> + <td align="center"> <?php if ($snortdownload != 'on' && $emergingthreats != 'on' && $etpro != 'on'): ?> <br/><button disabled="disabled"><?=gettext("Check");?></button> <button disabled="disabled"><?=gettext("Force");?></button> @@ -226,7 +252,7 @@ include_once("head.inc"); title="<?php echo gettext("Check for new updates to enabled rule sets"); ?>"/> <input type="submit" value="<?=gettext("Force");?>" name="force" id="force" class="formbtn" title="<?=gettext("Force an update of all enabled rule sets");?>" - onclick="return confirm('<?=gettext("This will zero-out the MD5 hashes to force a fresh download of enabled rule sets. Click OK to continue or CANCEL to quit");?>');"/> + onclick="return confirm('<?=gettext("This will zero-out the MD5 hashes to force a fresh download of all enabled rule sets. Click OK to continue or CANCEL to quit");?>');"/> <br/><br/> <?php endif; ?> </td> diff --git a/config/suricata/suricata_generate_yaml.php b/config/suricata/suricata_generate_yaml.php index 0614adf8..115f0045 100644 --- a/config/suricata/suricata_generate_yaml.php +++ b/config/suricata/suricata_generate_yaml.php @@ -226,6 +226,16 @@ if ($suricatacfg['barnyard_enable'] == 'on') else $barnyard2_enabled = "no"; +if (isset($suricatacfg['unified2_log_limit'])) + $unified2_log_limit = "{$suricatacfg['unified2_log_limit']}mb"; +else + $unified2_log_limit = "32mb"; + +if (isset($suricatacfg['barnyard_sensor_id'])) + $unified2_sensor_id = $suricatacfg['barnyard_sensor_id']; +else + $unified2_sensor_id = "0"; + // Add interface-specific IP defrag settings if (!empty($suricatacfg['frag_memcap'])) $frag_memcap = $suricatacfg['frag_memcap']; diff --git a/config/suricata/suricata_interfaces.php b/config/suricata/suricata_interfaces.php index 50ca99c1..5e5d8c44 100644 --- a/config/suricata/suricata_interfaces.php +++ b/config/suricata/suricata_interfaces.php @@ -190,7 +190,7 @@ include_once("head.inc"); <th class="list"> </th> <th class="listhdrr"><?php echo gettext("Interface"); ?></th> <th class="listhdrr"><?php echo gettext("Suricata"); ?></th> - <th class="listhdrr"><?php echo gettext("Pattern Matcher"); ?></th> + <th class="listhdrr"><?php echo gettext("Pattern Match"); ?></th> <th class="listhdrr"><?php echo gettext("Block"); ?></th> <th class="listhdrr"><?php echo gettext("Barnyard2"); ?></th> <th class="listhdr"><?php echo gettext("Description"); ?></th> diff --git a/config/suricata/suricata_interfaces_edit.php b/config/suricata/suricata_interfaces_edit.php index d7b5a8cb..389566a2 100644 --- a/config/suricata/suricata_interfaces_edit.php +++ b/config/suricata/suricata_interfaces_edit.php @@ -40,10 +40,11 @@ if (!is_array($config['installedpackages']['suricata']['rule'])) $config['installedpackages']['suricata']['rule'] = array(); $a_rule = &$config['installedpackages']['suricata']['rule']; -if ($_GET['id']); - $id = htmlspecialchars($_GET['id'], ENT_QUOTES | ENT_HTML401); if ($_POST['id']) $id = $_POST['id']; +elseif ($_GET['id']); + $id = htmlspecialchars($_GET['id'], ENT_QUOTES | ENT_HTML401); + if (is_null($id)) $id = 0; @@ -71,8 +72,8 @@ if (isset($id) && $a_rule[$id]) { if (empty($pconfig['uuid'])) $pconfig['uuid'] = $suricata_uuid; } -// Must be a new interface, so try to pick next available physical interface to use elseif (isset($id) && !isset($a_rule[$id])) { + // Must be a new interface, so try to pick next available physical interface to use $ifaces = get_configured_interface_list(); $ifrules = array(); foreach($a_rule as $r) @@ -95,8 +96,6 @@ if (empty($pconfig['blockoffendersip'])) $pconfig['blockoffendersip'] = "both"; if (empty($pconfig['max_pending_packets'])) $pconfig['max_pending_packets'] = "1024"; -if (empty($pconfig['inspect_recursion_limit'])) - $pconfig['inspect_recursion_limit'] = "3000"; if (empty($pconfig['detect_eng_profile'])) $pconfig['detect_eng_profile'] = "medium"; if (empty($pconfig['mpm_algo'])) @@ -127,17 +126,49 @@ if (empty($pconfig['max_pcap_log_files'])) $pconfig['max_pcap_log_files'] = "1000"; if ($_POST["save"]) { - if (!$_POST['interface']) + // If the interface is not enabled, stop any running Suricata + // instance on it, save the new state and exit. + if (!isset($_POST['enable'])) { + if (isset($id) && $a_rule[$id]) { + $a_rule[$id]['enable'] = 'off'; + $a_rule[$id]['interface'] = htmlspecialchars($_POST['interface']); + $a_rule[$id]['descr'] = htmlspecialchars($_POST['descr']); + suricata_stop($a_rule[$id], get_real_interface($a_rule[$id]['interface'])); + + // Save configuration changes + write_config(); + + // Update suricata.conf and suricata.sh files for this interface + sync_suricata_package_config(); + + header( 'Expires: Sat, 26 Jul 1997 05:00:00 GMT' ); + header( 'Last-Modified: ' . gmdate( 'D, d M Y H:i:s' ) . ' GMT' ); + header( 'Cache-Control: no-store, no-cache, must-revalidate' ); + header( 'Cache-Control: post-check=0, pre-check=0', false ); + header( 'Pragma: no-cache' ); + header("Location: /suricata/suricata_interfaces.php"); + exit; + } + } + + // Validate inputs + if (!isset($_POST['interface'])) $input_errors[] = gettext("Choosing an Interface is mandatory!"); + if (isset($_POST['stats_upd_interval']) && !is_numericint($_POST['stats_upd_interval'])) + $input_errors[] = gettext("The value for Stats Update Interval must contain only digits and evaluate to an integer."); + if ($_POST['max_pending_packets'] < 1 || $_POST['max_pending_packets'] > 65000) $input_errors[] = gettext("The value for Maximum-Pending-Packets must be between 1 and 65,000!"); - if (!empty($_POST['max_pcap_log_size']) && !is_numeric($_POST['max_pcap_log_size'])) + if (isset($_POST['max_pcap_log_size']) && !is_numeric($_POST['max_pcap_log_size'])) $input_errors[] = gettext("The value for 'Max Packet Log Size' must be numbers only. Do not include any alphabetic characters."); - if (!empty($_POST['max_pcap_log_files']) && !is_numeric($_POST['max_pcap_log_files'])) - $input_errors[] = gettext("The value for 'Max Packet Log Files' must be numbers only."); + if (isset($_POST['max_pcap_log_files']) && !is_numeric($_POST['max_pcap_log_files'])) + $input_errors[] = gettext("The value for 'Max Packet Log Files' must be numbers only."); + + if (!empty($_POST['inspect_recursion_limit']) && !is_numeric($_POST['inspect_recursion_limit'])) + $input_errors[] = gettext("The value for Inspect Recursion Limit can either be blank or contain only digits evaluating to an integer greater than or equal to 0."); // if no errors write to suricata.yaml if (!$input_errors) { @@ -146,12 +177,12 @@ if ($_POST["save"]) { $natent['enable'] = $_POST['enable'] ? 'on' : 'off'; $natent['uuid'] = $pconfig['uuid']; - if ($_POST['descr']) $natent['descr'] = $_POST['descr']; else $natent['descr'] = strtoupper($natent['interface']); + if ($_POST['descr']) $natent['descr'] = htmlspecialchars($_POST['descr']); else $natent['descr'] = strtoupper($natent['interface']); if ($_POST['max_pcap_log_size']) $natent['max_pcap_log_size'] = $_POST['max_pcap_log_size']; else unset($natent['max_pcap_log_size']); if ($_POST['max_pcap_log_files']) $natent['max_pcap_log_files'] = $_POST['max_pcap_log_files']; else unset($natent['max_pcap_log_files']); if ($_POST['enable_stats_log'] == "on") { $natent['enable_stats_log'] = 'on'; }else{ $natent['enable_stats_log'] = 'off'; } if ($_POST['append_stats_log'] == "on") { $natent['append_stats_log'] = 'on'; }else{ $natent['append_stats_log'] = 'off'; } - if ($_POST['stats_upd_interval']) $natent['stats_upd_interval'] = $_POST['stats_upd_interval']; else $natent['stats_upd_interval'] = "10"; + if ($_POST['stats_upd_interval'] >= 1) $natent['stats_upd_interval'] = $_POST['stats_upd_interval']; else $natent['stats_upd_interval'] = "10"; if ($_POST['enable_http_log'] == "on") { $natent['enable_http_log'] = 'on'; }else{ $natent['enable_http_log'] = 'off'; } if ($_POST['append_http_log'] == "on") { $natent['append_http_log'] = 'on'; }else{ $natent['append_http_log'] = 'off'; } if ($_POST['enable_tls_log'] == "on") { $natent['enable_tls_log'] = 'on'; }else{ $natent['enable_tls_log'] = 'off'; } @@ -163,7 +194,7 @@ if ($_POST["save"]) { if ($_POST['enable_tracked_files_md5'] == "on") { $natent['enable_tracked_files_md5'] = 'on'; }else{ $natent['enable_tracked_files_md5'] = 'off'; } if ($_POST['enable_file_store'] == "on") { $natent['enable_file_store'] = 'on'; }else{ $natent['enable_file_store'] = 'off'; } if ($_POST['max_pending_packets']) $natent['max_pending_packets'] = $_POST['max_pending_packets']; else unset($natent['max_pending_packets']); - if ($_POST['inspect_recursion_limit']) $natent['inspect_recursion_limit'] = $_POST['inspect_recursion_limit']; else unset($natent['inspect_recursion_limit']); + if ($_POST['inspect_recursion_limit'] >= '0') $natent['inspect_recursion_limit'] = $_POST['inspect_recursion_limit']; else unset($natent['inspect_recursion_limit']); if ($_POST['detect_eng_profile']) $natent['detect_eng_profile'] = $_POST['detect_eng_profile']; else unset($natent['detect_eng_profile']); if ($_POST['mpm_algo']) $natent['mpm_algo'] = $_POST['mpm_algo']; else unset($natent['mpm_algo']); if ($_POST['sgh_mpm_context']) $natent['sgh_mpm_context'] = $_POST['sgh_mpm_context']; else unset($natent['sgh_mpm_context']); @@ -347,7 +378,7 @@ if ($savemsg) { <td width="22%" valign="top" class="vncellreq"><?php echo gettext("Description"); ?></td> <td width="78%" class="vtable"><input name="descr" type="text" class="formfld unknown" id="descr" size="40" value="<?=htmlspecialchars($pconfig['descr']); ?>"/> <br/> - <span class="vexpl"><?php echo gettext("Enter a meaningful description here for your reference."); ?></span><br/></td> + <span class="vexpl"><?php echo gettext("Enter a meaningful description here for your reference. The default is the interface name."); ?></span><br/></td> </tr> <tr> <td colspan="2" class="listtopic"><?php echo gettext("Logging Settings"); ?></td> @@ -859,6 +890,7 @@ function viewList(id, elemID, elemType) { } var url = "suricata_list_view.php?id=" + id + "&wlist="; url = url + getSelectedValue(elemID) + "&type=" + elemType; + url = url + "&time=" + new Date().getTime(); wopen(url, 'WhitelistViewer', 640, 480); } diff --git a/config/suricata/suricata_logs_browser.php b/config/suricata/suricata_logs_browser.php index 9fc24927..f9c34ed0 100644 --- a/config/suricata/suricata_logs_browser.php +++ b/config/suricata/suricata_logs_browser.php @@ -150,7 +150,7 @@ if ($input_errors) { $selected = ""; if ($id == $instanceid) $selected = "selected"; - echo "<option value='{$id}' {$selected}> (" . convert_friendly_interface_to_friendly_descr($instance['interface']) . "){$instance['descr']}</option>\n"; + echo "<option value='{$id}' {$selected}> (" . convert_friendly_interface_to_friendly_descr($instance['interface']) . ") {$instance['descr']}</option>\n"; } ?> </select> <?php echo gettext('Choose which instance logs you want to view.'); ?> diff --git a/config/suricata/suricata_rules.php b/config/suricata/suricata_rules.php index 1a0c54b5..567c29ea 100644 --- a/config/suricata/suricata_rules.php +++ b/config/suricata/suricata_rules.php @@ -40,10 +40,11 @@ if (!is_array($config['installedpackages']['suricata']['rule'])) $config['installedpackages']['suricata']['rule'] = array(); $a_rule = &$config['installedpackages']['suricata']['rule']; -if ($_GET['id']) - $id = $_GET['id']; -if ($_POST['id']) +if (isset($_POST['id'])) $id = $_POST['id']; +elseif (isset($_GET['id']) && is_numericint($_GET['id'])) + $id = htmlspecialchars($_GET['id']); + if (is_null($id)) { $id = 0; } @@ -95,6 +96,10 @@ $emergingdownload = $config['installedpackages']['suricata']['config'][0]['enabl $etpro = $config['installedpackages']['suricata']['config'][0]['enable_etpro_rules']; $categories = explode("||", $pconfig['rulesets']); +// Add any previously saved rules files to the categories array +if (!empty($pconfig['rulesets'])) + $categories = explode("||", $pconfig['rulesets']); + if ($_GET['openruleset']) $currentruleset = htmlspecialchars($_GET['openruleset'], ENT_QUOTES | ENT_HTML401); elseif ($_POST['selectbox']) @@ -463,7 +468,7 @@ if ($savemsg) { <td rowspan="5" width="48%" valign="middle"><input type="submit" name="apply" id="apply" value="<?php echo gettext("Apply"); ?>" class="formbtn" title="<?php echo gettext("Click to rebuild the rules with your changes"); ?>"/><br/><br/> <span class="vexpl"><span class="red"><strong><?php echo gettext("Note: ") . "</strong></span>" . - gettext("Suricata must be restarted to activate any SID enable/disable changes made on this tab."); ?></span></td> + gettext("When finished, click APPLY to send any SID enable/disable changes made on this tab to the running Suricata process."); ?></span></td> <td class="vexpl" valign="middle"><?php echo "<input type='image' name='resetcategory[]' src=\"../themes/{$g['theme']}/images/icons/icon_x.gif\" width=\"15\" height=\"15\" onmouseout='this.src=\"../themes/{$g['theme']}/images/icons/icon_x.gif\"' @@ -525,14 +530,14 @@ if ($savemsg) { <td> <table id="myTable" class="sortable" style="table-layout: fixed;" width="100%" border="0" cellpadding="0" cellspacing="0"> <colgroup> - <col width="20" align="left" valign="middle"> + <col width="14" align="left" valign="middle"> <col width="6%" align="center" axis="number"> - <col width="8%" align="center" axis="number"> + <col width="9%" align="center" axis="number"> <col width="52" align="center" axis="string"> - <col width="12%" align="center" axis="string"> - <col width="9%" align="center" axis="string"> - <col width="12%" align="center" axis="string"> - <col width="9%" align="center" axis="string"> + <col width="14%" align="center" axis="string"> + <col width="10%" align="center" axis="string"> + <col width="14%" align="center" axis="string"> + <col width="10%" align="center" axis="string"> <col axis="string"> </colgroup> <thead> @@ -542,9 +547,9 @@ if ($savemsg) { <th class="listhdrr"><?php echo gettext("SID"); ?></th> <th class="listhdrr"><?php echo gettext("Proto"); ?></th> <th class="listhdrr"><?php echo gettext("Source"); ?></th> - <th class="listhdrr"><?php echo gettext("Port"); ?></th> + <th class="listhdrr"><?php echo gettext("SPort"); ?></th> <th class="listhdrr"><?php echo gettext("Destination"); ?></th> - <th class="listhdrr"><?php echo gettext("Port"); ?></th> + <th class="listhdrr"><?php echo gettext("DPort"); ?></th> <th class="listhdrr"><?php echo gettext("Message"); ?></th> </tr> </thead> @@ -604,36 +609,36 @@ if ($savemsg) { $message = suricata_get_msg($v['rule']); $sid_tooltip = gettext("View the raw text for this rule"); - echo "<tr><td class=\"listt\" align=\"left\" valign=\"middle\" sorttable_customkey=\"\">{$textss} - <input type=\"image\" onClick=\"document.getElementById('sid').value='{$sid}'; + echo "<tr><td class=\"listt\" align=\"left\" valign=\"middle\" sorttable_customkey=\"\">{$textss} + <a id=\"rule_{$gid}_{$sid}\" href='#'><input type=\"image\" onClick=\"document.getElementById('sid').value='{$sid}'; document.getElementById('gid').value='{$gid}';\" src=\"../themes/{$g['theme']}/images/icons/{$iconb}\" width=\"11\" height=\"11\" border=\"0\" - title='{$title}' name=\"toggle[]\"/>{$textse} + title='{$title}' name=\"toggle[]\"/></a>{$textse} </td> - <td class=\"listlr\" align=\"center\" style=\"font-size: 11px;\" ondblclick=\"wopen('suricata_rules_edit.php?id={$id}&openruleset={$currentruleset}&sid={$sid}&gid={$gid}','FileViewer',800,600);\"> + <td class=\"listr\" style=\"text-align:center;\" ondblclick=\"wopen('suricata_rules_edit.php?id={$id}&openruleset={$currentruleset}&sid={$sid}&gid={$gid}','FileViewer',800,600);\"> {$textss}{$gid}{$textse} </td> - <td class=\"listlr\" align=\"center\" style=\"font-size: 11px;\" ondblclick=\"wopen('suricata_rules_edit.php?id={$id}&openruleset={$currentruleset}&sid={$sid}&gid={$gid}','FileViewer',800,600);\"> + <td class=\"listr\" style=\"text-align:center;\" ondblclick=\"wopen('suricata_rules_edit.php?id={$id}&openruleset={$currentruleset}&sid={$sid}&gid={$gid}','FileViewer',800,600);\"> <a href=\"javascript: void(0)\" onclick=\"wopen('suricata_rules_edit.php?id={$id}&openruleset={$currentruleset}&sid={$sid}&gid={$gid}','FileViewer',800,600);\" title='{$sid_tooltip}'>{$textss}{$sid}{$textse}</a> </td> - <td class=\"listlr\" align=\"center\" style=\"font-size: 11px;\" ondblclick=\"wopen('suricata_rules_edit.php?id={$id}&openruleset={$currentruleset}&sid={$sid}&gid={$gid}','FileViewer',800,600);\"> + <td class=\"listr\" style=\"text-align:center;\" ondblclick=\"wopen('suricata_rules_edit.php?id={$id}&openruleset={$currentruleset}&sid={$sid}&gid={$gid}','FileViewer',800,600);\"> {$textss}{$protocol}{$textse} </td> - <td class=\"listlr ellipsis\" align=\"center\" style=\"font-size: 11px;\" ondblclick=\"wopen('suricata_rules_edit.php?id={$id}&openruleset={$currentruleset}&sid={$sid}&gid={$gid}','FileViewer',800,600);\"> + <td class=\"listr ellipsis\" nowrap style=\"text-align:center;\" ondblclick=\"wopen('suricata_rules_edit.php?id={$id}&openruleset={$currentruleset}&sid={$sid}&gid={$gid}','FileViewer',800,600);\"> {$srcspan}{$source}</span> </td> - <td class=\"listlr ellipsis\" align=\"center\" style=\"font-size: 11px;\" ondblclick=\"wopen('suricata_rules_edit.php?id={$id}&openruleset={$currentruleset}&sid={$sid}&gid={$gid}','FileViewer',800,600);\"> + <td class=\"listr ellipsis\" nowrap style=\"text-align:center;\" ondblclick=\"wopen('suricata_rules_edit.php?id={$id}&openruleset={$currentruleset}&sid={$sid}&gid={$gid}','FileViewer',800,600);\"> {$srcprtspan}{$source_port}</span> </td> - <td class=\"listlr ellipsis\" align=\"center\" style=\"font-size: 11px;\" ondblclick=\"wopen('suricata_rules_edit.php?id={$id}&openruleset={$currentruleset}&sid={$sid}&gid={$gid}','FileViewer',800,600);\"> + <td class=\"listr ellipsis\" nowrap style=\"text-align:center;\" ondblclick=\"wopen('suricata_rules_edit.php?id={$id}&openruleset={$currentruleset}&sid={$sid}&gid={$gid}','FileViewer',800,600);\"> {$dstspan}{$destination}</span> </td> - <td class=\"listlr ellipsis\" align=\"center\" style=\"font-size: 11px;\" ondblclick=\"wopen('suricata_rules_edit.php?id={$id}&openruleset={$currentruleset}&sid={$sid}&gid={$gid}','FileViewer',800,600);\"> + <td class=\"listr ellipsis\" nowrap style=\"text-align:center;\" ondblclick=\"wopen('suricata_rules_edit.php?id={$id}&openruleset={$currentruleset}&sid={$sid}&gid={$gid}','FileViewer',800,600);\"> {$dstprtspan}{$destination_port}</span> </td> - <td class=\"listbg\" style=\"word-wrap:break-word; whitespace:pre-line; font-size: 11px; font-color: white;\" ondblclick=\"wopen('suricata_rules_edit.php?id={$id}&openruleset={$currentruleset}&sid={$sid}&gid={$gid}','FileViewer',800,600);\"> + <td class=\"listbg\" style=\"word-wrap:break-word; whitespace:pre-line;\" ondblclick=\"wopen('suricata_rules_edit.php?id={$id}&openruleset={$currentruleset}&sid={$sid}&gid={$gid}','FileViewer',800,600);\"> {$textss}{$message}{$textse} </td> </tr>"; diff --git a/config/suricata/suricata_rules_edit.php b/config/suricata/suricata_rules_edit.php index ad6b2986..b61c2f3a 100644 --- a/config/suricata/suricata_rules_edit.php +++ b/config/suricata/suricata_rules_edit.php @@ -33,31 +33,28 @@ require_once("/usr/local/pkg/suricata/suricata.inc"); $flowbit_rules_file = FLOWBITS_FILENAME; $suricatadir = SURICATADIR; -if (!is_array($config['installedpackages']['suricata']['rule'])) { - $config['installedpackages']['suricata']['rule'] = array(); -} -$a_rule = &$config['installedpackages']['suricata']['rule']; +if (isset($_GET['id']) && is_numericint($_GET['id'])) + $id = htmlspecialchars($_GET['id']); -$id = $_GET['id']; +// If we were not passed a valid index ID, close the pop-up and exit if (is_null($id)) { - header("Location: /suricata/suricata_interfaces.php"); + echo '<html><body link="#000000" vlink="#000000" alink="#000000">'; + echo '<script language="javascript" type="text/javascript">'; + echo 'window.close();</script>'; + echo '</body></html>'; exit; } -if (isset($id) && $a_rule[$id]) { - $pconfig['enable'] = $a_rule[$id]['enable']; - $pconfig['interface'] = $a_rule[$id]['interface']; - $pconfig['rulesets'] = $a_rule[$id]['rulesets']; -} -else { - header("Location: /suricata/suricata_interfaces.php"); - exit; +if (!is_array($config['installedpackages']['suricata']['rule'])) { + $config['installedpackages']['suricata']['rule'] = array(); } -/* convert fake interfaces to real */ -$if_real = get_real_interface($pconfig['interface']); +$a_rule = &$config['installedpackages']['suricata']['rule']; + +$if_real = get_real_interface($a_rule[$id]['interface']); $suricata_uuid = $a_rule[$id]['uuid']; -$suricatacfgdir = "{$suricatadir}suricata_{$suricata_uuid}_{$if_real}"; +$suricatacfgdir = "{$suricatadir}suricata_{$suricata_uuid}_{$if_real}/"; + $file = htmlspecialchars($_GET['openruleset'], ENT_QUOTES | ENT_HTML401); $contents = ''; $wrap_flag = "off"; @@ -73,13 +70,13 @@ else // a standard rules file, or a complete file name. // Test for the special case of an IPS Policy file. if (substr($file, 0, 10) == "IPS Policy") { - $rules_map = suricata_load_vrt_policy($a_rule[$id]['ips_policy']); - if (isset($_GET['ids'])) { - $contents = $rules_map[$_GET['gid']][trim($_GET['ids'])]['rule']; + $rules_map = suricata_load_vrt_policy(strtolower(trim(substr($file, strpos($file, "-")+1)))); + if (isset($_GET['sid']) && is_numericint($_GET['sid']) && isset($_GET['gid']) && is_numericint($_GET['gid'])) { + $contents = $rules_map[$_GET['gid']][trim($_GET['sid'])]['rule']; $wrap_flag = "soft"; } else { - $contents = "# Suricata IPS Policy - " . ucfirst($a_rule[$id]['ips_policy']) . "\n\n"; + $contents = "# Suricata IPS Policy - " . ucfirst(trim(substr($file, strpos($file, "-")+1))) . "\n\n"; foreach (array_keys($rules_map) as $k1) { foreach (array_keys($rules_map[$k1]) as $k2) { $contents .= "# Category: " . $rules_map[$k1][$k2]['category'] . " SID: {$k2}\n"; @@ -90,7 +87,7 @@ if (substr($file, 0, 10) == "IPS Policy") { unset($rules_map); } // Is it a SID to load the rule text from? -elseif (isset($_GET['sid']) && is_numeric(trim($_GET['sid']))) { +elseif (isset($_GET['sid']) && is_numericint($_GET['sid']) && isset($_GET['gid']) && is_numericint($_GET['gid'])) { // If flowbit rule, point to interface-specific file if ($file == "Auto-Flowbit Rules") $rules_map = suricata_load_rules_map("{$suricatacfgdir}rules/" . FLOWBITS_FILENAME); diff --git a/config/suricata/suricata_rules_flowbits.php b/config/suricata/suricata_rules_flowbits.php index 53019894..6470ff4b 100644 --- a/config/suricata/suricata_rules_flowbits.php +++ b/config/suricata/suricata_rules_flowbits.php @@ -43,8 +43,8 @@ $a_nat = &$config['installedpackages']['suricata']['rule']; if (isset($_POST['id'])) $id = $_POST['id']; -elseif (isset($_GET['id'])) - $id = $_GET['id']; +elseif (isset($_GET['id']) && is_numericint($_GET['id'])) + $id = htmlspecialchars($_GET['id']); if (is_null($id)) { header("Location: /suricata/suricata_interfaces.php"); @@ -205,13 +205,13 @@ if ($savemsg) </tr> <tr> <td> - <table id="myTable" width="100%" class="sortable" border="1" cellpadding="0" cellspacing="0"> + <table id="myTable" width="100%" class="sortable" style="table-layout: fixed;" border="0" cellpadding="0" cellspacing="0"> <colgroup> <col width="11%" axis="number"> - <col width="10%" axis="string"> + <col width="52" axis="string"> <col width="14%" axis="string"> <col width="14%" axis="string"> - <col width="20%" axis="string"> + <col width="24%" axis="string"> <col axis="string"> </colgroup> <thead> @@ -263,11 +263,11 @@ if ($savemsg) // Use "echo" to write the table HTML row-by-row. echo "<tr>" . "<td class=\"listr\" sorttable_customkey=\"{$sid}\">{$sid} {$supplink}</td>" . - "<td class=\"listr\">{$protocol}</td>" . - "<td class=\"listr ellipsis\"><span title=\"{$rule_content[2]}\">{$source}</span></td>" . - "<td class=\"listr ellipsis\"><span title=\"{$rule_content[5]}\">{$destination}</span></td>" . + "<td class=\"listr\" style=\"text-align:center;\">{$protocol}</td>" . + "<td class=\"listr ellipsis\" nowrap style=\"text-align:center;\"><span title=\"{$rule_content[2]}\">{$source}</span></td>" . + "<td class=\"listr ellipsis\" nowrap style=\"text-align:center;\"><span title=\"{$rule_content[5]}\">{$destination}</span></td>" . "<td class=\"listr\" style=\"word-wrap:break-word; word-break:normal;\">{$flowbits}</td>" . - "<td class=\"listr\" style=\"word-wrap:break-word; word-break:normal;\">{$message}</td>" . + "<td class=\"listbg\" style=\"word-wrap:break-word; word-break:normal;\">{$message}</td>" . "</tr>"; $count++; } @@ -283,7 +283,6 @@ if ($savemsg) <td align="center" valign="middle"> <input id="cancel" name="cancel" type="submit" class="formbtn" <?php echo "value=\"" . gettext("Return") . "\" title=\"" . gettext("Return to previous page") . "\""; ?>/> - <input name="id" type="hidden" value="<?=$id;?>" /> </td> </tr> <?php endif; ?> diff --git a/config/suricata/suricata_suppress.php b/config/suricata/suricata_suppress.php index e97006dc..12227f3d 100644 --- a/config/suricata/suricata_suppress.php +++ b/config/suricata/suricata_suppress.php @@ -122,7 +122,7 @@ if ($input_errors) { $tab_array[] = array(gettext("Suricata Interfaces"), false, "/suricata/suricata_interfaces.php"); $tab_array[] = array(gettext("Global Settings"), false, "/suricata/suricata_global.php"); $tab_array[] = array(gettext("Update Rules"), false, "/suricata/suricata_download_updates.php"); - $tab_array[] = array(gettext("Alerts"), false, "/suricata/suricata_alerts.php?instance={$instanceid}"); + $tab_array[] = array(gettext("Alerts"), false, "/suricata/suricata_alerts.php"); $tab_array[] = array(gettext("Suppress"), true, "/suricata/suricata_suppress.php"); $tab_array[] = array(gettext("Logs Browser"), false, "/suricata/suricata_logs_browser.php"); display_top_tabs($tab_array); diff --git a/config/suricata/suricata_suppress_edit.php b/config/suricata/suricata_suppress_edit.php index c2c23f10..3d5bad27 100644 --- a/config/suricata/suricata_suppress_edit.php +++ b/config/suricata/suricata_suppress_edit.php @@ -142,7 +142,7 @@ if ($savemsg) $tab_array[] = array(gettext("Interfaces"), false, "/suricata/suricata_interfaces.php"); $tab_array[] = array(gettext("Global Settings"), false, "/suricata/suricata_global.php"); $tab_array[] = array(gettext("Update Rules"), false, "/suricata/suricata_download_updates.php"); - $tab_array[] = array(gettext("Alerts"), false, "/suricata/suricata_alerts.php?instance={$instanceid}"); + $tab_array[] = array(gettext("Alerts"), false, "/suricata/suricata_alerts.php"); $tab_array[] = array(gettext("Suppress"), true, "/suricata/suricata_suppress.php"); display_top_tabs($tab_array); ?> diff --git a/config/suricata/suricata_yaml_template.inc b/config/suricata/suricata_yaml_template.inc index e62c48eb..07ada36e 100644 --- a/config/suricata/suricata_yaml_template.inc +++ b/config/suricata/suricata_yaml_template.inc @@ -40,9 +40,8 @@ outputs: - unified2-alert: enabled: {$barnyard2_enabled} filename: unified2.alert - limit: 32mb - # Sensor ID field of unified2 alerts. - sensor-id: 0 + limit: {$unified2_log_limit} + sensor-id: {$unified2_sensor_id} - http-log: enabled: {$http_log_enabled} |