-rw-r--r-- | config/suricata/suricata_generate_yaml.php | 5 | ||||
-rw-r--r-- | config/suricata/suricata_interfaces_edit.php | 13 | ||||
-rw-r--r-- | config/suricata/suricata_migrate_config.php | 8 | ||||
-rw-r--r-- | config/suricata/suricata_yaml_template.inc | 1 |
4 files changed, 27 insertions, 0 deletions
diff --git a/config/suricata/suricata_generate_yaml.php b/config/suricata/suricata_generate_yaml.php index 0715471d..8e3e538c 100644 --- a/config/suricata/suricata_generate_yaml.php +++ b/config/suricata/suricata_generate_yaml.php @@ -165,6 +165,11 @@ if ($suricatacfg['delayed_detect'] == 'on') else $delayed_detect = "no"; +if ($suricatacfg['intf_promisc_mode'] == 'on') + $intf_promisc_mode = "yes"; +else + $intf_promisc_mode = "no"; + // Add interface-specific blocking settings if ($suricatacfg['blockoffenders'] == 'on') $suri_blockoffenders = "yes"; diff --git a/config/suricata/suricata_interfaces_edit.php b/config/suricata/suricata_interfaces_edit.php index ff21b48f..e1e6675f 100644 --- a/config/suricata/suricata_interfaces_edit.php +++ b/config/suricata/suricata_interfaces_edit.php @@ -169,6 +169,8 @@ if (empty($pconfig['eve_log_files'])) $pconfig['eve_log_files'] = "on"; if (empty($pconfig['eve_log_ssh'])) $pconfig['eve_log_ssh'] = "on"; +if (empty($pconfig['intf_promisc_mode'])) + $pconfig['intf_promisc_mode'] = "on"; // See if creating a new interface by duplicating an existing one if (strcasecmp($action, 'dup') == 0) { @@ -300,6 +302,7 @@ if ($_POST["save"] && !$input_errors) { if ($_POST['eve_log_files'] == "on") { $natent['eve_log_files'] = 'on'; }else{ $natent['eve_log_files'] = 'off'; } if ($_POST['eve_log_ssh'] == "on") { $natent['eve_log_ssh'] = 'on'; }else{ $natent['eve_log_ssh'] = 'off'; } if ($_POST['delayed_detect'] == "on") { $natent['delayed_detect'] = 'on'; }else{ $natent['delayed_detect'] = 'off'; } + if ($_POST['intf_promisc_mode'] == "on") { $natent['intf_promisc_mode'] = 'on'; }else{ $natent['intf_promisc_mode'] = 'off'; } if ($_POST['configpassthru']) $natent['configpassthru'] = base64_encode(str_replace("\r\n", "\n", $_POST['configpassthru'])); else unset($natent['configpassthru']); $if_real = get_real_interface($natent['interface']); 
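Review bot: The new `if ($suricatacfg['intf_promisc_mode'] == 'on')` test in suricata_generate_yaml.php falls through to `"no"` when the key is missing, which is the opposite of the `on` default this commit uses in the edit page and the migration script. An interface entry that reaches the generator without passing through either of those would get `promisc: no` in its YAML, and capture coverage on that interface would shrink with nothing in the GUI to show it. Treating only an explicit `off` as off keeps the generator in line with the default: test `if (isset($suricatacfg['intf_promisc_mode']) && $suricatacfg['intf_promisc_mode'] == 'off')` and swap the two branches.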
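Review bot: The save handler's `$_POST['intf_promisc_mode'] == "on"` test stores `off` whenever the field is absent from the request, and the `enable_change()` hunk later in this file adds `document.iform.intf_promisc_mode.disabled=endis;`. Browsers do not submit disabled controls, so unless the form re-enables its fields before submit (not visible in these hunks), saving while the controls are greyed out would flip the setting from its `on` default to `off`. The neighbouring `delayed_detect` line has the same shape, but its default is `off`, so the effect does not show there. Please confirm the Save button re-enables the controls before the POST, or skip this assignment when the interface is being saved as disabled. The enclosing `if ($_POST["save"] && !$input_errors)` block starts and ends outside the hunk.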
@@ -367,6 +370,7 @@ if ($_POST["save"] && !$input_errors) { $natent['enable_midstream_sessions'] = 'off'; $natent['enable_async_sessions'] = 'off'; $natent['delayed_detect'] = 'off'; + $natent['intf_promisc_mode'] = 'on'; $natent['asn1_max_frames'] = '256'; $natent['dns_global_memcap'] = "16777216"; @@ -885,6 +889,14 @@ if ($savemsg) { "<strong>" . gettext("Not Checked") . "</strong>."; ?></td> </tr> <tr> + <td width="22%" valign="top" class="vncell"><?php echo gettext("Promiscuous Mode"); ?></td> + <td width="78%" class="vtable"> + <input name="intf_promisc_mode" id="intf_promisc_mode" type="checkbox" value="on" + <?php if ($pconfig['intf_promisc_mode'] == "on") echo " checked"; ?>/> + <?php echo gettext("Suricata will place the monitored interface in promiscuous mode when checked. Default is ") . + "<strong>" . gettext("Checked") . "</strong>."; ?></td> + </tr> + <tr> <td colspan="2" class="listtopic"><?php echo gettext("Networks " . "Suricata Should Inspect and Protect"); ?></td> </tr> <tr> @@ -1197,6 +1209,7 @@ function enable_change(enable_change) { document.iform.btnPasslist.disabled=endis; document.iform.btnSuppressList.disabled=endis; document.iform.delayed_detect.disabled=endis; + document.iform.intf_promisc_mode.disabled=endis; } function wopen(url, name, w, h) { diff --git a/config/suricata/suricata_migrate_config.php b/config/suricata/suricata_migrate_config.php index abbdcf64..ba13155b 100644 --- a/config/suricata/suricata_migrate_config.php +++ b/config/suricata/suricata_migrate_config.php 
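Review bot: The help text in the new "Promiscuous Mode" table row says what checking the box does but not what unchecking costs. With promiscuous mode off, a NIC normally passes up only frames addressed to the interface itself plus broadcast and multicast, so an interface fed from a mirror port or tap would inspect far less traffic than the operator expects. A second sentence inside the `gettext()` string would cover it, for example `Uncheck only when the interface should inspect just the traffic addressed to it.`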
@@ -124,6 +124,14 @@ foreach ($rule as &$r) { } /***********************************************************/ + /* Add new interface promisc mode value and default 'on'. */ + /***********************************************************/ + if (empty($pconfig['intf_promisc_mode'])) { + $pconfig['intf_promisc_mode'] = "on"; + $updated_cfg = true; + } + + /***********************************************************/ /* Add new HTTP Log Extended Info setting if not present */ /***********************************************************/ if (!isset($pconfig['http_log_extended'])) { diff --git a/config/suricata/suricata_yaml_template.inc b/config/suricata/suricata_yaml_template.inc index e75a1148..82c449d3 100644 --- a/config/suricata/suricata_yaml_template.inc +++ b/config/suricata/suricata_yaml_template.inc @@ -256,6 +256,7 @@ logging: pcap: - interface: {$if_real} checksum-checks: auto + promisc: {$intf_promisc_mode} # For FreeBSD ipfw(8) divert(4) support. # ipfw add 100 divert 8000 ip from any to any |