-rw-r--r--config/suricata/suricata.inc112
-rw-r--r--config/suricata/suricata_alerts.js8
-rw-r--r--config/suricata/suricata_alerts.php83
-rw-r--r--config/suricata/suricata_alerts.widget.php53
-rw-r--r--config/suricata/suricata_barnyard.php39
-rw-r--r--config/suricata/suricata_check_for_rule_updates.php49
-rw-r--r--config/suricata/suricata_download_updates.php28
-rw-r--r--config/suricata/suricata_generate_yaml.php10
-rw-r--r--config/suricata/suricata_interfaces.php2
-rw-r--r--config/suricata/suricata_interfaces_edit.php58
-rw-r--r--config/suricata/suricata_logs_browser.php2
-rw-r--r--config/suricata/suricata_rules.php51
-rw-r--r--config/suricata/suricata_rules_edit.php41
-rw-r--r--config/suricata/suricata_rules_flowbits.php19
-rw-r--r--config/suricata/suricata_suppress.php2
-rw-r--r--config/suricata/suricata_suppress_edit.php2
-rw-r--r--config/suricata/suricata_yaml_template.inc5
17 files changed, 349 insertions, 215 deletions
diff --git a/config/suricata/suricata.inc b/config/suricata/suricata.inc
index 1b6f5eb3..2660fae6 100644
--- a/config/suricata/suricata.inc
+++ b/config/suricata/suricata.inc
@@ -77,16 +77,12 @@ function suricata_generate_id() {
}
function suricata_is_running($suricata_uuid, $if_real, $type = 'suricata') {
- global $config, $g;
-
- if (isvalidpid("{$g['varrun_path']}/{$type}_{$if_real}{$suricata_uuid}.pid"))
- return true;
- else
- return false;
+ global $g;
+ return isvalidpid("{$g['varrun_path']}/{$type}_{$if_real}{$suricata_uuid}.pid");
}
function suricata_barnyard_stop($suricatacfg, $if_real) {
- global $config, $g;
+ global $g;
$suricata_uuid = $suricatacfg['uuid'];
if (isvalidpid("{$g['varrun_path']}/barnyard2_{$if_real}{$suricata_uuid}.pid")) {
@@ -96,13 +92,13 @@ function suricata_barnyard_stop($suricatacfg, $if_real) {
}
function suricata_stop($suricatacfg, $if_real) {
- global $config, $g;
+ global $g;
$suricata_uuid = $suricatacfg['uuid'];
if (isvalidpid("{$g['varrun_path']}/suricata_{$if_real}{$suricata_uuid}.pid")) {
log_error("[Suricata] Suricata STOP for {$suricatacfg['descr']}({$if_real})...");
killbypid("{$g['varrun_path']}/suricata_{$if_real}{$suricata_uuid}.pid");
- sleep(2);
+ sleep(1);
// For some reason Suricata seems to need a double TERM signal to actually shutdown
if (isvalidpid("{$g['varrun_path']}/suricata_{$if_real}{$suricata_uuid}.pid"))
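Review bot: Cutting the pause to `sleep(1)` at L55 makes the isvalidpid() re-check on the next line more likely to fire while Suricata is still shutting down after the first TERM, so the "double TERM" path described in the comment becomes the common case rather than the fallback. A fixed delay is a race in either direction; a bounded poll of the pid file expresses the intent better, e.g. `for ($i = 0; $i < 10 && isvalidpid($pidfile); $i++) sleep(1);` with `$pidfile` holding the path built on L51. suricata_stop continues outside the hunk.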
@@ -113,7 +109,7 @@ function suricata_stop($suricatacfg, $if_real) {
}
function suricata_barnyard_start($suricatacfg, $if_real) {
- global $config, $g;
+ global $g;
$suricata_uuid = $suricatacfg['uuid'];
$suricatadir = SURICATADIR . "suricata_{$suricata_uuid}_{$if_real}";
@@ -121,19 +117,19 @@ function suricata_barnyard_start($suricatacfg, $if_real) {
if ($suricatacfg['barnyard_enable'] == 'on') {
log_error("[Suricata] Barnyard2 START for {$suricatacfg['descr']}({$if_real})...");
- exec("/usr/local/bin/barnyard2 -r {$suricata_uuid} -f unified2.alert --pid-path {$g['varrun_path']} --nolock-pidfile -c {$suricatadir}/barnyard2.conf -d {$suricatalogdir} -D -q");
+ mwexec_bg("/usr/local/bin/barnyard2 -r {$suricata_uuid} -f unified2.alert --pid-path {$g['varrun_path']} --nolock-pidfile -c {$suricatadir}/barnyard2.conf -d {$suricatalogdir} -D -q");
}
}
function suricata_start($suricatacfg, $if_real) {
- global $config, $g;
+ global $g;
$suricatadir = SURICATADIR;
$suricata_uuid = $suricatacfg['uuid'];
if ($suricatacfg['enable'] == 'on') {
log_error("[Suricata] Suricata START for {$suricatacfg['descr']}({$if_real})...");
- exec("/usr/local/bin/suricata -i {$if_real} -D -c {$suricatadir}suricata_{$suricata_uuid}_{$if_real}/suricata.yaml --pidfile {$g['varrun_path']}/suricata_{$if_real}{$suricata_uuid}.pid");
+ mwexec_bg("/usr/local/bin/suricata -i {$if_real} -D -c {$suricatadir}suricata_{$suricata_uuid}_{$if_real}/suricata.yaml --pidfile {$g['varrun_path']}/suricata_{$if_real}{$suricata_uuid}.pid");
}
else
return;
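Review bot: The switch to mwexec_bg() at L69 and L80 routes the command line through a shell, but `$suricata_uuid`, `$if_real` and the SURICATADIR-derived paths are interpolated into it unescaped, so a value containing shell metacharacters would split the command. These values come from the package configuration rather than directly from a request, so exposure is limited, but wrapping each interpolated value in escapeshellarg() (e.g. `"-i " . escapeshellarg($if_real)`) costs nothing and keeps the generated command well-formed. suricata_start continues outside the hunk.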
@@ -154,7 +150,7 @@ function suricata_reload_config($suricatacfg, $signal="USR2") {
/* */
/* $signal = USR2 (default) parses and reloads config. */
/**************************************************************/
- global $config, $g;
+ global $g;
$suricatadir = SURICATADIR;
$suricata_uuid = $suricatacfg['uuid'];
@@ -166,8 +162,8 @@ function suricata_reload_config($suricatacfg, $signal="USR2") {
/******************************************************/
if (isvalidpid("{$g['varrun_path']}/suricata_{$if_real}{$suricata_uuid}.pid")) {
log_error("[Suricata] Suricata LIVE RULE RELOAD initiated for {$suricatacfg['descr']} ({$if_real})...");
- sigkillbypid("{$g['varrun_path']}/suricata_{$if_real}{$suricata_uuid}.pid", $signal);
-// exec("/bin/pkill -{$signal} -F {$g['varrun_path']}/suricata_{$if_real}{$suricata_uuid}.pid 2>&1 &");
+// sigkillbypid("{$g['varrun_path']}/suricata_{$if_real}{$suricata_uuid}.pid", $signal);
+ mwexec_bg("/bin/pkill -{$signal} -F {$g['varrun_path']}/suricata_{$if_real}{$suricata_uuid}.pid");
}
}
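Review bot: `$signal` is interpolated straight into the pkill command line at L99 (and L117 in the barnyard2 hunk); it is a parameter with a default, so any caller-supplied value containing shell metacharacters would be interpreted by the shell rather than treated as a signal name. Restrict it to the signals the code actually uses, e.g. `if (!in_array($signal, array('USR2', 'HUP', 'TERM'), true)) return;`, or pass it through escapeshellarg() before building the string. Because mwexec_bg() backgrounds the call, the function now returns before the signal is delivered, which is presumably why the callers in suricata_alerts.php gained a `sleep(2)`; a comment stating that here would help. The commented-out sigkillbypid() lines at L98 and L116 are dead code and should be removed rather than kept; suricata_reload_config starts outside the hunk.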
@@ -183,7 +179,7 @@ function suricata_barnyard_reload_config($suricatacfg, $signal="HUP") {
/* */
/* $signal = HUP (default) parses and reloads config. */
/**************************************************************/
- global $config, $g;
+ global $g;
$suricatadir = SURICATADIR;
$suricata_uuid = $suricatacfg['uuid'];
@@ -195,8 +191,8 @@ function suricata_barnyard_reload_config($suricatacfg, $signal="HUP") {
/******************************************************/
if (isvalidpid("{$g['varrun_path']}/barnyard2_{$if_real}{$suricata_uuid}.pid")) {
log_error("[Suricata] Barnyard2 CONFIG RELOAD initiated for {$suricatacfg['descr']} ({$if_real})...");
- sigkillbypid("{$g['varrun_path']}/barnyard2_{$if_real}{$suricata_uuid}.pid", $signal);
-// exec("/bin/pkill -{$signal} -F {$g['varrun_path']}/barnyard2_{$if_real}{$suricata_uuid}.pid 2>&1 &");
+// sigkillbypid("{$g['varrun_path']}/barnyard2_{$if_real}{$suricata_uuid}.pid", $signal);
+ mwexec_bg("/bin/pkill -{$signal} -F {$g['varrun_path']}/barnyard2_{$if_real}{$suricata_uuid}.pid");
}
}
@@ -698,7 +694,19 @@ function suricata_build_sid_msg_map($rules_path, $sid_file) {
/*************************************************************/
/* This function reads all the rules file in the passed */
/* $rules_path variable and produces a properly formatted */
- /* sid-msg.map file for use by Suricata and/or barnyard2. */
+ /* sid-msg.map v2 file for use by Suricata and barnyard2. */
+ /* */
+ /* This function produces the new v2 format sid-msg.map */
+ /* with the field layout as follows: */
+ /* */
+ /* GID || SID || REV || CLASSTYPE || PRI || MSG || REF ... */
+ /* */
+ /* On Entry: $rules_path --> array or directory of files */
+ /* or a single file containing */
+ /* the rules to read. */
+ /* $sid_file --> the complete destination path */
+ /* and filename for the output */
+ /* sid-msg.map file. */
/*************************************************************/
$sidMap = array();
@@ -707,7 +715,7 @@ function suricata_build_sid_msg_map($rules_path, $sid_file) {
// First check if we were passed a directory, a single file
// or an array of filenames to read. Set our $rule_files
// variable accordingly. If we can't figure it out, return
- // and don't write a sid_msg_map file.
+ // and don't write a sid-msg.map file.
if (is_string($rules_path)) {
if (is_dir($rules_path))
$rule_files = glob($rules_path . "*.rules");
@@ -760,7 +768,11 @@ function suricata_build_sid_msg_map($rules_path, $sid_file) {
$record = "";
// Parse the rule to find sid and any references.
+ $gid = '1'; // default to 1 for regular rules
$sid = '';
+ $rev = '';
+ $classtype = 'NOCLASS'; // required default for v2 format
+ $priority = '0'; // required default for v2 format
$msg = '';
$matches = '';
$sidEntry = '';
@@ -768,23 +780,32 @@ function suricata_build_sid_msg_map($rules_path, $sid_file) {
$msg = trim($matches[1]);
if (preg_match('/\bsid\s*:\s*(\d+)\s*;/i', $rule, $matches))
$sid = trim($matches[1]);
- if (!empty($sid) && !empty($msg)) {
- $sidEntry = $sid . ' || ' . $msg;
+ if (preg_match('/\bgid\s*:\s*(\d+)\s*;/i', $rule, $matches))
+ $gid = trim($matches[1]);
+ if (preg_match('/\brev\s*:\s*([^\;]+)/i', $rule, $matches))
+ $rev = trim($matches[1]);
+ if (preg_match('/\bclasstype\s*:\s*([^\;]+)/i', $rule, $matches))
+ $classtype = trim($matches[1]);
+ if (preg_match('/\bpriority\s*:\s*([^\;]+)/i', $rule, $matches))
+ $priority = trim($matches[1]);
+
+ if (!empty($gid) && !empty($sid) && !empty($msg)) {
+ $sidEntry = $gid . ' || ' . $sid . ' || ' . $rev . ' || ' . $classtype . ' || ';
+ $sidEntry .= $priority . ' || ' . $msg;
preg_match_all('/\breference\s*:\s*([^\;]+)/i', $rule, $matches);
foreach ($matches[1] as $ref)
$sidEntry .= " || " . trim($ref);
$sidEntry .= "\n";
- if (!is_array($sidMap[$sid]))
- $sidMap[$sid] = array();
- $sidMap[$sid] = $sidEntry;
+ $sidMap[] = $sidEntry;
}
}
}
- // Sort the generated sid-msg map by sid
- ksort($sidMap);
+ // Sort the generated sid-msg map
+ natcasesort($sidMap);
// Now print the result to the supplied file
- @file_put_contents($sid_file, array_values($sidMap));
+ @file_put_contents($sid_file, "#v2\n# sid-msg.map file auto-generated by Snort.\n\n");
+ @file_put_contents($sid_file, array_values($sidMap), FILE_APPEND);
}
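Review bot: Replacing the sid-keyed assignment with `$sidMap[] = $sidEntry;` at L185 means a signature present in more than one rules file is now written twice to sid-msg.map, whereas the old code collapsed duplicates by sid. Keying on the v2 identity, `$sidMap["{$gid}:{$sid}"] = $sidEntry;`, restores de-duplication and still works with the natcasesort() and array_values() that follow. The header written at L195 says `auto-generated by Snort` inside the Suricata package, and both `@file_put_contents()` calls swallow write failures; checking the return value and calling log_error() on failure would make a missing or unwritable map visible instead of silent. suricata_build_sid_msg_map starts outside the hunk.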
function suricata_merge_reference_configs($cfg_in, $cfg_out) {
@@ -1688,27 +1709,18 @@ function suricata_create_rc() {
$start_barnyard = <<<EOE
if [ ! -f {$g['varrun_path']}/barnyard2_{$if_real}{$suricata_uuid}.pid ]; then
- pid=`/bin/pgrep -f "barnyard2 -r {$suricata_uuid} "`
+ pid=`/bin/pgrep -fn "barnyard2 -r {$suricata_uuid} "`
else
pid=`/bin/pgrep -F {$g['varrun_path']}/barnyard2_{$if_real}{$suricata_uuid}.pid`
fi
+
if [ ! -z \$pid ]; then
- /usr/bin/logger -p daemon.info -i -t SuricataStartup "Barnyard2 STOP for {$value['descr']}({$suricata_uuid}_{$if_real})..."
- /bin/pkill -TERM \$pid
- time=0 timeout=30
- while /bin/kill -TERM \$pid 2>/dev/null; do
- sleep 1
- time=\$((time+1))
- if [ \$time -gt \$timeout ]; then
- break
- fi
- done
- if [ -f /var/run/barnyard2_{$if_real}{$suricata_uuid}.pid ]; then
- /bin/rm /var/run/barnyard2_{$if_real}{$suricata_uuid}.pid
- fi
+ /usr/bin/logger -p daemon.info -i -t SuricataStartup "Barnyard2 SOFT RESTART for {$value['descr']}({$suricata_uuid}_{$if_real})..."
+ /bin/pkill -HUP \$pid
+ else
+ /usr/bin/logger -p daemon.info -i -t SuricataStartup "Barnyard2 START for {$value['descr']}({$suricata_uuid}_{$if_real})..."
+ /usr/local/bin/barnyard2 -r {$suricata_uuid} -f unified2.alert --pid-path {$g['varrun_path']} --nolock-pidfile -c {$suricatadir}suricata_{$suricata_uuid}_{$if_real}/barnyard2.conf -d {$suricatalogdir}suricata_{$if_real}{$suricata_uuid} -D -q
fi
- /usr/bin/logger -p daemon.info -i -t SuricataStartup "Barnyard2 START for {$value['descr']}({$suricata_uuid}_{$if_real})..."
- /usr/local/bin/barnyard2 -r {$suricata_uuid} -f unified2.alert --pid-path {$g['varrun_path']} --nolock-pidfile -c {$suricatadir}suricata_{$suricata_uuid}_{$if_real}/barnyard2.conf -d {$suricatalogdir}suricata_{$if_real}{$suricata_uuid} -D -q
EOE;
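Review bot: `/bin/pkill -HUP \$pid` at L223 hands pkill a pid where it expects a process-name pattern, so the HUP is matched against command names rather than delivered to that process; the generated line should be `/bin/kill -HUP \$pid`. The new `pgrep -fn` at L203 (and L237, L249, L258, with matching `pkill -fn` at L240 and L262) selects only the newest matching process, so if the reason for adding `-n` is leftover duplicate instances, the older ones are left running; worth confirming that is intended. `{$value['descr']}` is also interpolated into a double-quoted shell string in the logger lines, and since descr is admin-entered text, passing it through escapeshellarg() when building the heredoc keeps the generated rc script well-formed. suricata_create_rc continues outside the hunk.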
$stop_barnyard2 = <<<EOE
@@ -1729,9 +1741,9 @@ EOE;
/bin/rm /var/run/barnyard2_{$if_real}{$suricata_uuid}.pid
fi
else
- pid=`/bin/pgrep -f "barnyard2 -r {$suricata_uuid} "`
+ pid=`/bin/pgrep -fn "barnyard2 -r {$suricata_uuid} "`
if [ ! -z \$pid ]; then
- /bin/pkill -TERM -f "barnyard2 -r {$suricata_uuid} "
+ /bin/pkill -TERM -fn "barnyard2 -r {$suricata_uuid} "
time=0 timeout=30
while /bin/kill -TERM \$pid 2>/dev/null; do
sleep 1
@@ -1754,7 +1766,7 @@ EOE;
###### For Each Iface
# Start suricata and barnyard2
if [ ! -f {$g['varrun_path']}/suricata_{$if_real}{$suricata_uuid}.pid ]; then
- pid=`/bin/pgrep -f "suricata -i {$if_real} "`
+ pid=`/bin/pgrep -fn "suricata -i {$if_real} "`
else
pid=`/bin/pgrep -F {$g['varrun_path']}/suricata_{$if_real}{$suricata_uuid}.pid`
fi
@@ -1790,10 +1802,10 @@ EOE;
/bin/rm /var/run/suricata_{$if_real}{$suricata_uuid}.pid
fi
else
- pid=`/bin/pgrep -f "suricata -i {$if_real} "`
+ pid=`/bin/pgrep -fn "suricata -i {$if_real} "`
if [ ! -z \$pid ]; then
/usr/bin/logger -p daemon.info -i -t SuricataStartup "Suricata STOP for {$value['descr']}({$suricata_uuid}_{$if_real})..."
- /bin/pkill -TERM -f "suricata -i {$if_real} "
+ /bin/pkill -TERM -fn "suricata -i {$if_real} "
time=0 timeout=30
while /bin/kill -TERM \$pid 2>/dev/null; do
sleep 1
diff --git a/config/suricata/suricata_alerts.js b/config/suricata/suricata_alerts.js
index 9e5b0b29..b6a5d3c3 100644
--- a/config/suricata/suricata_alerts.js
+++ b/config/suricata/suricata_alerts.js
@@ -14,9 +14,11 @@ function suricata_alerts_fetch_new_rules_callback(callback_data) {
for(var x=0; x<data_split.length-1; x++) {
row_split = data_split[x].split("||");
var line = '';
- line = '<td width="22%" class="listMRr" nowrap>' + row_split[0] + '<br/>' + row_split[1] + '</td>';
- line += '<td width="39%" class="listMRr">' + row_split[2] + '<br/>' + row_split[3] + '</td>';
- line += '<td width="39%" class="listMRr">' + 'Pri: ' + row_split[4] + '&nbsp;' + row_split[5] + '</td>';
+ line = '<td class="listMRr">' + row_split[0] + '<br/>' + row_split[1] + '</td>';
+ line += '<td class="listMRr ellipsis" nowrap><div style="display:inline;" title="';
+ line += row_split[2] + '">' + row_split[2] + '</div><br/><div style="display:inline;" title="';
+ line += row_split[3] + '">' + row_split[3] + '</div></td>';
+ line += '<td class="listMRr">' + 'Pri: ' + row_split[4] + ' ' + row_split[5] + '</td>';
new_data_to_add[new_data_to_add.length] = line;
}
suricata_alerts_update_div_rows(new_data_to_add);
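Review bot: The new markup at L278–L281 places row_split[2] and row_split[3] inside a `title="…"` attribute and as element text without escaping, so a `"` or `<` in the address or classification field would break out of the attribute or inject markup; the same strings are echoed server-side into `title='…'` at L556 of suricata_alerts.widget.php. These fields originate from the alerts log (addresses and the rule's classification), so they are likely constrained, but the PHP side should still wrap them in htmlspecialchars() and the JS side should set `title` and text through DOM properties (`el.title = …`, `el.textContent = …`) rather than string concatenation. suricata_alerts_fetch_new_rules_callback starts outside the hunk.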
diff --git a/config/suricata/suricata_alerts.php b/config/suricata/suricata_alerts.php
index 3b135f32..99241b7e 100644
--- a/config/suricata/suricata_alerts.php
+++ b/config/suricata/suricata_alerts.php
@@ -121,12 +121,12 @@ function suricata_add_supplist_entry($suppress) {
return false;
}
-if ($_POST['instance'])
+if (is_numericint($_POST['instance']))
$instanceid = $_POST['instance'];
-// This is for the auto-refresh so wecan stay on the same interface
-if (is_numeric($_GET['instance']))
+// This is for the auto-refresh so we can stay on the same interface
+if (is_numericint($_GET['instance']))
$instanceid = $_GET['instance'];
-if (empty($instanceid))
+if (is_null($instanceid))
$instanceid = 0;
if (!is_array($config['installedpackages']['suricata']['rule']))
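Review bot: `$instanceid` is never initialised before the two is_numericint() checks, so when neither branch assigns it the `is_null($instanceid)` test at L301 runs on an undefined variable (a notice, although the fallback to 0 still happens); adding `$instanceid = null;` above L292 makes the intent explicit. A numeric id is still not checked against the configured instances, so an out-of-range value reaches `$a_instance[$instanceid]` further down; a guard such as `if (!isset($a_instance[$instanceid])) $instanceid = 0;` after `$a_instance` is loaded (presumably just below this hunk) would close that gap.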
@@ -186,12 +186,12 @@ if (($_POST['addsuppress_srcip'] || $_POST['addsuppress_dstip'] || $_POST['addsu
$suppress = "suppress gen_id {$_POST['gen_id']}, sig_id {$_POST['sidid']}\n";
else
$suppress = "#{$_POST['descr']}\nsuppress gen_id {$_POST['gen_id']}, sig_id {$_POST['sidid']}\n";
- $success = gettext("An entry for 'suppress gen_id {$_GET['gen_id']}, sig_id {$_GET['sidid']}' has been added to the Suppress List.");
+ $success = gettext("An entry for 'suppress gen_id {$_POST['gen_id']}, sig_id {$_POST['sidid']}' has been added to the Suppress List.");
break;
case "by_src":
case "by_dst":
// Check for valid IP addresses, exit if not valid
- if (is_ipaddr($_POST['ip']) || is_ipaddrv6($_POST['ip'])) {
+ if (is_ipaddr($_POST['ip'])) {
if (empty($_POST['descr']))
$suppress = "suppress gen_id {$_POST['gen_id']}, sig_id {$_POST['sidid']}, track {$method}, ip {$_POST['ip']}\n";
else
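Review bot: Dropping `is_ipaddrv6()` at L315 is only equivalent if this pfSense version's is_ipaddr() accepts IPv6 as well as IPv4; worth confirming, otherwise suppress-by-address for IPv6 hosts silently stops working. Independently, `$_POST['descr']` is written into the suppress list as a `#` comment line at L307 and L318 without stripping line breaks, so a description containing a newline becomes an extra directive line in the file; `$descr = str_replace(array("\r", "\n"), ' ', $_POST['descr']);` before building `$suppress` keeps the comment on one line. The enclosing if/switch starts outside the hunk.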
@@ -212,6 +212,7 @@ if (($_POST['addsuppress_srcip'] || $_POST['addsuppress_dstip'] || $_POST['addsu
if (suricata_add_supplist_entry($suppress)) {
suricata_reload_config($a_instance[$instanceid]);
$savemsg = $success;
+ sleep(2);
}
else
$input_errors[] = gettext("Suppress List '{$a_instance[$instanceid]['suppresslistname']}' is defined for this interface, but it could not be found!");
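Review bot: The `sleep(2)` added after suricata_reload_config() at L323 (and L330 in the next hunk) blocks the request for a fixed interval and still does not guarantee the live reload has finished; the message at L332 asks the user to wait 15 s, which suggests this is a best-effort pause. If the intent is to let the backgrounded reload signal be delivered before the page re-reads state, a comment saying so, `// give the backgrounded reload signal time to be delivered before re-reading state`, will stop the next reader from removing it. The enclosing if block starts outside the hunk.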
@@ -269,8 +270,9 @@ if ($_POST['togglesid'] && is_numeric($_POST['sidid']) && is_numeric($_POST['gen
/* Signal Suricata to live-load the new rules */
suricata_reload_config($a_instance[$instanceid]);
+ sleep(2);
- $savemsg = gettext("The state for rule {$gid}:{$sid} has been modified. Suricata is 'live-reloading' the new rules list. Please wait at least 30 secs for the process to complete before toggling additional rules.");
+ $savemsg = gettext("The state for rule {$gid}:{$sid} has been modified. Suricata is 'live-reloading' the new rules list. Please wait at least 15 secs for the process to complete before toggling additional rules.");
}
if ($_POST['delete']) {
@@ -372,7 +374,7 @@ if ($savemsg) {
$selected = "";
if ($id == $instanceid)
$selected = "selected";
- echo "<option value='{$id}' {$selected}> (" . convert_friendly_interface_to_friendly_descr($instance['interface']) . "){$instance['descr']}</option>\n";
+ echo "<option value='{$id}' {$selected}> (" . convert_friendly_interface_to_friendly_descr($instance['interface']) . ") {$instance['descr']}</option>\n";
}
?>
</select>&nbsp;&nbsp;<?php echo gettext('Choose which instance alerts you want to inspect.'); ?>
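Review bot: `{$instance['descr']}` at L340 is echoed into the `<option>` text without escaping, whereas `$anentries` in the hunk below goes through htmlspecialchars(); descr is admin-entered free text, so use `htmlspecialchars($instance['descr'])` here as well. The surrounding foreach starts outside the hunk.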
@@ -380,22 +382,23 @@ if ($savemsg) {
<tr>
<td width="22%" class="vncell"><?php echo gettext('Save or Remove Logs'); ?></td>
<td width="78%" class="vtable">
- <input name="download" type="submit" class="formbtns" value="Download"> <?php echo gettext('All ' .
- 'log files will be saved.'); ?>&nbsp;&nbsp;
- <input name="delete" type="submit" class="formbtns" value="Clear"
- onclick="return confirm('Do you really want to remove all instance logs?');">
- <span class="red"><strong><?php echo gettext('Warning:'); ?></strong></span> <?php echo ' ' . gettext('all log files will be deleted.'); ?>
+ <input name="download" type="submit" class="formbtns" value="Download"
+ title="<?=gettext("Download interface log files as a gzip archive");?>"/>
+ &nbsp;<?php echo gettext('All log files will be saved.');?>&nbsp;&nbsp;
+ <input name="delete" type="submit" class="formbtns" value="Clear"
+ onclick="return confirm('Do you really want to remove all instance logs?')" title="<?=gettext("Clear all interface log files");?>"/>
+ &nbsp;<span class="red"><strong><?php echo gettext('Warning:'); ?></strong></span>&nbsp;<?php echo gettext('all log files will be deleted.'); ?>
</td>
</tr>
<tr>
<td width="22%" class="vncell"><?php echo gettext('Auto Refresh and Log View'); ?></td>
<td width="78%" class="vtable">
- <input name="save" type="submit" class="formbtns" value="Save">
- <?php echo gettext('Refresh'); ?> <input name="arefresh" type="checkbox" value="on"
- <?php if ($config['installedpackages']['suricata']['alertsblocks']['arefresh']=="on") echo "checked"; ?>>
- <?php printf(gettext('%sDefault%s is %sON%s.'), '<strong>', '</strong>', '<strong>', '</strong>'); ?>&nbsp;&nbsp;
- <input name="alertnumber" type="text" class="formfld unknown" id="alertnumber" size="5" value="<?=htmlspecialchars($anentries);?>">
- <?php printf(gettext('Enter number of log entries to view. %sDefault%s is %s250%s.'), '<strong>', '</strong>', '<strong>', '</strong>'); ?>
+ <input name="save" type="submit" class="formbtns" value=" Save " title="<?=gettext("Save auto-refresh and view settings");?>"/>
+ &nbsp;<?php echo gettext('Refresh');?>&nbsp;&nbsp;<input name="arefresh" type="checkbox" value="on"
+ <?php if ($config['installedpackages']['snortglobal']['alertsblocks']['arefresh']=="on") echo "checked"; ?>/>
+ <?php printf(gettext('%sDefault%s is %sON%s.'), '<strong>', '</strong>', '<strong>', '</strong>'); ?>&nbsp;&nbsp;
+ <input name="alertnumber" type="text" class="formfld unknown" id="alertnumber" size="5" value="<?=htmlspecialchars($anentries);?>"/>
+ &nbsp;<?php printf(gettext('Enter number of log entries to view. %sDefault%s is %s250%s.'), '<strong>', '</strong>', '<strong>', '</strong>'); ?>
</td>
</tr>
<tr>
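Review bot: The checkbox state at L372 now reads `$config['installedpackages']['snortglobal']['alertsblocks']['arefresh']`, while the line it replaces (L366) and the rest of this package use the `suricata` key; this looks like a copy-paste from the Snort package and means the Refresh checkbox will never render checked for this package's saved setting. Restore `$config['installedpackages']['suricata']['alertsblocks']['arefresh']`.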
@@ -404,31 +407,31 @@ if ($savemsg) {
</tr>
<tr>
<td width="100%" colspan="2">
- <table id="myTable" style="table-layout: fixed;" width="100%" class="sortable" border="1" cellpadding="0" cellspacing="0">
+ <table id="myTable" style="table-layout: fixed;" width="100%" class="sortable" border="0" cellpadding="0" cellspacing="0">
<colgroup>
<col width="10%" align="center" axis="date">
- <col width="41" align="center" axis="number">
- <col width="64" align="center" axis="string">
+ <col width="40" align="center" axis="number">
+ <col width="52" align="center" axis="string">
<col width="10%" axis="string">
<col width="13%" align="center" axis="string">
- <col width="8%" align="center" axis="string">
+ <col width="7%" align="center" axis="string">
<col width="13%" align="center" axis="string">
- <col width="8%" align="center" axis="string">
- <col width="9%" align="center" axis="number">
+ <col width="7%" align="center" axis="string">
+ <col width="10%" align="center" axis="number">
<col axis="string">
</colgroup>
<thead>
<tr>
- <th class="listhdrr" axis="date"><?php echo gettext("DATE"); ?></th>
- <th class="listhdrr" axis="number"><?php echo gettext("PRI"); ?></th>
- <th class="listhdrr" axis="string"><?php echo gettext("PROTO"); ?></th>
- <th class="listhdrr" axis="string"><?php echo gettext("CLASS"); ?></th>
- <th class="listhdrr" axis="string"><?php echo gettext("SRC"); ?></th>
- <th class="listhdrr" axis="string"><?php echo gettext("SPORT"); ?></th>
- <th class="listhdrr" axis="string"><?php echo gettext("DST"); ?></th>
- <th class="listhdrr" axis="string"><?php echo gettext("DPORT"); ?></th>
+ <th class="listhdrr" axis="date"><?php echo gettext("Date"); ?></th>
+ <th class="listhdrr" axis="number"><?php echo gettext("Pri"); ?></th>
+ <th class="listhdrr" axis="string"><?php echo gettext("Proto"); ?></th>
+ <th class="listhdrr" axis="string"><?php echo gettext("Class"); ?></th>
+ <th class="listhdrr" axis="string"><?php echo gettext("Src"); ?></th>
+ <th class="listhdrr" axis="string"><?php echo gettext("SPort"); ?></th>
+ <th class="listhdrr" axis="string"><?php echo gettext("Dst"); ?></th>
+ <th class="listhdrr" axis="string"><?php echo gettext("DPort"); ?></th>
<th class="listhdrr" axis="number"><?php echo gettext("SID"); ?></th>
- <th class="listhdrr" axis="string"><?php echo gettext("DESCRIPTION"); ?></th>
+ <th class="listhdrr" axis="string"><?php echo gettext("Description"); ?></th>
</tr>
</thead>
<tbody>
@@ -444,7 +447,7 @@ if (file_exists("/var/log/suricata/suricata_{$if_real}{$suricata_uuid}/alerts.lo
/* File format timestamp,action,sig_generator,sig_id,sig_rev,msg,classification,priority,proto,src,srcport,dst,dstport */
$fd = fopen("/tmp/alerts_suricata{$suricata_uuid}", "r");
while (($fields = fgetcsv($fd, 1000, ',', '"')) !== FALSE) {
- if(count($fields) < 12)
+ if(count($fields) < 13)
continue;
// Create a DateTime object from the event timestamp that
@@ -468,7 +471,7 @@ if (file_exists("/var/log/suricata/suricata_{$if_real}{$suricata_uuid}/alerts.lo
/* Protocol */
$alert_proto = $fields[8];
/* IP SRC */
- $alert_ip_src = inet_ntop(inet_pton($fields[9]));
+ $alert_ip_src = $fields[9];
/* Add zero-width space as soft-break opportunity after each colon if we have an IPv6 address */
$alert_ip_src = str_replace(":", ":&#8203;", $alert_ip_src);
/* Add Reverse DNS lookup icons */
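Review bot: Removing the `inet_ntop(inet_pton())` round-trip at L439 (and L448 in the next hunk) means the displayed address and the `sorttable_customkey` now carry whatever textual form Suricata wrote to the log, so IPv6 addresses may no longer be in canonical compressed form and an unparsable field is no longer reduced to false before the str_replace() below. If the normalisation was dropped deliberately (e.g. because inet_pton() emitted warnings on odd input), a one-line comment recording that would help, and since the raw field is interpolated into the HTML row further down, wrapping it in htmlspecialchars() at the point of assignment is a cheap safeguard. The enclosing while loop starts outside the hunk.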
@@ -497,7 +500,7 @@ if (file_exists("/var/log/suricata/suricata_{$if_real}{$suricata_uuid}/alerts.lo
/* IP SRC Port */
$alert_src_p = $fields[10];
/* IP Destination */
- $alert_ip_dst = inet_ntop(inet_pton($fields[11]));
+ $alert_ip_dst = $fields[11];
/* Add zero-width space as soft-break opportunity after each colon if we have an IPv6 address */
$alert_ip_dst = str_replace(":", ":&#8203;", $alert_ip_dst);
/* Add Reverse DNS lookup icons */
@@ -520,8 +523,8 @@ if (file_exists("/var/log/suricata/suricata_{$if_real}{$suricata_uuid}/alerts.lo
}
/* Add icon for auto-removing from Blocked Table if required */
// if (isset($tmpblocked[$fields[11]])) {
-// $alert_ip_src .= "&nbsp;<input type='image' name='unblock[]' onClick=\"document.getElementById('ip').value='{$fields[11]}';\" ";
-// $alert_ip_src .= "title='" . gettext("Remove host from Blocked Table") . "' border='0' width='12' height='12' src=\"../themes/{$g['theme']}/images/icons/icon_x.gif\"/>";
+// $alert_ip_dst .= "&nbsp;<input type='image' name='unblock[]' onClick=\"document.getElementById('ip').value='{$fields[11]}';\" ";
+// $alert_ip_dst .= "title='" . gettext("Remove host from Blocked Table") . "' border='0' width='12' height='12' src=\"../themes/{$g['theme']}/images/icons/icon_x.gif\"/>";
// }
/* IP DST Port */
$alert_dst_p = $fields[12];
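Review bot: The lines at L458–L459 edit code that is already commented out; if the unblock icon is not coming back, deleting the block is cleaner than maintaining it, and if it is, it should be re-enabled with `$fields[11]` passed through htmlspecialchars() before being placed inside the onClick attribute. The enclosing while loop starts outside the hunk.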
@@ -560,7 +563,7 @@ if (file_exists("/var/log/suricata/suricata_{$if_real}{$suricata_uuid}/alerts.lo
<td class='listr' align='center' sorttable_customkey='{$fields[11]}'>{$alert_ip_dst}</td>
<td class='listr' align='center'>{$alert_dst_p}</td>
<td class='listr' align='center' sorttable_customkey='{$fields[3]}'>{$alert_sid_str}<br/>{$sidsupplink}&nbsp;&nbsp;{$sid_dsbl_link}</td>
- <td class='listr' style=\"word-wrap:break-word;\">{$alert_descr}</td>
+ <td class='listbg' style=\"word-wrap:break-word;\">{$alert_descr}</td>
</tr>\n";
$counter++;
diff --git a/config/suricata/suricata_alerts.widget.php b/config/suricata/suricata_alerts.widget.php
index 370c6e96..21fad03d 100644
--- a/config/suricata/suricata_alerts.widget.php
+++ b/config/suricata/suricata_alerts.widget.php
@@ -80,8 +80,8 @@ if (isset($_GET['getNewAlerts'])) {
$suri_alerts = suricata_widget_get_alerts();
$counter = 0;
foreach ($suri_alerts as $a) {
- $response .= $a['instanceid'] . " " . $a['dateonly'] . "||" . $a['timeonly'] . "||" . $a['src'] . ":" . $a['srcport'] . "||";
- $response .= $a['dst'] . ":" . $a['dstport'] . "||" . $a['priority'] . "||" . $a['category'] . "\n";
+ $response .= $a['instanceid'] . " " . $a['dateonly'] . "||" . $a['timeonly'] . "||" . $a['src'] . "||";
+ $response .= $a['dst'] . "||" . $a['priority'] . "||" . $a['category'] . "\n";
$counter++;
if($counter >= $suri_nentries)
break;
@@ -134,10 +134,22 @@ function suricata_widget_get_alerts() {
$suricata_alerts[$counter]['timestamp'] = strval(date_timestamp_get($event_tm));
$suricata_alerts[$counter]['timeonly'] = date_format($event_tm, "H:i:s");
$suricata_alerts[$counter]['dateonly'] = date_format($event_tm, "M d");
- $suricata_alerts[$counter]['src'] = $fields[9];
- $suricata_alerts[$counter]['srcport'] = $fields[10];
- $suricata_alerts[$counter]['dst'] = $fields[11];
- $suricata_alerts[$counter]['dstport'] = $fields[12];
+ // Add square brackets around any IPv6 address
+ if (is_ipaddrv6($fields[9]))
+ $suricata_alerts[$counter]['src'] = "[" . $fields[9] . "]";
+ else
+ $suricata_alerts[$counter]['src'] = $fields[9];
+ // Add the SRC PORT if not null
+ if (!empty($fields[10]))
+ $suricata_alerts[$counter]['src'] .= ":" . $fields[10];
+ // Add square brackets around any IPv6 address
+ if (is_ipaddrv6($fields[11]))
+ $suricata_alerts[$counter]['dst'] = "[" . $fields[11] . "]";
+ else
+ $suricata_alerts[$counter]['dst'] = $fields[11];
+ // Add the SRC PORT if not null
+ if (!empty($fields[12]))
+ $suricata_alerts[$counter]['dst'] .= ":" . $fields[12];
$suricata_alerts[$counter]['priority'] = $fields[7];
$suricata_alerts[$counter]['category'] = $fields[6];
$counter++;
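Review bot: The comment at L507 says `// Add the SRC PORT if not null` but the code beneath it appends the destination port; change it to `// Add the DST PORT if not null`. `!empty($fields[10])` and `!empty($fields[12])` also treat a literal port `0` as absent, so `$fields[10] !== ''` is the more precise test if zero ports should be displayed. suricata_widget_get_alerts starts outside the hunk.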
@@ -161,13 +173,6 @@ function suricata_widget_get_alerts() {
/* display the result */
?>
-<script type="text/javascript">
-//<![CDATA[
-var suricataupdateDelay = 10000; // update every 10 second
-var suri_nentries = <?php echo $suri_nentries; ?>;
-//]]>
-</script>
-
<input type="hidden" id="suricata_alerts-config" name="suricata_alerts-config" value=""/>
<div id="suricata_alerts-settings" class="widgetconfigdiv" style="display:none;">
<form action="/widgets/widgets/suricata_alerts.widget.php" method="post" name="iformd">
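Review bot: The removed script block at L516–L521 was the only definition of `suricataupdateDelay` visible in this diff; the later hunk at L561 re-declares `suri_nentries` but not the delay, so unless suricata_alerts.js or another script outside this diff defines it, the auto-refresh timer will reference an undefined variable. Worth confirming where it now lives, or re-adding `var suricataupdateDelay = 10000;` next to `suri_nentries` at L562.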
@@ -177,12 +182,17 @@ var suri_nentries = <?php echo $suri_nentries; ?>;
</form>
</div>
-<table width="100%" border="0" cellspacing="0" cellpadding="0">
+<table width="100%" border="0" cellspacing="0" cellpadding="0" style="table-layout: fixed;">
+ <colgroup>
+ <col style="width: 24%;" />
+ <col style="width: 38%;" />
+ <col style="width: 38%;" />
+ </colgroup>
<thead>
- <tr class="suricata-alert-header">
- <td width="22%" class="widgetsubheader" align="center">IF/Date</td>
- <td width="39%" class="widgetsubheader" align="center">Src/Dst</td>
- <td width="39%" class="widgetsubheader" align="center">Details</td>
+ <tr>
+ <th class="listhdrr"><?=gettext("IF/Date");?></th>
+ <th class="listhdrr"><?=gettext("Src/Dst Address");?></th>
+ <th class="listhdrr"><?=gettext("Classification");?></th>
</tr>
</thead>
<tbody id="suricata-alert-entries">
@@ -193,9 +203,9 @@ var suri_nentries = <?php echo $suri_nentries; ?>;
foreach ($suricata_alerts as $alert) {
$evenRowClass = $counter % 2 ? " listMReven" : " listMRodd";
echo(" <tr class='" . $evenRowClass . "'>
- <td width='22%' class='listMRr' nowrap>" . $alert['instanceid'] . " " . $alert['dateonly'] . "<br/>" . $alert['timeonly'] . "</td>
- <td width='39%' class='listMRr'>" . $alert['src'] . ":" . $alert['srcport'] . "<br>" . $alert['dst'] . ":" . $alert['dstport'] . "</td>
- <td width='39%' class='listMRr'>Pri: " . $alert['priority'] . "&nbsp;" . $alert['category'] . "</td></tr>");
+ <td class='listMRr'>" . $alert['instanceid'] . " " . $alert['dateonly'] . "<br/>" . $alert['timeonly'] . "</td>
+ <td class='listMRr ellipsis' nowrap><div style='display:inline;' title='" . $alert['src'] . "'>" . $alert['src'] . "</div><br/><div style='display:inline;' title='" . $alert['dst'] . "'>" . $alert['dst'] . "</div></td>
+ <td class='listMRr'>Pri: " . $alert['priority'] . " " . $alert['category'] . "</td></tr>");
$counter++;
if($counter >= $suri_nentries)
break;
@@ -211,7 +221,6 @@ var suri_nentries = <?php echo $suri_nentries; ?>;
var suri_nentries = <?php echo $suri_nentries; ?>; // default is 5
<!-- needed to display the widget settings menu -->
-//<![CDATA[
selectIntLink = "suricata_alerts-configure";
textlink = document.getElementById(selectIntLink);
textlink.style.display = "inline";
diff --git a/config/suricata/suricata_barnyard.php b/config/suricata/suricata_barnyard.php
index e1ae892e..e71dc261 100644
--- a/config/suricata/suricata_barnyard.php
+++ b/config/suricata/suricata_barnyard.php
@@ -55,6 +55,8 @@ if (isset($id) && $a_nat[$id]) {
$pconfig['barnyard_dbpwd'] = base64_decode($a_nat[$id]['barnyard_dbpwd']);
if (empty($a_nat[$id]['barnyard_show_year']))
$pconfig['barnyard_show_year'] = "on";
+ if (empty($a_nat[$id]['unified2_log_limit']))
+ $pconfig['unified2_log_limit'] = "32";
if (empty($a_nat[$id]['barnyard_archive_enable']))
$pconfig['barnyard_archive_enable'] = "on";
if (empty($a_nat[$id]['barnyard_obfuscate_ip']))
@@ -71,6 +73,8 @@ if (isset($id) && $a_nat[$id]) {
$pconfig['barnyard_syslog_priority'] = "LOG_INFO";
if (empty($a_nat[$id]['barnyard_bro_ids_dport']))
$pconfig['barnyard_bro_ids_dport'] = "47760";
+ if (empty($a_nat[$id]['barnyard_sensor_id']))
+ $pconfig['barnyard_sensor_id'] = "0";
if (empty($a_nat[$id]['barnyard_sensor_name']))
$pconfig['barnyard_sensor_name'] = php_uname("n");
}
@@ -81,6 +85,18 @@ if ($_POST['save']) {
$_POST['barnyard_bro_ids_enable'] != 'on' && $_POST['barnyard_enable'] == "on")
$input_errors[] = gettext("You must enable at least one output option when using Barnyard2.");
+ // Validate unified2 log file limit
+ if ($_POST['barnyard_enable'] == 'on') {
+ if (!is_numericint($_POST['unified2_log_limit']) || $_POST['unified2_log_limit'] < 1)
+ $input_errors[] = gettext("The value for 'Unified2 Log Limit' must be a valid integer greater than zero.");
+ }
+
+ // Validate Sensor ID is a valid integer
+ if ($_POST['barnyard_enable'] == 'on') {
+ if (!is_numericint($_POST['barnyard_sensor_id']) || $_POST['barnyard_sensor_id'] < 0)
+ $input_errors[] = gettext("The value for 'Sensor ID' must be a valid positive integer.");
+ }
+
// Validate inputs if MySQL database loggging enabled
if ($_POST['barnyard_mysql_enable'] == 'on' && $_POST['barnyard_enable'] == "on") {
if (empty($_POST['barnyard_dbhost']))
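Review bot: The two new validation blocks at L594–L603 run only when `barnyard_enable` is on, but the save hunk at L611–L613 stores `unified2_log_limit` and `barnyard_sensor_id` whenever they are non-empty, so an invalid value entered while Barnyard2 is disabled is persisted and only trips validation later, or never if the page is not revisited. Validate each field whenever it is non-empty rather than gating on the enable flag, and merge the two identical `if ($_POST['barnyard_enable'] == 'on')` guards into a single block. The enclosing `if ($_POST['save'])` starts outside the hunk.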
@@ -126,7 +142,9 @@ if ($_POST['save']) {
$natent['barnyard_syslog_opmode'] = $_POST['barnyard_syslog_opmode'];
$natent['barnyard_syslog_proto'] = $_POST['barnyard_syslog_proto'];
+ if ($_POST['barnyard_sensor_id']) $natent['barnyard_sensor_id'] = $_POST['barnyard_sensor_id']; else $natent['barnyard_sensor_id'] = '0';
if ($_POST['barnyard_sensor_name']) $natent['barnyard_sensor_name'] = $_POST['barnyard_sensor_name']; else unset($natent['barnyard_sensor_name']);
+ if ($_POST['unified2_log_limit']) $natent['unified2_log_limit'] = $_POST['unified2_log_limit']; else unset($natent['unified2_log_limit']);
if ($_POST['barnyard_dbhost']) $natent['barnyard_dbhost'] = $_POST['barnyard_dbhost']; else unset($natent['barnyard_dbhost']);
if ($_POST['barnyard_dbname']) $natent['barnyard_dbname'] = $_POST['barnyard_dbname']; else unset($natent['barnyard_dbname']);
if ($_POST['barnyard_dbuser']) $natent['barnyard_dbuser'] = $_POST['barnyard_dbuser']; else unset($natent['barnyard_dbuser']);
@@ -266,6 +284,15 @@ include_once("head.inc");
</td>
</tr>
<tr>
+ <td width="22%" valign="top" class="vncell"><?php echo gettext("Unified2 Log Limit"); ?></td>
+ <td width="78%" class="vtable">
+ <input name="unified2_log_limit" type="text" class="formfld unknown"
+ id="unified2_log_limit" size="25" value="<?=htmlspecialchars($pconfig['unified2_log_limit']);?>"/>
+ &nbsp;<?php echo gettext("Log file size limit in megabytes (MB). Default is "); ?><strong><?=gettext("32 MB.");?></strong><br/>
+ <?php echo gettext("This sets the maximum size for a unified2 log file before it is rotated and a new one created."); ?>
+ </td>
+ </tr>
+ <tr>
<td width="22%" valign="top" class="vncell"><?php echo gettext("Archive Unified2 Logs"); ?></td>
<td width="78%" class="vtable">
<input name="barnyard_archive_enable" type="checkbox" value="on" <?php if ($pconfig['barnyard_archive_enable'] == "on") echo "checked"; ?>/>
@@ -287,11 +314,19 @@ include_once("head.inc");
<?php echo gettext("Enable obfuscation of logged IP addresses. Default value is ") . "<strong>" . gettext("Not Checked") . "</strong>"; ?>
</td>
<tr>
+ <td width="22%" valign="top" class="vncell"><?php echo gettext("Sensor ID"); ?></td>
+ <td width="78%" class="vtable">
+ <input name="barnyard_sensor_id" type="text" class="formfld unknown"
+ id="barnyard_sensor_id" size="25" value="<?=htmlspecialchars($pconfig['barnyard_sensor_id']);?>"/>
+ &nbsp;<?php echo gettext("Sensor ID to use for this sensor. Default is ") . "<strong>" . gettext("0.") . "</strong>"; ?>
+ </td>
+ </tr>
+ <tr>
<td width="22%" valign="top" class="vncell"><?php echo gettext("Sensor Name"); ?></td>
<td width="78%" class="vtable">
<input name="barnyard_sensor_name" type="text" class="formfld unknown"
id="barnyard_sensor_name" size="25" value="<?=htmlspecialchars($pconfig['barnyard_sensor_name']);?>"/>
- &nbsp;<?php echo gettext("Unique name to use for this sensor."); ?>
+ &nbsp;<?php echo gettext("Unique name to use for this sensor. (Optional)"); ?>
</td>
</tr>
<tr>
@@ -555,10 +590,12 @@ function enable_change(enable_change) {
endis = !(document.iform.barnyard_enable.checked || enable_change);
// make sure a default answer is called if this is invoked.
endis2 = (document.iform.barnyard_enable);
+ document.iform.unified2_log_limit.disabled = endis;
document.iform.barnyard_archive_enable.disabled = endis;
document.iform.barnyard_show_year.disabled = endis;
document.iform.barnyard_dump_payload.disabled = endis;
document.iform.barnyard_obfuscate_ip.disabled = endis;
+ document.iform.barnyard_sensor_id.disabled = endis;
document.iform.barnyard_sensor_name.disabled = endis;
document.iform.barnyard_mysql_enable.disabled = endis;
document.iform.barnyard_dbhost.disabled = endis;
diff --git a/config/suricata/suricata_check_for_rule_updates.php b/config/suricata/suricata_check_for_rule_updates.php
index 3cf6b84b..867a7efe 100644
--- a/config/suricata/suricata_check_for_rule_updates.php
+++ b/config/suricata/suricata_check_for_rule_updates.php
@@ -29,6 +29,7 @@
require_once("functions.inc");
require_once("service-utils.inc");
+require_once("guiconfig.inc");
require_once("/usr/local/pkg/suricata/suricata.inc");
global $g, $pkg_interface, $suricata_gui_include, $rebuild_rules;
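Review bot: guiconfig.inc appears to be included for `$rfc2616` and is_rfc2616_code(), which suricata_download_file_url() uses further down; since this script is also run with `$pkg_interface == "console"` (see the error_log branches below), confirm that including guiconfig.inc outside a web request has no side effects such as session or authentication handling in the targeted pfSense release. A one-line comment stating the reason would spare the next reader that investigation: `// guiconfig.inc provides $rfc2616 and is_rfc2616_code() for HTTP status text`.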
@@ -95,6 +96,9 @@ $snort_community_rules_filename = GPLV2_DNLD_FILENAME;
$snort_community_rules_filename_md5 = GPLV2_DNLD_FILENAME . ".md5";
$snort_community_rules_url = GPLV2_DNLD_URL;
+/* Mount the Suricata conf directories R/W so we can modify files there */
+conf_mount_rw();
+
/* Set up Emerging Threats rules filenames and URL */
if ($etpro == "on") {
$emergingthreats_filename = ETPRO_DNLD_FILENAME;
@@ -137,24 +141,12 @@ function suricata_download_file_url($url, $file_out) {
/* It provides logging of returned CURL errors. */
/************************************************/
- global $g, $config, $pkg_interface, $last_curl_error, $fout, $ch, $file_size, $downloaded, $first_progress_update;
+ global $g, $config, $pkg_interface, $last_curl_error, $fout, $ch, $file_size, $downloaded, $first_progress_update, $rfc2616;
// Initialize required variables for the pfSense "read_body()" function
$file_size = 1;
$downloaded = 1;
$first_progress_update = TRUE;
-
-
- // Array of message strings for HTTP Response Codes
- $http_resp_msg = array( 200 => "OK", 202 => "Accepted", 204 => "No Content", 205 => "Reset Content",
- 206 => "Partial Content", 301 => "Moved Permanently", 302 => "Found",
- 305 => "Use Proxy", 307 => "Temporary Redirect", 400 => "Bad Request",
- 401 => "Unauthorized", 402 => "Payment Required", 403 => "Forbidden",
- 404 => "Not Found", 405 => "Method Not Allowed", 407 => "Proxy Authentication Required",
- 408 => "Request Timeout", 410 => "Gone", 500 => "Internal Server Error",
- 501 => "Not Implemented", 502 => "Bad Gateway", 503 => "Service Unavailable",
- 504 => "Gateway Timeout", 505 => "HTTP Version Not Supported" );
-
$last_curl_error = "";
$fout = fopen($file_out, "wb");
@@ -204,8 +196,8 @@ function suricata_download_file_url($url, $file_out) {
if ($rc === false)
$last_curl_error = curl_error($ch);
$http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
- if (isset($http_resp_msg[$http_code]))
- $last_curl_error = $http_resp_msg[$http_code];
+ if (is_rfc2616_code($http_code))
+ $last_curl_error = $rfc2616[$http_code];
curl_close($ch);
fclose($fout);
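Review bot: `$last_curl_error` is overwritten with the status text for every code is_rfc2616_code() recognises, 200 included, so after a successful download the variable holds "OK" rather than an empty string; this mirrors the table the earlier hunk removes, but any caller that treats a non-empty `$last_curl_error` as failure now depends on what `$rfc2616` contains. Restricting the assignment to error responses keeps the variable's meaning, `if ($http_code >= 400 && is_rfc2616_code($http_code))`. suricata_download_file_url()'s body continues outside the hunk.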
@@ -239,7 +231,7 @@ function suricata_check_rule_md5($file_url, $file_dst, $desc = "") {
/* error occurred. */
/**********************************************************/
- global $pkg_interface, $suricata_rules_upd_log, $last_curl_error;
+ global $pkg_interface, $suricata_rules_upd_log, $last_curl_error, $update_errors;
$suricatadir = SURICATADIR;
$filename_md5 = basename($file_dst);
@@ -284,6 +276,7 @@ function suricata_check_rule_md5($file_url, $file_dst, $desc = "") {
if ($pkg_interface == "console")
error_log(gettext("\tServer error message was: {$last_curl_error}\n"), 3, $suricata_rules_upd_log);
error_log(gettext("\t{$desc} will not be updated.\n"), 3, $suricata_rules_upd_log);
+ $update_errors = true;
return false;
}
}
@@ -307,7 +300,7 @@ function suricata_fetch_new_rules($file_url, $file_dst, $file_md5, $desc = "") {
/* FALSE if download was not successful. */
/**********************************************************/
- global $pkg_interface, $suricata_rules_upd_log, $last_curl_error;
+ global $pkg_interface, $suricata_rules_upd_log, $last_curl_error, $update_errors;
$suricatadir = SURICATADIR;
$filename = basename($file_dst);
@@ -337,6 +330,7 @@ function suricata_fetch_new_rules($file_url, $file_dst, $file_md5, $desc = "") {
error_log(gettext("\tDownloaded {$desc} file MD5: " . md5_file($file_dst) . "\n"), 3, $suricata_rules_upd_log);
error_log(gettext("\tExpected {$desc} file MD5: {$file_md5}\n"), 3, $suricata_rules_upd_log);
error_log(gettext("\t{$desc} file download failed. {$desc} will not be updated.\n"), 3, $suricata_rules_upd_log);
+ $update_errors = true;
return false;
}
return true;
@@ -349,13 +343,13 @@ function suricata_fetch_new_rules($file_url, $file_dst, $file_md5, $desc = "") {
if ($pkg_interface == "console")
error_log(gettext("\tThe error text was: {$last_curl_error}\n"), 3, $suricata_rules_upd_log);
error_log(gettext("\t{$desc} will not be updated.\n"), 3, $suricata_rules_upd_log);
+ $update_errors = true;
return false;
}
}
/* Start of main code */
-conf_mount_rw();
/* remove old $tmpfname files if present */
if (is_dir("{$tmpfname}"))
@@ -375,6 +369,7 @@ if (file_exists($suricata_rules_upd_log)) {
/* Log start time for this rules update */
error_log(gettext("Starting rules update... Time: " . date("Y-m-d H:i:s") . "\n"), 3, $suricata_rules_upd_log);
$last_curl_error = "";
+$update_errors = false;
/* Check for and download any new Emerging Threats Rules sigs */
if ($emergingthreats == 'on') {
@@ -426,10 +421,10 @@ if ($emergingthreats == 'on') {
/* Remove the old Emerging Threats rules files */
$eto_prefix = ET_OPEN_FILE_PREFIX;
$etpro_prefix = ET_PRO_FILE_PREFIX;
- array_map('unlink', glob("{$suricatadir}rules/{$eto_prefix}*.rules"));
- array_map('unlink', glob("{$suricatadir}rules/{$etpro_prefix}*.rules"));
- array_map('unlink', glob("{$suricatadir}rules/{$eto_prefix}*ips.txt"));
- array_map('unlink', glob("{$suricatadir}rules/{$etpro_prefix}*ips.txt"));
+ unlink_if_exists("{$suricatadir}rules/{$eto_prefix}*.rules");
+ unlink_if_exists("{$suricatadir}rules/{$etpro_prefix}*.rules");
+ unlink_if_exists("{$suricatadir}rules/{$eto_prefix}*ips.txt");
+ unlink_if_exists("{$suricatadir}rules/{$etpro_prefix}*ips.txt");
// The code below renames ET files with a prefix, so we
// skip renaming the Suricata default events rule files
@@ -488,7 +483,7 @@ if ($snortdownload == 'on') {
if (file_exists("{$tmpfname}/{$snort_filename}")) {
/* Remove the old Snort rules files */
$vrt_prefix = VRT_FILE_PREFIX;
- array_map('unlink', glob("{$suricatadir}rules/{$vrt_prefix}*.rules"));
+ unlink_if_exists("{$suricatadir}rules/{$vrt_prefix}*.rules");
if ($pkg_interface <> "console") {
update_status(gettext("Extracting Snort VRT rules..."));
@@ -715,4 +710,12 @@ conf_mount_ro();
// Restore the state of $pkg_interface
$pkg_interface = $pkg_interface_orig;
+/* Save this update status to the configuration file */
+if ($update_errors)
+ $config['installedpackages']['suricata']['config'][0]['last_rule_upd_status'] = gettext("failed");
+else
+ $config['installedpackages']['suricata']['config'][0]['last_rule_upd_status'] = gettext("success");
+$config['installedpackages']['suricata']['config'][0]['last_rule_upd_time'] = time();
+write_config();
+
?>
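Review bot: `last_rule_upd_status` is stored as the gettext()-translated word, so the saved value depends on the locale in effect when the update ran, and anything that later compares it has to match a translation. Store a fixed token and translate where it is displayed: `$config['installedpackages']['suricata']['config'][0]['last_rule_upd_status'] = $update_errors ? 'failed' : 'success';`, with suricata_download_updates.php calling gettext() on the token when rendering. pfSense's write_config() takes a description as its first argument; passing one, e.g. `write_config("Suricata pkg: saved rules update status");`, makes the config history show which code wrote this change.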
diff --git a/config/suricata/suricata_download_updates.php b/config/suricata/suricata_download_updates.php
index 46030bd0..bae467e4 100644
--- a/config/suricata/suricata_download_updates.php
+++ b/config/suricata/suricata_download_updates.php
@@ -40,6 +40,16 @@ $emergingthreats = $config['installedpackages']['suricata']['config'][0]['enable
$etpro = $config['installedpackages']['suricata']['config'][0]['enable_etpro_rules'];
$snortcommunityrules = $config['installedpackages']['suricata']['config'][0]['snortcommunityrules'];
+/* Get last update information if available */
+if (!empty($config['installedpackages']['suricata']['config'][0]['last_rule_upd_time']))
+ $last_rule_upd_time = date('M-d Y H:i', $config['installedpackages']['suricata']['config'][0]['last_rule_upd_time']);
+else
+ $last_rule_upd_time = gettext("Unknown");
+if (!empty($config['installedpackages']['suricata']['config'][0]['last_rule_upd_status']))
+ $last_rule_upd_status = htmlspecialchars($config['installedpackages']['suricata']['config'][0]['last_rule_upd_status']);
+else
+ $last_rule_upd_status = gettext("Unknown");
+
$snort_rules_file = VRT_DNLD_FILENAME;
$snort_community_rules_filename = GPLV2_DNLD_FILENAME;
@@ -211,6 +221,22 @@ include_once("head.inc");
</tr>
<tr>
<td align="center">
+ <table width="45%" border="0" cellpadding="0" cellspacing="0">
+ <tbody>
+ <tr>
+ <td class="list" align="right"><strong><?php echo gettext("Last Update:");?></strong></td>
+ <td class="list" align="left"><?php echo $last_rule_upd_time;?></td>
+ </tr>
+ <tr>
+ <td class="list" align="right"><strong><?php echo gettext("Result:");?></strong></td>
+ <td class="list" align="left"><?php echo $last_rule_upd_status;?></td>
+ </tr>
+ </tbody>
+ </table>
+ </td>
+ </tr>
+ <tr>
+ <td align="center">
<?php if ($snortdownload != 'on' && $emergingthreats != 'on' && $etpro != 'on'): ?>
<br/><button disabled="disabled"><?=gettext("Check");?></button>&nbsp;&nbsp;&nbsp;&nbsp;
<button disabled="disabled"><?=gettext("Force");?></button>
@@ -226,7 +252,7 @@ include_once("head.inc");
title="<?php echo gettext("Check for new updates to enabled rule sets"); ?>"/>&nbsp;&nbsp;&nbsp;&nbsp;
<input type="submit" value="<?=gettext("Force");?>" name="force" id="force" class="formbtn"
title="<?=gettext("Force an update of all enabled rule sets");?>"
- onclick="return confirm('<?=gettext("This will zero-out the MD5 hashes to force a fresh download of enabled rule sets. Click OK to continue or CANCEL to quit");?>');"/>
+ onclick="return confirm('<?=gettext("This will zero-out the MD5 hashes to force a fresh download of all enabled rule sets. Click OK to continue or CANCEL to quit");?>');"/>
<br/><br/>
<?php endif; ?>
</td>
diff --git a/config/suricata/suricata_generate_yaml.php b/config/suricata/suricata_generate_yaml.php
index 0614adf8..115f0045 100644
--- a/config/suricata/suricata_generate_yaml.php
+++ b/config/suricata/suricata_generate_yaml.php
@@ -226,6 +226,16 @@ if ($suricatacfg['barnyard_enable'] == 'on')
else
$barnyard2_enabled = "no";
+if (isset($suricatacfg['unified2_log_limit']))
+ $unified2_log_limit = "{$suricatacfg['unified2_log_limit']}mb";
+else
+ $unified2_log_limit = "32mb";
+
+if (isset($suricatacfg['barnyard_sensor_id']))
+ $unified2_sensor_id = $suricatacfg['barnyard_sensor_id'];
+else
+ $unified2_sensor_id = "0";
+
// Add interface-specific IP defrag settings
if (!empty($suricatacfg['frag_memcap']))
$frag_memcap = $suricatacfg['frag_memcap'];
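Review bot: Both values go from the saved configuration straight into the YAML; the only validation is in suricata_barnyard.php and, as added there, it runs only while Barnyard2 is enabled, so a value that reached config.xml another way (a restore, a hand edit, or a save made while Barnyard2 was off) is interpolated as-is and can leave the generated file malformed. A cheap guard here keeps the output well-formed regardless of how the value arrived: `if (isset($suricatacfg['unified2_log_limit']) && is_numericint($suricatacfg['unified2_log_limit']) && $suricatacfg['unified2_log_limit'] >= 1)`, and `is_numericint()` likewise on barnyard_sensor_id, falling back to the defaults otherwise.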
diff --git a/config/suricata/suricata_interfaces.php b/config/suricata/suricata_interfaces.php
index 50ca99c1..5e5d8c44 100644
--- a/config/suricata/suricata_interfaces.php
+++ b/config/suricata/suricata_interfaces.php
@@ -190,7 +190,7 @@ include_once("head.inc");
<th class="list">&nbsp;</th>
<th class="listhdrr"><?php echo gettext("Interface"); ?></th>
<th class="listhdrr"><?php echo gettext("Suricata"); ?></th>
- <th class="listhdrr"><?php echo gettext("Pattern Matcher"); ?></th>
+ <th class="listhdrr"><?php echo gettext("Pattern Match"); ?></th>
<th class="listhdrr"><?php echo gettext("Block"); ?></th>
<th class="listhdrr"><?php echo gettext("Barnyard2"); ?></th>
<th class="listhdr"><?php echo gettext("Description"); ?></th>
diff --git a/config/suricata/suricata_interfaces_edit.php b/config/suricata/suricata_interfaces_edit.php
index d7b5a8cb..389566a2 100644
--- a/config/suricata/suricata_interfaces_edit.php
+++ b/config/suricata/suricata_interfaces_edit.php
@@ -40,10 +40,11 @@ if (!is_array($config['installedpackages']['suricata']['rule']))
$config['installedpackages']['suricata']['rule'] = array();
$a_rule = &$config['installedpackages']['suricata']['rule'];
-if ($_GET['id']);
- $id = htmlspecialchars($_GET['id'], ENT_QUOTES | ENT_HTML401);
if ($_POST['id'])
$id = $_POST['id'];
+elseif ($_GET['id']);
+ $id = htmlspecialchars($_GET['id'], ENT_QUOTES | ENT_HTML401);
+
if (is_null($id))
$id = 0;
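Review bot: The `;` after `elseif ($_GET['id'])` on the second added line ends the elseif with an empty body, so the `$id = htmlspecialchars($_GET['id'], ...)` that follows is unconditional and overwrites a POST id with the GET id — or with "" when no id is in the query string, which the is_null() check below does not catch. The same stray semicolon was in the removed lines, but placing it after the POST branch changes which value wins. Replace the two lines with `elseif (isset($_GET['id']) && is_numericint($_GET['id']))` / `$id = $_GET['id'];`, the pattern suricata_rules.php adopts in this same commit; htmlspecialchars() adds nothing once the value is known to be an integer.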
@@ -71,8 +72,8 @@ if (isset($id) && $a_rule[$id]) {
if (empty($pconfig['uuid']))
$pconfig['uuid'] = $suricata_uuid;
}
-// Must be a new interface, so try to pick next available physical interface to use
elseif (isset($id) && !isset($a_rule[$id])) {
+ // Must be a new interface, so try to pick next available physical interface to use
$ifaces = get_configured_interface_list();
$ifrules = array();
foreach($a_rule as $r)
@@ -95,8 +96,6 @@ if (empty($pconfig['blockoffendersip']))
$pconfig['blockoffendersip'] = "both";
if (empty($pconfig['max_pending_packets']))
$pconfig['max_pending_packets'] = "1024";
-if (empty($pconfig['inspect_recursion_limit']))
- $pconfig['inspect_recursion_limit'] = "3000";
if (empty($pconfig['detect_eng_profile']))
$pconfig['detect_eng_profile'] = "medium";
if (empty($pconfig['mpm_algo']))
@@ -127,17 +126,49 @@ if (empty($pconfig['max_pcap_log_files']))
$pconfig['max_pcap_log_files'] = "1000";
if ($_POST["save"]) {
- if (!$_POST['interface'])
+ // If the interface is not enabled, stop any running Suricata
+ // instance on it, save the new state and exit.
+ if (!isset($_POST['enable'])) {
+ if (isset($id) && $a_rule[$id]) {
+ $a_rule[$id]['enable'] = 'off';
+ $a_rule[$id]['interface'] = htmlspecialchars($_POST['interface']);
+ $a_rule[$id]['descr'] = htmlspecialchars($_POST['descr']);
+ suricata_stop($a_rule[$id], get_real_interface($a_rule[$id]['interface']));
+
+ // Save configuration changes
+ write_config();
+
+ // Update suricata.conf and suricata.sh files for this interface
+ sync_suricata_package_config();
+
+ header( 'Expires: Sat, 26 Jul 1997 05:00:00 GMT' );
+ header( 'Last-Modified: ' . gmdate( 'D, d M Y H:i:s' ) . ' GMT' );
+ header( 'Cache-Control: no-store, no-cache, must-revalidate' );
+ header( 'Cache-Control: post-check=0, pre-check=0', false );
+ header( 'Pragma: no-cache' );
+ header("Location: /suricata/suricata_interfaces.php");
+ exit;
+ }
+ }
+
+ // Validate inputs
+ if (!isset($_POST['interface']))
$input_errors[] = gettext("Choosing an Interface is mandatory!");
+ if (isset($_POST['stats_upd_interval']) && !is_numericint($_POST['stats_upd_interval']))
+ $input_errors[] = gettext("The value for Stats Update Interval must contain only digits and evaluate to an integer.");
+
if ($_POST['max_pending_packets'] < 1 || $_POST['max_pending_packets'] > 65000)
$input_errors[] = gettext("The value for Maximum-Pending-Packets must be between 1 and 65,000!");
- if (!empty($_POST['max_pcap_log_size']) && !is_numeric($_POST['max_pcap_log_size']))
+ if (isset($_POST['max_pcap_log_size']) && !is_numeric($_POST['max_pcap_log_size']))
$input_errors[] = gettext("The value for 'Max Packet Log Size' must be numbers only. Do not include any alphabetic characters.");
- if (!empty($_POST['max_pcap_log_files']) && !is_numeric($_POST['max_pcap_log_files']))
- $input_errors[] = gettext("The value for 'Max Packet Log Files' must be numbers only.");
+ if (isset($_POST['max_pcap_log_files']) && !is_numeric($_POST['max_pcap_log_files']))
+ $input_errors[] = gettext("The value for 'Max Packet Log Files' must be numbers only.");
+
+ if (!empty($_POST['inspect_recursion_limit']) && !is_numeric($_POST['inspect_recursion_limit']))
+ $input_errors[] = gettext("The value for Inspect Recursion Limit can either be blank or contain only digits evaluating to an integer greater than or equal to 0.");
// if no errors write to suricata.yaml
if (!$input_errors) {
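Review bot: Switching the pcap-size and pcap-files checks from `!empty()` to `isset()`, and using `isset()` for stats_upd_interval, turns a blank text field into a validation error, because a submitted field is set even when its value is "" — and blank previously meant "use the default", which the `else` branches in the save code further down still implement. Test for a non-blank value instead, e.g. `if (isset($_POST['max_pcap_log_size']) && $_POST['max_pcap_log_size'] !== '' && !is_numeric($_POST['max_pcap_log_size']))`. The new inspect_recursion_limit check uses is_numeric(), which accepts "2.5" and "1e3" although the message promises digits only; is_numericint(), as used for stats_upd_interval a few lines above, matches the message. The disabled-interface branch at the top stores `$_POST['interface']` without checking it against get_configured_interface_list(), so the same interface validation belongs before that write_config() too. The enclosing `if ($_POST["save"])` block continues past the hunk.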
@@ -146,12 +177,12 @@ if ($_POST["save"]) {
$natent['enable'] = $_POST['enable'] ? 'on' : 'off';
$natent['uuid'] = $pconfig['uuid'];
- if ($_POST['descr']) $natent['descr'] = $_POST['descr']; else $natent['descr'] = strtoupper($natent['interface']);
+ if ($_POST['descr']) $natent['descr'] = htmlspecialchars($_POST['descr']); else $natent['descr'] = strtoupper($natent['interface']);
if ($_POST['max_pcap_log_size']) $natent['max_pcap_log_size'] = $_POST['max_pcap_log_size']; else unset($natent['max_pcap_log_size']);
if ($_POST['max_pcap_log_files']) $natent['max_pcap_log_files'] = $_POST['max_pcap_log_files']; else unset($natent['max_pcap_log_files']);
if ($_POST['enable_stats_log'] == "on") { $natent['enable_stats_log'] = 'on'; }else{ $natent['enable_stats_log'] = 'off'; }
if ($_POST['append_stats_log'] == "on") { $natent['append_stats_log'] = 'on'; }else{ $natent['append_stats_log'] = 'off'; }
- if ($_POST['stats_upd_interval']) $natent['stats_upd_interval'] = $_POST['stats_upd_interval']; else $natent['stats_upd_interval'] = "10";
+ if ($_POST['stats_upd_interval'] >= 1) $natent['stats_upd_interval'] = $_POST['stats_upd_interval']; else $natent['stats_upd_interval'] = "10";
if ($_POST['enable_http_log'] == "on") { $natent['enable_http_log'] = 'on'; }else{ $natent['enable_http_log'] = 'off'; }
if ($_POST['append_http_log'] == "on") { $natent['append_http_log'] = 'on'; }else{ $natent['append_http_log'] = 'off'; }
if ($_POST['enable_tls_log'] == "on") { $natent['enable_tls_log'] = 'on'; }else{ $natent['enable_tls_log'] = 'off'; }
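Review bot: Storing `htmlspecialchars($_POST['descr'])` encodes the description once at save time, and the form (the `value="<?=htmlspecialchars($pconfig['descr']); ?>"` line in the `@@ -347,7 +378,7 @@` hunk) encodes it again on display, so an `&` or a quote in a description comes back as `&amp;amp;` or `&amp;quot;` after one edit-and-save round trip and grows on each further save. Keep the stored value raw and escape at every output point instead; the raw echo of `{$instance['descr']}` in suricata_logs_browser.php is the place that needs htmlspecialchars(), not the save path. The same applies to the `htmlspecialchars($_POST['interface'])` and `htmlspecialchars($_POST['descr'])` writes in the disabled-interface branch of the preceding hunk. The enclosing `if (!$input_errors)` block continues outside the hunk.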
@@ -163,7 +194,7 @@ if ($_POST["save"]) {
if ($_POST['enable_tracked_files_md5'] == "on") { $natent['enable_tracked_files_md5'] = 'on'; }else{ $natent['enable_tracked_files_md5'] = 'off'; }
if ($_POST['enable_file_store'] == "on") { $natent['enable_file_store'] = 'on'; }else{ $natent['enable_file_store'] = 'off'; }
if ($_POST['max_pending_packets']) $natent['max_pending_packets'] = $_POST['max_pending_packets']; else unset($natent['max_pending_packets']);
- if ($_POST['inspect_recursion_limit']) $natent['inspect_recursion_limit'] = $_POST['inspect_recursion_limit']; else unset($natent['inspect_recursion_limit']);
+ if ($_POST['inspect_recursion_limit'] >= '0') $natent['inspect_recursion_limit'] = $_POST['inspect_recursion_limit']; else unset($natent['inspect_recursion_limit']);
if ($_POST['detect_eng_profile']) $natent['detect_eng_profile'] = $_POST['detect_eng_profile']; else unset($natent['detect_eng_profile']);
if ($_POST['mpm_algo']) $natent['mpm_algo'] = $_POST['mpm_algo']; else unset($natent['mpm_algo']);
if ($_POST['sgh_mpm_context']) $natent['sgh_mpm_context'] = $_POST['sgh_mpm_context']; else unset($natent['sgh_mpm_context']);
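Review bot: `$_POST['inspect_recursion_limit'] >= '0'` compares two strings, so a value such as "-5" — which passes the is_numeric() check earlier in the save handler — is silently dropped and the default used, while a non-numeric string compares greater than "0" and would be stored had validation not rejected it; a blank value is also treated differently across PHP versions. Make the intent explicit: `if ($_POST['inspect_recursion_limit'] !== '' && $_POST['inspect_recursion_limit'] >= 0)`, which keeps a legitimate "0" and leaves the validation step as the only place a bad value is refused. The enclosing `if (!$input_errors)` block continues outside the hunk.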
@@ -347,7 +378,7 @@ if ($savemsg) {
<td width="22%" valign="top" class="vncellreq"><?php echo gettext("Description"); ?></td>
<td width="78%" class="vtable"><input name="descr" type="text"
class="formfld unknown" id="descr" size="40" value="<?=htmlspecialchars($pconfig['descr']); ?>"/> <br/>
- <span class="vexpl"><?php echo gettext("Enter a meaningful description here for your reference."); ?></span><br/></td>
+ <span class="vexpl"><?php echo gettext("Enter a meaningful description here for your reference. The default is the interface name."); ?></span><br/></td>
</tr>
<tr>
<td colspan="2" class="listtopic"><?php echo gettext("Logging Settings"); ?></td>
@@ -859,6 +890,7 @@ function viewList(id, elemID, elemType) {
}
var url = "suricata_list_view.php?id=" + id + "&wlist=";
url = url + getSelectedValue(elemID) + "&type=" + elemType;
+ url = url + "&time=" + new Date().getTime();
wopen(url, 'WhitelistViewer', 640, 480);
}
diff --git a/config/suricata/suricata_logs_browser.php b/config/suricata/suricata_logs_browser.php
index 9fc24927..f9c34ed0 100644
--- a/config/suricata/suricata_logs_browser.php
+++ b/config/suricata/suricata_logs_browser.php
@@ -150,7 +150,7 @@ if ($input_errors) {
$selected = "";
if ($id == $instanceid)
$selected = "selected";
- echo "<option value='{$id}' {$selected}> (" . convert_friendly_interface_to_friendly_descr($instance['interface']) . "){$instance['descr']}</option>\n";
+ echo "<option value='{$id}' {$selected}> (" . convert_friendly_interface_to_friendly_descr($instance['interface']) . ") {$instance['descr']}</option>\n";
}
?>
</select>&nbsp;&nbsp;<?php echo gettext('Choose which instance logs you want to view.'); ?>
diff --git a/config/suricata/suricata_rules.php b/config/suricata/suricata_rules.php
index 1a0c54b5..567c29ea 100644
--- a/config/suricata/suricata_rules.php
+++ b/config/suricata/suricata_rules.php
@@ -40,10 +40,11 @@ if (!is_array($config['installedpackages']['suricata']['rule']))
$config['installedpackages']['suricata']['rule'] = array();
$a_rule = &$config['installedpackages']['suricata']['rule'];
-if ($_GET['id'])
- $id = $_GET['id'];
-if ($_POST['id'])
+if (isset($_POST['id']))
$id = $_POST['id'];
+elseif (isset($_GET['id']) && is_numericint($_GET['id']))
+ $id = htmlspecialchars($_GET['id']);
+
if (is_null($id)) {
$id = 0;
}
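Review bot: The POST branch accepts any `$_POST['id']` while the GET branch requires is_numericint(), so the stricter check covers only one of the two paths into `$a_rule[$id]`; apply it to both and drop the htmlspecialchars(), which has nothing left to escape once the value is known to be an integer: `if (isset($_POST['id']) && is_numericint($_POST['id'])) $id = $_POST['id'];` / `elseif (isset($_GET['id']) && is_numericint($_GET['id'])) $id = $_GET['id'];`. The same asymmetric pattern is introduced in suricata_rules_flowbits.php, and suricata_rules_edit.php applies htmlspecialchars() to an already-validated integer in the same way. Validating the id does not establish that `$a_rule[$id]` exists; a `!isset($a_rule[$id])` check before the entry is used is the other half.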
@@ -95,6 +96,10 @@ $emergingdownload = $config['installedpackages']['suricata']['config'][0]['enabl
$etpro = $config['installedpackages']['suricata']['config'][0]['enable_etpro_rules'];
$categories = explode("||", $pconfig['rulesets']);
+// Add any previously saved rules files to the categories array
+if (!empty($pconfig['rulesets']))
+ $categories = explode("||", $pconfig['rulesets']);
+
if ($_GET['openruleset'])
$currentruleset = htmlspecialchars($_GET['openruleset'], ENT_QUOTES | ENT_HTML401);
elseif ($_POST['selectbox'])
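Review bot: The new guarded `explode()` duplicates the unconditional `$categories = explode("||", $pconfig['rulesets']);` on the context line just above it, so `$categories` is computed twice and the guard never changes the outcome — for an empty ruleset list the unconditional call has already produced `array("")`. Either remove the unconditional line or turn it into `$categories = array();` so that the `!empty()` branch is what populates the array. This page-setup code runs at file scope.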
@@ -463,7 +468,7 @@ if ($savemsg) {
<td rowspan="5" width="48%" valign="middle"><input type="submit" name="apply" id="apply" value="<?php echo gettext("Apply"); ?>" class="formbtn"
title="<?php echo gettext("Click to rebuild the rules with your changes"); ?>"/><br/><br/>
<span class="vexpl"><span class="red"><strong><?php echo gettext("Note: ") . "</strong></span>" .
- gettext("Suricata must be restarted to activate any SID enable/disable changes made on this tab."); ?></span></td>
+ gettext("When finished, click APPLY to send any SID enable/disable changes made on this tab to the running Suricata process."); ?></span></td>
<td class="vexpl" valign="middle"><?php echo "<input type='image' name='resetcategory[]'
src=\"../themes/{$g['theme']}/images/icons/icon_x.gif\" width=\"15\" height=\"15\"
onmouseout='this.src=\"../themes/{$g['theme']}/images/icons/icon_x.gif\"'
@@ -525,14 +530,14 @@ if ($savemsg) {
<td>
<table id="myTable" class="sortable" style="table-layout: fixed;" width="100%" border="0" cellpadding="0" cellspacing="0">
<colgroup>
- <col width="20" align="left" valign="middle">
+ <col width="14" align="left" valign="middle">
<col width="6%" align="center" axis="number">
- <col width="8%" align="center" axis="number">
+ <col width="9%" align="center" axis="number">
<col width="52" align="center" axis="string">
- <col width="12%" align="center" axis="string">
- <col width="9%" align="center" axis="string">
- <col width="12%" align="center" axis="string">
- <col width="9%" align="center" axis="string">
+ <col width="14%" align="center" axis="string">
+ <col width="10%" align="center" axis="string">
+ <col width="14%" align="center" axis="string">
+ <col width="10%" align="center" axis="string">
<col axis="string">
</colgroup>
<thead>
@@ -542,9 +547,9 @@ if ($savemsg) {
<th class="listhdrr"><?php echo gettext("SID"); ?></th>
<th class="listhdrr"><?php echo gettext("Proto"); ?></th>
<th class="listhdrr"><?php echo gettext("Source"); ?></th>
- <th class="listhdrr"><?php echo gettext("Port"); ?></th>
+ <th class="listhdrr"><?php echo gettext("SPort"); ?></th>
<th class="listhdrr"><?php echo gettext("Destination"); ?></th>
- <th class="listhdrr"><?php echo gettext("Port"); ?></th>
+ <th class="listhdrr"><?php echo gettext("DPort"); ?></th>
<th class="listhdrr"><?php echo gettext("Message"); ?></th>
</tr>
</thead>
@@ -604,36 +609,36 @@ if ($savemsg) {
$message = suricata_get_msg($v['rule']);
$sid_tooltip = gettext("View the raw text for this rule");
- echo "<tr><td class=\"listt\" align=\"left\" valign=\"middle\" sorttable_customkey=\"\">{$textss}
- <input type=\"image\" onClick=\"document.getElementById('sid').value='{$sid}';
+ echo "<tr><td class=\"listt\" align=\"left\" valign=\"middle\" sorttable_customkey=\"\">{$textss}
+ <a id=\"rule_{$gid}_{$sid}\" href='#'><input type=\"image\" onClick=\"document.getElementById('sid').value='{$sid}';
document.getElementById('gid').value='{$gid}';\"
src=\"../themes/{$g['theme']}/images/icons/{$iconb}\" width=\"11\" height=\"11\" border=\"0\"
- title='{$title}' name=\"toggle[]\"/>{$textse}
+ title='{$title}' name=\"toggle[]\"/></a>{$textse}
</td>
- <td class=\"listlr\" align=\"center\" style=\"font-size: 11px;\" ondblclick=\"wopen('suricata_rules_edit.php?id={$id}&openruleset={$currentruleset}&sid={$sid}&gid={$gid}','FileViewer',800,600);\">
+ <td class=\"listr\" style=\"text-align:center;\" ondblclick=\"wopen('suricata_rules_edit.php?id={$id}&openruleset={$currentruleset}&sid={$sid}&gid={$gid}','FileViewer',800,600);\">
{$textss}{$gid}{$textse}
</td>
- <td class=\"listlr\" align=\"center\" style=\"font-size: 11px;\" ondblclick=\"wopen('suricata_rules_edit.php?id={$id}&openruleset={$currentruleset}&sid={$sid}&gid={$gid}','FileViewer',800,600);\">
+ <td class=\"listr\" style=\"text-align:center;\" ondblclick=\"wopen('suricata_rules_edit.php?id={$id}&openruleset={$currentruleset}&sid={$sid}&gid={$gid}','FileViewer',800,600);\">
<a href=\"javascript: void(0)\"
onclick=\"wopen('suricata_rules_edit.php?id={$id}&openruleset={$currentruleset}&sid={$sid}&gid={$gid}','FileViewer',800,600);\"
title='{$sid_tooltip}'>{$textss}{$sid}{$textse}</a>
</td>
- <td class=\"listlr\" align=\"center\" style=\"font-size: 11px;\" ondblclick=\"wopen('suricata_rules_edit.php?id={$id}&openruleset={$currentruleset}&sid={$sid}&gid={$gid}','FileViewer',800,600);\">
+ <td class=\"listr\" style=\"text-align:center;\" ondblclick=\"wopen('suricata_rules_edit.php?id={$id}&openruleset={$currentruleset}&sid={$sid}&gid={$gid}','FileViewer',800,600);\">
{$textss}{$protocol}{$textse}
</td>
- <td class=\"listlr ellipsis\" align=\"center\" style=\"font-size: 11px;\" ondblclick=\"wopen('suricata_rules_edit.php?id={$id}&openruleset={$currentruleset}&sid={$sid}&gid={$gid}','FileViewer',800,600);\">
+ <td class=\"listr ellipsis\" nowrap style=\"text-align:center;\" ondblclick=\"wopen('suricata_rules_edit.php?id={$id}&openruleset={$currentruleset}&sid={$sid}&gid={$gid}','FileViewer',800,600);\">
{$srcspan}{$source}</span>
</td>
- <td class=\"listlr ellipsis\" align=\"center\" style=\"font-size: 11px;\" ondblclick=\"wopen('suricata_rules_edit.php?id={$id}&openruleset={$currentruleset}&sid={$sid}&gid={$gid}','FileViewer',800,600);\">
+ <td class=\"listr ellipsis\" nowrap style=\"text-align:center;\" ondblclick=\"wopen('suricata_rules_edit.php?id={$id}&openruleset={$currentruleset}&sid={$sid}&gid={$gid}','FileViewer',800,600);\">
{$srcprtspan}{$source_port}</span>
</td>
- <td class=\"listlr ellipsis\" align=\"center\" style=\"font-size: 11px;\" ondblclick=\"wopen('suricata_rules_edit.php?id={$id}&openruleset={$currentruleset}&sid={$sid}&gid={$gid}','FileViewer',800,600);\">
+ <td class=\"listr ellipsis\" nowrap style=\"text-align:center;\" ondblclick=\"wopen('suricata_rules_edit.php?id={$id}&openruleset={$currentruleset}&sid={$sid}&gid={$gid}','FileViewer',800,600);\">
{$dstspan}{$destination}</span>
</td>
- <td class=\"listlr ellipsis\" align=\"center\" style=\"font-size: 11px;\" ondblclick=\"wopen('suricata_rules_edit.php?id={$id}&openruleset={$currentruleset}&sid={$sid}&gid={$gid}','FileViewer',800,600);\">
+ <td class=\"listr ellipsis\" nowrap style=\"text-align:center;\" ondblclick=\"wopen('suricata_rules_edit.php?id={$id}&openruleset={$currentruleset}&sid={$sid}&gid={$gid}','FileViewer',800,600);\">
{$dstprtspan}{$destination_port}</span>
</td>
- <td class=\"listbg\" style=\"word-wrap:break-word; whitespace:pre-line; font-size: 11px; font-color: white;\" ondblclick=\"wopen('suricata_rules_edit.php?id={$id}&openruleset={$currentruleset}&sid={$sid}&gid={$gid}','FileViewer',800,600);\">
+ <td class=\"listbg\" style=\"word-wrap:break-word; whitespace:pre-line;\" ondblclick=\"wopen('suricata_rules_edit.php?id={$id}&openruleset={$currentruleset}&sid={$sid}&gid={$gid}','FileViewer',800,600);\">
{$textss}{$message}{$textse}
</td>
</tr>";
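Review bot: Wrapping the `<input type="image" name="toggle[]">` in `<a id="rule_{$gid}_{$sid}" href='#'>` nests interactive content inside an anchor, which is invalid HTML and means a click both submits the form through the image input and follows `href='#'`; which of the two a browser honours is not reliable. If the id exists only as a scroll target for returning to the toggled row, an empty anchor before the input, `<a id=\"rule_{$gid}_{$sid}\"></a><input type=\"image\" ...>`, or the id on the `<tr>`, gives the same target without the nested control. The loop that sets `$textss`, `$iconb` and `$title` begins above the hunk.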
diff --git a/config/suricata/suricata_rules_edit.php b/config/suricata/suricata_rules_edit.php
index ad6b2986..b61c2f3a 100644
--- a/config/suricata/suricata_rules_edit.php
+++ b/config/suricata/suricata_rules_edit.php
@@ -33,31 +33,28 @@ require_once("/usr/local/pkg/suricata/suricata.inc");
$flowbit_rules_file = FLOWBITS_FILENAME;
$suricatadir = SURICATADIR;
-if (!is_array($config['installedpackages']['suricata']['rule'])) {
- $config['installedpackages']['suricata']['rule'] = array();
-}
-$a_rule = &$config['installedpackages']['suricata']['rule'];
+if (isset($_GET['id']) && is_numericint($_GET['id']))
+ $id = htmlspecialchars($_GET['id']);
-$id = $_GET['id'];
+// If we were not passed a valid index ID, close the pop-up and exit
if (is_null($id)) {
- header("Location: /suricata/suricata_interfaces.php");
+ echo '<html><body link="#000000" vlink="#000000" alink="#000000">';
+ echo '<script language="javascript" type="text/javascript">';
+ echo 'window.close();</script>';
+ echo '</body></html>';
exit;
}
-if (isset($id) && $a_rule[$id]) {
- $pconfig['enable'] = $a_rule[$id]['enable'];
- $pconfig['interface'] = $a_rule[$id]['interface'];
- $pconfig['rulesets'] = $a_rule[$id]['rulesets'];
-}
-else {
- header("Location: /suricata/suricata_interfaces.php");
- exit;
+if (!is_array($config['installedpackages']['suricata']['rule'])) {
+ $config['installedpackages']['suricata']['rule'] = array();
}
-/* convert fake interfaces to real */
-$if_real = get_real_interface($pconfig['interface']);
+$a_rule = &$config['installedpackages']['suricata']['rule'];
+
+$if_real = get_real_interface($a_rule[$id]['interface']);
$suricata_uuid = $a_rule[$id]['uuid'];
-$suricatacfgdir = "{$suricatadir}suricata_{$suricata_uuid}_{$if_real}";
+$suricatacfgdir = "{$suricatadir}suricata_{$suricata_uuid}_{$if_real}/";
+
$file = htmlspecialchars($_GET['openruleset'], ENT_QUOTES | ENT_HTML401);
$contents = '';
$wrap_flag = "off";
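Review bot: The removed lines checked that `$a_rule[$id]` exists and redirected otherwise; the new code only checks that `$id` is an integer and then reads `$a_rule[$id]['interface']` and `['uuid']` unconditionally, so a well-formed but unknown id yields get_real_interface(null) and a `$suricatacfgdir` of `{$suricatadir}suricata__/` instead of closing the pop-up. Move the three `$a_rule` setup lines above the guard and widen it to `if (is_null($id) || !isset($a_rule[$id])) {` so both cases take the close-window path. The htmlspecialchars() on a value that has just passed is_numericint() is redundant; `$id = $_GET['id'];` is enough.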
@@ -73,13 +70,13 @@ else
// a standard rules file, or a complete file name.
// Test for the special case of an IPS Policy file.
if (substr($file, 0, 10) == "IPS Policy") {
- $rules_map = suricata_load_vrt_policy($a_rule[$id]['ips_policy']);
- if (isset($_GET['ids'])) {
- $contents = $rules_map[$_GET['gid']][trim($_GET['ids'])]['rule'];
+ $rules_map = suricata_load_vrt_policy(strtolower(trim(substr($file, strpos($file, "-")+1))));
+ if (isset($_GET['sid']) && is_numericint($_GET['sid']) && isset($_GET['gid']) && is_numericint($_GET['gid'])) {
+ $contents = $rules_map[$_GET['gid']][trim($_GET['sid'])]['rule'];
$wrap_flag = "soft";
}
else {
- $contents = "# Suricata IPS Policy - " . ucfirst($a_rule[$id]['ips_policy']) . "\n\n";
+ $contents = "# Suricata IPS Policy - " . ucfirst(trim(substr($file, strpos($file, "-")+1))) . "\n\n";
foreach (array_keys($rules_map) as $k1) {
foreach (array_keys($rules_map[$k1]) as $k2) {
$contents .= "# Category: " . $rules_map[$k1][$k2]['category'] . " SID: {$k2}\n";
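Review bot: The IPS policy name passed to `suricata_load_vrt_policy()` on the first added line is now parsed out of `$file`, i.e. out of the request's `openruleset` parameter, whereas the removed line took it from the stored per-interface config; if that function uses the name to locate a policy file, the parsed value should be checked against the policy names the package recognizes before the call rather than used as supplied. The same `trim(substr($file, strpos($file, "-")+1))` expression is repeated in the `else` branch, and a `strpos()` result of `false` silently becomes `substr($file, 1)`; computing it once as `$policy = trim(substr($file, strpos($file, "-") + 1));` right after the `substr($file, 0, 10)` test, guarded by a check that the dash was found, keeps both uses in step. The sid/gid validation added here is repeated verbatim on the `elseif` in the next hunk; a single `$sid_gid_ok = isset($_GET['sid']) && is_numericint($_GET['sid']) && isset($_GET['gid']) && is_numericint($_GET['gid']);` computed before the `if` would serve both branches, after which `trim($_GET['sid'])` is redundant. The enclosing if/elseif chain begins before this hunk and continues past it.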
@@ -90,7 +87,7 @@ if (substr($file, 0, 10) == "IPS Policy") {
unset($rules_map);
}
// Is it a SID to load the rule text from?
-elseif (isset($_GET['sid']) && is_numeric(trim($_GET['sid']))) {
+elseif (isset($_GET['sid']) && is_numericint($_GET['sid']) && isset($_GET['gid']) && is_numericint($_GET['gid'])) {
// If flowbit rule, point to interface-specific file
if ($file == "Auto-Flowbit Rules")
$rules_map = suricata_load_rules_map("{$suricatacfgdir}rules/" . FLOWBITS_FILENAME);
diff --git a/config/suricata/suricata_rules_flowbits.php b/config/suricata/suricata_rules_flowbits.php
index 53019894..6470ff4b 100644
--- a/config/suricata/suricata_rules_flowbits.php
+++ b/config/suricata/suricata_rules_flowbits.php
@@ -43,8 +43,8 @@ $a_nat = &$config['installedpackages']['suricata']['rule'];
if (isset($_POST['id']))
$id = $_POST['id'];
-elseif (isset($_GET['id']))
- $id = $_GET['id'];
+elseif (isset($_GET['id']) && is_numericint($_GET['id']))
+ $id = htmlspecialchars($_GET['id']);
if (is_null($id)) {
header("Location: /suricata/suricata_interfaces.php");
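Review bot: Only the `$_GET['id']` branch gains the `is_numericint()` check; the `$_POST['id']` branch two lines above still accepts any value, and the result is used as an index into `$a_nat`, so the same validation belongs on both sources: `if (isset($_POST['id']) && is_numericint($_POST['id']))`. When neither parameter passes, `$id` is never assigned and the `is_null($id)` test below reads an undefined variable; an explicit `$id = null;` before the chain makes the redirect path deliberate. A later hunk in this file removes the hidden `id` input from the form, so it is worth confirming that the `$_POST['id']` branch is still reachable from that form at all.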
@@ -205,13 +205,13 @@ if ($savemsg)
</tr>
<tr>
<td>
- <table id="myTable" width="100%" class="sortable" border="1" cellpadding="0" cellspacing="0">
+ <table id="myTable" width="100%" class="sortable" style="table-layout: fixed;" border="0" cellpadding="0" cellspacing="0">
<colgroup>
<col width="11%" axis="number">
- <col width="10%" axis="string">
+ <col width="52" axis="string">
<col width="14%" axis="string">
<col width="14%" axis="string">
- <col width="20%" axis="string">
+ <col width="24%" axis="string">
<col axis="string">
</colgroup>
<thead>
@@ -263,11 +263,11 @@ if ($savemsg)
// Use "echo" to write the table HTML row-by-row.
echo "<tr>" .
"<td class=\"listr\" sorttable_customkey=\"{$sid}\">{$sid}&nbsp;{$supplink}</td>" .
- "<td class=\"listr\">{$protocol}</td>" .
- "<td class=\"listr ellipsis\"><span title=\"{$rule_content[2]}\">{$source}</span></td>" .
- "<td class=\"listr ellipsis\"><span title=\"{$rule_content[5]}\">{$destination}</span></td>" .
+ "<td class=\"listr\" style=\"text-align:center;\">{$protocol}</td>" .
+ "<td class=\"listr ellipsis\" nowrap style=\"text-align:center;\"><span title=\"{$rule_content[2]}\">{$source}</span></td>" .
+ "<td class=\"listr ellipsis\" nowrap style=\"text-align:center;\"><span title=\"{$rule_content[5]}\">{$destination}</span></td>" .
"<td class=\"listr\" style=\"word-wrap:break-word; word-break:normal;\">{$flowbits}</td>" .
- "<td class=\"listr\" style=\"word-wrap:break-word; word-break:normal;\">{$message}</td>" .
+ "<td class=\"listbg\" style=\"word-wrap:break-word; word-break:normal;\">{$message}</td>" .
"</tr>";
$count++;
}
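Review bot: The added `nowrap` attribute on the source and destination cells is the presentational HTML attribute; since those cells already carry a `style` attribute, `style="text-align:center; white-space:nowrap;"` expresses the same thing where the rest of the row keeps its layout and avoids mixing the two mechanisms. Whether `white-space:nowrap` together with the `ellipsis` class still truncates the `<span>` contents as before depends on that class's definition, which is outside this hunk. The loop enclosing this `echo` starts before the hunk.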
@@ -283,7 +283,6 @@ if ($savemsg)
<td align="center" valign="middle">
<input id="cancel" name="cancel" type="submit" class="formbtn" <?php
echo "value=\"" . gettext("Return") . "\" title=\"" . gettext("Return to previous page") . "\""; ?>/>
- <input name="id" type="hidden" value="<?=$id;?>" />
</td>
</tr>
<?php endif; ?>
diff --git a/config/suricata/suricata_suppress.php b/config/suricata/suricata_suppress.php
index e97006dc..12227f3d 100644
--- a/config/suricata/suricata_suppress.php
+++ b/config/suricata/suricata_suppress.php
@@ -122,7 +122,7 @@ if ($input_errors) {
$tab_array[] = array(gettext("Suricata Interfaces"), false, "/suricata/suricata_interfaces.php");
$tab_array[] = array(gettext("Global Settings"), false, "/suricata/suricata_global.php");
$tab_array[] = array(gettext("Update Rules"), false, "/suricata/suricata_download_updates.php");
- $tab_array[] = array(gettext("Alerts"), false, "/suricata/suricata_alerts.php?instance={$instanceid}");
+ $tab_array[] = array(gettext("Alerts"), false, "/suricata/suricata_alerts.php");
$tab_array[] = array(gettext("Suppress"), true, "/suricata/suricata_suppress.php");
$tab_array[] = array(gettext("Logs Browser"), false, "/suricata/suricata_logs_browser.php");
display_top_tabs($tab_array);
diff --git a/config/suricata/suricata_suppress_edit.php b/config/suricata/suricata_suppress_edit.php
index c2c23f10..3d5bad27 100644
--- a/config/suricata/suricata_suppress_edit.php
+++ b/config/suricata/suricata_suppress_edit.php
@@ -142,7 +142,7 @@ if ($savemsg)
$tab_array[] = array(gettext("Interfaces"), false, "/suricata/suricata_interfaces.php");
$tab_array[] = array(gettext("Global Settings"), false, "/suricata/suricata_global.php");
$tab_array[] = array(gettext("Update Rules"), false, "/suricata/suricata_download_updates.php");
- $tab_array[] = array(gettext("Alerts"), false, "/suricata/suricata_alerts.php?instance={$instanceid}");
+ $tab_array[] = array(gettext("Alerts"), false, "/suricata/suricata_alerts.php");
$tab_array[] = array(gettext("Suppress"), true, "/suricata/suricata_suppress.php");
display_top_tabs($tab_array);
?>
diff --git a/config/suricata/suricata_yaml_template.inc b/config/suricata/suricata_yaml_template.inc
index e62c48eb..07ada36e 100644
--- a/config/suricata/suricata_yaml_template.inc
+++ b/config/suricata/suricata_yaml_template.inc
@@ -40,9 +40,8 @@ outputs:
- unified2-alert:
enabled: {$barnyard2_enabled}
filename: unified2.alert
- limit: 32mb
- # Sensor ID field of unified2 alerts.
- sensor-id: 0
+ limit: {$unified2_log_limit}
+ sensor-id: {$unified2_sensor_id}
- http-log:
enabled: {$http_log_enabled}