Diffstat (limited to 'config/suricata/suricata.inc')
-rw-r--r-- | config/suricata/suricata.inc | 178 |
1 files changed, 41 insertions, 137 deletions
diff --git a/config/suricata/suricata.inc b/config/suricata/suricata.inc
index 95b95711..b87e2f6a 100644
--- a/config/suricata/suricata.inc
+++ b/config/suricata/suricata.inc
@@ -29,6 +29,7 @@
 require_once("pfsense-utils.inc");
 require_once("config.inc");
 require_once("functions.inc");
+require_once("services.inc");
 require_once("service-utils.inc");
 require_once("pkg-utils.inc");
 require_once("filter.inc");
@@ -74,7 +75,7 @@ function suricata_generate_id() {
 function suricata_is_running($suricata_uuid, $if_real, $type = 'suricata') {
 global $config, $g;
- if (file_exists("{$g['varrun_path']}/{$type}_{$if_real}{$suricata_uuid}.pid") && isvalidpid("{$g['varrun_path']}/{$type}_{$if_real}{$suricata_uuid}.pid"))
+ if (isvalidpid("{$g['varrun_path']}/{$type}_{$if_real}{$suricata_uuid}.pid"))
 return 'yes';
 else
 return 'no';
@@ -84,9 +85,9 @@ function suricata_barnyard_stop($suricatacfg, $if_real) {
 global $config, $g;
 $suricata_uuid = $suricatacfg['uuid'];
- if (file_exists("{$g['varrun_path']}/barnyard2_{$if_real}{$suricata_uuid}.pid") && isvalidpid("{$g['varrun_path']}/barnyard2_{$if_real}{$suricata_uuid}.pid")) {
+ if (isvalidpid("{$g['varrun_path']}/barnyard2_{$if_real}{$suricata_uuid}.pid")) {
 log_error("[Suricata] Barnyard2 STOP for {$suricatacfg['descr']}({$if_real})...");
- exec("/bin/pkill -TERM -F {$g['varrun_path']}/barnyard2_{$if_real}{$suricata_uuid}.pid");
+ killbypid("{$g['varrun_path']}/barnyard2_{$if_real}{$suricata_uuid}.pid");
 }
 }
@@ -94,14 +95,15 @@ function suricata_stop($suricatacfg, $if_real) {
 global $config, $g;
 $suricata_uuid = $suricatacfg['uuid'];
- if (file_exists("{$g['varrun_path']}/suricata_{$if_real}{$suricata_uuid}.pid") && isvalidpid("{$g['varrun_path']}/suricata_{$if_real}{$suricata_uuid}.pid")) {
+ if (isvalidpid("{$g['varrun_path']}/suricata_{$if_real}{$suricata_uuid}.pid")) {
 log_error("[Suricata] Suricata STOP for {$suricatacfg['descr']}({$if_real})...");
- exec("/bin/pkill -TERM -F {$g['varrun_path']}/suricata_{$if_real}{$suricata_uuid}.pid");
- sleep(1);
- }
- if (file_exists("{$g['varrun_path']}/suricata_{$if_real}{$suricata_uuid}.pid") && isvalidpid("{$g['varrun_path']}/suricata_{$if_real}{$suricata_uuid}.pid"))
- exec("/bin/pkill -TERM -F {$g['varrun_path']}/suricata_{$if_real}{$suricata_uuid}.pid");
+ killbypid("{$g['varrun_path']}/suricata_{$if_real}{$suricata_uuid}.pid");
+ sleep(2);
+ // For some reason Suricata seems to need a double TERM signal to actually shutdown
+ if (isvalidpid("{$g['varrun_path']}/suricata_{$if_real}{$suricata_uuid}.pid"))
+ killbypid("{$g['varrun_path']}/suricata_{$if_real}{$suricata_uuid}.pid");
+ }
 // Stop Barnyard2 on the interface if running
 suricata_barnyard_stop($suricatacfg, $if_real);
 }
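Review bot: After the second `killbypid()` nothing confirms that Suricata actually exited: the new block sends TERM, sleeps a fixed two seconds, sends TERM again if `isvalidpid()` still succeeds, then falls through to the Barnyard2 stop and returns with nothing logged, so a process that ignores both signals is left running on the interface while the caller believes it stopped and the PID file presumably still reports it as valid. The fixed `sleep(2)` is also a guess that is too short on a loaded box and wasted on an idle one. I would keep the double TERM the comment describes but follow it with a bounded poll of `isvalidpid()` and a `log_error` when the process is still alive, and hoist the pid-file path, which the hunk spells out five times, into a local.
```php
	$pidfile = "{$g['varrun_path']}/suricata_{$if_real}{$suricata_uuid}.pid";
	if (isvalidpid($pidfile)) {
		log_error("[Suricata] Suricata STOP for {$suricatacfg['descr']}({$if_real})...");
		killbypid($pidfile);
		sleep(2);
		// For some reason Suricata seems to need a double TERM signal to actually shutdown
		if (isvalidpid($pidfile))
			killbypid($pidfile);
		// Bounded wait so a process that ignores TERM is reported rather than silently left running
		for ($waited = 0; $waited < 10 && isvalidpid($pidfile); $waited++)
			sleep(1);
		if (isvalidpid($pidfile))
			log_error("[Suricata] Suricata for {$suricatacfg['descr']}({$if_real}) is still running after SIGTERM; check {$pidfile}.");
	}
	// … unchanged: Barnyard2 stop …
```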
@@ -158,9 +160,10 @@ function suricata_reload_config($suricatacfg, $signal="USR2") {
 /* Only send the SIGUSR2 if Suricata is running and */
 /* we can find a valid PID for the process. */
 /******************************************************/
- if (file_exists("{$g['varrun_path']}/suricata_{$if_real}{$suricata_uuid}.pid") && isvalidpid("{$g['varrun_path']}/suricata_{$if_real}{$suricata_uuid}.pid")) {
+ if (isvalidpid("{$g['varrun_path']}/suricata_{$if_real}{$suricata_uuid}.pid")) {
 log_error("[Suricata] Suricata LIVE RULE RELOAD initiated for {$suricatacfg['descr']} ({$if_real})...");
- exec("/bin/pkill -{$signal} -F {$g['varrun_path']}/suricata_{$if_real}{$suricata_uuid}.pid 2>&1 &");
+ sigkillbypid("{$g['varrun_path']}/suricata_{$if_real}{$suricata_uuid}.pid", $signal);
+// exec("/bin/pkill -{$signal} -F {$g['varrun_path']}/suricata_{$if_real}{$suricata_uuid}.pid 2>&1 &");
 }
 }
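Review bot: `$signal` is still handed to a process-signalling helper without any validation; the removed line shows it used to be interpolated straight into a `/bin/pkill -{$signal}` shell command, and if `sigkillbypid()` in services.inc builds its command the same way the parameter remains shell-reachable, now one call deeper where it is harder to notice. The function takes it as an argument with a default and no caller is visible in this diff, so guard it before the call, e.g. `if (!in_array($signal, array('USR2', 'HUP'), true)) return;` or at minimum `if (!preg_match('/^[A-Z0-9]+$/', $signal)) return;`. The commented-out `// exec(...)` line left under the new call is dead code and a ready-made shell path for the next maintainer to re-enable; delete it. suricata_reload_config's body starts before this hunk.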
@@ -186,63 +189,34 @@ function suricata_barnyard_reload_config($suricatacfg, $signal="HUP") {
 /* Only send the SIGHUP if Barnyard2 is running and */
 /* we can find a valid PID for the process. */
 /******************************************************/
- if (file_exists("{$g['varrun_path']}/barnyard2_{$if_real}{$suricata_uuid}.pid") && isvalidpid("{$g['varrun_path']}/barnyard2_{$if_real}{$suricata_uuid}.pid")) {
+ if (isvalidpid("{$g['varrun_path']}/barnyard2_{$if_real}{$suricata_uuid}.pid")) {
 log_error("[Suricata] Barnyard2 CONFIG RELOAD initiated for {$suricatacfg['descr']} ({$if_real})...");
- exec("/bin/pkill -{$signal} -F {$g['varrun_path']}/barnyard2_{$if_real}{$suricata_uuid}.pid 2>&1 &");
+ sigkillbypid("{$g['varrun_path']}/barnyard2_{$if_real}{$suricata_uuid}.pid", $signal);
+// exec("/bin/pkill -{$signal} -F {$g['varrun_path']}/barnyard2_{$if_real}{$suricata_uuid}.pid 2>&1 &");
 }
 }
 function suricata_get_friendly_interface($interface) {
- if (function_exists('convert_friendly_interface_to_friendly_descr'))
- $iface = convert_friendly_interface_to_friendly_descr($interface);
- else {
- if (!$interface || ($interface == "wan"))
- $iface = "WAN";
- else if(strtolower($interface) == "lan")
- $iface = "LAN";
- else if(strtolower($interface) == "pppoe")
- $iface = "PPPoE";
- else if(strtolower($interface) == "pptp")
- $iface = "PPTP";
- else
- $iface = strtoupper($interface);
- }
-
- return $iface;
+ // Pass this directly to the system for now.
+ // Later, this wrapper will be removed and all
+ // the Suricata code changed to use the system call.
+ return convert_friendly_interface_to_friendly_descr($interface);
 }
 function suricata_get_real_interface($interface) {
- global $config;
-
- $lc_interface = strtolower($interface);
- if (function_exists('get_real_interface'))
- return get_real_interface($lc_interface);
- else {
- if ($lc_interface == "lan") {
- if ($config['inerfaces']['lan'])
- return $config['interfaces']['lan']['if'];
- return $interface;
- }
- if ($lc_interface == "wan")
- return $config['interfaces']['wan']['if'];
- $ifdescrs = array();
- for ($j = 1; isset($config['interfaces']['opt' . $j]); $j++) {
- $ifname = "opt{$j}";
- if(strtolower($ifname) == $lc_interface)
- return $config['interfaces'][$ifname]['if'];
- if(isset($config['interfaces'][$ifname]['descr']) && (strtolower($config['interfaces'][$ifname]['descr']) == $lc_interface))
- return $config['interfaces'][$ifname]['if'];
- }
- }
- return $interface;
+ // Pass this directly to the system for now.
+ // Later, this wrapper will be removed and all
+ // the Suricata code changed to use the system call.
+ return get_real_interface($interface);
 }
 function suricata_get_blocked_ips() {
+ // This is a placeholder function for later use.
+ // Blocking is not currently enabled in Suricata.
 return array();
-
 }
 /* func builds custom white lists */
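Review bot: The three-line comments added to `suricata_get_friendly_interface` and `suricata_get_real_interface` say the wrappers are going away but do not mark them in a way tooling or a new caller will notice; replace each with a PHPDoc block carrying the tag, e.g. `/** @deprecated Thin pass-through kept for existing callers; call convert_friendly_interface_to_friendly_descr() directly. */` and the equivalent naming `get_real_interface()` for the second. The old bodies fell back to hand-rolled mapping when the system function was absent, and the new ones call it unconditionally, so the deprecation note is also the place to record that the system functions are now a hard requirement. `suricata_get_blocked_ips` returns an empty array with a comment saying blocking is not enabled, but a caller cannot tell "nothing blocked" from "blocking unavailable" from that value; say in its comment which meaning callers should assume. The commented-out `// exec(` line under the Barnyard2 `sigkillbypid` call is dead code and should be removed rather than kept as a second shell-based path.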
@@ -451,18 +425,9 @@ function suricata_build_list($suricatacfg, $listname = "", $whitelist = false) {
 function suricata_rules_up_install_cron($should_install) {
 global $config, $g;
- if(!$config['cron']['item'])
- $config['cron']['item'] = array();
+ $command = "/usr/bin/nice -n20 /usr/local/bin/php -f /usr/local/www/suricata/suricata_check_for_rule_updates.php";
- $x=0;
- $is_installed = false;
- foreach($config['cron']['item'] as $item) {
- if (strstr($item['command'], "suricata_check_for_rule_updates.php")) {
- $is_installed = true;
- break;
- }
- $x++;
- }
+ // Get auto-rule update parameter from configuration
 $suricata_rules_up_info_ck = $config['installedpackages']['suricata']['config'][0]['autoruleupdate'];
 // See if a customized start time has been set for rule file updates
@@ -525,65 +490,14 @@ function suricata_rules_up_install_cron($should_install) {
 $suricata_rules_up_month = "*";
 $suricata_rules_up_wday = "*";
 }
- switch($should_install) {
- case true:
- $cron_item = array();
- $cron_item['minute'] = $suricata_rules_up_min;
- $cron_item['hour'] = $suricata_rules_up_hr;
- $cron_item['mday'] = $suricata_rules_up_mday;
- $cron_item['month'] = $suricata_rules_up_month;
- $cron_item['wday'] = $suricata_rules_up_wday;
- $cron_item['who'] = "root";
- $cron_item['command'] = "/usr/bin/nice -n20 /usr/local/bin/php -f /usr/local/www/suricata/suricata_check_for_rule_updates.php";
-
- // Add cron job if not already installed, else just update the existing one
- if (!$is_installed)
- $config['cron']['item'][] = $cron_item;
- elseif ($is_installed)
- $config['cron']['item'][$x] = $cron_item;
- break;
- case false:
- if($is_installed == true)
- unset($config['cron']['item'][$x]);
- break;
- }
+
+ // System call to manage the cron job.
+ install_cron_job($command, $should_install, $suricata_rules_up_min, $suricata_rules_up_hr, $suricata_rules_up_mday, $suricata_rules_up_month, $suricata_rules_up_wday, "root");
 }
 function suricata_loglimit_install_cron($should_install) {
- global $config, $g;
-
- if (!is_array($config['cron']['item']))
- $config['cron']['item'] = array();
- $x=0;
- $is_installed = false;
- foreach($config['cron']['item'] as $item) {
- if (strstr($item['command'], 'suricata_check_cron_misc.inc')) {
- $is_installed = true;
- break;
- }
- $x++;
- }
-
- switch($should_install) {
- case true:
- if(!$is_installed) {
- $cron_item = array();
- $cron_item['minute'] = "*/5";
- $cron_item['hour'] = "*";
- $cron_item['mday'] = "*";
- $cron_item['month'] = "*";
- $cron_item['wday'] = "*";
- $cron_item['who'] = "root";
- $cron_item['command'] = "/usr/bin/nice -n20 /usr/local/bin/php -f /usr/local/pkg/suricata/suricata_check_cron_misc.inc";
- $config['cron']['item'][] = $cron_item;
- }
- break;
- case false:
- if($is_installed == true)
- unset($config['cron']['item'][$x]);
- break;
- }
+ install_cron_job("/usr/bin/nice -n20 /usr/local/bin/php -f /usr/local/pkg/suricata/suricata_check_cron_misc.inc", $should_install, "*/5");
 }
 function sync_suricata_package_config() {
@@ -617,13 +531,9 @@ function sync_suricata_package_config() { suricata_create_rc(); $suricataglob = $config['installedpackages']['suricata']['config'][0]; - + // setup the log directory size check job if enabled suricata_loglimit_install_cron($suricataglob['suricataloglimit'] == 'on' ? true : false); - - // set the suricata block hosts time IMPORTANT -// suricata_rm_blocked_install_cron($suricataglob['rm_blocked'] != "never_b" ? true : false); - - // set the suricata rules update time + // setup the suricata rules update job if enabled suricata_rules_up_install_cron($suricataglob['autoruleupdate'] != "never_up" ? true : false); write_config();
@@ -781,6 +691,7 @@ function suricata_post_delete_logs($suricata_uuid = 0) {
 unset($filelist[count($filelist) - 1]);
 foreach ($filelist as $file)
 @unlink($file);
+ unset($filelist);
 }
 }
 }
@@ -1946,11 +1857,9 @@ esac
 EOD;
 // Write out the suricata.sh script file
- if (!@file_put_contents("{$rcdir}/suricata.sh", $suricata_sh_text)) {
- log_error("Could not open {$rcdir}/suricata.sh for writing.");
- return;
- }
+ @file_put_contents("{$rcdir}/suricata.sh", $suricata_sh_text);
 @chmod("{$rcdir}/suricata.sh", 0755);
+ unset($suricata_sh_text);
 }
 function suricata_generate_barnyard2_conf($suricatacfg, $if_real) {
@@ -2051,6 +1960,7 @@ EOD;
 /* Write out barnyard2_conf text string to disk */
 @file_put_contents("{$suricatadir}/barnyard2.conf", $barnyard2_conf_text);
+ unset($barnyard2_conf_text);
 }
 function suricata_generate_yaml($suricatacfg) {
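Review bot: `suricata_rules_up_install_cron` and `suricata_loglimit_install_cron` are now one-line delegations to `install_cron_job`, yet neither carries a docblock, and the bare boolean `$should_install` is the only thing deciding whether a root cron entry is created or removed; add `/** @param bool $should_install true installs or refreshes the root cron entry, false removes it. */` to each. The loglimit call passes only the command, the flag and `"*/5"`, so the hour/mday/month/wday fields and the user presumably come from the helper's defaults; a one-line comment such as `// every 5 minutes; remaining schedule fields and the user are left to install_cron_job's defaults` makes the effective schedule visible without opening services.inc. The old code located an existing entry by substring on the script name, while the new helper receives the full command string, so if it matches on the whole string a previously installed entry with a different prefix would be left orphaned, which is worth confirming once on an upgraded box. suricata_rules_up_install_cron starts before this hunk.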
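Review bot: The write of the rc.d start script is now unchecked: the removed lines logged and bailed out when `file_put_contents` failed, while the new `@file_put_contents("{$rcdir}/suricata.sh", $suricata_sh_text);` discards the result and `@chmod(..., 0755)` then runs against whatever file is already there, so a failed write (read-only or full filesystem) silently leaves a stale startup script in place and marked executable. Keep the check while still suppressing the PHP warning: `if (@file_put_contents("{$rcdir}/suricata.sh", $suricata_sh_text) === false) { log_error("Could not write {$rcdir}/suricata.sh."); return; }` ahead of the chmod, comparing with `=== false` rather than `!` so a legitimately short write is not mistaken for failure. The function and the heredoc it writes start before this hunk.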
@@ -2096,14 +2006,8 @@ function suricata_generate_yaml($suricatacfg) {
 include("/usr/local/pkg/suricata/suricata_yaml_template.inc");
 // Now write out the conf file using $suricata_conf_text contents
- $conf = fopen("{$suricatacfgdir}/suricata.yaml", "w");
- if(!$conf) {
- log_error("Could not open {$suricatacfgdir}/suricata.yaml for writing.");
- return -1;
- }
- fwrite($conf, $suricata_conf_text);
- fclose($conf);
-
+ @file_put_contents("{$suricatacfgdir}/suricata.yaml", $suricata_conf_text);
+ unset($suricata_conf_text);
 conf_mount_ro();
 }
|
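Review bot: `suricata_generate_yaml` no longer reports a failed write of suricata.yaml: the removed `fopen` check logged and returned -1, whereas the new `@file_put_contents(...)` swallows the warning and the function falls through to `conf_mount_ro()` as though the file were current, so Suricata can be started against a stale or missing configuration with nothing in the log. Keep the guard but keep the mount release too, which the old early return skipped: `if (@file_put_contents("{$suricatacfgdir}/suricata.yaml", $suricata_conf_text) === false) log_error("Could not write {$suricatacfgdir}/suricata.yaml.");` placed before `conf_mount_ro()`. Note that callers which tested for the old -1 return now get null on success and failure alike, which the commit does not mention. The function's body starts before this hunk, so `$suricatacfgdir` and the template include are assumed to be set up there.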