aboutsummaryrefslogtreecommitdiffstats
path: root/config/suricata
diff options
context:
space:
mode:
Diffstat (limited to 'config/suricata')
-rw-r--r--config/suricata/suricata.inc141
-rw-r--r--config/suricata/suricata.xml2
-rw-r--r--config/suricata/suricata_barnyard.php80
-rw-r--r--config/suricata/suricata_check_for_rule_updates.php73
-rw-r--r--config/suricata/suricata_flow_stream.php16
-rw-r--r--config/suricata/suricata_generate_yaml.php25
-rw-r--r--config/suricata/suricata_global.php2
-rw-r--r--config/suricata/suricata_interfaces_edit.php2
-rw-r--r--config/suricata/suricata_migrate_config.php20
-rw-r--r--config/suricata/suricata_post_install.php30
-rw-r--r--config/suricata/suricata_sync.xml83
-rw-r--r--config/suricata/suricata_yaml_template.inc1
12 files changed, 310 insertions, 165 deletions
diff --git a/config/suricata/suricata.inc b/config/suricata/suricata.inc
index 0180a4a2..bd7a181b 100644
--- a/config/suricata/suricata.inc
+++ b/config/suricata/suricata.inc
@@ -3304,7 +3304,7 @@ function suricata_sync_on_changes() {
/* Do not attempt a package sync while booting up or installing package */
if ($g['booting'] || $g['suricata_postinstall'] == TRUE) {
- log_error("[suricata] No xmlrpc sync to CARP targets when booting up or during package reinstallation.");
+ log_error("[suricata] Skipping XMLRPC sync when booting up or during package reinstallation.");
return;
}
@@ -3318,17 +3318,18 @@ function suricata_sync_on_changes() {
if (is_array($suricata_sync['row'])) {
$rs = $suricata_sync['row'];
} else {
- log_error("[suricata] xmlrpc CARP sync is enabled but there are no hosts configured as replication targets.");
+ log_error("[suricata] XMLRPC sync is enabled but there are no hosts configured as replication targets.");
return;
}
break;
case "auto":
- if (is_array($config['installedpackages']['carpsettings']) && is_array($config['installedpackages']['carpsettings']['config'])) {
- $system_carp = $config['installedpackages']['carpsettings']['config'][0];
+ if (is_array($config['hasync'])) {
+ $system_carp = $config['hasync'];
$rs[0]['varsyncipaddress'] = $system_carp['synchronizetoip'];
$rs[0]['varsyncusername'] = $system_carp['username'];
$rs[0]['varsyncpassword'] = $system_carp['password'];
- $rs[0]['varsyncsuricatastart'] = "no";
+ $rs[0]['varsyncsuricatastart'] = FALSE;
+ $rs[0]['varsyncdestinenable'] = FALSE;
// XMLRPC sync is currently only supported over connections using the same protocol and port as this system
if ($config['system']['webgui']['protocol'] == "http") {
$rs[0]['varsyncprotocol'] = "http";
@@ -3338,11 +3339,13 @@ function suricata_sync_on_changes() {
$rs[0]['varsyncport'] = $config['system']['webgui']['port'] ?: '443';
}
if ($system_carp['synchronizetoip'] == "") {
- log_error("[suricata] xmlrpc CARP sync is enabled but there are no system backup hosts configured as replication targets.");
+ log_error("[suricata] XMLRPC CARP/HA sync is enabled but there are no system backup hosts configured as replication targets.");
return;
+ } else {
+ $rs[0]['varsyncdestinenable'] = TRUE;
}
} else {
- log_error("[suricata] xmlrpc CARP sync is enabled but there are no system backup hosts configured as replication targets.");
+ log_error("[suricata] XMLRPC CARP/HA sync is enabled but there are no system backup hosts configured as replication targets.");
return;
}
break;
@@ -3351,44 +3354,42 @@ function suricata_sync_on_changes() {
break;
}
if (is_array($rs)) {
- log_error("[suricata] Suricata pkg xmlrpc CARP sync is starting.");
+ log_error("[suricata] XMLRPC sync is starting.");
foreach ($rs as $sh) {
- if ($sh['varsyncsuricatastart']) {
- $syncstartsuricata = $sh['varsyncsuricatastart'];
- } else {
- $syncstartsuricata = "OFF";
- }
- $sync_to_ip = $sh['varsyncipaddress'];
- $password = $sh['varsyncpassword'];
- $port = $sh['varsyncport'];
- $protocol = $sh['varsyncprotocol'];
- $error = '';
- $success = TRUE;
- if ($sh['varsyncusername']) {
- $username = $sh['varsyncusername'];
- } else {
- $username = 'admin';
- }
- if ($password == "") {
- $error = "Password parameter is empty. ";
- $success = FALSE;
- }
- if (!is_ipaddr($sync_to_ip) && !is_hostname($sync_to_ip) && !is_domain($sync_to_ip)) {
- $error .= "Misconfigured Replication Target IP Address. ";
- $success = FALSE;
- }
- if (!is_port($port)) {
- $error .= "Misconfigured Replication Target Port. ";
- $success = FALSE;
- }
- if ($success) {
- suricata_do_xmlrpc_sync($syncdownloadrules, $sync_to_ip, $port, $protocol, $username, $password, $synctimeout, $syncstartsuricata);
- } else {
- log_error("[suricata] Suricata pkg xmlrpc CARP sync aborted due to the following error(s): {$error}");
- return;
+ // Only sync enabled replication targets
+ if ($sh['varsyncdestinenable']) {
+ if ($sh['varsyncsuricatastart']) {
+ $syncstartsuricata = $sh['varsyncsuricatastart'];
+ } else {
+ $syncstartsuricata = "OFF";
+ }
+ $sync_to_ip = $sh['varsyncipaddress'];
+ $password = $sh['varsyncpassword'];
+ $port = $sh['varsyncport'];
+ $protocol = $sh['varsyncprotocol'];
+ $error = '';
+ $success = TRUE;
+ $username = $sh['varsyncusername'] ?: 'admin';
+ if ($password == "") {
+ $error = "Password parameter is empty. ";
+ $success = FALSE;
+ }
+ if (!is_ipaddr($sync_to_ip) && !is_hostname($sync_to_ip) && !is_domain($sync_to_ip)) {
+ $error .= "Misconfigured Replication Target IP Address. ";
+ $success = FALSE;
+ }
+ if (!is_port($port)) {
+ $error .= "Misconfigured Replication Target Port. ";
+ $success = FALSE;
+ }
+ if ($success) {
+ suricata_do_xmlrpc_sync($syncdownloadrules, $sync_to_ip, $port, $protocol, $username, $password, $synctimeout, $syncstartsuricata);
+ } else {
+ log_error("[suricata] XMLRPC sync with '{$sync_to_ip}' aborted due to the following error(s): {$error}");
+ }
}
}
- log_error("[suricata] Suricata pkg xmlrpc CARP sync completed.");
+ log_error("[suricata] XMLRPC sync completed.");
}
}
}
@@ -3399,12 +3400,12 @@ function suricata_do_xmlrpc_sync($syncdownloadrules, $sync_to_ip, $port, $protoc
/* Do not attempt a package sync while booting up or installing package */
if ($g['booting'] || isset($g['suricata_postinstall'])) {
- log_error("[suricata] No xmlrpc sync to CARP targets when booting up or during package reinstallation.");
+ log_error("[suricata] Skipping XMLRPC sync when booting up or during package reinstallation.");
return;
}
if ($username == "" || $password == "" || $sync_to_ip == "" || $port == "" || $protocol == "") {
- log_error("[suricata] A required XMLRPC CARP sync parameter (username, password, replication target, port or protocol) is empty ... aborting pkg sync");
+ log_error("[suricata] A required XMLRPC sync parameter (username, password, replication target, port or protocol) is empty ... aborting pkg sync");
return;
}
@@ -3428,25 +3429,25 @@ function suricata_do_xmlrpc_sync($syncdownloadrules, $sync_to_ip, $port, $protoc
$method = 'pfsense.exec_php';
$params = array( XML_RPC_encode($password), XML_RPC_encode($payload) );
- log_error("[suricata] Suricata XMLRPC CARP sync sending auto-SID conf files to {$url}:{$port}.");
+ log_error("[suricata] XMLRPC sync sending auto-SID conf files to {$url}:{$port}.");
$msg = new XML_RPC_Message($method, $params);
$cli = new XML_RPC_Client('/xmlrpc.php', $url, $port);
$cli->setCredentials($username, $password);
$resp = $cli->send($msg, $synctimeout);
$error = "";
if (!$resp) {
- $error = "A communications error occurred while attempting Suricata XMLRPC CARP sync with {$url}:{$port}. Failed to transfer file: " . basename($file);
+ $error = "A communications error occurred while attempting Suricata XMLRPC sync with {$url}:{$port}. Failed to transfer file: " . basename($file);
log_error($error);
file_notice("sync_settings", $error, "Suricata Settings Sync", "");
} elseif ($resp->faultCode()) {
- $error = "An error code was received while attempting Suricata XMLRPC CARP sync with {$url}:{$port}. Failed to transfer file: " . basename($file) . " - Code " . $resp->faultCode() . ": " . $resp->faultString();
+ $error = "An error code was received while attempting Suricata XMLRPC sync with {$url}:{$port}. Failed to transfer file: " . basename($file) . " - Code " . $resp->faultCode() . ": " . $resp->faultString();
log_error($error);
file_notice("sync_settings", $error, "Suricata Settings Sync", "");
}
}
if (!empty($sid_files) && $error == "") {
- log_error("[suricata] Suricata pkg XMLRPC CARP sync auto-SID conf files success with {$url}:{$port} (pfsense.exec_php).");
+ log_error("[suricata] XMLRPC sync auto-SID conf files success with {$url}:{$port} (pfsense.exec_php).");
}
/*************************************************/
@@ -3461,25 +3462,25 @@ function suricata_do_xmlrpc_sync($syncdownloadrules, $sync_to_ip, $port, $protoc
$method = 'pfsense.exec_php';
$params = array( XML_RPC_encode($password), XML_RPC_encode($payload) );
- log_error("[suricata] Suricata XMLRPC CARP sync sending IPREP files to {$url}:{$port}.");
+ log_error("[suricata] Suricata XMLRPC sync sending IPREP files to {$url}:{$port}.");
$msg = new XML_RPC_Message($method, $params);
$cli = new XML_RPC_Client('/xmlrpc.php', $url, $port);
$cli->setCredentials($username, $password);
$resp = $cli->send($msg, $synctimeout);
$error = "";
if (!$resp) {
- $error = "A communications error occurred while attempting Suricata XMLRPC CARP sync with {$url}:{$port}. Failed to transfer file: " . basename($file);
+ $error = "A communications error occurred while attempting Suricata XMLRPC sync with {$url}:{$port}. Failed to transfer file: " . basename($file);
log_error($error);
file_notice("sync_settings", $error, "Suricata Settings Sync", "");
} elseif ($resp->faultCode()) {
- $error = "An error code was received while attempting Suricata XMLRPC CARP sync with {$url}:{$port}. Failed to transfer file: " . basename($file) . " - Code " . $resp->faultCode() . ": " . $resp->faultString();
+ $error = "An error code was received while attempting Suricata XMLRPC sync with {$url}:{$port}. Failed to transfer file: " . basename($file) . " - Code " . $resp->faultCode() . ": " . $resp->faultString();
log_error($error);
file_notice("sync_settings", $error, "Suricata Settings Sync", "");
}
}
if (!empty($iprep_files) && $error == "") {
- log_error("[suricata] Suricata pkg XMLRPC CARP sync IPREP files success with {$url}:{$port} (pfsense.exec_php).");
+ log_error("[suricata] XMLRPC sync IPREP files success with {$url}:{$port} (pfsense.exec_php).");
}
/**************************************************/
@@ -3494,7 +3495,7 @@ function suricata_do_xmlrpc_sync($syncdownloadrules, $sync_to_ip, $port, $protoc
XML_RPC_encode($xml)
);
- log_error("[suricata] Beginning Suricata pkg configuration XMLRPC sync to {$url}:{$port}.");
+ log_error("[suricata] Beginning package configuration XMLRPC sync to {$url}:{$port}.");
$method = 'pfsense.merge_installedpackages_section_xmlrpc';
$msg = new XML_RPC_Message($method, $params);
$cli = new XML_RPC_Client('/xmlrpc.php', $url, $port);
@@ -3503,30 +3504,30 @@ function suricata_do_xmlrpc_sync($syncdownloadrules, $sync_to_ip, $port, $protoc
/* send our XMLRPC message and timeout after defined sync timeout value*/
$resp = $cli->send($msg, $synctimeout);
if (!$resp) {
- $error = "A communications error occurred while attempting Suricata XMLRPC CARP sync with {$url}:{$port}.";
+ $error = "A communications error occurred while attempting Suricata XMLRPC sync with {$url}:{$port}.";
log_error($error);
file_notice("sync_settings", $error, "Suricata Settings Sync", "");
} elseif ($resp->faultCode()) {
- $error = "An error code was received while attempting Suricata XMLRPC CARP sync with {$url}:{$port} - Code " . $resp->faultCode() . ": " . $resp->faultString();
+ $error = "An error code was received while attempting Suricata XMLRPC sync with {$url}:{$port} - Code " . $resp->faultCode() . ": " . $resp->faultString();
log_error($error);
file_notice("sync_settings", $error, "Suricata Settings Sync", "");
} else {
- log_error("[suricata] Suricata pkg configuration XMLRPC CARP sync successfully completed with {$url}:{$port}.");
+ log_error("[suricata] Package configuration XMLRPC sync successfully completed with {$url}:{$port}.");
}
$downloadrulescmd = "";
if ($syncdownloadrules == "yes") {
- $downloadrulescmd = "log_error(gettext(\"[suricata] XMLRPC pkg CARP sync: Update of downloaded rule sets requested...\"));\n";
+ $downloadrulescmd = "log_error(gettext(\"[suricata] XMLRPC pkg sync: Update of downloaded rule sets requested...\"));\n";
$downloadrulescmd .= "\tinclude_once(\"/usr/local/pkg/suricata/suricata_check_for_rule_updates.php\");\n";
}
$suricatastart = "";
if ($syncstartsuricata == "ON") {
- $suricatastart = "log_error(gettext(\"[suricata] XMLRPC pkg CARP sync: Checking Suricata status...\"));\n";
+ $suricatastart = "log_error(gettext(\"[suricata] XMLRPC pkg sync: Checking Suricata status...\"));\n";
$suricatastart .= "\tif (!is_process_running(\"suricata\")) {\n";
- $suricatastart .= "\t\tlog_error(gettext(\"[suricata] XMLRPC pkg CARP sync: Suricata not running. Sending a start command...\"));\n";
+ $suricatastart .= "\t\tlog_error(gettext(\"[suricata] XMLRPC pkg sync: Suricata not running. Sending a start command...\"));\n";
$suricatastart .= "\t\t\$sh_script = RCFILEPREFIX . \"suricata.sh\";\n";
$suricatastart .= "\t\tmwexec_bg(\"{\$sh_script} start\");\n\t}\n";
- $suricatastart .= "\telse {\n\t\tlog_error(gettext(\"[suricata] XMLRPC pkg CARP sync: Suricata is running...\"));\n\t}\n";
+ $suricatastart .= "\telse {\n\t\tlog_error(gettext(\"[suricata] XMLRPC pkg sync: Suricata is running...\"));\n\t}\n";
}
/*************************************************/
@@ -3546,14 +3547,14 @@ function suricata_do_xmlrpc_sync($syncdownloadrules, $sync_to_ip, $port, $protoc
\$pkg_interface = "console";
{$downloadrulescmd}
unset(\$g["suricata_postinstall"]);
- log_error(gettext("[suricata] XMLRPC pkg CARP sync: Generating suricata.yaml file using Master Host settings..."));
+ log_error(gettext("[suricata] XMLRPC pkg sync: Generating suricata.yaml file using Master Host settings..."));
\$rebuild_rules = true;
conf_mount_rw();
sync_suricata_package_config();
conf_mount_ro();
\$rebuild_rules = false;
{$suricatastart}
- log_error(gettext("[suricata] XMLRPC pkg CARP sync process on this host is complete..."));
+ log_error(gettext("[suricata] XMLRPC pkg sync process on this host is complete..."));
\$pkg_interface = \$orig_pkg_interface;
unset(\$g["suricata_sync_in_progress"]);
return true;
@@ -3574,21 +3575,21 @@ EOD;
XML_RPC_encode($execcmd)
);
- log_error("[suricata] Suricata XMLRPC CARP sync sending reload configuration cmd set as a file to {$url}:{$port}.");
+ log_error("[suricata] XMLRPC sync sending reload configuration cmd set as a file to {$url}:{$port}.");
$msg = new XML_RPC_Message($method, $params);
$cli = new XML_RPC_Client('/xmlrpc.php', $url, $port);
$cli->setCredentials($username, $password);
$resp = $cli->send($msg, $synctimeout);
if (!$resp) {
- $error = "A communications error occurred while attempting Suricata XMLRPC CARP sync with {$url}:{$port} (pfsense.exec_php).";
+ $error = "A communications error occurred while attempting Suricata XMLRPC sync with {$url}:{$port} (pfsense.exec_php).";
log_error($error);
file_notice("sync_settings", $error, "Suricata Settings Sync", "");
} elseif ($resp->faultCode()) {
- $error = "An error code was received while attempting Suricata XMLRPC CARP sync with {$url}:{$port} - Code " . $resp->faultCode() . ": " . $resp->faultString();
+ $error = "An error code was received while attempting Suricata XMLRPC sync with {$url}:{$port} - Code " . $resp->faultCode() . ": " . $resp->faultString();
log_error($error);
file_notice("sync_settings", $error, "Suricata Settings Sync", "");
} else {
- log_error("[suricata] Suricata pkg XMLRPC CARP sync reload configuration success with {$url}:{$port} (pfsense.exec_php).");
+ log_error("[suricata] XMLRPC sync reload configuration success with {$url}:{$port} (pfsense.exec_php).");
}
/*************************************************/
@@ -3600,19 +3601,19 @@ EOD;
XML_RPC_encode($password),
XML_RPC_encode($execcmd)
);
- log_error("[suricata] Suricata XMLRPC CARP sync sending {$url}:{$port} cmd to execute configuration reload.");
+ log_error("[suricata] XMLRPC sync sending {$url}:{$port} cmd to execute configuration reload.");
$msg2 = new XML_RPC_Message($method, $params2);
$resp = $cli->send($msg2, $synctimeout);
if (!$resp) {
- $error = "A communications error occurred while attempting Suricata XMLRPC CARP sync with {$url}:{$port} (pfsense.exec_php).";
+ $error = "A communications error occurred while attempting Suricata XMLRPC sync with {$url}:{$port} (pfsense.exec_php).";
log_error($error);
file_notice("sync_settings", $error, "Suricata Settings Sync", "");
} elseif ($resp->faultCode()) {
- $error = "An error code was received while attempting Suricata XMLRPC CARP sync with {$url}:{$port} - Code " . $resp->faultCode() . ": " . $resp->faultString();
+ $error = "An error code was received while attempting Suricata XMLRPC sync with {$url}:{$port} - Code " . $resp->faultCode() . ": " . $resp->faultString();
log_error($error);
file_notice("sync_settings", $error, "Suricata Settings Sync", "");
} else {
- log_error("[suricata] Suricata pkg XMLRPC CARP sync reload configuration success with {$url}:{$port} (pfsense.exec_php).");
+ log_error("[suricata] XMLRPC sync reload configuration success with {$url}:{$port} (pfsense.exec_php).");
}
}
diff --git a/config/suricata/suricata.xml b/config/suricata/suricata.xml
index e2c4735c..7c7e9e80 100644
--- a/config/suricata/suricata.xml
+++ b/config/suricata/suricata.xml
@@ -42,7 +42,7 @@
</copyright>
<description>Suricata IDS/IPS Package</description>
<name>suricata</name>
- <version>2.0.8 pkg v2.1.6</version>
+ <version>2.1.9</version>
<title>Services: Suricata IDS</title>
<include_file>/usr/local/pkg/suricata/suricata.inc</include_file>
<menu>
diff --git a/config/suricata/suricata_barnyard.php b/config/suricata/suricata_barnyard.php
index c4e438ba..81c7c503 100644
--- a/config/suricata/suricata_barnyard.php
+++ b/config/suricata/suricata_barnyard.php
@@ -14,7 +14,7 @@
* All rights reserved.
*
* Adapted for Suricata by:
- * Copyright (C) 2014 Bill Meeks
+ * Copyright (C) 2015 Bill Meeks
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
@@ -86,6 +86,14 @@ if (isset($id) && $a_nat[$id]) {
$pconfig['barnyard_bro_ids_dport'] = "47760";
if (empty($a_nat[$id]['barnyard_sensor_id']))
$pconfig['barnyard_sensor_id'] = "0";
+ if (empty($pconfig['barnyard_xff_logging']))
+ $pconfig['barnyard_xff_logging'] = "off";
+ if (empty($pconfig['barnyard_xff_mode']))
+ $pconfig['barnyard_xff_mode'] = "extra-data";
+ if (empty($pconfig['barnyard_xff_deployment']))
+ $pconfig['barnyard_xff_deployment'] = "reverse";
+ if (empty($pconfig['barnyard_xff_header']))
+ $pconfig['barnyard_xff_header'] = "X-Forwarded-For";
}
if ($_POST['save']) {
@@ -129,6 +137,9 @@ if ($_POST['save']) {
$input_errors[] = gettext("The value for 'Sensor ID' must be a valid positive integer.");
}
+ if (empty($_POST['barnyard_xff_header']) && $_POST['barnyard_xff_logging'] == "on")
+ $input_errors[] = gettext("The value for the X-Forwarded-For Header cannot be blank when X-Forwarded-For logging is enabled.");
+
// Validate inputs if MySQL database loggging enabled
if ($_POST['barnyard_mysql_enable'] == 'on' && $_POST['barnyard_enable'] == "on") {
if (empty($_POST['barnyard_dbhost']))
@@ -172,11 +183,13 @@ if ($_POST['save']) {
$natent['barnyard_syslog_local'] = $_POST['barnyard_syslog_local'] ? 'on' : 'off';
$natent['barnyard_bro_ids_enable'] = $_POST['barnyard_bro_ids_enable'] ? 'on' : 'off';
$natent['barnyard_disable_sig_ref_tbl'] = $_POST['barnyard_disable_sig_ref_tbl'] ? 'on' : 'off';
+ $natent['barnyard_xff_logging'] = $_POST['barnyard_xff_logging'] ? 'on' : 'off';
$natent['barnyard_syslog_opmode'] = $_POST['barnyard_syslog_opmode'];
$natent['barnyard_syslog_proto'] = $_POST['barnyard_syslog_proto'];
if ($_POST['barnyard_sensor_id']) $natent['barnyard_sensor_id'] = $_POST['barnyard_sensor_id']; else $natent['barnyard_sensor_id'] = '0';
if ($_POST['barnyard_sensor_name']) $natent['barnyard_sensor_name'] = $_POST['barnyard_sensor_name']; else unset($natent['barnyard_sensor_name']);
+ if ($_POST['barnyard_xff_header']) $natent['barnyard_xff_header'] = $_POST['barnyard_xff_header']; else $natent['barnyard_xff_header'] = 'X-Forwarded-For';
if ($_POST['barnyard_dbhost']) $natent['barnyard_dbhost'] = $_POST['barnyard_dbhost']; else unset($natent['barnyard_dbhost']);
if ($_POST['barnyard_dbname']) $natent['barnyard_dbname'] = $_POST['barnyard_dbname']; else unset($natent['barnyard_dbname']);
if ($_POST['barnyard_dbuser']) $natent['barnyard_dbuser'] = $_POST['barnyard_dbuser']; else unset($natent['barnyard_dbuser']);
@@ -335,6 +348,56 @@ include_once("head.inc");
</td>
</tr>
<tr>
+ <td width="22%" valign="top" class="vncell"><?php echo gettext("X-Forwarded-For Logging"); ?></td>
+ <td width="78%" class="vtable">
+ <input name="barnyard_xff_logging" id="barnyard_xff_logging" type="checkbox" value="on" <?php if ($pconfig['barnyard_xff_logging'] == "on") echo "checked"; ?> onClick="toggle_xff_log_options()"/>
+ <?php echo gettext("Enable logging of X-Forwarded-For IP addresses. Default value is ") . "<strong>" . gettext("Not Checked") . "</strong>"; ?>
+ </td>
+ </tr>
+ <tbody id="xff_options">
+ <tr id="barnyard_xff_mode_row">
+ <td width="22%" valign="top" class="vncell"><?php echo gettext("X-Forwarded-For Mode"); ?></td>
+ <td width="78%" class="vtable">
+ <select name="barnyard_xff_mode" id="barnyard_xff_mode" class="formselect">
+ <?php
+ $xff_modes = array( "extra-data", "overwrite" );
+ foreach ($xff_modes as $mode) {
+ $selected = "";
+ if ($mode == $pconfig['barnyard_xff_mode'])
+ $selected = " selected";
+ echo "<option value='{$mode}'{$selected}>" . $mode . "</option>\n";
+ }
+ ?></select>&nbsp;&nbsp;
+ <?php echo gettext("Select HTTP X-Forwarded-For Operation Mode. Default is ") . "<strong>" . gettext("extra-data") . "</strong>."; ?>
+ </td>
+ </tr>
+ <tr id="barnyard_xff_deployment_row">
+ <td width="22%" valign="top" class="vncell"><?php echo gettext("X-Forwarded-For Deployment"); ?></td>
+ <td width="78%" class="vtable">
+ <select name="barnyard_xff_deployment" id="barnyard_xff_deployment" class="formselect">
+ <?php
+ $xff_deployments = array( "reverse", "forward" );
+ foreach ($xff_deployments as $deployment) {
+ $selected = "";
+ if ($mode == $pconfig['barnyard_xff_deployment'])
+ $selected = " selected";
+ echo "<option value='{$deployment}'{$selected}>" . $deployment . "</option>\n";
+ }
+ ?></select>&nbsp;&nbsp;
+ <?php echo gettext("Select HTTP X-Forwarded-For Deployment. Default is ") . "<strong>" . gettext("reverse") . "</strong>."; ?>
+ </td>
+ </tr>
+ <tr id="barnyard_xff_header_row">
+ <td width="22%" valign="top" class="vncell"><?php echo gettext("X-Forwarded-For Header"); ?></td>
+ <td width="78%" class="vtable">
+ <input name="barnyard_xff_header" type="text" class="formfld unknown" id="barnyard_xff_header"
+ size="18" value="<?=htmlspecialchars($pconfig['barnyard_xff_header']); ?>"/>&nbsp;
+ <?php echo gettext("Enter header where actual IP address is reported. Default is ") . "<strong>" .
+ gettext("X-Forwarded-For") . "</strong>."; ?><br/><br/><?php echo gettext("If more than one IP address is present, the last one will be used.") ?>
+ </td>
+ </tr>
+ </tbody>
+ <tr>
<td colspan="2" valign="top" class="listtopic"><?php echo gettext("MySQL Database Output Settings"); ?></td>
</tr>
<tr>
@@ -600,6 +663,16 @@ function toggle_bro_ids() {
document.getElementById("bro_ids_config_rows").style.display = "";
}
+function toggle_xff_log_options() {
+ var endis = !(document.iform.barnyard_xff_logging.checked);
+ if (endis) {
+ document.getElementById("xff_options").style.display = "none";
+ }
+ else {
+ document.getElementById("xff_options").style.display = "";
+ }
+}
+
function enable_change(enable_change) {
endis = !(document.iform.barnyard_enable.checked || enable_change);
// make sure a default answer is called if this is invoked.
@@ -610,6 +683,10 @@ function enable_change(enable_change) {
document.iform.barnyard_obfuscate_ip.disabled = endis;
document.iform.barnyard_sensor_id.disabled = endis;
document.iform.barnyard_sensor_name.disabled = endis;
+ document.iform.barnyard_xff_logging.disabled = endis;
+ document.iform.barnyard_xff_mode.disabled = endis;
+ document.iform.barnyard_xff_deployment.disabled = endis;
+ document.iform.barnyard_xff_header.disabled = endis;
document.iform.barnyard_mysql_enable.disabled = endis;
document.iform.barnyard_dbhost.disabled = endis;
document.iform.barnyard_dbname.disabled = endis;
@@ -636,6 +713,7 @@ toggle_mySQL();
toggle_syslog();
toggle_local_syslog();
toggle_bro_ids();
+toggle_xff_log_options();
enable_change(false);
</script>
diff --git a/config/suricata/suricata_check_for_rule_updates.php b/config/suricata/suricata_check_for_rule_updates.php
index 67334957..e245d71e 100644
--- a/config/suricata/suricata_check_for_rule_updates.php
+++ b/config/suricata/suricata_check_for_rule_updates.php
@@ -13,7 +13,7 @@
* All rights reserved.
*
* Adapted for Suricata by:
- * Copyright (C) 2014 Bill Meeks
+ * Copyright (C) 2015 Bill Meeks
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
@@ -43,7 +43,7 @@ require_once("service-utils.inc");
require_once("/usr/local/pkg/suricata/suricata.inc");
require_once("/usr/local/pkg/suricata/suricata_defs.inc");
-global $g, $pkg_interface, $suricata_gui_include, $rebuild_rules;
+global $g, $pkg_interface, $suricata_gui_include, $rebuild_rules, $static_output;
$suricatadir = SURICATADIR;
$suricatalogdir = SURICATALOGDIR;
@@ -264,7 +264,7 @@ function suricata_check_rule_md5($file_url, $file_dst, $desc = "") {
/* error occurred. */
/**********************************************************/
- global $pkg_interface, $last_curl_error, $update_errors;
+ global $pkg_interface, $last_curl_error, $update_errors, $static_output;
$suricatadir = SURICATADIR;
$filename_md5 = basename($file_dst);
@@ -301,7 +301,8 @@ function suricata_check_rule_md5($file_url, $file_dst, $desc = "") {
$suricata_err_msg = gettext("Server returned error code {$rc}.");
if ($pkg_interface <> "console") {
update_status(gettext("{$desc} md5 error ... Server returned error code {$rc} ..."));
- update_output_window(gettext("{$desc} will not be updated.\n\t{$suricata_err_msg}"));
+ $static_output .= gettext("{$desc} will not be updated.\n\t{$suricata_err_msg}");
+ update_output_window($static_output);
}
log_error(gettext("[Suricata] {$desc} md5 download failed..."));
log_error(gettext("[Suricata] Server returned error code {$rc}..."));
@@ -333,7 +334,7 @@ function suricata_fetch_new_rules($file_url, $file_dst, $file_md5, $desc = "") {
/* FALSE if download was not successful. */
/**********************************************************/
- global $pkg_interface, $last_curl_error, $update_errors;
+ global $pkg_interface, $last_curl_error, $update_errors, $static_output;
$suricatadir = SURICATADIR;
$filename = basename($file_dst);
@@ -354,8 +355,10 @@ function suricata_fetch_new_rules($file_url, $file_dst, $file_md5, $desc = "") {
// Test integrity of the rules file. Turn off update if file has wrong md5 hash
if ($file_md5 != trim(md5_file($file_dst))){
- if ($pkg_interface <> "console")
- update_output_window(gettext("{$desc} file MD5 checksum failed..."));
+ if ($pkg_interface <> "console") {
+ $static_output .= gettext("{$desc} file MD5 checksum failed!\n");
+ update_output_window($static_output);
+ }
log_error(gettext("[Suricata] {$desc} file download failed. Bad MD5 checksum..."));
log_error(gettext("[Suricata] Downloaded File MD5: " . md5_file($file_dst)));
log_error(gettext("[Suricata] Expected File MD5: {$file_md5}"));
@@ -369,8 +372,10 @@ function suricata_fetch_new_rules($file_url, $file_dst, $file_md5, $desc = "") {
return true;
}
else {
- if ($pkg_interface <> "console")
- update_output_window(gettext("{$desc} file download failed..."));
+ if ($pkg_interface <> "console") {
+ $static_output .= gettext("{$desc} file download failed!\n");
+ update_output_window($static_output);
+ }
log_error(gettext("[Suricata] {$desc} file download failed... server returned error '{$rc}'..."));
error_log(gettext("\t{$desc} file download failed. Server returned error {$rc}.\n"), 3, SURICATA_RULES_UPD_LOGFILE);
if ($pkg_interface == "console")
@@ -451,7 +456,8 @@ if ($emergingthreats == 'on') {
if (file_exists("{$tmpfname}/{$emergingthreats_filename}")) {
if ($pkg_interface <> "console") {
update_status(gettext("Extracting {$et_name} rules..."));
- update_output_window(gettext("Installing {$et_name} rules..."));
+ $static_output .= gettext("Installing {$et_name} rules...");
+ update_output_window($static_output);
}
error_log(gettext("\tExtracting and installing {$et_name} rules...\n"), 3, SURICATA_RULES_UPD_LOGFILE);
exec("/usr/bin/tar xzf {$tmpfname}/{$emergingthreats_filename} -C {$tmpfname}/emerging rules/");
@@ -509,7 +515,8 @@ if ($emergingthreats == 'on') {
}
if ($pkg_interface <> "console") {
update_status(gettext("Extraction of {$et_name} rules completed..."));
- update_output_window(gettext("Installation of {$et_name} rules completed..."));
+ $static_output .= gettext(" done.\n");
+ update_output_window($static_output);
}
error_log(gettext("\tInstallation of {$et_name} rules completed.\n"), 3, SURICATA_RULES_UPD_LOGFILE);
rmdir_recursive("{$tmpfname}/emerging");
@@ -525,7 +532,8 @@ if ($snortdownload == 'on') {
if ($pkg_interface <> "console") {
update_status(gettext("Extracting Snort VRT rules..."));
- update_output_window(gettext("Installing Sourcefire VRT rules..."));
+ $static_output .= gettext("Installing Sourcefire VRT rules...");
+ update_output_window($static_output);
}
error_log(gettext("\tExtracting and installing Snort VRT rules...\n"), 3, SURICATA_RULES_UPD_LOGFILE);
@@ -549,7 +557,6 @@ if ($snortdownload == 'on') {
/* extract base etc files */
if ($pkg_interface <> "console") {
update_status(gettext("Extracting Snort VRT config and map files..."));
- update_output_window(gettext("Copying config and map files..."));
}
exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$tmpfname} etc/");
foreach (array("classification.config", "reference.config", "gen-msg.map", "unicode.map") as $file) {
@@ -564,7 +571,8 @@ if ($snortdownload == 'on') {
}
if ($pkg_interface <> "console") {
update_status(gettext("Extraction of Snort VRT rules completed..."));
- update_output_window(gettext("Installation of Sourcefire VRT rules completed..."));
+ $static_output .= gettext(" done.\n");
+ update_output_window($static_output);
}
error_log(gettext("\tInstallation of Snort VRT rules completed.\n"), 3, SURICATA_RULES_UPD_LOGFILE);
}
@@ -576,7 +584,8 @@ if ($snortcommunityrules == 'on') {
if (file_exists("{$tmpfname}/{$snort_community_rules_filename}")) {
if ($pkg_interface <> "console") {
update_status(gettext("Extracting Snort GPLv2 Community Rules..."));
- update_output_window(gettext("Installing Snort GPLv2 Community Rules..."));
+ $static_output .= gettext("Installing Snort GPLv2 Community Rules...");
+ update_output_window($static_output);
}
error_log(gettext("\tExtracting and installing Snort GPLv2 Community Rules...\n"), 3, SURICATA_RULES_UPD_LOGFILE);
exec("/usr/bin/tar xzf {$tmpfname}/{$snort_community_rules_filename} -C {$tmpfname}/community/");
@@ -599,7 +608,8 @@ if ($snortcommunityrules == 'on') {
}
if ($pkg_interface <> "console") {
update_status(gettext("Extraction of Snort GPLv2 Community Rules completed..."));
- update_output_window(gettext("Installation of Snort GPLv2 Community Rules file completed..."));
+ $static_output .= gettext(" done.\n");
+ update_output_window($static_output);
}
error_log(gettext("\tInstallation of Snort GPLv2 Community Rules completed.\n"), 3, SURICATA_RULES_UPD_LOGFILE);
rmdir_recursive("{$tmpfname}/community");
@@ -680,17 +690,20 @@ if ($snortdownload == 'on' || $emergingthreats == 'on' || $snortcommunityrules =
$tmp = "Updating rules configuration for: " . convert_friendly_interface_to_friendly_descr($value['interface']) . " ...";
if ($pkg_interface <> "console"){
update_status(gettext($tmp));
- update_output_window(gettext("Please wait while Suricata interface files are being updated..."));
+ $static_output .= $tmp;
+ update_output_window($static_output);
}
suricata_apply_customizations($value, $if_real);
$tmp = "\t" . $tmp . "\n";
error_log($tmp, 3, SURICATA_RULES_UPD_LOGFILE);
+ $static_output .= gettext(" done.\n");
+ update_output_window($static_output);
}
}
else {
if ($pkg_interface <> "console") {
- update_output_window(gettext("Warning: No interfaces configured for Suricata were found..."));
- update_output_window(gettext("No interfaces currently have Suricata configured and enabled on them..."));
+ $static_output .= gettext("Warning: No interfaces configured for Suricata were found!\nNo interfaces currently have Suricata configured and enabled on them.");
+ update_output_window($static_output);
}
error_log(gettext("\tWarning: No interfaces configured for Suricata were found...\n"), 3, SURICATA_RULES_UPD_LOGFILE);
}
@@ -707,7 +720,6 @@ if ($snortdownload == 'on' || $emergingthreats == 'on' || $snortcommunityrules =
if ($config['installedpackages']['suricata']['config'][0]['live_swap_updates'] == 'on') {
if ($pkg_interface <> "console") {
update_status(gettext('Signaling Suricata to live-load the new set of rules...'));
- update_output_window(gettext("Please wait ... the process should complete in a few seconds..."));
}
log_error(gettext("[Suricata] Live-Reload of rules from auto-update is enabled..."));
error_log(gettext("\tLive-Reload of updated rules is enabled...\n"), 3, SURICATA_RULES_UPD_LOGFILE);
@@ -721,34 +733,37 @@ if ($snortdownload == 'on' || $emergingthreats == 'on' || $snortcommunityrules =
else {
if ($pkg_interface <> "console") {
update_status(gettext('Restarting Suricata to activate the new set of rules...'));
- update_output_window(gettext("Please wait ... restarting Suricata will take some time..."));
+ $static_output .= gettext("Restarting Suricata...");
+ update_output_window($static_output);
}
error_log(gettext("\tRestarting Suricata to activate the new set of rules...\n"), 3, SURICATA_RULES_UPD_LOGFILE);
restart_service("suricata");
- if ($pkg_interface <> "console")
- update_output_window(gettext("Suricata has restarted with your new set of rules..."));
+ if ($pkg_interface <> "console") {
+ $static_output .= gettext(" done.\n");
+ update_output_window($static_output);
+ }
log_error(gettext("[Suricata] Suricata has restarted with your new set of rules..."));
error_log(gettext("\tSuricata has restarted with your new set of rules.\n"), 3, SURICATA_RULES_UPD_LOGFILE);
}
}
- else {
- if ($pkg_interface <> "console")
- update_output_window(gettext("The rules update task is complete..."));
- }
}
// Remove old $tmpfname files
if (is_dir("{$tmpfname}")) {
if ($pkg_interface <> "console") {
update_status(gettext("Cleaning up after rules extraction..."));
- update_output_window(gettext("Removing {$tmpfname} directory..."));
+ $static_output .= gettext("Removing {$tmpfname} directory...");
+ update_output_window($static_output);
}
rmdir_recursive("{$tmpfname}");
+ $static_output .= gettext(" done.\n");
+ update_output_window($static_output);
}
if ($pkg_interface <> "console") {
update_status(gettext("The Rules update has finished..."));
- update_output_window("");
+ $static_output .= gettext("Rules update task complete.\n");
+ update_output_window($static_output);
}
log_error(gettext("[Suricata] The Rules update has finished."));
error_log(gettext("The Rules update has finished. Time: " . date("Y-m-d H:i:s"). "\n\n"), 3, SURICATA_RULES_UPD_LOGFILE);
diff --git a/config/suricata/suricata_flow_stream.php b/config/suricata/suricata_flow_stream.php
index 9467ea7c..4be8dc35 100644
--- a/config/suricata/suricata_flow_stream.php
+++ b/config/suricata/suricata_flow_stream.php
@@ -14,7 +14,7 @@
* All rights reserved.
*
* Adapted for Suricata by:
- * Copyright (C) 2014 Bill Meeks
+ * Copyright (C) 2015 Bill Meeks
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
@@ -250,8 +250,11 @@ elseif ($_POST['ResetAll']) {
$pconfig['flow_icmp_emerg_new_timeout'] = '10';
$pconfig['flow_icmp_emerg_established_timeout'] = '100';
- $pconfig['stream_memcap'] = '33554432';
+ // The default 'stream_memcap' value must be calculated as follows:
+ // 216 * prealloc_sessions * number of threads = memory use in bytes
+ // 64 MB is a decent all-around default, but some setups need more.
$pconfig['stream_prealloc_sessions'] = '32768';
+ $pconfig['stream_memcap'] = '67108864';
$pconfig['reassembly_memcap'] = '67108864';
$pconfig['reassembly_depth'] = '1048576';
$pconfig['reassembly_to_server_chunk'] = '2560';
@@ -298,7 +301,7 @@ elseif ($_POST['save'] || $_POST['apply']) {
if ($_POST['flow_icmp_emerg_new_timeout'] != "") { $natent['flow_icmp_emerg_new_timeout'] = $_POST['flow_icmp_emerg_new_timeout']; }else{ $natent['flow_icmp_emerg_new_timeout'] = "10"; }
if ($_POST['flow_icmp_emerg_established_timeout'] != "") { $natent['flow_icmp_emerg_established_timeout'] = $_POST['flow_icmp_emerg_established_timeout']; }else{ $natent['flow_icmp_emerg_established_timeout'] = "100"; }
- if ($_POST['stream_memcap'] != "") { $natent['stream_memcap'] = $_POST['stream_memcap']; }else{ $natent['stream_memcap'] = "33554432"; }
+ if ($_POST['stream_memcap'] != "") { $natent['stream_memcap'] = $_POST['stream_memcap']; }else{ $natent['stream_memcap'] = "67108864"; }
if ($_POST['stream_prealloc_sessions'] != "") { $natent['stream_prealloc_sessions'] = $_POST['stream_prealloc_sessions']; }else{ $natent['stream_prealloc_sessions'] = "32768"; }
if ($_POST['enable_midstream_sessions'] == "on") { $natent['enable_midstream_sessions'] = 'on'; }else{ $natent['enable_midstream_sessions'] = 'off'; }
if ($_POST['enable_async_sessions'] == "on") { $natent['enable_async_sessions'] = 'on'; }else{ $natent['enable_async_sessions'] = 'off'; }
@@ -764,8 +767,11 @@ if ($savemsg) {
<input name="stream_memcap" type="text" class="formfld unknown" id="stream_memcap" size="9"
value="<?=htmlspecialchars($pconfig['stream_memcap']);?>">&nbsp;
<?php echo gettext("Max memory to be used by stream engine. Default is ") .
- "<strong>" . gettext("33,554,432") . "</strong>" . gettext(" bytes (32MB)"); ?><br/><br/>
- <?php echo gettext("Sets the maximum amount of memory, in bytes, to be used by the stream engine."); ?>
+ "<strong>" . gettext("67,108,864") . "</strong>" . gettext(" bytes (64MB)"); ?><br/><br/>
+ <?php echo gettext("Sets the maximum amount of memory, in bytes, to be used by the stream engine. ");?><br/>
+ <span class="red"><strong><?php echo gettext("Note: ") . "</strong></span>" .
+ gettext("This number will likely need to be increased beyond the default value in systems with more than 4 processor cores. " .
+ "If Suricata fails to start and logs a memory allocation error, increase this value in 4 MB chunks until Suricata starts successfully."); ?>
</td>
</tr>
<tr>
diff --git a/config/suricata/suricata_generate_yaml.php b/config/suricata/suricata_generate_yaml.php
index 328702b9..3394ad4c 100644
--- a/config/suricata/suricata_generate_yaml.php
+++ b/config/suricata/suricata_generate_yaml.php
@@ -292,6 +292,7 @@ if (!empty($suricatacfg['max_pcap_log_files']))
else
$pcap_log_max_files = "1000";
+// Unified2 Alert Log Settings
if ($suricatacfg['barnyard_enable'] == 'on')
$barnyard2_enabled = "yes";
else
@@ -307,6 +308,28 @@ if (isset($suricatacfg['barnyard_sensor_id']))
else
$unified2_sensor_id = "0";
+// Unified2 X-Forwarded-For logging options
+if ($suricatacfg['barnyard_xff_logging'] == 'on') {
+ $unified2_xff_output = "xff:";
+ $unified2_xff_output .= "\n enabled: yes";
+ if (!empty($suricatacfg['barnyard_xff_mode']))
+ $unified2_xff_output .= "\n mode: {$suricatacfg['barnyard_xff_mode']}";
+ else
+ $unified2_xff_output .= "\n mode: extra-data";
+ if (!empty($suricatacfg['barnyard_xff_deployment']))
+ $unified2_xff_output .= "\n deployment: {$suricatacfg['barnyard_xff_deployment']}";
+ else
+ $unified2_xff_output .= "\n deployment: reverse";
+ if (!empty($suricatacfg['barnyard_xff_header']))
+ $unified2_xff_output .= "\n header: {$suricatacfg['barnyard_xff_header']}";
+ else
+ $unified2_xff_output .= "\n header: X-Forwarded-For";
+}
+else {
+ $unified2_xff_output = "xff:";
+ $unified2_xff_output .= "\n enabled: no";
+}
+
// EVE JSON log output settings
if ($suricatacfg['enable_eve_log'] == 'on')
$enable_eve_log = "yes";
@@ -494,7 +517,7 @@ else
if (!empty($suricatacfg['stream_memcap']))
$stream_memcap = $suricatacfg['stream_memcap'];
else
- $stream_memcap = "33554432";
+ $stream_memcap = "67108864";
if (!empty($suricatacfg['stream_prealloc_sessions']))
$stream_prealloc_sessions = $suricatacfg['stream_prealloc_sessions'];
diff --git a/config/suricata/suricata_global.php b/config/suricata/suricata_global.php
index 013cde3e..26fbd12e 100644
--- a/config/suricata/suricata_global.php
+++ b/config/suricata/suricata_global.php
@@ -308,7 +308,7 @@ if ($input_errors)
<td><input name="snort_rules_file" type="text" class="formfld unknown" id="snort_rules_file" size="52"
value="<?=htmlspecialchars($pconfig['snort_rules_file']);?>"/><br/>
<?php echo gettext("Enter the rules tarball filename (filename only, do not include the URL.)"); ?>
- <br/><span class="red"><strong><?php echo gettext("Example: ") . "</strong></span>" . gettext("snortrules-snapshot-2962.tar.gz");?><br/><br/></td>
+ <br/><span class="red"><strong><?php echo gettext("Example: ") . "</strong></span>" . gettext("snortrules-snapshot-2976.tar.gz");?><br/><br/></td>
</tr>
<tr>
<td valign="top" align="right"><span class="vexpl"><strong><?php echo gettext("Oinkmaster Code:"); ?></strong></span>&nbsp;</td>
diff --git a/config/suricata/suricata_interfaces_edit.php b/config/suricata/suricata_interfaces_edit.php
index 4319182d..f188194d 100644
--- a/config/suricata/suricata_interfaces_edit.php
+++ b/config/suricata/suricata_interfaces_edit.php
@@ -372,7 +372,7 @@ if ($_POST["save"] && !$input_errors) {
$natent['flow_icmp_emerg_new_timeout'] = '10';
$natent['flow_icmp_emerg_established_timeout'] = '100';
- $natent['stream_memcap'] = '33554432';
+ $natent['stream_memcap'] = '67108864';
$natent['stream_prealloc_sessions'] = '32768';
$natent['reassembly_memcap'] = '67108864';
$natent['reassembly_depth'] = '1048576';
diff --git a/config/suricata/suricata_migrate_config.php b/config/suricata/suricata_migrate_config.php
index 2fd5f96e..4a4a489f 100644
--- a/config/suricata/suricata_migrate_config.php
+++ b/config/suricata/suricata_migrate_config.php
@@ -471,6 +471,26 @@ foreach ($rule as &$r) {
$updated_cfg = true;
}
+ /**********************************************************/
+ /* Create interface Unified2 XFF log settings if not set */
+ /**********************************************************/
+ if (!isset($pconfig['barnyard_xff_logging'])) {
+ $pconfig['barnyard_xff_logging'] = "off";
+ $updated_cfg = true;
+ }
+ if (!isset($pconfig['barnyard_xff_mode'])) {
+ $pconfig['barnyard_xff_mode'] = "extra-data";
+ $updated_cfg = true;
+ }
+ if (!isset($pconfig['barnyard_xff_deployment'])) {
+ $pconfig['barnyard_xff_deployment'] = "reverse";
+ $updated_cfg = true;
+ }
+ if (empty($pconfig['barnyard_xff_header'])) {
+ $pconfig['barnyard_xff_header'] = "X-Forwarded-For";
+ $updated_cfg = true;
+ }
+
// Save the new configuration data into the $config array pointer
$r = $pconfig;
}
diff --git a/config/suricata/suricata_post_install.php b/config/suricata/suricata_post_install.php
index ea1d7b0a..42722d79 100644
--- a/config/suricata/suricata_post_install.php
+++ b/config/suricata/suricata_post_install.php
@@ -13,7 +13,7 @@
* All rights reserved.
*
* Adapted for Suricata by:
- * Copyright (C) 2014 Bill Meeks
+ * Copyright (C) 2015 Bill Meeks
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
@@ -50,7 +50,7 @@ require_once("functions.inc");
require_once("/usr/local/pkg/suricata/suricata.inc");
require("/usr/local/pkg/suricata/suricata_defs.inc");
-global $config, $g, $rebuild_rules, $pkg_interface, $suricata_gui_include;
+global $config, $g, $rebuild_rules, $pkg_interface, $suricata_gui_include, $static_output;
/****************************************
* Define any new constants here that *
@@ -201,11 +201,12 @@ if ($config['installedpackages']['suricata']['config'][0]['forcekeepsettings'] =
/****************************************************************/
/* Do one-time settings migration for new version configuration */
- update_output_window(gettext("Please wait... migrating settings to new configuration..."));
+ $static_output .= gettext("\nMigrating settings to new configuration...");
+ update_output_window($static_output);
include('/usr/local/pkg/suricata/suricata_migrate_config.php');
- update_output_window(gettext("Please wait... rebuilding installation with saved settings..."));
+ $static_output .= gettext(" done.\n");
+ update_output_window($static_output);
log_error(gettext("[Suricata] Downloading and updating configured rule types..."));
- update_output_window(gettext("Please wait... downloading and updating configured rule types..."));
if ($pkg_interface <> "console")
$suricata_gui_include = true;
include('/usr/local/pkg/suricata/suricata_check_for_rule_updates.php');
@@ -219,7 +220,8 @@ if ($config['installedpackages']['suricata']['config'][0]['forcekeepsettings'] =
$if_real = get_real_interface($suricatacfg['interface']);
$suricata_uuid = $suricatacfg['uuid'];
$suricatacfgdir = "{$suricatadir}suricata_{$suricata_uuid}_{$if_real}";
- update_output_window(gettext("Generating configuration for " . convert_friendly_interface_to_friendly_descr($suricatacfg['interface']) . "..."));
+ $static_output .= gettext("Generating YAML configuration file for " . convert_friendly_interface_to_friendly_descr($suricatacfg['interface']) . "...");
+ update_output_window($static_output);
// Pull in the PHP code that generates the suricata.yaml file
// variables that will be substituted further down below.
@@ -238,6 +240,9 @@ if ($config['installedpackages']['suricata']['config'][0]['forcekeepsettings'] =
// create barnyard2.conf file for interface
if ($suricatacfg['barnyard_enable'] == 'on')
suricata_generate_barnyard2_conf($suricatacfg, $if_real);
+
+ $static_output .= gettext(" done.\n");
+ update_output_window($static_output);
}
// create Suricata bootup file suricata.sh
@@ -259,17 +264,21 @@ if ($config['installedpackages']['suricata']['config'][0]['forcekeepsettings'] =
}
$rebuild_rules = false;
- if ($pkg_interface <> "console")
- update_output_window(gettext("Finished rebuilding Suricata configuration files..."));
+ if ($pkg_interface <> "console") {
+ $static_output .= gettext("Finished rebuilding Suricata configuration from saved settings.\n");
+ update_output_window($static_output);
+ }
log_error(gettext("[Suricata] Finished rebuilding installation from saved settings..."));
// Only try to start Suricata if not in reboot
if (!$g['booting']) {
if ($pkg_interface <> "console") {
update_status(gettext("Starting Suricata using rebuilt configuration..."));
- update_output_window(gettext("Please wait while Suricata is started..."));
+ $static_output .= gettext("Starting Suricata using the rebuilt configuration...");
+ update_output_window($static_output);
mwexec_bg("{$rcdir}suricata.sh start");
- update_output_window(gettext("Suricata is starting as a background task using the rebuilt configuration..."));
+ $static_output .= gettext(" done.\n");
+ update_output_window($static_output);
}
else
mwexec_bg("{$rcdir}suricata.sh start");
@@ -291,6 +300,7 @@ write_config("Suricata pkg v{$config['installedpackages']['package'][get_pkg_id(
// Done with post-install, so clear flag
unset($g['suricata_postinstall']);
log_error(gettext("[Suricata] Package post-installation tasks completed..."));
+update_status("");
return true;
?>
diff --git a/config/suricata/suricata_sync.xml b/config/suricata/suricata_sync.xml
index 28083d8d..c2f5ec83 100644
--- a/config/suricata/suricata_sync.xml
+++ b/config/suricata/suricata_sync.xml
@@ -1,56 +1,49 @@
<?xml version="1.0" encoding="utf-8" ?>
-<!DOCTYPE packagegui SYSTEM "./schema/packages.dtd">
-<?xml-stylesheet type="text/xsl" href="./xsl/package.xsl"?>
+<!DOCTYPE packagegui SYSTEM "../schema/packages.dtd">
+<?xml-stylesheet type="text/xsl" href="../xsl/package.xsl"?>
<packagegui>
- <copyright>
+ <copyright>
<![CDATA[
/* $Id$ */
-/* ========================================================================== */
+/* ====================================================================================== */
/*
-based on snortsync.xml developed as part
-of pfSense (http://www.pfSense.com)
-Copyright (C) 2013 Marcello Coutinho
-based on pfblocker_sync.xml
-All rights reserved.
-
-modified for use with Suricata package
-Copyright (C) 2014 Bill Meeks
-All rights reserved.
-
-Based on m0n0wall (http://m0n0.ch/wall)
-Copyright (C) 2003-2006 Manuel Kasper <mk@neon1.net>.
-All rights reserved.
+ suricata_sync.xml
+ part of pfSense (https://www.pfSense.org/)
+ Copyright (C) 2013 Marcello Coutinho
+ Copyright (C) 2014-2015 Bill Meeks
+ Copyright (C) 2015 ESF, LLC
+ All rights reserved.
*/
-/* ========================================================================== */
+/* ====================================================================================== */
/*
-Redistribution and use in source and binary forms, with or without
-modification, are permitted provided that the following conditions are met:
+ Redistribution and use in source and binary forms, with or without
+ modification, are permitted provided that the following conditions are met:
+
+
+ 1. Redistributions of source code must retain the above copyright notice,
+ this list of conditions and the following disclaimer.
-1. Redistributions of source code MUST retain the above copyright notice,
-this list of conditions and the following disclaimer.
+ 2. Redistributions in binary form must reproduce the above copyright
+ notice, this list of conditions and the following disclaimer in the
+ documentation and/or other materials provided with the distribution.
-2. Redistributions in binary form MUST reproduce the above copyright
-notice, this list of conditions and the following disclaimer in the
-documentation and/or other materials provided with the distribution.
-THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
-INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
-AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
-AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
-OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
-SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
-INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
-CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
-POSSIBILITY OF SUCH DAMAGE.
+ THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ POSSIBILITY OF SUCH DAMAGE.
*/
-/* ========================================================================== */
-]]></copyright>
- <description><![CDATA[Describe your package here]]></description>
- <requirements>Describe your package requirements here</requirements>
- <faq>Currently there are no FAQ items provided.</faq>
+/* ====================================================================================== */
+ ]]>
+ </copyright>
<name>suricatasync</name>
- <version>1.0</version>
+ <version>2.1.8</version>
<title>Suricata: XMLRPC Sync</title>
<include_file>/usr/local/pkg/suricata/suricata.inc</include_file>
<tabs>
@@ -183,11 +176,11 @@ POSSIBILITY OF SUCH DAMAGE.
</options>
</rowhelperfield>
<rowhelperfield>
- <fielddescr>IP-Address</fielddescr>
+ <fielddescr>IP Address/Hostname</fielddescr>
<fieldname>varsyncipaddress</fieldname>
- <description><![CDATA[IP Address of the destination host.]]></description>
+ <description><![CDATA[IP address or hostname of the destination host.]]></description>
<type>input</type>
- <size>15</size>
+ <size>40</size>
</rowhelperfield>
<rowhelperfield>
<fielddescr>Port</fielddescr>
@@ -213,8 +206,6 @@ POSSIBILITY OF SUCH DAMAGE.
</rowhelper>
</field>
</fields>
- <custom_delete_php_command>
- </custom_delete_php_command>
<custom_php_resync_config_command>
write_config("Suricata pkg: updating CARP sync info.");suricata_sync_on_changes();
</custom_php_resync_config_command>
diff --git a/config/suricata/suricata_yaml_template.inc b/config/suricata/suricata_yaml_template.inc
index a8b06ebe..82723958 100644
--- a/config/suricata/suricata_yaml_template.inc
+++ b/config/suricata/suricata_yaml_template.inc
@@ -54,6 +54,7 @@ outputs:
filename: unified2.alert
limit: {$unified2_log_limit}
sensor-id: {$unified2_sensor_id}
+ {$unified2_xff_output}
- http-log:
enabled: {$http_log_enabled}