diff options
Diffstat (limited to 'config/suricata')
-rw-r--r-- | config/suricata/suricata.inc | 141 | ||||
-rw-r--r-- | config/suricata/suricata.xml | 2 | ||||
-rw-r--r-- | config/suricata/suricata_barnyard.php | 80 | ||||
-rw-r--r-- | config/suricata/suricata_check_for_rule_updates.php | 73 | ||||
-rw-r--r-- | config/suricata/suricata_flow_stream.php | 16 | ||||
-rw-r--r-- | config/suricata/suricata_generate_yaml.php | 25 | ||||
-rw-r--r-- | config/suricata/suricata_global.php | 2 | ||||
-rw-r--r-- | config/suricata/suricata_interfaces_edit.php | 2 | ||||
-rw-r--r-- | config/suricata/suricata_migrate_config.php | 20 | ||||
-rw-r--r-- | config/suricata/suricata_post_install.php | 30 | ||||
-rw-r--r-- | config/suricata/suricata_sync.xml | 83 | ||||
-rw-r--r-- | config/suricata/suricata_yaml_template.inc | 1 |
12 files changed, 310 insertions, 165 deletions
diff --git a/config/suricata/suricata.inc b/config/suricata/suricata.inc index 0180a4a2..bd7a181b 100644 --- a/config/suricata/suricata.inc +++ b/config/suricata/suricata.inc @@ -3304,7 +3304,7 @@ function suricata_sync_on_changes() { /* Do not attempt a package sync while booting up or installing package */ if ($g['booting'] || $g['suricata_postinstall'] == TRUE) { - log_error("[suricata] No xmlrpc sync to CARP targets when booting up or during package reinstallation."); + log_error("[suricata] Skipping XMLRPC sync when booting up or during package reinstallation."); return; } @@ -3318,17 +3318,18 @@ function suricata_sync_on_changes() { if (is_array($suricata_sync['row'])) { $rs = $suricata_sync['row']; } else { - log_error("[suricata] xmlrpc CARP sync is enabled but there are no hosts configured as replication targets."); + log_error("[suricata] XMLRPC sync is enabled but there are no hosts configured as replication targets."); return; } break; case "auto": - if (is_array($config['installedpackages']['carpsettings']) && is_array($config['installedpackages']['carpsettings']['config'])) { - $system_carp = $config['installedpackages']['carpsettings']['config'][0]; + if (is_array($config['hasync'])) { + $system_carp = $config['hasync']; $rs[0]['varsyncipaddress'] = $system_carp['synchronizetoip']; $rs[0]['varsyncusername'] = $system_carp['username']; $rs[0]['varsyncpassword'] = $system_carp['password']; - $rs[0]['varsyncsuricatastart'] = "no"; + $rs[0]['varsyncsuricatastart'] = FALSE; + $rs[0]['varsyncdestinenable'] = FALSE; // XMLRPC sync is currently only supported over connections using the same protocol and port as this system if ($config['system']['webgui']['protocol'] == "http") { $rs[0]['varsyncprotocol'] = "http"; @@ -3338,11 +3339,13 @@ function suricata_sync_on_changes() { $rs[0]['varsyncport'] = $config['system']['webgui']['port'] ?: '443'; } if ($system_carp['synchronizetoip'] == "") { - log_error("[suricata] xmlrpc CARP sync is enabled but there are no system backup hosts configured as replication targets."); + log_error("[suricata] XMLRPC CARP/HA sync is enabled but there are no system backup hosts configured as replication targets."); return; + } else { + $rs[0]['varsyncdestinenable'] = TRUE; } } else { - log_error("[suricata] xmlrpc CARP sync is enabled but there are no system backup hosts configured as replication targets."); + log_error("[suricata] XMLRPC CARP/HA sync is enabled but there are no system backup hosts configured as replication targets."); return; } break; @@ -3351,44 +3354,42 @@ function suricata_sync_on_changes() { break; } if (is_array($rs)) { - log_error("[suricata] Suricata pkg xmlrpc CARP sync is starting."); + log_error("[suricata] XMLRPC sync is starting."); foreach ($rs as $sh) { - if ($sh['varsyncsuricatastart']) { - $syncstartsuricata = $sh['varsyncsuricatastart']; - } else { - $syncstartsuricata = "OFF"; - } - $sync_to_ip = $sh['varsyncipaddress']; - $password = $sh['varsyncpassword']; - $port = $sh['varsyncport']; - $protocol = $sh['varsyncprotocol']; - $error = ''; - $success = TRUE; - if ($sh['varsyncusername']) { - $username = $sh['varsyncusername']; - } else { - $username = 'admin'; - } - if ($password == "") { - $error = "Password parameter is empty. "; - $success = FALSE; - } - if (!is_ipaddr($sync_to_ip) && !is_hostname($sync_to_ip) && !is_domain($sync_to_ip)) { - $error .= "Misconfigured Replication Target IP Address. "; - $success = FALSE; - } - if (!is_port($port)) { - $error .= "Misconfigured Replication Target Port. "; - $success = FALSE; - } - if ($success) { - suricata_do_xmlrpc_sync($syncdownloadrules, $sync_to_ip, $port, $protocol, $username, $password, $synctimeout, $syncstartsuricata); - } else { - log_error("[suricata] Suricata pkg xmlrpc CARP sync aborted due to the following error(s): {$error}"); - return; + // Only sync enabled replication targets + if ($sh['varsyncdestinenable']) { + if ($sh['varsyncsuricatastart']) { + $syncstartsuricata = $sh['varsyncsuricatastart']; + } else { + $syncstartsuricata = "OFF"; + } + $sync_to_ip = $sh['varsyncipaddress']; + $password = $sh['varsyncpassword']; + $port = $sh['varsyncport']; + $protocol = $sh['varsyncprotocol']; + $error = ''; + $success = TRUE; + $username = $sh['varsyncusername'] ?: 'admin'; + if ($password == "") { + $error = "Password parameter is empty. "; + $success = FALSE; + } + if (!is_ipaddr($sync_to_ip) && !is_hostname($sync_to_ip) && !is_domain($sync_to_ip)) { + $error .= "Misconfigured Replication Target IP Address. "; + $success = FALSE; + } + if (!is_port($port)) { + $error .= "Misconfigured Replication Target Port. "; + $success = FALSE; + } + if ($success) { + suricata_do_xmlrpc_sync($syncdownloadrules, $sync_to_ip, $port, $protocol, $username, $password, $synctimeout, $syncstartsuricata); + } else { + log_error("[suricata] XMLRPC sync with '{$sync_to_ip}' aborted due to the following error(s): {$error}"); + } } } - log_error("[suricata] Suricata pkg xmlrpc CARP sync completed."); + log_error("[suricata] XMLRPC sync completed."); } } } @@ -3399,12 +3400,12 @@ function suricata_do_xmlrpc_sync($syncdownloadrules, $sync_to_ip, $port, $protoc /* Do not attempt a package sync while booting up or installing package */ if ($g['booting'] || isset($g['suricata_postinstall'])) { - log_error("[suricata] No xmlrpc sync to CARP targets when booting up or during package reinstallation."); + log_error("[suricata] Skipping XMLRPC sync when booting up or during package reinstallation."); return; } if ($username == "" || $password == "" || $sync_to_ip == "" || $port == "" || $protocol == "") { - log_error("[suricata] A required XMLRPC CARP sync parameter (username, password, replication target, port or protocol) is empty ... aborting pkg sync"); + log_error("[suricata] A required XMLRPC sync parameter (username, password, replication target, port or protocol) is empty ... aborting pkg sync"); return; } @@ -3428,25 +3429,25 @@ function suricata_do_xmlrpc_sync($syncdownloadrules, $sync_to_ip, $port, $protoc $method = 'pfsense.exec_php'; $params = array( XML_RPC_encode($password), XML_RPC_encode($payload) ); - log_error("[suricata] Suricata XMLRPC CARP sync sending auto-SID conf files to {$url}:{$port}."); + log_error("[suricata] XMLRPC sync sending auto-SID conf files to {$url}:{$port}."); $msg = new XML_RPC_Message($method, $params); $cli = new XML_RPC_Client('/xmlrpc.php', $url, $port); $cli->setCredentials($username, $password); $resp = $cli->send($msg, $synctimeout); $error = ""; if (!$resp) { - $error = "A communications error occurred while attempting Suricata XMLRPC CARP sync with {$url}:{$port}. Failed to transfer file: " . basename($file); + $error = "A communications error occurred while attempting Suricata XMLRPC sync with {$url}:{$port}. Failed to transfer file: " . basename($file); log_error($error); file_notice("sync_settings", $error, "Suricata Settings Sync", ""); } elseif ($resp->faultCode()) { - $error = "An error code was received while attempting Suricata XMLRPC CARP sync with {$url}:{$port}. Failed to transfer file: " . basename($file) . " - Code " . $resp->faultCode() . ": " . $resp->faultString(); + $error = "An error code was received while attempting Suricata XMLRPC sync with {$url}:{$port}. Failed to transfer file: " . basename($file) . " - Code " . $resp->faultCode() . ": " . $resp->faultString(); log_error($error); file_notice("sync_settings", $error, "Suricata Settings Sync", ""); } } if (!empty($sid_files) && $error == "") { - log_error("[suricata] Suricata pkg XMLRPC CARP sync auto-SID conf files success with {$url}:{$port} (pfsense.exec_php)."); + log_error("[suricata] XMLRPC sync auto-SID conf files success with {$url}:{$port} (pfsense.exec_php)."); } /*************************************************/ @@ -3461,25 +3462,25 @@ function suricata_do_xmlrpc_sync($syncdownloadrules, $sync_to_ip, $port, $protoc $method = 'pfsense.exec_php'; $params = array( XML_RPC_encode($password), XML_RPC_encode($payload) ); - log_error("[suricata] Suricata XMLRPC CARP sync sending IPREP files to {$url}:{$port}."); + log_error("[suricata] Suricata XMLRPC sync sending IPREP files to {$url}:{$port}."); $msg = new XML_RPC_Message($method, $params); $cli = new XML_RPC_Client('/xmlrpc.php', $url, $port); $cli->setCredentials($username, $password); $resp = $cli->send($msg, $synctimeout); $error = ""; if (!$resp) { - $error = "A communications error occurred while attempting Suricata XMLRPC CARP sync with {$url}:{$port}. Failed to transfer file: " . basename($file); + $error = "A communications error occurred while attempting Suricata XMLRPC sync with {$url}:{$port}. Failed to transfer file: " . basename($file); log_error($error); file_notice("sync_settings", $error, "Suricata Settings Sync", ""); } elseif ($resp->faultCode()) { - $error = "An error code was received while attempting Suricata XMLRPC CARP sync with {$url}:{$port}. Failed to transfer file: " . basename($file) . " - Code " . $resp->faultCode() . ": " . $resp->faultString(); + $error = "An error code was received while attempting Suricata XMLRPC sync with {$url}:{$port}. Failed to transfer file: " . basename($file) . " - Code " . $resp->faultCode() . ": " . $resp->faultString(); log_error($error); file_notice("sync_settings", $error, "Suricata Settings Sync", ""); } } if (!empty($iprep_files) && $error == "") { - log_error("[suricata] Suricata pkg XMLRPC CARP sync IPREP files success with {$url}:{$port} (pfsense.exec_php)."); + log_error("[suricata] XMLRPC sync IPREP files success with {$url}:{$port} (pfsense.exec_php)."); } /**************************************************/ @@ -3494,7 +3495,7 @@ function suricata_do_xmlrpc_sync($syncdownloadrules, $sync_to_ip, $port, $protoc XML_RPC_encode($xml) ); - log_error("[suricata] Beginning Suricata pkg configuration XMLRPC sync to {$url}:{$port}."); + log_error("[suricata] Beginning package configuration XMLRPC sync to {$url}:{$port}."); $method = 'pfsense.merge_installedpackages_section_xmlrpc'; $msg = new XML_RPC_Message($method, $params); $cli = new XML_RPC_Client('/xmlrpc.php', $url, $port); @@ -3503,30 +3504,30 @@ function suricata_do_xmlrpc_sync($syncdownloadrules, $sync_to_ip, $port, $protoc /* send our XMLRPC message and timeout after defined sync timeout value*/ $resp = $cli->send($msg, $synctimeout); if (!$resp) { - $error = "A communications error occurred while attempting Suricata XMLRPC CARP sync with {$url}:{$port}."; + $error = "A communications error occurred while attempting Suricata XMLRPC sync with {$url}:{$port}."; log_error($error); file_notice("sync_settings", $error, "Suricata Settings Sync", ""); } elseif ($resp->faultCode()) { - $error = "An error code was received while attempting Suricata XMLRPC CARP sync with {$url}:{$port} - Code " . $resp->faultCode() . ": " . $resp->faultString(); + $error = "An error code was received while attempting Suricata XMLRPC sync with {$url}:{$port} - Code " . $resp->faultCode() . ": " . $resp->faultString(); log_error($error); file_notice("sync_settings", $error, "Suricata Settings Sync", ""); } else { - log_error("[suricata] Suricata pkg configuration XMLRPC CARP sync successfully completed with {$url}:{$port}."); + log_error("[suricata] Package configuration XMLRPC sync successfully completed with {$url}:{$port}."); } $downloadrulescmd = ""; if ($syncdownloadrules == "yes") { - $downloadrulescmd = "log_error(gettext(\"[suricata] XMLRPC pkg CARP sync: Update of downloaded rule sets requested...\"));\n"; + $downloadrulescmd = "log_error(gettext(\"[suricata] XMLRPC pkg sync: Update of downloaded rule sets requested...\"));\n"; $downloadrulescmd .= "\tinclude_once(\"/usr/local/pkg/suricata/suricata_check_for_rule_updates.php\");\n"; } $suricatastart = ""; if ($syncstartsuricata == "ON") { - $suricatastart = "log_error(gettext(\"[suricata] XMLRPC pkg CARP sync: Checking Suricata status...\"));\n"; + $suricatastart = "log_error(gettext(\"[suricata] XMLRPC pkg sync: Checking Suricata status...\"));\n"; $suricatastart .= "\tif (!is_process_running(\"suricata\")) {\n"; - $suricatastart .= "\t\tlog_error(gettext(\"[suricata] XMLRPC pkg CARP sync: Suricata not running. Sending a start command...\"));\n"; + $suricatastart .= "\t\tlog_error(gettext(\"[suricata] XMLRPC pkg sync: Suricata not running. Sending a start command...\"));\n"; $suricatastart .= "\t\t\$sh_script = RCFILEPREFIX . \"suricata.sh\";\n"; $suricatastart .= "\t\tmwexec_bg(\"{\$sh_script} start\");\n\t}\n"; - $suricatastart .= "\telse {\n\t\tlog_error(gettext(\"[suricata] XMLRPC pkg CARP sync: Suricata is running...\"));\n\t}\n"; + $suricatastart .= "\telse {\n\t\tlog_error(gettext(\"[suricata] XMLRPC pkg sync: Suricata is running...\"));\n\t}\n"; } /*************************************************/ @@ -3546,14 +3547,14 @@ function suricata_do_xmlrpc_sync($syncdownloadrules, $sync_to_ip, $port, $protoc \$pkg_interface = "console"; {$downloadrulescmd} unset(\$g["suricata_postinstall"]); - log_error(gettext("[suricata] XMLRPC pkg CARP sync: Generating suricata.yaml file using Master Host settings...")); + log_error(gettext("[suricata] XMLRPC pkg sync: Generating suricata.yaml file using Master Host settings...")); \$rebuild_rules = true; conf_mount_rw(); sync_suricata_package_config(); conf_mount_ro(); \$rebuild_rules = false; {$suricatastart} - log_error(gettext("[suricata] XMLRPC pkg CARP sync process on this host is complete...")); + log_error(gettext("[suricata] XMLRPC pkg sync process on this host is complete...")); \$pkg_interface = \$orig_pkg_interface; unset(\$g["suricata_sync_in_progress"]); return true; @@ -3574,21 +3575,21 @@ EOD; XML_RPC_encode($execcmd) ); - log_error("[suricata] Suricata XMLRPC CARP sync sending reload configuration cmd set as a file to {$url}:{$port}."); + log_error("[suricata] XMLRPC sync sending reload configuration cmd set as a file to {$url}:{$port}."); $msg = new XML_RPC_Message($method, $params); $cli = new XML_RPC_Client('/xmlrpc.php', $url, $port); $cli->setCredentials($username, $password); $resp = $cli->send($msg, $synctimeout); if (!$resp) { - $error = "A communications error occurred while attempting Suricata XMLRPC CARP sync with {$url}:{$port} (pfsense.exec_php)."; + $error = "A communications error occurred while attempting Suricata XMLRPC sync with {$url}:{$port} (pfsense.exec_php)."; log_error($error); file_notice("sync_settings", $error, "Suricata Settings Sync", ""); } elseif ($resp->faultCode()) { - $error = "An error code was received while attempting Suricata XMLRPC CARP sync with {$url}:{$port} - Code " . $resp->faultCode() . ": " . $resp->faultString(); + $error = "An error code was received while attempting Suricata XMLRPC sync with {$url}:{$port} - Code " . $resp->faultCode() . ": " . $resp->faultString(); log_error($error); file_notice("sync_settings", $error, "Suricata Settings Sync", ""); } else { - log_error("[suricata] Suricata pkg XMLRPC CARP sync reload configuration success with {$url}:{$port} (pfsense.exec_php)."); + log_error("[suricata] XMLRPC sync reload configuration success with {$url}:{$port} (pfsense.exec_php)."); } /*************************************************/ @@ -3600,19 +3601,19 @@ EOD; XML_RPC_encode($password), XML_RPC_encode($execcmd) ); - log_error("[suricata] Suricata XMLRPC CARP sync sending {$url}:{$port} cmd to execute configuration reload."); + log_error("[suricata] XMLRPC sync sending {$url}:{$port} cmd to execute configuration reload."); $msg2 = new XML_RPC_Message($method, $params2); $resp = $cli->send($msg2, $synctimeout); if (!$resp) { - $error = "A communications error occurred while attempting Suricata XMLRPC CARP sync with {$url}:{$port} (pfsense.exec_php)."; + $error = "A communications error occurred while attempting Suricata XMLRPC sync with {$url}:{$port} (pfsense.exec_php)."; log_error($error); file_notice("sync_settings", $error, "Suricata Settings Sync", ""); } elseif ($resp->faultCode()) { - $error = "An error code was received while attempting Suricata XMLRPC CARP sync with {$url}:{$port} - Code " . $resp->faultCode() . ": " . $resp->faultString(); + $error = "An error code was received while attempting Suricata XMLRPC sync with {$url}:{$port} - Code " . $resp->faultCode() . ": " . $resp->faultString(); log_error($error); file_notice("sync_settings", $error, "Suricata Settings Sync", ""); } else { - log_error("[suricata] Suricata pkg XMLRPC CARP sync reload configuration success with {$url}:{$port} (pfsense.exec_php)."); + log_error("[suricata] XMLRPC sync reload configuration success with {$url}:{$port} (pfsense.exec_php)."); } } diff --git a/config/suricata/suricata.xml b/config/suricata/suricata.xml index e2c4735c..7c7e9e80 100644 --- a/config/suricata/suricata.xml +++ b/config/suricata/suricata.xml @@ -42,7 +42,7 @@ </copyright> <description>Suricata IDS/IPS Package</description> <name>suricata</name> - <version>2.0.8 pkg v2.1.6</version> + <version>2.1.9</version> <title>Services: Suricata IDS</title> <include_file>/usr/local/pkg/suricata/suricata.inc</include_file> <menu> diff --git a/config/suricata/suricata_barnyard.php b/config/suricata/suricata_barnyard.php index c4e438ba..81c7c503 100644 --- a/config/suricata/suricata_barnyard.php +++ b/config/suricata/suricata_barnyard.php @@ -14,7 +14,7 @@ * All rights reserved. * * Adapted for Suricata by: - * Copyright (C) 2014 Bill Meeks + * Copyright (C) 2015 Bill Meeks * All rights reserved. * * Redistribution and use in source and binary forms, with or without @@ -86,6 +86,14 @@ if (isset($id) && $a_nat[$id]) { $pconfig['barnyard_bro_ids_dport'] = "47760"; if (empty($a_nat[$id]['barnyard_sensor_id'])) $pconfig['barnyard_sensor_id'] = "0"; + if (empty($pconfig['barnyard_xff_logging'])) + $pconfig['barnyard_xff_logging'] = "off"; + if (empty($pconfig['barnyard_xff_mode'])) + $pconfig['barnyard_xff_mode'] = "extra-data"; + if (empty($pconfig['barnyard_xff_deployment'])) + $pconfig['barnyard_xff_deployment'] = "reverse"; + if (empty($pconfig['barnyard_xff_header'])) + $pconfig['barnyard_xff_header'] = "X-Forwarded-For"; } if ($_POST['save']) { @@ -129,6 +137,9 @@ if ($_POST['save']) { $input_errors[] = gettext("The value for 'Sensor ID' must be a valid positive integer."); } + if (empty($_POST['barnyard_xff_header']) && $_POST['barnyard_xff_logging'] == "on") + $input_errors[] = gettext("The value for the X-Forwarded-For Header cannot be blank when X-Forwarded-For logging is enabled."); + // Validate inputs if MySQL database loggging enabled if ($_POST['barnyard_mysql_enable'] == 'on' && $_POST['barnyard_enable'] == "on") { if (empty($_POST['barnyard_dbhost'])) @@ -172,11 +183,13 @@ if ($_POST['save']) { $natent['barnyard_syslog_local'] = $_POST['barnyard_syslog_local'] ? 'on' : 'off'; $natent['barnyard_bro_ids_enable'] = $_POST['barnyard_bro_ids_enable'] ? 'on' : 'off'; $natent['barnyard_disable_sig_ref_tbl'] = $_POST['barnyard_disable_sig_ref_tbl'] ? 'on' : 'off'; + $natent['barnyard_xff_logging'] = $_POST['barnyard_xff_logging'] ? 'on' : 'off'; $natent['barnyard_syslog_opmode'] = $_POST['barnyard_syslog_opmode']; $natent['barnyard_syslog_proto'] = $_POST['barnyard_syslog_proto']; if ($_POST['barnyard_sensor_id']) $natent['barnyard_sensor_id'] = $_POST['barnyard_sensor_id']; else $natent['barnyard_sensor_id'] = '0'; if ($_POST['barnyard_sensor_name']) $natent['barnyard_sensor_name'] = $_POST['barnyard_sensor_name']; else unset($natent['barnyard_sensor_name']); + if ($_POST['barnyard_xff_header']) $natent['barnyard_xff_header'] = $_POST['barnyard_xff_header']; else $natent['barnyard_xff_header'] = 'X-Forwarded-For'; if ($_POST['barnyard_dbhost']) $natent['barnyard_dbhost'] = $_POST['barnyard_dbhost']; else unset($natent['barnyard_dbhost']); if ($_POST['barnyard_dbname']) $natent['barnyard_dbname'] = $_POST['barnyard_dbname']; else unset($natent['barnyard_dbname']); if ($_POST['barnyard_dbuser']) $natent['barnyard_dbuser'] = $_POST['barnyard_dbuser']; else unset($natent['barnyard_dbuser']); @@ -335,6 +348,56 @@ include_once("head.inc"); </td> </tr> <tr> + <td width="22%" valign="top" class="vncell"><?php echo gettext("X-Forwarded-For Logging"); ?></td> + <td width="78%" class="vtable"> + <input name="barnyard_xff_logging" id="barnyard_xff_logging" type="checkbox" value="on" <?php if ($pconfig['barnyard_xff_logging'] == "on") echo "checked"; ?> onClick="toggle_xff_log_options()"/> + <?php echo gettext("Enable logging of X-Forwarded-For IP addresses. Default value is ") . "<strong>" . gettext("Not Checked") . "</strong>"; ?> + </td> + </tr> + <tbody id="xff_options"> + <tr id="barnyard_xff_mode_row"> + <td width="22%" valign="top" class="vncell"><?php echo gettext("X-Forwarded-For Mode"); ?></td> + <td width="78%" class="vtable"> + <select name="barnyard_xff_mode" id="barnyard_xff_mode" class="formselect"> + <?php + $xff_modes = array( "extra-data", "overwrite" ); + foreach ($xff_modes as $mode) { + $selected = ""; + if ($mode == $pconfig['barnyard_xff_mode']) + $selected = " selected"; + echo "<option value='{$mode}'{$selected}>" . $mode . "</option>\n"; + } + ?></select> + <?php echo gettext("Select HTTP X-Forwarded-For Operation Mode. Default is ") . "<strong>" . gettext("extra-data") . "</strong>."; ?> + </td> + </tr> + <tr id="barnyard_xff_deployment_row"> + <td width="22%" valign="top" class="vncell"><?php echo gettext("X-Forwarded-For Deployment"); ?></td> + <td width="78%" class="vtable"> + <select name="barnyard_xff_deployment" id="barnyard_xff_deployment" class="formselect"> + <?php + $xff_deployments = array( "reverse", "forward" ); + foreach ($xff_deployments as $deployment) { + $selected = ""; + if ($mode == $pconfig['barnyard_xff_deployment']) + $selected = " selected"; + echo "<option value='{$deployment}'{$selected}>" . $deployment . "</option>\n"; + } + ?></select> + <?php echo gettext("Select HTTP X-Forwarded-For Deployment. Default is ") . "<strong>" . gettext("reverse") . "</strong>."; ?> + </td> + </tr> + <tr id="barnyard_xff_header_row"> + <td width="22%" valign="top" class="vncell"><?php echo gettext("X-Forwarded-For Header"); ?></td> + <td width="78%" class="vtable"> + <input name="barnyard_xff_header" type="text" class="formfld unknown" id="barnyard_xff_header" + size="18" value="<?=htmlspecialchars($pconfig['barnyard_xff_header']); ?>"/> + <?php echo gettext("Enter header where actual IP address is reported. Default is ") . "<strong>" . + gettext("X-Forwarded-For") . "</strong>."; ?><br/><br/><?php echo gettext("If more than one IP address is present, the last one will be used.") ?> + </td> + </tr> + </tbody> + <tr> <td colspan="2" valign="top" class="listtopic"><?php echo gettext("MySQL Database Output Settings"); ?></td> </tr> <tr> @@ -600,6 +663,16 @@ function toggle_bro_ids() { document.getElementById("bro_ids_config_rows").style.display = ""; } +function toggle_xff_log_options() { + var endis = !(document.iform.barnyard_xff_logging.checked); + if (endis) { + document.getElementById("xff_options").style.display = "none"; + } + else { + document.getElementById("xff_options").style.display = ""; + } +} + function enable_change(enable_change) { endis = !(document.iform.barnyard_enable.checked || enable_change); // make sure a default answer is called if this is invoked. @@ -610,6 +683,10 @@ function enable_change(enable_change) { document.iform.barnyard_obfuscate_ip.disabled = endis; document.iform.barnyard_sensor_id.disabled = endis; document.iform.barnyard_sensor_name.disabled = endis; + document.iform.barnyard_xff_logging.disabled = endis; + document.iform.barnyard_xff_mode.disabled = endis; + document.iform.barnyard_xff_deployment.disabled = endis; + document.iform.barnyard_xff_header.disabled = endis; document.iform.barnyard_mysql_enable.disabled = endis; document.iform.barnyard_dbhost.disabled = endis; document.iform.barnyard_dbname.disabled = endis; @@ -636,6 +713,7 @@ toggle_mySQL(); toggle_syslog(); toggle_local_syslog(); toggle_bro_ids(); +toggle_xff_log_options(); enable_change(false); </script> diff --git a/config/suricata/suricata_check_for_rule_updates.php b/config/suricata/suricata_check_for_rule_updates.php index 67334957..e245d71e 100644 --- a/config/suricata/suricata_check_for_rule_updates.php +++ b/config/suricata/suricata_check_for_rule_updates.php @@ -13,7 +13,7 @@ * All rights reserved. * * Adapted for Suricata by: - * Copyright (C) 2014 Bill Meeks + * Copyright (C) 2015 Bill Meeks * All rights reserved. * * Redistribution and use in source and binary forms, with or without @@ -43,7 +43,7 @@ require_once("service-utils.inc"); require_once("/usr/local/pkg/suricata/suricata.inc"); require_once("/usr/local/pkg/suricata/suricata_defs.inc"); -global $g, $pkg_interface, $suricata_gui_include, $rebuild_rules; +global $g, $pkg_interface, $suricata_gui_include, $rebuild_rules, $static_output; $suricatadir = SURICATADIR; $suricatalogdir = SURICATALOGDIR; @@ -264,7 +264,7 @@ function suricata_check_rule_md5($file_url, $file_dst, $desc = "") { /* error occurred. */ /**********************************************************/ - global $pkg_interface, $last_curl_error, $update_errors; + global $pkg_interface, $last_curl_error, $update_errors, $static_output; $suricatadir = SURICATADIR; $filename_md5 = basename($file_dst); @@ -301,7 +301,8 @@ function suricata_check_rule_md5($file_url, $file_dst, $desc = "") { $suricata_err_msg = gettext("Server returned error code {$rc}."); if ($pkg_interface <> "console") { update_status(gettext("{$desc} md5 error ... Server returned error code {$rc} ...")); - update_output_window(gettext("{$desc} will not be updated.\n\t{$suricata_err_msg}")); + $static_output .= gettext("{$desc} will not be updated.\n\t{$suricata_err_msg}"); + update_output_window($static_output); } log_error(gettext("[Suricata] {$desc} md5 download failed...")); log_error(gettext("[Suricata] Server returned error code {$rc}...")); @@ -333,7 +334,7 @@ function suricata_fetch_new_rules($file_url, $file_dst, $file_md5, $desc = "") { /* FALSE if download was not successful. */ /**********************************************************/ - global $pkg_interface, $last_curl_error, $update_errors; + global $pkg_interface, $last_curl_error, $update_errors, $static_output; $suricatadir = SURICATADIR; $filename = basename($file_dst); @@ -354,8 +355,10 @@ function suricata_fetch_new_rules($file_url, $file_dst, $file_md5, $desc = "") { // Test integrity of the rules file. Turn off update if file has wrong md5 hash if ($file_md5 != trim(md5_file($file_dst))){ - if ($pkg_interface <> "console") - update_output_window(gettext("{$desc} file MD5 checksum failed...")); + if ($pkg_interface <> "console") { + $static_output .= gettext("{$desc} file MD5 checksum failed!\n"); + update_output_window($static_output); + } log_error(gettext("[Suricata] {$desc} file download failed. Bad MD5 checksum...")); log_error(gettext("[Suricata] Downloaded File MD5: " . md5_file($file_dst))); log_error(gettext("[Suricata] Expected File MD5: {$file_md5}")); @@ -369,8 +372,10 @@ function suricata_fetch_new_rules($file_url, $file_dst, $file_md5, $desc = "") { return true; } else { - if ($pkg_interface <> "console") - update_output_window(gettext("{$desc} file download failed...")); + if ($pkg_interface <> "console") { + $static_output .= gettext("{$desc} file download failed!\n"); + update_output_window($static_output); + } log_error(gettext("[Suricata] {$desc} file download failed... server returned error '{$rc}'...")); error_log(gettext("\t{$desc} file download failed. Server returned error {$rc}.\n"), 3, SURICATA_RULES_UPD_LOGFILE); if ($pkg_interface == "console") @@ -451,7 +456,8 @@ if ($emergingthreats == 'on') { if (file_exists("{$tmpfname}/{$emergingthreats_filename}")) { if ($pkg_interface <> "console") { update_status(gettext("Extracting {$et_name} rules...")); - update_output_window(gettext("Installing {$et_name} rules...")); + $static_output .= gettext("Installing {$et_name} rules..."); + update_output_window($static_output); } error_log(gettext("\tExtracting and installing {$et_name} rules...\n"), 3, SURICATA_RULES_UPD_LOGFILE); exec("/usr/bin/tar xzf {$tmpfname}/{$emergingthreats_filename} -C {$tmpfname}/emerging rules/"); @@ -509,7 +515,8 @@ if ($emergingthreats == 'on') { } if ($pkg_interface <> "console") { update_status(gettext("Extraction of {$et_name} rules completed...")); - update_output_window(gettext("Installation of {$et_name} rules completed...")); + $static_output .= gettext(" done.\n"); + update_output_window($static_output); } error_log(gettext("\tInstallation of {$et_name} rules completed.\n"), 3, SURICATA_RULES_UPD_LOGFILE); rmdir_recursive("{$tmpfname}/emerging"); @@ -525,7 +532,8 @@ if ($snortdownload == 'on') { if ($pkg_interface <> "console") { update_status(gettext("Extracting Snort VRT rules...")); - update_output_window(gettext("Installing Sourcefire VRT rules...")); + $static_output .= gettext("Installing Sourcefire VRT rules..."); + update_output_window($static_output); } error_log(gettext("\tExtracting and installing Snort VRT rules...\n"), 3, SURICATA_RULES_UPD_LOGFILE); @@ -549,7 +557,6 @@ if ($snortdownload == 'on') { /* extract base etc files */ if ($pkg_interface <> "console") { update_status(gettext("Extracting Snort VRT config and map files...")); - update_output_window(gettext("Copying config and map files...")); } exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$tmpfname} etc/"); foreach (array("classification.config", "reference.config", "gen-msg.map", "unicode.map") as $file) { @@ -564,7 +571,8 @@ if ($snortdownload == 'on') { } if ($pkg_interface <> "console") { update_status(gettext("Extraction of Snort VRT rules completed...")); - update_output_window(gettext("Installation of Sourcefire VRT rules completed...")); + $static_output .= gettext(" done.\n"); + update_output_window($static_output); } error_log(gettext("\tInstallation of Snort VRT rules completed.\n"), 3, SURICATA_RULES_UPD_LOGFILE); } @@ -576,7 +584,8 @@ if ($snortcommunityrules == 'on') { if (file_exists("{$tmpfname}/{$snort_community_rules_filename}")) { if ($pkg_interface <> "console") { update_status(gettext("Extracting Snort GPLv2 Community Rules...")); - update_output_window(gettext("Installing Snort GPLv2 Community Rules...")); + $static_output .= gettext("Installing Snort GPLv2 Community Rules..."); + update_output_window($static_output); } error_log(gettext("\tExtracting and installing Snort GPLv2 Community Rules...\n"), 3, SURICATA_RULES_UPD_LOGFILE); exec("/usr/bin/tar xzf {$tmpfname}/{$snort_community_rules_filename} -C {$tmpfname}/community/"); @@ -599,7 +608,8 @@ if ($snortcommunityrules == 'on') { } if ($pkg_interface <> "console") { update_status(gettext("Extraction of Snort GPLv2 Community Rules completed...")); - update_output_window(gettext("Installation of Snort GPLv2 Community Rules file completed...")); + $static_output .= gettext(" done.\n"); + update_output_window($static_output); } error_log(gettext("\tInstallation of Snort GPLv2 Community Rules completed.\n"), 3, SURICATA_RULES_UPD_LOGFILE); rmdir_recursive("{$tmpfname}/community"); @@ -680,17 +690,20 @@ if ($snortdownload == 'on' || $emergingthreats == 'on' || $snortcommunityrules = $tmp = "Updating rules configuration for: " . convert_friendly_interface_to_friendly_descr($value['interface']) . " ..."; if ($pkg_interface <> "console"){ update_status(gettext($tmp)); - update_output_window(gettext("Please wait while Suricata interface files are being updated...")); + $static_output .= $tmp; + update_output_window($static_output); } suricata_apply_customizations($value, $if_real); $tmp = "\t" . $tmp . "\n"; error_log($tmp, 3, SURICATA_RULES_UPD_LOGFILE); + $static_output .= gettext(" done.\n"); + update_output_window($static_output); } } else { if ($pkg_interface <> "console") { - update_output_window(gettext("Warning: No interfaces configured for Suricata were found...")); - update_output_window(gettext("No interfaces currently have Suricata configured and enabled on them...")); + $static_output .= gettext("Warning: No interfaces configured for Suricata were found!\nNo interfaces currently have Suricata configured and enabled on them."); + update_output_window($static_output); } error_log(gettext("\tWarning: No interfaces configured for Suricata were found...\n"), 3, SURICATA_RULES_UPD_LOGFILE); } @@ -707,7 +720,6 @@ if ($snortdownload == 'on' || $emergingthreats == 'on' || $snortcommunityrules = if ($config['installedpackages']['suricata']['config'][0]['live_swap_updates'] == 'on') { if ($pkg_interface <> "console") { update_status(gettext('Signaling Suricata to live-load the new set of rules...')); - update_output_window(gettext("Please wait ... the process should complete in a few seconds...")); } log_error(gettext("[Suricata] Live-Reload of rules from auto-update is enabled...")); error_log(gettext("\tLive-Reload of updated rules is enabled...\n"), 3, SURICATA_RULES_UPD_LOGFILE); @@ -721,34 +733,37 @@ if ($snortdownload == 'on' || $emergingthreats == 'on' || $snortcommunityrules = else { if ($pkg_interface <> "console") { update_status(gettext('Restarting Suricata to activate the new set of rules...')); - update_output_window(gettext("Please wait ... restarting Suricata will take some time...")); + $static_output .= gettext("Restarting Suricata..."); + update_output_window($static_output); } error_log(gettext("\tRestarting Suricata to activate the new set of rules...\n"), 3, SURICATA_RULES_UPD_LOGFILE); restart_service("suricata"); - if ($pkg_interface <> "console") - update_output_window(gettext("Suricata has restarted with your new set of rules...")); + if ($pkg_interface <> "console") { + $static_output .= gettext(" done.\n"); + update_output_window($static_output); + } log_error(gettext("[Suricata] Suricata has restarted with your new set of rules...")); error_log(gettext("\tSuricata has restarted with your new set of rules.\n"), 3, SURICATA_RULES_UPD_LOGFILE); } } - else { - if ($pkg_interface <> "console") - update_output_window(gettext("The rules update task is complete...")); - } } // Remove old $tmpfname files if (is_dir("{$tmpfname}")) { if ($pkg_interface <> "console") { update_status(gettext("Cleaning up after rules extraction...")); - update_output_window(gettext("Removing {$tmpfname} directory...")); + $static_output .= gettext("Removing {$tmpfname} directory..."); + update_output_window($static_output); } rmdir_recursive("{$tmpfname}"); + $static_output .= gettext(" done.\n"); + update_output_window($static_output); } if ($pkg_interface <> "console") { update_status(gettext("The Rules update has finished...")); - update_output_window(""); + $static_output .= gettext("Rules update task complete.\n"); + update_output_window($static_output); } log_error(gettext("[Suricata] The Rules update has finished.")); error_log(gettext("The Rules update has finished. Time: " . date("Y-m-d H:i:s"). "\n\n"), 3, SURICATA_RULES_UPD_LOGFILE); diff --git a/config/suricata/suricata_flow_stream.php b/config/suricata/suricata_flow_stream.php index 9467ea7c..4be8dc35 100644 --- a/config/suricata/suricata_flow_stream.php +++ b/config/suricata/suricata_flow_stream.php @@ -14,7 +14,7 @@ * All rights reserved. * * Adapted for Suricata by: - * Copyright (C) 2014 Bill Meeks + * Copyright (C) 2015 Bill Meeks * All rights reserved. * * Redistribution and use in source and binary forms, with or without @@ -250,8 +250,11 @@ elseif ($_POST['ResetAll']) { $pconfig['flow_icmp_emerg_new_timeout'] = '10'; $pconfig['flow_icmp_emerg_established_timeout'] = '100'; - $pconfig['stream_memcap'] = '33554432'; + // The default 'stream_memcap' value must be calculated as follows: + // 216 * prealloc_sessions * number of threads = memory use in bytes + // 64 MB is a decent all-around default, but some setups need more. $pconfig['stream_prealloc_sessions'] = '32768'; + $pconfig['stream_memcap'] = '67108864'; $pconfig['reassembly_memcap'] = '67108864'; $pconfig['reassembly_depth'] = '1048576'; $pconfig['reassembly_to_server_chunk'] = '2560'; @@ -298,7 +301,7 @@ elseif ($_POST['save'] || $_POST['apply']) { if ($_POST['flow_icmp_emerg_new_timeout'] != "") { $natent['flow_icmp_emerg_new_timeout'] = $_POST['flow_icmp_emerg_new_timeout']; }else{ $natent['flow_icmp_emerg_new_timeout'] = "10"; } if ($_POST['flow_icmp_emerg_established_timeout'] != "") { $natent['flow_icmp_emerg_established_timeout'] = $_POST['flow_icmp_emerg_established_timeout']; }else{ $natent['flow_icmp_emerg_established_timeout'] = "100"; } - if ($_POST['stream_memcap'] != "") { $natent['stream_memcap'] = $_POST['stream_memcap']; }else{ $natent['stream_memcap'] = "33554432"; } + if ($_POST['stream_memcap'] != "") { $natent['stream_memcap'] = $_POST['stream_memcap']; }else{ $natent['stream_memcap'] = "67108864"; } if ($_POST['stream_prealloc_sessions'] != "") { $natent['stream_prealloc_sessions'] = $_POST['stream_prealloc_sessions']; }else{ $natent['stream_prealloc_sessions'] = "32768"; } if ($_POST['enable_midstream_sessions'] == "on") { $natent['enable_midstream_sessions'] = 'on'; }else{ $natent['enable_midstream_sessions'] = 'off'; } if ($_POST['enable_async_sessions'] == "on") { $natent['enable_async_sessions'] = 'on'; }else{ $natent['enable_async_sessions'] = 'off'; } @@ -764,8 +767,11 @@ if ($savemsg) { <input name="stream_memcap" type="text" class="formfld unknown" id="stream_memcap" size="9" value="<?=htmlspecialchars($pconfig['stream_memcap']);?>"> <?php echo gettext("Max memory to be used by stream engine. Default is ") . - "<strong>" . gettext("33,554,432") . "</strong>" . gettext(" bytes (32MB)"); ?><br/><br/> - <?php echo gettext("Sets the maximum amount of memory, in bytes, to be used by the stream engine."); ?> + "<strong>" . gettext("67,108,864") . "</strong>" . gettext(" bytes (64MB)"); ?><br/><br/> + <?php echo gettext("Sets the maximum amount of memory, in bytes, to be used by the stream engine. ");?><br/> + <span class="red"><strong><?php echo gettext("Note: ") . "</strong></span>" . + gettext("This number will likely need to be increased beyond the default value in systems with more than 4 processor cores. " . + "If Suricata fails to start and logs a memory allocation error, increase this value in 4 MB chunks until Suricata starts successfully."); ?> </td> </tr> <tr> diff --git a/config/suricata/suricata_generate_yaml.php b/config/suricata/suricata_generate_yaml.php index 328702b9..3394ad4c 100644 --- a/config/suricata/suricata_generate_yaml.php +++ b/config/suricata/suricata_generate_yaml.php @@ -292,6 +292,7 @@ if (!empty($suricatacfg['max_pcap_log_files'])) else $pcap_log_max_files = "1000"; +// Unified2 Alert Log Settings if ($suricatacfg['barnyard_enable'] == 'on') $barnyard2_enabled = "yes"; else @@ -307,6 +308,28 @@ if (isset($suricatacfg['barnyard_sensor_id'])) else $unified2_sensor_id = "0"; +// Unified2 X-Forwarded-For logging options +if ($suricatacfg['barnyard_xff_logging'] == 'on') { + $unified2_xff_output = "xff:"; + $unified2_xff_output .= "\n enabled: yes"; + if (!empty($suricatacfg['barnyard_xff_mode'])) + $unified2_xff_output .= "\n mode: {$suricatacfg['barnyard_xff_mode']}"; + else + $unified2_xff_output .= "\n mode: extra-data"; + if (!empty($suricatacfg['barnyard_xff_deployment'])) + $unified2_xff_output .= "\n deployment: {$suricatacfg['barnyard_xff_deployment']}"; + else + $unified2_xff_output .= "\n deployment: reverse"; + if (!empty($suricatacfg['barnyard_xff_header'])) + $unified2_xff_output .= "\n header: {$suricatacfg['barnyard_xff_header']}"; + else + $unified2_xff_output .= "\n header: X-Forwarded-For"; +} +else { + $unified2_xff_output = "xff:"; + $unified2_xff_output .= "\n enabled: no"; +} + // EVE JSON log output settings if ($suricatacfg['enable_eve_log'] == 'on') $enable_eve_log = "yes"; @@ -494,7 +517,7 @@ else if (!empty($suricatacfg['stream_memcap'])) $stream_memcap = $suricatacfg['stream_memcap']; else - $stream_memcap = "33554432"; + $stream_memcap = "67108864"; if (!empty($suricatacfg['stream_prealloc_sessions'])) $stream_prealloc_sessions = $suricatacfg['stream_prealloc_sessions']; diff --git a/config/suricata/suricata_global.php b/config/suricata/suricata_global.php index 013cde3e..26fbd12e 100644 --- a/config/suricata/suricata_global.php +++ b/config/suricata/suricata_global.php @@ -308,7 +308,7 @@ if ($input_errors) <td><input name="snort_rules_file" type="text" class="formfld unknown" id="snort_rules_file" size="52" value="<?=htmlspecialchars($pconfig['snort_rules_file']);?>"/><br/> <?php echo gettext("Enter the rules tarball filename (filename only, do not include the URL.)"); ?> - <br/><span class="red"><strong><?php echo gettext("Example: ") . "</strong></span>" . gettext("snortrules-snapshot-2962.tar.gz");?><br/><br/></td> + <br/><span class="red"><strong><?php echo gettext("Example: ") . "</strong></span>" . gettext("snortrules-snapshot-2976.tar.gz");?><br/><br/></td> </tr> <tr> <td valign="top" align="right"><span class="vexpl"><strong><?php echo gettext("Oinkmaster Code:"); ?></strong></span> </td> diff --git a/config/suricata/suricata_interfaces_edit.php b/config/suricata/suricata_interfaces_edit.php index 4319182d..f188194d 100644 --- a/config/suricata/suricata_interfaces_edit.php +++ b/config/suricata/suricata_interfaces_edit.php @@ -372,7 +372,7 @@ if ($_POST["save"] && !$input_errors) { $natent['flow_icmp_emerg_new_timeout'] = '10'; $natent['flow_icmp_emerg_established_timeout'] = '100'; - $natent['stream_memcap'] = '33554432'; + $natent['stream_memcap'] = '67108864'; $natent['stream_prealloc_sessions'] = '32768'; $natent['reassembly_memcap'] = '67108864'; $natent['reassembly_depth'] = '1048576'; diff --git a/config/suricata/suricata_migrate_config.php b/config/suricata/suricata_migrate_config.php index 2fd5f96e..4a4a489f 100644 --- a/config/suricata/suricata_migrate_config.php +++ b/config/suricata/suricata_migrate_config.php @@ -471,6 +471,26 @@ foreach ($rule as &$r) { $updated_cfg = true; } + /**********************************************************/ + /* Create interface Unified2 XFF log settings if not set */ + /**********************************************************/ + if (!isset($pconfig['barnyard_xff_logging'])) { + $pconfig['barnyard_xff_logging'] = "off"; + $updated_cfg = true; + } + if (!isset($pconfig['barnyard_xff_mode'])) { + $pconfig['barnyard_xff_mode'] = "extra-data"; + $updated_cfg = true; + } + if (!isset($pconfig['barnyard_xff_deployment'])) { + $pconfig['barnyard_xff_deployment'] = "reverse"; + $updated_cfg = true; + } + if (empty($pconfig['barnyard_xff_header'])) { + $pconfig['barnyard_xff_header'] = "X-Forwarded-For"; + $updated_cfg = true; + } + // Save the new configuration data into the $config array pointer $r = $pconfig; } diff --git a/config/suricata/suricata_post_install.php b/config/suricata/suricata_post_install.php index ea1d7b0a..42722d79 100644 --- a/config/suricata/suricata_post_install.php +++ b/config/suricata/suricata_post_install.php @@ -13,7 +13,7 @@ * All rights reserved. * * Adapted for Suricata by: - * Copyright (C) 2014 Bill Meeks + * Copyright (C) 2015 Bill Meeks * All rights reserved. * * Redistribution and use in source and binary forms, with or without @@ -50,7 +50,7 @@ require_once("functions.inc"); require_once("/usr/local/pkg/suricata/suricata.inc"); require("/usr/local/pkg/suricata/suricata_defs.inc"); -global $config, $g, $rebuild_rules, $pkg_interface, $suricata_gui_include; +global $config, $g, $rebuild_rules, $pkg_interface, $suricata_gui_include, $static_output; /**************************************** * Define any new constants here that * @@ -201,11 +201,12 @@ if ($config['installedpackages']['suricata']['config'][0]['forcekeepsettings'] = /****************************************************************/ /* Do one-time settings migration for new version configuration */ - update_output_window(gettext("Please wait... migrating settings to new configuration...")); + $static_output .= gettext("\nMigrating settings to new configuration..."); + update_output_window($static_output); include('/usr/local/pkg/suricata/suricata_migrate_config.php'); - update_output_window(gettext("Please wait... rebuilding installation with saved settings...")); + $static_output .= gettext(" done.\n"); + update_output_window($static_output); log_error(gettext("[Suricata] Downloading and updating configured rule types...")); - update_output_window(gettext("Please wait... downloading and updating configured rule types...")); if ($pkg_interface <> "console") $suricata_gui_include = true; include('/usr/local/pkg/suricata/suricata_check_for_rule_updates.php'); @@ -219,7 +220,8 @@ if ($config['installedpackages']['suricata']['config'][0]['forcekeepsettings'] = $if_real = get_real_interface($suricatacfg['interface']); $suricata_uuid = $suricatacfg['uuid']; $suricatacfgdir = "{$suricatadir}suricata_{$suricata_uuid}_{$if_real}"; - update_output_window(gettext("Generating configuration for " . convert_friendly_interface_to_friendly_descr($suricatacfg['interface']) . "...")); + $static_output .= gettext("Generating YAML configuration file for " . convert_friendly_interface_to_friendly_descr($suricatacfg['interface']) . "..."); + update_output_window($static_output); // Pull in the PHP code that generates the suricata.yaml file // variables that will be substituted further down below. @@ -238,6 +240,9 @@ if ($config['installedpackages']['suricata']['config'][0]['forcekeepsettings'] = // create barnyard2.conf file for interface if ($suricatacfg['barnyard_enable'] == 'on') suricata_generate_barnyard2_conf($suricatacfg, $if_real); + + $static_output .= gettext(" done.\n"); + update_output_window($static_output); } // create Suricata bootup file suricata.sh @@ -259,17 +264,21 @@ if ($config['installedpackages']['suricata']['config'][0]['forcekeepsettings'] = } $rebuild_rules = false; - if ($pkg_interface <> "console") - update_output_window(gettext("Finished rebuilding Suricata configuration files...")); + if ($pkg_interface <> "console") { + $static_output .= gettext("Finished rebuilding Suricata configuration from saved settings.\n"); + update_output_window($static_output); + } log_error(gettext("[Suricata] Finished rebuilding installation from saved settings...")); // Only try to start Suricata if not in reboot if (!$g['booting']) { if ($pkg_interface <> "console") { update_status(gettext("Starting Suricata using rebuilt configuration...")); - update_output_window(gettext("Please wait while Suricata is started...")); + $static_output .= gettext("Starting Suricata using the rebuilt configuration..."); + update_output_window($static_output); mwexec_bg("{$rcdir}suricata.sh start"); - update_output_window(gettext("Suricata is starting as a background task using the rebuilt configuration...")); + $static_output .= gettext(" done.\n"); + update_output_window($static_output); } else mwexec_bg("{$rcdir}suricata.sh start"); @@ -291,6 +300,7 @@ write_config("Suricata pkg v{$config['installedpackages']['package'][get_pkg_id( // Done with post-install, so clear flag unset($g['suricata_postinstall']); log_error(gettext("[Suricata] Package post-installation tasks completed...")); +update_status(""); return true; ?> diff --git a/config/suricata/suricata_sync.xml b/config/suricata/suricata_sync.xml index 28083d8d..c2f5ec83 100644 --- a/config/suricata/suricata_sync.xml +++ b/config/suricata/suricata_sync.xml @@ -1,56 +1,49 @@ <?xml version="1.0" encoding="utf-8" ?> -<!DOCTYPE packagegui SYSTEM "./schema/packages.dtd"> -<?xml-stylesheet type="text/xsl" href="./xsl/package.xsl"?> +<!DOCTYPE packagegui SYSTEM "../schema/packages.dtd"> +<?xml-stylesheet type="text/xsl" href="../xsl/package.xsl"?> <packagegui> - <copyright> + <copyright> <![CDATA[ /* $Id$ */ -/* ========================================================================== */ +/* ====================================================================================== */ /* -based on snortsync.xml developed as part -of pfSense (http://www.pfSense.com) -Copyright (C) 2013 Marcello Coutinho -based on pfblocker_sync.xml -All rights reserved. - -modified for use with Suricata package -Copyright (C) 2014 Bill Meeks -All rights reserved. - -Based on m0n0wall (http://m0n0.ch/wall) -Copyright (C) 2003-2006 Manuel Kasper <mk@neon1.net>. -All rights reserved. + suricata_sync.xml + part of pfSense (https://www.pfSense.org/) + Copyright (C) 2013 Marcello Coutinho + Copyright (C) 2014-2015 Bill Meeks + Copyright (C) 2015 ESF, LLC + All rights reserved. */ -/* ========================================================================== */ +/* ====================================================================================== */ /* -Redistribution and use in source and binary forms, with or without -modification, are permitted provided that the following conditions are met: + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. -1. Redistributions of source code MUST retain the above copyright notice, -this list of conditions and the following disclaimer. + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. -2. Redistributions in binary form MUST reproduce the above copyright -notice, this list of conditions and the following disclaimer in the -documentation and/or other materials provided with the distribution. -THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, -INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY -AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE -AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, -OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF -SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS -INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN -CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) -ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE -POSSIBILITY OF SUCH DAMAGE. + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. */ -/* ========================================================================== */ -]]></copyright> - <description><![CDATA[Describe your package here]]></description> - <requirements>Describe your package requirements here</requirements> - <faq>Currently there are no FAQ items provided.</faq> +/* ====================================================================================== */ + ]]> + </copyright> <name>suricatasync</name> - <version>1.0</version> + <version>2.1.8</version> <title>Suricata: XMLRPC Sync</title> <include_file>/usr/local/pkg/suricata/suricata.inc</include_file> <tabs> @@ -183,11 +176,11 @@ POSSIBILITY OF SUCH DAMAGE. </options> </rowhelperfield> <rowhelperfield> - <fielddescr>IP-Address</fielddescr> + <fielddescr>IP Address/Hostname</fielddescr> <fieldname>varsyncipaddress</fieldname> - <description><![CDATA[IP Address of the destination host.]]></description> + <description><![CDATA[IP address or hostname of the destination host.]]></description> <type>input</type> - <size>15</size> + <size>40</size> </rowhelperfield> <rowhelperfield> <fielddescr>Port</fielddescr> @@ -213,8 +206,6 @@ POSSIBILITY OF SUCH DAMAGE. </rowhelper> </field> </fields> - <custom_delete_php_command> - </custom_delete_php_command> <custom_php_resync_config_command> write_config("Suricata pkg: updating CARP sync info.");suricata_sync_on_changes(); </custom_php_resync_config_command> diff --git a/config/suricata/suricata_yaml_template.inc b/config/suricata/suricata_yaml_template.inc index a8b06ebe..82723958 100644 --- a/config/suricata/suricata_yaml_template.inc +++ b/config/suricata/suricata_yaml_template.inc @@ -54,6 +54,7 @@ outputs: filename: unified2.alert limit: {$unified2_log_limit} sensor-id: {$unified2_sensor_id} + {$unified2_xff_output} - http-log: enabled: {$http_log_enabled} |