Diffstat (limited to 'config/suricata')
-rw-r--r-- | config/suricata/suricata_barnyard.php | 80 | ||||
-rw-r--r-- | config/suricata/suricata_generate_yaml.php | 23 | ||||
-rw-r--r-- | config/suricata/suricata_migrate_config.php | 20 | ||||
-rw-r--r-- | config/suricata/suricata_yaml_template.inc | 1 |
4 files changed, 123 insertions, 1 deletions
diff --git a/config/suricata/suricata_barnyard.php b/config/suricata/suricata_barnyard.php index c4e438ba..81c7c503 100644 --- a/config/suricata/suricata_barnyard.php +++ b/config/suricata/suricata_barnyard.php @@ -14,7 +14,7 @@ * All rights reserved. * * Adapted for Suricata by: - * Copyright (C) 2014 Bill Meeks + * Copyright (C) 2015 Bill Meeks * All rights reserved. * * Redistribution and use in source and binary forms, with or without @@ -86,6 +86,14 @@ if (isset($id) && $a_nat[$id]) { $pconfig['barnyard_bro_ids_dport'] = "47760"; if (empty($a_nat[$id]['barnyard_sensor_id'])) $pconfig['barnyard_sensor_id'] = "0"; + if (empty($pconfig['barnyard_xff_logging'])) + $pconfig['barnyard_xff_logging'] = "off"; + if (empty($pconfig['barnyard_xff_mode'])) + $pconfig['barnyard_xff_mode'] = "extra-data"; + if (empty($pconfig['barnyard_xff_deployment'])) + $pconfig['barnyard_xff_deployment'] = "reverse"; + if (empty($pconfig['barnyard_xff_header'])) + $pconfig['barnyard_xff_header'] = "X-Forwarded-For"; } if ($_POST['save']) { @@ -129,6 +137,9 @@ if ($_POST['save']) { $input_errors[] = gettext("The value for 'Sensor ID' must be a valid positive integer."); } + if (empty($_POST['barnyard_xff_header']) && $_POST['barnyard_xff_logging'] == "on") + $input_errors[] = gettext("The value for the X-Forwarded-For Header cannot be blank when X-Forwarded-For logging is enabled."); + // Validate inputs if MySQL database loggging enabled if ($_POST['barnyard_mysql_enable'] == 'on' && $_POST['barnyard_enable'] == "on") { if (empty($_POST['barnyard_dbhost'])) 
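Review bot: The new check in the -129 hunk only rejects a blank `barnyard_xff_header` and never constrains its format, yet the -172 save hunk stores `$_POST['barnyard_xff_header']` verbatim and suricata_generate_yaml.php interpolates it unquoted into the YAML (`"\n header: {$suricatacfg['barnyard_xff_header']}"`), so a value containing a newline, `:` or `#` would alter the structure of the generated suricata.yaml rather than just name a header. Restrict it to a header-name token, e.g. `if ($_POST['barnyard_xff_logging'] == "on" && !preg_match('/^[A-Za-z0-9-]+$/', $_POST['barnyard_xff_header'])) $input_errors[] = gettext("The X-Forwarded-For Header must contain only letters, digits and hyphens.");`. The posted `barnyard_xff_mode` and `barnyard_xff_deployment` values are not validated against their two allowed choices either, and the visible part of the -172 save hunk does not store them at all, so the two new selects appear to have no effect on the generated configuration. The enclosing `if ($_POST['save'])` block starts before this hunk.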
@@ -172,11 +183,13 @@ if ($_POST['save']) { $natent['barnyard_syslog_local'] = $_POST['barnyard_syslog_local'] ? 'on' : 'off'; $natent['barnyard_bro_ids_enable'] = $_POST['barnyard_bro_ids_enable'] ? 'on' : 'off'; $natent['barnyard_disable_sig_ref_tbl'] = $_POST['barnyard_disable_sig_ref_tbl'] ? 'on' : 'off'; + $natent['barnyard_xff_logging'] = $_POST['barnyard_xff_logging'] ? 'on' : 'off'; $natent['barnyard_syslog_opmode'] = $_POST['barnyard_syslog_opmode']; $natent['barnyard_syslog_proto'] = $_POST['barnyard_syslog_proto']; if ($_POST['barnyard_sensor_id']) $natent['barnyard_sensor_id'] = $_POST['barnyard_sensor_id']; else $natent['barnyard_sensor_id'] = '0'; if ($_POST['barnyard_sensor_name']) $natent['barnyard_sensor_name'] = $_POST['barnyard_sensor_name']; else unset($natent['barnyard_sensor_name']); + if ($_POST['barnyard_xff_header']) $natent['barnyard_xff_header'] = $_POST['barnyard_xff_header']; else $natent['barnyard_xff_header'] = 'X-Forwarded-For'; if ($_POST['barnyard_dbhost']) $natent['barnyard_dbhost'] = $_POST['barnyard_dbhost']; else unset($natent['barnyard_dbhost']); if ($_POST['barnyard_dbname']) $natent['barnyard_dbname'] = $_POST['barnyard_dbname']; else unset($natent['barnyard_dbname']); if ($_POST['barnyard_dbuser']) $natent['barnyard_dbuser'] = $_POST['barnyard_dbuser']; else unset($natent['barnyard_dbuser']); 
@@ -335,6 +348,56 @@ include_once("head.inc"); </td> </tr> <tr> + <td width="22%" valign="top" class="vncell"><?php echo gettext("X-Forwarded-For Logging"); ?></td> + <td width="78%" class="vtable"> + <input name="barnyard_xff_logging" id="barnyard_xff_logging" type="checkbox" value="on" <?php if ($pconfig['barnyard_xff_logging'] == "on") echo "checked"; ?> onClick="toggle_xff_log_options()"/> + <?php echo gettext("Enable logging of X-Forwarded-For IP addresses. Default value is ") . "<strong>" . gettext("Not Checked") . "</strong>"; ?> + </td> + </tr> + <tbody id="xff_options"> + <tr id="barnyard_xff_mode_row"> + <td width="22%" valign="top" class="vncell"><?php echo gettext("X-Forwarded-For Mode"); ?></td> + <td width="78%" class="vtable"> + <select name="barnyard_xff_mode" id="barnyard_xff_mode" class="formselect"> + <?php + $xff_modes = array( "extra-data", "overwrite" ); + foreach ($xff_modes as $mode) { + $selected = ""; + if ($mode == $pconfig['barnyard_xff_mode']) + $selected = " selected"; + echo "<option value='{$mode}'{$selected}>" . $mode . "</option>\n"; + } + ?></select> + <?php echo gettext("Select HTTP X-Forwarded-For Operation Mode. Default is ") . "<strong>" . gettext("extra-data") . "</strong>."; ?> + </td> + </tr> + <tr id="barnyard_xff_deployment_row"> + <td width="22%" valign="top" class="vncell"><?php echo gettext("X-Forwarded-For Deployment"); ?></td> + <td width="78%" class="vtable"> + <select name="barnyard_xff_deployment" id="barnyard_xff_deployment" class="formselect"> + <?php + $xff_deployments = array( "reverse", "forward" ); + foreach ($xff_deployments as $deployment) { + $selected = ""; + if ($mode == $pconfig['barnyard_xff_deployment']) + $selected = " selected"; + echo "<option value='{$deployment}'{$selected}>" . $deployment . "</option>\n"; + } + ?></select> + <?php echo gettext("Select HTTP X-Forwarded-For Deployment. Default is ") . "<strong>" . gettext("reverse") . 
"</strong>."; ?> + </td> + </tr> + <tr id="barnyard_xff_header_row"> + <td width="22%" valign="top" class="vncell"><?php echo gettext("X-Forwarded-For Header"); ?></td> + <td width="78%" class="vtable"> + <input name="barnyard_xff_header" type="text" class="formfld unknown" id="barnyard_xff_header" + size="18" value="<?=htmlspecialchars($pconfig['barnyard_xff_header']); ?>"/> + <?php echo gettext("Enter header where actual IP address is reported. Default is ") . "<strong>" . + gettext("X-Forwarded-For") . "</strong>."; ?><br/><br/><?php echo gettext("If more than one IP address is present, the last one will be used.") ?> + </td> + </tr> + </tbody> + <tr> <td colspan="2" valign="top" class="listtopic"><?php echo gettext("MySQL Database Output Settings"); ?></td> </tr> <tr> @@ -600,6 +663,16 @@ function toggle_bro_ids() { document.getElementById("bro_ids_config_rows").style.display = ""; } +function toggle_xff_log_options() { + var endis = !(document.iform.barnyard_xff_logging.checked); + if (endis) { + document.getElementById("xff_options").style.display = "none"; + } + else { + document.getElementById("xff_options").style.display = ""; + } +} + function enable_change(enable_change) { endis = !(document.iform.barnyard_enable.checked || enable_change); // make sure a default answer is called if this is invoked. @@ -610,6 +683,10 @@ function enable_change(enable_change) { document.iform.barnyard_obfuscate_ip.disabled = endis; document.iform.barnyard_sensor_id.disabled = endis; document.iform.barnyard_sensor_name.disabled = endis; + document.iform.barnyard_xff_logging.disabled = endis; + document.iform.barnyard_xff_mode.disabled = endis; + document.iform.barnyard_xff_deployment.disabled = endis; + document.iform.barnyard_xff_header.disabled = endis; document.iform.barnyard_mysql_enable.disabled = endis; document.iform.barnyard_dbhost.disabled = endis; document.iform.barnyard_dbname.disabled = endis; 
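Review bot: In the X-Forwarded-For Deployment select, the option loop compares `$mode` instead of `$deployment` (`if ($mode == $pconfig['barnyard_xff_deployment'])`), so it reads the leftover value from the preceding mode loop and the stored deployment is never rendered as selected; it should be `if ($deployment == $pconfig['barnyard_xff_deployment'])`. Both loops also echo the option value unescaped; the values are fixed literals here, so this is harmless today, but `htmlspecialchars($mode)` / `htmlspecialchars($deployment)` would keep the pattern safe if the lists are ever built from config. The surrounding table and form begin outside this hunk.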
@@ -636,6 +713,7 @@ toggle_mySQL(); toggle_syslog(); toggle_local_syslog(); toggle_bro_ids(); +toggle_xff_log_options(); enable_change(false); </script> diff --git a/config/suricata/suricata_generate_yaml.php b/config/suricata/suricata_generate_yaml.php index 73a56cb6..3394ad4c 100644 --- a/config/suricata/suricata_generate_yaml.php +++ b/config/suricata/suricata_generate_yaml.php @@ -292,6 +292,7 @@ if (!empty($suricatacfg['max_pcap_log_files'])) else $pcap_log_max_files = "1000"; +// Unified2 Alert Log Settings if ($suricatacfg['barnyard_enable'] == 'on') $barnyard2_enabled = "yes"; else @@ -307,6 +308,28 @@ if (isset($suricatacfg['barnyard_sensor_id'])) else $unified2_sensor_id = "0"; +// Unified2 X-Forwarded-For logging options +if ($suricatacfg['barnyard_xff_logging'] == 'on') { + $unified2_xff_output = "xff:"; + $unified2_xff_output .= "\n enabled: yes"; + if (!empty($suricatacfg['barnyard_xff_mode'])) + $unified2_xff_output .= "\n mode: {$suricatacfg['barnyard_xff_mode']}"; + else + $unified2_xff_output .= "\n mode: extra-data"; + if (!empty($suricatacfg['barnyard_xff_deployment'])) + $unified2_xff_output .= "\n deployment: {$suricatacfg['barnyard_xff_deployment']}"; + else + $unified2_xff_output .= "\n deployment: reverse"; + if (!empty($suricatacfg['barnyard_xff_header'])) + $unified2_xff_output .= "\n header: {$suricatacfg['barnyard_xff_header']}"; + else + $unified2_xff_output .= "\n header: X-Forwarded-For"; +} +else { + $unified2_xff_output = "xff:"; + $unified2_xff_output .= "\n enabled: no"; +} + // EVE JSON log output settings if ($suricatacfg['enable_eve_log'] == 'on') $enable_eve_log = "yes"; diff --git a/config/suricata/suricata_migrate_config.php b/config/suricata/suricata_migrate_config.php index 2fd5f96e..8cf69ba6 100644 --- a/config/suricata/suricata_migrate_config.php +++ b/config/suricata/suricata_migrate_config.php 
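Review bot: In the -307 hunk of suricata_generate_yaml.php the continuation lines of `$unified2_xff_output` carry their own leading spaces, so the YAML nesting of `enabled:`/`mode:`/`deployment:`/`header:` depends on those literal spaces matching the indentation of the `{$unified2_xff_output}` placeholder in suricata_yaml_template.inc, which only indents the first line (`xff:`); the exact space counts are not recoverable from this view, so a comment such as `// Continuation lines must carry the same indentation as the {$unified2_xff_output} placeholder in suricata_yaml_template.inc` would save the next maintainer a parse error. The `$unified2_xff_output = "xff:";` assignment is duplicated in both branches and can be hoisted above the `if`. The fallback values `extra-data`, `reverse` and `X-Forwarded-For` are now spelled out here, in suricata_barnyard.php and in suricata_migrate_config.php, where they will drift unless defined once.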
@@ -471,6 +471,26 @@ foreach ($rule as &$r) { $updated_cfg = true; } + /**********************************************************/ + /* Create interface Unified2 XFF log settings if not set */ + /**********************************************************/ + if (!isset($pconfig['barnyard_log_xff'])) { + $pconfig['barnyard_log_xff'] = "off"; + $updated_cfg = true; + } + if (!isset($pconfig['barnyard_xff_mode'])) { + $pconfig['barnyard_xff_mode'] = "extra-data"; + $updated_cfg = true; + } + if (!isset($pconfig['barnyard_xff_deployment'])) { + $pconfig['barnyard_xff_deployment'] = "reverse"; + $updated_cfg = true; + } + if (empty($pconfig['barnyard_xff_header'])) { + $pconfig['barnyard_xff_header'] = "X-Forwarded-For"; + $updated_cfg = true; + } + // Save the new configuration data into the $config array pointer $r = $pconfig; } diff --git a/config/suricata/suricata_yaml_template.inc b/config/suricata/suricata_yaml_template.inc index a8b06ebe..82723958 100644 --- a/config/suricata/suricata_yaml_template.inc +++ b/config/suricata/suricata_yaml_template.inc @@ -54,6 +54,7 @@ outputs: filename: unified2.alert limit: {$unified2_log_limit} sensor-id: {$unified2_sensor_id} + {$unified2_xff_output} - http-log: enabled: {$http_log_enabled} |
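Review bot: The migration writes its default to `$pconfig['barnyard_log_xff']`, but the form, the save code in suricata_barnyard.php and suricata_generate_yaml.php all read `barnyard_xff_logging`, so this block adds a key nothing consumes and leaves the real setting unmigrated; change it to `if (!isset($pconfig['barnyard_xff_logging'])) {` / `$pconfig['barnyard_xff_logging'] = "off";`. The header check uses `empty()` where the three sibling checks use `!isset()`; it is harmless because the form rejects a blank header, but the mixed style hides which case is intended. The enclosing `foreach ($rule as &$r)` loop starts before this hunk.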