Diffstat (limited to 'config/suricata')
-rw-r--r--config/suricata/suricata.xml2
-rw-r--r--config/suricata/suricata_barnyard.php80
-rw-r--r--config/suricata/suricata_check_for_rule_updates.php73
-rw-r--r--config/suricata/suricata_flow_stream.php16
-rw-r--r--config/suricata/suricata_generate_yaml.php25
-rw-r--r--config/suricata/suricata_global.php2
-rw-r--r--config/suricata/suricata_interfaces_edit.php2
-rw-r--r--config/suricata/suricata_migrate_config.php20
-rw-r--r--config/suricata/suricata_post_install.php30
-rw-r--r--config/suricata/suricata_yaml_template.inc1
10 files changed, 202 insertions, 49 deletions
diff --git a/config/suricata/suricata.xml b/config/suricata/suricata.xml
index e2c4735c..7c7e9e80 100644
--- a/config/suricata/suricata.xml
+++ b/config/suricata/suricata.xml
@@ -42,7 +42,7 @@
</copyright>
<description>Suricata IDS/IPS Package</description>
<name>suricata</name>
- <version>2.0.8 pkg v2.1.6</version>
+ <version>2.1.9</version>
<title>Services: Suricata IDS</title>
<include_file>/usr/local/pkg/suricata/suricata.inc</include_file>
<menu>
diff --git a/config/suricata/suricata_barnyard.php b/config/suricata/suricata_barnyard.php
index c4e438ba..81c7c503 100644
--- a/config/suricata/suricata_barnyard.php
+++ b/config/suricata/suricata_barnyard.php
@@ -14,7 +14,7 @@
* All rights reserved.
*
* Adapted for Suricata by:
- * Copyright (C) 2014 Bill Meeks
+ * Copyright (C) 2015 Bill Meeks
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
@@ -86,6 +86,14 @@ if (isset($id) && $a_nat[$id]) {
$pconfig['barnyard_bro_ids_dport'] = "47760";
if (empty($a_nat[$id]['barnyard_sensor_id']))
$pconfig['barnyard_sensor_id'] = "0";
+ if (empty($pconfig['barnyard_xff_logging']))
+ $pconfig['barnyard_xff_logging'] = "off";
+ if (empty($pconfig['barnyard_xff_mode']))
+ $pconfig['barnyard_xff_mode'] = "extra-data";
+ if (empty($pconfig['barnyard_xff_deployment']))
+ $pconfig['barnyard_xff_deployment'] = "reverse";
+ if (empty($pconfig['barnyard_xff_header']))
+ $pconfig['barnyard_xff_header'] = "X-Forwarded-For";
}
if ($_POST['save']) {
@@ -129,6 +137,9 @@ if ($_POST['save']) {
$input_errors[] = gettext("The value for 'Sensor ID' must be a valid positive integer.");
}
+ if (empty($_POST['barnyard_xff_header']) && $_POST['barnyard_xff_logging'] == "on")
+ $input_errors[] = gettext("The value for the X-Forwarded-For Header cannot be blank when X-Forwarded-For logging is enabled.");
+
// Validate inputs if MySQL database loggging enabled
if ($_POST['barnyard_mysql_enable'] == 'on' && $_POST['barnyard_enable'] == "on") {
if (empty($_POST['barnyard_dbhost']))
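Review bot: The new blank-check on `barnyard_xff_header` is the only server-side validation the XFF fields get; `barnyard_xff_mode` and `barnyard_xff_deployment` are accepted from the POST as-is, and the header text is later interpolated into suricata.yaml unquoted, so a value containing a newline, `#` or `:` would change the structure of the generated config rather than just be rejected. Validate the header as a header name and whitelist the two selects, e.g. `if ($_POST['barnyard_xff_logging'] == "on" && !preg_match('/^[A-Za-z0-9-]+$/', $_POST['barnyard_xff_header'])) $input_errors[] = gettext("The X-Forwarded-For Header must be a valid HTTP header name.");` and `if (!in_array($_POST['barnyard_xff_mode'], array('extra-data', 'overwrite'), true)) $input_errors[] = gettext("Invalid X-Forwarded-For mode.");`. This is an admin-only form, so the exposure is a broken IDS config rather than privilege gain. The enclosing `if ($_POST['save'])` block starts and ends outside this hunk.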
@@ -172,11 +183,13 @@ if ($_POST['save']) {
$natent['barnyard_syslog_local'] = $_POST['barnyard_syslog_local'] ? 'on' : 'off';
$natent['barnyard_bro_ids_enable'] = $_POST['barnyard_bro_ids_enable'] ? 'on' : 'off';
$natent['barnyard_disable_sig_ref_tbl'] = $_POST['barnyard_disable_sig_ref_tbl'] ? 'on' : 'off';
+ $natent['barnyard_xff_logging'] = $_POST['barnyard_xff_logging'] ? 'on' : 'off';
$natent['barnyard_syslog_opmode'] = $_POST['barnyard_syslog_opmode'];
$natent['barnyard_syslog_proto'] = $_POST['barnyard_syslog_proto'];
if ($_POST['barnyard_sensor_id']) $natent['barnyard_sensor_id'] = $_POST['barnyard_sensor_id']; else $natent['barnyard_sensor_id'] = '0';
if ($_POST['barnyard_sensor_name']) $natent['barnyard_sensor_name'] = $_POST['barnyard_sensor_name']; else unset($natent['barnyard_sensor_name']);
+ if ($_POST['barnyard_xff_header']) $natent['barnyard_xff_header'] = $_POST['barnyard_xff_header']; else $natent['barnyard_xff_header'] = 'X-Forwarded-For';
if ($_POST['barnyard_dbhost']) $natent['barnyard_dbhost'] = $_POST['barnyard_dbhost']; else unset($natent['barnyard_dbhost']);
if ($_POST['barnyard_dbname']) $natent['barnyard_dbname'] = $_POST['barnyard_dbname']; else unset($natent['barnyard_dbname']);
if ($_POST['barnyard_dbuser']) $natent['barnyard_dbuser'] = $_POST['barnyard_dbuser']; else unset($natent['barnyard_dbuser']);
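Review bot: Only `barnyard_xff_logging` and `barnyard_xff_header` are copied into `$natent` here; I do not see `barnyard_xff_mode` or `barnyard_xff_deployment` stored anywhere in the visible save path. If they are not assigned elsewhere in this block, the generator's `!empty()` fallback will silently emit `extra-data` / `reverse` regardless of what the operator selected. Adding `$natent['barnyard_xff_mode'] = $_POST['barnyard_xff_mode'];` and `$natent['barnyard_xff_deployment'] = $_POST['barnyard_xff_deployment'];` next to the header assignment would close that gap. The enclosing `if ($_POST['save'])` block continues outside the hunk.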
@@ -335,6 +348,56 @@ include_once("head.inc");
</td>
</tr>
<tr>
+ <td width="22%" valign="top" class="vncell"><?php echo gettext("X-Forwarded-For Logging"); ?></td>
+ <td width="78%" class="vtable">
+ <input name="barnyard_xff_logging" id="barnyard_xff_logging" type="checkbox" value="on" <?php if ($pconfig['barnyard_xff_logging'] == "on") echo "checked"; ?> onClick="toggle_xff_log_options()"/>
+ <?php echo gettext("Enable logging of X-Forwarded-For IP addresses. Default value is ") . "<strong>" . gettext("Not Checked") . "</strong>"; ?>
+ </td>
+ </tr>
+ <tbody id="xff_options">
+ <tr id="barnyard_xff_mode_row">
+ <td width="22%" valign="top" class="vncell"><?php echo gettext("X-Forwarded-For Mode"); ?></td>
+ <td width="78%" class="vtable">
+ <select name="barnyard_xff_mode" id="barnyard_xff_mode" class="formselect">
+ <?php
+ $xff_modes = array( "extra-data", "overwrite" );
+ foreach ($xff_modes as $mode) {
+ $selected = "";
+ if ($mode == $pconfig['barnyard_xff_mode'])
+ $selected = " selected";
+ echo "<option value='{$mode}'{$selected}>" . $mode . "</option>\n";
+ }
+ ?></select>&nbsp;&nbsp;
+ <?php echo gettext("Select HTTP X-Forwarded-For Operation Mode. Default is ") . "<strong>" . gettext("extra-data") . "</strong>."; ?>
+ </td>
+ </tr>
+ <tr id="barnyard_xff_deployment_row">
+ <td width="22%" valign="top" class="vncell"><?php echo gettext("X-Forwarded-For Deployment"); ?></td>
+ <td width="78%" class="vtable">
+ <select name="barnyard_xff_deployment" id="barnyard_xff_deployment" class="formselect">
+ <?php
+ $xff_deployments = array( "reverse", "forward" );
+ foreach ($xff_deployments as $deployment) {
+ $selected = "";
+ if ($mode == $pconfig['barnyard_xff_deployment'])
+ $selected = " selected";
+ echo "<option value='{$deployment}'{$selected}>" . $deployment . "</option>\n";
+ }
+ ?></select>&nbsp;&nbsp;
+ <?php echo gettext("Select HTTP X-Forwarded-For Deployment. Default is ") . "<strong>" . gettext("reverse") . "</strong>."; ?>
+ </td>
+ </tr>
+ <tr id="barnyard_xff_header_row">
+ <td width="22%" valign="top" class="vncell"><?php echo gettext("X-Forwarded-For Header"); ?></td>
+ <td width="78%" class="vtable">
+ <input name="barnyard_xff_header" type="text" class="formfld unknown" id="barnyard_xff_header"
+ size="18" value="<?=htmlspecialchars($pconfig['barnyard_xff_header']); ?>"/>&nbsp;
+ <?php echo gettext("Enter header where actual IP address is reported. Default is ") . "<strong>" .
+ gettext("X-Forwarded-For") . "</strong>."; ?><br/><br/><?php echo gettext("If more than one IP address is present, the last one will be used.") ?>
+ </td>
+ </tr>
+ </tbody>
+ <tr>
<td colspan="2" valign="top" class="listtopic"><?php echo gettext("MySQL Database Output Settings"); ?></td>
</tr>
<tr>
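Review bot: The deployment `<select>` tests the wrong loop variable: `if ($mode == $pconfig['barnyard_xff_deployment'])` inside the `$xff_deployments` loop reuses `$mode`, which still holds the last value of the previous loop (`overwrite`), so no option is ever marked selected and the form always displays — and on the next save, silently reverts to — `reverse`. The line should read `if ($deployment == $pconfig['barnyard_xff_deployment'])`. The option values come from hard-coded arrays, so echoing them unescaped is fine here.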
@@ -600,6 +663,16 @@ function toggle_bro_ids() {
document.getElementById("bro_ids_config_rows").style.display = "";
}
+function toggle_xff_log_options() {
+ var endis = !(document.iform.barnyard_xff_logging.checked);
+ if (endis) {
+ document.getElementById("xff_options").style.display = "none";
+ }
+ else {
+ document.getElementById("xff_options").style.display = "";
+ }
+}
+
function enable_change(enable_change) {
endis = !(document.iform.barnyard_enable.checked || enable_change);
// make sure a default answer is called if this is invoked.
@@ -610,6 +683,10 @@ function enable_change(enable_change) {
document.iform.barnyard_obfuscate_ip.disabled = endis;
document.iform.barnyard_sensor_id.disabled = endis;
document.iform.barnyard_sensor_name.disabled = endis;
+ document.iform.barnyard_xff_logging.disabled = endis;
+ document.iform.barnyard_xff_mode.disabled = endis;
+ document.iform.barnyard_xff_deployment.disabled = endis;
+ document.iform.barnyard_xff_header.disabled = endis;
document.iform.barnyard_mysql_enable.disabled = endis;
document.iform.barnyard_dbhost.disabled = endis;
document.iform.barnyard_dbname.disabled = endis;
@@ -636,6 +713,7 @@ toggle_mySQL();
toggle_syslog();
toggle_local_syslog();
toggle_bro_ids();
+toggle_xff_log_options();
enable_change(false);
</script>
diff --git a/config/suricata/suricata_check_for_rule_updates.php b/config/suricata/suricata_check_for_rule_updates.php
index 67334957..e245d71e 100644
--- a/config/suricata/suricata_check_for_rule_updates.php
+++ b/config/suricata/suricata_check_for_rule_updates.php
@@ -13,7 +13,7 @@
* All rights reserved.
*
* Adapted for Suricata by:
- * Copyright (C) 2014 Bill Meeks
+ * Copyright (C) 2015 Bill Meeks
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
@@ -43,7 +43,7 @@ require_once("service-utils.inc");
require_once("/usr/local/pkg/suricata/suricata.inc");
require_once("/usr/local/pkg/suricata/suricata_defs.inc");
-global $g, $pkg_interface, $suricata_gui_include, $rebuild_rules;
+global $g, $pkg_interface, $suricata_gui_include, $rebuild_rules, $static_output;
$suricatadir = SURICATADIR;
$suricatalogdir = SURICATALOGDIR;
@@ -264,7 +264,7 @@ function suricata_check_rule_md5($file_url, $file_dst, $desc = "") {
/* error occurred. */
/**********************************************************/
- global $pkg_interface, $last_curl_error, $update_errors;
+ global $pkg_interface, $last_curl_error, $update_errors, $static_output;
$suricatadir = SURICATADIR;
$filename_md5 = basename($file_dst);
@@ -301,7 +301,8 @@ function suricata_check_rule_md5($file_url, $file_dst, $desc = "") {
$suricata_err_msg = gettext("Server returned error code {$rc}.");
if ($pkg_interface <> "console") {
update_status(gettext("{$desc} md5 error ... Server returned error code {$rc} ..."));
- update_output_window(gettext("{$desc} will not be updated.\n\t{$suricata_err_msg}"));
+ $static_output .= gettext("{$desc} will not be updated.\n\t{$suricata_err_msg}");
+ update_output_window($static_output);
}
log_error(gettext("[Suricata] {$desc} md5 download failed..."));
log_error(gettext("[Suricata] Server returned error code {$rc}..."));
@@ -333,7 +334,7 @@ function suricata_fetch_new_rules($file_url, $file_dst, $file_md5, $desc = "") {
/* FALSE if download was not successful. */
/**********************************************************/
- global $pkg_interface, $last_curl_error, $update_errors;
+ global $pkg_interface, $last_curl_error, $update_errors, $static_output;
$suricatadir = SURICATADIR;
$filename = basename($file_dst);
@@ -354,8 +355,10 @@ function suricata_fetch_new_rules($file_url, $file_dst, $file_md5, $desc = "") {
// Test integrity of the rules file. Turn off update if file has wrong md5 hash
if ($file_md5 != trim(md5_file($file_dst))){
- if ($pkg_interface <> "console")
- update_output_window(gettext("{$desc} file MD5 checksum failed..."));
+ if ($pkg_interface <> "console") {
+ $static_output .= gettext("{$desc} file MD5 checksum failed!\n");
+ update_output_window($static_output);
+ }
log_error(gettext("[Suricata] {$desc} file download failed. Bad MD5 checksum..."));
log_error(gettext("[Suricata] Downloaded File MD5: " . md5_file($file_dst)));
log_error(gettext("[Suricata] Expected File MD5: {$file_md5}"));
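Review bot: The integrity check on the context line `if ($file_md5 != trim(md5_file($file_dst)))` uses PHP's loose `!=`, which treats two hex digests that both match `0e<digits>` as numerically equal and would accept a mismatched file; a `false` from `md5_file()` on a read error is compared loosely as well. Compare as strings: `if (strtolower(trim($file_md5)) !== md5_file($file_dst))`. It is also worth a one-line comment that an MD5 fetched from the same server over the same channel only detects transfer corruption, not a substituted rules tarball, so nobody reads this as an authenticity check. The enclosing `suricata_fetch_new_rules()` starts and ends outside this hunk.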
@@ -369,8 +372,10 @@ function suricata_fetch_new_rules($file_url, $file_dst, $file_md5, $desc = "") {
return true;
}
else {
- if ($pkg_interface <> "console")
- update_output_window(gettext("{$desc} file download failed..."));
+ if ($pkg_interface <> "console") {
+ $static_output .= gettext("{$desc} file download failed!\n");
+ update_output_window($static_output);
+ }
log_error(gettext("[Suricata] {$desc} file download failed... server returned error '{$rc}'..."));
error_log(gettext("\t{$desc} file download failed. Server returned error {$rc}.\n"), 3, SURICATA_RULES_UPD_LOGFILE);
if ($pkg_interface == "console")
@@ -451,7 +456,8 @@ if ($emergingthreats == 'on') {
if (file_exists("{$tmpfname}/{$emergingthreats_filename}")) {
if ($pkg_interface <> "console") {
update_status(gettext("Extracting {$et_name} rules..."));
- update_output_window(gettext("Installing {$et_name} rules..."));
+ $static_output .= gettext("Installing {$et_name} rules...");
+ update_output_window($static_output);
}
error_log(gettext("\tExtracting and installing {$et_name} rules...\n"), 3, SURICATA_RULES_UPD_LOGFILE);
exec("/usr/bin/tar xzf {$tmpfname}/{$emergingthreats_filename} -C {$tmpfname}/emerging rules/");
@@ -509,7 +515,8 @@ if ($emergingthreats == 'on') {
}
if ($pkg_interface <> "console") {
update_status(gettext("Extraction of {$et_name} rules completed..."));
- update_output_window(gettext("Installation of {$et_name} rules completed..."));
+ $static_output .= gettext(" done.\n");
+ update_output_window($static_output);
}
error_log(gettext("\tInstallation of {$et_name} rules completed.\n"), 3, SURICATA_RULES_UPD_LOGFILE);
rmdir_recursive("{$tmpfname}/emerging");
@@ -525,7 +532,8 @@ if ($snortdownload == 'on') {
if ($pkg_interface <> "console") {
update_status(gettext("Extracting Snort VRT rules..."));
- update_output_window(gettext("Installing Sourcefire VRT rules..."));
+ $static_output .= gettext("Installing Sourcefire VRT rules...");
+ update_output_window($static_output);
}
error_log(gettext("\tExtracting and installing Snort VRT rules...\n"), 3, SURICATA_RULES_UPD_LOGFILE);
@@ -549,7 +557,6 @@ if ($snortdownload == 'on') {
/* extract base etc files */
if ($pkg_interface <> "console") {
update_status(gettext("Extracting Snort VRT config and map files..."));
- update_output_window(gettext("Copying config and map files..."));
}
exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$tmpfname} etc/");
foreach (array("classification.config", "reference.config", "gen-msg.map", "unicode.map") as $file) {
@@ -564,7 +571,8 @@ if ($snortdownload == 'on') {
}
if ($pkg_interface <> "console") {
update_status(gettext("Extraction of Snort VRT rules completed..."));
- update_output_window(gettext("Installation of Sourcefire VRT rules completed..."));
+ $static_output .= gettext(" done.\n");
+ update_output_window($static_output);
}
error_log(gettext("\tInstallation of Snort VRT rules completed.\n"), 3, SURICATA_RULES_UPD_LOGFILE);
}
@@ -576,7 +584,8 @@ if ($snortcommunityrules == 'on') {
if (file_exists("{$tmpfname}/{$snort_community_rules_filename}")) {
if ($pkg_interface <> "console") {
update_status(gettext("Extracting Snort GPLv2 Community Rules..."));
- update_output_window(gettext("Installing Snort GPLv2 Community Rules..."));
+ $static_output .= gettext("Installing Snort GPLv2 Community Rules...");
+ update_output_window($static_output);
}
error_log(gettext("\tExtracting and installing Snort GPLv2 Community Rules...\n"), 3, SURICATA_RULES_UPD_LOGFILE);
exec("/usr/bin/tar xzf {$tmpfname}/{$snort_community_rules_filename} -C {$tmpfname}/community/");
@@ -599,7 +608,8 @@ if ($snortcommunityrules == 'on') {
}
if ($pkg_interface <> "console") {
update_status(gettext("Extraction of Snort GPLv2 Community Rules completed..."));
- update_output_window(gettext("Installation of Snort GPLv2 Community Rules file completed..."));
+ $static_output .= gettext(" done.\n");
+ update_output_window($static_output);
}
error_log(gettext("\tInstallation of Snort GPLv2 Community Rules completed.\n"), 3, SURICATA_RULES_UPD_LOGFILE);
rmdir_recursive("{$tmpfname}/community");
@@ -680,17 +690,20 @@ if ($snortdownload == 'on' || $emergingthreats == 'on' || $snortcommunityrules =
$tmp = "Updating rules configuration for: " . convert_friendly_interface_to_friendly_descr($value['interface']) . " ...";
if ($pkg_interface <> "console"){
update_status(gettext($tmp));
- update_output_window(gettext("Please wait while Suricata interface files are being updated..."));
+ $static_output .= $tmp;
+ update_output_window($static_output);
}
suricata_apply_customizations($value, $if_real);
$tmp = "\t" . $tmp . "\n";
error_log($tmp, 3, SURICATA_RULES_UPD_LOGFILE);
+ $static_output .= gettext(" done.\n");
+ update_output_window($static_output);
}
}
else {
if ($pkg_interface <> "console") {
- update_output_window(gettext("Warning: No interfaces configured for Suricata were found..."));
- update_output_window(gettext("No interfaces currently have Suricata configured and enabled on them..."));
+ $static_output .= gettext("Warning: No interfaces configured for Suricata were found!\nNo interfaces currently have Suricata configured and enabled on them.");
+ update_output_window($static_output);
}
error_log(gettext("\tWarning: No interfaces configured for Suricata were found...\n"), 3, SURICATA_RULES_UPD_LOGFILE);
}
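Review bot: The two new lines after `suricata_apply_customizations()` — `$static_output .= gettext(" done.\n"); update_output_window($static_output);` — run unconditionally, while the matching "Updating rules configuration" output a few lines above is gated on `$pkg_interface <> "console"`. On a console run that re-emits the whole accumulated buffer once per configured interface. Move the pair inside the same `if ($pkg_interface <> "console")` guard. The surrounding `foreach` and its `if`/`else` begin outside this hunk.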
@@ -707,7 +720,6 @@ if ($snortdownload == 'on' || $emergingthreats == 'on' || $snortcommunityrules =
if ($config['installedpackages']['suricata']['config'][0]['live_swap_updates'] == 'on') {
if ($pkg_interface <> "console") {
update_status(gettext('Signaling Suricata to live-load the new set of rules...'));
- update_output_window(gettext("Please wait ... the process should complete in a few seconds..."));
}
log_error(gettext("[Suricata] Live-Reload of rules from auto-update is enabled..."));
error_log(gettext("\tLive-Reload of updated rules is enabled...\n"), 3, SURICATA_RULES_UPD_LOGFILE);
@@ -721,34 +733,37 @@ if ($snortdownload == 'on' || $emergingthreats == 'on' || $snortcommunityrules =
else {
if ($pkg_interface <> "console") {
update_status(gettext('Restarting Suricata to activate the new set of rules...'));
- update_output_window(gettext("Please wait ... restarting Suricata will take some time..."));
+ $static_output .= gettext("Restarting Suricata...");
+ update_output_window($static_output);
}
error_log(gettext("\tRestarting Suricata to activate the new set of rules...\n"), 3, SURICATA_RULES_UPD_LOGFILE);
restart_service("suricata");
- if ($pkg_interface <> "console")
- update_output_window(gettext("Suricata has restarted with your new set of rules..."));
+ if ($pkg_interface <> "console") {
+ $static_output .= gettext(" done.\n");
+ update_output_window($static_output);
+ }
log_error(gettext("[Suricata] Suricata has restarted with your new set of rules..."));
error_log(gettext("\tSuricata has restarted with your new set of rules.\n"), 3, SURICATA_RULES_UPD_LOGFILE);
}
}
- else {
- if ($pkg_interface <> "console")
- update_output_window(gettext("The rules update task is complete..."));
- }
}
// Remove old $tmpfname files
if (is_dir("{$tmpfname}")) {
if ($pkg_interface <> "console") {
update_status(gettext("Cleaning up after rules extraction..."));
- update_output_window(gettext("Removing {$tmpfname} directory..."));
+ $static_output .= gettext("Removing {$tmpfname} directory...");
+ update_output_window($static_output);
}
rmdir_recursive("{$tmpfname}");
+ $static_output .= gettext(" done.\n");
+ update_output_window($static_output);
}
if ($pkg_interface <> "console") {
update_status(gettext("The Rules update has finished..."));
- update_output_window("");
+ $static_output .= gettext("Rules update task complete.\n");
+ update_output_window($static_output);
}
log_error(gettext("[Suricata] The Rules update has finished."));
error_log(gettext("The Rules update has finished. Time: " . date("Y-m-d H:i:s"). "\n\n"), 3, SURICATA_RULES_UPD_LOGFILE);
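Review bot: The ` done.` append after `rmdir_recursive("{$tmpfname}")` sits outside the `if ($pkg_interface <> "console")` check that guards the matching "Removing ... directory..." line just above it, so console runs print the accumulated output there. Wrap it the same way: `if ($pkg_interface <> "console") { $static_output .= gettext(" done.\n"); update_output_window($static_output); }`. Note also that `$static_output` is only ever appended to in this script, so every `update_output_window()` call re-sends the full buffer to the browser; acceptable for a rules update, but worth knowing when adding more messages.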
diff --git a/config/suricata/suricata_flow_stream.php b/config/suricata/suricata_flow_stream.php
index 9467ea7c..4be8dc35 100644
--- a/config/suricata/suricata_flow_stream.php
+++ b/config/suricata/suricata_flow_stream.php
@@ -14,7 +14,7 @@
* All rights reserved.
*
* Adapted for Suricata by:
- * Copyright (C) 2014 Bill Meeks
+ * Copyright (C) 2015 Bill Meeks
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
@@ -250,8 +250,11 @@ elseif ($_POST['ResetAll']) {
$pconfig['flow_icmp_emerg_new_timeout'] = '10';
$pconfig['flow_icmp_emerg_established_timeout'] = '100';
- $pconfig['stream_memcap'] = '33554432';
+ // The default 'stream_memcap' value must be calculated as follows:
+ // 216 * prealloc_sessions * number of threads = memory use in bytes
+ // 64 MB is a decent all-around default, but some setups need more.
$pconfig['stream_prealloc_sessions'] = '32768';
+ $pconfig['stream_memcap'] = '67108864';
$pconfig['reassembly_memcap'] = '67108864';
$pconfig['reassembly_depth'] = '1048576';
$pconfig['reassembly_to_server_chunk'] = '2560';
@@ -298,7 +301,7 @@ elseif ($_POST['save'] || $_POST['apply']) {
if ($_POST['flow_icmp_emerg_new_timeout'] != "") { $natent['flow_icmp_emerg_new_timeout'] = $_POST['flow_icmp_emerg_new_timeout']; }else{ $natent['flow_icmp_emerg_new_timeout'] = "10"; }
if ($_POST['flow_icmp_emerg_established_timeout'] != "") { $natent['flow_icmp_emerg_established_timeout'] = $_POST['flow_icmp_emerg_established_timeout']; }else{ $natent['flow_icmp_emerg_established_timeout'] = "100"; }
- if ($_POST['stream_memcap'] != "") { $natent['stream_memcap'] = $_POST['stream_memcap']; }else{ $natent['stream_memcap'] = "33554432"; }
+ if ($_POST['stream_memcap'] != "") { $natent['stream_memcap'] = $_POST['stream_memcap']; }else{ $natent['stream_memcap'] = "67108864"; }
if ($_POST['stream_prealloc_sessions'] != "") { $natent['stream_prealloc_sessions'] = $_POST['stream_prealloc_sessions']; }else{ $natent['stream_prealloc_sessions'] = "32768"; }
if ($_POST['enable_midstream_sessions'] == "on") { $natent['enable_midstream_sessions'] = 'on'; }else{ $natent['enable_midstream_sessions'] = 'off'; }
if ($_POST['enable_async_sessions'] == "on") { $natent['enable_async_sessions'] = 'on'; }else{ $natent['enable_async_sessions'] = 'off'; }
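Review bot: `$_POST['stream_memcap']` is stored into `$natent` whenever it is non-empty, and there is no numeric check in this hunk; the value is written straight into the generated YAML `memcap:` and a non-integer or zero will stop Suricata from starting. If the save handler does not validate it earlier, add `if ($_POST['stream_memcap'] != "" && (!is_numeric($_POST['stream_memcap']) || $_POST['stream_memcap'] < 1)) $input_errors[] = gettext("Stream Memcap must be a positive integer.");` before the assignments. The enclosing `elseif ($_POST['save'] || $_POST['apply'])` block starts and ends outside this hunk.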
@@ -764,8 +767,11 @@ if ($savemsg) {
<input name="stream_memcap" type="text" class="formfld unknown" id="stream_memcap" size="9"
value="<?=htmlspecialchars($pconfig['stream_memcap']);?>">&nbsp;
<?php echo gettext("Max memory to be used by stream engine. Default is ") .
- "<strong>" . gettext("33,554,432") . "</strong>" . gettext(" bytes (32MB)"); ?><br/><br/>
- <?php echo gettext("Sets the maximum amount of memory, in bytes, to be used by the stream engine."); ?>
+ "<strong>" . gettext("67,108,864") . "</strong>" . gettext(" bytes (64MB)"); ?><br/><br/>
+ <?php echo gettext("Sets the maximum amount of memory, in bytes, to be used by the stream engine. ");?><br/>
+ <span class="red"><strong><?php echo gettext("Note: ") . "</strong></span>" .
+ gettext("This number will likely need to be increased beyond the default value in systems with more than 4 processor cores. " .
+ "If Suricata fails to start and logs a memory allocation error, increase this value in 4 MB chunks until Suricata starts successfully."); ?>
</td>
</tr>
<tr>
diff --git a/config/suricata/suricata_generate_yaml.php b/config/suricata/suricata_generate_yaml.php
index 328702b9..3394ad4c 100644
--- a/config/suricata/suricata_generate_yaml.php
+++ b/config/suricata/suricata_generate_yaml.php
@@ -292,6 +292,7 @@ if (!empty($suricatacfg['max_pcap_log_files']))
else
$pcap_log_max_files = "1000";
+// Unified2 Alert Log Settings
if ($suricatacfg['barnyard_enable'] == 'on')
$barnyard2_enabled = "yes";
else
@@ -307,6 +308,28 @@ if (isset($suricatacfg['barnyard_sensor_id']))
else
$unified2_sensor_id = "0";
+// Unified2 X-Forwarded-For logging options
+if ($suricatacfg['barnyard_xff_logging'] == 'on') {
+ $unified2_xff_output = "xff:";
+ $unified2_xff_output .= "\n enabled: yes";
+ if (!empty($suricatacfg['barnyard_xff_mode']))
+ $unified2_xff_output .= "\n mode: {$suricatacfg['barnyard_xff_mode']}";
+ else
+ $unified2_xff_output .= "\n mode: extra-data";
+ if (!empty($suricatacfg['barnyard_xff_deployment']))
+ $unified2_xff_output .= "\n deployment: {$suricatacfg['barnyard_xff_deployment']}";
+ else
+ $unified2_xff_output .= "\n deployment: reverse";
+ if (!empty($suricatacfg['barnyard_xff_header']))
+ $unified2_xff_output .= "\n header: {$suricatacfg['barnyard_xff_header']}";
+ else
+ $unified2_xff_output .= "\n header: X-Forwarded-For";
+}
+else {
+ $unified2_xff_output = "xff:";
+ $unified2_xff_output .= "\n enabled: no";
+}
+
// EVE JSON log output settings
if ($suricatacfg['enable_eve_log'] == 'on')
$enable_eve_log = "yes";
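Review bot: The XFF block interpolates `barnyard_xff_mode`, `barnyard_xff_deployment` and `barnyard_xff_header` into YAML with no whitelisting or quoting, so a stored header such as `X-Real-IP: x`, or one containing `#` or a newline, changes the structure of the generated suricata.yaml instead of being rejected. Because the interface config can reach this generator by paths other than the form (config import, migration), normalise here: `$xff_mode = in_array($suricatacfg['barnyard_xff_mode'], array('extra-data', 'overwrite'), true) ? $suricatacfg['barnyard_xff_mode'] : 'extra-data';` (likewise deployment against `reverse`/`forward`), and emit the header as `header: "{$hdr}"` after stripping double quotes and newlines from `$hdr`. Separately, the continuation strings (`"\n enabled: yes"` etc.) must carry the same indentation as the children of `{$unified2_xff_output}` in the template; they render here with a single space, so confirm the spacing in the committed file matches the unified2-alert block.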
@@ -494,7 +517,7 @@ else
if (!empty($suricatacfg['stream_memcap']))
$stream_memcap = $suricatacfg['stream_memcap'];
else
- $stream_memcap = "33554432";
+ $stream_memcap = "67108864";
if (!empty($suricatacfg['stream_prealloc_sessions']))
$stream_prealloc_sessions = $suricatacfg['stream_prealloc_sessions'];
diff --git a/config/suricata/suricata_global.php b/config/suricata/suricata_global.php
index 013cde3e..26fbd12e 100644
--- a/config/suricata/suricata_global.php
+++ b/config/suricata/suricata_global.php
@@ -308,7 +308,7 @@ if ($input_errors)
<td><input name="snort_rules_file" type="text" class="formfld unknown" id="snort_rules_file" size="52"
value="<?=htmlspecialchars($pconfig['snort_rules_file']);?>"/><br/>
<?php echo gettext("Enter the rules tarball filename (filename only, do not include the URL.)"); ?>
- <br/><span class="red"><strong><?php echo gettext("Example: ") . "</strong></span>" . gettext("snortrules-snapshot-2962.tar.gz");?><br/><br/></td>
+ <br/><span class="red"><strong><?php echo gettext("Example: ") . "</strong></span>" . gettext("snortrules-snapshot-2976.tar.gz");?><br/><br/></td>
</tr>
<tr>
<td valign="top" align="right"><span class="vexpl"><strong><?php echo gettext("Oinkmaster Code:"); ?></strong></span>&nbsp;</td>
diff --git a/config/suricata/suricata_interfaces_edit.php b/config/suricata/suricata_interfaces_edit.php
index 4319182d..f188194d 100644
--- a/config/suricata/suricata_interfaces_edit.php
+++ b/config/suricata/suricata_interfaces_edit.php
@@ -372,7 +372,7 @@ if ($_POST["save"] && !$input_errors) {
$natent['flow_icmp_emerg_new_timeout'] = '10';
$natent['flow_icmp_emerg_established_timeout'] = '100';
- $natent['stream_memcap'] = '33554432';
+ $natent['stream_memcap'] = '67108864';
$natent['stream_prealloc_sessions'] = '32768';
$natent['reassembly_memcap'] = '67108864';
$natent['reassembly_depth'] = '1048576';
diff --git a/config/suricata/suricata_migrate_config.php b/config/suricata/suricata_migrate_config.php
index 2fd5f96e..4a4a489f 100644
--- a/config/suricata/suricata_migrate_config.php
+++ b/config/suricata/suricata_migrate_config.php
@@ -471,6 +471,26 @@ foreach ($rule as &$r) {
$updated_cfg = true;
}
+ /**********************************************************/
+ /* Create interface Unified2 XFF log settings if not set */
+ /**********************************************************/
+ if (!isset($pconfig['barnyard_xff_logging'])) {
+ $pconfig['barnyard_xff_logging'] = "off";
+ $updated_cfg = true;
+ }
+ if (!isset($pconfig['barnyard_xff_mode'])) {
+ $pconfig['barnyard_xff_mode'] = "extra-data";
+ $updated_cfg = true;
+ }
+ if (!isset($pconfig['barnyard_xff_deployment'])) {
+ $pconfig['barnyard_xff_deployment'] = "reverse";
+ $updated_cfg = true;
+ }
+ if (empty($pconfig['barnyard_xff_header'])) {
+ $pconfig['barnyard_xff_header'] = "X-Forwarded-For";
+ $updated_cfg = true;
+ }
+
// Save the new configuration data into the $config array pointer
$r = $pconfig;
}
diff --git a/config/suricata/suricata_post_install.php b/config/suricata/suricata_post_install.php
index ea1d7b0a..42722d79 100644
--- a/config/suricata/suricata_post_install.php
+++ b/config/suricata/suricata_post_install.php
@@ -13,7 +13,7 @@
* All rights reserved.
*
* Adapted for Suricata by:
- * Copyright (C) 2014 Bill Meeks
+ * Copyright (C) 2015 Bill Meeks
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
@@ -50,7 +50,7 @@ require_once("functions.inc");
require_once("/usr/local/pkg/suricata/suricata.inc");
require("/usr/local/pkg/suricata/suricata_defs.inc");
-global $config, $g, $rebuild_rules, $pkg_interface, $suricata_gui_include;
+global $config, $g, $rebuild_rules, $pkg_interface, $suricata_gui_include, $static_output;
/****************************************
* Define any new constants here that *
@@ -201,11 +201,12 @@ if ($config['installedpackages']['suricata']['config'][0]['forcekeepsettings'] =
/****************************************************************/
/* Do one-time settings migration for new version configuration */
- update_output_window(gettext("Please wait... migrating settings to new configuration..."));
+ $static_output .= gettext("\nMigrating settings to new configuration...");
+ update_output_window($static_output);
include('/usr/local/pkg/suricata/suricata_migrate_config.php');
- update_output_window(gettext("Please wait... rebuilding installation with saved settings..."));
+ $static_output .= gettext(" done.\n");
+ update_output_window($static_output);
log_error(gettext("[Suricata] Downloading and updating configured rule types..."));
- update_output_window(gettext("Please wait... downloading and updating configured rule types..."));
if ($pkg_interface <> "console")
$suricata_gui_include = true;
include('/usr/local/pkg/suricata/suricata_check_for_rule_updates.php');
@@ -219,7 +220,8 @@ if ($config['installedpackages']['suricata']['config'][0]['forcekeepsettings'] =
$if_real = get_real_interface($suricatacfg['interface']);
$suricata_uuid = $suricatacfg['uuid'];
$suricatacfgdir = "{$suricatadir}suricata_{$suricata_uuid}_{$if_real}";
- update_output_window(gettext("Generating configuration for " . convert_friendly_interface_to_friendly_descr($suricatacfg['interface']) . "..."));
+ $static_output .= gettext("Generating YAML configuration file for " . convert_friendly_interface_to_friendly_descr($suricatacfg['interface']) . "...");
+ update_output_window($static_output);
// Pull in the PHP code that generates the suricata.yaml file
// variables that will be substituted further down below.
@@ -238,6 +240,9 @@ if ($config['installedpackages']['suricata']['config'][0]['forcekeepsettings'] =
// create barnyard2.conf file for interface
if ($suricatacfg['barnyard_enable'] == 'on')
suricata_generate_barnyard2_conf($suricatacfg, $if_real);
+
+ $static_output .= gettext(" done.\n");
+ update_output_window($static_output);
}
// create Suricata bootup file suricata.sh
@@ -259,17 +264,21 @@ if ($config['installedpackages']['suricata']['config'][0]['forcekeepsettings'] =
}
$rebuild_rules = false;
- if ($pkg_interface <> "console")
- update_output_window(gettext("Finished rebuilding Suricata configuration files..."));
+ if ($pkg_interface <> "console") {
+ $static_output .= gettext("Finished rebuilding Suricata configuration from saved settings.\n");
+ update_output_window($static_output);
+ }
log_error(gettext("[Suricata] Finished rebuilding installation from saved settings..."));
// Only try to start Suricata if not in reboot
if (!$g['booting']) {
if ($pkg_interface <> "console") {
update_status(gettext("Starting Suricata using rebuilt configuration..."));
- update_output_window(gettext("Please wait while Suricata is started..."));
+ $static_output .= gettext("Starting Suricata using the rebuilt configuration...");
+ update_output_window($static_output);
mwexec_bg("{$rcdir}suricata.sh start");
- update_output_window(gettext("Suricata is starting as a background task using the rebuilt configuration..."));
+ $static_output .= gettext(" done.\n");
+ update_output_window($static_output);
}
else
mwexec_bg("{$rcdir}suricata.sh start");
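Review bot: The ` done.` appended immediately after `mwexec_bg("{$rcdir}suricata.sh start")` reports completion of something that has only been backgrounded — `mwexec_bg` returns at once, and the message it replaces ("is starting as a background task") was the accurate one. Suggest `$static_output .= gettext(" started in background.\n");` so a failed start is not masked by a "done" in the installer output. The `if (!$g['booting'])` block continues outside the hunk.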
@@ -291,6 +300,7 @@ write_config("Suricata pkg v{$config['installedpackages']['package'][get_pkg_id(
// Done with post-install, so clear flag
unset($g['suricata_postinstall']);
log_error(gettext("[Suricata] Package post-installation tasks completed..."));
+update_status("");
return true;
?>
diff --git a/config/suricata/suricata_yaml_template.inc b/config/suricata/suricata_yaml_template.inc
index a8b06ebe..82723958 100644
--- a/config/suricata/suricata_yaml_template.inc
+++ b/config/suricata/suricata_yaml_template.inc
@@ -54,6 +54,7 @@ outputs:
filename: unified2.alert
limit: {$unified2_log_limit}
sensor-id: {$unified2_sensor_id}
+ {$unified2_xff_output}
- http-log:
enabled: {$http_log_enabled}