Diffstat (limited to 'config')
-rw-r--r-- | config/havp/havp.inc | 18 | ||||
-rw-r--r-- | config/ntopng/ntopng.xml | 30 | ||||
-rw-r--r-- | config/suricata/deprecated_rules | 63 | ||||
-rw-r--r-- | config/suricata/suricata.inc | 101 | ||||
-rw-r--r-- | config/suricata/suricata.xml | 7 | ||||
-rw-r--r-- | config/suricata/suricata_alerts.widget.php | 5 | ||||
-rw-r--r-- | config/suricata/suricata_check_for_rule_updates.php | 14 | ||||
-rw-r--r-- | config/suricata/suricata_define_vars.php | 4 | ||||
-rw-r--r-- | config/suricata/suricata_defs.inc | 12 | ||||
-rw-r--r-- | config/suricata/suricata_global.php | 15 | ||||
-rw-r--r-- | config/suricata/suricata_interfaces.php | 3 | ||||
-rw-r--r-- | config/suricata/suricata_ip_reputation.php | 3 | ||||
-rw-r--r-- | config/suricata/suricata_list_view.php | 2 | ||||
-rw-r--r-- | config/suricata/suricata_migrate_config.php | 8 | ||||
-rw-r--r-- | config/suricata/suricata_passlist.php | 3 | ||||
-rw-r--r-- | config/suricata/suricata_passlist_edit.php | 6 | ||||
-rw-r--r-- | config/suricata/suricata_post_install.php | 12 | ||||
-rw-r--r-- | config/systempatches/system_patches.php | 51 |
18 files changed, 311 insertions, 46 deletions
diff --git a/config/havp/havp.inc b/config/havp/havp.inc index 1648bcb0..e7966a38 100644 --- a/config/havp/havp.inc +++ b/config/havp/havp.inc @@ -76,7 +76,13 @@ define('HVDEF_PROXYPORT', '8080'); define('HVDEF_MAXSCANSIZE', '5000000'); # [bytes] ! do not enter 0 or big size ! define('HVDEF_MAXARCSCANSIZE', '5000000'); # [bytes] ! do not enter 0 or big size ! define('HVDEF_PID_FILE', '/var/run/havp.pid'); -define('HVDEF_WORK_DIR', '/usr/local/etc/havp'); + +$pf_version=substr(trim(file_get_contents("/etc/version")),0,3); +if ($pf_version == "2.1" || $pf_version == "2.2") + define("HVDEF_WORK_DIR", "/usr/pbi/havp-" . php_uname("m") . "/local/etc"); + else + define("HVDEF_WORK_DIR", "/usr/local/etc/havp"); + $pfSversion = str_replace("\s", "", file_get_contents("/etc/version")); if(preg_match("/^2./",$pfSversion)) @@ -101,8 +107,8 @@ define('HVDEF_HAVP_MINSRV', '3'); define('HVDEF_HAVP_MAXSRV', '100'); # Clam -#define('HVDEF_CLAM_RUNDIR', '/var/run/clamav'); -define('HVDEF_CLAM_RUNDIR', '/var/run'); +define('HVDEF_CLAM_RUNDIR', '/var/run/clamav'); +#define('HVDEF_CLAM_RUNDIR', '/var/run'); define('HVDEF_CLAM_DBDIR', '/var/db/clamav'); if(preg_match("/^2./",$pfSversion)) define('HVDEF_AVLOG_DIR', '/var/log/clamav'); @@ -446,9 +452,9 @@ function havp_check_system() # =-= ClamAV =-= # catalog for Pid and Socket files -# if (!file_exists(HVDEF_CLAM_RUNDIR)) -# mwexec("mkdir -p " . HVDEF_CLAM_RUNDIR); -# havp_set_file_access(HVDEF_CLAM_RUNDIR, HVDEF_USER, '0774'); + if (!file_exists(HVDEF_CLAM_RUNDIR)) + mwexec("mkdir -p " . HVDEF_CLAM_RUNDIR); + havp_set_file_access(HVDEF_CLAM_RUNDIR, HVDEF_USER, '0774'); # AV update script file_put_contents(HVDEF_AVUPD_SCRIPT, havp_AVupdate_script()); diff --git a/config/ntopng/ntopng.xml b/config/ntopng/ntopng.xml index 778881e8..dcb3f2b7 100644 --- a/config/ntopng/ntopng.xml +++ b/config/ntopng/ntopng.xml 
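Review bot: The new version test in the first hunk keys off `substr(trim(file_get_contents("/etc/version")),0,3)`, so any release whose major.minor needs more than three characters (a "2.10" would compare equal to "2.1") is mis-detected and the PBI path is chosen; `version_compare()` against the full string, or a check that the three-character prefix is followed by "." or end of string, avoids that. The same three-character read appears in both ntopng.xml hunks (the fonts path block and ntopng_update_geoip). The inserted block also leaves `$pf_version` as a file-scope variable in an include that otherwise only defines constants, and the very next line re-reads /etc/version into `$pfSversion`; one read reused for both checks would do.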
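Review bot: The re-enabled `havp_set_file_access(HVDEF_CLAM_RUNDIR, HVDEF_USER, '0774')` in the third hunk gives the clamd run directory (pid and socket files, per the comment) group write and world read; whether group write is needed depends on which group HVDEF_USER resolves to, which is not visible here, and `0770` is the tighter choice if only the havp/clamav group needs access (the helper presumably chowns and chmods — confirm). The guard `if (!file_exists(HVDEF_CLAM_RUNDIR))` is also true for a regular file at that path, in which case `mkdir -p` is skipped and the mode is applied to the file; `if (!is_dir(HVDEF_CLAM_RUNDIR))` expresses the intent. havp_check_system continues outside the hunk.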
@@ -156,7 +156,15 @@ safe_mkdir("/var/db/ntopng/rrd/graphics", 0755, true); system("/bin/chmod -R 755 /var/db/ntopng"); system("/usr/sbin/chown -R nobody:nobody /var/db/ntopng"); - system("/bin/cp -Rp /usr/local/lib/X11/fonts/webfonts/ /usr/local/lib/X11/fonts/TTF/"); + $pf_version=substr(trim(file_get_contents("/etc/version")),0,3); + if ($pf_version == "2.2") { + $fonts_path = "/usr/pbi/ntopng-" . php_uname("m") . "/local/lib/X11/fonts"; + } else if ($pf_version == "2.1") { + $fonts_path = "/usr/pbi/ntopng-" . php_uname("m") . "/lib/X11/fonts"; + } else { + $fonts_path = "/usr/local/lib/X11/fonts"; + } + system("/bin/cp -Rp {$fonts_path}/webfonts/ {$fonts_path}/TTF/"); $first = 0; foreach($ntopng_config['interface_array'] as $iface) { $if = convert_friendly_interface_to_real_interface_name($iface); 
@@ -246,12 +254,23 @@ config_unlock(); } function ntopng_update_geoip() { + $fetchcmd = "/usr/bin/fetch"; + $geolite_city = "https://geolite.maxmind.com/download/geoip/database/GeoLiteCity.dat.gz"; + $geolite_city_v6 = "https://geolite.maxmind.com/download/geoip/database/GeoLiteCityv6-beta/GeoLiteCityv6.dat.gz"; + $geoip_asnum = "https://download.maxmind.com/download/geoip/database/asnum/GeoIPASNum.dat.gz"; + $geoip_asnum_v6 = "https://download.maxmind.com/download/geoip/database/asnum/GeoIPASNumv6.dat.gz"; $pf_version=substr(trim(file_get_contents("/etc/version")),0,3); if ($pf_version == "2.1" || $pf_version == "2.2") { - mwexec("/usr/pbi/ntopng-" . php_uname("m") . "/bin/ntopng-geoipupdate.sh"); + $output_dir = "/usr/pbi/ntopng-" . php_uname("m") . "/share/ntopng"; } else { - mwexec("/usr/local/bin/ntopng-geoipupdate.sh"); + $output_dir = "/usr/local/share/ntopng"; } + + mwexec("{$fetchcmd} -o {$output_dir} -T 5 {$geolite_city}"); + mwexec("{$fetchcmd} -o {$output_dir} -T 5 {$geolite_city_v6}"); + mwexec("{$fetchcmd} -o {$output_dir} -T 5 {$geoip_asnum}"); + mwexec("{$fetchcmd} -o {$output_dir} -T 5 {$geoip_asnum_v6}"); + ntopng_fixup_geoip(); restart_service("ntopng"); } @@ -265,10 +284,13 @@ $source_dir = "/usr/local/share/ntopng"; } + safe_mkdir($target_dir, 0755); + foreach(glob("{$source_dir}/Geo*.dat*") as $geofile) { /* Decompress if needed. */ if (substr($geofile, -3, 3) == ".gz") { - mwexec("/usr/bin/gzip -d " . escapeshellarg($geofile)); + // keep -f here, otherwise the files will not get updated + mwexec("/usr/bin/gzip -d -f " . escapeshellarg($geofile)); } } diff --git a/config/suricata/deprecated_rules b/config/suricata/deprecated_rules new file mode 100644 index 00000000..42dd6386 --- /dev/null +++ b/config/suricata/deprecated_rules 
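Review bot: The four `mwexec("{$fetchcmd} -o {$output_dir} -T 5 ...")` calls in ntopng_update_geoip discard the exit status, so a timed-out or failed download (and `-T 5` is a short timeout for a multi-megabyte database) leaves whatever is already in `$output_dir`, and the function proceeds to ntopng_fixup_geoip() and restarts the service as if the update had succeeded. mwexec() returns the command's exit status, so checking it and logging the failure per URL is a few lines, and passing each URL through `escapeshellarg()` keeps the command well-formed if the constants are ever edited. Nothing on the new side verifies the downloaded content before it is decompressed in place; the exit-status check is the minimum, and the rewrite below folds the four calls into one loop.
```php
    $geoip_urls = array($geolite_city, $geolite_city_v6, $geoip_asnum, $geoip_asnum_v6);
    foreach ($geoip_urls as $geoip_url) {
        if (mwexec("{$fetchcmd} -o {$output_dir} -T 5 " . escapeshellarg($geoip_url)) != 0) {
            log_error("[ntopng] GeoIP download failed, keeping existing database: {$geoip_url}");
        }
    }
    // … unchanged: ntopng_fixup_geoip(); restart_service("ntopng"); …
```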
@@ -0,0 +1,63 @@
+#
+# Obsoleted Snort VRT rule categories
+#
+snort_attack-responses.rules
+snort_backdoor.rules
+snort_bad-traffic.rules
+snort_botnet-cnc.rules
+snort_chat.rules
+snort_ddos.rules
+snort_dns.rules
+snort_dos.rules
+snort_experimental.rules
+snort_exploit.rules
+snort_finger.rules
+snort_ftp.rules
+snort_icmp-info.rules
+snort_icmp.rules
+snort_imap.rules
+snort_info.rules
+snort_misc.rules
+snort_multimedia.rules
+snort_mysql.rules
+snort_nntp.rules
+snort_oracle.rules
+snort_other-ids.rules
+snort_p2p.rules
+snort_phishing-spam.rules
+snort_policy.rules
+snort_pop2.rules
+snort_pop3.rules
+snort_rpc.rules
+snort_rservices.rules
+snort_scada.rules
+snort_scan.rules
+snort_shellcode.rules
+snort_smtp.rules
+snort_snmp.rules
+snort_specific-threats.rules
+snort_spyware-put.rules
+snort_telnet.rules
+snort_tftp.rules
+snort_virus.rules
+snort_voip.rules
+snort_web-activex.rules
+snort_web-attacks.rules
+snort_web-cgi.rules
+snort_web-client.rules
+snort_web-coldfusion.rules
+snort_web-frontpage.rules
+snort_web-iis.rules
+snort_web-misc.rules
+snort_web-php.rules
+#
+# Obsoleted Emerging Threats Categories
+#
+emerging-rbn-malvertisers.rules
+emerging-rbn.rules
+#
+# Obsoleted Emerging Threats PRO Categories
+#
+etpro-rbn-malvertisers.rules
+etpro-rbn.rules
+
diff --git a/config/suricata/suricata.inc b/config/suricata/suricata.inc
index 73208f61..e3028570 100644
--- a/config/suricata/suricata.inc
+++ b/config/suricata/suricata.inc
@@ -481,7 +481,7 @@ function suricata_build_list($suricatacfg, $listname = "", $passlist = false, $e
 // iterate all vips and add to passlist
 if (is_array($config['virtualip']) && is_array($config['virtualip']['vip'])) {
 foreach($config['virtualip']['vip'] as $vip) {
- if ($vip['subnet'] && $vip['mode'] != 'proxyarp') {
+ if ($vip['subnet']) {
 if (!in_array("{$vip['subnet']}/{$vip['subnet_bits']}", $home_net))
 $home_net[] = "{$vip['subnet']}/{$vip['subnet_bits']}";
 }
@@ -3231,6 +3231,73 @@ function suricata_generate_yaml($suricatacfg) {
 unset($suricata_conf_text);
 }
 
+function suricata_remove_dead_rules() {
+
+ /*********************************************************/
+ /* This function removes dead and deprecated rules */
+ /* category files from the base Suricata rules directory */
+ /* and from the RULESETS setting of each interface. */
+ /* The file "deprecated_rules", if it exists, is used */
+ /* to determine which rules files to remove. */
+ /*********************************************************/
+
+ global $config, $g;
+ $rulesdir = SURICATADIR . "rules/";
+ $count = 0;
+ $cats = array();
+
+ // If there is no "deprecated_rules" file, then exit
+ if (!file_exists("{$rulesdir}deprecated_rules"))
+ return;
+
+ // Open a SplFileObject to read in deprecated rules
+ $file = new SplFileObject("{$rulesdir}deprecated_rules");
+ $file->setFlags(SplFileObject::READ_AHEAD | SplFileObject::SKIP_EMPTY | SplFileObject::DROP_NEW_LINE);
+ while (!$file->eof()) {
+ $line = $file->fgets();
+
+ // Skip any lines with just spaces
+ if (trim($line) == "")
+ continue;
+
+ // Skip any comment lines starting with '#'
+ if (preg_match('/^\s*\#+/', $line))
+ continue;
+
+ $cats[] = $line;
+ }
+
+ // Close the SplFileObject since we are finished with it
+ $file = null;
+
+ // Delete any dead rules files from the Suricata RULES directory
+ foreach ($cats as $file) {
+ if (file_exists("{$rulesdir}{$file}"))
+ $count++;
+ unlink_if_exists("{$rulesdir}{$file}");
+ }
+
+ // Log how many obsoleted files were removed
+ log_error(gettext("[Suricata] Removed {$count} obsoleted rules category files."));
+
+ // Now remove any dead rules files from the interface configurations
+ if (!empty($cats) && is_array($config['installedpackages']['suricata']['rule'])) {
+ foreach ($config['installedpackages']['suricata']['rule'] as &$iface) {
+ $enabled_rules = explode("||", $iface['rulesets']);
+ foreach ($enabled_rules as $k => $v) {
+ foreach ($cats as $d) {
+ if (strpos(trim($v), $d) !== false)
+ unset($enabled_rules[$k]);
+ }
+ }
+ $iface['rulesets'] = implode("||", $enabled_rules);
+ }
+ }
+
+ // Clean up
+ unset($cats, $enabled_rules);
+}
+
 /* Uses XMLRPC to synchronize the changes to a remote node */
 function suricata_sync_on_changes() {
 global $config, $g;
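Review bot: Each entry read from deprecated_rules is used verbatim in `unlink_if_exists("{$rulesdir}{$file}")`, so the delete loop is only confined to the rules directory as long as the list never contains a relative path component; since the file is meant to hold bare category file names, `$cats[] = basename(trim($line));` makes the loop unable to reach outside `$rulesdir` and also strips surrounding whitespace that the `trim($line) == ""` test already tolerates. The RULESETS clean-up uses `strpos(trim($v), $d) !== false`, a substring test, which also drops any enabled category whose name merely contains a deprecated one; if the `||`-separated entries are bare file names (their storage format is not shown here), `if (trim($v) === $d)` is the exact check. Two smaller points: the `foreach (... as &$iface)` reference is never `unset($iface)` after the loop, and `gettext("[Suricata] Removed {$count} obsoleted rules category files.")` interpolates before the catalog lookup so the string can never be translated — `sprintf(gettext("[Suricata] Removed %d obsoleted rules category files."), $count)` keeps it translatable, and the same pattern appears in the suricata_alerts.widget.php and suricata_check_for_rule_updates.php hunks.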
@@ -3366,6 +3433,38 @@ function suricata_do_xmlrpc_sync($syncdownloadrules, $sync_to_ip, $port, $userna if (!empty($sid_files) && $error == "") log_error("[suricata] Suricata pkg XMLRPC CARP sync auto-SID conf files success with {$url}:{$port} (pfsense.exec_php)."); + /*************************************************/ + /* Send over any IPREP IP List files */ + /*************************************************/ + $iprep_files = glob(SURICATA_IPREP_PATH . '*'); + foreach ($iprep_files as $file) { + $content = base64_encode(file_get_contents($file)); + $payload = "@file_put_contents('{$file}', base64_decode('{$content}'));"; + + /* assemble xmlrpc payload */ + $method = 'pfsense.exec_php'; + $params = array( XML_RPC_encode($password), XML_RPC_encode($payload) ); + + log_error("[suricata] Suricata XMLRPC CARP sync sending IPREP files to {$url}:{$port}."); + $msg = new XML_RPC_Message($method, $params); + $cli = new XML_RPC_Client('/xmlrpc.php', $url, $port); + $cli->setCredentials($username, $password); + $resp = $cli->send($msg, $synctimeout); + $error = ""; + if(!$resp) { + $error = "A communications error occurred while attempting Suricata XMLRPC CARP sync with {$url}:{$port}. Failed to transfer file: " . basename($file); + log_error($error); + file_notice("sync_settings", $error, "Suricata Settings Sync", ""); + } elseif($resp->faultCode()) { + $error = "An error code was received while attempting Suricata XMLRPC CARP sync with {$url}:{$port}. Failed to transfer file: " . basename($file) . " - Code " . $resp->faultCode() . ": " . $resp->faultString(); + log_error($error); + file_notice("sync_settings", $error, "Suricata Settings Sync", ""); + } + } + + if (!empty($iprep_files) && $error == "") + log_error("[suricata] Suricata pkg XMLRPC CARP sync IPREP files success with {$url}:{$port} (pfsense.exec_php)."); + /**************************************************/ /* Send over the <suricata> portion of config.xml */ /* $xml will hold the section to sync. */ 
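Review bot: `$error = "";` is reset at the top of every iteration of the IPREP loop, so the success line after it (`if (!empty($iprep_files) && $error == "")`) is logged whenever the last file transferred, even if earlier files failed and were already reported; initialise `$error = "";` once before the `foreach` instead. The payload `"@file_put_contents('{$file}', base64_decode('{$content}'));"` embeds the local file name inside a single-quoted PHP literal with no escaping, so a name containing a quote would break the statement executed on the peer; `var_export($file, true)` yields a correctly quoted literal, and dropping the `@` lets a remote write failure surface as an XML-RPC fault instead of being swallowed. Whether IPREP list names can be user-chosen is not visible in this hunk; if they can, the quoting matters for correctness as well as robustness. suricata_do_xmlrpc_sync continues outside the hunk.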
diff --git a/config/suricata/suricata.xml b/config/suricata/suricata.xml index 91708672..79189b44 100644 --- a/config/suricata/suricata.xml +++ b/config/suricata/suricata.xml @@ -42,7 +42,7 @@ <description>Suricata IDS/IPS Package</description> <requirements>None</requirements> <name>suricata</name> - <version>2.0.8 pkg v2.1.5</version> + <version>2.0.8 pkg v2.1.6</version> <title>Services: Suricata IDS</title> <include_file>/usr/local/pkg/suricata/suricata.inc</include_file> <menu> @@ -123,6 +123,11 @@ <chmod>0755</chmod> </additional_files_needed> <additional_files_needed> + <item>https://packages.pfsense.org/packages/config/suricata/deprecated_rules</item> + <prefix>/usr/local/pkg/suricata/</prefix> + <chmod>0755</chmod> + </additional_files_needed> + <additional_files_needed> <item>https://packages.pfsense.org/packages/config/suricata/suricata_download_updates.php</item> <prefix>/usr/local/www/suricata/</prefix> <chmod>0755</chmod> diff --git a/config/suricata/suricata_alerts.widget.php b/config/suricata/suricata_alerts.widget.php index 81d17c2e..954fef17 100644 --- a/config/suricata/suricata_alerts.widget.php +++ b/config/suricata/suricata_alerts.widget.php @@ -124,7 +124,10 @@ function suricata_widget_get_alerts() { /* 0 1 2 3 4 5 6 7 */ /************** *************************************************************************************************************************/ - $fd = fopen("/tmp/surialerts_{$suricata_uuid}", "r"); + if (!$fd = fopen("/tmp/surialerts_{$suricata_uuid}", "r")) { + log_error(gettext("[Suricata Widget] Failed to open file /tmp/surialerts_{$suricata_uuid}")); + continue; + } $buf = ""; while (($buf = fgets($fd)) !== FALSE) { $fields = array(); diff --git a/config/suricata/suricata_check_for_rule_updates.php b/config/suricata/suricata_check_for_rule_updates.php index 0fa4fb2d..67334957 100644 --- a/config/suricata/suricata_check_for_rule_updates.php +++ b/config/suricata/suricata_check_for_rule_updates.php 
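Review bot: In the suricata_alerts.widget.php hunk, `if (!$fd = fopen(...))` depends on `!` applying to the assignment's result, which works but reads as a negated `$fd`; `if (($fd = fopen("/tmp/surialerts_{$suricata_uuid}", "r")) === false)` states the intent. Because `fopen()` is not wrapped, a missing file still emits a PHP warning in the web log in addition to the new `log_error()` call, and `gettext("[Suricata Widget] Failed to open file /tmp/surialerts_{$suricata_uuid}")` interpolates before the catalog lookup so it can never be translated — `sprintf(gettext("[Suricata Widget] Failed to open file /tmp/surialerts_%s"), $suricata_uuid)` keeps it translatable. The `continue` implies an enclosing loop that begins outside the hunk, and the matching `fclose($fd)` on the success path is also outside what is shown.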
@@ -196,9 +196,11 @@ function suricata_download_file_url($url, $file_out) { } curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true); - curl_setopt($ch, CURLOPT_USERAGENT, "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Win64; x64; Trident/6.0)"); - curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false); - curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, 30); + curl_setopt($ch, CURLOPT_USERAGENT, "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 Chrome/43.0.2357.65 Safari/537.36"); + curl_setopt($ch, CURLOPT_SSL_CIPHER_LIST, "TLSv1.2, TLSv1"); + curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, true); + curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, true); + curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, 15); curl_setopt($ch, CURLOPT_TIMEOUT, 0); // Use the system proxy server setttings if configured @@ -604,6 +606,12 @@ if ($snortcommunityrules == 'on') { } } +// If removing deprecated rules categories, then do it +if ($config['installedpackages']['suricata']['config'][0]['hide_deprecated_rules'] == "on") { + log_error(gettext("[Suricata] Hide Deprecated Rules is enabled. Removing obsoleted rules categories.")); + suricata_remove_dead_rules(); +} + function suricata_apply_customizations($suricatacfg, $if_real) { global $vrt_enabled, $rebuild_rules; diff --git a/config/suricata/suricata_define_vars.php b/config/suricata/suricata_define_vars.php index 1aff122c..eac0c2a8 100644 --- a/config/suricata/suricata_define_vars.php +++ b/config/suricata/suricata_define_vars.php 
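Review bot: `curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, true)` passes the integer 1, which is not the value that checks the certificate name against the host: host-name verification is `2`, and `1` has meant either "only check that a name is present" or, in later libcurl releases, a rejected value that leaves the previous setting in place — write `curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 2);` so the peer verification this hunk enables with `CURLOPT_SSL_VERIFYPEER` actually binds the certificate to the host being downloaded from. `CURLOPT_SSL_CIPHER_LIST, "TLSv1.2, TLSv1"` sets an OpenSSL cipher-suite list (those tokens are cipher aliases), not a minimum protocol version; if the intent is to refuse SSLv3, `CURLOPT_SSLVERSION` with `CURL_SSLVERSION_TLSv1` is the option that does that. suricata_download_file_url continues outside the hunk.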
@@ -101,10 +101,14 @@ if ($_POST) { foreach ($suricata_servers as $key => $server) { if ($_POST["def_{$key}"] && !is_alias($_POST["def_{$key}"])) $input_errors[] = "Only aliases are allowed"; + if ($_POST["def_{$key}"] && is_alias($_POST["def_{$key}"]) && trim(filter_expand_alias($_POST["def_{$key}"])) == "") + $input_errors[] = "FQDN aliases are not allowed for IP variables in Suricata."; } foreach ($suricata_ports as $key => $server) { if ($_POST["def_{$key}"] && !is_alias($_POST["def_{$key}"])) $input_errors[] = "Only aliases are allowed"; + if ($_POST["def_{$key}"] && is_alias($_POST["def_{$key}"]) && trim(filter_expand_alias($_POST["def_{$key}"])) == "") + $input_errors[] = "FQDN aliases are not allowed for port variables in Suricata."; } /* if no errors write to suricata.yaml */ if (!$input_errors) { diff --git a/config/suricata/suricata_defs.inc b/config/suricata/suricata_defs.inc index 5467f88c..29e0a368 100644 --- a/config/suricata/suricata_defs.inc +++ b/config/suricata/suricata_defs.inc @@ -52,7 +52,7 @@ if (!is_array($config['installedpackages']['suricata'])) $config['installedpackages']['suricata'] = array(); /* Get installed package version for display */ -$suricata_package_version = "Suricata {$config['installedpackages']['package'][get_pkg_id("suricata")]['version']}"; +$suricata_package_version = "{$config['installedpackages']['package'][get_pkg_id("suricata")]['version']}"; // Define the installed package version if (!defined('SURICATA_PKG_VER')) 
@@ -71,6 +71,16 @@ if (!defined('SURICATA_PBI_BASEDIR')) { if (!defined('SURICATA_PBI_BINDIR')) define('SURICATA_PBI_BINDIR', SURICATA_PBI_BASEDIR . 'bin/'); +if (!defined("SURICATA_BIN_VERSION")) { + // Grab the Suricata binary version programmatically + $suricatabindir = SURICATA_PBI_BINDIR; + $suricataver = exec_command("{$suricatabindir}suricata -V 2>&1 |/usr/bin/cut -c26-"); + if (!empty($suricataver)) + define("SURICATA_BIN_VERSION", $suricataver); + else + define("SURICATA_BIN_VERSION", ""); +} + // Define the name of the pf table used for IP blocks if (!defined('SURICATA_PF_TABLE')) define('SURICATA_PF_TABLE', 'snort2c'); diff --git a/config/suricata/suricata_global.php b/config/suricata/suricata_global.php index 8eea8d2d..013cde3e 100644 --- a/config/suricata/suricata_global.php +++ b/config/suricata/suricata_global.php @@ -67,6 +67,7 @@ else { $pconfig['snortcommunityrules'] = $config['installedpackages']['suricata']['config'][0]['snortcommunityrules']; $pconfig['snort_rules_file'] = $config['installedpackages']['suricata']['config'][0]['snort_rules_file']; $pconfig['autogeoipupdate'] = $config['installedpackages']['suricata']['config'][0]['autogeoipupdate']; + $pconfig['hide_deprecated_rules'] = $config['installedpackages']['suricata']['config'][0]['hide_deprecated_rules'] == "on" ? 'on' : 'off'; } // Do input validation on parameters 
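Review bot: `exec_command("{$suricatabindir}suricata -V 2>&1 |/usr/bin/cut -c26-")` extracts the version by fixed column, so any change to the banner text yields a wrong or empty constant, and it runs the binary on every include of suricata_defs.inc (every page that pulls in the defs); if the banner carries the word "version" before the number, `preg_match('/version\s+(\S+)/', $output, $m)` is not column-dependent, and caching the result (a small file under /var/run, or computing it only on the pages that display it) avoids spawning a process per request. The value becomes part of `$pgtitle` in the suricata_interfaces.php hunk without escaping; it comes from a trusted local binary, but `htmlspecialchars()` at the point of output costs nothing. `$suricatabindir` and `$suricataver` also remain as globals in a file that otherwise only defines constants.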
@@ -99,6 +100,7 @@ if (!$input_errors) { $config['installedpackages']['suricata']['config'][0]['enable_etopen_rules'] = $_POST['enable_etopen_rules'] ? 'on' : 'off'; $config['installedpackages']['suricata']['config'][0]['enable_etpro_rules'] = $_POST['enable_etpro_rules'] ? 'on' : 'off'; $config['installedpackages']['suricata']['config'][0]['autogeoipupdate'] = $_POST['autogeoipupdate'] ? 'on' : 'off'; + $config['installedpackages']['suricata']['config'][0]['hide_deprecated_rules'] = $_POST['hide_deprecated_rules'] ? 'on' : 'off'; // If any rule sets are being turned off, then remove them // from the active rules section of each interface. Start @@ -135,6 +137,12 @@ if (!$input_errors) { } } + // If deprecated rules should be removed, then do it + if ($config['installedpackages']['suricata']['config'][0]['hide_deprecated_rules'] == "on") { + log_error(gettext("[Suricata] Hide Deprecated Rules is enabled. Removing obsoleted rules categories.")); + suricata_remove_dead_rules(); + } + $config['installedpackages']['suricata']['config'][0]['snort_rules_file'] = $_POST['snort_rules_file']; $config['installedpackages']['suricata']['config'][0]['oinkcode'] = $_POST['oinkcode']; $config['installedpackages']['suricata']['config'][0]['etprocode'] = $_POST['etprocode']; @@ -329,6 +337,13 @@ if ($input_errors) </table></td> </tr> <tr> + <td width="22%" valign="top" class="vncell"><?php echo gettext("Hide Deprecated Rules Categories"); ?></td> + <td width="78%" class="vtable"><input name="hide_deprecated_rules" id="hide_deprecated_rules" type="checkbox" value="yes" + <?php if ($pconfig['hide_deprecated_rules']=="on") echo "checked"; ?> /> + <?php echo gettext("Hide deprecated rules categories in the GUI and remove them from the configuration. Default is ") . + "<strong>" . gettext("Not Checked") . "</strong>" . gettext("."); ?></td> +</tr> +<tr> <td colspan="2" valign="top" class="listtopic"><?php echo gettext("Rules Update Settings"); ?></td> </tr> <tr> 
diff --git a/config/suricata/suricata_interfaces.php b/config/suricata/suricata_interfaces.php index e996a24f..39291803 100644 --- a/config/suricata/suricata_interfaces.php +++ b/config/suricata/suricata_interfaces.php @@ -145,8 +145,9 @@ if ($_POST['toggle']) { header("Location: /suricata/suricata_interfaces.php"); exit; } +$suri_bin_ver = SURICATA_BIN_VERSION; $suri_pkg_ver = SURICATA_PKG_VER; -$pgtitle = "Services: {$suri_pkg_ver} - Intrusion Detection System"; +$pgtitle = "Services: Suricata {$suri_bin_ver} pkg v{$suri_pkg_ver} - Intrusion Detection System"; include_once("head.inc"); ?> diff --git a/config/suricata/suricata_ip_reputation.php b/config/suricata/suricata_ip_reputation.php index d9d45a5f..953b167c 100644 --- a/config/suricata/suricata_ip_reputation.php +++ b/config/suricata/suricata_ip_reputation.php @@ -163,6 +163,9 @@ if ($_POST['save'] || $_POST['apply']) { // Soft-restart Suricata to live-load new variables suricata_reload_config($a_nat[$id]); + // Sync to configured CARP slaves if any are enabled + suricata_sync_on_changes(); + // We have saved changes and done a soft restart, so clear "dirty" flag clear_subsystem_dirty('suricata_iprep'); } diff --git a/config/suricata/suricata_list_view.php b/config/suricata/suricata_list_view.php index ec335abd..93ecd305 100644 --- a/config/suricata/suricata_list_view.php +++ b/config/suricata/suricata_list_view.php @@ -90,7 +90,7 @@ $pgtitle = array(gettext("Suricata"), gettext($title . " Viewer")); <td class="tabcont"> <table width="100%" cellpadding="0" cellspacing="6" bgcolor="#eeeeee"> <tr> - <td class="pgtitle" colspan="2">Snort: <?php echo gettext($title . " Viewer"); ?></td> + <td class="pgtitle" colspan="2">Suricata: <?php echo gettext($title . " Viewer"); ?></td> </tr> <tr> <td align="left" width="20%"> diff --git a/config/suricata/suricata_migrate_config.php b/config/suricata/suricata_migrate_config.php index 384033b3..2fd5f96e 100644 --- a/config/suricata/suricata_migrate_config.php 
+++ b/config/suricata/suricata_migrate_config.php @@ -95,6 +95,14 @@ if (empty($config['installedpackages']['suricata']['config'][0]['et_iqrisk_enabl } /**********************************************************/ +/* Create new HIDE_DEPRECATED_RULES setting if not set */ +/**********************************************************/ +if (empty($config['installedpackages']['suricata']['config'][0]['hide_deprecated_rules'])) { + $config['installedpackages']['suricata']['config'][0]['hide_deprecated_rules'] = "off"; + $updated_cfg = true; +} + +/**********************************************************/ /* Set default log size and retention limits if not set */ /**********************************************************/ if (!isset($config['installedpackages']['suricata']['config'][0]['alert_log_retention']) && $config['installedpackages']['suricata']['config'][0]['alert_log_retention'] != '0') { diff --git a/config/suricata/suricata_passlist.php b/config/suricata/suricata_passlist.php index e7e55d20..e414fbd0 100644 --- a/config/suricata/suricata_passlist.php +++ b/config/suricata/suricata_passlist.php 
@@ -207,7 +207,8 @@ if ($savemsg) { <p><?php echo gettext("1. Here you can create Pass List files for your Suricata package rules. Hosts on a Pass List are never blocked by Suricata."); ?><br/> <?php echo gettext("2. Add all the IP addresses or networks (in CIDR notation) you want to protect against Suricata block decisions."); ?><br/> <?php echo gettext("3. The default Pass List includes the WAN IP and gateway, defined DNS servers, VPNs and locally-attached networks."); ?><br/> - <?php echo gettext("4. Be careful, it is very easy to get locked out of your system by altering the default settings."); ?></p></span></td> + <?php echo gettext("4. Be careful, it is very easy to get locked out of your system by altering the default settings."); ?><br/> + <?php echo gettext("5. To use a custom Pass List on an interface, you must manually assign the list using the drop-down control on the Interface Settings tab."); ?></p></span></td> </tr> <tr> <td width="100%"><span class="vexpl"><?php echo gettext("Remember you must restart Suricata on the interface for changes to take effect!"); ?></span></td> diff --git a/config/suricata/suricata_passlist_edit.php b/config/suricata/suricata_passlist_edit.php index 1d92e644..357b3818 100644 --- a/config/suricata/suricata_passlist_edit.php +++ b/config/suricata/suricata_passlist_edit.php @@ -154,10 +154,12 @@ if ($_POST['save']) { } } - if ($_POST['address']) + if ($_POST['address']) { if (!is_alias($_POST['address'])) $input_errors[] = gettext("A valid alias must be provided"); - + if (is_alias($_POST['address']) && trim(filter_expand_alias($_POST['address'])) == "") + $input_errors[] = gettext("FQDN aliases are not supported in Suricata."); + } if (!$input_errors) { $p_list = array(); /* post user input */ diff --git a/config/suricata/suricata_post_install.php b/config/suricata/suricata_post_install.php index aec8983e..ea1d7b0a 100644 --- a/config/suricata/suricata_post_install.php +++ b/config/suricata/suricata_post_install.php 
@@ -130,6 +130,10 @@ if ($config['installedpackages']['suricata']['config'][0]['et_iqrisk_enable'] == install_cron_job("/usr/bin/nice -n20 /usr/local/bin/php -f /usr/local/pkg/suricata/suricata_etiqrisk_update.php", TRUE, 0, "*/6", "*", "*", "*", "root"); } +// Move deprecated_rules file to SURICATADIR/rules directory +@rename("/usr/local/pkg/suricata/deprecated_rules", "{$suricatadir}rules/deprecated_rules"); + + /*********************************************************/ /* START OF BUG FIX CODE */ /* */ @@ -264,8 +268,8 @@ if ($config['installedpackages']['suricata']['config'][0]['forcekeepsettings'] = if ($pkg_interface <> "console") { update_status(gettext("Starting Suricata using rebuilt configuration...")); update_output_window(gettext("Please wait while Suricata is started...")); - mwexec("{$rcdir}suricata.sh start"); - update_output_window(gettext("Suricata has been started using the rebuilt configuration...")); + mwexec_bg("{$rcdir}suricata.sh start"); + update_output_window(gettext("Suricata is starting as a background task using the rebuilt configuration...")); } else mwexec_bg("{$rcdir}suricata.sh start"); @@ -281,8 +285,8 @@ if (empty($config['installedpackages']['suricata']['config'][0]['forcekeepsettin conf_mount_ro(); // Update Suricata package version in configuration -$config['installedpackages']['suricata']['config'][0]['suricata_config_ver'] = "2.1.5"; -write_config("Suricata pkg v2.1.5: post-install configuration saved."); +$config['installedpackages']['suricata']['config'][0]['suricata_config_ver'] = $config['installedpackages']['package'][get_pkg_id("suricata")]['version']; +write_config("Suricata pkg v{$config['installedpackages']['package'][get_pkg_id("suricata")]['version']}: post-install configuration saved."); // Done with post-install, so clear flag unset($g['suricata_postinstall']); diff --git a/config/systempatches/system_patches.php b/config/systempatches/system_patches.php index 43c8c22b..97e00b32 100644 
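Review bot: `@rename("/usr/local/pkg/suricata/deprecated_rules", "{$suricatadir}rules/deprecated_rules")` suppresses the only signal that the move failed, and because suricata_remove_dead_rules() returns silently when the file is absent from the rules directory, a failed rename means the new hide-deprecated-rules option does nothing with no log entry anywhere. `if (file_exists("/usr/local/pkg/suricata/deprecated_rules") && !rename(...)) log_error(gettext("[Suricata] Failed to move deprecated_rules into the rules directory."));` keeps the quiet path for a reinstall where the file was already moved and records a real failure. `$suricatadir` is assumed to be set earlier in this script; it is not visible in the hunk. The suricata.xml hunk installs the same file with `<chmod>0755</chmod>`, an executable bit a plain text list does not need; 0644 is sufficient.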
--- a/config/systempatches/system_patches.php +++ b/config/systempatches/system_patches.php @@ -180,11 +180,11 @@ include("head.inc"); <td width="5%" class="list"> </td> <td width="5%" class="listhdrr"><?=gettext("Description");?></td> <td width="60%" class="listhdrr"><?=gettext("URL/ID");?></td> +<td width="5%" class="listhdrr"><?=gettext("Status");?></td> <td width="5%" class="listhdrr"><?=gettext("Fetch");?></td> -<td width="5%" class="listhdrr"><?=gettext("Test");?></td> -<td width="5%" class="listhdrr"><?=gettext("Apply");?></td> -<td width="5%" class="listhdr"><?=gettext("Revert");?></td> +<td width="5%" class="listhdrr"><?=gettext("Apply");?>/<br /><?=gettext("Revert");?></td> <td width="5%" class="listhdr"><?=gettext("Auto Apply");?></td> +<td width="5%" class="listhdrr"><?=gettext("Test");?></td> <td width="5%" class="list"> <table border="0" cellspacing="0" cellpadding="1" summary="buttons"> <tr><td width="17"> 
@@ -213,39 +213,50 @@ foreach ($a_patches as $thispatch): <?=$thispatch['descr'];?> </td> <td class="listr" onclick="fr_toggle(<?=$npatches;?>)" id="frd<?=$npatches;?>" ondblclick="document.location='system_patches_edit.php?id=<?=$npatches;?>';"> - <?php - if (!empty($thispatch['location'])) - echo $thispatch['location']; - elseif (!empty($thispatch['patch'])) - echo gettext("Saved Patch"); + if (!empty($thispatch['location'])) + echo $thispatch['location']; + elseif (!empty($thispatch['patch'])) { + // saved patch with no location => manually entered/user defined + echo gettext("User-defined"); + } ?> </td> - <td class="listr" onclick="fr_toggle(<?=$npatches;?>)" id="frd<?=$npatches;?>" ondblclick="document.location='system_patches_edit.php?id=<?=$npatches;?>';"> - <?php if (empty($thispatch['patch'])): ?> - <a href="system_patches.php?id=<?=$i;?>&act=fetch"><?php echo gettext("Fetch"); ?></a> - <?php elseif (!empty($thispatch['location'])): ?> - <a href="system_patches.php?id=<?=$i;?>&act=fetch"><?php echo gettext("Re-Fetch"); ?></a> - <?php endif; ?> + + <td class="listr" onclick="fr_toggle(<?=$npatches;?>)" id="frd<?=$npatches;?>" ondblclick="document.location='system_patches_edit.php?id=<?=$npatches;?>';" nowrap> + <?php + if ($can_apply) { + echo gettext("Valid, not applied"); + } elseif ($can_revert) { + echo gettext("Valid, applied"); + } elseif (empty($thispatch['patch'])) { + echo gettext("Unknown, no code stored"); + } else { + echo gettext("Not valid, does not match"); + } + ?> </td> + <td class="listr" onclick="fr_toggle(<?=$npatches;?>)" id="frd<?=$npatches;?>" ondblclick="document.location='system_patches_edit.php?id=<?=$npatches;?>';"> - <?php if (!empty($thispatch['patch'])): ?> - <a href="system_patches.php?id=<?=$i;?>&act=test"><?php echo gettext("Test"); ?></a> + <?php if (!empty($thispatch['location'])): ?> + <a href="system_patches.php?id=<?=$i;?>&act=fetch"><?php echo gettext(empty($thispatch['patch']) ? 
"Fetch" : "Re-Fetch"); ?></a> <?php endif; ?> </td> <td class="listr" onclick="fr_toggle(<?=$npatches;?>)" id="frd<?=$npatches;?>" ondblclick="document.location='system_patches_edit.php?id=<?=$npatches;?>';"> <?php if ($can_apply): ?> <a href="system_patches.php?id=<?=$i;?>&act=apply"><?php echo gettext("Apply"); ?></a> - <?php endif; ?> - </td> - <td class="listr" onclick="fr_toggle(<?=$npatches;?>)" id="frd<?=$npatches;?>" ondblclick="document.location='system_patches_edit.php?id=<?=$npatches;?>';"> - <?php if ($can_revert): ?> + <?php elseif ($can_revert): ?> <a href="system_patches.php?id=<?=$i;?>&act=revert"><?php echo gettext("Revert"); ?></a> <?php endif; ?> </td> <td class="listr" onclick="fr_toggle(<?=$npatches;?>)" id="frd<?=$npatches;?>" ondblclick="document.location='system_patches_edit.php?id=<?=$npatches;?>';"> <?= isset($thispatch['autoapply']) ? "Yes" : "No" ?> </td> + <td class="listr" onclick="fr_toggle(<?=$npatches;?>)" id="frd<?=$npatches;?>" ondblclick="document.location='system_patches_edit.php?id=<?=$npatches;?>';"> + <?php if (!empty($thispatch['patch'])): ?> + <a href="system_patches.php?id=<?=$i;?>&act=test"><?php echo gettext("Test"); ?></a> + <?php endif; ?> + </td> <td valign="middle" class="list" nowrap> <table border="0" cellspacing="0" cellpadding="1" summary="edit"> <tr> |