From a0b0e148eaf46486906888b497640300f5c34875 Mon Sep 17 00:00:00 2001 From: bmeeks8 Date: Tue, 4 Mar 2014 20:14:08 -0500 Subject: Change missed $_GET to $_POST in save message. --- config/suricata/suricata_alerts.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/config/suricata/suricata_alerts.php b/config/suricata/suricata_alerts.php index 3b135f32..29002251 100644 --- a/config/suricata/suricata_alerts.php +++ b/config/suricata/suricata_alerts.php @@ -186,7 +186,7 @@ if (($_POST['addsuppress_srcip'] || $_POST['addsuppress_dstip'] || $_POST['addsu $suppress = "suppress gen_id {$_POST['gen_id']}, sig_id {$_POST['sidid']}\n"; else $suppress = "#{$_POST['descr']}\nsuppress gen_id {$_POST['gen_id']}, sig_id {$_POST['sidid']}\n"; - $success = gettext("An entry for 'suppress gen_id {$_GET['gen_id']}, sig_id {$_GET['sidid']}' has been added to the Suppress List."); + $success = gettext("An entry for 'suppress gen_id {$_POST['gen_id']}, sig_id {$_POST['sidid']}' has been added to the Suppress List."); break; case "by_src": case "by_dst": -- cgit v1.2.3 From 66c2763650a2543071042d6ca523e984dca146a1 Mon Sep 17 00:00:00 2001 From: bmeeks8 Date: Fri, 7 Mar 2014 15:44:10 -0500 Subject: Add fix for IPv6 address overflowing column layout. --- config/suricata/suricata_alerts.widget.php | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/config/suricata/suricata_alerts.widget.php b/config/suricata/suricata_alerts.widget.php index 370c6e96..c9cfc98e 100644 --- a/config/suricata/suricata_alerts.widget.php +++ b/config/suricata/suricata_alerts.widget.php 
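Review bot: The corrected message still interpolates `$_POST['gen_id']` and `$_POST['sidid']` verbatim, and the `$suppress` lines just above it write the same two values plus `$_POST['descr']` straight into the suppress list; no integer check on either is visible in this hunk (the enclosing `if` starts above it). Unless the caller validates them elsewhere, a non-numeric value lands in a Suricata config file and, if `$savemsg` is printed without escaping, in the page. I would gate the whole branch with `if (!is_numericint($_POST['gen_id']) || !is_numericint($_POST['sidid'])) $input_errors[] = gettext("GID and SID must be integers.");` before `$suppress` is built. Note also that `gettext()` is handed an already-interpolated string, so the msgid changes per request and can never match a catalog entry; pass the template and interpolate afterwards.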
@@ -134,9 +134,11 @@ function suricata_widget_get_alerts() { $suricata_alerts[$counter]['timestamp'] = strval(date_timestamp_get($event_tm)); $suricata_alerts[$counter]['timeonly'] = date_format($event_tm, "H:i:s"); $suricata_alerts[$counter]['dateonly'] = date_format($event_tm, "M d"); - $suricata_alerts[$counter]['src'] = $fields[9]; + // Add zero-width space as soft-break opportunity after each colon in any IPv6 address + $suricata_alerts[$counter]['src'] = str_replace(":", ":​", $fields[9]); $suricata_alerts[$counter]['srcport'] = $fields[10]; - $suricata_alerts[$counter]['dst'] = $fields[11]; + // Add zero-width space as soft-break opportunity after each colon in any IPv6 address + $suricata_alerts[$counter]['dst'] = str_replace(":", ":​", $fields[11]); $suricata_alerts[$counter]['dstport'] = $fields[12]; $suricata_alerts[$counter]['priority'] = $fields[7]; $suricata_alerts[$counter]['category'] = $fields[6]; -- cgit v1.2.3 From 3bb4d3df6243a654d9a323df8bc4c648da22c18f Mon Sep 17 00:00:00 2001 From: bmeeks8 Date: Fri, 7 Mar 2014 15:45:10 -0500 Subject: Add new 'Last Update' time and status message to window. --- .../suricata/suricata_check_for_rule_updates.php | 16 +++++++++++-- config/suricata/suricata_download_updates.php | 28 +++++++++++++++++++++- 2 files changed, 41 insertions(+), 3 deletions(-) diff --git a/config/suricata/suricata_check_for_rule_updates.php b/config/suricata/suricata_check_for_rule_updates.php index 3cf6b84b..4d159cdb 100644 --- a/config/suricata/suricata_check_for_rule_updates.php +++ b/config/suricata/suricata_check_for_rule_updates.php @@ -239,7 +239,7 @@ function suricata_check_rule_md5($file_url, $file_dst, $desc = "") { /* error occurred. */ /**********************************************************/ - global $pkg_interface, $suricata_rules_upd_log, $last_curl_error; + global $pkg_interface, $suricata_rules_upd_log, $last_curl_error, $update_errors; $suricatadir = SURICATADIR; $filename_md5 = basename($file_dst); 
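Review bot: The zero-width space inserted by `str_replace(":", ":​", $fields[9])` is a presentation tweak baked into the data array, so any later consumer of `['src']`/`['dst']` that treats the value as an address (a lookup, a link target, an `is_ipaddr()` test) receives a string with U+200B after every colon; it is safer to keep the raw field here and add the break opportunity where the widget renders it. The replacement character is also an invisible literal in the source, which is easy to lose in an editor or merge; spelling it as `":&#8203;"` for HTML output, or `":\xE2\x80\x8B"` with a comment, keeps the intent visible. Whether `$fields[9]` is HTML-escaped before display is not visible in this hunk; if it is not, the raw log field should go through `htmlspecialchars()` at the point of output.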
@@ -284,6 +284,7 @@ function suricata_check_rule_md5($file_url, $file_dst, $desc = "") { if ($pkg_interface == "console") error_log(gettext("\tServer error message was: {$last_curl_error}\n"), 3, $suricata_rules_upd_log); error_log(gettext("\t{$desc} will not be updated.\n"), 3, $suricata_rules_upd_log); + $update_errors = true; return false; } } @@ -307,7 +308,7 @@ function suricata_fetch_new_rules($file_url, $file_dst, $file_md5, $desc = "") { /* FALSE if download was not successful. */ /**********************************************************/ - global $pkg_interface, $suricata_rules_upd_log, $last_curl_error; + global $pkg_interface, $suricata_rules_upd_log, $last_curl_error, $update_errors; $suricatadir = SURICATADIR; $filename = basename($file_dst); @@ -337,6 +338,7 @@ function suricata_fetch_new_rules($file_url, $file_dst, $file_md5, $desc = "") { error_log(gettext("\tDownloaded {$desc} file MD5: " . md5_file($file_dst) . "\n"), 3, $suricata_rules_upd_log); error_log(gettext("\tExpected {$desc} file MD5: {$file_md5}\n"), 3, $suricata_rules_upd_log); error_log(gettext("\t{$desc} file download failed. {$desc} will not be updated.\n"), 3, $suricata_rules_upd_log); + $update_errors = true; return false; } return true; @@ -349,6 +351,7 @@ function suricata_fetch_new_rules($file_url, $file_dst, $file_md5, $desc = "") { if ($pkg_interface == "console") error_log(gettext("\tThe error text was: {$last_curl_error}\n"), 3, $suricata_rules_upd_log); error_log(gettext("\t{$desc} will not be updated.\n"), 3, $suricata_rules_upd_log); + $update_errors = true; return false; } @@ -375,6 +378,7 @@ if (file_exists($suricata_rules_upd_log)) { /* Log start time for this rules update */ error_log(gettext("Starting rules update... Time: " . date("Y-m-d H:i:s") . "\n"), 3, $suricata_rules_upd_log); $last_curl_error = ""; +$update_errors = false; /* Check for and download any new Emerging Threats Rules sigs */ if ($emergingthreats == 'on') { 
@@ -715,4 +719,12 @@ conf_mount_ro(); // Restore the state of $pkg_interface $pkg_interface = $pkg_interface_orig; +/* Save this update status to the configuration file */ +if ($update_errors) + $config['installedpackages']['suricata']['config'][0]['last_rule_upd_status'] = gettext("failed"); +else + $config['installedpackages']['suricata']['config'][0]['last_rule_upd_status'] = gettext("success"); +$config['installedpackages']['suricata']['config'][0]['last_rule_upd_time'] = gettext(date("M-d Y H:i")); +write_config(); + ?> diff --git a/config/suricata/suricata_download_updates.php b/config/suricata/suricata_download_updates.php index 46030bd0..a353b054 100644 --- a/config/suricata/suricata_download_updates.php +++ b/config/suricata/suricata_download_updates.php @@ -40,6 +40,16 @@ $emergingthreats = $config['installedpackages']['suricata']['config'][0]['enable $etpro = $config['installedpackages']['suricata']['config'][0]['enable_etpro_rules']; $snortcommunityrules = $config['installedpackages']['suricata']['config'][0]['snortcommunityrules']; +/* Get last update information if available */ +if (!empty($config['installedpackages']['suricata']['config'][0]['last_rule_upd_time'])) + $last_rule_upd_time = htmlspecialchars($config['installedpackages']['suricata']['config'][0]['last_rule_upd_time']); +else + $last_rule_upd_time = gettext("Unknown"); +if (!empty($config['installedpackages']['suricata']['config'][0]['last_rule_upd_status'])) + $last_rule_upd_status = htmlspecialchars($config['installedpackages']['suricata']['config'][0]['last_rule_upd_status']); +else + $last_rule_upd_status = gettext("Unknown"); + $snort_rules_file = VRT_DNLD_FILENAME; $snort_community_rules_filename = GPLV2_DNLD_FILENAME; @@ -209,6 +219,22 @@ include_once("head.inc"); + + + + + + + + + + + + + +
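Review bot: `gettext(date("M-d Y H:i"))` on the `last_rule_upd_time` line wraps a per-run dynamic string in gettext, which can never match a catalog msgid and only obscures the intent; write `$config['installedpackages']['suricata']['config'][0]['last_rule_upd_time'] = date("M-d Y H:i");`. The status lines have the opposite problem: `gettext("failed")`/`gettext("success")` persist a translated string in config.xml, so the stored value depends on the locale active at update time and cannot be compared reliably later; store a fixed token (`$update_errors ? "failed" : "success"`) and translate it where it is displayed. If this script also runs from cron, as the `$pkg_interface == "console"` branches in the earlier hunks suggest, the unconditional `write_config()` on every run deserves a comment explaining why a config write rather than a flat status file is acceptable.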
+ + @@ -226,7 +252,7 @@ include_once("head.inc"); title=""/>     " name="force" id="force" class="formbtn" title="" - onclick="return confirm('');"/> + onclick="return confirm('');"/>

-- cgit v1.2.3 From 3400ffcd318018dd32f96de6927bd445c35ca872 Mon Sep 17 00:00:00 2001 From: bmeeks8 Date: Fri, 7 Mar 2014 15:46:19 -0500 Subject: Fix logic error preventing disabling of Suricata interfaces. --- config/suricata/suricata_interfaces_edit.php | 57 +++++++++++++++++++++------- 1 file changed, 44 insertions(+), 13 deletions(-) diff --git a/config/suricata/suricata_interfaces_edit.php b/config/suricata/suricata_interfaces_edit.php index d7b5a8cb..46d2aa1d 100644 --- a/config/suricata/suricata_interfaces_edit.php +++ b/config/suricata/suricata_interfaces_edit.php @@ -40,10 +40,11 @@ if (!is_array($config['installedpackages']['suricata']['rule'])) $config['installedpackages']['suricata']['rule'] = array(); $a_rule = &$config['installedpackages']['suricata']['rule']; -if ($_GET['id']); - $id = htmlspecialchars($_GET['id'], ENT_QUOTES | ENT_HTML401); if ($_POST['id']) $id = $_POST['id']; +elseif ($_GET['id']); + $id = htmlspecialchars($_GET['id'], ENT_QUOTES | ENT_HTML401); + if (is_null($id)) $id = 0; @@ -71,8 +72,8 @@ if (isset($id) && $a_rule[$id]) { if (empty($pconfig['uuid'])) $pconfig['uuid'] = $suricata_uuid; } -// Must be a new interface, so try to pick next available physical interface to use elseif (isset($id) && !isset($a_rule[$id])) { + // Must be a new interface, so try to pick next available physical interface to use $ifaces = get_configured_interface_list(); $ifrules = array(); foreach($a_rule as $r) @@ -95,8 +96,6 @@ if (empty($pconfig['blockoffendersip'])) $pconfig['blockoffendersip'] = "both"; if (empty($pconfig['max_pending_packets'])) $pconfig['max_pending_packets'] = "1024"; -if (empty($pconfig['inspect_recursion_limit'])) - $pconfig['inspect_recursion_limit'] = "3000"; if (empty($pconfig['detect_eng_profile'])) $pconfig['detect_eng_profile'] = "medium"; if (empty($pconfig['mpm_algo'])) 
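Review bot: The new `elseif ($_GET['id']);` carries a trailing semicolon, so its body is empty and the following `$id = htmlspecialchars($_GET['id'], ...)` runs unconditionally — on a POST with no `id` query parameter this overwrites `$id` with `""`, and the later `is_null($id)` test does not catch it. Drop the semicolon and, since `$id` indexes `$a_rule`, check that it is an integer rather than HTML-escaping it: `elseif (isset($_GET['id']) && is_numericint($_GET['id']))` followed by `$id = $_GET['id'];`. The `$_POST['id']` branch takes its value with no validation at all; the same `is_numericint()` test belongs there.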
@@ -127,17 +126,49 @@ if (empty($pconfig['max_pcap_log_files'])) $pconfig['max_pcap_log_files'] = "1000"; if ($_POST["save"]) { - if (!$_POST['interface']) + // If the interface is not enabled, stop any running Suricata + // instance on it, save the new state and exit. + if (!isset($_POST['enable'])) { + if (isset($id) && $a_rule[$id]) { + $a_rule[$id]['enable'] = 'off'; + $a_rule[$id]['interface'] = htmlspecialchars($_POST['interface']); + $a_rule[$id]['descr'] = htmlspecialchars($_POST['descr']); + suricata_stop($a_rule[$id], get_real_interface($a_rule[$id]['interface'])); + + // Save configuration changes + write_config(); + + // Update suricata.conf and suricata.sh files for this interface + sync_suricata_package_config(); + + header( 'Expires: Sat, 26 Jul 1997 05:00:00 GMT' ); + header( 'Last-Modified: ' . gmdate( 'D, d M Y H:i:s' ) . ' GMT' ); + header( 'Cache-Control: no-store, no-cache, must-revalidate' ); + header( 'Cache-Control: post-check=0, pre-check=0', false ); + header( 'Pragma: no-cache' ); + header("Location: /suricata/suricata_interfaces.php"); + exit; + } + } + + // Validate inputs + if (!isset($_POST['interface'])) $input_errors[] = gettext("Choosing an Interface is mandatory!"); + if (isset($_POST['stats_upd_interval']) && !is_numericint($_POST['stats_upd_interval'])) + $input_errors[] = gettext("The value for Stats Update Interval must contain only digits and evaluate to an integer."); + if ($_POST['max_pending_packets'] < 1 || $_POST['max_pending_packets'] > 65000) $input_errors[] = gettext("The value for Maximum-Pending-Packets must be between 1 and 65,000!"); - if (!empty($_POST['max_pcap_log_size']) && !is_numeric($_POST['max_pcap_log_size'])) + if (isset($_POST['max_pcap_log_size']) && !is_numeric($_POST['max_pcap_log_size'])) $input_errors[] = gettext("The value for 'Max Packet Log Size' must be numbers only. 
Do not include any alphabetic characters."); - if (!empty($_POST['max_pcap_log_files']) && !is_numeric($_POST['max_pcap_log_files'])) - $input_errors[] = gettext("The value for 'Max Packet Log Files' must be numbers only."); + if (isset($_POST['max_pcap_log_files']) && !is_numeric($_POST['max_pcap_log_files'])) + $input_errors[] = gettext("The value for 'Max Packet Log Files' must be numbers only."); + + if (!empty($_POST['inspect_recursion_limit']) && !is_numeric($_POST['inspect_recursion_limit'])) + $input_errors[] = gettext("The value for Inspect Recursion Limit can either be blank or contain only digits evaluating to an integer greater than or equal to 0."); // if no errors write to suricata.yaml if (!$input_errors) { 
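Review bot: Changing `!empty()` to `isset()` on `max_pcap_log_size` and `max_pcap_log_files` makes a blank text field fail validation: a submitted but empty input is set, `is_numeric('')` is false, and the "numbers only" error fires even though the save code in the following hunk still treats a blank value as "unset" via `if ($_POST['max_pcap_log_size']) ... else unset(...)`. `!empty()` was the right test here, as the new `inspect_recursion_limit` check in the same hunk still uses. Separately, the early disable path stores `htmlspecialchars($_POST['interface'])` into the rule and passes it to `get_real_interface()` before the "Choosing an Interface is mandatory" check and the rest of the validation run; checking the value against `get_configured_interface_list()` first would keep a bogus interface name out of the config. The `if ($_POST["save"])` block continues past the end of this hunk.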
@@ -146,12 +177,12 @@ if ($_POST["save"]) { $natent['enable'] = $_POST['enable'] ? 'on' : 'off'; $natent['uuid'] = $pconfig['uuid']; - if ($_POST['descr']) $natent['descr'] = $_POST['descr']; else $natent['descr'] = strtoupper($natent['interface']); + if ($_POST['descr']) $natent['descr'] = htmlspecialchars($_POST['descr']); else $natent['descr'] = strtoupper($natent['interface']); if ($_POST['max_pcap_log_size']) $natent['max_pcap_log_size'] = $_POST['max_pcap_log_size']; else unset($natent['max_pcap_log_size']); if ($_POST['max_pcap_log_files']) $natent['max_pcap_log_files'] = $_POST['max_pcap_log_files']; else unset($natent['max_pcap_log_files']); if ($_POST['enable_stats_log'] == "on") { $natent['enable_stats_log'] = 'on'; }else{ $natent['enable_stats_log'] = 'off'; } if ($_POST['append_stats_log'] == "on") { $natent['append_stats_log'] = 'on'; }else{ $natent['append_stats_log'] = 'off'; } - if ($_POST['stats_upd_interval']) $natent['stats_upd_interval'] = $_POST['stats_upd_interval']; else $natent['stats_upd_interval'] = "10"; + if ($_POST['stats_upd_interval'] >= 1) $natent['stats_upd_interval'] = $_POST['stats_upd_interval']; else $natent['stats_upd_interval'] = "10"; if ($_POST['enable_http_log'] == "on") { $natent['enable_http_log'] = 'on'; }else{ $natent['enable_http_log'] = 'off'; } if ($_POST['append_http_log'] == "on") { $natent['append_http_log'] = 'on'; }else{ $natent['append_http_log'] = 'off'; } if ($_POST['enable_tls_log'] == "on") { $natent['enable_tls_log'] = 'on'; }else{ $natent['enable_tls_log'] = 'off'; } 
@@ -163,7 +194,7 @@ if ($_POST["save"]) { if ($_POST['enable_tracked_files_md5'] == "on") { $natent['enable_tracked_files_md5'] = 'on'; }else{ $natent['enable_tracked_files_md5'] = 'off'; } if ($_POST['enable_file_store'] == "on") { $natent['enable_file_store'] = 'on'; }else{ $natent['enable_file_store'] = 'off'; } if ($_POST['max_pending_packets']) $natent['max_pending_packets'] = $_POST['max_pending_packets']; else unset($natent['max_pending_packets']); - if ($_POST['inspect_recursion_limit']) $natent['inspect_recursion_limit'] = $_POST['inspect_recursion_limit']; else unset($natent['inspect_recursion_limit']); + if ($_POST['inspect_recursion_limit'] >= '0') $natent['inspect_recursion_limit'] = $_POST['inspect_recursion_limit']; else unset($natent['inspect_recursion_limit']); if ($_POST['detect_eng_profile']) $natent['detect_eng_profile'] = $_POST['detect_eng_profile']; else unset($natent['detect_eng_profile']); if ($_POST['mpm_algo']) $natent['mpm_algo'] = $_POST['mpm_algo']; else unset($natent['mpm_algo']); if ($_POST['sgh_mpm_context']) $natent['sgh_mpm_context'] = $_POST['sgh_mpm_context']; else unset($natent['sgh_mpm_context']); @@ -347,7 +378,7 @@ if ($savemsg) {
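Review bot: `$_POST['inspect_recursion_limit'] >= '0'` compares against a quoted zero, so for a non-numeric string PHP falls back to string comparison (`'abc' >= '0'` is true); it only works because the validation above rejects non-empty non-numeric input. The intent — keep an explicit 0, drop a blank field — reads more clearly and does not depend on that ordering as `if ($_POST['inspect_recursion_limit'] !== '' && is_numericint($_POST['inspect_recursion_limit']))`. The enclosing save block starts outside this hunk.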
-
+
-- cgit v1.2.3 From 7a22fff9519edd7375a935e80f2b2df69e7834e2 Mon Sep 17 00:00:00 2001 From: bmeeks8 Date: Fri, 7 Mar 2014 15:49:27 -0500 Subject: Remove inet_ntop and inet_pton calls plus tidy up some HTML. --- config/suricata/suricata_alerts.php | 47 ++++++++++++++++++++----------------- 1 file changed, 25 insertions(+), 22 deletions(-) diff --git a/config/suricata/suricata_alerts.php b/config/suricata/suricata_alerts.php index 29002251..46a68b56 100644 --- a/config/suricata/suricata_alerts.php +++ b/config/suricata/suricata_alerts.php @@ -121,12 +121,12 @@ function suricata_add_supplist_entry($suppress) { return false; } -if ($_POST['instance']) +if (is_numericint($_POST['instance'])) $instanceid = $_POST['instance']; -// This is for the auto-refresh so wecan stay on the same interface -if (is_numeric($_GET['instance'])) +// This is for the auto-refresh so we can stay on the same interface +if (is_numericint($_GET['instance'])) $instanceid = $_GET['instance']; -if (empty($instanceid)) +if (is_null($instanceid)) $instanceid = 0; if (!is_array($config['installedpackages']['suricata']['rule'])) @@ -191,7 +191,7 @@ if (($_POST['addsuppress_srcip'] || $_POST['addsuppress_dstip'] || $_POST['addsu case "by_src": case "by_dst": // Check for valid IP addresses, exit if not valid - if (is_ipaddr($_POST['ip']) || is_ipaddrv6($_POST['ip'])) { + if (is_ipaddr($_POST['ip'])) { if (empty($_POST['descr'])) $suppress = "suppress gen_id {$_POST['gen_id']}, sig_id {$_POST['sidid']}, track {$method}, ip {$_POST['ip']}\n"; else @@ -212,6 +212,7 @@ if (($_POST['addsuppress_srcip'] || $_POST['addsuppress_dstip'] || $_POST['addsu if (suricata_add_supplist_entry($suppress)) { suricata_reload_config($a_instance[$instanceid]); $savemsg = $success; + sleep(2); } else $input_errors[] = gettext("Suppress List '{$a_instance[$instanceid]['suppresslistname']}' is defined for this interface, but it could not be found!"); 
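Review bot: After the `is_numericint()` guards, `$instanceid` is used to index the instance array (presumably `$a_instance`, assigned from the `$config[...]['rule']` array set up just below) with no check that the entry exists, so a stale or out-of-range instance number from the auto-refresh URL proceeds with an undefined entry, and the `suricata_reload_config($a_instance[$instanceid])` calls later in this file would receive `null`. Add `if (!isset($a_instance[$instanceid])) $instanceid = 0;` once `$a_instance` is assigned. The `is_null($instanceid)` test also relies on the variable being undefined when neither parameter passes, which works but deserves a one-line comment.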
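Review bot: The `$suppress` lines in this hunk embed `$_POST['descr']` after a `#` and `$_POST['gen_id']`/`$_POST['sidid']` unvalidated; only the IP is checked. A description containing a newline terminates the comment and injects an arbitrary extra line into the suppress list that `suricata_add_supplist_entry()` writes, so the description should be forced onto one line (`$descr = str_replace(array("\r", "\n"), ' ', $_POST['descr']);`) and the two IDs checked with `is_numericint()` before this switch. Replacing `is_ipaddr() || is_ipaddrv6()` with `is_ipaddr()` alone is only equivalent if the pfSense `is_ipaddr()` accepts both families, which is not visible here; a short comment stating that would help the next reader.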
@@ -269,8 +270,9 @@ if ($_POST['togglesid'] && is_numeric($_POST['sidid']) && is_numeric($_POST['gen /* Signal Suricata to live-load the new rules */ suricata_reload_config($a_instance[$instanceid]); + sleep(2); - $savemsg = gettext("The state for rule {$gid}:{$sid} has been modified. Suricata is 'live-reloading' the new rules list. Please wait at least 30 secs for the process to complete before toggling additional rules."); + $savemsg = gettext("The state for rule {$gid}:{$sid} has been modified. Suricata is 'live-reloading' the new rules list. Please wait at least 15 secs for the process to complete before toggling additional rules."); } if ($_POST['delete']) { @@ -380,22 +382,23 @@ if ($savemsg) { -    - - + "/> +     + "/> +    - - > - ', '', '', ''); ?>   - - ', '', '', ''); ?> + "/> +    /> + ', '', '', ''); ?>   + +  ', '', '', ''); ?> @@ -444,7 +447,7 @@ if (file_exists("/var/log/suricata/suricata_{$if_real}{$suricata_uuid}/alerts.lo /* File format timestamp,action,sig_generator,sig_id,sig_rev,msg,classification,priority,proto,src,srcport,dst,dstport */ $fd = fopen("/tmp/alerts_suricata{$suricata_uuid}", "r"); while (($fields = fgetcsv($fd, 1000, ',', '"')) !== FALSE) { - if(count($fields) < 12) + if(count($fields) < 13) continue; // Create a DateTime object from the event timestamp that @@ -468,7 +471,7 @@ if (file_exists("/var/log/suricata/suricata_{$if_real}{$suricata_uuid}/alerts.lo /* Protocol */ $alert_proto = $fields[8]; /* IP SRC */ - $alert_ip_src = inet_ntop(inet_pton($fields[9])); + $alert_ip_src = $fields[9]; /* Add zero-width space as soft-break opportunity after each colon if we have an IPv6 address */ $alert_ip_src = str_replace(":", ":​", $alert_ip_src); /* Add Reverse DNS lookup icons */ 
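Review bot: Dropping `inet_ntop(inet_pton($fields[9]))` also drops the only normalisation and implicit validation the source address had: the round trip canonicalised IPv6 text and turned a malformed field into `false`, whereas `$alert_ip_src = $fields[9];` now forwards whatever the CSV field holds into the table. Since alerts.log is parsed with `fgetcsv()` from a file Suricata writes based on observed traffic, I would at least skip rows where `!is_ipaddr($fields[9])` (and likewise `$fields[11]` in the next hunk) and make sure the value passes through `htmlspecialchars()` where it is echoed, which this hunk does not show. The replacement line deserves a comment saying why the round trip was removed, otherwise it reads as an accidental regression.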
@@ -497,7 +500,7 @@ if (file_exists("/var/log/suricata/suricata_{$if_real}{$suricata_uuid}/alerts.lo /* IP SRC Port */ $alert_src_p = $fields[10]; /* IP Destination */ - $alert_ip_dst = inet_ntop(inet_pton($fields[11])); + $alert_ip_dst = $fields[11]; /* Add zero-width space as soft-break opportunity after each colon if we have an IPv6 address */ $alert_ip_dst = str_replace(":", ":​", $alert_ip_dst); /* Add Reverse DNS lookup icons */ @@ -520,8 +523,8 @@ if (file_exists("/var/log/suricata/suricata_{$if_real}{$suricata_uuid}/alerts.lo } /* Add icon for auto-removing from Blocked Table if required */ // if (isset($tmpblocked[$fields[11]])) { -// $alert_ip_src .= " "; +// $alert_ip_dst .= " "; // } /* IP DST Port */ $alert_dst_p = $fields[12]; -- cgit v1.2.3 From 08c5a4d7d40b0ce059daa832a231a95f46946c14 Mon Sep 17 00:00:00 2001 From: bmeeks8 Date: Fri, 7 Mar 2014 15:50:45 -0500 Subject: Add sid-msg.map v2 format capability and tidy up some funtions. --- config/suricata/suricata.inc | 142 +++++++++++++++++++++++-------------------- 1 file changed, 77 insertions(+), 65 deletions(-) diff --git a/config/suricata/suricata.inc b/config/suricata/suricata.inc index 1b6f5eb3..5c052cd2 100644 --- a/config/suricata/suricata.inc +++ b/config/suricata/suricata.inc @@ -77,16 +77,12 @@ function suricata_generate_id() { } function suricata_is_running($suricata_uuid, $if_real, $type = 'suricata') { - global $config, $g; - - if (isvalidpid("{$g['varrun_path']}/{$type}_{$if_real}{$suricata_uuid}.pid")) - return true; - else - return false; + global $g; + return isvalidpid("{$g['varrun_path']}/{$type}_{$if_real}{$suricata_uuid}.pid"); } function suricata_barnyard_stop($suricatacfg, $if_real) { - global $config, $g; + global $g; $suricata_uuid = $suricatacfg['uuid']; if (isvalidpid("{$g['varrun_path']}/barnyard2_{$if_real}{$suricata_uuid}.pid")) { 
@@ -96,13 +92,13 @@ function suricata_barnyard_stop($suricatacfg, $if_real) { } function suricata_stop($suricatacfg, $if_real) { - global $config, $g; + global $g; $suricata_uuid = $suricatacfg['uuid']; if (isvalidpid("{$g['varrun_path']}/suricata_{$if_real}{$suricata_uuid}.pid")) { log_error("[Suricata] Suricata STOP for {$suricatacfg['descr']}({$if_real})..."); killbypid("{$g['varrun_path']}/suricata_{$if_real}{$suricata_uuid}.pid"); - sleep(2); + sleep(1); // For some reason Suricata seems to need a double TERM signal to actually shutdown if (isvalidpid("{$g['varrun_path']}/suricata_{$if_real}{$suricata_uuid}.pid")) @@ -113,7 +109,7 @@ function suricata_stop($suricatacfg, $if_real) { } function suricata_barnyard_start($suricatacfg, $if_real) { - global $config, $g; + global $g; $suricata_uuid = $suricatacfg['uuid']; $suricatadir = SURICATADIR . "suricata_{$suricata_uuid}_{$if_real}"; 
@@ -121,19 +117,19 @@ function suricata_barnyard_start($suricatacfg, $if_real) { if ($suricatacfg['barnyard_enable'] == 'on') { log_error("[Suricata] Barnyard2 START for {$suricatacfg['descr']}({$if_real})..."); - exec("/usr/local/bin/barnyard2 -r {$suricata_uuid} -f unified2.alert --pid-path {$g['varrun_path']} --nolock-pidfile -c {$suricatadir}/barnyard2.conf -d {$suricatalogdir} -D -q"); + mwexec_bg("/usr/local/bin/barnyard2 -r {$suricata_uuid} -f unified2.alert --pid-path {$g['varrun_path']} --nolock-pidfile -c {$suricatadir}/barnyard2.conf -d {$suricatalogdir} -D -q"); } } function suricata_start($suricatacfg, $if_real) { - global $config, $g; + global $g; $suricatadir = SURICATADIR; $suricata_uuid = $suricatacfg['uuid']; if ($suricatacfg['enable'] == 'on') { log_error("[Suricata] Suricata START for {$suricatacfg['descr']}({$if_real})..."); - exec("/usr/local/bin/suricata -i {$if_real} -D -c {$suricatadir}suricata_{$suricata_uuid}_{$if_real}/suricata.yaml --pidfile {$g['varrun_path']}/suricata_{$if_real}{$suricata_uuid}.pid"); + mwexec_bg("/usr/local/bin/suricata -i {$if_real} -D -c {$suricatadir}suricata_{$suricata_uuid}_{$if_real}/suricata.yaml --pidfile {$g['varrun_path']}/suricata_{$if_real}{$suricata_uuid}.pid"); } else return; @@ -154,7 +150,7 @@ function suricata_reload_config($suricatacfg, $signal="USR2") { /* */ /* $signal = USR2 (default) parses and reloads config. */ /**************************************************************/ - global $config, $g; + global $g; $suricatadir = SURICATADIR; $suricata_uuid = $suricatacfg['uuid']; 
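Review bot: The two new `mwexec_bg()` calls build shell command lines by interpolating `$if_real`, `$suricata_uuid` and `$suricatadir` without quoting; if `mwexec_bg()` hands the string to `/bin/sh` as its name suggests, any unexpected character in an interface or directory name is interpreted by the shell. Wrapping each interpolated value in `escapeshellarg()` costs nothing here, e.g. `"/usr/local/bin/suricata -i " . escapeshellarg($if_real) . " -D -c " . escapeshellarg("{$suricatadir}suricata_{$suricata_uuid}_{$if_real}/suricata.yaml") . " --pidfile " . escapeshellarg("{$g['varrun_path']}/suricata_{$if_real}{$suricata_uuid}.pid")`. Moving from `exec()` to a background spawn also means `suricata_start()` returns before the daemon has written its pidfile, so a caller that checks `suricata_is_running()` immediately afterwards may get a false negative; a comment on that, or a short wait for the pidfile, would document the new contract. The rest of `suricata_start()` continues outside this hunk.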
@@ -166,8 +162,8 @@ function suricata_reload_config($suricatacfg, $signal="USR2") { /******************************************************/ if (isvalidpid("{$g['varrun_path']}/suricata_{$if_real}{$suricata_uuid}.pid")) { log_error("[Suricata] Suricata LIVE RULE RELOAD initiated for {$suricatacfg['descr']} ({$if_real})..."); - sigkillbypid("{$g['varrun_path']}/suricata_{$if_real}{$suricata_uuid}.pid", $signal); -// exec("/bin/pkill -{$signal} -F {$g['varrun_path']}/suricata_{$if_real}{$suricata_uuid}.pid 2>&1 &"); +// sigkillbypid("{$g['varrun_path']}/suricata_{$if_real}{$suricata_uuid}.pid", $signal); + mwexec_bg("/bin/pkill -{$signal} -F {$g['varrun_path']}/suricata_{$if_real}{$suricata_uuid}.pid"); } } @@ -183,7 +179,7 @@ function suricata_barnyard_reload_config($suricatacfg, $signal="HUP") { /* */ /* $signal = HUP (default) parses and reloads config. */ /**************************************************************/ - global $config, $g; + global $g; $suricatadir = SURICATADIR; $suricata_uuid = $suricatacfg['uuid']; @@ -195,8 +191,8 @@ function suricata_barnyard_reload_config($suricatacfg, $signal="HUP") { /******************************************************/ if (isvalidpid("{$g['varrun_path']}/barnyard2_{$if_real}{$suricata_uuid}.pid")) { log_error("[Suricata] Barnyard2 CONFIG RELOAD initiated for {$suricatacfg['descr']} ({$if_real})..."); - sigkillbypid("{$g['varrun_path']}/barnyard2_{$if_real}{$suricata_uuid}.pid", $signal); -// exec("/bin/pkill -{$signal} -F {$g['varrun_path']}/barnyard2_{$if_real}{$suricata_uuid}.pid 2>&1 &"); +// sigkillbypid("{$g['varrun_path']}/barnyard2_{$if_real}{$suricata_uuid}.pid", $signal); + mwexec_bg("/bin/pkill -{$signal} -F {$g['varrun_path']}/barnyard2_{$if_real}{$suricata_uuid}.pid"); } } 
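Review bot: `$signal` is now interpolated into a shell command (`/bin/pkill -{$signal} -F ...`) via `mwexec_bg()`, whereas `sigkillbypid()` passed it as a plain argument; the default is `USR2`, but nothing constrains what a caller supplies. Restrict it to the signals this code actually sends before building the command, e.g. `if (!in_array($signal, array("USR2", "HUP", "TERM"), true)) return;` at the top of the function, and do the same in `suricata_barnyard_reload_config()` in the next hunk. The superseded `sigkillbypid()` call is left behind as a comment; delete it rather than keep dead code beside its replacement.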
@@ -698,16 +694,28 @@ function suricata_build_sid_msg_map($rules_path, $sid_file) { /*************************************************************/ /* This function reads all the rules file in the passed */ /* $rules_path variable and produces a properly formatted */ - /* sid-msg.map file for use by Suricata and/or barnyard2. */ + /* sid-msg.map v2 file for use by Suricata and barnyard2. */ + /* */ + /* This function produces the new v2 format sid-msg.map */ + /* with the field layout as follows: */ + /* */ + /* GID || SID || REV || CLASSTYPE || PRI || MSG || REF ... */ + /* */ + /* On Entry: $rules_path --> array or directory of files */ + /* or a single file containing */ + /* the rules to read. */ + /* $sid_file --> the complete destination path */ + /* and filename for the output */ + /* sid-msg.map file. */ /*************************************************************/ $sidMap = array(); $rule_files = array(); - // First check if we were passed a directory, a single file - // or an array of filenames to read. Set our $rule_files - // variable accordingly. If we can't figure it out, return - // and don't write a sid_msg_map file. + /* First check if we were passed a directory, a single file */ + /* or an array of filenames to read. Set our $rule_files */ + /* variable accordingly. If we can't figure it out, return */ + /* and don't write a sid-msg.map file. */ if (is_string($rules_path)) { if (is_dir($rules_path)) $rule_files = glob($rules_path . "*.rules"); 
@@ -719,14 +727,14 @@ function suricata_build_sid_msg_map($rules_path, $sid_file) { else return; - // Read the rule files into an array, then iterate the list + /* Read the rule files into an array, then iterate the list */ foreach ($rule_files as $file) { - // Don't process files with "deleted" in the filename + /* Don't process files with "deleted" in the filename */ if (stristr($file, "deleted")) continue; - // Read the file into an array, skipping missing files. + /* Read the file into an array, skipping missing files. */ if (!file_exists($file)) continue; @@ -734,24 +742,24 @@ function suricata_build_sid_msg_map($rules_path, $sid_file) { $record = ""; $b_Multiline = false; - // Read and process each line from the rules in the current file + /* Read and process each line from the rules in the current file */ foreach ($rules_array as $rule) { - // Skip any non-rule lines unless we're in multiline mode. + /* Skip any non-rule lines unless we're in multiline mode. */ if (!preg_match('/^\s*#*\s*(alert|drop|pass)/i', $rule) && !$b_Multiline) continue; - // Test for a multi-line rule, and reassemble the - // pieces back into a single line. + /* Test for a multi-line rule, and reassemble the */ + /* pieces back into a single line. */ if (preg_match('/\\\\s*[\n]$/m', $rule)) { $rule = substr($rule, 0, strrpos($rule, '\\')); $record .= $rule; $b_Multiline = true; continue; } - // If the last segment of a multiline rule, then - // append it onto the previous parts to form a - // single-line rule for further processing below. + /* If the last segment of a multiline rule, then */ + /* append it onto the previous parts to form a */ + /* single-line rule for further processing below. */ elseif (!preg_match('/\\\\s*[\n]$/m', $rule) && $b_Multiline) { $record .= $rule; $rule = $record; 
@@ -759,8 +767,12 @@ function suricata_build_sid_msg_map($rules_path, $sid_file) { $b_Multiline = false; $record = ""; - // Parse the rule to find sid and any references. + /* Parse the rule to find sid and any references. */ + $gid = '1'; // default to 1 for regular rules $sid = ''; + $rev = ''; + $classtype = 'NOCLASS'; // required default for v2 format + $priority = '0'; // required default for v2 format $msg = ''; $matches = ''; $sidEntry = ''; 
@@ -768,23 +780,32 @@ function suricata_build_sid_msg_map($rules_path, $sid_file) { $msg = trim($matches[1]); if (preg_match('/\bsid\s*:\s*(\d+)\s*;/i', $rule, $matches)) $sid = trim($matches[1]); - if (!empty($sid) && !empty($msg)) { - $sidEntry = $sid . ' || ' . $msg; + if (preg_match('/\bgid\s*:\s*(\d+)\s*;/i', $rule, $matches)) + $gid = trim($matches[1]); + if (preg_match('/\brev\s*:\s*([^\;]+)/i', $rule, $matches)) + $rev = trim($matches[1]); + if (preg_match('/\bclasstype\s*:\s*([^\;]+)/i', $rule, $matches)) + $classtype = trim($matches[1]); + if (preg_match('/\bpriority\s*:\s*([^\;]+)/i', $rule, $matches)) + $priority = trim($matches[1]); + + if (!empty($gid) && !empty($sid) && !empty($msg)) { + $sidEntry = $gid . ' || ' . $sid . ' || ' . $rev . ' || ' . $classtype . ' || '; + $sidEntry .= $priority . ' || ' . $msg; preg_match_all('/\breference\s*:\s*([^\;]+)/i', $rule, $matches); foreach ($matches[1] as $ref) $sidEntry .= " || " . trim($ref); $sidEntry .= "\n"; - if (!is_array($sidMap[$sid])) - $sidMap[$sid] = array(); - $sidMap[$sid] = $sidEntry; + $sidMap[] = $sidEntry; } } } - // Sort the generated sid-msg map by sid - ksort($sidMap); + /* Sort the generated sid-msg map */ + natcasesort($sidMap); - // Now print the result to the supplied file - @file_put_contents($sid_file, array_values($sidMap)); + /* Now print the result to the supplied file */ + @file_put_contents($sid_file, "#v2\n# sid-msg.map file auto-generated by Snort.\n\n"); + @file_put_contents($sid_file, array_values($sidMap), FILE_APPEND); } function suricata_merge_reference_configs($cfg_in, $cfg_out) { 
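Review bot: Switching from `$sidMap[$sid] = $sidEntry` to `$sidMap[] = $sidEntry` removes the de-duplication the keyed array provided, so a signature present in two of the scanned files (for example an enabled and a disabled copy) now yields two lines in sid-msg.map; keying by `"{$gid}:{$sid}"` keeps the v2 layout and the old behaviour. The two `@file_put_contents()` calls suppress any write error and can leave a half-written file on failure; build the content once and check the result, e.g. `$out = "#v2\n# sid-msg.map file auto-generated by Snort.\n\n" . implode('', $sidMap);` followed by `if (file_put_contents($sid_file, $out) === false) log_error("[Suricata] Failed to write {$sid_file}");`. The generated header also says "auto-generated by Snort" inside the Suricata package. The function starts outside this hunk.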
@@ -1688,27 +1709,18 @@ function suricata_create_rc() { $start_barnyard = <</dev/null; do - sleep 1 - time=\$((time+1)) - if [ \$time -gt \$timeout ]; then - break - fi - done - if [ -f /var/run/barnyard2_{$if_real}{$suricata_uuid}.pid ]; then - /bin/rm /var/run/barnyard2_{$if_real}{$suricata_uuid}.pid - fi + /usr/bin/logger -p daemon.info -i -t SuricataStartup "Barnyard2 SOFT RESTART for {$value['descr']}({$suricata_uuid}_{$if_real})..." + /bin/pkill -HUP \$pid + else + /usr/bin/logger -p daemon.info -i -t SuricataStartup "Barnyard2 START for {$value['descr']}({$suricata_uuid}_{$if_real})..." + /usr/local/bin/barnyard2 -r {$suricata_uuid} -f unified2.alert --pid-path {$g['varrun_path']} --nolock-pidfile -c {$suricatadir}suricata_{$suricata_uuid}_{$if_real}/barnyard2.conf -d {$suricatalogdir}suricata_{$if_real}{$suricata_uuid} -D -q fi - /usr/bin/logger -p daemon.info -i -t SuricataStartup "Barnyard2 START for {$value['descr']}({$suricata_uuid}_{$if_real})..." - /usr/local/bin/barnyard2 -r {$suricata_uuid} -f unified2.alert --pid-path {$g['varrun_path']} --nolock-pidfile -c {$suricatadir}suricata_{$suricata_uuid}_{$if_real}/barnyard2.conf -d {$suricatalogdir}suricata_{$if_real}{$suricata_uuid} -D -q EOE; $stop_barnyard2 = <</dev/null; do sleep 1 @@ -1754,7 +1766,7 @@ EOE; ###### For Each Iface # Start suricata and barnyard2 if [ ! -f {$g['varrun_path']}/suricata_{$if_real}{$suricata_uuid}.pid ]; then - pid=`/bin/pgrep -f "suricata -i {$if_real} "` + pid=`/bin/pgrep -fn "suricata -i {$if_real} "` else pid=`/bin/pgrep -F {$g['varrun_path']}/suricata_{$if_real}{$suricata_uuid}.pid` fi 
@@ -1790,10 +1802,10 @@ EOE; /bin/rm /var/run/suricata_{$if_real}{$suricata_uuid}.pid fi else - pid=`/bin/pgrep -f "suricata -i {$if_real} "` + pid=`/bin/pgrep -fn "suricata -i {$if_real} "` if [ ! -z \$pid ]; then /usr/bin/logger -p daemon.info -i -t SuricataStartup "Suricata STOP for {$value['descr']}({$suricata_uuid}_{$if_real})..." - /bin/pkill -TERM -f "suricata -i {$if_real} " + /bin/pkill -TERM -fn "suricata -i {$if_real} " time=0 timeout=30 while /bin/kill -TERM \$pid 2>/dev/null; do sleep 1 -- cgit v1.2.3 From 62a833a2b268b4374bdba95b13c117470d380786 Mon Sep 17 00:00:00 2001 From: bmeeks8 Date: Fri, 7 Mar 2014 15:53:08 -0500 Subject: Increase rigor of $_POST and $_GET parameter value validation. --- config/suricata/suricata_rules.php | 19 ++++++++------ config/suricata/suricata_rules_edit.php | 39 +++++++++++------------------ config/suricata/suricata_rules_flowbits.php | 5 ++-- 3 files changed, 29 insertions(+), 34 deletions(-) diff --git a/config/suricata/suricata_rules.php b/config/suricata/suricata_rules.php index 1a0c54b5..85427e6f 100644 --- a/config/suricata/suricata_rules.php +++ b/config/suricata/suricata_rules.php @@ -40,10 +40,11 @@ if (!is_array($config['installedpackages']['suricata']['rule'])) $config['installedpackages']['suricata']['rule'] = array(); $a_rule = &$config['installedpackages']['suricata']['rule']; -if ($_GET['id']) - $id = $_GET['id']; -if ($_POST['id']) +if (isset($_POST['id'])) $id = $_POST['id']; +elseif (isset($_GET['id']) && is_numericint($_GET['id'])) + $id = htmlspecialchars($_GET['id']); + if (is_null($id)) { $id = 0; } 
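Review bot: `$id` from `$_POST['id']` is accepted as-is while the `$_GET['id']` path requires `is_numericint()`; since both values index `$a_rule`, the POST path should get the same test, and once the value is known to be an integer the `htmlspecialchars()` wrapper is redundant. Suggested shape: `if (isset($_POST['id']) && is_numericint($_POST['id'])) $id = $_POST['id']; elseif (isset($_GET['id']) && is_numericint($_GET['id'])) $id = $_GET['id'];`. Falling back to `$id = 0` when neither validates silently edits the first interface, which may be intended but deserves a comment.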
@@ -95,6 +96,10 @@ $emergingdownload = $config['installedpackages']['suricata']['config'][0]['enabl $etpro = $config['installedpackages']['suricata']['config'][0]['enable_etpro_rules']; $categories = explode("||", $pconfig['rulesets']); +// Add any previously saved rules files to the categories array +if (!empty($pconfig['rulesets'])) + $categories = explode("||", $pconfig['rulesets']); + if ($_GET['openruleset']) $currentruleset = htmlspecialchars($_GET['openruleset'], ENT_QUOTES | ENT_HTML401); elseif ($_POST['selectbox']) @@ -463,7 +468,7 @@ if ($savemsg) { " class="formbtn" title=""/>
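Review bot: The added `if (!empty($pconfig['rulesets'])) $categories = explode("||", $pconfig['rulesets']);` repeats the unconditional `$categories = explode("||", $pconfig['rulesets']);` on the line just above it, so the guard has no effect and `$categories` still becomes `array('')` when rulesets is empty. Keep one of the two: either drop the unconditional line so the guard is meaningful, or drop the new block. If the empty case should yield an empty array, initialise `$categories = array();` before the guarded explode.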

" . - gettext("Suricata must be restarted to activate any SID enable/disable changes made on this tab."); ?> + gettext("When finished, click APPLY to send any SID enable/disable changes made on this tab to the running Suricata process."); ?> {$textss} - {$textss} + {$textse} + title='{$title}' name=\"toggle[]\"/>{$textse} {$textss}{$gid}{$textse} diff --git a/config/suricata/suricata_rules_edit.php b/config/suricata/suricata_rules_edit.php index ad6b2986..c02d3eba 100644 --- a/config/suricata/suricata_rules_edit.php +++ b/config/suricata/suricata_rules_edit.php 
@@ -33,31 +33,22 @@ require_once("/usr/local/pkg/suricata/suricata.inc"); $flowbit_rules_file = FLOWBITS_FILENAME; $suricatadir = SURICATADIR; -if (!is_array($config['installedpackages']['suricata']['rule'])) { - $config['installedpackages']['suricata']['rule'] = array(); -} -$a_rule = &$config['installedpackages']['suricata']['rule']; +if (isset($_GET['id']) && is_numericint($_GET['id'])) + $id = htmlspecialchars($_GET['id']); -$id = $_GET['id']; -if (is_null($id)) { - header("Location: /suricata/suricata_interfaces.php"); +if (is_null($id)) exit; -} -if (isset($id) && $a_rule[$id]) { - $pconfig['enable'] = $a_rule[$id]['enable']; - $pconfig['interface'] = $a_rule[$id]['interface']; - $pconfig['rulesets'] = $a_rule[$id]['rulesets']; -} -else { - header("Location: /suricata/suricata_interfaces.php"); - exit; +if (!is_array($config['installedpackages']['suricata']['rule'])) { + $config['installedpackages']['suricata']['rule'] = array(); } -/* convert fake interfaces to real */ -$if_real = get_real_interface($pconfig['interface']); +$a_rule = &$config['installedpackages']['suricata']['rule']; + +$if_real = get_real_interface($a_rule[$id]['interface']); $suricata_uuid = $a_rule[$id]['uuid']; -$suricatacfgdir = "{$suricatadir}suricata_{$suricata_uuid}_{$if_real}"; +$suricatacfgdir = "{$suricatadir}suricata_{$suricata_uuid}_{$if_real}/"; + $file = htmlspecialchars($_GET['openruleset'], ENT_QUOTES | ENT_HTML401); $contents = ''; $wrap_flag = "off"; 
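Review bot: The rewrite drops the `isset($id) && $a_rule[$id]` existence check that the removed code had; a numeric `id` that is not an index of `$a_rule` now passes `is_null($id)` and reaches `get_real_interface($a_rule[$id]['interface'])` and `$a_rule[$id]['uuid']` on a missing entry, producing a `$suricatacfgdir` built from empty values. Re-add the check after the reference is taken, e.g. `if (!isset($a_rule[$id])) exit;` right after `$a_rule = &$config['installedpackages']['suricata']['rule'];`. The same gap remains in the later -36 hunk of this file (commit 09798494), which only extends the `is_null($id)` branch. Separately, `$file` is taken from `$_GET['openruleset']` with HTML escaping only; what it is later used for (filename or label) is outside this hunk, so whether a path check is needed cannot be judged here.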
@@ -73,13 +64,13 @@ else // a standard rules file, or a complete file name. // Test for the special case of an IPS Policy file. if (substr($file, 0, 10) == "IPS Policy") { - $rules_map = suricata_load_vrt_policy($a_rule[$id]['ips_policy']); - if (isset($_GET['ids'])) { - $contents = $rules_map[$_GET['gid']][trim($_GET['ids'])]['rule']; + $rules_map = suricata_load_vrt_policy(strtolower(trim(substr($file, strpos($file, "-")+1)))); + if (isset($_GET['sid']) && is_numericint($_GET['sid']) && isset($_GET['gid']) && is_numericint($_GET['gid'])) { + $contents = $rules_map[$_GET['gid']][trim($_GET['sid'])]['rule']; $wrap_flag = "soft"; } else { - $contents = "# Suricata IPS Policy - " . ucfirst($a_rule[$id]['ips_policy']) . "\n\n"; + $contents = "# Snort IPS Policy - " . ucfirst(trim(substr($file, strpos($file, "-")+1))) . "\n\n"; foreach (array_keys($rules_map) as $k1) { foreach (array_keys($rules_map[$k1]) as $k2) { $contents .= "# Category: " . $rules_map[$k1][$k2]['category'] . " SID: {$k2}\n"; @@ -90,7 +81,7 @@ if (substr($file, 0, 10) == "IPS Policy") { unset($rules_map); } // Is it a SID to load the rule text from? -elseif (isset($_GET['sid']) && is_numeric(trim($_GET['sid']))) { +elseif (isset($_GET['sid']) && is_numericint($_GET['sid']) && isset($_GET['gid']) && is_numericint($_GET['gid'])) { // If flowbit rule, point to interface-specific file if ($file == "Auto-Flowbit Rules") $rules_map = suricata_load_rules_map("{$suricatacfgdir}rules/" . FLOWBITS_FILENAME); diff --git a/config/suricata/suricata_rules_flowbits.php b/config/suricata/suricata_rules_flowbits.php index 53019894..d5629fae 100644 --- a/config/suricata/suricata_rules_flowbits.php +++ b/config/suricata/suricata_rules_flowbits.php 
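Review bot: `suricata_load_vrt_policy(strtolower(trim(substr($file, strpos($file, "-")+1))))` now derives the policy name from the request parameter `$file` rather than from the interface's stored `ips_policy` as before, so the argument is request-controlled; whether `suricata_load_vrt_policy()` validates it is not visible in this diff. It would be safer to check the parsed name against the policy names the package supports before the call and fall back to the stored `$a_rule[$id]['ips_policy']` otherwise. Also, when `$file` contains no `-`, `strpos()` returns false and `false+1` evaluates to 1, so the name becomes `$file` minus its first character rather than a sensible error; guarding with `strpos($file, "-") !== false` would make the failure explicit.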
@@ -43,8 +43,8 @@ $a_nat = &$config['installedpackages']['suricata']['rule']; if (isset($_POST['id'])) $id = $_POST['id']; -elseif (isset($_GET['id'])) - $id = $_GET['id']; +elseif (isset($_GET['id']) && is_numericint($_GET['id'])) + $id = htmlspecialchars($_GET['id']); if (is_null($id)) { header("Location: /suricata/suricata_interfaces.php"); @@ -283,7 +283,6 @@ if ($savemsg) /> - -- cgit v1.2.3 From 6d7dad52b45aae7faab7dd1863b0ef85d365d18e Mon Sep 17 00:00:00 2001 From: bmeeks8 Date: Fri, 7 Mar 2014 16:01:41 -0500 Subject: Remove bogus query string from ALERTS hyperlink tab. --- config/suricata/suricata_suppress.php | 2 +- config/suricata/suricata_suppress_edit.php | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/config/suricata/suricata_suppress.php b/config/suricata/suricata_suppress.php index e97006dc..12227f3d 100644 --- a/config/suricata/suricata_suppress.php +++ b/config/suricata/suricata_suppress.php @@ -122,7 +122,7 @@ if ($input_errors) { $tab_array[] = array(gettext("Suricata Interfaces"), false, "/suricata/suricata_interfaces.php"); $tab_array[] = array(gettext("Global Settings"), false, "/suricata/suricata_global.php"); $tab_array[] = array(gettext("Update Rules"), false, "/suricata/suricata_download_updates.php"); - $tab_array[] = array(gettext("Alerts"), false, "/suricata/suricata_alerts.php?instance={$instanceid}"); + $tab_array[] = array(gettext("Alerts"), false, "/suricata/suricata_alerts.php"); $tab_array[] = array(gettext("Suppress"), true, "/suricata/suricata_suppress.php"); $tab_array[] = array(gettext("Logs Browser"), false, "/suricata/suricata_logs_browser.php"); display_top_tabs($tab_array); diff --git a/config/suricata/suricata_suppress_edit.php b/config/suricata/suricata_suppress_edit.php index c2c23f10..3d5bad27 100644 --- a/config/suricata/suricata_suppress_edit.php +++ b/config/suricata/suricata_suppress_edit.php 
@@ -142,7 +142,7 @@ if ($savemsg) $tab_array[] = array(gettext("Interfaces"), false, "/suricata/suricata_interfaces.php"); $tab_array[] = array(gettext("Global Settings"), false, "/suricata/suricata_global.php"); $tab_array[] = array(gettext("Update Rules"), false, "/suricata/suricata_download_updates.php"); - $tab_array[] = array(gettext("Alerts"), false, "/suricata/suricata_alerts.php?instance={$instanceid}"); + $tab_array[] = array(gettext("Alerts"), false, "/suricata/suricata_alerts.php"); $tab_array[] = array(gettext("Suppress"), true, "/suricata/suricata_suppress.php"); display_top_tabs($tab_array); ?> -- cgit v1.2.3 From c7526cc17efff74791562bfe0f01dfa21ebfed8d Mon Sep 17 00:00:00 2001 From: bmeeks8 Date: Fri, 7 Mar 2014 16:25:47 -0500 Subject: Change "Snort" back to "Suricata" from copy-paste mistake. --- config/suricata/suricata.inc | 34 ++++++++++++++++----------------- config/suricata/suricata_rules_edit.php | 2 +- 2 files changed, 18 insertions(+), 18 deletions(-) diff --git a/config/suricata/suricata.inc b/config/suricata/suricata.inc index 5c052cd2..2660fae6 100644 --- a/config/suricata/suricata.inc +++ b/config/suricata/suricata.inc @@ -712,10 +712,10 @@ function suricata_build_sid_msg_map($rules_path, $sid_file) { $sidMap = array(); $rule_files = array(); - /* First check if we were passed a directory, a single file */ - /* or an array of filenames to read. Set our $rule_files */ - /* variable accordingly. If we can't figure it out, return */ - /* and don't write a sid-msg.map file. */ + // First check if we were passed a directory, a single file + // or an array of filenames to read. Set our $rule_files + // variable accordingly. If we can't figure it out, return + // and don't write a sid-msg.map file. if (is_string($rules_path)) { if (is_dir($rules_path)) $rule_files = glob($rules_path . "*.rules"); 
@@ -727,14 +727,14 @@ function suricata_build_sid_msg_map($rules_path, $sid_file) { else return; - /* Read the rule files into an array, then iterate the list */ + // Read the rule files into an array, then iterate the list foreach ($rule_files as $file) { - /* Don't process files with "deleted" in the filename */ + // Don't process files with "deleted" in the filename if (stristr($file, "deleted")) continue; - /* Read the file into an array, skipping missing files. */ + // Read the file into an array, skipping missing files. if (!file_exists($file)) continue; @@ -742,24 +742,24 @@ function suricata_build_sid_msg_map($rules_path, $sid_file) { $record = ""; $b_Multiline = false; - /* Read and process each line from the rules in the current file */ + // Read and process each line from the rules in the current file foreach ($rules_array as $rule) { - /* Skip any non-rule lines unless we're in multiline mode. */ + // Skip any non-rule lines unless we're in multiline mode. if (!preg_match('/^\s*#*\s*(alert|drop|pass)/i', $rule) && !$b_Multiline) continue; - /* Test for a multi-line rule, and reassemble the */ - /* pieces back into a single line. */ + // Test for a multi-line rule, and reassemble the + // pieces back into a single line. if (preg_match('/\\\\s*[\n]$/m', $rule)) { $rule = substr($rule, 0, strrpos($rule, '\\')); $record .= $rule; $b_Multiline = true; continue; } - /* If the last segment of a multiline rule, then */ - /* append it onto the previous parts to form a */ - /* single-line rule for further processing below. */ + // If the last segment of a multiline rule, then + // append it onto the previous parts to form a + // single-line rule for further processing below. elseif (!preg_match('/\\\\s*[\n]$/m', $rule) && $b_Multiline) { $record .= $rule; $rule = $record; 
@@ -767,7 +767,7 @@ function suricata_build_sid_msg_map($rules_path, $sid_file) { $b_Multiline = false; $record = ""; - /* Parse the rule to find sid and any references. */ + // Parse the rule to find sid and any references. $gid = '1'; // default to 1 for regular rules $sid = ''; $rev = ''; @@ -800,10 +800,10 @@ function suricata_build_sid_msg_map($rules_path, $sid_file) { } } } - /* Sort the generated sid-msg map */ + // Sort the generated sid-msg map natcasesort($sidMap); - /* Now print the result to the supplied file */ + // Now print the result to the supplied file @file_put_contents($sid_file, "#v2\n# sid-msg.map file auto-generated by Snort.\n\n"); @file_put_contents($sid_file, array_values($sidMap), FILE_APPEND); } diff --git a/config/suricata/suricata_rules_edit.php b/config/suricata/suricata_rules_edit.php index c02d3eba..491bda61 100644 --- a/config/suricata/suricata_rules_edit.php +++ b/config/suricata/suricata_rules_edit.php @@ -70,7 +70,7 @@ if (substr($file, 0, 10) == "IPS Policy") { $wrap_flag = "soft"; } else { - $contents = "# Snort IPS Policy - " . ucfirst(trim(substr($file, strpos($file, "-")+1))) . "\n\n"; + $contents = "# Suricata IPS Policy - " . ucfirst(trim(substr($file, strpos($file, "-")+1))) . "\n\n"; foreach (array_keys($rules_map) as $k1) { foreach (array_keys($rules_map[$k1]) as $k2) { $contents .= "# Category: " . $rules_map[$k1][$k2]['category'] . " SID: {$k2}\n"; -- cgit v1.2.3 From bca1905789f4fdf938f81a7cfe5dd98751726aa7 Mon Sep 17 00:00:00 2001 From: bmeeks8 Date: Fri, 7 Mar 2014 21:35:27 -0500 Subject: Put [] around IPv6 addr and tidy up Suri Dashboard Widget. --- config/suricata/suricata_alerts.js | 6 +++--- config/suricata/suricata_alerts.widget.php | 29 ++++++++++++++++++++--------- 2 files changed, 23 insertions(+), 12 deletions(-) diff --git a/config/suricata/suricata_alerts.js b/config/suricata/suricata_alerts.js index 9e5b0b29..16e0c73c 100644 --- a/config/suricata/suricata_alerts.js 
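Review bot: The two `@file_put_contents($sid_file, ...)` lines at the end of the -800 hunk suppress any write failure, so an unwritable or missing sid-msg.map directory leaves Barnyard2 with a stale or absent map and nothing in the log; check the return value instead of using `@`, e.g. `if (file_put_contents($sid_file, ...) === false) log_error(...)` with whatever logging helper this file already uses. The header string written there still reads `# sid-msg.map file auto-generated by Snort.` although this commit's purpose is to revert the copy-paste "Snort" wording; `# sid-msg.map file auto-generated by Suricata.` would match.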
+++ b/config/suricata/suricata_alerts.js @@ -14,9 +14,9 @@ function suricata_alerts_fetch_new_rules_callback(callback_data) { for(var x=0; x' + row_split[1] + ''; - line += '' + row_split[2] + '
' + row_split[3] + ''; - line += '' + 'Pri: ' + row_split[4] + ' ' + row_split[5] + ''; + line = '' + row_split[0] + '
' + row_split[1] + ''; + line += '' + row_split[2] + '
' + row_split[3] + ''; + line += '' + 'Pri: ' + row_split[4] + ' ' + row_split[5] + ''; new_data_to_add[new_data_to_add.length] = line; } suricata_alerts_update_div_rows(new_data_to_add); diff --git a/config/suricata/suricata_alerts.widget.php b/config/suricata/suricata_alerts.widget.php index c9cfc98e..ce01c0a4 100644 --- a/config/suricata/suricata_alerts.widget.php +++ b/config/suricata/suricata_alerts.widget.php @@ -135,10 +135,16 @@ function suricata_widget_get_alerts() { $suricata_alerts[$counter]['timeonly'] = date_format($event_tm, "H:i:s"); $suricata_alerts[$counter]['dateonly'] = date_format($event_tm, "M d"); // Add zero-width space as soft-break opportunity after each colon in any IPv6 address - $suricata_alerts[$counter]['src'] = str_replace(":", ":​", $fields[9]); + if (is_ipaddrv6($fields[9]) && !empty($fields[10])) + $suricata_alerts[$counter]['src'] = "[" . str_replace(":", ":​", $fields[9]) . "]"; + else + $suricata_alerts[$counter]['src'] = $fields[9]; $suricata_alerts[$counter]['srcport'] = $fields[10]; // Add zero-width space as soft-break opportunity after each colon in any IPv6 address - $suricata_alerts[$counter]['dst'] = str_replace(":", ":​", $fields[11]); + if (is_ipaddrv6($fields[11]) && !empty($fields[12])) + $suricata_alerts[$counter]['dst'] = "[" . str_replace(":", ":​", $fields[11]) . "]"; + else + $suricata_alerts[$counter]['dst'] = $fields[11]; $suricata_alerts[$counter]['dstport'] = $fields[12]; $suricata_alerts[$counter]['priority'] = $fields[7]; $suricata_alerts[$counter]['category'] = $fields[6]; @@ -179,12 +185,17 @@ var suri_nentries = ; - +
+ + + + + - - - + + + @@ -195,9 +206,9 @@ var suri_nentries = ; foreach ($suricata_alerts as $alert) { $evenRowClass = $counter % 2 ? " listMReven" : " listMRodd"; echo(" - - - "); + + + "); $counter++; if($counter >= $suri_nentries) break; -- cgit v1.2.3 From 3bd710acc08252498e46e5c5d8608a3c6fbd122f Mon Sep 17 00:00:00 2001 From: bmeeks8 Date: Sat, 8 Mar 2014 12:31:26 -0500 Subject: Add ellipsis class and tooltips to Dashboard Widget IP columns. --- config/suricata/suricata_alerts.js | 8 ++++-- config/suricata/suricata_alerts.widget.php | 44 ++++++++++++++++-------------- 2 files changed, 29 insertions(+), 23 deletions(-) diff --git a/config/suricata/suricata_alerts.js b/config/suricata/suricata_alerts.js index 16e0c73c..b6a5d3c3 100644 --- a/config/suricata/suricata_alerts.js +++ b/config/suricata/suricata_alerts.js @@ -14,9 +14,11 @@ function suricata_alerts_fetch_new_rules_callback(callback_data) { for(var x=0; x' + row_split[1] + ''; - line += ''; - line += ''; + line = ''; + line += ''; + line += ''; new_data_to_add[new_data_to_add.length] = line; } suricata_alerts_update_div_rows(new_data_to_add); diff --git a/config/suricata/suricata_alerts.widget.php b/config/suricata/suricata_alerts.widget.php index ce01c0a4..6c30ecdc 100644 --- a/config/suricata/suricata_alerts.widget.php +++ b/config/suricata/suricata_alerts.widget.php @@ -80,8 +80,8 @@ if (isset($_GET['getNewAlerts'])) { $suri_alerts = suricata_widget_get_alerts(); $counter = 0; foreach ($suri_alerts as $a) { - $response .= $a['instanceid'] . " " . $a['dateonly'] . "||" . $a['timeonly'] . "||" . $a['src'] . ":" . $a['srcport'] . "||"; - $response .= $a['dst'] . ":" . $a['dstport'] . "||" . $a['priority'] . "||" . $a['category'] . "\n"; + $response .= $a['instanceid'] . " " . $a['dateonly'] . "||" . $a['timeonly'] . "||" . $a['src'] . "||"; + $response .= $a['dst'] . "||" . $a['priority'] . "||" . $a['category'] . "\n"; $counter++; if($counter >= $suri_nentries) break; 
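Review bot: The `$response` assembled in the `getNewAlerts` branch emits `$a['src']`, `$a['dst']`, `$a['category']` and the other fields without `htmlspecialchars()`, and the `-14` hunk of suricata_alerts.js in this same patch splits that response and concatenates the pieces straight into markup for `suricata_alerts_update_div_rows()`; the category text and addresses originate from the alerts log, i.e. from rule-supplied and traffic-supplied content, so any HTML-significant characters there end up interpreted in the dashboard. Escape each field where `$response` is built (wrap every `$a[...]` in `htmlspecialchars()`), or have the JavaScript assign the values with `textContent` rather than building an HTML string; the body of `suricata_alerts_update_div_rows()` is outside this diff, so how the string is inserted is inferred from the concatenation here.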
@@ -134,18 +134,22 @@ function suricata_widget_get_alerts() { $suricata_alerts[$counter]['timestamp'] = strval(date_timestamp_get($event_tm)); $suricata_alerts[$counter]['timeonly'] = date_format($event_tm, "H:i:s"); $suricata_alerts[$counter]['dateonly'] = date_format($event_tm, "M d"); - // Add zero-width space as soft-break opportunity after each colon in any IPv6 address - if (is_ipaddrv6($fields[9]) && !empty($fields[10])) - $suricata_alerts[$counter]['src'] = "[" . str_replace(":", ":​", $fields[9]) . "]"; + // Add square brackets around any IPv6 address + if (is_ipaddrv6($fields[9])) + $suricata_alerts[$counter]['src'] = "[" . $fields[9] . "]"; else $suricata_alerts[$counter]['src'] = $fields[9]; - $suricata_alerts[$counter]['srcport'] = $fields[10]; - // Add zero-width space as soft-break opportunity after each colon in any IPv6 address - if (is_ipaddrv6($fields[11]) && !empty($fields[12])) - $suricata_alerts[$counter]['dst'] = "[" . str_replace(":", ":​", $fields[11]) . "]"; + // Add the SRC PORT if not null + if (!empty($fields[10])) + $suricata_alerts[$counter]['src'] .= ":" . $fields[10]; + // Add square brackets around any IPv6 address + if (is_ipaddrv6($fields[11])) + $suricata_alerts[$counter]['dst'] = "[" . $fields[11] . "]"; else $suricata_alerts[$counter]['dst'] = $fields[11]; - $suricata_alerts[$counter]['dstport'] = $fields[12]; + // Add the SRC PORT if not null + if (!empty($fields[12])) + $suricata_alerts[$counter]['dst'] .= ":" . $fields[12]; $suricata_alerts[$counter]['priority'] = $fields[7]; $suricata_alerts[$counter]['category'] = $fields[6]; $counter++; @@ -187,15 +191,15 @@ var suri_nentries = ;
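Review bot: The comment before the destination-port append reads `// Add the SRC PORT if not null` but the code appends `$fields[12]` to `['dst']`; it should read `// Add the DST PORT if not null`. Also `!empty($fields[10])` / `!empty($fields[12])` treat the string `"0"` as empty, so a port of 0 is dropped from the display; if the fields are always strings, `$fields[10] !== ''` expresses the intended "not blank" test without that edge case. The function's start is inside the hunk header context, but its end is outside the hunk.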
IF/DateSrc/DstDetailsIF/DateSrc/DstDetails
" . $alert['instanceid'] . " " . $alert['dateonly'] . "
" . $alert['timeonly'] . "
" . $alert['src'] . ":" . $alert['srcport'] . "
" . $alert['dst'] . ":" . $alert['dstport'] . "
Pri: " . $alert['priority'] . " " . $alert['category'] . "
" . $alert['instanceid'] . " " . $alert['dateonly'] . "
" . $alert['timeonly'] . "
" . $alert['src'] . ":" . $alert['srcport'] . "
" . $alert['dst'] . ":" . $alert['dstport'] . "
Pri: " . $alert['priority'] . " " . $alert['category'] . "
' + row_split[2] + '
' + row_split[3] + '
' + 'Pri: ' + row_split[4] + ' ' + row_split[5] + '' + row_split[0] + '
' + row_split[1] + '
' + row_split[2] + '

' + row_split[3] + '
' + 'Pri: ' + row_split[4] + ' ' + row_split[5] + '
- - - + + + - - - - + + + + @@ -206,9 +210,9 @@ var suri_nentries = ; foreach ($suricata_alerts as $alert) { $evenRowClass = $counter % 2 ? " listMReven" : " listMRodd"; echo(" - - - "); + + + "); $counter++; if($counter >= $suri_nentries) break; -- cgit v1.2.3 From 09798494c3e32ef7c0958c681b2eccc846a3000c Mon Sep 17 00:00:00 2001 From: bmeeks8 Date: Sat, 8 Mar 2014 13:53:25 -0500 Subject: Add code to close pop-up window if error is encountered. --- config/suricata/suricata_rules_edit.php | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/config/suricata/suricata_rules_edit.php b/config/suricata/suricata_rules_edit.php index 491bda61..b61c2f3a 100644 --- a/config/suricata/suricata_rules_edit.php +++ b/config/suricata/suricata_rules_edit.php @@ -36,8 +36,14 @@ $suricatadir = SURICATADIR; if (isset($_GET['id']) && is_numericint($_GET['id'])) $id = htmlspecialchars($_GET['id']); -if (is_null($id)) +// If we were not passed a valid index ID, close the pop-up and exit +if (is_null($id)) { + echo ''; + echo ''; + echo ''; exit; +} if (!is_array($config['installedpackages']['suricata']['rule'])) { $config['installedpackages']['suricata']['rule'] = array(); -- cgit v1.2.3 From 279bed909a58259a0f04c5de575955ce9e956ec0 Mon Sep 17 00:00:00 2001 From: bmeeks8 Date: Sat, 8 Mar 2014 16:45:50 -0500 Subject: Cleanup HTML and formatting on a few panels. --- config/suricata/suricata_alerts.php | 52 ++++++++++++++--------------- config/suricata/suricata_logs_browser.php | 2 +- config/suricata/suricata_rules.php | 34 +++++++++---------- config/suricata/suricata_rules_flowbits.php | 14 ++++---- 4 files changed, 51 insertions(+), 51 deletions(-) diff --git a/config/suricata/suricata_alerts.php b/config/suricata/suricata_alerts.php index 46a68b56..8e1effa7 100644 --- a/config/suricata/suricata_alerts.php +++ b/config/suricata/suricata_alerts.php 
@@ -374,7 +374,7 @@ if ($savemsg) { $selected = ""; if ($id == $instanceid) $selected = "selected"; - echo "\n"; + echo "\n"; } ?>    @@ -407,31 +407,31 @@ if ($savemsg) {
IF/DateSrc/DstDetails
" . $alert['instanceid'] . " " . $alert['dateonly'] . "
" . $alert['timeonly'] . "
" . $alert['src'] . ":" . $alert['srcport'] . "
" . $alert['dst'] . ":" . $alert['dstport'] . "
Pri: " . $alert['priority'] . " " . $alert['category'] . "
" . $alert['instanceid'] . " " . $alert['dateonly'] . "
" . $alert['timeonly'] . "
" . $alert['src'] . "

" . $alert['dst'] . "
Pri: " . $alert['priority'] . " " . $alert['category'] . "
- +
- - + + - + - - + + - - - - - - - - + + + + + + + + - + @@ -554,16 +554,16 @@ if (file_exists("/var/log/suricata/suricata_{$if_real}{$suricata_uuid}/alerts.lo $alert_class = $fields[6]; echo " - - - - - - - - - - + + + + + + + + + + \n"; $counter++; diff --git a/config/suricata/suricata_logs_browser.php b/config/suricata/suricata_logs_browser.php index 9fc24927..f9c34ed0 100644 --- a/config/suricata/suricata_logs_browser.php +++ b/config/suricata/suricata_logs_browser.php @@ -150,7 +150,7 @@ if ($input_errors) { $selected = ""; if ($id == $instanceid) $selected = "selected"; - echo "\n"; + echo "\n"; } ?>    diff --git a/config/suricata/suricata_rules.php b/config/suricata/suricata_rules.php index 85427e6f..d532c6b1 100644 --- a/config/suricata/suricata_rules.php +++ b/config/suricata/suricata_rules.php @@ -530,14 +530,14 @@ if ($savemsg) {
{$alert_date}
{$alert_time}
{$alert_priority}{$alert_proto}{$alert_class}{$alert_ip_src}{$alert_src_p}{$alert_ip_dst}{$alert_dst_p}{$alert_sid_str}
{$sidsupplink}  {$sid_dsbl_link}
{$alert_descr}{$alert_date}
{$alert_time}
{$alert_priority}{$alert_proto}{$alert_class}{$alert_ip_src}{$alert_src_p}{$alert_ip_dst}{$alert_dst_p}{$alert_sid_str}
{$sidsupplink}  {$sid_dsbl_link}
{$alert_descr}
- + - + - - - - + + + + @@ -547,9 +547,9 @@ if ($savemsg) { - + - + @@ -610,35 +610,35 @@ if ($savemsg) { $sid_tooltip = gettext("View the raw text for this rule"); echo " - - - - - - - - "; diff --git a/config/suricata/suricata_rules_flowbits.php b/config/suricata/suricata_rules_flowbits.php index d5629fae..6470ff4b 100644 --- a/config/suricata/suricata_rules_flowbits.php +++ b/config/suricata/suricata_rules_flowbits.php @@ -205,13 +205,13 @@ if ($savemsg)
{$textss} - {$textse} + {$textss}{$gid}{$textse} + {$textss}{$sid}{$textse} + {$textss}{$protocol}{$textse} + {$srcspan}{$source} + {$srcprtspan}{$source_port} + {$dstspan}{$destination} + {$dstprtspan}{$destination_port} + {$textss}{$message}{$textse}
- +
- + - + @@ -263,11 +263,11 @@ if ($savemsg) // Use "echo" to write the table HTML row-by-row. echo "" . "" . - "" . - "" . - "" . + "" . + "" . + "" . "" . - "" . + "" . ""; $count++; } -- cgit v1.2.3 From a6f4ab08784d3bcaef35b74f7e22358378acdc53 Mon Sep 17 00:00:00 2001 From: bmeeks8 Date: Tue, 18 Mar 2014 12:42:08 -0400 Subject: Add log_limit and sensor_id params to Barnyard2 configuration page. --- config/suricata/suricata_barnyard.php | 39 +++++++++++++++++++++++++++++- config/suricata/suricata_generate_yaml.php | 10 ++++++++ config/suricata/suricata_yaml_template.inc | 5 ++-- 3 files changed, 50 insertions(+), 4 deletions(-) diff --git a/config/suricata/suricata_barnyard.php b/config/suricata/suricata_barnyard.php index e1ae892e..e71dc261 100644 --- a/config/suricata/suricata_barnyard.php +++ b/config/suricata/suricata_barnyard.php @@ -55,6 +55,8 @@ if (isset($id) && $a_nat[$id]) { $pconfig['barnyard_dbpwd'] = base64_decode($a_nat[$id]['barnyard_dbpwd']); if (empty($a_nat[$id]['barnyard_show_year'])) $pconfig['barnyard_show_year'] = "on"; + if (empty($a_nat[$id]['unified2_log_limit'])) + $pconfig['unified2_log_limit'] = "32"; if (empty($a_nat[$id]['barnyard_archive_enable'])) $pconfig['barnyard_archive_enable'] = "on"; if (empty($a_nat[$id]['barnyard_obfuscate_ip'])) @@ -71,6 +73,8 @@ if (isset($id) && $a_nat[$id]) { $pconfig['barnyard_syslog_priority'] = "LOG_INFO"; if (empty($a_nat[$id]['barnyard_bro_ids_dport'])) $pconfig['barnyard_bro_ids_dport'] = "47760"; + if (empty($a_nat[$id]['barnyard_sensor_id'])) + $pconfig['barnyard_sensor_id'] = "0"; if (empty($a_nat[$id]['barnyard_sensor_name'])) $pconfig['barnyard_sensor_name'] = php_uname("n"); } 
@@ -81,6 +85,18 @@ if ($_POST['save']) { $_POST['barnyard_bro_ids_enable'] != 'on' && $_POST['barnyard_enable'] == "on") $input_errors[] = gettext("You must enable at least one output option when using Barnyard2."); + // Validate unified2 log file limit + if ($_POST['barnyard_enable'] == 'on') { + if (!is_numericint($_POST['unified2_log_limit']) || $_POST['unified2_log_limit'] < 1) + $input_errors[] = gettext("The value for 'Unified2 Log Limit' must be a valid integer greater than zero."); + } + + // Validate Sensor ID is a valid integer + if ($_POST['barnyard_enable'] == 'on') { + if (!is_numericint($_POST['barnyard_sensor_id']) || $_POST['barnyard_sensor_id'] < 0) + $input_errors[] = gettext("The value for 'Sensor ID' must be a valid positive integer."); + } + // Validate inputs if MySQL database loggging enabled if ($_POST['barnyard_mysql_enable'] == 'on' && $_POST['barnyard_enable'] == "on") { if (empty($_POST['barnyard_dbhost'])) @@ -126,7 +142,9 @@ if ($_POST['save']) { $natent['barnyard_syslog_opmode'] = $_POST['barnyard_syslog_opmode']; $natent['barnyard_syslog_proto'] = $_POST['barnyard_syslog_proto']; + if ($_POST['barnyard_sensor_id']) $natent['barnyard_sensor_id'] = $_POST['barnyard_sensor_id']; else $natent['barnyard_sensor_id'] = '0'; if ($_POST['barnyard_sensor_name']) $natent['barnyard_sensor_name'] = $_POST['barnyard_sensor_name']; else unset($natent['barnyard_sensor_name']); + if ($_POST['unified2_log_limit']) $natent['unified2_log_limit'] = $_POST['unified2_log_limit']; else unset($natent['unified2_log_limit']); if ($_POST['barnyard_dbhost']) $natent['barnyard_dbhost'] = $_POST['barnyard_dbhost']; else unset($natent['barnyard_dbhost']); if ($_POST['barnyard_dbname']) $natent['barnyard_dbname'] = $_POST['barnyard_dbname']; else unset($natent['barnyard_dbname']); if ($_POST['barnyard_dbuser']) $natent['barnyard_dbuser'] = $_POST['barnyard_dbuser']; else unset($natent['barnyard_dbuser']); 
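Review bot: The `is_numericint()` checks for `unified2_log_limit` and `barnyard_sensor_id` run only when `$_POST['barnyard_enable'] == 'on'`, yet the -126 hunk below stores both values unconditionally, and the -226 hunk of suricata_generate_yaml.php interpolates them into suricata.yaml as `limit: {$unified2_log_limit}` and `sensor-id: {$unified2_sensor_id}` whenever they are set. With Barnyard2 disabled an arbitrary string is therefore written into the YAML unvalidated, which can break the generated config on the next start. Drop the enclosing `if ($_POST['barnyard_enable'] == 'on')` from both validation blocks (or clear the two fields when Barnyard2 is off) so the values are always checked before being saved.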
@@ -265,6 +283,15 @@ include_once("head.inc"); " . gettext("Checked") . ""; ?> + + + + + + + + @@ -555,10 +590,12 @@ function enable_change(enable_change) { endis = !(document.iform.barnyard_enable.checked || enable_change); // make sure a default answer is called if this is invoked. endis2 = (document.iform.barnyard_enable); + document.iform.unified2_log_limit.disabled = endis; document.iform.barnyard_archive_enable.disabled = endis; document.iform.barnyard_show_year.disabled = endis; document.iform.barnyard_dump_payload.disabled = endis; document.iform.barnyard_obfuscate_ip.disabled = endis; + document.iform.barnyard_sensor_id.disabled = endis; document.iform.barnyard_sensor_name.disabled = endis; document.iform.barnyard_mysql_enable.disabled = endis; document.iform.barnyard_dbhost.disabled = endis; diff --git a/config/suricata/suricata_generate_yaml.php b/config/suricata/suricata_generate_yaml.php index 0614adf8..115f0045 100644 --- a/config/suricata/suricata_generate_yaml.php +++ b/config/suricata/suricata_generate_yaml.php @@ -226,6 +226,16 @@ if ($suricatacfg['barnyard_enable'] == 'on') else $barnyard2_enabled = "no"; +if (isset($suricatacfg['unified2_log_limit'])) + $unified2_log_limit = "{$suricatacfg['unified2_log_limit']}mb"; +else + $unified2_log_limit = "32mb"; + +if (isset($suricatacfg['barnyard_sensor_id'])) + $unified2_sensor_id = $suricatacfg['barnyard_sensor_id']; +else + $unified2_sensor_id = "0"; + // Add interface-specific IP defrag settings if (!empty($suricatacfg['frag_memcap'])) $frag_memcap = $suricatacfg['frag_memcap']; diff --git a/config/suricata/suricata_yaml_template.inc b/config/suricata/suricata_yaml_template.inc index e62c48eb..07ada36e 100644 --- a/config/suricata/suricata_yaml_template.inc +++ b/config/suricata/suricata_yaml_template.inc 
@@ -40,9 +40,8 @@ outputs: - unified2-alert: enabled: {$barnyard2_enabled} filename: unified2.alert - limit: 32mb - # Sensor ID field of unified2 alerts. - sensor-id: 0 + limit: {$unified2_log_limit} + sensor-id: {$unified2_sensor_id} - http-log: enabled: {$http_log_enabled} -- cgit v1.2.3 From ca24f17206d370ac5b31ec5a5b535ad2599ecd1e Mon Sep 17 00:00:00 2001 From: bmeeks8 Date: Tue, 18 Mar 2014 12:44:38 -0400 Subject: Store last update time as timestamp instead of date string. --- .../suricata/suricata_check_for_rule_updates.php | 35 ++++++++-------------- config/suricata/suricata_download_updates.php | 2 +- 2 files changed, 14 insertions(+), 23 deletions(-) diff --git a/config/suricata/suricata_check_for_rule_updates.php b/config/suricata/suricata_check_for_rule_updates.php index 4d159cdb..867a7efe 100644 --- a/config/suricata/suricata_check_for_rule_updates.php +++ b/config/suricata/suricata_check_for_rule_updates.php @@ -29,6 +29,7 @@ require_once("functions.inc"); require_once("service-utils.inc"); +require_once("guiconfig.inc"); require_once("/usr/local/pkg/suricata/suricata.inc"); global $g, $pkg_interface, $suricata_gui_include, $rebuild_rules; @@ -95,6 +96,9 @@ $snort_community_rules_filename = GPLV2_DNLD_FILENAME; $snort_community_rules_filename_md5 = GPLV2_DNLD_FILENAME . ".md5"; $snort_community_rules_url = GPLV2_DNLD_URL; +/* Mount the Suricata conf directories R/W so we can modify files there */ +conf_mount_rw(); + /* Set up Emerging Threats rules filenames and URL */ if ($etpro == "on") { $emergingthreats_filename = ETPRO_DNLD_FILENAME; 
@@ -137,24 +141,12 @@ function suricata_download_file_url($url, $file_out) { /* It provides logging of returned CURL errors. */ /************************************************/ - global $g, $config, $pkg_interface, $last_curl_error, $fout, $ch, $file_size, $downloaded, $first_progress_update; + global $g, $config, $pkg_interface, $last_curl_error, $fout, $ch, $file_size, $downloaded, $first_progress_update, $rfc2616; // Initialize required variables for the pfSense "read_body()" function $file_size = 1; $downloaded = 1; $first_progress_update = TRUE; - - - // Array of message strings for HTTP Response Codes - $http_resp_msg = array( 200 => "OK", 202 => "Accepted", 204 => "No Content", 205 => "Reset Content", - 206 => "Partial Content", 301 => "Moved Permanently", 302 => "Found", - 305 => "Use Proxy", 307 => "Temporary Redirect", 400 => "Bad Request", - 401 => "Unauthorized", 402 => "Payment Required", 403 => "Forbidden", - 404 => "Not Found", 405 => "Method Not Allowed", 407 => "Proxy Authentication Required", - 408 => "Request Timeout", 410 => "Gone", 500 => "Internal Server Error", - 501 => "Not Implemented", 502 => "Bad Gateway", 503 => "Service Unavailable", - 504 => "Gateway Timeout", 505 => "HTTP Version Not Supported" ); - $last_curl_error = ""; $fout = fopen($file_out, "wb"); @@ -204,8 +196,8 @@ function suricata_download_file_url($url, $file_out) { if ($rc === false) $last_curl_error = curl_error($ch); $http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE); - if (isset($http_resp_msg[$http_code])) - $last_curl_error = $http_resp_msg[$http_code]; + if (is_rfc2616_code($http_code)) + $last_curl_error = $rfc2616[$http_code]; curl_close($ch); fclose($fout); @@ -358,7 +350,6 @@ function suricata_fetch_new_rules($file_url, $file_dst, $file_md5, $desc = "") { } /* Start of main code */ -conf_mount_rw(); /* remove old $tmpfname files if present */ if (is_dir("{$tmpfname}")) 
@@ -430,10 +421,10 @@ if ($emergingthreats == 'on') { /* Remove the old Emerging Threats rules files */ $eto_prefix = ET_OPEN_FILE_PREFIX; $etpro_prefix = ET_PRO_FILE_PREFIX; - array_map('unlink', glob("{$suricatadir}rules/{$eto_prefix}*.rules")); - array_map('unlink', glob("{$suricatadir}rules/{$etpro_prefix}*.rules")); - array_map('unlink', glob("{$suricatadir}rules/{$eto_prefix}*ips.txt")); - array_map('unlink', glob("{$suricatadir}rules/{$etpro_prefix}*ips.txt")); + unlink_if_exists("{$suricatadir}rules/{$eto_prefix}*.rules"); + unlink_if_exists("{$suricatadir}rules/{$etpro_prefix}*.rules"); + unlink_if_exists("{$suricatadir}rules/{$eto_prefix}*ips.txt"); + unlink_if_exists("{$suricatadir}rules/{$etpro_prefix}*ips.txt"); // The code below renames ET files with a prefix, so we // skip renaming the Suricata default events rule files @@ -492,7 +483,7 @@ if ($snortdownload == 'on') { if (file_exists("{$tmpfname}/{$snort_filename}")) { /* Remove the old Snort rules files */ $vrt_prefix = VRT_FILE_PREFIX; - array_map('unlink', glob("{$suricatadir}rules/{$vrt_prefix}*.rules")); + unlink_if_exists("{$suricatadir}rules/{$vrt_prefix}*.rules"); if ($pkg_interface <> "console") { update_status(gettext("Extracting Snort VRT rules...")); @@ -724,7 +715,7 @@ if ($update_errors) $config['installedpackages']['suricata']['config'][0]['last_rule_upd_status'] = gettext("failed"); else $config['installedpackages']['suricata']['config'][0]['last_rule_upd_status'] = gettext("success"); -$config['installedpackages']['suricata']['config'][0]['last_rule_upd_time'] = gettext(date("M-d Y H:i")); +$config['installedpackages']['suricata']['config'][0]['last_rule_upd_time'] = time(); write_config(); ?> diff --git a/config/suricata/suricata_download_updates.php b/config/suricata/suricata_download_updates.php index a353b054..bae467e4 100644 --- a/config/suricata/suricata_download_updates.php +++ b/config/suricata/suricata_download_updates.php 
@@ -42,7 +42,7 @@ $snortcommunityrules = $config['installedpackages']['suricata']['config'][0]['sn /* Get last update information if available */ if (!empty($config['installedpackages']['suricata']['config'][0]['last_rule_upd_time'])) - $last_rule_upd_time = htmlspecialchars($config['installedpackages']['suricata']['config'][0]['last_rule_upd_time']); + $last_rule_upd_time = date('M-d Y H:i', $config['installedpackages']['suricata']['config'][0]['last_rule_upd_time']); else $last_rule_upd_time = gettext("Unknown"); if (!empty($config['installedpackages']['suricata']['config'][0]['last_rule_upd_status'])) -- cgit v1.2.3 From 28ff681374aa023f5f59fd044e8a094fcbea32ef Mon Sep 17 00:00:00 2001 From: bmeeks8 Date: Tue, 18 Mar 2014 12:47:58 -0400 Subject: Change CSS class from "listlr" to "listr" on table rows. --- config/suricata/suricata_alerts.php | 18 +++++++++--------- config/suricata/suricata_rules.php | 14 +++++++------- 2 files changed, 16 insertions(+), 16 deletions(-) diff --git a/config/suricata/suricata_alerts.php b/config/suricata/suricata_alerts.php index 8e1effa7..99241b7e 100644 --- a/config/suricata/suricata_alerts.php +++ b/config/suricata/suricata_alerts.php @@ -554,15 +554,15 @@ if (file_exists("/var/log/suricata/suricata_{$if_real}{$suricata_uuid}/alerts.lo $alert_class = $fields[6]; echo " - - - - - - - - - + + + + + + + + + \n"; diff --git a/config/suricata/suricata_rules.php b/config/suricata/suricata_rules.php index d532c6b1..567c29ea 100644 --- a/config/suricata/suricata_rules.php +++ b/config/suricata/suricata_rules.php @@ -615,27 +615,27 @@ if ($savemsg) { src=\"../themes/{$g['theme']}/images/icons/{$iconb}\" width=\"11\" height=\"11\" border=\"0\" title='{$title}' name=\"toggle[]\"/>{$textse} - - - - - - - - + -- cgit v1.2.3 From 172270f302e2cdb0e0b6f7581152bc32befa99bc Mon Sep 17 00:00:00 2001 
From: bmeeks8 Date: Tue, 18 Mar 2014 12:51:13 -0400 Subject: Append time of day to GET request to work around browser caching. --- config/suricata/suricata_interfaces_edit.php | 1 + 1 file changed, 1 insertion(+) diff --git a/config/suricata/suricata_interfaces_edit.php b/config/suricata/suricata_interfaces_edit.php index 46d2aa1d..389566a2 100644 --- a/config/suricata/suricata_interfaces_edit.php +++ b/config/suricata/suricata_interfaces_edit.php @@ -890,6 +890,7 @@ function viewList(id, elemID, elemType) { } var url = "suricata_list_view.php?id=" + id + "&wlist="; url = url + getSelectedValue(elemID) + "&type=" + elemType; + url = url + "&time=" + new Date().getTime(); wopen(url, 'WhitelistViewer', 640, 480); } -- cgit v1.2.3
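Review bot: The `@@ -890,6 +890,7 @@` hunk adds a `&time=` cache-buster to the URL built in viewList(), which works, but the values already in that URL — `id`, `getSelectedValue(elemID)` and `elemType` — are concatenated without encoding, so a value containing `&`, `#` or a space would corrupt the query string. Wrapping each value is a one-line change, e.g. `url = url + encodeURIComponent(getSelectedValue(elemID)) + "&type=" + encodeURIComponent(elemType);`, with the same treatment for `id` on the line above. Alternatively, having suricata_list_view.php send `Cache-Control: no-cache` response headers would remove the need for a timestamp parameter in every caller. viewList() begins before this hunk.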
{$sid} {$supplink}{$protocol}{$source}{$destination}{$protocol}{$source}{$destination}{$flowbits}{$message}{$message}
+ +  
+ +
@@ -286,12 +313,20 @@ include_once("head.inc"); /> " . gettext("Not Checked") . ""; ?>
+ +  " . gettext("0.") . ""; ?> +
-   +  
{$alert_date}
{$alert_time}
{$alert_priority}{$alert_proto}{$alert_class}{$alert_ip_src}{$alert_src_p}{$alert_ip_dst}{$alert_dst_p}{$alert_sid_str}
{$sidsupplink}  {$sid_dsbl_link}
{$alert_date}
{$alert_time}
{$alert_priority}{$alert_proto}{$alert_class}{$alert_ip_src}{$alert_src_p}{$alert_ip_dst}{$alert_dst_p}{$alert_sid_str}
{$sidsupplink}  {$sid_dsbl_link}
{$alert_descr}
+ {$textss}{$gid}{$textse} + {$textss}{$sid}{$textse} + {$textss}{$protocol}{$textse} + {$srcspan}{$source} + {$srcprtspan}{$source_port} + {$dstspan}{$destination} + {$dstprtspan}{$destination_port} -- cgit v1.2.3 From 66712d6f4db59a164d74b35d5ae030d79bb86d7d Mon Sep 17 00:00:00 2001 From: bmeeks8 Date: Tue, 18 Mar 2014 12:48:55 -0400 Subject: Remove redundant JavaScript variable declarations. --- config/suricata/suricata_alerts.widget.php | 8 -------- 1 file changed, 8 deletions(-) diff --git a/config/suricata/suricata_alerts.widget.php b/config/suricata/suricata_alerts.widget.php index 6c30ecdc..21fad03d 100644 --- a/config/suricata/suricata_alerts.widget.php +++ b/config/suricata/suricata_alerts.widget.php @@ -173,13 +173,6 @@ function suricata_widget_get_alerts() { /* display the result */ ?> - -