From 6c0d365bdb5f4e4fdc2bf57561178573be5a36cc Mon Sep 17 00:00:00 2001 From: bmeeks8 Date: Tue, 26 Aug 2014 21:39:21 -0400 Subject: Upgrade Suricata to 2.0.3 and GUI package to v2.0 --- config/suricata/suricata_rulesets.php | 267 +++++++++++++++++++++------------- 1 file changed, 164 insertions(+), 103 deletions(-) (limited to 'config/suricata/suricata_rulesets.php') diff --git a/config/suricata/suricata_rulesets.php b/config/suricata/suricata_rulesets.php index c939ef25..14da068e 100644 --- a/config/suricata/suricata_rulesets.php +++ b/config/suricata/suricata_rulesets.php @@ -63,15 +63,12 @@ if (is_null($id)) $id = 0; if (isset($id) && $a_nat[$id]) { - $pconfig['enable'] = $a_nat[$id]['enable']; - $pconfig['interface'] = $a_nat[$id]['interface']; - $pconfig['rulesets'] = $a_nat[$id]['rulesets']; - $pconfig['autoflowbitrules'] = $a_nat[$id]['autoflowbitrules']; + $pconfig['autoflowbits'] = $a_nat[$id]['autoflowbitrules']; $pconfig['ips_policy_enable'] = $a_nat[$id]['ips_policy_enable']; $pconfig['ips_policy'] = $a_nat[$id]['ips_policy']; } -$if_real = get_real_interface($pconfig['interface']); +$if_real = get_real_interface($a_nat[$id]['interface']); $suricata_uuid = $a_nat[$id]['uuid']; $snortdownload = $config['installedpackages']['suricata']['config'][0]['enable_vrt_rules'] == 'on' ? 'on' : 'off'; $emergingdownload = $config['installedpackages']['suricata']['config'][0]['enable_etopen_rules'] == 'on' ? 'on' : 'off'; @@ -81,6 +78,8 @@ $snortcommunitydownload = $config['installedpackages']['suricata']['config'][0][ $no_emerging_files = false; $no_snort_files = false; +$enabled_rulesets_array = explode("||", $a_nat[$id]['rulesets']); + /* Test rule categories currently downloaded to $SURICATADIR/rules and set appropriate flags */ if ($emergingdownload == 'on') { $test = glob("{$suricatadir}rules/" . ET_OPEN_FILE_PREFIX . "*.rules"); 
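Review bot: `$if_real = get_real_interface($a_nat[$id]['interface']);` and the new `$enabled_rulesets_array = explode("||", $a_nat[$id]['rulesets']);` in the second hunk both read `$a_nat[$id]` outside the `isset($id) && $a_nat[$id]` guard, so when the index has no entry (the `is_null($id)` fallback to `0` does not guarantee one exists) the page is built for an empty interface and rule set instead of stopping; where `$id` originates is above the hunk and not visible here. Now that `$pconfig['interface']` and `$pconfig['rulesets']` are no longer populated from the entry, the guard protects nothing that the later code relies on, so I would make it an early exit, e.g. `if (!is_array($a_nat[$id])) { header('Location: ' . $interfacesListPage /* placeholder */); exit; }`, before any `$a_nat[$id][...]` access. The same unguarded read reappears in `convert_friendly_interface_to_friendly_descr($a_nat[$id]['interface'])` in the @@ -232 hunk.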
@@ -147,81 +146,73 @@ if ($_POST["save"]) { @unlink("{$suricatadir}suricata_{$suricata_uuid}_{$if_real}/rules/{$flowbit_rules_file}"); } - write_config(); + write_config("Suricata pkg: save enabled rule categories for {$a_nat[$id]['interface']}."); /*************************************************/ /* Update the suricata.yaml file and rebuild the */ /* rules for this interface. */ /*************************************************/ $rebuild_rules = true; + conf_mount_rw(); suricata_generate_yaml($a_nat[$id]); + conf_mount_ro(); $rebuild_rules = false; /* Signal Suricata to "live reload" the rules */ suricata_reload_config($a_nat[$id]); + + $pconfig = $_POST; + $enabled_rulesets_array = explode("||", $enabled_items); + if (suricata_is_running($suricata_uuid, $if_real)) + $savemsg = gettext("Suricata is 'live-loading' the new rule set on this interface."); } elseif ($_POST['unselectall']) { // Remove all but the default events and files rules - $a_nat[$id]['rulesets'] = implode("||", $default_rules); - - if ($_POST['ips_policy_enable'] == "on") { - $a_nat[$id]['ips_policy_enable'] = 'on'; - $a_nat[$id]['ips_policy'] = $_POST['ips_policy']; - } - else { - $a_nat[$id]['ips_policy_enable'] = 'off'; - unset($a_nat[$id]['ips_policy']); - } + $enabled_rulesets_array = array(); + $enabled_rulesets_array = implode("||", $default_rules); - write_config(); - sync_suricata_package_config(); + $savemsg = gettext("All rule categories have been de-selected. 
"); + if ($_POST['ips_policy_enable']) + $savemsg .= gettext("Only the rules included in the selected IPS Policy will be used."); + else + $savemsg .= gettext("There currently are no inspection rules enabled for this Suricata instance!"); } elseif ($_POST['selectall']) { // Start with the required default events and files rules - $rulesets = $default_rules; - - if ($_POST['ips_policy_enable'] == "on") { - $a_nat[$id]['ips_policy_enable'] = 'on'; - $a_nat[$id]['ips_policy'] = $_POST['ips_policy']; - } - else { - $a_nat[$id]['ips_policy_enable'] = 'off'; - unset($a_nat[$id]['ips_policy']); - } + $enabled_rulesets_array = $default_rules; if ($emergingdownload == 'on') { $files = glob("{$suricatadir}rules/" . ET_OPEN_FILE_PREFIX . "*.rules"); foreach ($files as $file) - $rulesets[] = basename($file); + $enabled_rulesets_array[] = basename($file); } elseif ($etpro == 'on') { $files = glob("{$suricatadir}rules/" . ET_PRO_FILE_PREFIX . "*.rules"); foreach ($files as $file) - $rulesets[] = basename($file); + $enabled_rulesets_array[] = basename($file); } if ($snortcommunitydownload == 'on') { $files = glob("{$suricatadir}rules/" . GPL_FILE_PREFIX . "community.rules"); foreach ($files as $file) - $rulesets[] = basename($file); + $enabled_rulesets_array[] = basename($file); } /* Include the Snort VRT rules only if enabled and no IPS policy is set */ - if ($snortdownload == 'on' && $a_nat[$id]['ips_policy_enable'] == 'off') { + if ($snortdownload == 'on' && empty($_POST['ips_policy_enable'])) { $files = glob("{$suricatadir}rules/" . VRT_FILE_PREFIX . "*.rules"); foreach ($files as $file) - $rulesets[] = basename($file); + $enabled_rulesets_array[] = basename($file); } - - $a_nat[$id]['rulesets'] = implode("||", $rulesets); - - write_config(); - sync_suricata_package_config(); } +// Get any automatic rule category enable/disable modifications +// if auto-SID Mgmt is enabled. 
+$cat_mods = suricata_sid_mgmt_auto_categories($a_nat[$id], FALSE); + // See if we have any Auto-Flowbit rules and enable // the VIEW button if we do. -if ($a_nat[$id]['autoflowbitrules'] == 'on') { +if ($pconfig['autoflowbits'] == 'on') { if (file_exists("{$suricatadir}suricata_{$suricata_uuid}_{$if_real}/rules/{$flowbit_rules_file}") && filesize("{$suricatadir}suricata_{$suricata_uuid}_{$if_real}/rules/{$flowbit_rules_file}") > 0) { $btn_view_flowb_rules = " title=\"" . gettext("View flowbit-required rules") . "\""; @@ -232,9 +223,7 @@ if ($a_nat[$id]['autoflowbitrules'] == 'on') { else $btn_view_flowb_rules = " disabled"; -$enabled_rulesets_array = explode("||", $a_nat[$id]['rulesets']); - -$if_friendly = convert_friendly_interface_to_friendly_descr($pconfig['interface']); +$if_friendly = convert_friendly_interface_to_friendly_descr($a_nat[$id]['interface']); $pgtitle = gettext("Suricata IDS: Interface {$if_friendly} - Categories"); include_once("head.inc"); ?> @@ -258,18 +247,21 @@ if ($savemsg) {
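Review bot: In the `unselectall` branch, `$enabled_rulesets_array = implode("||", $default_rules);` leaves the variable as a string, while every other path (`explode(...)` on save, `$default_rules` in `selectall`, the `explode` at the top of the page) leaves it an array; the rendering code below tests `is_array($enabled_rulesets_array)` and, inside the new `$cat_mods` branch, calls `in_array($file, $enabled_rulesets_array)` unconditionally, so after Unselect All the default categories are not shown as checked and `in_array` receives a string for any auto-managed category. Replace the two assignments with `$enabled_rulesets_array = $default_rules;` (the preceding `= array();` is then dead). Separately, `$pconfig = $_POST;` on the save path copies the raw request into the array the rest of the page renders from; that is fine for the `$pconfig['autoflowbits'] == 'on'` test, but any `$pconfig` value echoed into the markup further down (not visible in this hunk) must go through `htmlspecialchars()`. `$enabled_items` used in the new `explode` call is assigned above the hunk.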
+'; echo ' - - - - - - + + + + + + + + +
'; @@ -289,6 +281,7 @@ if ($savemsg) {
+ +
- +
+ - @@ -349,8 +344,9 @@ if ($savemsg) { - @@ -392,15 +391,27 @@ if ($savemsg) { + - + + + + + + + + + + + + + - - @@ -438,19 +463,19 @@ if ($savemsg) { ?> - + - + - + - + - + \n"; if (!empty($emergingrules[$j])) { $file = $emergingrules[$j]; - echo "\n"; echo "\n"; echo "\n"; } ?> -

+ + @@ -340,6 +334,7 @@ if ($savemsg) { " . gettext("Note: ") . "" . gettext("Auto-enabled rules generating unwanted alerts should have their GID:SID added to the Suppression List for the interface."); ?>
+
/> + />   

+ + - + + + - + +
@@ -365,7 +361,9 @@ if ($savemsg) { "although Emerging Threats categories may still be selected if enabled on the Global Settings tab. " . "These will be added to the pre-defined Snort IPS policy rules from the Snort VRT."); ?>
  
 
- - - - - - +
"/>"/>"/>
+ + + + + + + + + + + +
"/>"/>"/>
+     + +
+
+ " />
+ " />
+
+ />
"; + echo ""; if(is_array($enabled_rulesets_array)) { - if(in_array($file, $enabled_rulesets_array)) + if(in_array($file, $enabled_rulesets_array) && !isset($cat_mods[$file])) $CHECKED = " checked=\"checked\""; else $CHECKED = ""; } else $CHECKED = ""; - echo " \n\n"; + if (isset($cat_mods[$file])) { + if (in_array($file, $enabled_rulesets_array)) + echo "\n"; + if ($cat_mods[$file] == 'enabled') { + $CHECKED = "enabled"; + echo " \n\n"; + } + else { + echo " \n\n"; + } + } + else { + echo " \n\n"; + } echo "\n"; if (empty($CHECKED)) @@ -503,17 +541,30 @@ if ($savemsg) { if (!empty($snortrules[$j])) { $file = $snortrules[$j]; - echo ""; + echo ""; if(is_array($enabled_rulesets_array)) { if (!empty($disable_vrt_rules)) $CHECKED = $disable_vrt_rules; - elseif(in_array($file, $enabled_rulesets_array)) + elseif(in_array($file, $enabled_rulesets_array) && !isset($cat_mods[$file])) $CHECKED = " checked=\"checked\""; else $CHECKED = ""; } else $CHECKED = ""; - echo " \n\n"; + if (isset($cat_mods[$file])) { + if (in_array($file, $enabled_rulesets_array)) + echo "\n"; + if ($cat_mods[$file] == 'enabled') { + $CHECKED = "enabled"; + echo " \n\n"; + } + else { + echo " \n\n"; + } + } + else { + echo " \n\n"; + } echo "\n"; if (empty($CHECKED) || $CHECKED == "disabled") @@ -526,21 +577,30 @@ if ($savemsg) { echo "
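Review bot: The new auto-SID rendering block (`if (isset($cat_mods[$file])) { … }` with its three `echo` forms and the `$CHECKED = "enabled";` assignment) is repeated verbatim in the Emerging Threats hunk (@@ -438) and the Snort VRT hunk (@@ -503), and the @@ -526 hunk appears to start a third copy; factoring it into one small function that takes `$file`, `$enabled_rulesets_array`, `$cat_mods` and the pre-computed `$CHECKED` and returns the cell markup would keep the enabled/disabled presentation consistent across the tables when it changes again. Both `in_array($file, $enabled_rulesets_array)` calls in each copy should use a strict compare, `in_array($file, $enabled_rulesets_array, true)`, since the entries are file names from `explode` and loose comparison buys nothing. `$CHECKED = "enabled";` also overloads the variable that otherwise holds the `checked="checked"` attribute fragment with a status token that the later `$CHECKED == "disabled"` test depends on; a separate `$state` variable would make the two roles explicit.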
+
 
- "/>

+ +
+ +

+ "/>
+
Date: Mon, 1 Sep 2014 16:27:09 -0400 Subject: Include new 'dns-events.rules' file for Suricata 2.0.3 --- config/suricata/suricata_rulesets.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'config/suricata/suricata_rulesets.php') diff --git a/config/suricata/suricata_rulesets.php b/config/suricata/suricata_rulesets.php index 14da068e..ce32af20 100644 --- a/config/suricata/suricata_rulesets.php +++ b/config/suricata/suricata_rulesets.php @@ -47,7 +47,7 @@ $suricatadir = SURICATADIR; $flowbit_rules_file = FLOWBITS_FILENAME; // Array of default events rules for Suricata -$default_rules = array( "decoder-events.rules", "files.rules", "http-events.rules", +$default_rules = array( "decoder-events.rules", "dns-events.rules", "files.rules", "http-events.rules", "smtp-events.rules", "stream-events.rules", "tls-events.rules" ); if (!is_array($config['installedpackages']['suricata']['rule'])) { -- cgit v1.2.3