From 99b5013e94ede6ab5f3dc16a5996d4ce1f1a52b3 Mon Sep 17 00:00:00 2001 From: bmeeks8 Date: Wed, 14 May 2014 14:06:09 -0400 Subject: Use system functions where possible & omit deletion of suricata user. --- config/suricata/suricata_uninstall.php | 7 ++----- 1 file changed, 2 insertions(+), 5 deletions(-) (limited to 'config/suricata') diff --git a/config/suricata/suricata_uninstall.php b/config/suricata/suricata_uninstall.php index 2317578e..2a82e473 100644 --- a/config/suricata/suricata_uninstall.php +++ b/config/suricata/suricata_uninstall.php @@ -58,7 +58,7 @@ killbyname("suricata"); sleep(1); // Delete any leftover suricata PID files in /var/run -array_map('@unlink', glob("/var/run/suricata_*.pid")); +unlink_if_exists("{$g['varrun_path']}/suricata_*.pid"); /* Make sure all active Barnyard2 processes are terminated */ /* Log a message only if a running process is detected */ @@ -68,10 +68,7 @@ killbyname("barnyard2"); sleep(1); // Delete any leftover barnyard2 PID files in /var/run -array_map('@unlink', glob("/var/run/barnyard2_*.pid")); - -/* Remove the suricata user and group */ -mwexec('/usr/sbin/pw userdel suricata; /usr/sbin/pw groupdel suricata', true); +unlink_if_exists("{$g['varrun_path']}/barnyard2_*.pid"); /* Remove the Suricata cron jobs. */ install_cron_job("/usr/bin/nice -n20 /usr/local/bin/php -f /usr/local/www/suricata/suricata_check_for_rule_updates.php", false); -- cgit v1.2.3 From d8921424a0431833d0f12ade382a2d36d4983470 Mon Sep 17 00:00:00 2001 From: bmeeks8 Date: Wed, 14 May 2014 14:41:52 -0400 Subject: Fix-up call-time pass-by-reference use for PHP 5.5 --- config/suricata/suricata_passlist_edit.php | 7 ++++++- config/suricata/suricata_suppress_edit.php | 7 ++++++- 2 files changed, 12 insertions(+), 2 deletions(-) (limited to 'config/suricata') diff --git a/config/suricata/suricata_passlist_edit.php b/config/suricata/suricata_passlist_edit.php index 35c7b66e..437ae9a8 100644 --- a/config/suricata/suricata_passlist_edit.php +++ b/config/suricata/suricata_passlist_edit.php @@ -114,7 +114,12 @@ if ($_POST['save']) { /* input validation */ $reqdfields = explode(" ", "name"); $reqdfieldsn = explode(",", "Name"); - do_input_validation($_POST, $reqdfields, $reqdfieldsn, &$input_errors); + + $pf_version=substr(trim(file_get_contents("/etc/version")),0,3); + if ($pf_version < 2.1) + $input_errors = eval('do_input_validation($_POST, $reqdfields, $reqdfieldsn, &$input_errors); return $input_errors;'); + else + do_input_validation($_POST, $reqdfields, $reqdfieldsn, $input_errors); if(strtolower($_POST['name']) == "defaultpasslist") $input_errors[] = gettext("Pass List file names may not be named defaultpasslist."); diff --git a/config/suricata/suricata_suppress_edit.php b/config/suricata/suricata_suppress_edit.php index a46e9e99..d4549e56 100644 --- a/config/suricata/suricata_suppress_edit.php +++ b/config/suricata/suricata_suppress_edit.php @@ -88,7 +88,12 @@ if ($_POST['save']) { $reqdfields = explode(" ", "name"); $reqdfieldsn = array("Name"); - do_input_validation($_POST, $reqdfields, $reqdfieldsn, &$input_errors); + + $pf_version=substr(trim(file_get_contents("/etc/version")),0,3); + if ($pf_version < 2.1) + $input_errors = eval('do_input_validation($_POST, $reqdfields, $reqdfieldsn, &$input_errors); return $input_errors;'); + else + do_input_validation($_POST, $reqdfields, $reqdfieldsn, $input_errors); if(strtolower($_POST['name']) == "defaultwhitelist") $input_errors[] = "Whitelist file names may not be named defaultwhitelist."; -- cgit v1.2.3 From 0bab9a3ac108381f4b7308c1e2968dc3fe48db39 Mon Sep 17 00:00:00 2001 From: bmeeks8 Date: Wed, 14 May 2014 14:46:11 -0400 Subject: Fix copy-paste typo in code ported over from Snort pkg. --- config/suricata/suricata_alerts.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'config/suricata') diff --git a/config/suricata/suricata_alerts.php b/config/suricata/suricata_alerts.php index 07e4eb1f..2f0f114f 100644 --- a/config/suricata/suricata_alerts.php +++ b/config/suricata/suricata_alerts.php @@ -410,7 +410,7 @@ if ($savemsg) { "/>    /> + /> ', '', '', ''); ?>    ', '', '', ''); ?> -- cgit v1.2.3 From 2d30e78dba257910ad69e4a3cb043c2a97704266 Mon Sep 17 00:00:00 2001 From: bmeeks8 Date: Wed, 14 May 2014 14:55:39 -0400 Subject: Test for 2.2 install, adjust conf file path accordingly. --- config/suricata/suricata.inc | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) (limited to 'config/suricata') diff --git a/config/suricata/suricata.inc b/config/suricata/suricata.inc index c767f2d0..6f0bdc8f 100644 --- a/config/suricata/suricata.inc +++ b/config/suricata/suricata.inc @@ -60,7 +60,12 @@ define('SURICATA_PKG_VER', $suricata_package_version); define('SURICATA_PF_TABLE', 'snort2c'); // Create some other useful defines -define('SURICATADIR', '/usr/pbi/suricata-' . php_uname("m") . '/etc/suricata/'); +$pf_version=substr(trim(file_get_contents("/etc/version")),0,3); +if ($pf_version >= 2.2) + define('SURICATADIR', '/usr/pbi/suricata-' . php_uname("m") . '/local/etc/suricata/'); +else + define('SURICATADIR', '/usr/pbi/suricata-' . php_uname("m") . '/etc/suricata/'); + define('SURICATALOGDIR', '/var/log/suricata/'); define('RULES_UPD_LOGFILE', SURICATALOGDIR . 'suricata_rules_update.log'); define('ENFORCING_RULES_FILENAME', 'suricata.rules'); -- cgit v1.2.3 From 7bd64136fd373b22cd57e73f000aa9a95afee750 Mon Sep 17 00:00:00 2001 From: bmeeks8 Date: Wed, 14 May 2014 15:02:47 -0400 Subject: Use system vars where possible; bump GUI config version. --- config/suricata/suricata_post_install.php | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) (limited to 'config/suricata') diff --git a/config/suricata/suricata_post_install.php b/config/suricata/suricata_post_install.php index c44b392f..eb193d58 100644 --- a/config/suricata/suricata_post_install.php +++ b/config/suricata/suricata_post_install.php @@ -60,14 +60,14 @@ if(is_process_running("suricata")) { killbyname("suricata"); sleep(2); // Delete any leftover suricata PID files in /var/run - unlink_if_exists("/var/run/suricata_*.pid"); + unlink_if_exists("{$g['varrun_path']}/suricata_*.pid"); } // Hard kill any running Barnyard2 processes if(is_process_running("barnyard")) { killbyname("barnyard2"); sleep(2); // Delete any leftover barnyard2 PID files in /var/run - unlink_if_exists("/var/run/barnyard2_*.pid"); + unlink_if_exists("{$g['varrun_path']}/barnyard2_*.pid"); } // Set flag for post-install in progress @@ -148,7 +148,7 @@ if ($config['installedpackages']['suricata']['config'][0]['forcekeepsettings'] = } // Update Suricata package version in configuration -$config['installedpackages']['suricata']['config'][0]['suricata_config_ver'] = "v1.0.1"; +$config['installedpackages']['suricata']['config'][0]['suricata_config_ver'] = "v1.0.2"; write_config(); // Done with post-install, so clear flag -- cgit v1.2.3 From 6bb8f2645df25737dc48c14bf99fffbd0305add6 Mon Sep 17 00:00:00 2001 From: bmeeks8 Date: Wed, 14 May 2014 15:12:16 -0400 Subject: Fix typo in new alert-pf blocking plugin name. --- config/suricata/suricata_yaml_template.inc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'config/suricata') diff --git a/config/suricata/suricata_yaml_template.inc b/config/suricata/suricata_yaml_template.inc index c20ca8db..44fd1d5f 100644 --- a/config/suricata/suricata_yaml_template.inc +++ b/config/suricata/suricata_yaml_template.inc @@ -29,7 +29,7 @@ default-log-dir: {$suricatalogdir}suricata_{$if_real}{$suricata_uuid} # Configure the type of alert (and other) logging. outputs: - # alert_pf blocking plugin + # alert-pf blocking plugin - alert-pf: enabled: {$suri_blockoffenders} kill-state: {$suri_killstates} -- cgit v1.2.3 From 8a90a221025cd200222b1c9e90311c90d0da4fa8 Mon Sep 17 00:00:00 2001 From: bmeeks8 Date: Thu, 15 May 2014 13:29:50 -0400 Subject: Add DUP capability to create new Suricata instance based on existing one. --- config/suricata/suricata_interfaces.php | 45 ++++++++++++++++++++--- config/suricata/suricata_interfaces_edit.php | 55 ++++++++++++++++++++++++++-- 2 files changed, 90 insertions(+), 10 deletions(-) (limited to 'config/suricata') diff --git a/config/suricata/suricata_interfaces.php b/config/suricata/suricata_interfaces.php index 26d57b71..205a872b 100644 --- a/config/suricata/suricata_interfaces.php +++ b/config/suricata/suricata_interfaces.php @@ -57,6 +57,10 @@ if (!is_array($config['installedpackages']['suricata']['rule'])) $a_nat = &$config['installedpackages']['suricata']['rule']; $id_gen = count($config['installedpackages']['suricata']['rule']); +// Get list of configured firewall interfaces +$ifaces = get_configured_interface_list(); + + if ($_POST['del_x']) { /* delete selected interfaces */ if (is_array($_POST['rule'])) { @@ -207,9 +211,22 @@ include_once("head.inc"); - - + + + + + + + + + + + " + onclick="return intf_del()"> + @@ -342,7 +359,15 @@ include_once("head.inc"); + width="17" height="17" border="0" title=""> + + + + + + @@ -354,8 +379,16 @@ include_once("head.inc");   - - + + + + + + + +
" method="post" name="iform" id="iform"> + + + -- cgit v1.2.3 From 1400477cf28f995d8410763d258b2e83dab0295a Mon Sep 17 00:00:00 2001 From: bmeeks8 Date: Thu, 15 May 2014 14:44:45 -0400 Subject: Change "Snort" to "Suricata" in comment line for sid-msg.map file. --- config/suricata/suricata.inc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'config/suricata') diff --git a/config/suricata/suricata.inc b/config/suricata/suricata.inc index 6f0bdc8f..89bb572f 100644 --- a/config/suricata/suricata.inc +++ b/config/suricata/suricata.inc @@ -938,7 +938,7 @@ function suricata_build_sid_msg_map($rules_path, $sid_file) { natcasesort($sidMap); // Now print the result to the supplied file - @file_put_contents($sid_file, "#v2\n# sid-msg.map file auto-generated by Snort.\n\n"); + @file_put_contents($sid_file, "#v2\n# sid-msg.map file auto-generated by Suricata.\n\n"); @file_put_contents($sid_file, array_values($sidMap), FILE_APPEND); } -- cgit v1.2.3 From 722547921de086254b8fd5b2e458c95d1bb68c96 Mon Sep 17 00:00:00 2001 From: bmeeks8 Date: Thu, 15 May 2014 15:08:17 -0400 Subject: Bump Suricata GUI pkg to version 1.0.2 --- config/suricata/suricata.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'config/suricata') diff --git a/config/suricata/suricata.xml b/config/suricata/suricata.xml index 1a64d619..a2acd49e 100644 --- a/config/suricata/suricata.xml +++ b/config/suricata/suricata.xml @@ -51,7 +51,7 @@ Suricata IDS/IPS Package None suricata - 1.4.6 pkg v1.0 + 1.4.6 pkg v1.0.2 Services: Suricata IDS /usr/local/pkg/suricata/suricata.inc -- cgit v1.2.3 From 59ed3438729fd56452f58a0f79f0c288db982ac3 Mon Sep 17 00:00:00 2001 From: bmeeks8 Date: Tue, 20 May 2014 08:59:44 -0400 Subject: Fix file browser vulnerability on LOGS BROWSER tab. --- config/suricata/suricata_logs_browser.php | 15 ++++++++------- 1 file changed, 8 insertions(+), 7 deletions(-) (limited to 'config/suricata') diff --git a/config/suricata/suricata_logs_browser.php b/config/suricata/suricata_logs_browser.php index 04edf373..566ab93f 100644 --- a/config/suricata/suricata_logs_browser.php +++ b/config/suricata/suricata_logs_browser.php @@ -55,21 +55,22 @@ $suricata_uuid = $a_instance[$instanceid]['uuid']; $if_real = get_real_interface($a_instance[$instanceid]['interface']); // Construct a pointer to the instance's logging subdirectory -$suricatalogdir = SURICATALOGDIR . "suricata_{$if_real}{$suricata_uuid}"; +$suricatalogdir = SURICATALOGDIR . "suricata_{$if_real}{$suricata_uuid}/"; -$logfile = $_POST['file']; +// Limit all file access to just the currently selected interface's logging subdirectory +$logfile = htmlspecialchars($suricatalogdir . basename($_POST['file'])); if ($_POST['action'] == 'load') { - if(!is_file($_POST['file'])) { + if(!is_file($logfile)) { echo "|3|" . gettext("Log file does not exist or that logging feature is not enabled") . ".|"; } else { - $data = file_get_contents($_POST['file']); + $data = file_get_contents($logfile); if($data === false) { echo "|1|" . gettext("Failed to read log file") . ".|"; } else { $data = base64_encode($data); - echo "|0|{$_POST['file']}|{$data}|"; + echo "|0|{$logfile}|{$data}|"; } } exit; @@ -180,7 +181,7 @@ if ($input_errors) { $selected = ""; if ($log == basename($logfile)) $selected = "selected"; - echo "\n"; + echo "\n"; } ?>    @@ -222,7 +223,7 @@ if ($input_errors) {
"/> -
- + -- cgit v1.2.3 From 2cd38ef500629821e72ddbce30c4bbd54ca201aa Mon Sep 17 00:00:00 2001 From: bmeeks8 Date: Tue, 20 May 2014 09:36:35 -0400 Subject: Need to include "instance" val in $_POST data for Ajax. --- config/suricata/suricata_logs_browser.php | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) (limited to 'config/suricata') diff --git a/config/suricata/suricata_logs_browser.php b/config/suricata/suricata_logs_browser.php index 566ab93f..b949b499 100644 --- a/config/suricata/suricata_logs_browser.php +++ b/config/suricata/suricata_logs_browser.php @@ -48,6 +48,8 @@ elseif (isset($_GET['instance']) && is_numericint($_GET['instance'])) if (empty($instanceid)) $instanceid = 0; +log_error("Instance ID: {$instanceid}"); + if (!is_array($config['installedpackages']['suricata']['rule'])) $config['installedpackages']['suricata']['rule'] = array(); $a_instance = $config['installedpackages']['suricata']['rule']; @@ -102,7 +104,7 @@ if ($input_errors) { jQuery.ajax( "", { type: 'POST', - data: "action=load&file=" + jQuery("#logFile").val(), + data: "instance=" + jQuery("#instance").val() + "&action=load&file=" + jQuery("#logFile").val(), complete: loadComplete } ); -- cgit v1.2.3 From 9bc3ab11bf16b35875baa0dae75996ab3c8775a2 Mon Sep 17 00:00:00 2001 From: bmeeks8 Date: Tue, 20 May 2014 09:44:41 -0400 Subject: Remove debugging line inadvertently left in. --- config/suricata/suricata_logs_browser.php | 2 -- 1 file changed, 2 deletions(-) (limited to 'config/suricata') diff --git a/config/suricata/suricata_logs_browser.php b/config/suricata/suricata_logs_browser.php index b949b499..cbe5ee7b 100644 --- a/config/suricata/suricata_logs_browser.php +++ b/config/suricata/suricata_logs_browser.php @@ -48,8 +48,6 @@ elseif (isset($_GET['instance']) && is_numericint($_GET['instance'])) if (empty($instanceid)) $instanceid = 0; -log_error("Instance ID: {$instanceid}"); - if (!is_array($config['installedpackages']['suricata']['rule'])) $config['installedpackages']['suricata']['rule'] = array(); $a_instance = $config['installedpackages']['suricata']['rule']; -- cgit v1.2.3 From 97e0eebfbdaa33bd2e7fbf674da94998abf81ced Mon Sep 17 00:00:00 2001 From: bmeeks8 Date: Tue, 20 May 2014 10:54:12 -0400 Subject: Do not provide default value for Barnyard2 sensor name. --- config/suricata/suricata_barnyard.php | 2 -- 1 file changed, 2 deletions(-) (limited to 'config/suricata') diff --git a/config/suricata/suricata_barnyard.php b/config/suricata/suricata_barnyard.php index d4afe4f4..c7488fe4 100644 --- a/config/suricata/suricata_barnyard.php +++ b/config/suricata/suricata_barnyard.php @@ -86,8 +86,6 @@ if (isset($id) && $a_nat[$id]) { $pconfig['barnyard_bro_ids_dport'] = "47760"; if (empty($a_nat[$id]['barnyard_sensor_id'])) $pconfig['barnyard_sensor_id'] = "0"; - if (empty($a_nat[$id]['barnyard_sensor_name'])) - $pconfig['barnyard_sensor_name'] = php_uname("n"); } if ($_POST['save']) { -- cgit v1.2.3