From 56f7c116d00eea10ef796ac41c477330a4d1daac Mon Sep 17 00:00:00 2001
From: bmeeks8 <bmeeks8@bellsouth.net>
Date: Mon, 1 Sep 2014 16:27:09 -0400
Subject: Include new 'dns-events.rules' file for Suricata 2.0.3

---
 config/suricata/dns-events.rules                    | 15 +++++++++++++++
 config/suricata/suricata.xml                        |  5 +++++
 config/suricata/suricata_check_for_rule_updates.php |  2 +-
 config/suricata/suricata_interfaces_edit.php        |  2 +-
 config/suricata/suricata_migrate_config.php         |  8 ++++++++
 config/suricata/suricata_post_install.php           |  5 +++++
 config/suricata/suricata_rulesets.php               |  2 +-
 7 files changed, 36 insertions(+), 3 deletions(-)
 create mode 100644 config/suricata/dns-events.rules

(limited to 'config/suricata')

diff --git a/config/suricata/dns-events.rules b/config/suricata/dns-events.rules
new file mode 100644
index 00000000..693f2f1b
--- /dev/null
+++ b/config/suricata/dns-events.rules
@@ -0,0 +1,15 @@
+# Response (answer) we didn't see a Request for. Could be packet loss.
+alert dns any any -> any any (msg:"SURICATA DNS Unsollicited response"; flow:to_client; app-layer-event:dns.unsollicited_response; sid:2240001; rev:1;)
+# Malformed data in request. Malformed means length fields are wrong, etc.
+alert dns any any -> any any (msg:"SURICATA DNS malformed request data"; flow:to_client; app-layer-event:dns.malformed_data; sid:2240002; rev:1;)
+alert dns any any -> any any (msg:"SURICATA DNS malformed response data"; flow:to_server; app-layer-event:dns.malformed_data; sid:2240003; rev:1;)
+# Response flag set on to_server packet
+alert dns any any -> any any (msg:"SURICATA DNS Not a request"; flow:to_server; app-layer-event:dns.not_a_request; sid:2240004; rev:1;)
+# Response flag not set on to_client packet
+alert dns any any -> any any (msg:"SURICATA DNS Not a response"; flow:to_client; app-layer-event:dns.not_a_response; sid:2240005; rev:1;)
+# Z flag (reserved) not 0
+alert dns any any -> any any (msg:"SURICATA DNS Z flag set"; app-layer-event:dns.z_flag_set; sid:2240006; rev:1;)
+# Request Flood Detected
+alert dns any any -> any any (msg:"SURICATA DNS request flood detected"; flow:to_server; app-layer-event:dns.flooded; sid:2240007; rev:1;)
+# Per-flow (state) memcap reached. Relates to the app-layer.protocols.dns.state-memcap setting.
+alert dns any any -> any any (msg:"SURICATA DNS flow memcap reached"; flow:to_server; app-layer-event:dns.state_memcap_reached; sid:2240008; rev:2;)
diff --git a/config/suricata/suricata.xml b/config/suricata/suricata.xml
index d5ea59ad..f9bbd379 100644
--- a/config/suricata/suricata.xml
+++ b/config/suricata/suricata.xml
@@ -107,6 +107,11 @@
 		<prefix>/usr/local/pkg/suricata/</prefix>
 		<chmod>0755</chmod>
 	</additional_files_needed>
+	<additional_files_needed>
+		<item>https://packages.pfsense.org/packages/config/suricata/dns-events.rules</item>
+		<prefix>/usr/local/pkg/suricata/</prefix>
+		<chmod>0755</chmod>
+	</additional_files_needed>
 	<additional_files_needed>
 		<item>https://packages.pfsense.org/packages/config/suricata/suricata_download_updates.php</item>
 		<prefix>/usr/local/www/suricata/</prefix>
diff --git a/config/suricata/suricata_check_for_rule_updates.php b/config/suricata/suricata_check_for_rule_updates.php
index 5e977f36..6a3e51f7 100644
--- a/config/suricata/suricata_check_for_rule_updates.php
+++ b/config/suricata/suricata_check_for_rule_updates.php
@@ -486,7 +486,7 @@ if ($emergingthreats == 'on') {
 		// The code below renames ET files with a prefix, so we
 		// skip renaming the Suricata default events rule files
 		// that are also bundled in the ET rules.
-		$default_rules = array( "decoder-events.rules", "files.rules", "http-events.rules", "smtp-events.rules", "stream-events.rules", "tls-events.rules" );
+		$default_rules = array( "decoder-events.rules", "dns-events.rules", "files.rules", "http-events.rules", "smtp-events.rules", "stream-events.rules", "tls-events.rules" );
 		$files = glob("{$tmpfname}/emerging/rules/*.rules");
 		// Determine the correct prefix to use based on which
 		// Emerging Threats rules package is enabled.
diff --git a/config/suricata/suricata_interfaces_edit.php b/config/suricata/suricata_interfaces_edit.php
index 55c97efc..a3b2e78a 100644
--- a/config/suricata/suricata_interfaces_edit.php
+++ b/config/suricata/suricata_interfaces_edit.php
@@ -399,7 +399,7 @@ if ($_POST["save"] && !$input_errors) {
 			$natent['libhtp_policy']['item'][] = $default;
 
 			// Enable the basic default rules for the interface
-			$natent['rulesets'] = "decoder-events.rules||files.rules||http-events.rules||smtp-events.rules||stream-events.rules||tls-events.rules";
+			$natent['rulesets'] = "decoder-events.rules||dns-events.rules||files.rules||http-events.rules||smtp-events.rules||stream-events.rules||tls-events.rules";
 
 			// Adding a new interface, so set flag to build new rules
 			$rebuild_rules = true;
diff --git a/config/suricata/suricata_migrate_config.php b/config/suricata/suricata_migrate_config.php
index 97e3cde6..abbdcf64 100644
--- a/config/suricata/suricata_migrate_config.php
+++ b/config/suricata/suricata_migrate_config.php
@@ -115,6 +115,14 @@ foreach ($rule as &$r) {
 		}
 	}
 
+	/***********************************************************/
+	/* Add the new 'dns-events.rules' file to the rulesets.    */
+	/***********************************************************/
+	if (strpos("dns-events.rules", $pconfig['rulesets']) === FALSE) {
+		$pconfig['rulesets'] = rtrim($pconfig['rulesets'], "||") . "||dns-events.rules";	
+		$updated_cfg = true;
+	}
+
 	/***********************************************************/
 	/* Add new HTTP Log Extended Info setting if not present   */
 	/***********************************************************/
diff --git a/config/suricata/suricata_post_install.php b/config/suricata/suricata_post_install.php
index 955751ad..47dd3ad7 100644
--- a/config/suricata/suricata_post_install.php
+++ b/config/suricata/suricata_post_install.php
@@ -112,6 +112,11 @@ safe_mkdir(SURICATALOGDIR);
 safe_mkdir(SID_MODS_PATH);
 safe_mkdir(IPREP_PATH);
 
+// Copy the new dns-events.rules file to the
+// Suricata directory if not already present.
+if (!file_exists(SURICATADIR . "rules/dns-events.rules"))
+	@copy("/usr/local/pkg/suricata/dns-events.rules", SURICATADIR . "rules/dns-events.rules");
+
 // remake saved settings
 if ($config['installedpackages']['suricata']['config'][0]['forcekeepsettings'] == 'on') {
 	log_error(gettext("[Suricata] Saved settings detected... rebuilding installation with saved settings..."));
diff --git a/config/suricata/suricata_rulesets.php b/config/suricata/suricata_rulesets.php
index 14da068e..ce32af20 100644
--- a/config/suricata/suricata_rulesets.php
+++ b/config/suricata/suricata_rulesets.php
@@ -47,7 +47,7 @@ $suricatadir = SURICATADIR;
 $flowbit_rules_file = FLOWBITS_FILENAME;
 
 // Array of default events rules for Suricata
-$default_rules = array( "decoder-events.rules", "files.rules", "http-events.rules", 
+$default_rules = array( "decoder-events.rules", "dns-events.rules", "files.rules", "http-events.rules", 
 			"smtp-events.rules", "stream-events.rules", "tls-events.rules" );
 
 if (!is_array($config['installedpackages']['suricata']['rule'])) {
-- 
cgit v1.2.3