From 93b31c59eaa2dbde1720fa85ee42c53b46db2cab Mon Sep 17 00:00:00 2001 From: bmeeks8 Date: Sat, 30 Aug 2014 12:22:42 -0400 Subject: Suricata prefers CIDR masks on HOME_NET and EXTERNAL_NET addresses. --- config/suricata/suricata.inc | 70 +++++++++++++++--------------- config/suricata/suricata_generate_yaml.php | 10 ++++- config/suricata/suricata_list_view.php | 15 +++++-- 3 files changed, 56 insertions(+), 39 deletions(-) (limited to 'config/suricata') diff --git a/config/suricata/suricata.inc b/config/suricata/suricata.inc index 14b9ecd4..ca4ade1c 100644 --- a/config/suricata/suricata.inc +++ b/config/suricata/suricata.inc @@ -270,9 +270,6 @@ function suricata_build_list($suricatacfg, $listname = "", $passlist = false, $e if (!$externallist && ($listname == 'default' || empty($listname))) { $localnet = 'yes'; $wanip = 'yes'; $wangw = 'yes'; $wandns = 'yes'; $vips = 'yes'; $vpns = 'yes'; } - elseif ($externallist && $listname == 'default') { - return array( "!\$HOME_NET" ); - } else { $list = suricata_find_list($listname); if (empty($list)) @@ -289,10 +286,10 @@ function suricata_build_list($suricatacfg, $listname = "", $passlist = false, $e // Always add loopback to HOME_NET and passlist if (!$externallist) { - if (!in_array("127.0.0.1", $home_net)) - $home_net[] = "127.0.0.1"; - if (!in_array("::1", $home_net)) - $home_net[] = "::1"; + if (!in_array("127.0.0.1/32", $home_net)) + $home_net[] = "127.0.0.1/32"; + if (!in_array("::1/128", $home_net)) + $home_net[] = "::1/128"; } /********************************************************************/ 
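Review bot: With the `elseif ($externallist && $listname == 'default')` early return removed, a call such as `suricata_build_list($cfg, 'default', false, true)` now falls into the `else` branch and `suricata_find_list('default')`; what the empty-list path then returns is outside this hunk, so any caller that still asks for the default external list gets that result instead of a negated HOME_NET. The two callers changed in this commit avoid that case, but the function itself no longer says so. I would add a comment above the `if`, such as `// NOTE: the 'default' EXTERNAL_NET (negated HOME_NET) is built by the callers; this function only resolves named external lists`, or move the negation into this function so both callers share one implementation. suricata_build_list continues outside the hunk.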
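Review bot: The `in_array()` dedupe now compares against the suffixed form (`127.0.0.1/32`, `::1/128`), so a bare `127.0.0.1` or `::1` already present in a user-defined list is no longer recognised as a duplicate and both spellings end up in HOME_NET; the same applies to every `/32` and `/128` hunk below (-315, -337, -348, -388 and -414). If the entries that reach `$home_net` before this point are not already normalised, normalising them once where the list is read would be more robust than comparing suffixed strings at each insertion. `in_array()` should also be called with `true` as its third argument, e.g. `if (!in_array("127.0.0.1/32", $home_net, true))`, so the comparison is always strict.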
@@ -305,7 +302,7 @@ function suricata_build_list($suricatacfg, $listname = "", $passlist = false, $e /********************************************************************/ $suricataip = get_interface_ip($suricatacfg['interface']); if (($externallist && $localnet == 'yes') || (!$externallist && (!$passlist || $localnet == 'yes' || empty($localnet)))) { - if (is_ipaddr($suricataip)) { + if (is_ipaddrv4($suricataip)) { if ($suricatacfg['interface'] <> "wan") { $sn = get_interface_subnet($suricatacfg['interface']); $ip = gen_subnet($suricataip, $sn) . "/{$sn}"; @@ -315,12 +312,13 @@ function suricata_build_list($suricatacfg, $listname = "", $passlist = false, $e } } elseif (!$externallist && $localnet != 'yes') { - if (is_ipaddr($suricataip)) { - if (!in_array($suricataip, $home_net)) - $home_net[] = $suricataip; + if (is_ipaddrv4($suricataip)) { + if (!in_array($suricataip . "/32", $home_net)) + $home_net[] = $suricataip . "/32"; } } + // Grab the IPv6 address if we have one assigned $suricataip = get_interface_ipv6($suricatacfg['interface']); // Trim off the interface designation (e.g., %em1) if present if (strpos($suricataip, "%") !== FALSE) @@ -337,8 +335,8 @@ function suricata_build_list($suricatacfg, $listname = "", $passlist = false, $e } elseif (!$externallist && $localnet != 'yes') { if (is_ipaddrv6($suricataip)) { - if (!in_array($suricataip, $home_net)) - $home_net[] = $suricataip; + if (!in_array($suricataip . "/128", $home_net)) + $home_net[] = $suricataip . "/128"; } } 
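Review bot: The `is_ipaddrv4()` test followed by `$suricataip . "/32"` (and its IPv6 twin with `/128` in the hunk at -337) is the same three-line pattern that recurs in the hunks at -348, -388 and -414; a small helper that appends the host mask for whichever family the address belongs to would remove the repetition and the risk of pairing a suffix with the wrong family. The insertion would then read `$home_net[] = suricata_host_cidr($suricataip);` with the helper doing `return is_ipaddrv6($ip) ? $ip . "/128" : $ip . "/32";` after the existing family check, still guarded by the same `in_array()` test. The added `// Grab the IPv6 address if we have one assigned` comment is useful; the IPv4 branch above would benefit from a matching one. suricata_build_list continues on both sides of these hunks.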
@@ -348,8 +346,8 @@ function suricata_build_list($suricatacfg, $listname = "", $passlist = false, $e // Trim off the interface designation (e.g., %em1) if present if (strpos($suricataip, "%") !== FALSE) $suricataip = substr($suricataip, 0, strpos($suricataip, "%")); - if (!in_array($suricataip, $home_net)) - $home_net[] = $suricataip; + if (!in_array($suricataip . "/128", $home_net)) + $home_net[] = $suricataip . "/128"; } if (($$externallist && $localnet == 'yes') || (!$externallist && (!$passlist || $localnet == 'yes' || empty($localnet)))) { @@ -364,7 +362,7 @@ function suricata_build_list($suricatacfg, $listname = "", $passlist = false, $e if ($int == "wan") continue; $subnet = get_interface_ip($int); - if (is_ipaddr($subnet)) { + if (is_ipaddrv4($subnet)) { $sn = get_interface_subnet($int); $ip = gen_subnet($subnet, $sn) . "/{$sn}"; if (!in_array($ip, $home_net)) @@ -388,25 +386,25 @@ function suricata_build_list($suricatacfg, $listname = "", $passlist = false, $e // Trim off the interface designation (e.g., %em1) if present if (strpos($suricataip, "%") !== FALSE) $suricataip = substr($suricataip, 0, strpos($suricataip, "%")); - if (!in_array($suricataip, $home_net)) - $home_net[] = $suricataip; + if (!in_array($suricataip . "/128", $home_net)) + $home_net[] = $suricataip . "/128"; } } } if ($wanip == 'yes') { $ip = get_interface_ip("wan"); - if (is_ipaddr($ip)) { - if (!in_array($ip, $home_net)) - $home_net[] = $ip; + if (is_ipaddrv4($ip)) { + if (!in_array($ip . "/32", $home_net)) + $home_net[] = $ip . "/32"; } $ip = get_interface_ipv6("wan"); // Trim off the interface designation (e.g., %em1) if present if (strpos($ip, "%") !== FALSE) $ip = substr($ip, 0, strpos($ip, "%")); if (is_ipaddrv6($ip)) { - if (!in_array($ip, $home_net)) - $home_net[] = $ip; + if (!in_array($ip . "/128", $home_net)) + $home_net[] = $ip . "/128"; } // Explicitly grab the WAN Link-Local address $ip = get_interface_linklocal("wan"); 
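Review bot: The context line `if (($$externallist && $localnet == 'yes') || ...` directly below the changed lines uses a variable-variable (`$$externallist`), which looks up a variable named after the string form of the boolean rather than the `$externallist` flag itself, so that half of the condition can never be true and the block that follows is skipped for external lists. It should read `if (($externallist && $localnet == 'yes') || (!$externallist && (!$passlist || $localnet == 'yes' || empty($localnet)))) {`, matching the same condition in the hunk at -305. This is pre-existing, but the commit touches the adjacent lines, so this is the natural place to fix it. The enclosing function continues outside the hunk.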
@@ -414,35 +412,39 @@ function suricata_build_list($suricatacfg, $listname = "", $passlist = false, $e // Trim off the interface designation (e.g., %em1) if present if (strpos($ip, "%") !== FALSE) $ip = substr($ip, 0, strpos($ip, "%")); - if (!in_array($ip, $home_net)) - $home_net[] = $ip; + if (!in_array($ip . "/128", $home_net)) + $home_net[] = $ip . "/128"; } } if ($wangw == 'yes') { // Grab the default gateway if set $default_gw = exec("/sbin/route -n get default |grep 'gateway:' | /usr/bin/awk '{ print $2 }'"); - if (is_ipaddr($default_gw) && !in_array($default_gw, $home_net)) - $home_net[] = $default_gw; - if (is_ipaddrv6($default_gw) && !in_array($default_gw, $home_net)) - $home_net[] = $default_gw; + if (is_ipaddrv4($default_gw) && !in_array($default_gw . "/32", $home_net)) + $home_net[] = $default_gw . "/32"; + if (is_ipaddrv6($default_gw) && !in_array($default_gw . "/128", $home_net)) + $home_net[] = $default_gw . "/128"; // Get any other interface gateway and put in $HOME_NET if not there already $gw = get_interface_gateway($suricatacfg['interface']); - if (is_ipaddr($gw) && !in_array($gw, $home_net)) - $home_net[] = $gw; + if (is_ipaddrv4($gw) && !in_array($gw . "/32", $home_net)) + $home_net[] = $gw . "/32"; $gw = get_interface_gateway_v6($suricatacfg['interface']); // Trim off the interface designation (e.g., %em1) if present if (strpos($gw, "%") !== FALSE) $gw = substr($gw, 0, strpos($gw, "%")); - if (is_ipaddrv6($gw) && !in_array($gw, $home_net)) - $home_net[] = $gw; + if (is_ipaddrv6($gw) && !in_array($gw . "/128", $home_net)) + $home_net[] = $gw . "/128"; } if ($wandns == 'yes') { // Add DNS server for WAN interface to Pass List $dns_servers = get_dns_servers(); foreach ($dns_servers as $dns) { + if (is_ipaddrv4($dns)) + $dns .= "/32"; + elseif (is_addrv6($dns)) + $dns .= "/128"; if ($dns && !in_array($dns, $home_net)) $home_net[] = $dns; } 
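Review bot: `elseif (is_addrv6($dns))` in the DNS loop calls a function that appears nowhere else on this page; every other IPv6 test in the file is `is_ipaddrv6()`, so unless `is_addrv6()` is defined elsewhere this is a fatal undefined-function error the first time `get_dns_servers()` returns an entry that is not an IPv4 address, which would abort the whole list build. The line should be `elseif (is_ipaddrv6($dns))`. The `/32` on the default gateway and `/128` on the IPv6 gateways in the same hunk are consistent with the earlier hunks. suricata_build_list continues past the end of the hunk.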
@@ -460,7 +462,7 @@ function suricata_build_list($suricatacfg, $listname = "", $passlist = false, $e } } - // grab a list of vpns and whitelist if user desires + // Grab a list of vpns enabled - these come back as CIDR mask networks if ($vpns == 'yes') { $vpns_list = filter_get_vpns_list(); if (!empty($vpns_list)) { diff --git a/config/suricata/suricata_generate_yaml.php b/config/suricata/suricata_generate_yaml.php index 7c0a7bdd..0715471d 100644 --- a/config/suricata/suricata_generate_yaml.php +++ b/config/suricata/suricata_generate_yaml.php @@ -68,11 +68,17 @@ foreach ($suricata_files as $file) { $home_net_list = suricata_build_list($suricatacfg, $suricatacfg['homelistname']); $home_net = implode(",", $home_net_list); $home_net = trim($home_net); -$external_net = '!$HOME_NET'; +$external_net = ""; if (!empty($suricatacfg['externallistname']) && $suricatacfg['externallistname'] != 'default') { $external_net_list = suricata_build_list($suricatacfg, $suricatacfg['externallistname'], false, true); $external_net = implode(",", $external_net_list); - $external_net = '[' . trim($external_net) . ']'; + $external_net = "[" . trim($external_net) . "]"; +} +else { + $external_net = "["; + foreach ($home_net_list as $ip) + $external_net .= "!{$ip},"; + $external_net = trim($external_net, ', ') . "]"; } // Set the PASS LIST and write its contents to disk diff --git a/config/suricata/suricata_list_view.php b/config/suricata/suricata_list_view.php index dc5a2b04..ec335abd 100644 --- a/config/suricata/suricata_list_view.php +++ b/config/suricata/suricata_list_view.php @@ -42,7 +42,7 @@ $type = htmlspecialchars($_GET['type']); $title = "List"; if (isset($id) && isset($wlist)) { - $a_rule = $config['installedpackages']['suricataglobal']['rule'][$id]; + $a_rule = $config['installedpackages']['suricata']['rule'][$id]; if ($type == "homenet") { $list = suricata_build_list($a_rule, $wlist); $contents = implode("\n", $list); 
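Review bot: The new `else` branch in suricata_generate_yaml.php builds EXTERNAL_NET by hand (`foreach`, string append, `trim`), and the hunk at -59 in suricata_list_view.php repeats the same negation with a different separator; both would be simpler and stay in sync with a small helper in suricata.inc (say `suricata_negate_list($list)`, returning each entry prefixed with `!`), so this line becomes `$external_net = "[" . implode(",", suricata_negate_list($home_net_list)) . "]";`. The `$external_net = "";` initialisation is now dead, since both branches assign it. If `$home_net_list` were ever empty the result is `[]`, which is not a usable address group; the loopback entries appear to be added unconditionally in suricata_build_list, so a guard is only needed if that guarantee does not hold.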
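Review bot: `$a_rule = $config['installedpackages']['suricata']['rule'][$id];` now reads the right config section, but nothing visible checks that the entry exists: `$id` appears to come from the request (its source is outside the hunk), and a value that does not index a rule leaves `$a_rule` null, after which `suricata_build_list($a_rule, $wlist)` runs against an empty configuration. Guarding the lookup, e.g. `if (isset($id) && isset($wlist) && isset($config['installedpackages']['suricata']['rule'][$id])) {`, keeps the view from building lists for a rule that is not there.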
@@ -59,8 +59,17 @@ if (isset($id) && isset($wlist)) { $title = "Suppress List"; } elseif ($type == "externalnet") { - $list = suricata_build_list($a_rule, $wlist, false, true); - $contents = implode("\n", $list); + if ($wlist == "default") { + $list = suricata_build_list($a_rule, $a_rule['homelistname']); + $contents = ""; + foreach ($list as $ip) + $contents .= "!{$ip}\n"; + $contents = trim($contents, "\n"); + } + else { + $list = suricata_build_list($a_rule, $wlist, false, true); + $contents = implode("\n", $list); + } $title = "EXTERNAL_NET"; } else -- cgit v1.2.3
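Review bot: The `default` handling here only triggers on `$wlist == "default"`, whereas suricata_generate_yaml.php treats an empty `externallistname` the same as `default`; with `$wlist` empty (it passes the `isset()` guard) this view calls `suricata_build_list($a_rule, "", false, true)`, which after the change in suricata.inc no longer returns `!$HOME_NET`, so the page would show a different EXTERNAL_NET than the one written to the YAML. Matching the generator with `if ($wlist == "default" || empty($wlist)) {` keeps the two in step. `$wlist` is assigned outside the hunk, so whether an empty value can reach this point is inferred.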