From afba4e722681c35163ec48b7cacffa8b8cb88e5f Mon Sep 17 00:00:00 2001
From: bmeeks8
Date: Wed, 22 Jul 2015 20:31:30 -0400
Subject: Add new feature to hide deprecated rules categories in GUI.
---
 config/suricata/deprecated_rules | 63 ++++++++++++++++++++
 config/suricata/suricata.inc | 67 ++++++++++++++++++++++
 config/suricata/suricata.xml | 5 ++
 .../suricata/suricata_check_for_rule_updates.php | 6 ++
 config/suricata/suricata_global.php | 15 +++++
 config/suricata/suricata_migrate_config.php | 8 +++
 config/suricata/suricata_post_install.php | 4 ++
 7 files changed, 168 insertions(+)
 create mode 100644 config/suricata/deprecated_rules
(limited to 'config/suricata')
diff --git a/config/suricata/deprecated_rules b/config/suricata/deprecated_rules
new file mode 100644
index 00000000..42dd6386
--- /dev/null
+++ b/config/suricata/deprecated_rules
@@ -0,0 +1,63 @@
+#
+# Obsoleted Snort VRT rule categories
+#
+snort_attack-responses.rules
+snort_backdoor.rules
+snort_bad-traffic.rules
+snort_botnet-cnc.rules
+snort_chat.rules
+snort_ddos.rules
+snort_dns.rules
+snort_dos.rules
+snort_experimental.rules
+snort_exploit.rules
+snort_finger.rules
+snort_ftp.rules
+snort_icmp-info.rules
+snort_icmp.rules
+snort_imap.rules
+snort_info.rules
+snort_misc.rules
+snort_multimedia.rules
+snort_mysql.rules
+snort_nntp.rules
+snort_oracle.rules
+snort_other-ids.rules
+snort_p2p.rules
+snort_phishing-spam.rules
+snort_policy.rules
+snort_pop2.rules
+snort_pop3.rules
+snort_rpc.rules
+snort_rservices.rules
+snort_scada.rules
+snort_scan.rules
+snort_shellcode.rules
+snort_smtp.rules
+snort_snmp.rules
+snort_specific-threats.rules
+snort_spyware-put.rules
+snort_telnet.rules
+snort_tftp.rules
+snort_virus.rules
+snort_voip.rules
+snort_web-activex.rules
+snort_web-attacks.rules
+snort_web-cgi.rules
+snort_web-client.rules
+snort_web-coldfusion.rules
+snort_web-frontpage.rules
+snort_web-iis.rules
+snort_web-misc.rules
+snort_web-php.rules
+#
+# Obsoleted Emerging Threats Categories
+#
+emerging-rbn-malvertisers.rules
+emerging-rbn.rules
+#
+# Obsoleted Emerging Threats PRO Categories
+#
+etpro-rbn-malvertisers.rules
+etpro-rbn.rules
+
diff --git a/config/suricata/suricata.inc b/config/suricata/suricata.inc
index 73208f61..1c21181b 100644
--- a/config/suricata/suricata.inc
+++ b/config/suricata/suricata.inc
@@ -3231,6 +3231,73 @@ function suricata_generate_yaml($suricatacfg) { unset($suricata_conf_text); } +function suricata_remove_dead_rules() { + + /*********************************************************/ + /* This function removes dead and deprecated rules */ + /* category files from the base Suricata rules directory */ + /* and from the RULESETS setting of each interface. */ + /* The file "deprecated_rules", if it exists, is used */ + /* to determine which rules files to remove. */ + /*********************************************************/ + + global $config, $g; + $rulesdir = SURICATADIR . "rules/"; + $count = 0; + $cats = array(); + + // If there is no "deprecated_rules" file, then exit + if (!file_exists("{$rulesdir}deprecated_rules")) + return; + + // Open a SplFileObject to read in deprecated rules + $file = new SplFileObject("{$rulesdir}deprecated_rules"); + $file->setFlags(SplFileObject::READ_AHEAD | SplFileObject::SKIP_EMPTY | SplFileObject::DROP_NEW_LINE); + while (!$file->eof()) { + $line = $file->fgets(); + + // Skip any lines with just spaces + if (trim($line) == "") + continue; + + // Skip any comment lines starting with '#' + if (preg_match('/^\s*\#+/', $line)) + continue; + + $cats[] = $line; + } + + // Close the SplFileObject since we are finished with it + $file = null; + + // Delete any dead rules files from the Suricata RULES directory + foreach ($cats as $file) { + if (file_exists("{$rulesdir}{$file}")) + $count++; + unlink_if_exists("{$rulesdir}{$file}"); + } + + // Log how many obsoleted files were removed + log_error(gettext("[Suricata] Removed {$count} obsoleted rules category files.")); + + // Now remove any dead rules files from the interface configurations + if (!empty($cats) && is_array($config['installedpackages']['suricata']['rule'])) { + foreach ($config['installedpackages']['suricata']['rule'] as &$iface) { + $enabled_rules = explode("||", $iface['rulesets']); + foreach ($enabled_rules as $k => $v) { + foreach ($cats as $d) { + 
if (strpos(trim($v), $d) !== false) + unset($enabled_rules[$k]); + } + } + $iface['rulesets'] = implode("||", $enabled_rules); + } + } + + // Clean up + unset($cats, $enabled_rules); +} + /* Uses XMLRPC to synchronize the changes to a remote node */ function suricata_sync_on_changes() { global $config, $g; diff --git a/config/suricata/suricata.xml b/config/suricata/suricata.xml index 91708672..c4eef31a 100644 --- a/config/suricata/suricata.xml +++ b/config/suricata/suricata.xml @@ -122,6 +122,11 @@ /usr/local/pkg/suricata/ 0755 + + https://packages.pfsense.org/packages/config/suricata/deprecated_rules + /usr/local/pkg/suricata/ + 0755 + https://packages.pfsense.org/packages/config/suricata/suricata_download_updates.php /usr/local/www/suricata/ diff --git a/config/suricata/suricata_check_for_rule_updates.php b/config/suricata/suricata_check_for_rule_updates.php index 0fa4fb2d..9360d464 100644 --- a/config/suricata/suricata_check_for_rule_updates.php +++ b/config/suricata/suricata_check_for_rule_updates.php @@ -604,6 +604,12 @@ if ($snortcommunityrules == 'on') { } } +// If removing deprecated rules categories, then do it +if ($config['installedpackages']['suricata']['config'][0]['hide_deprecated_rules'] == "on") { + log_error(gettext("[Suricata] Hide Deprecated Rules is enabled. Removing obsoleted rules categories.")); + suricata_remove_dead_rules(); +} + function suricata_apply_customizations($suricatacfg, $if_real) { global $vrt_enabled, $rebuild_rules; diff --git a/config/suricata/suricata_global.php b/config/suricata/suricata_global.php index 8eea8d2d..013cde3e 100644 --- a/config/suricata/suricata_global.php +++ b/config/suricata/suricata_global.php 
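Review bot: The ruleset comparison `if (strpos(trim($v), $d) !== false)` in suricata_remove_dead_rules() is a substring test, so an enabled category whose name merely contains a deprecated one would also be dropped from the interface; an exact test `if (trim($v) === $d)` matches the intent, and storing `$cats[] = trim($line);` keeps stray whitespace in deprecated_rules from defeating the match. Every entry is also handed to unlink_if_exists() under $rulesdir, so it is worth rejecting anything that is not a bare file name before use, e.g. `if (basename($line) !== $line) continue;`, so that a malformed list cannot touch paths outside the rules directory. `$file` first holds the SplFileObject and is then reused as the loop variable in `foreach ($cats as $file)`; a separate name such as `$cat` reads more clearly. The log call `gettext("[Suricata] Removed {$count} obsoleted rules category files.")` interpolates into the msgid so it can never match a catalog entry; `log_error(sprintf(gettext("[Suricata] Removed %d obsoleted rules category files."), $count));` keeps it translatable.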
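Review bot: The added enable check, log line and suricata_remove_dead_rules() call are duplicated verbatim in suricata_global.php (its `// If deprecated rules should be removed, then do it` block), which leaves two places to keep in step when the message or condition changes. Reading the `hide_deprecated_rules` flag and logging inside suricata_remove_dead_rules() itself, or in one shared wrapper, would let both call sites reduce to a single call. The `== "on"` comparison is loose but consistent with the surrounding settings code, so it is only worth tightening to `=== 'on'` if the file moves to strict comparisons as a whole.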
@@ -67,6 +67,7 @@ else { $pconfig['snortcommunityrules'] = $config['installedpackages']['suricata']['config'][0]['snortcommunityrules']; $pconfig['snort_rules_file'] = $config['installedpackages']['suricata']['config'][0]['snort_rules_file']; $pconfig['autogeoipupdate'] = $config['installedpackages']['suricata']['config'][0]['autogeoipupdate']; + $pconfig['hide_deprecated_rules'] = $config['installedpackages']['suricata']['config'][0]['hide_deprecated_rules'] == "on" ? 'on' : 'off'; } // Do input validation on parameters @@ -99,6 +100,7 @@ if (!$input_errors) { $config['installedpackages']['suricata']['config'][0]['enable_etopen_rules'] = $_POST['enable_etopen_rules'] ? 'on' : 'off'; $config['installedpackages']['suricata']['config'][0]['enable_etpro_rules'] = $_POST['enable_etpro_rules'] ? 'on' : 'off'; $config['installedpackages']['suricata']['config'][0]['autogeoipupdate'] = $_POST['autogeoipupdate'] ? 'on' : 'off'; + $config['installedpackages']['suricata']['config'][0]['hide_deprecated_rules'] = $_POST['hide_deprecated_rules'] ? 'on' : 'off'; // If any rule sets are being turned off, then remove them // from the active rules section of each interface. Start @@ -135,6 +137,12 @@ if (!$input_errors) { } } + // If deprecated rules should be removed, then do it + if ($config['installedpackages']['suricata']['config'][0]['hide_deprecated_rules'] == "on") { + log_error(gettext("[Suricata] Hide Deprecated Rules is enabled. Removing obsoleted rules categories.")); + suricata_remove_dead_rules(); + } + $config['installedpackages']['suricata']['config'][0]['snort_rules_file'] = $_POST['snort_rules_file']; $config['installedpackages']['suricata']['config'][0]['oinkcode'] = $_POST['oinkcode']; $config['installedpackages']['suricata']['config'][0]['etprocode'] = $_POST['etprocode']; @@ -328,6 +336,13 @@ if ($input_errors) + + + /> +   " . gettext("Not Checked") . "" . gettext("."); ?> + 
diff --git a/config/suricata/suricata_migrate_config.php b/config/suricata/suricata_migrate_config.php index 384033b3..2fd5f96e 100644 --- a/config/suricata/suricata_migrate_config.php +++ b/config/suricata/suricata_migrate_config.php @@ -94,6 +94,14 @@ if (empty($config['installedpackages']['suricata']['config'][0]['et_iqrisk_enabl $updated_cfg = true; } +/**********************************************************/ +/* Create new HIDE_DEPRECATED_RULES setting if not set */ +/**********************************************************/ +if (empty($config['installedpackages']['suricata']['config'][0]['hide_deprecated_rules'])) { + $config['installedpackages']['suricata']['config'][0]['hide_deprecated_rules'] = "off"; + $updated_cfg = true; +} + /**********************************************************/ /* Set default log size and retention limits if not set */ /**********************************************************/ diff --git a/config/suricata/suricata_post_install.php b/config/suricata/suricata_post_install.php index aec8983e..3931d682 100644 --- a/config/suricata/suricata_post_install.php +++ b/config/suricata/suricata_post_install.php @@ -130,6 +130,10 @@ if ($config['installedpackages']['suricata']['config'][0]['et_iqrisk_enable'] == install_cron_job("/usr/bin/nice -n20 /usr/local/bin/php -f /usr/local/pkg/suricata/suricata_etiqrisk_update.php", TRUE, 0, "*/6", "*", "*", "*", "root"); } +// Move deprecated_rules file to SURICATADIR/rules directory +@rename("/usr/local/pkg/suricata/deprecated_rules", "{$suricatadir}rules/deprecated_rules"); + + /*********************************************************/ /* START OF BUG FIX CODE */ /* */ -- cgit v1.2.3
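Review bot: `@rename(...)` hides the failure case, so if `{$suricatadir}rules/` is not present yet or the move fails for another reason, deprecated_rules stays under /usr/local/pkg/suricata and suricata_remove_dead_rules() later returns silently from its file_exists() check, leaving the feature inert with nothing in the log. Checking the result, `if (!@rename("/usr/local/pkg/suricata/deprecated_rules", "{$suricatadir}rules/deprecated_rules")) log_error(gettext("[Suricata] Failed to move deprecated_rules into the rules directory."));`, makes that condition visible to the operator. $suricatadir is presumably assigned earlier in this file; that assignment is outside the hunk.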