From ce07b15de33b4847df5498f9bbae93e2b1e893ca Mon Sep 17 00:00:00 2001
From: bmeeks8 <bmeeks8@bellsouth.net>
Date: Wed, 27 Aug 2014 18:15:44 -0400
Subject: Improve HOME_NET and EXTERNAL_NET variable generation.

---
 config/suricata/suricata.inc                 | 36 ++++++++++++++++------------
 config/suricata/suricata_generate_yaml.php   |  6 ++---
 config/suricata/suricata_interfaces_edit.php |  6 ++++-
 config/suricata/suricata_list_view.php       |  5 ++++
 4 files changed, 34 insertions(+), 19 deletions(-)

(limited to 'config/suricata')

diff --git a/config/suricata/suricata.inc b/config/suricata/suricata.inc
index 2626f70a..59c620b4 100644
--- a/config/suricata/suricata.inc
+++ b/config/suricata/suricata.inc
@@ -257,7 +257,7 @@ function suricata_find_list($find_name, $type = 'passlist') {
 	return array();
 }
 
-function suricata_build_list($suricatacfg, $listname = "", $passlist = false) {
+function suricata_build_list($suricatacfg, $listname = "", $passlist = false, $externallist = false) {
 
 	/***********************************************************/
 	/* The default is to build a HOME_NET variable unless      */
@@ -267,9 +267,13 @@ function suricata_build_list($suricatacfg, $listname = "", $passlist = false) {
 	global $config, $g, $aliastable, $filterdns;
 	$home_net = array();
 
-	if ($listname == 'default' || empty($listname)) {
+	if (!$externallist && ($listname == 'default' || empty($listname))) {
 		$localnet = 'yes'; $wanip = 'yes'; $wangw = 'yes'; $wandns = 'yes'; $vips = 'yes'; $vpns = 'yes';
-	} else {
+	}
+	elseif ($externallist && $listname == 'default') {
+		return array( "any" );
+	}
+	else {
                 $list = suricata_find_list($listname);
                 if (empty($list))
                         return $list;
@@ -283,11 +287,13 @@ function suricata_build_list($suricatacfg, $listname = "", $passlist = false) {
 			$home_net = explode(" ", trim(filter_expand_alias($list['address'])));
 	}
 
-	// Always add loopback to HOME_NET and passlist (ftphelper)
-	if (!in_array("127.0.0.1", $home_net))
-		$home_net[] = "127.0.0.1";
-	if (!in_array("::1", $home_net))
-		$home_net[] = "::1";
+	// Always add loopback to HOME_NET and passlist
+	if (!externallist) {
+		if (!in_array("127.0.0.1", $home_net))
+			$home_net[] = "127.0.0.1";
+		if (!in_array("::1", $home_net))
+			$home_net[] = "::1";
+	}
 
 	/********************************************************************/
 	/* Always put the interface running Suricata in HOME_NET and        */
@@ -298,7 +304,7 @@ function suricata_build_list($suricatacfg, $listname = "", $passlist = false) {
 	/* IP for Suricata, though, to prevent locking out the firewall.    */
 	/********************************************************************/
 	$suricataip = get_interface_ip($suricatacfg['interface']);
-	if (!$passlist || $localnet == 'yes' || empty($localnet)) {
+	if (($externallist && $localnet == 'yes') || (!externallist && (!$passlist || $localnet == 'yes' || empty($localnet)))) {
 		if (is_ipaddr($suricataip)) {
 			if ($suricatacfg['interface'] <> "wan") {
 				$sn = get_interface_subnet($suricatacfg['interface']);
@@ -308,7 +314,7 @@ function suricata_build_list($suricatacfg, $listname = "", $passlist = false) {
 			}
 		}
 	}
-	else {
+	elseif (!externallist && $localnet != 'yes') {
 		if (is_ipaddr($suricataip)) {
 			if (!in_array($suricataip, $home_net))
 				$home_net[] = $suricataip;
@@ -319,7 +325,7 @@ function suricata_build_list($suricatacfg, $listname = "", $passlist = false) {
 	// Trim off the interface designation (e.g., %em1) if present
 	if (strpos($suricataip, "%") !== FALSE)
 		$suricataip = substr($suricataip, 0, strpos($suricataip, "%"));
-	if (!$passlist || $localnet == 'yes' || empty($localnet)) {
+	if (($externallist && $localnet == 'yes') || (!externallist && (!$passlist || $localnet == 'yes' || empty($localnet)))) {
 		if (is_ipaddrv6($suricataip)) {
 			if ($suricatacfg['interface'] <> "wan") {
 				$sn = get_interface_subnetv6($suricatacfg['interface']);
@@ -329,16 +335,16 @@ function suricata_build_list($suricatacfg, $listname = "", $passlist = false) {
 			}
 		}
 	}
-	else {
+	elseif (!externallist && $localnet != 'yes') {
 		if (is_ipaddrv6($suricataip)) {
 			if (!in_array($suricataip, $home_net))
 				$home_net[] = $suricataip;
 		}
 	}
 
-	// Add link-local address
+	// Add link-local address if user included locally-attached networks
 	$suricataip = get_interface_linklocal($suricatacfg['interface']);
-	if (!empty($suricataip)) {
+	if (!empty($suricataip) && $localnet == 'yes') {
 		// Trim off the interface designation (e.g., %em1) if present
 		if (strpos($suricataip, "%") !== FALSE)
 			$suricataip = substr($suricataip, 0, strpos($suricataip, "%"));
@@ -346,7 +352,7 @@ function suricata_build_list($suricatacfg, $listname = "", $passlist = false) {
 			$home_net[] = $suricataip;
 	}
 
-	if (!$passlist || $localnet == 'yes' || empty($localnet)) {		
+	if (($externallist && $localnet == 'yes') || (!externallist && (!$passlist || $localnet == 'yes' || empty($localnet)))) {		
 		/*************************************************************************/
 		/*  Iterate through the interface list and write out pass list items and */
 		/*  also compile a HOME_NET list of all local interfaces for suricata.   */
diff --git a/config/suricata/suricata_generate_yaml.php b/config/suricata/suricata_generate_yaml.php
index 91dc06a5..05d6dea8 100644
--- a/config/suricata/suricata_generate_yaml.php
+++ b/config/suricata/suricata_generate_yaml.php
@@ -68,11 +68,11 @@ foreach ($suricata_files as $file) {
 $home_net_list = suricata_build_list($suricatacfg, $suricatacfg['homelistname']);
 $home_net = implode(",", $home_net_list);
 $home_net = trim($home_net);
-$external_net = '!$HOME_NET';
+$external_net = 'any';
 if (!empty($suricatacfg['externallistname']) && $suricatacfg['externallistname'] != 'default') {
-	$external_net_list = suricata_build_list($suricatacfg, $suricatacfg['externallistname']);
+	$external_net_list = suricata_build_list($suricatacfg, $suricatacfg['externallistname'], false, true);
 	$external_net = implode(",", $external_net_list);
-	$external_net = trim($external_net);
+	$external_net = '[' . trim($external_net) . ']';
 }
 
 // Set the PASS LIST and write its contents to disk
diff --git a/config/suricata/suricata_interfaces_edit.php b/config/suricata/suricata_interfaces_edit.php
index 1bef338a..55c97efc 100644
--- a/config/suricata/suricata_interfaces_edit.php
+++ b/config/suricata/suricata_interfaces_edit.php
@@ -937,7 +937,11 @@ if ($savemsg) {
 						}
 					}
 				?>
-			</select>&nbsp;&nbsp;
+			</select>
+			&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<input type="button" class="formbtns" value="View List"  
+			onclick="viewList('<?=$id;?>','externallistname','externalnet')" id="btnExternalNet" 
+			title="<?php echo gettext("Click to view currently selected External Net contents"); ?>"/>
+			<br/>
 			<?php echo gettext("Choose the External Net you want this interface " .
 			"to use."); ?>&nbsp;<br/><br/>
 			<span class="red"><?php echo gettext("Note:"); ?></span>&nbsp;<?php echo gettext("Default " .
diff --git a/config/suricata/suricata_list_view.php b/config/suricata/suricata_list_view.php
index 722bf47a..dc5a2b04 100644
--- a/config/suricata/suricata_list_view.php
+++ b/config/suricata/suricata_list_view.php
@@ -58,6 +58,11 @@ if (isset($id) && isset($wlist)) {
 		$contents = str_replace("\r", "", base64_decode($list['suppresspassthru']));
 		$title = "Suppress List";
 	}
+	elseif ($type == "externalnet") {
+		$list = suricata_build_list($a_rule, $wlist, false, true);
+		$contents = implode("\n", $list);
+		$title = "EXTERNAL_NET";
+	}
 	else
 		$contents = gettext("\n\nERROR -- Requested List Type entity is not valid!");
 }
-- 
cgit v1.2.3