From ce07b15de33b4847df5498f9bbae93e2b1e893ca Mon Sep 17 00:00:00 2001
From: bmeeks8
Date: Wed, 27 Aug 2014 18:15:44 -0400
Subject: Improve HOME_NET and EXTERNAL_NET variable generation.
---
 config/suricata/suricata.inc | 36 ++++++++++++++++------------
 config/suricata/suricata_generate_yaml.php | 6 ++---
 config/suricata/suricata_interfaces_edit.php | 6 ++++-
 config/suricata/suricata_list_view.php | 5 ++++
 4 files changed, 34 insertions(+), 19 deletions(-)
(limited to 'config/suricata')
diff --git a/config/suricata/suricata.inc b/config/suricata/suricata.inc
index 2626f70a..59c620b4 100644
--- a/config/suricata/suricata.inc
+++ b/config/suricata/suricata.inc
@@ -257,7 +257,7 @@ function suricata_find_list($find_name, $type = 'passlist') {
 return array();
 }
-function suricata_build_list($suricatacfg, $listname = "", $passlist = false) {
+function suricata_build_list($suricatacfg, $listname = "", $passlist = false, $externallist = false) {
 /***********************************************************/
 /* The default is to build a HOME_NET variable unless */
@@ -267,9 +267,13 @@ function suricata_build_list($suricatacfg, $listname = "", $passlist = false) {
 global $config, $g, $aliastable, $filterdns;
 $home_net = array();
- if ($listname == 'default' || empty($listname)) {
+ if (!$externallist && ($listname == 'default' || empty($listname))) {
 $localnet = 'yes'; $wanip = 'yes'; $wangw = 'yes'; $wandns = 'yes'; $vips = 'yes'; $vpns = 'yes';
- } else {
+ }
+ elseif ($externallist && $listname == 'default') {
+ return array( "any" );
+ }
+ else {
 $list = suricata_find_list($listname);
 if (empty($list))
 return $list;
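Review bot: The new fourth parameter `$externallist` changes what `$listname == 'default'` means (it now short-circuits to `array( "any" )` instead of building the local-interface set), but the header comment that begins at `/* The default is to build a HOME_NET variable unless */` is not extended to say so, and callers pass it as a bare positional boolean. I would add a line to that comment block, `/* If $externallist is true, build an EXTERNAL_NET list instead: 'default' yields "any" and loopback is never added. */`, so the next reader does not have to trace the flag through the body. The comment block and the rest of suricata_build_list continue outside this hunk.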
@@ -283,11 +287,13 @@ function suricata_build_list($suricatacfg, $listname = "", $passlist = false) {
 $home_net = explode(" ", trim(filter_expand_alias($list['address'])));
 }
- // Always add loopback to HOME_NET and passlist (ftphelper)
- if (!in_array("127.0.0.1", $home_net))
- $home_net[] = "127.0.0.1";
- if (!in_array("::1", $home_net))
- $home_net[] = "::1";
+ // Always add loopback to HOME_NET and passlist
+ if (!externallist) {
+ if (!in_array("127.0.0.1", $home_net))
+ $home_net[] = "127.0.0.1";
+ if (!in_array("::1", $home_net))
+ $home_net[] = "::1";
+ }
 /********************************************************************/
 /* Always put the interface running Suricata in HOME_NET and */
@@ -298,7 +304,7 @@ function suricata_build_list($suricatacfg, $listname = "", $passlist = false) {
 /* IP for Suricata, though, to prevent locking out the firewall. */
 /********************************************************************/
 $suricataip = get_interface_ip($suricatacfg['interface']);
- if (!$passlist || $localnet == 'yes' || empty($localnet)) {
+ if (($externallist && $localnet == 'yes') || (!externallist && (!$passlist || $localnet == 'yes' || empty($localnet)))) {
 if (is_ipaddr($suricataip)) {
 if ($suricatacfg['interface'] <> "wan") {
 $sn = get_interface_subnet($suricatacfg['interface']);
@@ -308,7 +314,7 @@ function suricata_build_list($suricatacfg, $listname = "", $passlist = false) {
 }
 }
 }
- else {
+ elseif (!externallist && $localnet != 'yes') {
 if (is_ipaddr($suricataip)) {
 if (!in_array($suricataip, $home_net))
 $home_net[] = $suricataip;
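Review bot: `if (!externallist) {` in the loopback hunk references `externallist` without the `$` sigil, so PHP reads it as a constant rather than the new parameter; the same slip is in the `(!externallist && (...))` condition of the `@@ -298,7` hunk and the `elseif (!externallist && $localnet != 'yes')` of the `@@ -308,7` hunk, and again in the `@@ -319,7`, `@@ -329,16` and `@@ -346,7` hunks of suricata.inc. On PHP 5 an undefined constant evaluates to its own name as a string (with a notice), which is truthy, so `!externallist` is always false: loopback is never added, and for a HOME_NET build (`$externallist === false`) neither the interface-subnet branch nor the interface-IP branch runs, which silently shrinks HOME_NET and with it the scope of every `$HOME_NET` rule; on PHP 8 the same code is a fatal undefined-constant error. Every occurrence should read `$externallist`, e.g. `if (!$externallist) {`. suricata_build_list begins and ends outside these hunks.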
@@ -319,7 +325,7 @@ function suricata_build_list($suricatacfg, $listname = "", $passlist = false) {
 // Trim off the interface designation (e.g., %em1) if present
 if (strpos($suricataip, "%") !== FALSE)
 $suricataip = substr($suricataip, 0, strpos($suricataip, "%"));
- if (!$passlist || $localnet == 'yes' || empty($localnet)) {
+ if (($externallist && $localnet == 'yes') || (!externallist && (!$passlist || $localnet == 'yes' || empty($localnet)))) {
 if (is_ipaddrv6($suricataip)) {
 if ($suricatacfg['interface'] <> "wan") {
 $sn = get_interface_subnetv6($suricatacfg['interface']);
@@ -329,16 +335,16 @@ function suricata_build_list($suricatacfg, $listname = "", $passlist = false) {
 }
 }
 }
- else {
+ elseif (!externallist && $localnet != 'yes') {
 if (is_ipaddrv6($suricataip)) {
 if (!in_array($suricataip, $home_net))
 $home_net[] = $suricataip;
 }
 }
- // Add link-local address
+ // Add link-local address if user included locally-attached networks
 $suricataip = get_interface_linklocal($suricatacfg['interface']);
- if (!empty($suricataip)) {
+ if (!empty($suricataip) && $localnet == 'yes') {
 // Trim off the interface designation (e.g., %em1) if present
 if (strpos($suricataip, "%") !== FALSE)
 $suricataip = substr($suricataip, 0, strpos($suricataip, "%"));
@@ -346,7 +352,7 @@ function suricata_build_list($suricatacfg, $listname = "", $passlist = false) {
 $home_net[] = $suricataip;
 }
- if (!$passlist || $localnet == 'yes' || empty($localnet)) {
+ if (($externallist && $localnet == 'yes') || (!externallist && (!$passlist || $localnet == 'yes' || empty($localnet)))) {
 /*************************************************************************/
 /* Iterate through the interface list and write out pass list items and */
 /* also compile a HOME_NET list of all local interfaces for suricata. */
diff --git a/config/suricata/suricata_generate_yaml.php b/config/suricata/suricata_generate_yaml.php
index 91dc06a5..05d6dea8 100644
--- a/config/suricata/suricata_generate_yaml.php
+++ b/config/suricata/suricata_generate_yaml.php
@@ -68,11 +68,11 @@ foreach ($suricata_files as $file) {
 $home_net_list = suricata_build_list($suricatacfg, $suricatacfg['homelistname']);
 $home_net = implode(",", $home_net_list);
 $home_net = trim($home_net);
-$external_net = '!$HOME_NET';
+$external_net = 'any';
 if (!empty($suricatacfg['externallistname']) && $suricatacfg['externallistname'] != 'default') {
- $external_net_list = suricata_build_list($suricatacfg, $suricatacfg['externallistname']);
+ $external_net_list = suricata_build_list($suricatacfg, $suricatacfg['externallistname'], false, true);
 $external_net = implode(",", $external_net_list);
- $external_net = trim($external_net);
+ $external_net = '[' . trim($external_net) . ']';
 }
 // Set the PASS LIST and write its contents to disk
diff --git a/config/suricata/suricata_interfaces_edit.php b/config/suricata/suricata_interfaces_edit.php
index 1bef338a..55c97efc 100644
--- a/config/suricata/suricata_interfaces_edit.php
+++ b/config/suricata/suricata_interfaces_edit.php
@@ -937,7 +937,11 @@ if ($savemsg) {
 }
 }
 ?>
-    
+
+      "/>
+
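Review bot: `$external_net = '[' . trim($external_net) . ']';` brackets whatever the builder returned, so when `$external_net_list` comes back empty (suricata_build_list returns `$list` unchanged when suricata_find_list finds nothing, as the earlier hunk in suricata.inc shows) EXTERNAL_NET becomes the literal `[]` instead of the `'any'` default assigned two lines earlier. Whether Suricata tolerates an empty address group I cannot confirm from here, but a malformed EXTERNAL_NET changes which traffic the loaded rules see, so I would keep the default on that path: `if (!empty($external_net_list)) { $external_net = '[' . trim(implode(",", $external_net_list)) . ']'; }`. The enclosing foreach over $suricata_files begins before this hunk.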