From e88d8c9a13c12769dc2420a02de073f3f4627214 Mon Sep 17 00:00:00 2001 From: bmeeks8 Date: Thu, 24 Apr 2014 15:07:08 -0400 Subject: Implement blocking function support in Suricata pkg GUI. --- config/suricata/suricata.inc | 57 +++-- config/suricata/suricata.priv.inc | 6 +- config/suricata/suricata.xml | 20 ++ config/suricata/suricata_alerts.php | 33 +-- config/suricata/suricata_app_parsers.php | 10 +- config/suricata/suricata_barnyard.php | 66 ++---- config/suricata/suricata_blocked.php | 320 ++++++++++++++++++++++++++ config/suricata/suricata_define_vars.php | 8 +- config/suricata/suricata_download_updates.php | 4 +- config/suricata/suricata_flow_stream.php | 7 +- config/suricata/suricata_generate_yaml.php | 25 ++ config/suricata/suricata_global.php | 4 +- config/suricata/suricata_interfaces.php | 7 +- config/suricata/suricata_interfaces_edit.php | 91 ++++---- config/suricata/suricata_list_view.php | 65 +++--- config/suricata/suricata_logs_browser.php | 4 +- config/suricata/suricata_logs_mgmt.php | 4 +- config/suricata/suricata_passlist.php | 195 ++++++++++++++++ config/suricata/suricata_passlist_edit.php | 317 +++++++++++++++++++++++++ config/suricata/suricata_rules.php | 8 +- config/suricata/suricata_rulesets.php | 8 +- config/suricata/suricata_select_alias.php | 241 +++++++++++++++++++ config/suricata/suricata_suppress.php | 4 +- config/suricata/suricata_suppress_edit.php | 4 +- config/suricata/suricata_yaml_template.inc | 8 + 25 files changed, 1344 insertions(+), 172 deletions(-) create mode 100644 config/suricata/suricata_blocked.php create mode 100644 config/suricata/suricata_passlist.php create mode 100644 config/suricata/suricata_passlist_edit.php create mode 100644 config/suricata/suricata_select_alias.php (limited to 'config/suricata') diff --git a/config/suricata/suricata.inc b/config/suricata/suricata.inc index b5f5fb56..d9842eb5 100644 --- a/config/suricata/suricata.inc +++ b/config/suricata/suricata.inc 
@@ -39,9 +39,14 @@ global $g, $config; if (!is_array($config['installedpackages']['suricata'])) $config['installedpackages']['suricata'] = array(); -// Define the binary and package build versions -define('SURICATA_VER', '1.4.6'); -define('SURICATA_PKG_VER', 'v0.3-BETA'); +/* Get installed package version for display */ +$suricata_package_version = "Suricata {$config['installedpackages']['package'][get_pkg_id("suricata")]['version']}"; + +// Define the installed package version +define('SURICATA_PKG_VER', $suricata_package_version); + +// Define the name of the pf table used for IP blocks +define('SURICATA_PF_TABLE', 'snort2c'); // Create some other useful defines define('SURICATADIR', '/usr/pbi/suricata-' . php_uname("m") . '/etc/suricata/'); @@ -198,13 +203,26 @@ function suricata_barnyard_reload_config($suricatacfg, $signal="HUP") { function suricata_get_blocked_ips() { - // This is a placeholder function for later use. - // Blocking is not currently enabled in Suricata. - return array(); + $suri_pf_table = SURICATA_PF_TABLE; + $blocked_ips = ""; + + exec("/sbin/pfctl -t {$suri_pf_table} -T show", $blocked_ips); + + $blocked_ips_array = array(); + if (!empty($blocked_ips)) { + if (is_array($blocked_ips)) { + foreach ($blocked_ips as $blocked_ip) { + if (empty($blocked_ip)) + continue; + $blocked_ips_array[] = trim($blocked_ip, " \n\t"); + } + } + } + return $blocked_ips_array; } -/* func builds custom white lists */ -function suricata_find_list($find_name, $type = 'whitelist') { +/* func builds custom Pass Lists */ +function suricata_find_list($find_name, $type = 'passlist') { global $config; $suricataglob = $config['installedpackages']['suricata']; 
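Review bot: In suricata_get_blocked_ips() the new `$blocked_ips = "";` initialises exec()'s output argument as a string; exec() replaces a non-array argument with a fresh array, so the `is_array($blocked_ips)` test that follows can never be false and the nested guards are dead code. Initialise it as `$blocked_ips = array();`, keep only the `foreach` with its `empty()` skip, and pass exec()'s third `$return_var` argument so a failing pfctl (table not present) is distinguishable from an empty table instead of silently returning an empty list. In the first hunk, `get_pkg_id("suricata")` is used directly as an array index without handling a not-found result (which I believe is -1 in pfSense), so SURICATA_PKG_VER would collapse to a bare "Suricata " with a notice. The table name 'snort2c' looks like the one the Snort package uses, so entries added or removed here presumably affect Snort's blocks as well; a comment on the define stating that shared ownership would save the next maintainer a surprise.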
@@ -221,11 +239,11 @@ function suricata_find_list($find_name, $type = 'whitelist') { return array(); } -function suricata_build_list($suricatacfg, $listname = "", $whitelist = false) { +function suricata_build_list($suricatacfg, $listname = "", $passlist = false) { /***********************************************************/ /* The default is to build a HOME_NET variable unless */ - /* '$whitelist' is set to 'true' when calling. */ + /* '$passlist' is set to 'true' when calling. */ /***********************************************************/ global $config, $g, $aliastable, $filterdns; @@ -247,7 +265,7 @@ function suricata_build_list($suricatacfg, $listname = "", $whitelist = false) { $home_net = explode(" ", trim(filter_expand_alias($list['address']))); } - // Always add loopback to HOME_NET and whitelist (ftphelper) + // Always add loopback to HOME_NET and passlist (ftphelper) if (!in_array("127.0.0.1", $home_net)) $home_net[] = "127.0.0.1"; @@ -255,8 +273,8 @@ function suricata_build_list($suricatacfg, $listname = "", $whitelist = false) { /* Always put the interface running Suricata in HOME_NET and */ /* whitelist unless it's the WAN. WAN options are handled further */ /* down. If the user specifically chose not to include LOCAL_NETS */ - /* in the WHITELIST, then do not include the Suricata interface */ - /* subnet in the WHITELIST. We do include the actual LAN interface */ + /* in the PASS LIST, then do not include the Suricata interface */ + /* subnet in the PASS LIST. We do include the actual LAN interface */ /* IP for Suricata, though, to prevent locking out the firewall. */ /********************************************************************/ $suricataip = get_interface_ip($suricatacfg['interface']); 
@@ -297,8 +315,8 @@ function suricata_build_list($suricatacfg, $listname = "", $whitelist = false) { if (!$whitelist || $localnet == 'yes' || empty($localnet)) { /*************************************************************************/ - /* Iterate through the interface list and write out whitelist items and */ - /* also compile a HOME_NET list of all the local interfaces for suricata. */ + /* Iterate through the interface list and write out pass list items and */ + /* also compile a HOME_NET list of all local interfaces for suricata. */ /* Skip the WAN interface as we do not typically want that whole subnet */ /* whitelisted (just the i/f IP itself which was handled earlier). */ /*************************************************************************/ @@ -365,7 +383,7 @@ function suricata_build_list($suricatacfg, $listname = "", $whitelist = false) { } if($vips == 'yes') { - // iterate all vips and add to whitelist + // iterate all vips and add to passlist if (is_array($config['virtualip']) && is_array($config['virtualip']['vip'])) { foreach($config['virtualip']['vip'] as $vip) { if ($vip['subnet'] && $vip['mode'] != 'proxyarp') { 
@@ -1911,7 +1929,12 @@ function suricata_generate_barnyard2_conf($suricatacfg, $if_real) { $by2_dbpwd = base64_decode($suricatacfg['barnyard_dbpwd']); $suricatabarnyardlog_output_plugins .= "# database: log to a MySQL DB\noutput database: alert, mysql, "; $suricatabarnyardlog_output_plugins .= "user={$suricatacfg['barnyard_dbuser']} password={$by2_dbpwd} "; - $suricatabarnyardlog_output_plugins .= "dbname={$suricatacfg['barnyard_dbname']} host={$suricatacfg['barnyard_dbhost']}\n\n"; + $suricatabarnyardlog_output_plugins .= "dbname={$suricatacfg['barnyard_dbname']} host={$suricatacfg['barnyard_dbhost']}"; + if (isset($suricatacfg['barnyard_sensor_name']) && strlen($suricatacfg['barnyard_sensor_name']) > 0) + $suricatabarnyardlog_output_plugins .= " sensor_name={$suricatacfg['barnyard_sensor_name']}"; + if ($suricatacfg['barnyard_disable_sig_ref_tbl'] == 'on') + $suricatabarnyardlog_output_plugins .= " disable_signature_reference_table"; + $suricatabarnyardlog_output_plugins .= "\n\n"; } if ($suricatacfg['barnyard_syslog_enable'] == 'on') { $suricatabarnyardlog_output_plugins .= "# syslog_full: log to a syslog receiver\n"; diff --git a/config/suricata/suricata.priv.inc b/config/suricata/suricata.priv.inc index 8dcec887..3bbee55a 100644 --- a/config/suricata/suricata.priv.inc +++ b/config/suricata/suricata.priv.inc 
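Review bot: `sensor_name={$suricatacfg['barnyard_sensor_name']}` is written into the barnyard2 `output database:` line unquoted, so a name containing whitespace or a newline splits the directive and the remainder is read as further barnyard2 configuration; the only check here is `strlen() > 0`. No validation of that field is visible in the suricata_barnyard.php hunks of this commit either. Reject or normalise it where it is saved and, as a second line of defence, emit it here only when it matches a safe character set, e.g. `if (preg_match('/^[A-Za-z0-9_.-]+$/', $suricatacfg['barnyard_sensor_name']))` in place of the `strlen()` test. The enclosing function suricata_generate_barnyard2_conf() starts and ends outside the hunk.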
@@ -8,6 +8,7 @@ $priv_list['page-services-suricata']['descr'] = "Allow access to suricata packag $priv_list['page-services-suricata']['match'] = array(); $priv_list['page-services-suricata']['match'][] = "suricata/suricata_alerts.php*"; $priv_list['page-services-suricata']['match'][] = "suricata/suricata_barnyard.php*"; +$priv_list['page-services-suricata']['match'][] = "suricata/suricata_blocked.php*"; $priv_list['page-services-suricata']['match'][] = "suricata/suricata_check_for_rule_updates.php*"; $priv_list['page-services-suricata']['match'][] = "suricata/suricata_define_vars.php*"; $priv_list['page-services-suricata']['match'][] = "suricata/suricata_download_rules.php*"; 
@@ -20,11 +21,12 @@ $priv_list['page-services-suricata']['match'][] = "suricata/suricata_interfaces_ $priv_list['page-services-suricata']['match'][] = "suricata/suricata_interfaces_global.php*"; $priv_list['page-services-suricata']['match'][] = "suricata/suricata_suppress.php*"; $priv_list['page-services-suricata']['match'][] = "suricata/suricata_suppress_edit.php*"; -$priv_list['page-services-suricata']['match'][] = "suricata/suricata_interfaces_whitelist.php*"; -$priv_list['page-services-suricata']['match'][] = "suricata/suricata_interfaces_whitelist_edit.php*"; +$priv_list['page-services-suricata']['match'][] = "suricata/suricata_select_alias.php*"; $priv_list['page-services-suricata']['match'][] = "suricata/suricata_list_view.php*"; $priv_list['page-services-suricata']['match'][] = "suricata/suricata_logs_browser.php*"; $priv_list['page-services-suricata']['match'][] = "suricata/suricata_logs_mgmt.php*"; +$priv_list['page-services-suricata']['match'][] = "suricata/suricata_passlist.php*"; +$priv_list['page-services-suricata']['match'][] = "suricata/suricata_passlist_edit.php*"; $priv_list['page-services-suricata']['match'][] = "suricata/suricata_post_install.php*"; $priv_list['page-services-suricata']['match'][] = "suricata/suricata_flow_stream.php*"; $priv_list['page-services-suricata']['match'][] = "suricata/suricata_rules.php*"; diff --git a/config/suricata/suricata.xml b/config/suricata/suricata.xml index fb296aed..87f50eb4 100644 --- a/config/suricata/suricata.xml +++ b/config/suricata/suricata.xml 
@@ -207,6 +207,26 @@ /usr/local/www/suricata/ 0755 + + /usr/local/www/suricata/ + 0644 + https://packages.pfsense.org/packages/config/suricata/suricata_blocked.php + + + /usr/local/www/suricata/ + 0644 + https://packages.pfsense.org/packages/config/suricata/suricata_passlist.php + + + /usr/local/www/suricata/ + 0644 + https://packages.pfsense.org/packages/config/suricata/suricata_passlist_edit.php + + + /usr/local/www/suricata/ + 0644 + https://packages.pfsense.org/packages/config/suricata/suricata_select_alias.php + /usr/local/www/widgets/javascript/ 0644 diff --git a/config/suricata/suricata_alerts.php b/config/suricata/suricata_alerts.php index 01d4daeb..71739f82 100644 --- a/config/suricata/suricata_alerts.php +++ b/config/suricata/suricata_alerts.php @@ -32,6 +32,7 @@ require_once("guiconfig.inc"); require_once("/usr/local/pkg/suricata/suricata.inc"); $supplist = array(); +$suri_pf_table = SURICATA_PF_TABLE; function suricata_is_alert_globally_suppressed($list, $gid, $sid) { @@ -165,12 +166,12 @@ if ($_POST['save']) { exit; } -//if ($_POST['unblock'] && $_POST['ip']) { -// if (is_ipaddr($_POST['ip'])) { -// exec("/sbin/pfctl -t snort2c -T delete {$_POST['ip']}"); -// $savemsg = gettext("Host IP address {$_POST['ip']} has been removed from the Blocked Table."); -// } -//} +if ($_POST['unblock'] && $_POST['ip']) { + if (is_ipaddr($_POST['ip'])) { + exec("/sbin/pfctl -t {$suri_pf_table} -T delete {$_POST['ip']}"); + $savemsg = gettext("Host IP address {$_POST['ip']} has been removed from the Blocked Table."); + } +} if (($_POST['addsuppress_srcip'] || $_POST['addsuppress_dstip'] || $_POST['addsuppress']) && is_numeric($_POST['sidid']) && is_numeric($_POST['gen_id'])) { if ($_POST['addsuppress_srcip']) 
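Review bot: The re-enabled unblock handler in suricata_alerts.php interpolates `$_POST['ip']` straight into the pfctl command and into `$savemsg`; `is_ipaddr()` confines it to an address literal, so this is not exploitable as written, but the safety of a shell command should not rest on a validator defined elsewhere. Wrap the value before use, `$ip = escapeshellarg($_POST['ip']);` and `exec("/sbin/pfctl -t {$suri_pf_table} -T delete {$ip}");`, and pass the address through htmlspecialchars() when building the info-box message. Since the table is the one defined as 'snort2c' in suricata.inc, deleting the entry presumably also unblocks the host for the Snort package when both are installed, which the message could say.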
@@ -355,10 +356,12 @@ if ($savemsg) { $tab_array[] = array(gettext("Global Settings"), false, "/suricata/suricata_global.php"); $tab_array[] = array(gettext("Update Rules"), false, "/suricata/suricata_download_updates.php"); $tab_array[] = array(gettext("Alerts"), true, "/suricata/suricata_alerts.php"); + $tab_array[] = array(gettext("Blocked"), false, "/suricata/suricata_blocked.php"); + $tab_array[] = array(gettext("Pass Lists"), false, "/suricata/suricata_passlist.php"); $tab_array[] = array(gettext("Suppress"), false, "/suricata/suricata_suppress.php"); $tab_array[] = array(gettext("Logs Browser"), false, "/suricata/suricata_logs_browser.php?instance={$instanceid}"); $tab_array[] = array(gettext("Logs Mgmt"), false, "/suricata/suricata_logs_mgmt.php"); - display_top_tabs($tab_array); + display_top_tabs($tab_array, true); ?> @@ -495,10 +498,10 @@ if (file_exists("/var/log/suricata/suricata_{$if_real}{$suricata_uuid}/alerts.lo $alert_ip_src .= "title='" . gettext("This alert track by_src IP is already in the Suppress List") . "'/>"; } /* Add icon for auto-removing from Blocked Table if required */ -// if (isset($tmpblocked[$fields[9]])) { -// $alert_ip_src .= " "; -// } + if (isset($tmpblocked[$fields[9]])) { + $alert_ip_src .= " "; + } /* IP SRC Port */ $alert_src_p = $fields[10]; /* IP Destination */ @@ -524,10 +527,10 @@ if (file_exists("/var/log/suricata/suricata_{$if_real}{$suricata_uuid}/alerts.lo $alert_ip_dst .= "title='" . gettext("This alert track by_dst IP is already in the Suppress List") . "'/>"; } /* Add icon for auto-removing from Blocked Table if required */ -// if (isset($tmpblocked[$fields[11]])) { -// $alert_ip_dst .= " "; -// } + if (isset($tmpblocked[$fields[11]])) { + $alert_ip_dst .= " "; + } /* IP DST Port */ $alert_dst_p = $fields[12]; /* SID */ diff --git a/config/suricata/suricata_app_parsers.php b/config/suricata/suricata_app_parsers.php index 8d0bb4f4..9d78775c 100644 --- a/config/suricata/suricata_app_parsers.php 
+++ b/config/suricata/suricata_app_parsers.php @@ -379,7 +379,7 @@ include_once("head.inc"); '; echo ''; $menu_iface=($if_friendly?substr($if_friendly,0,5)." ":"Iface "); @@ -412,7 +414,7 @@ include_once("head.inc"); $tab_array[] = array($menu_iface . gettext("App Parsers"), true, "/suricata/suricata_app_parsers.php?id={$id}"); $tab_array[] = array($menu_iface . gettext("Variables"), false, "/suricata/suricata_define_vars.php?id={$id}"); $tab_array[] = array($menu_iface . gettext("Barnyard2"), false, "/suricata/suricata_barnyard.php?id={$id}"); - display_top_tabs($tab_array); + display_top_tabs($tab_array, true); ?>
diff --git a/config/suricata/suricata_barnyard.php b/config/suricata/suricata_barnyard.php index 850e4bed..af784845 100644 --- a/config/suricata/suricata_barnyard.php +++ b/config/suricata/suricata_barnyard.php @@ -133,6 +133,7 @@ if ($_POST['save']) { $natent['barnyard_syslog_enable'] = $_POST['barnyard_syslog_enable'] ? 'on' : 'off'; $natent['barnyard_syslog_local'] = $_POST['barnyard_syslog_local'] ? 'on' : 'off'; $natent['barnyard_bro_ids_enable'] = $_POST['barnyard_bro_ids_enable'] ? 'on' : 'off'; + $natent['barnyard_disable_sig_ref_tbl'] = $_POST['barnyard_disable_sig_ref_tbl'] ? 'on' : 'off'; $natent['barnyard_syslog_opmode'] = $_POST['barnyard_syslog_opmode']; $natent['barnyard_syslog_proto'] = $_POST['barnyard_syslog_proto']; 
@@ -167,50 +168,21 @@ if ($_POST['save']) { elseif ($a_nat[$id]['barnyard_enable'] == "on") { if (suricata_is_running($a_nat[$id]['uuid'], get_real_interface($a_nat[$id]['interface']), "barnyard2")) suricata_barnyard_reload_config($a_nat[$id], "HUP"); - else - suricata_barnyard_start($a_nat[$id], get_real_interface($a_nat[$id]['interface'])); + else { + // Notify user a Suricata restart is required if enabling Barnyard2 for the first time + $savemsg = gettext("NOTE: you must restart Suricata on this interface to activate unified2 logging for Barnyard2."); + } } - // after click go to this page - header( 'Expires: Sat, 26 Jul 1997 05:00:00 GMT' ); - header( 'Last-Modified: ' . gmdate( 'D, d M Y H:i:s' ) . ' GMT' ); - header( 'Cache-Control: no-store, no-cache, must-revalidate' ); - header( 'Cache-Control: post-check=0, pre-check=0', false ); - header( 'Pragma: no-cache' ); - header("Location: suricata_barnyard.php?id=$id"); - exit; + $pconfig = $natent; } else { - // We had errors, so save incoming field data to prevent retyping - $pconfig['barnyard_enable'] = $_POST['barnyard_enable']; - $pconfig['barnyard_show_year'] = $_POST['barnyard_show_year']; - $pconfig['barnyard_archive_enable'] = $_POST['barnyard_archive_enable']; - $pconfig['barnyard_dump_payload'] = $_POST['barnyard_dump_payload']; - $pconfig['barnyard_obfuscate_ip'] = $_POST['barnyard_obfuscate_ip']; - $pconfig['barnyard_mysql_enable'] = $_POST['barnyard_mysql_enable']; - $pconfig['barnyard_syslog_enable'] = $_POST['barnyard_syslog_enable']; - $pconfig['barnyard_syslog_local'] = $_POST['barnyard_syslog_local']; - $pconfig['barnyard_syslog_opmode'] = $_POST['barnyard_syslog_opmode']; - $pconfig['barnyard_syslog_proto'] = $_POST['barnyard_syslog_proto']; - $pconfig['barnyard_bro_ids_enable'] = $_POST['barnyard_bro_ids_enable']; - - $pconfig['barnyard_sensor_id'] = $_POST['barnyard_sensor_id']; - $pconfig['barnyard_sensor_name'] = $_POST['barnyard_sensor_name']; - $pconfig['barnyard_dbhost'] = 
$_POST['barnyard_dbhost']; - $pconfig['barnyard_dbname'] = $_POST['barnyard_dbname']; - $pconfig['barnyard_dbuser'] = $_POST['barnyard_dbuser']; - $pconfig['barnyard_dbpwd'] = $_POST['barnyard_dbpwd']; - $pconfig['barnyard_syslog_rhost'] = $_POST['barnyard_syslog_rhost']; - $pconfig['barnyard_syslog_dport'] = $_POST['barnyard_syslog_dport']; - $pconfig['barnyard_syslog_facility'] = $_POST['barnyard_syslog_facility']; - $pconfig['barnyard_syslog_priority'] = $_POST['barnyard_syslog_priority']; - $pconfig['barnyard_bro_ids_rhost'] = $_POST['barnyard_bro_ids_rhost']; - $pconfig['barnyard_bro_ids_dport'] = $_POST['barnyard_bro_ids_dport']; - $pconfig['barnconfigpassthru'] = $_POST['barnconfigpassthru']; + // We had errors, so save previous field data to prevent retyping + $pconfig = $_POST; } } -$if_friendly = convert_friendly_interface_to_friendly_descr($pconfig['interface']); +$if_friendly = convert_friendly_interface_to_friendly_descr($a_nat[$id]['interface']); $pgtitle = gettext("Suricata: Interface {$if_friendly} - Barnyard2 Settings"); include_once("head.inc"); @@ -221,7 +193,7 @@ include_once("head.inc"); /* Display Alert message */ if ($input_errors) { - print_input_errors($input_errors); // TODO: add checks + print_input_errors($input_errors); } if ($savemsg) { @@ -235,14 +207,16 @@ include_once("head.inc"); '; echo ''; $tab_array = array(); @@ -254,7 +228,7 @@ include_once("head.inc"); $tab_array[] = array($menu_iface . gettext("App Parsers"), false, "/suricata/suricata_app_parsers.php?id={$id}"); $tab_array[] = array($menu_iface . gettext("Variables"), false, "/suricata/suricata_define_vars.php?id={$id}"); $tab_array[] = array($menu_iface . gettext("Barnyard2"), true, "/suricata/suricata_barnyard.php?id={$id}"); - display_top_tabs($tab_array); + display_top_tabs($tab_array, true); ?> @@ -358,6 +332,14 @@ include_once("head.inc");   + + + + /> + " . gettext("Not Checked") . ""; ?>
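Review bot: Dropping the `header("Location: suricata_barnyard.php?id=$id")` redirect after a successful save (and assigning `$pconfig = $natent;` instead) abandons post/redirect/get: a browser reload of the rendered page now re-submits the form, re-running write_config() and the Barnyard2 reload. If the redirect was removed only so that `$savemsg` can be shown on the restart-required path, restore the redirect and the no-cache headers on the branches that do not set a message. On the error path, `$pconfig = $_POST;` now carries every posted field, including the CSRF token and the submit button, into the array the form re-renders from; that is harmless only if each value is passed through htmlspecialchars() where it is echoed, which is outside this hunk and worth checking. The enclosing `if ($_POST['save'])` block starts outside the hunk.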
+
+ + @@ -521,6 +503,7 @@ function toggle_mySQL() { document.iform.barnyard_dbname.disabled = endis; document.iform.barnyard_dbuser.disabled = endis; document.iform.barnyard_dbpwd.disabled = endis; + document.iform.barnyard_disable_sig_ref_tbl.disabled = endis; if (endis) document.getElementById("mysql_config_rows").style.display = "none"; @@ -587,6 +570,7 @@ function enable_change(enable_change) { document.iform.barnyard_dbname.disabled = endis; document.iform.barnyard_dbuser.disabled = endis; document.iform.barnyard_dbpwd.disabled = endis; + document.iform.barnyard_disable_sig_ref_tbl.disabled = endis; document.iform.barnyard_syslog_enable.disabled = endis; document.iform.barnyard_syslog_local.disabled = endis; document.iform.barnyard_syslog_opmode_default.disabled = endis; diff --git a/config/suricata/suricata_blocked.php b/config/suricata/suricata_blocked.php new file mode 100644 index 00000000..47b9a7d0 --- /dev/null +++ b/config/suricata/suricata_blocked.php 
@@ -0,0 +1,320 @@ + 0) { + $save_date = exec('/bin/date "+%Y-%m-%d-%H-%M-%S"'); + $file_name = "suricata_blocked_{$save_date}.tar.gz"; + exec('/bin/mkdir -p /tmp/suricata_blocked'); + file_put_contents("/tmp/suricata_blocked/suricata_block.pf", ""); + foreach($blocked_ips_array_save as $counter => $fileline) { + if (empty($fileline)) + continue; + $fileline = trim($fileline, " \n\t"); + file_put_contents("/tmp/suricata_blocked/suricata_block.pf", "{$fileline}\n", FILE_APPEND); + } + + // Create a tar gzip archive of blocked host IP addresses + exec("/usr/bin/tar -czf /tmp/{$file_name} -C/tmp/suricata_blocked suricata_block.pf"); + + // If we successfully created the archive, send it to the browser. + if(file_exists("/tmp/{$file_name}")) { + ob_start(); //important or other posts will fail + if (isset($_SERVER['HTTPS'])) { + header('Pragma: '); + header('Cache-Control: '); + } else { + header("Pragma: private"); + header("Cache-Control: private, must-revalidate"); + } + header("Content-Type: application/octet-stream"); + header("Content-length: " . filesize("/tmp/{$file_name}")); + header("Content-disposition: attachment; filename = {$file_name}"); + ob_end_clean(); //important or other post will fail + readfile("/tmp/{$file_name}"); + + // Clean up the temp files and directory + @unlink("/tmp/{$file_name}"); + exec("/bin/rm -fr /tmp/suricata_blocked"); + } else + $savemsg = gettext("An error occurred while creating archive"); + } else + $savemsg = gettext("No content on suricata block list"); +} + +if ($_POST['save']) +{ + /* no errors */ + if (!$input_errors) { + $config['installedpackages']['suricata']['alertsblocks']['brefresh'] = $_POST['brefresh'] ? 
'on' : 'off'; + $config['installedpackages']['suricata']['alertsblocks']['blertnumber'] = $_POST['blertnumber']; + + write_config("Suricata pkg: updated BLOCKED tab settings."); + + header("Location: /suricata/suricata_blocked.php"); + exit; + } + +} + +$pgtitle = gettext("Suricata: Blocked Hosts"); +include_once("head.inc"); + +?> + + + + +\n"; + +/* Display Alert message */ +if ($input_errors) { + print_input_errors($input_errors); // TODO: add checks +} +if ($savemsg) { + print_info_box($savemsg); +} +?> + +
+ + + + + + + + + +
+ +
+ + + + + + + + + + + + + + + + + + + + + +
+ "/> +     + " + onClick="return confirm('');"/>  +   +
+ "/> +    /> +  ', '', '', ''); ?>   +  ', '', '', ''); ?> +
+ + + + + + + + + + + + + + + + + $blocked_msg) { + $blocked_desc = implode("
", $blocked_msg); + if($counter > $bnentries) + break; + else + $counter++; + + /* Add zero-width space as soft-break opportunity after each colon if we have an IPv6 address */ + $tmp_ip = str_replace(":", ":​", $blocked_ip); + /* Add reverse DNS lookup icons (two different links if pfSense version supports them) */ + $rdns_link = ""; + $rdns_link .= ""; + $rdns_link .= " "; + $rdns_link .= ""; + $rdns_link .= ""; + /* use one echo to do the magic*/ + echo " + + + + + \n"; + } + } + ?> + +
#
{$counter}{$tmp_ip}
{$rdns_link}
{$blocked_desc} +
+
+ 1) + echo "{$counter}" . gettext(" host IP addresses are currently being blocked."); + else + echo "{$counter}" . gettext(" host IP address is currently being blocked."); + } + else { + echo gettext("There are currently no hosts being blocked by Suricata."); + } + ?> +
+
+
+
+ + + diff --git a/config/suricata/suricata_define_vars.php b/config/suricata/suricata_define_vars.php index 22b8ab3c..67167c05 100644 --- a/config/suricata/suricata_define_vars.php +++ b/config/suricata/suricata_define_vars.php @@ -158,14 +158,16 @@ if ($savemsg) '; echo ''; $tab_array = array(); @@ -177,7 +179,7 @@ if ($savemsg) $tab_array[] = array($menu_iface . gettext("App Parsers"), false, "/suricata/suricata_app_parsers.php?id={$id}"); $tab_array[] = array($menu_iface . gettext("Variables"), true, "/suricata/suricata_define_vars.php?id={$id}"); $tab_array[] = array($menu_iface . gettext("Barnyard2"), false, "/suricata/suricata_barnyard.php?id={$id}"); - display_top_tabs($tab_array); + display_top_tabs($tab_array, true); ?> diff --git a/config/suricata/suricata_download_updates.php b/config/suricata/suricata_download_updates.php index 188255c8..d47c931c 100644 --- a/config/suricata/suricata_download_updates.php +++ b/config/suricata/suricata_download_updates.php @@ -176,10 +176,12 @@ include_once("head.inc"); $tab_array[] = array(gettext("Global Settings"), false, "/suricata/suricata_global.php"); $tab_array[] = array(gettext("Update Rules"), true, "/suricata/suricata_download_updates.php"); $tab_array[] = array(gettext("Alerts"), false, "/suricata/suricata_alerts.php"); + $tab_array[] = array(gettext("Blocked"), false, "/suricata/suricata_blocked.php"); + $tab_array[] = array(gettext("Pass Lists"), false, "/suricata/suricata_passlist.php"); $tab_array[] = array(gettext("Suppress"), false, "/suricata/suricata_suppress.php"); $tab_array[] = array(gettext("Logs Browser"), false, "/suricata/suricata_logs_browser.php"); $tab_array[] = array(gettext("Logs Mgmt"), false, "/suricata/suricata_logs_mgmt.php"); - display_top_tabs($tab_array); + display_top_tabs($tab_array, true); ?> diff --git a/config/suricata/suricata_flow_stream.php b/config/suricata/suricata_flow_stream.php index cc00f350..1ac57342 100644 --- a/config/suricata/suricata_flow_stream.php 
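Review bot: In the save handler of the new suricata_blocked.php, `$_POST['blertnumber']` is written to the config under the `/* no errors */` comment, but the only gate is `if (!$input_errors)` and no check that populates `$input_errors` for it is visible in the hunk; the value later drives the `$counter > $bnentries` cut-off in the listing, so a non-numeric or negative value is persisted and the loop bound becomes meaningless. Add `if (!is_numeric($_POST['blertnumber']) || $_POST['blertnumber'] < 1) $input_errors[] = gettext("The number of blocked entries to display must be a positive integer.");` before the save. The download handler builds the archive under the fixed paths `/tmp/suricata_blocked` and `/tmp/suricata_blocked_<date>.tar.gz` and finishes with `exec("/bin/rm -fr /tmp/suricata_blocked")`; two concurrent downloads clobber each other, and a per-request directory created with a random suffix avoids both that and any pre-existing entry at the fixed name. The per-host descriptions are rendered with `{$blocked_desc}` straight into the table; their origin is not visible here, and if they come from alert message text they should go through htmlspecialchars() before being echoed.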
+++ b/config/suricata/suricata_flow_stream.php @@ -438,14 +438,15 @@ include_once("head.inc"); '; echo ''; $menu_iface=($if_friendly?substr($if_friendly,0,5)." ":"Iface "); @@ -457,7 +458,7 @@ include_once("head.inc"); $tab_array[] = array($menu_iface . gettext("App Parsers"), false, "/suricata/suricata_app_parsers.php?id={$id}"); $tab_array[] = array($menu_iface . gettext("Variables"), false, "/suricata/suricata_define_vars.php?id={$id}"); $tab_array[] = array($menu_iface . gettext("Barnyard2"), false, "/suricata/suricata_barnyard.php?id={$id}"); - display_top_tabs($tab_array); + display_top_tabs($tab_array, true); ?>
diff --git a/config/suricata/suricata_generate_yaml.php b/config/suricata/suricata_generate_yaml.php index 0e348631..e4d2c153 100644 --- a/config/suricata/suricata_generate_yaml.php +++ b/config/suricata/suricata_generate_yaml.php @@ -64,6 +64,11 @@ if (!empty($suricatacfg['externallistname']) && $suricatacfg['externallistname'] $external_net = trim($external_net); } +// Set the PASS LIST and write its contents to disk +$plist = suricata_build_list($suricatacfg, $suricatacfg['passlistname'], true); +@file_put_contents("{$suricatacfgdir}/passlist", implode("\n", $plist)); +$suri_passlist = "{$suricatacfgdir}/passlist"; + // Set default and user-defined variables for SERVER_VARS and PORT_VARS $suricata_servers = array ( "dns_servers" => "\$HOME_NET", "smtp_servers" => "\$HOME_NET", "http_servers" => "\$HOME_NET", @@ -137,6 +142,26 @@ if (!empty($suricatacfg['inspect_recursion_limit']) || $suricatacfg['inspect_rec else $inspection_recursion_limit = ""; +// Add interface-specific blocking settings +if ($suricatacfg['blockoffenders'] == 'on') + $suri_blockoffenders = "yes"; +else + $suri_blockoffenders = "no"; + +if ($suricatacfg['blockoffenderskill'] == 'on') + $suri_killstates = "yes"; +else + $suri_killstates = "no"; + +if ($suricatacfg['blockoffendersip'] == 'src') + $suri_blockip = 'SRC'; +elseif ($suricatacfg['blockoffendersip'] == 'dst') + $suri_blockip = 'DST'; +else + $suri_blockip = 'BOTH'; + +$suri_pf_table = SURICATA_PF_TABLE; + // Add interface-specific logging settings if ($suricatacfg['alertsystemlog'] == 'on') $alert_syslog = "yes"; diff --git a/config/suricata/suricata_global.php b/config/suricata/suricata_global.php index 938d6a97..07638b97 100644 --- a/config/suricata/suricata_global.php +++ b/config/suricata/suricata_global.php 
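Review bot: `@file_put_contents("{$suricatacfgdir}/passlist", implode("\n", $plist));` suppresses the error and ignores the return value, so if the pass list cannot be written the YAML still points `$suri_passlist` (presumably consumed by the template) at a missing or stale file and blocking would run without it; since the pass list is what keeps the firewall's own addresses out of the block table, per the comments in suricata_build_list, that failure mode is a lockout rather than a cosmetic problem. Move the assignment first, `$suri_passlist = "{$suricatacfgdir}/passlist";`, then `if (file_put_contents($suri_passlist, implode("\n", $plist)) === false)` log the failure and stop generating the YAML instead of continuing. The `@` can then go, since the return value is what carries the error.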
@@ -168,10 +168,12 @@ if ($input_errors) $tab_array[] = array(gettext("Global Settings"), true, "/suricata/suricata_global.php"); $tab_array[] = array(gettext("Update Rules"), false, "/suricata/suricata_download_updates.php"); $tab_array[] = array(gettext("Alerts"), false, "/suricata/suricata_alerts.php"); + $tab_array[] = array(gettext("Blocked"), false, "/suricata/suricata_blocked.php"); + $tab_array[] = array(gettext("Pass Lists"), false, "/suricata/suricata_passlist.php"); $tab_array[] = array(gettext("Suppress"), false, "/suricata/suricata_suppress.php"); $tab_array[] = array(gettext("Logs Browser"), false, "/suricata/suricata_logs_browser.php"); $tab_array[] = array(gettext("Logs Mgmt"), false, "/suricata/suricata_logs_mgmt.php"); - display_top_tabs($tab_array); + display_top_tabs($tab_array, true); ?> diff --git a/config/suricata/suricata_interfaces.php b/config/suricata/suricata_interfaces.php index e8125986..062745dd 100644 --- a/config/suricata/suricata_interfaces.php +++ b/config/suricata/suricata_interfaces.php @@ -134,9 +134,8 @@ if ($_POST['toggle']) { header("Location: /suricata/suricata_interfaces.php"); exit; } -$suri_bin_ver = SURICATA_VER; $suri_pkg_ver = SURICATA_PKG_VER; -$pgtitle = "Services: Suricata {$suri_bin_ver} pkg {$suri_pkg_ver} - Intrusion Detection System"; +$pgtitle = "Services: {$suri_pkg_ver} - Intrusion Detection System"; include_once("head.inc"); ?> 
@@ -164,10 +163,12 @@ include_once("head.inc"); $tab_array[] = array(gettext("Global Settings"), false, "/suricata/suricata_global.php"); $tab_array[] = array(gettext("Update Rules"), false, "/suricata/suricata_download_updates.php"); $tab_array[] = array(gettext("Alerts"), false, "/suricata/suricata_alerts.php"); + $tab_array[] = array(gettext("Blocked"), false, "/suricata/suricata_blocked.php"); + $tab_array[] = array(gettext("Pass Lists"), false, "/suricata/suricata_passlist.php"); $tab_array[] = array(gettext("Suppress"), false, "/suricata/suricata_suppress.php"); $tab_array[] = array(gettext("Logs Browser"), false, "/suricata/suricata_logs_browser.php"); $tab_array[] = array(gettext("Logs Mgmt"), false, "/suricata/suricata_logs_mgmt.php"); - display_top_tabs($tab_array); + display_top_tabs($tab_array, true); ?> diff --git a/config/suricata/suricata_interfaces_edit.php b/config/suricata/suricata_interfaces_edit.php index fbb78aa2..62c5eecb 100644 --- a/config/suricata/suricata_interfaces_edit.php +++ b/config/suricata/suricata_interfaces_edit.php @@ -32,6 +32,9 @@ require_once("/usr/local/pkg/suricata/suricata.inc"); global $g, $rebuild_rules; +$suricatadir = SURICATADIR; +$suricatalogdir = SURICATALOGDIR; + if (!is_array($config['installedpackages']['suricata'])) $config['installedpackages']['suricata'] = array(); $suricataglob = $config['installedpackages']['suricata']; 
@@ -173,6 +176,16 @@ if ($_POST["save"]) { if (!empty($_POST['inspect_recursion_limit']) && !is_numeric($_POST['inspect_recursion_limit'])) $input_errors[] = gettext("The value for Inspect Recursion Limit can either be blank or contain only digits evaluating to an integer greater than or equal to 0."); + /* See if assigned interface is already in use */ + if (isset($_POST['interface'])) { + foreach ($a_rule as $k => $v) { + if (($v['interface'] == $_POST['interface']) && ($id <> $k)) { + $input_errors[] = gettext("The '{$_POST['interface']}' interface is already assigned to another Suricata instance."); + break; + } + } + } + // if no errors write to suricata.yaml if (!$input_errors) { $natent = $a_rule[$id]; @@ -204,7 +217,7 @@ if ($_POST["save"]) { if ($_POST['blockoffenders'] == "on") $natent['blockoffenders'] = 'on'; else $natent['blockoffenders'] = 'off'; if ($_POST['blockoffenderskill'] == "on") $natent['blockoffenderskill'] = 'on'; else unset($natent['blockoffenderskill']); if ($_POST['blockoffendersip']) $natent['blockoffendersip'] = $_POST['blockoffendersip']; else unset($natent['blockoffendersip']); - if ($_POST['whitelistname']) $natent['whitelistname'] = $_POST['whitelistname']; else unset($natent['whitelistname']); + if ($_POST['passlistname']) $natent['passlistname'] = $_POST['passlistname']; else unset($natent['passlistname']); if ($_POST['homelistname']) $natent['homelistname'] = $_POST['homelistname']; else unset($natent['homelistname']); if ($_POST['externallistname']) $natent['externallistname'] = $_POST['externallistname']; else unset($natent['externallistname']); if ($_POST['suppresslistname']) $natent['suppresslistname'] = $_POST['suppresslistname']; else unset($natent['suppresslistname']); 
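Review bot: The new duplicate-interface check builds its error with `gettext("The '{$_POST['interface']}' interface is already assigned ...")`, echoing the raw posted value back into the page; whether print_input_errors() escapes it is decided outside the hunk, and a dropdown does not constrain a crafted POST, so pass the value through htmlspecialchars() when building the message or report the friendly name from `$a_rule` instead. Interpolating a variable inside gettext() also defeats translation lookup; `sprintf(gettext("The '%s' interface is already assigned to another Suricata instance."), htmlspecialchars($_POST['interface']))` fixes both. The comparison `$id <> $k` uses the loose not-equal operator while `$id` presumably arrives as a string from the request and `$k` is an integer key; `(string)$id !== (string)$k` makes the intent explicit. The enclosing `if ($_POST["save"])` block starts and ends outside the hunk.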
@@ -213,14 +226,20 @@ if ($_POST["save"]) { $if_real = get_real_interface($natent['interface']); if (isset($id) && $a_rule[$id]) { + // See if moving an existing Suricata instance to another physical interface if ($natent['interface'] != $a_rule[$id]['interface']) { $oif_real = get_real_interface($a_rule[$id]['interface']); - suricata_stop($a_rule[$id], $oif_real); - exec("rm -r /var/log/suricata_{$oif_real}" . $a_rule[$id]['uuid']); - exec("mv -f {$suricatadir}/suricata_" . $a_rule[$id]['uuid'] . "_{$oif_real} {$suricatadir}/suricata_" . $a_rule[$id]['uuid'] . "_{$if_real}"); + if (suricata_is_running($a_rule[$id]['uuid'], $oif_real)) { + suricata_stop($a_rule[$id], $oif_real); + $suricata_start = true; + } + else + $suricata_start = false; + exec("mv -f {$suricatalogdir}suricata_{$oif_real}" . $a_rule[$id]['uuid'] . " {$suricatalogdir}suricata_{$if_real}" . $a_rule[$id]['uuid']); + conf_mount_rw(); + exec("mv -f {$suricatadir}suricata_" . $a_rule[$id]['uuid'] . "_{$oif_real} {$suricatadir}suricata_" . $a_rule[$id]['uuid'] . "_{$if_real}"); + conf_mount_ro(); } - // Edits don't require a rules rebuild, so turn it "off" - $rebuild_rules = false; $a_rule[$id] = $natent; } else { // Adding new interface, so set interface configuration parameter defaults @@ -330,14 +349,16 @@ if ($savemsg) { '; echo ''; $tab_array = array(); @@ -349,7 +370,7 @@ if ($savemsg) { $tab_array[] = array($menu_iface . gettext("App Parsers"), false, "/suricata/suricata_app_parsers.php?id={$id}"); $tab_array[] = array($menu_iface . gettext("Variables"), false, "/suricata/suricata_define_vars.php?id={$id}"); $tab_array[] = array($menu_iface . gettext("Barnyard2"), false, "/suricata/suricata_barnyard.php?id={$id}"); - display_top_tabs($tab_array); + display_top_tabs($tab_array, true); ?>
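Review bot: Both `exec("mv -f ...")` calls in the interface-move branch discard the command's exit status, so a failed rename of the log or configuration directory goes unnoticed and the instance then runs against a directory that no longer matches its interface; note also that `mv -f` onto a destination directory that already exists moves the source into it rather than replacing it. Using `rename()` with a checked result avoids building a shell command from the interface names and reports the failure through `log_error()`. `$suricata_start` is set here but its consumer is outside the hunk, as is the rest of the enclosing `if ($_POST["save"])` block.
```php
// … unchanged: suricata_is_running()/suricata_stop() branch setting $suricata_start …
$old_logdir = "{$suricatalogdir}suricata_{$oif_real}" . $a_rule[$id]['uuid'];
$new_logdir = "{$suricatalogdir}suricata_{$if_real}" . $a_rule[$id]['uuid'];
if (is_dir($old_logdir) && !rename($old_logdir, $new_logdir))
	log_error("Suricata: failed to move log directory {$old_logdir} to {$new_logdir}");
conf_mount_rw();
$old_cfgdir = "{$suricatadir}suricata_" . $a_rule[$id]['uuid'] . "_{$oif_real}";
$new_cfgdir = "{$suricatadir}suricata_" . $a_rule[$id]['uuid'] . "_{$if_real}";
if (is_dir($old_cfgdir) && !rename($old_cfgdir, $new_cfgdir))
	log_error("Suricata: failed to move config directory {$old_cfgdir} to {$new_cfgdir}");
conf_mount_ro();
```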
@@ -490,8 +511,6 @@ if ($savemsg) { " . gettext("1000") . "."; ?>

- - - @@ -666,17 +682,16 @@ if ($savemsg) { "setting at default. Create an Alias for custom External Net settings."); ?>
- @@ -756,11 +769,11 @@ if ($savemsg) { + +
+ + + + + +
+ +
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

+    +

+
/> +
/> +
/> +
/> +
/> +
/> +
+ + + +     "/> +
  + + +
+
+
+
+ + + + diff --git a/config/suricata/suricata_rules.php b/config/suricata/suricata_rules.php index 5883ed8e..3c412152 100644 --- a/config/suricata/suricata_rules.php +++ b/config/suricata/suricata_rules.php @@ -385,14 +385,16 @@ if ($savemsg) { '; echo ''; $menu_iface=($if_friendly?substr($if_friendly,0,5)." ":"Iface ");; @@ -404,7 +406,7 @@ if ($savemsg) { $tab_array[] = array($menu_iface . gettext("App Parsers"), false, "/suricata/suricata_app_parsers.php?id={$id}"); $tab_array[] = array($menu_iface . gettext("Variables"), false, "/suricata/suricata_define_vars.php?id={$id}"); $tab_array[] = array($menu_iface . gettext("Barnyard2"), false, "/suricata/suricata_barnyard.php?id={$id}"); - display_top_tabs($tab_array); + display_top_tabs($tab_array, true); ?>
diff --git a/config/suricata/suricata_rulesets.php b/config/suricata/suricata_rulesets.php index e607acc1..1259a5a7 100644 --- a/config/suricata/suricata_rulesets.php +++ b/config/suricata/suricata_rulesets.php @@ -250,14 +250,16 @@ if ($savemsg) { '; echo ''; $menu_iface=($if_friendly?substr($if_friendly,0,5)." ":"Iface "); @@ -269,7 +271,7 @@ if ($savemsg) { $tab_array[] = array($menu_iface . gettext("App Parsers"), false, "/suricata/suricata_app_parsers.php?id={$id}"); $tab_array[] = array($menu_iface . gettext("Variables"), false, "/suricata/suricata_define_vars.php?id={$id}"); $tab_array[] = array($menu_iface . gettext("Barnyard2"), false, "/suricata/suricata_barnyard.php?id={$id}"); - display_top_tabs($tab_array); + display_top_tabs($tab_array, true); ?> diff --git a/config/suricata/suricata_select_alias.php b/config/suricata/suricata_select_alias.php new file mode 100644 index 00000000..527412d1 --- /dev/null +++ b/config/suricata/suricata_select_alias.php @@ -0,0 +1,241 @@ + + + + +
+ + + + + + +
+ + + + + + + + + + + + + + + + + + + + + + +

+
+ + + + + + + + + + + + + + + + + + "; + $textse = ""; + $disable = true; + $tooltip = gettext("Aliases resolving to multiple address entries cannot be used with the destination target."); + } + elseif (($alias['type'] == "network" || $alias['type'] == "host") && + trim(filter_expand_alias($alias['name'])) == "") { + $textss = ""; + $textse = ""; + $disable = true; + $tooltip = gettext("Aliases representing a FQDN host cannot be used in Suricata configurations."); + } + else { + $textss = ""; + $textse = ""; + $disable = ""; + $selectablealias = true; + $tooltip = gettext("Selected entry will be imported. Click to toggle selection."); + } + ?> + + + + + + + + + + +
+ +
+ 10) { + echo "..."; + } + ?> + +   +
+
+ "/> +
+ "/>    + "/> +
+
+
+
+
+ + + diff --git a/config/suricata/suricata_suppress.php b/config/suricata/suricata_suppress.php index 1b833276..963486a1 100644 --- a/config/suricata/suricata_suppress.php +++ b/config/suricata/suricata_suppress.php @@ -123,10 +123,12 @@ if ($input_errors) { $tab_array[] = array(gettext("Global Settings"), false, "/suricata/suricata_global.php"); $tab_array[] = array(gettext("Update Rules"), false, "/suricata/suricata_download_updates.php"); $tab_array[] = array(gettext("Alerts"), false, "/suricata/suricata_alerts.php"); + $tab_array[] = array(gettext("Blocked"), false, "/suricata/suricata_blocked.php"); + $tab_array[] = array(gettext("Pass Lists"), false, "/suricata/suricata_passlist.php"); $tab_array[] = array(gettext("Suppress"), true, "/suricata/suricata_suppress.php"); $tab_array[] = array(gettext("Logs Browser"), false, "/suricata/suricata_logs_browser.php"); $tab_array[] = array(gettext("Logs Mgmt"), false, "/suricata/suricata_logs_mgmt.php"); - display_top_tabs($tab_array); + display_top_tabs($tab_array, true); ?> diff --git a/config/suricata/suricata_suppress_edit.php b/config/suricata/suricata_suppress_edit.php index aad67a95..25a47c87 100644 --- a/config/suricata/suricata_suppress_edit.php +++ b/config/suricata/suricata_suppress_edit.php 
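Review bot: In the new alias picker, `$disable` is assigned `true` in the two rejecting branches but `""` in the accepting branch, so the variable mixes a boolean and a string and any strict test on it later (`=== false`) would misbehave; use `$disable = false;` in the `else` branch. `$selectablealias = true;` is likewise only assigned in that branch, so it needs an initialisation before the branch if it is read unconditionally afterwards — from what is visible of this file I cannot see one.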
@@ -144,10 +144,12 @@ if ($savemsg) $tab_array[] = array(gettext("Global Settings"), false, "/suricata/suricata_global.php"); $tab_array[] = array(gettext("Update Rules"), false, "/suricata/suricata_download_updates.php"); $tab_array[] = array(gettext("Alerts"), false, "/suricata/suricata_alerts.php"); + $tab_array[] = array(gettext("Blocked"), false, "/suricata/suricata_blocked.php"); + $tab_array[] = array(gettext("Pass Lists"), false, "/suricata/suricata_passlist.php"); $tab_array[] = array(gettext("Suppress"), true, "/suricata/suricata_suppress.php"); $tab_array[] = array(gettext("Logs Browser"), false, "/suricata/suricata_logs_browser.php"); $tab_array[] = array(gettext("Logs Mgmt"), false, "/suricata/suricata_logs_mgmt.php"); - display_top_tabs($tab_array); + display_top_tabs($tab_array, true); ?>
diff --git a/config/suricata/suricata_yaml_template.inc b/config/suricata/suricata_yaml_template.inc index 07ada36e..4a2f7c85 100644 --- a/config/suricata/suricata_yaml_template.inc +++ b/config/suricata/suricata_yaml_template.inc @@ -29,6 +29,14 @@ default-log-dir: {$suricatalogdir}suricata_{$if_real}{$suricata_uuid} # Configure the type of alert (and other) logging. outputs: + # alert_pf blocking plugin + - alert-pf: + enabled: {$suri_blockoffenders} + kill-state: {$suri_killstates} + pass-list: {$suri_passlist} + block-ip: {$suri_blockip} + pf-table: {$suri_pf_table} + # a line based alerts log similar to Snort's fast.log - fast: enabled: yes -- cgit v1.2.3 From 969a7bbc18ee5f222f2e7c4c324c4a8eefc328e0 Mon Sep 17 00:00:00 2001 From: bmeeks8 Date: Fri, 25 Apr 2014 00:16:12 -0400 Subject: Add support for new block.log file from alert-pf plugin. --- config/suricata/suricata_logs_browser.php | 2 +- config/suricata/suricata_logs_mgmt.php | 30 ++++++++++++++++++++++++++++++ 2 files changed, 31 insertions(+), 1 deletion(-) (limited to 'config/suricata') diff --git a/config/suricata/suricata_logs_browser.php b/config/suricata/suricata_logs_browser.php index 609a9eb5..bbde5aeb 100644 --- a/config/suricata/suricata_logs_browser.php +++ b/config/suricata/suricata_logs_browser.php @@ -164,7 +164,7 @@ if ($input_errors) { + $l): ?> + + + + + + + + files-json gettext('NEVER'), '15m_b' => gettext('15 MINS'), '30m_b' => gettext('30 MINS'), '1h_b' => gettext('1 HOUR'), '3h_b' => gettext('3 HOURS'), '6h_b' => gettext('6 HOURS'), '12h_b' => gettext('12 HOURS'), '1d_b' => gettext('1 DAY'), '4d_b' => gettext('4 DAYS'), '7d_b' => gettext('7 DAYS'), '28d_b' => gettext('28 DAYS')); foreach ($interfaces3 as $iface3 => $ifacename3): ?> - - -   + + +  
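Review bot: The new `alert-pf` block substitutes five placeholders with no note of where they come from or what values the plugin accepts, and they are emitted as bare YAML scalars, so an unset `$suri_passlist` produces `pass-list:` with no value and leaves the interpretation to the plugin. A short comment above the block would help the next maintainer, e.g. `# Substituted from the interface's blockoffenders / blockoffenderskill / blockoffendersip / passlistname settings; pass-list is presumably the path of the generated pass list file` — the mapping to those settings is inferred from the save code elsewhere in this patch, so confirm it. It is also worth stating that `pf-table` must name the same pf table the GUI reads when listing and clearing blocked hosts.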

" . gettext("Hint:") . "" . gettext(" in most cases, 1 hour is a good choice.");?> -- cgit v1.2.3 From 0404d74878ef9dc4e015cbfdeea04f0e764b5895 Mon Sep 17 00:00:00 2001 From: bmeeks8 Date: Sun, 27 Apr 2014 12:11:13 -0400 Subject: Use block.log contents to populate BLOCKED HOSTS tab. --- config/suricata/suricata_blocked.php | 43 ++++++++++++++---------------------- 1 file changed, 17 insertions(+), 26 deletions(-) (limited to 'config/suricata') diff --git a/config/suricata/suricata_blocked.php b/config/suricata/suricata_blocked.php index 47b9a7d0..4747d98f 100644 --- a/config/suricata/suricata_blocked.php +++ b/config/suricata/suricata_blocked.php @@ -215,39 +215,29 @@ if ($savemsg) { - $blocked_msg) { $blocked_desc = implode("
", $blocked_msg); @@ -267,14 +257,15 @@ if ($savemsg) { else $counter++; + $block_ip_str = inet_ntop($blocked_ip); /* Add zero-width space as soft-break opportunity after each colon if we have an IPv6 address */ - $tmp_ip = str_replace(":", ":​", $blocked_ip); - /* Add reverse DNS lookup icons (two different links if pfSense version supports them) */ + $tmp_ip = str_replace(":", ":​", $block_ip_str); + /* Add reverse DNS lookup icons */ $rdns_link = ""; - $rdns_link .= ""; + $rdns_link .= ""; $rdns_link .= " "; - $rdns_link .= ""; + $rdns_link .= ""; $rdns_link .= ""; /* use one echo to do the magic*/ @@ -283,7 +274,7 @@ if ($savemsg) { {$tmp_ip}
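Review bot: `inet_ntop($blocked_ip)` returns `false` when `$blocked_ip` is not a valid 4- or 16-byte packed address, and the following `str_replace()` then turns that into an empty string, so a malformed entry (block.log is parsed outside this hunk, presumably) renders a row with no address and reverse-DNS links that point nowhere. Guard it before the row is built, and ahead of the `$counter` bookkeeping so a skipped entry is not counted: `$block_ip_str = inet_ntop($blocked_ip);` / `if ($block_ip_str === false) continue;`. The enclosing loop over the blocked entries starts outside this hunk, and the `echo` that uses `$tmp_ip` is in the next one.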
{$rdns_link} {$blocked_desc} - \n"; } -- cgit v1.2.3 From 66d1a76e5f20e655a7343909c382cb8098709d1e Mon Sep 17 00:00:00 2001 From: bmeeks8 Date: Sun, 27 Apr 2014 15:17:33 -0400 Subject: Fix path to the magic.mgc file for file capture function. --- config/suricata/suricata_yaml_template.inc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'config/suricata') diff --git a/config/suricata/suricata_yaml_template.inc b/config/suricata/suricata_yaml_template.inc index 4a2f7c85..4ced9059 100644 --- a/config/suricata/suricata_yaml_template.inc +++ b/config/suricata/suricata_yaml_template.inc @@ -107,7 +107,7 @@ outputs: force-md5: {$json_log_md5} # Magic file. The extension .mgc is added to the value here. -magic-file: {$suricatacfgdir}/magic +magic-file: /usr/share/misc/magic # Specify a threshold config file threshold-file: {$suricatacfgdir}/threshold.config -- cgit v1.2.3 From 06cf384a6603bc771dd91773b0d1f4347b47904b Mon Sep 17 00:00:00 2001 From: bmeeks8 Date: Sun, 27 Apr 2014 19:15:29 -0400 Subject: Add auto-prune and retention params to File Store dirs. --- config/suricata/suricata_check_cron_misc.inc | 32 +++++++++++++++++++--------- config/suricata/suricata_logs_mgmt.php | 18 ++++++++++++++++ 2 files changed, 40 insertions(+), 10 deletions(-) (limited to 'config/suricata') diff --git a/config/suricata/suricata_check_cron_misc.inc b/config/suricata/suricata_check_cron_misc.inc index b9ba3fb7..0a3bf113 100644 --- a/config/suricata/suricata_check_cron_misc.inc +++ b/config/suricata/suricata_check_cron_misc.inc 
@@ -173,19 +173,31 @@ if ($config['installedpackages']['suricata']['config'][0]['enable_log_mgmt'] == $suricata_log_dir = SURICATALOGDIR . "suricata_{$if_real}{$value['uuid']}"; foreach ($logs as $k => $p) suricata_check_rotate_log("{$suricata_log_dir}/{$k}", $p['limit']*1024, $p['retention']); - } - // Prune any aged-out Barnyard2 archived logs if any exist - if (is_dir("{$suricata_log_dir}/barnyard2/archive") && - $config['installedpackages']['suricata']['config'][0]['u2_archive_log_retention'] > 0) { - $now = time(); - $files = glob("{$suricata_log_dir}/barnyard2/archive/unified2.alert.*"); - foreach ($files as $f) { - if (($now - filemtime($f)) > ($config['installedpackages']['suricata']['config'][0]['u2_archive_log_retention'] * 3600)) - unlink_if_exists($f); + // Prune any aged-out Barnyard2 archived logs if any exist + if (is_dir("{$suricata_log_dir}/barnyard2/archive") && + $config['installedpackages']['suricata']['config'][0]['u2_archive_log_retention'] > 0) { + $now = time(); + $files = glob("{$suricata_log_dir}/barnyard2/archive/unified2.alert.*"); + foreach ($files as $f) { + if (($now - filemtime($f)) > ($config['installedpackages']['suricata']['config'][0]['u2_archive_log_retention'] * 3600)) + unlink_if_exists($f); + } + } + unset($files); + + // Prune aged-out File Store files if any exist + if (is_dir("{$suricata_log_dir}/files") && + $config['installedpackages']['suricata']['config'][0]['file_store_retention'] > 0) { + $now = time(); + $files = glob("{$suricata_log_dir}/files/file.*"); + foreach ($files as $f) { + if (($now - filemtime($f)) > ($config['installedpackages']['suricata']['config'][0]['file_store_retention'] * 3600)) + unlink_if_exists($f); + } } + unset($files); } - unset($files); } // Check the overall log directory limit (if enabled) and prune if necessary diff --git a/config/suricata/suricata_logs_mgmt.php b/config/suricata/suricata_logs_mgmt.php index d02d708c..577cd510 100644 --- a/config/suricata/suricata_logs_mgmt.php 
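Review bot: The Barnyard2 archive and File Store prune loops in this hunk are copy-pasted with only the glob pattern and the config key differing, and neither checks `glob()` for `false` (it returns `false` on error rather than an empty array, which makes the `foreach` emit a warning). A small helper, defined at the file's top level rather than inside the `enable_log_mgmt` conditional so it is hoisted, removes the duplication and centralises the retention and glob checks; both call sites then collapse to one statement each. The enclosing `foreach` over the interfaces starts outside this hunk.
```php
// Delete files matching $pattern whose mtime is older than $retention_hours (0 = keep forever).
function suricata_prune_aged_files($pattern, $retention_hours) {
	if ($retention_hours <= 0)
		return;
	$files = glob($pattern);
	if ($files === false)
		return;
	$now = time();
	foreach ($files as $f) {
		if (($now - filemtime($f)) > ($retention_hours * 3600))
			unlink_if_exists($f);
	}
}

// … unchanged: per-interface $suricata_log_dir and suricata_check_rotate_log() loop …
		// Prune aged-out Barnyard2 archived logs and File Store files, if retention is enabled
		suricata_prune_aged_files("{$suricata_log_dir}/barnyard2/archive/unified2.alert.*",
		    $config['installedpackages']['suricata']['config'][0]['u2_archive_log_retention']);
		suricata_prune_aged_files("{$suricata_log_dir}/files/file.*",
		    $config['installedpackages']['suricata']['config'][0]['file_store_retention']);
```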
+++ b/config/suricata/suricata_logs_mgmt.php @@ -56,6 +56,7 @@ $pconfig['tls_log_limit_size'] = $config['installedpackages']['suricata']['confi $pconfig['tls_log_retention'] = $config['installedpackages']['suricata']['config'][0]['tls_log_retention']; $pconfig['unified2_log_limit'] = $config['installedpackages']['suricata']['config'][0]['unified2_log_limit']; $pconfig['u2_archive_log_retention'] = $config['installedpackages']['suricata']['config'][0]['u2_archive_log_retention']; +$pconfig['file_store_retention'] = $config['installedpackages']['suricata']['config'][0]['file_store_retention']; // Load up some arrays with selection values (we use these later). // The keys in the $retentions array are the retention period @@ -91,6 +92,8 @@ if (empty($pconfig['tls_log_retention'])) $pconfig['tls_log_retention'] = "336"; if (empty($pconfig['u2_archive_log_retention'])) $pconfig['u2_archive_log_retention'] = "168"; +if (empty($pconfig['file_store_retention'])) + $pconfig['file_store_retention'] = "168"; // Set default log file size limits if (empty($pconfig['alert_log_limit_size'])) @@ -137,6 +140,7 @@ if ($_POST["save"]) { $config['installedpackages']['suricata']['config'][0]['tls_log_retention'] = $_POST['tls_log_retention']; $config['installedpackages']['suricata']['config'][0]['unified2_log_limit'] = $_POST['unified2_log_limit']; $config['installedpackages']['suricata']['config'][0]['u2_archive_log_retention'] = $_POST['u2_archive_log_retention']; + $config['installedpackages']['suricata']['config'][0]['file_store_retention'] = $_POST['file_store_retention']; write_config(); sync_suricata_package_config(); @@ -415,6 +419,19 @@ if ($input_errors) gettext("remain in the archive folder before they are automatically deleted.");?> + + +  " . gettext("7 days."). "";?>
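Review bot: `$_POST['file_store_retention']` is written straight into the configuration in the `-137,6` hunk without being checked against the choices the form offers (presumably the `$retentions` array described in the `-56,6` hunk), so an arbitrary value lands in config.xml and is later multiplied by 3600 by the cron prune code. Add a check alongside the other input validation: `if (!array_key_exists($_POST['file_store_retention'], $retentions)) $input_errors[] = gettext("Invalid File Store retention period.");`. Whether the sibling retention fields are validated is not visible in this hunk; if they are not, the same check applies to them. The `if ($_POST["save"])` block starts outside the hunk.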

+ + +
@@ -444,6 +461,7 @@ function enable_change() { document.iform.tls_log_retention.disabled = endis; document.iform.unified2_log_limit.disabled = endis; document.iform.u2_archive_log_retention.disabled = endis; + document.iform.file_store_retention.disabled = endis; } function enable_change_dirSize() { -- cgit v1.2.3