From f5db56193887749bc9998218f0aa3b91723f249d Mon Sep 17 00:00:00 2001 From: bmeeks8 Date: Thu, 20 Feb 2014 12:54:50 -0500 Subject: Fix custom rules clear bug and enable custom rule testing. --- config/suricata/suricata_rules.php | 34 +++++++++++++++++----------------- 1 file changed, 17 insertions(+), 17 deletions(-) (limited to 'config') diff --git a/config/suricata/suricata_rules.php b/config/suricata/suricata_rules.php index b848b4e8..94e43fc7 100644 --- a/config/suricata/suricata_rules.php +++ b/config/suricata/suricata_rules.php @@ -49,11 +49,8 @@ if (is_null($id)) { } if (isset($id) && $a_rule[$id]) { - $pconfig['enable'] = $a_rule[$id]['enable']; $pconfig['interface'] = $a_rule[$id]['interface']; $pconfig['rulesets'] = $a_rule[$id]['rulesets']; - if (!empty($a_rule[$id]['customrules'])) - $pconfig['customrules'] = base64_decode($a_rule[$id]['customrules']); } function truncate($string, $length) { @@ -357,26 +354,29 @@ if ($_POST['clear']) { } if ($_POST['customrules']) { - $a_rule[$id]['customrules'] = base64_encode($_POST['customrules']); + if ($_POST['customrules']) + $a_rule[$id]['customrules'] = base64_encode($_POST['customrules']); + else + unset($a_rule[$id]['customrules']); write_config(); $rebuild_rules = true; suricata_generate_yaml($a_rule[$id]); $rebuild_rules = false; $output = ""; $retcode = ""; -// exec("/usr/local/bin/snort -T -c {$snortdir}/snort_{$snort_uuid}_{$if_real}/snort.conf 2>&1", $output, $retcode); -// if (intval($retcode) != 0) { -// $error = ""; -// $start = count($output); -// $end = $start - 4; -// for($i = $start; $i > $end; $i--) -// $error .= $output[$i]; -// $input_errors[] = "Custom rules have errors:\n {$error}"; -// } -// else { -// header("Location: /snort/snort_rules.php?id={$id}&openruleset={$currentruleset}"); -// exit; -// } + exec("/usr/local/bin/suricata -T --init-errors-fatal -c {$suricatacfgdir}/suricata.yaml 2>&1", $output, $retcode); + if (intval($retcode) != 0) { + $error = ""; + $start = count($output); + $end = $start - 4; + for($i = $start; $i > $end; $i--) + $error .= $output[$i]; + $input_errors[] = "Custom rules have errors:\n {$error}"; + } + else { + header("Location: /suricata/suricata_rules.php?id={$id}&openruleset={$currentruleset}"); + exit; + } } else if ($_POST['apply']) { -- cgit v1.2.3 From f8f2d8493be025464627ba990133a542bd071700 Mon Sep 17 00:00:00 2001 From: bmeeks8 Date: Thu, 20 Feb 2014 15:32:18 -0500 Subject: unlink() can't delete directory, use "/bin/rm -rf" instead. --- config/suricata/suricata_uninstall.php | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) (limited to 'config') diff --git a/config/suricata/suricata_uninstall.php b/config/suricata/suricata_uninstall.php index 071a89a4..0a7f8d5a 100644 --- a/config/suricata/suricata_uninstall.php +++ b/config/suricata/suricata_uninstall.php @@ -73,8 +73,8 @@ if ($config['installedpackages']['suricata']['config'][0]['clearlogs'] == 'on') } /* Remove the Suricata GUI app directories */ -@unlink("/usr/local/pkg/suricata"); -@unlink("/usr/local/www/suricata"); +mwexec("/bin/rm -rf /usr/local/pkg/suricata"); +mwexec("/bin/rm -rf /usr/local/www/suricata"); /* Keep this as a last step */ if ($config['installedpackages']['suricata']['config'][0]['forcekeepsettings'] != 'on') { @@ -83,7 +83,6 @@ if ($config['installedpackages']['suricata']['config'][0]['forcekeepsettings'] ! unset($config['installedpackages']['suricatasync']); @unlink("{$suricata_rules_upd_log}"); mwexec("/bin/rm -rf {$suricatalogdir}"); - @unlink(SURICATALOGDIR); log_error(gettext("[Suricata] The package has been removed from this system...")); } -- cgit v1.2.3 From 4d68da5d12cc272337f38d338913f66a8c703898 Mon Sep 17 00:00:00 2001 From: bmeeks8 Date: Fri, 21 Feb 2014 14:44:36 -0500 Subject: Remove use of $_GET wherever possible for security. --- config/suricata/suricata_interfaces.php | 6 ++++++ config/suricata/suricata_interfaces_edit.php | 27 ++++++++------------------- 2 files changed, 14 insertions(+), 19 deletions(-) (limited to 'config') diff --git a/config/suricata/suricata_interfaces.php b/config/suricata/suricata_interfaces.php index 26ccada3..364abe62 100644 --- a/config/suricata/suricata_interfaces.php +++ b/config/suricata/suricata_interfaces.php @@ -449,6 +449,12 @@ if ($pfsense_stable == 'yes') diff --git a/config/suricata/suricata_interfaces_edit.php b/config/suricata/suricata_interfaces_edit.php index b1e05f99..20deb885 100644 --- a/config/suricata/suricata_interfaces_edit.php +++ b/config/suricata/suricata_interfaces_edit.php @@ -40,7 +40,7 @@ if (!is_array($config['installedpackages']['suricata']['rule'])) $config['installedpackages']['suricata']['rule'] = array(); $a_rule = &$config['installedpackages']['suricata']['rule']; -if ($_GET['id'] && is_numeric($_POST['id'])); +if ($_GET['id'] && is_numeric($_GET['id'])); $id = htmlspecialchars($_GET['id'], ENT_QUOTES | ENT_HTML401); if ($_POST['id'] && is_numeric($_POST['id'])) $id = $_POST['id']; diff --git a/config/suricata/suricata_rules.php b/config/suricata/suricata_rules.php index 94e43fc7..428bc9be 100644 --- a/config/suricata/suricata_rules.php +++ b/config/suricata/suricata_rules.php @@ -40,7 +40,8 @@ if (!is_array($config['installedpackages']['suricata']['rule'])) $config['installedpackages']['suricata']['rule'] = array(); $a_rule = &$config['installedpackages']['suricata']['rule']; -$id = $_GET['id']; +if (is_numeric($_GET['id'])) + $id = $_GET['id']; if (isset($_POST['id'])) $id = $_POST['id']; if (is_null($id)) { @@ -108,7 +109,7 @@ $etpro = $config['installedpackages']['suricata']['config'][0]['enable_etpro_rul $categories = explode("||", $pconfig['rulesets']); if ($_GET['openruleset']) - $currentruleset = $_GET['openruleset']; + $currentruleset = htmlspecialchars($_GET['openruleset'], ENT_QUOTES | ENT_HTML401); else if ($_POST['openruleset']) $currentruleset = $_POST['openruleset']; else -- cgit v1.2.3 From dba0780dfe6de88f84f7c78a64a8f3eb60fecee3 Mon Sep 17 00:00:00 2001 From: bmeeks8 Date: Sat, 22 Feb 2014 11:16:57 -0500 Subject: Fix it so all ET-Open rules files get correct prefix. --- config/suricata/suricata_check_for_rule_updates.php | 20 +++++++++++++++----- 1 file changed, 15 insertions(+), 5 deletions(-) (limited to 'config') diff --git a/config/suricata/suricata_check_for_rule_updates.php b/config/suricata/suricata_check_for_rule_updates.php index 9aa14f6e..280add7a 100644 --- a/config/suricata/suricata_check_for_rule_updates.php +++ b/config/suricata/suricata_check_for_rule_updates.php @@ -431,17 +431,27 @@ if ($emergingthreats == 'on') { array_map('unlink', glob("{$suricatadir}rules/{$eto_prefix}*ips.txt")); array_map('unlink', glob("{$suricatadir}rules/{$etpro_prefix}*ips.txt")); - // The code below renames ET-Pro files with a prefix, so we + // The code below renames ET files with a prefix, so we // skip renaming the Suricata default events rule files - // that are also bundled in the ET-Pro rules. + // that are also bundled in the ET rules. $default_rules = array( "decoder-events.rules", "files.rules", "http-events.rules", "smtp-events.rules", "stream-events.rules" ); $files = glob("{$tmpfname}/emerging/rules/*.rules"); + // Determine the correct prefix to use based on which + // Emerging Threats rules package is enabled. + if ($etpro == "on") + $prefix = ET_PRO_FILE_PREFIX; + else + $prefix = ET_OPEN_FILE_PREFIX; foreach ($files as $file) { $newfile = basename($file); - if ($etpro == "on" && !in_array($newfile, $default_rules)) - @copy($file, "{$suricatadir}rules/" . ET_PRO_FILE_PREFIX . "{$newfile}"); - else + if (in_array($newfile, $default_rules)) @copy($file, "{$suricatadir}rules/{$newfile}"); + else { + if (strpos($newfile, $prefix) === FALSE) + @copy($file, "{$suricatadir}rules/{$prefix}{$newfile}"); + else + @copy($file, "{$suricatadir}rules/{$newfile}"); + } } /* IP lists for Emerging Threats rules */ $files = glob("{$tmpfname}/emerging/rules/*ips.txt"); -- cgit v1.2.3 From c1717f2d9752d19c54e86e1bcb6cb81f5b253710 Mon Sep 17 00:00:00 2001 From: bmeeks8 Date: Mon, 24 Feb 2014 00:45:10 -0500 Subject: Bug fixes and replace $_GET with $_POST where possible. --- config/suricata/suricata_alerts.php | 12 +- config/suricata/suricata_app_parsers.php | 145 +++++++++----- config/suricata/suricata_download_updates.php | 18 +- config/suricata/suricata_flow_stream.php | 144 +++++++++----- config/suricata/suricata_global.php | 12 +- config/suricata/suricata_import_aliases.php | 191 ++++-------------- config/suricata/suricata_interfaces_edit.php | 43 ++-- config/suricata/suricata_libhtp_policy_engine.php | 12 +- config/suricata/suricata_os_policy_engine.php | 12 +- config/suricata/suricata_rules.php | 228 +++++++++------------- config/suricata/suricata_rulesets.php | 60 ++---- 11 files changed, 408 insertions(+), 469 deletions(-) (limited to 'config') diff --git a/config/suricata/suricata_alerts.php b/config/suricata/suricata_alerts.php index 2f23260b..3fc39f36 100644 --- a/config/suricata/suricata_alerts.php +++ b/config/suricata/suricata_alerts.php @@ -208,9 +208,11 @@ if (($_POST['addsuppress_srcip'] || $_POST['addsuppress_dstip'] || $_POST['addsu exit; } - /* Add the new entry to the Suppress List */ - if (suricata_add_supplist_entry($suppress)) + /* Add the new entry to the Suppress List and signal Suricata to reload config */ + if (suricata_add_supplist_entry($suppress)) { + suricata_reload_config($a_instance[$instanceid]); $savemsg = $success; + } else $input_errors[] = gettext("Suppress List '{$a_instance[$instanceid]['suppresslistname']}' is defined for this interface, but it could not be found!"); } @@ -547,11 +549,11 @@ if (file_exists("/var/log/suricata/suricata_{$if_real}{$suricata_uuid}/alerts.lo {$alert_priority} {$alert_proto} {$alert_class} - {$alert_ip_src} + {$alert_ip_src} {$alert_src_p} - {$alert_ip_dst} + {$alert_ip_dst} {$alert_dst_p} - {$alert_sid_str}
{$sidsupplink}  {$sid_dsbl_link} + {$alert_sid_str}
{$sidsupplink}  {$sid_dsbl_link} {$alert_descr} \n"; diff --git a/config/suricata/suricata_app_parsers.php b/config/suricata/suricata_app_parsers.php index 0be45c32..1706f04a 100644 --- a/config/suricata/suricata_app_parsers.php +++ b/config/suricata/suricata_app_parsers.php @@ -28,7 +28,6 @@ * POSSIBILITY OF SUCH DAMAGE. */ - require_once("guiconfig.inc"); require_once("/usr/local/pkg/suricata/suricata.inc"); @@ -37,10 +36,8 @@ global $g, $rebuild_rules; $id = $_GET['id']; if (isset($_POST['id'])) $id = $_POST['id']; -if (is_null($id)) { - header("Location: /suricata/suricata_interfaces.php"); - exit; -} +if (is_null($id)) + $id = 0; if (!is_array($config['installedpackages']['suricata'])) $config['installedpackages']['suricata'] = array(); @@ -51,10 +48,21 @@ if (!is_array($config['installedpackages']['suricata']['rule'])) if (!is_array($config['installedpackages']['suricata']['rule'][$id]['libhtp_policy']['item'])) $config['installedpackages']['suricata']['rule'][$id]['libhtp_policy']['item'] = array(); +// Initialize required array variables as necessary +if (!is_array($config['aliases']['alias'])) + $config['aliases']['alias'] = array(); +$a_aliases = $config['aliases']['alias']; + $a_nat = &$config['installedpackages']['suricata']['rule']; $libhtp_engine_next_id = count($a_nat[$id]['libhtp_policy']['item']); +// Build a lookup array of currently used engine 'bind_to' Aliases +// so we can screen matching Alias names from the list. +$used = array(); +foreach ($a_nat[$id]['host_os_policy']['item'] as $v) + $used[$v['bind_to']] = true; + $pconfig = array(); if (isset($id) && $a_nat[$id]) { /* Get current values from config for page form fields */ @@ -78,29 +86,32 @@ if (isset($id) && $a_nat[$id]) { $pconfig['libhtp_policy'] = $a_nat[$id]['libhtp_policy']; } -// Check for returned "selected alias" if action is import -if ($_GET['act'] == "import" && isset($_GET['varname']) && !empty($_GET['varvalue'])) { - $pconfig[$_GET['varname']] = $_GET['varvalue']; +// Check for "import alias mode" and set flag if TRUE +if ($_POST['import_alias']) { + $importalias = true; + $title = "HTTP Server Policy"; } +else + $importalias = false; -if ($_GET['act'] && isset($_GET['eng_id'])) { - +if ($_POST['add_libhtp_policy']) { + header("Location: suricata_libhtp_policy_engine.php?id={$id}&eng_id={$libhtp_engine_next_id}"); + exit; +} +elseif ($_POST['del_libhtp_policy']) { $natent = array(); $natent = $pconfig; - if ($_GET['act'] == "del_libhtp_policy") - unset($natent['libhtp_policy']['item'][$_GET['eng_id']]); - + if ($_POST['eng_id'] != "") { + unset($natent['libhtp_policy']['item'][$_POST['eng_id']]); + $pconfig = $natent; + } if (isset($id) && $a_nat[$id]) { $a_nat[$id] = $natent; write_config(); } - - header("Location: /suricata/suricata_app_parsers.php?id=$id"); - exit; } - -if ($_POST['ResetAll']) { +elseif ($_POST['ResetAll']) { /* Reset all the settings to defaults */ $pconfig['asn1_max_frames'] = "256"; @@ -108,7 +119,57 @@ if ($_POST['ResetAll']) { /* Log a message at the top of the page to inform the user */ $savemsg = gettext("All flow and stream settings have been reset to their defaults."); } -elseif ($_POST['Submit']) { +elseif ($_POST['save_import_alias']) { + $engine = array( "name" => "", "bind_to" => "", "personality" => "IDS", + "request-body-limit" => "4096", "response-body-limit" => "4096", + "double-decode-path" => "no", "double-decode-query" => "no" ); + + // See if anything was checked to import + if (is_array($_POST['aliastoimport']) && count($_POST['aliastoimport']) > 0) { + foreach ($_POST['aliastoimport'] as $item) { + $engine['name'] = strtolower($item); + $engine['bind_to'] = $item; + $a_nat[$id]['libhtp_policy']['item'][] = $engine; + } + } + else { + $input_errors[] = gettext("No entries were selected for import. Please select one or more Aliases for import and click SAVE."); + $importalias = true; + } + + // if no errors, write new entry to conf + if (!$input_errors) { + // Reorder the engine array to ensure the + // 'bind_to=all' entry is at the bottom if + // the array contains more than one entry. + if (count($a_nat[$id]['libhtp_policy']['item']) > 1) { + $i = -1; + foreach ($a_nat[$id]['libhtp_policy']['item'] as $f => $v) { + if ($v['bind_to'] == "all") { + $i = $f; + break; + } + } + // Only relocate the entry if we + // found it, and it's not already + // at the end. + if ($i > -1 && ($i < (count($a_nat[$id]['libhtp_policy']['item']) - 1))) { + $tmp = $a_nat[$id]['libhtp_policy']['item'][$i]; + unset($a_nat[$id]['libhtp_policy']['item'][$i]); + $a_nat[$id]['libhtp_policy']['item'][] = $tmp; + } + $pconfig['libhtp_policy']['item'] = $a_nat[$id]['libhtp_policy']['item']; + } + + // Write the new engine array to config file + write_config(); + $importalias = false; + } +} +elseif ($_POST['cancel_import_alias']) { + $importalias = false; +} +elseif ($_POST['save']) { $natent = array(); $natent = $pconfig; @@ -149,29 +210,19 @@ include_once("head.inc"); ?> - -' . $pgtitle . '

';} - - - /* Display Alert message */ - + - - - -
+ + +
+ + + + + @@ -231,11 +287,9 @@ include_once("head.inc"); - @@ -247,8 +301,8 @@ include_once("head.inc"); "> "all") : ?> - - ">
- "> - - "/> + ">
  - "> -      +     
+ + +
diff --git a/config/suricata/suricata_download_updates.php b/config/suricata/suricata_download_updates.php index ecfd5f8b..200bc834 100644 --- a/config/suricata/suricata_download_updates.php +++ b/config/suricata/suricata_download_updates.php @@ -91,6 +91,9 @@ if ($_POST['view']&& $suricata_rules_upd_log_chk == 'yes') { $input_errors[] = gettext("Unable to read log file: {$suricata_rules_upd_log}"); } +if ($_POST['hide']) + $contents = ""; + $pgtitle = gettext("Suricata: Update Rules Set Files"); include_once("head.inc"); ?> @@ -174,15 +177,20 @@ include_once("head.inc");
+ + " name="hide" id="hide" class="formbtn" + title=""/> + " name="view" id="view" class="formbtn" - title=""/> -            + title=""/> + +          " name="clear" id="clear" class="formbtn" - title="" onClick="return confirm('Are you sure?\nOK to confirm, or CANCEL to quit');"/> + title="" onClick="return confirm('Are you sure?\nOK to confirm, or CANCEL to quit');"/>

-    
+




@@ -201,7 +209,7 @@ include_once("head.inc"); -

+
  " . gettext(" and ") . "" . gettext("EmergingThreats.net") . "" . diff --git a/config/suricata/suricata_flow_stream.php b/config/suricata/suricata_flow_stream.php index 3a677d3a..6d5134c3 100644 --- a/config/suricata/suricata_flow_stream.php +++ b/config/suricata/suricata_flow_stream.php @@ -28,7 +28,6 @@ * POSSIBILITY OF SUCH DAMAGE. */ - require_once("guiconfig.inc"); require_once("/usr/local/pkg/suricata/suricata.inc"); @@ -37,16 +36,19 @@ global $g, $rebuild_rules; $id = $_GET['id']; if (isset($_POST['id'])) $id = $_POST['id']; -if (is_null($id)) { - header("Location: /suricata/suricata_interfaces.php"); - exit; -} +if (is_null($id)) + $id=0; if (!is_array($config['installedpackages']['suricata'])) $config['installedpackages']['suricata'] = array(); if (!is_array($config['installedpackages']['suricata']['rule'])) $config['installedpackages']['suricata']['rule'] = array(); +// Initialize required array variables as necessary +if (!is_array($config['aliases']['alias'])) + $config['aliases']['alias'] = array(); +$a_aliases = $config['aliases']['alias']; + // Initialize Host-OS Policy engine arrays if necessary if (!is_array($config['installedpackages']['suricata']['rule'][$id]['host_os_policy']['item'])) $config['installedpackages']['suricata']['rule'][$id]['host_os_policy']['item'] = array(); @@ -55,6 +57,12 @@ $a_nat = &$config['installedpackages']['suricata']['rule']; $host_os_policy_engine_next_id = count($a_nat[$id]['host_os_policy']['item']); +// Build a lookup array of currently used engine 'bind_to' Aliases +// so we can screen matching Alias names from the list. +$used = array(); +foreach ($a_nat[$id]['host_os_policy']['item'] as $v) + $used[$v['bind_to']] = true; + $pconfig = array(); if (isset($id) && $a_nat[$id]) { /* Get current values from config for page form fields */ @@ -76,29 +84,32 @@ if (isset($id) && $a_nat[$id]) { $pconfig['host_os_policy'] = $a_nat[$id]['host_os_policy']; } -// Check for returned "selected alias" if action is import -if ($_GET['act'] == "import" && isset($_GET['varname']) && !empty($_GET['varvalue'])) { - $pconfig[$_GET['varname']] = $_GET['varvalue']; +// Check for "import alias mode" and set flag if TRUE +if ($_POST['import_alias']) { + $importalias = true; + $title = "Host Operating System Policy"; } +else + $importalias = false; -if ($_GET['act'] && isset($_GET['eng_id'])) { - +if ($_POST['add_os_policy']) { + header("Location: suricata_os_policy_engine.php?id={$id}&eng_id={$host_os_policy_engine_next_id}"); + exit; +} +elseif ($_POST['del_os_policy']) { $natent = array(); $natent = $pconfig; - if ($_GET['act'] == "del_host_os_policy") - unset($natent['host_os_policy']['item'][$_GET['eng_id']]); - + if ($_POST['eng_id'] != "") { + unset($natent['host_os_policy']['item'][$_POST['eng_id']]); + $pconfig = $natent; + } if (isset($id) && $a_nat[$id]) { $a_nat[$id] = $natent; write_config(); } - - header("Location: /suricata/suricata_flow_stream.php?id=$id"); - exit; } - -if ($_POST['ResetAll']) { +elseif ($_POST['ResetAll']) { /* Reset all the settings to defaults */ $pconfig['ip_max_frags'] = "65535"; @@ -143,7 +154,7 @@ if ($_POST['ResetAll']) { /* Log a message at the top of the page to inform the user */ $savemsg = gettext("All flow and stream settings have been reset to their defaults."); } -elseif ($_POST['Submit']) { +elseif ($_POST['save']) { $natent = array(); $natent = $pconfig; @@ -211,6 +222,54 @@ elseif ($_POST['Submit']) { exit; } } +elseif ($_POST['save_import_alias']) { + $engine = array( "name" => "", "bind_to" => "", "policy" => "bsd" ); + + // See if anything was checked to import + if (is_array($_POST['aliastoimport']) && count($_POST['aliastoimport']) > 0) { + foreach ($_POST['aliastoimport'] as $item) { + $engine['name'] = strtolower($item); + $engine['bind_to'] = $item; + $a_nat[$id]['host_os_policy']['item'][] = $engine; + } + } + else { + $input_errors[] = gettext("No entries were selected for import. Please select one or more Aliases for import and click SAVE."); + $importalias = true; + } + + // if no errors, write new entry to conf + if (!$input_errors) { + // Reorder the engine array to ensure the + // 'bind_to=all' entry is at the bottom if + // the array contains more than one entry. + if (count($a_nat[$id]['host_os_policy']['item']) > 1) { + $i = -1; + foreach ($a_nat[$id]['host_os_policy']['item'] as $f => $v) { + if ($v['bind_to'] == "all") { + $i = $f; + break; + } + } + // Only relocate the entry if we + // found it, and it's not already + // at the end. + if ($i > -1 && ($i < (count($a_nat[$id]['host_os_policy']['item']) - 1))) { + $tmp = $a_nat[$id]['host_os_policy']['item'][$i]; + unset($a_nat[$id]['host_os_policy']['item'][$i]); + $a_nat[$id]['host_os_policy']['item'][] = $tmp; + } + $pconfig['host_os_policy']['item'] = $a_nat[$id]['host_os_policy']['item']; + } + + // Write the new engine array to config file + write_config(); + $importalias = false; + } +} +elseif ($_POST['cancel_import_alias']) { + $importalias = false; +} $if_friendly = convert_friendly_interface_to_friendly_descr($pconfig['interface']); $pgtitle = gettext("Suricata: Interface {$if_friendly} - Flow and Stream"); @@ -218,29 +277,21 @@ include_once("head.inc"); ?> - -' . $pgtitle . '

';} - - - /* Display Alert message */ + - - +
+ + -
+ + + + + @@ -284,12 +340,10 @@ include_once("head.inc"); - + $v): ?> @@ -300,9 +354,9 @@ include_once("head.inc"); "> "all") : ?> - - "> + "/> "> @@ -314,7 +368,6 @@ include_once("head.inc"); - @@ -603,7 +656,7 @@ include_once("head.inc");
- "> - - ">"/> + "/>
  - ">     
+ + +
diff --git a/config/suricata/suricata_global.php b/config/suricata/suricata_global.php index f6b5d83d..3ba84736 100644 --- a/config/suricata/suricata_global.php +++ b/config/suricata/suricata_global.php @@ -28,7 +28,6 @@ * POSSIBILITY OF SUCH DAMAGE. */ - require_once("guiconfig.inc"); require_once("/usr/local/pkg/suricata/suricata.inc"); @@ -59,7 +58,6 @@ if (empty($pconfig['suricataloglimitsize'])) // Set limit to 20% of slice that is unused */ $pconfig['suricataloglimitsize'] = round(exec('df -k /var | grep -v "Filesystem" | awk \'{print $4}\'') * .20 / 1024); - if ($_POST['autoruleupdatetime']) { if (!preg_match('/^([01]?[0-9]|2[0-3]):?([0-5][0-9])$/', $_POST['autoruleupdatetime'])) $input_errors[] = "Invalid Rule Update Start Time! Please supply a value in 24-hour format as 'HH:MM'."; @@ -73,7 +71,7 @@ if ($_POST['enable_etpro_rules'] == "on" && empty($_POST['etprocode'])) /* if no errors move foward with save */ if (!$input_errors) { - if ($_POST["Submit"]) { + if ($_POST["save"]) { $config['installedpackages']['suricata']['config'][0]['enable_vrt_rules'] = $_POST['enable_vrt_rules'] ? 'on' : 'off'; $config['installedpackages']['suricata']['config'][0]['snortcommunityrules'] = $_POST['snortcommunityrules'] ? 'on' : 'off'; @@ -388,14 +386,10 @@ if ($input_errors) >  - - - - + -   -   +   diff --git a/config/suricata/suricata_import_aliases.php b/config/suricata/suricata_import_aliases.php index c16ac65d..a93d2d64 100644 --- a/config/suricata/suricata_import_aliases.php +++ b/config/suricata/suricata_import_aliases.php @@ -1,5 +1,4 @@ system global variables array + $config --> global variable pointing to configuration information + $a_aliases --> $config['aliases']['alias'] array + $title --> title string for import alias engine type + $used --> array of currently used engine 'bind_to' Alias names -// Used to track if any selectable Aliases are found -$selectablealias = false; - -// Initialize required array variables as necessary -if (!is_array($config['aliases']['alias'])) - $config['aliases']['alias'] = array(); -$a_aliases = $config['aliases']['alias']; -if (!is_array($config['installedpackages']['suricata']['rule'])) - $config['installedpackages']['suricata']['rule'] = array(); - -// The $eng variable points to the specific Suricata config section -// engine we are importing values into. Initialize the config.xml -// array if necessary. -if (!is_array($config['installedpackages']['suricata']['rule'][$id][$eng]['item'])) - $config['installedpackages']['suricata']['rule'][$id][$eng]['item'] = array(); - -// Initialize a pointer to the Suricata config section engine we are -// importing values into. -$a_nat = &$config['installedpackages']['suricata']['rule'][$id][$eng]['item']; - -// Build a lookup array of currently used engine 'bind_to' Aliases -// so we can screen matching Alias names from the list. -$used = array(); -foreach ($a_nat as $v) - $used[$v['bind_to']] = true; - -// Construct the correct return URL based on the Suricata config section -// engine we were called with. This lets us return to the page we were -// called from. -switch ($eng) { - case "host_os_policy": - $returl = "/suricata/suricata_flow_stream.php"; - $multi_ip = true; - $title = "Host Operating System Policy"; - break; - case "libhtp_policy": - $returl = "/suricata/suricata_app_parsers.php"; - $multi_ip = true; - $title = "HTTP Server Policy"; - break; - default: - $returl = "/suricata/suricata_interface_edit"; - $multi_ip = true; - $title = ""; -} - -if ($_POST['cancel']) { - header("Location: {$returl}?id={$id}"); - exit; -} - -if ($_POST['save']) { - - // Define default engine configurations for each of the supported engines. - $def_os_policy = array( "name" => "", "bind_to" => "", "policy" => "bsd" ); - - $def_libhtp_policy = array( "name" => "default", "bind_to" => "all", "personality" => "IDS", - "request-body-limit" => 4096, "response-body-limit" => 4096, - "double-decode-path" => "no", "double-decode-query" => "no" ); - - // Figure out which engine type we are importing and set up default engine array - $engine = array(); - switch ($eng) { - case "host_os_policy": - $engine = $def_os_policy; - break; - case "libhtp_policy": - $engine = $def_libhtp_policy; - break; - default: - $engine = ""; - $input_errors[] = gettext("Invalid ENGINE TYPE passed in query string. Aborting operation."); - } - - // See if anything was checked to import - if (is_array($_POST['toimport']) && count($_POST['toimport']) > 0) { - foreach ($_POST['toimport'] as $item) { - $engine['name'] = strtolower($item); - $engine['bind_to'] = $item; - $a_nat[] = $engine; - } - } - else - $input_errors[] = gettext("No entries were selected for import. Please select one or more Aliases for import and click SAVE."); - - // if no errors, write new entry to conf - if (!$input_errors) { - // Reorder the engine array to ensure the - // 'bind_to=all' entry is at the bottom if - // the array contains more than one entry. - if (count($a_nat) > 1) { - $i = -1; - foreach ($a_nat as $f => $v) { - if ($v['bind_to'] == "all") { - $i = $f; - break; - } - } - // Only relocate the entry if we - // found it, and it's not already - // at the end. - if ($i > -1 && ($i < (count($a_nat) - 1))) { - $tmp = $a_nat[$i]; - unset($a_nat[$i]); - $a_nat[] = $tmp; - } - } - - // Now write the new engine array to conf and return - write_config(); - - header("Location: {$returl}?id={$id}"); - exit; - } -} - -$pgtitle = gettext("Suricata: Import Host/Network Alias for {$title}"); -include("head.inc"); + Information is returned from this page via the following form fields: + aliastoimport[] --> checkbox array containing selected alias names + save_import_alias --> Submit button for save operation and exit + cancel_import_alias --> Submit button to cancel operation and exit + ************************************************************************************/ ?> - - -
- - - -
- + +
- - + @@ -723,15 +718,13 @@ include_once("head.inc"); - - - - @@ -849,11 +842,11 @@ function enable_change(enable_change) { document.iform.alertsystemlog.disabled = endis; document.iform.externallistname.disabled = endis; document.iform.homelistname.disabled = endis; - document.iform.whitelistname.disabled=endis; +// document.iform.whitelistname.disabled=endis; document.iform.suppresslistname.disabled = endis; document.iform.configpassthru.disabled = endis; document.iform.btnHomeNet.disabled=endis; - document.iform.btnWhitelist.disabled=endis; +// document.iform.btnWhitelist.disabled=endis; document.iform.btnSuppressList.disabled=endis; } diff --git a/config/suricata/suricata_libhtp_policy_engine.php b/config/suricata/suricata_libhtp_policy_engine.php index e7cf4135..ec00bbb2 100644 --- a/config/suricata/suricata_libhtp_policy_engine.php +++ b/config/suricata/suricata_libhtp_policy_engine.php @@ -43,6 +43,10 @@ if (is_null($id)) { header("Location: /suricata/suricata_interfaces.php"); exit; } +if (is_null($eng_id)) { + header("Location: /suricata/suricata_app_parsers.php?id={$id}"); + exit; +} if (!is_array($config['installedpackages']['suricata']['rule'])) $config['installedpackages']['suricata']['rule'] = array(); @@ -71,7 +75,7 @@ else { $pconfig['personality'] = "IDS"; } -if ($_POST['Cancel']) { +if ($_POST['cancel']) { header("Location: /suricata/suricata_app_parsers.php?id={$id}"); exit; } @@ -82,7 +86,7 @@ if ($_GET['act'] == "import") { $pconfig[$_GET['varname']] = $_GET['varvalue']; } -if ($_POST['Submit']) { +if ($_POST['save']) { /* Grab all the POST values and save in new temp array */ $engine = array(); @@ -279,10 +283,10 @@ if ($savemsg)

+
+ @@ -221,7 +99,7 @@ include("head.inc"); - + - + - - -
@@ -244,29 +122,26 @@ include("head.inc");
- "/> + + "/>
- "/>    - "/> + + "/>   + "/>
+
- - - - - + + diff --git a/config/suricata/suricata_interfaces_edit.php b/config/suricata/suricata_interfaces_edit.php index 20deb885..6dbf9412 100644 --- a/config/suricata/suricata_interfaces_edit.php +++ b/config/suricata/suricata_interfaces_edit.php @@ -44,10 +44,8 @@ if ($_GET['id'] && is_numeric($_GET['id'])); $id = htmlspecialchars($_GET['id'], ENT_QUOTES | ENT_HTML401); if ($_POST['id'] && is_numeric($_POST['id'])) $id = $_POST['id']; -if (is_null($id)) { - header("Location: /suricata/suricata_interfaces.php"); - exit; -} +if (is_null($id)) + $id = 0; $pconfig = array(); if (empty($suricataglob['rule'][$id]['uuid'])) { @@ -128,7 +126,7 @@ if (empty($pconfig['max_pcap_log_size'])) if (empty($pconfig['max_pcap_log_files'])) $pconfig['max_pcap_log_files'] = "1000"; -if ($_POST["Submit"]) { +if ($_POST["save"]) { if (!$_POST['interface']) $input_errors[] = gettext("Choosing an Interface is mandatory!"); @@ -255,7 +253,7 @@ if ($_POST["Submit"]) { $natent['libhtp_policy']['item'][] = $default; // Enable the basic default rules for the interface - $natent['rulesets'] = "decoder-events.rules||files.rules||http-events.rules||smtp-events.rules||stream-events"; + $natent['rulesets'] = "decoder-events.rules||files.rules||http-events.rules||smtp-events.rules||stream-events.rules"; // Adding a new interface, so set flag to build new rules $rebuild_rules = true; @@ -301,19 +299,14 @@ include_once("head.inc"); - - -' . $pgtitle . '

';}?> - -
" method="post" name="iform" id="iform"> @@ -654,6 +647,7 @@ include_once("head.inc"); "setting at default. Create an Alias for custom External Net settings."); ?>
"/>
 " . + " . gettext("Please save your settings before you attempt to start Suricata."); ?>
  - ">      - ">
diff --git a/config/suricata/suricata_os_policy_engine.php b/config/suricata/suricata_os_policy_engine.php index 61918e65..ae5a9348 100644 --- a/config/suricata/suricata_os_policy_engine.php +++ b/config/suricata/suricata_os_policy_engine.php @@ -43,6 +43,10 @@ if (is_null($id)) { header("Location: /suricata/suricata_interfaces.php"); exit; } +if (is_null($eng_id)) { + header("Location: /suricata/suricata_flow_stream.php?id={$id}"); + exit; +} if (!is_array($config['installedpackages']['suricata']['rule'])) $config['installedpackages']['suricata']['rule'] = array(); @@ -68,7 +72,7 @@ else { $pconfig['policy'] = "bsd"; } -if ($_POST['Cancel']) { +if ($_POST['cancel']) { header("Location: /suricata/suricata_flow_stream.php?id={$id}"); exit; } @@ -79,7 +83,7 @@ if ($_GET['act'] == "import") { $pconfig[$_GET['varname']] = $_GET['varvalue']; } -if ($_POST['Submit']) { +if ($_POST['save']) { /* Grab all the POST values and save in new temp array */ $engine = array(); @@ -225,10 +229,10 @@ if ($savemsg)   - ">      - "> diff --git a/config/suricata/suricata_rules.php b/config/suricata/suricata_rules.php index 428bc9be..f6457f19 100644 --- a/config/suricata/suricata_rules.php +++ b/config/suricata/suricata_rules.php @@ -27,7 +27,6 @@ * POSSIBILITY OF SUCH DAMAGE. */ - require_once("guiconfig.inc"); require_once("/usr/local/pkg/suricata/suricata.inc"); @@ -35,23 +34,26 @@ global $g, $rebuild_rules; $suricatadir = SURICATADIR; $rules_map = array(); +$pconfig = array(); if (!is_array($config['installedpackages']['suricata']['rule'])) $config['installedpackages']['suricata']['rule'] = array(); $a_rule = &$config['installedpackages']['suricata']['rule']; -if (is_numeric($_GET['id'])) +log_error(print_r($_POST, true)); + +if ($_GET['id']) $id = $_GET['id']; -if (isset($_POST['id'])) +if ($_POST['id']) $id = $_POST['id']; if (is_null($id)) { - header("Location: /suricata/suricata_interfaces.php"); - exit; + $id = 0; } if (isset($id) && $a_rule[$id]) { $pconfig['interface'] = $a_rule[$id]['interface']; $pconfig['rulesets'] = $a_rule[$id]['rulesets']; + $pconfig['customrules'] = base64_decode($a_rule[$id]['customrules']); } function truncate($string, $length) { @@ -110,7 +112,9 @@ $categories = explode("||", $pconfig['rulesets']); if ($_GET['openruleset']) $currentruleset = htmlspecialchars($_GET['openruleset'], ENT_QUOTES | ENT_HTML401); -else if ($_POST['openruleset']) +elseif ($_POST['selectbox']) + $currentruleset = $_POST['selectbox']; +elseif ($_POST['openruleset']) $currentruleset = $_POST['openruleset']; else $currentruleset = $categories[0]; @@ -147,13 +151,11 @@ if ($currentruleset != 'custom.rules') { $enablesid = suricata_load_sid_mods($a_rule[$id]['rule_sid_on']); $disablesid = suricata_load_sid_mods($a_rule[$id]['rule_sid_off']); -if ($_GET['act'] == "toggle" && $_GET['ids'] && !empty($rules_map)) { - - // Get the GID tag embedded in the clicked rule icon. - $gid = $_GET['gid']; +if ($_POST['toggle'] && is_numeric($_POST['sid']) && is_numeric($_POST['gid']) && !empty($rules_map)) { - // Get the SID tag embedded in the clicked rule icon. - $sid= $_GET['ids']; + // Get the GID:SID tags embedded in the clicked rule icon. + $gid = $_POST['gid']; + $sid = $_POST['sid']; // See if the target SID is in our list of modified SIDs, // and toggle it back to default if present; otherwise, @@ -197,11 +199,9 @@ if ($_GET['act'] == "toggle" && $_GET['ids'] && !empty($rules_map)) { /* Update the config.xml file. */ write_config(); - $_GET['openruleset'] = $currentruleset; $anchor = "rule_{$gid}_{$sid}"; } - -if ($_GET['act'] == "disable_all" && !empty($rules_map)) { +elseif ($_POST['disable_all'] && !empty($rules_map)) { // Mark all rules in the currently selected category "disabled". foreach (array_keys($rules_map) as $k1) { @@ -238,13 +238,8 @@ if ($_GET['act'] == "disable_all" && !empty($rules_map)) { unset($a_rule[$id]['rule_sid_off']); write_config(); - - $_GET['openruleset'] = $currentruleset; - header("Location: /suricata/suricata_rules.php?id={$id}&openruleset={$currentruleset}"); - exit; } - -if ($_GET['act'] == "enable_all" && !empty($rules_map)) { +elseif ($_POST['enable_all'] && !empty($rules_map)) { // Mark all rules in the currently selected category "enabled". foreach (array_keys($rules_map) as $k1) { @@ -280,13 +275,8 @@ if ($_GET['act'] == "enable_all" && !empty($rules_map)) { unset($a_rule[$id]['rule_sid_off']); write_config(); - - $_GET['openruleset'] = $currentruleset; - header("Location: /suricata/suricata_rules.php?id={$id}&openruleset={$currentruleset}"); - exit; } - -if ($_GET['act'] == "resetcategory" && !empty($rules_map)) { +elseif ($_POST['resetcategory'] && !empty($rules_map)) { // Reset any modified SIDs in the current rule category to their defaults. foreach (array_keys($rules_map) as $k1) { @@ -324,13 +314,8 @@ if ($_GET['act'] == "resetcategory" && !empty($rules_map)) { unset($a_rule[$id]['rule_sid_off']); write_config(); - - $_GET['openruleset'] = $currentruleset; - header("Location: /suricata/suricata_rules.php?id={$id}&openruleset={$currentruleset}"); - exit; } - -if ($_GET['act'] == "resetall" && !empty($rules_map)) { +elseif ($_POST['resetall'] && !empty($rules_map)) { // Remove all modified SIDs from config.xml and save the changes. unset($a_rule[$id]['rule_sid_on']); @@ -338,23 +323,20 @@ if ($_GET['act'] == "resetall" && !empty($rules_map)) { /* Update the config.xml file. */ write_config(); - - $_GET['openruleset'] = $currentruleset; - header("Location: /suricata/suricata_rules.php?id={$id}&openruleset={$currentruleset}"); - exit; } - -if ($_POST['clear']) { +elseif ($_POST['clear']) { unset($a_rule[$id]['customrules']); write_config(); $rebuild_rules = true; suricata_generate_yaml($a_rule[$id]); $rebuild_rules = false; - header("Location: /suricata/suricata_rules.php?id={$id}&openruleset={$currentruleset}"); - exit; + $pconfig['customrules'] = ''; } - -if ($_POST['customrules']) { +elseif ($_POST['cancel']) { + $pconfig['customrules'] = base64_decode($a_rule[$id]['customrules']); +} +elseif ($_POST['save']) { + $pconfig['customrules'] = $_POST['customrules']; if ($_POST['customrules']) $a_rule[$id]['customrules'] = base64_encode($_POST['customrules']); else @@ -363,24 +345,21 @@ if ($_POST['customrules']) { $rebuild_rules = true; suricata_generate_yaml($a_rule[$id]); $rebuild_rules = false; - $output = ""; - $retcode = ""; - exec("/usr/local/bin/suricata -T --init-errors-fatal -c {$suricatacfgdir}/suricata.yaml 2>&1", $output, $retcode); - if (intval($retcode) != 0) { - $error = ""; - $start = count($output); - $end = $start - 4; - for($i = $start; $i > $end; $i--) - $error .= $output[$i]; - $input_errors[] = "Custom rules have errors:\n {$error}"; - } - else { - header("Location: /suricata/suricata_rules.php?id={$id}&openruleset={$currentruleset}"); - exit; - } + /* Signal Suricata to "live reload" the rules */ + suricata_reload_config($a_rule[$id]); +// $output = ""; +// $retcode = ""; +// exec("/usr/local/bin/suricata -T --init-errors-fatal -c {$suricatacfgdir}/suricata.yaml 2>&1", $output, $retcode); +// if (intval($retcode) != 0) { +// $error = ""; +// $start = count($output); +// $end = $start - 4; +// for($i = $start; $i > $end; $i--) +// $error .= $output[$i]; +// $input_errors[] = "Custom rules have errors:\n {$error}"; +// } } - -else if ($_POST['apply']) { +elseif ($_POST['apply']) { /* Save new configuration */ write_config(); @@ -395,16 +374,6 @@ else if ($_POST['apply']) { /* Signal Suricata to "live reload" the rules */ suricata_reload_config($a_rule[$id]); - - /* Return to this same page */ - header("Location: /suricata/suricata_rules.php?id={$id}&openruleset={$currentruleset}"); - exit; -} -else if ($_POST['cancel']) { - - /* Return to this same page */ - header("Location: /suricata/suricata_rules.php?id={$id}"); - exit; } require_once("guiconfig.inc"); @@ -417,9 +386,7 @@ $pgtitle = gettext("Suricata: Interface {$if_friendly} - Rules: {$currentruleset ' . $pgtitle . '

';} - -/* Display message */ +/* Display error or save messages if present */ if ($input_errors) { print_input_errors($input_errors); // TODO: add checks } @@ -430,7 +397,11 @@ if ($savemsg) { ?> - + + + + + - - @@ -497,15 +468,13 @@ if ($savemsg) { @@ -518,43 +487,40 @@ if ($savemsg) {
     +    
- -
- " title=" "/>   - " title=""/>   + " title=" "/>   + " title=""/>   " onclick="return confirm('')" title=""/>
- - - - - - @@ -579,7 +544,6 @@ if ($savemsg) {
" class="formbtn" - title=""/> - -

+ title=""/>

" . gettext("Suricata must be restarted to activate any SID enable/disable changes made on this tab."); ?>
- "?> + title='" . gettext("Click to remove enable/disable changes for rules in the selected category only") . "'/>"?>   
- "?> + title='" . gettext("Click to remove all enable/disable changes for rules in all categories") . "'/>"?>   
- "?> + title='" . gettext("Click to disable all rules in the selected category") . "'/>"?>   
- "?> + title='" . gettext("Click to enable all rules in the selected category") . "'/>"?>   
@@ -564,7 +530,6 @@ if ($savemsg) { title="" width="17" height="17" border="0">   
 
- @@ -587,7 +551,7 @@ if ($savemsg) { - + @@ -668,11 +632,11 @@ if ($savemsg) { $message = suricata_get_msg($v['rule']); $sid_tooltip = gettext("View the raw text for this rule"); - echo "
{$textss} - - {$textse} + echo "
{$textss} + {$textse} {$textss}{$gid}{$textse} @@ -753,15 +717,14 @@ if ($savemsg) {
- - + + diff --git a/config/suricata/suricata_rulesets.php b/config/suricata/suricata_rulesets.php index a1609d6c..e15818d5 100644 --- a/config/suricata/suricata_rulesets.php +++ b/config/suricata/suricata_rulesets.php @@ -43,10 +43,8 @@ $a_nat = &$config['installedpackages']['suricata']['rule']; $id = $_GET['id']; if (isset($_POST['id'])) $id = $_POST['id']; -if (is_null($id)) { - header("Location: /suricata/suricata_interfaces.php"); - exit; -} +if (is_null($id)) + $id = 0; if (isset($id) && $a_nat[$id]) { $pconfig['enable'] = $a_nat[$id]['enable']; @@ -117,9 +115,7 @@ if ($a_nat[$id]['ips_policy_enable'] == 'on') { else $disable_vrt_rules = ""; -/* alert file */ -if ($_POST["Submit"]) { - +if ($_POST["save"]) { if ($_POST['ips_policy_enable'] == "on") { $a_nat[$id]['ips_policy_enable'] = 'on'; $a_nat[$id]['ips_policy'] = $_POST['ips_policy']; @@ -129,11 +125,12 @@ if ($_POST["Submit"]) { unset($a_nat[$id]['ips_policy']); } - $enabled_items = ""; + // Always start with the default events and files rules + $enabled_items = "decoder-events.rules||files.rules||http-events.rules||smtp-events.rules||stream-events.rules"; if (is_array($_POST['toenable'])) - $enabled_items = implode("||", $_POST['toenable']); + $enabled_items .= "||" . implode("||", $_POST['toenable']); else - $enabled_items = $_POST['toenable']; + $enabled_items .= "||{$_POST['toenable']}"; $a_nat[$id]['rulesets'] = $enabled_items; @@ -155,12 +152,12 @@ if ($_POST["Submit"]) { suricata_generate_yaml($a_nat[$id]); $rebuild_rules = false; - header("Location: /suricata/suricata_rulesets.php?id=$id"); - exit; + /* Signal Suricata to "live reload" the rules */ + suricata_reload_config($a_nat[$id]); } - -if ($_POST['unselectall']) { - $a_nat[$id]['rulesets'] = ""; +elseif ($_POST['unselectall']) { + // Remove all but the default events and files rules + $a_nat[$id]['rulesets'] = "decoder-events.rules||files.rules||http-events.rules||smtp-events.rules||stream-events.rules"; if ($_POST['ips_policy_enable'] == "on") { $a_nat[$id]['ips_policy_enable'] = 'on'; @@ -173,13 +170,10 @@ if ($_POST['unselectall']) { write_config(); sync_suricata_package_config(); - - header("Location: /suricata/suricata_rulesets.php?id=$id"); - exit; } - -if ($_POST['selectall']) { - $rulesets = array(); +elseif ($_POST['selectall']) { + // Start with the required default events and files rules + $rulesets = array( "decoder-events.rules", "files.rules", "http-events.rules", "smtp-events.rules", "stream-events.rules" ); if ($_POST['ips_policy_enable'] == "on") { $a_nat[$id]['ips_policy_enable'] = 'on'; @@ -218,9 +212,6 @@ if ($_POST['selectall']) { write_config(); sync_suricata_package_config(); - - header("Location: /suricata/suricata_rulesets.php?id=$id"); - exit; } $enabled_rulesets_array = explode("||", $a_nat[$id]['rulesets']); @@ -234,7 +225,6 @@ include_once("head.inc"); ' . $pgtitle . '

';} /* Display message */ if ($input_errors) { @@ -282,9 +272,8 @@ if ($savemsg) { $isrulesfolderempty = glob("{$suricatadir}rules/*.rules"); $iscfgdirempty = array(); if (file_exists("{$suricatadir}suricata_{$suricata_uuid}_{$if_real}/rules/custom.rules")) - $iscfgdirempty = (array)("{$suricatadir}suricata_{$suricata_uuid}_{$if_real}/rules/custom.rules"); - if (empty($isrulesfolderempty)): -?> + $iscfgdirempty = (array)("{$suricatadir}suricata_{$suricata_uuid}_{$if_real}/rules/custom.rules"); ?> +
',$suricatadir,''); ?>

@@ -294,14 +283,7 @@ if ($savemsg) { '' . gettext(" tab."); ?> - + - +
"/> "/>"/>"/>
@@ -531,7 +513,7 @@ if ($savemsg) { - "/> + "/> @@ -581,7 +563,7 @@ function enable_change() for (var i = 0; i < document.iform.elements.length; i++) { if (document.iform.elements[i].type == 'checkbox') { var str = document.iform.elements[i].value; - if (str.substr(0,6) == "suricata_") + if (str.substr(0,6) == "snort_") document.iform.elements[i].disabled = !(endis); } } -- cgit v1.2.3 From 348de1c7372ec0b1d7a21955939373df5eb675ba Mon Sep 17 00:00:00 2001 From: bmeeks8 Date: Mon, 24 Feb 2014 20:32:57 -0500 Subject: Add temp fix in post-install to add default rules back to enabled rules. --- config/suricata/suricata_post_install.php | 11 +++++++++++ 1 file changed, 11 insertions(+) (limited to 'config') diff --git a/config/suricata/suricata_post_install.php b/config/suricata/suricata_post_install.php index 653f47fd..6603d5ab 100644 --- a/config/suricata/suricata_post_install.php +++ b/config/suricata/suricata_post_install.php @@ -87,6 +87,17 @@ if ($config['installedpackages']['suricata']['config'][0]['forcekeepsettings'] = foreach ($suriconf as $value) { $if_real = get_real_interface($value['interface']); + // ## BETA pkg bug fix-up -- be sure default rules enabled ## + $rules = explode("||", $value['rulesets']); + foreach (array( "decoder-events.rules", "files.rules", "http-events.rules", "smtp-events.rules", "stream-events.rules" ) as $r){ + if (!in_array($r, $rules)) + $rules[] = $r; + } + natcasesort($rules); + $value['rulesets'] = implode("||", $rules); + write_config(); + // ## end of BETA pkg bug fix-up ## + // create a suricata.yaml file for interface suricata_generate_yaml($value); -- cgit v1.2.3 From 729d5f667c2d658586b634c074eca1400e34e0be Mon Sep 17 00:00:00 2001 From: bmeeks8 Date: Mon, 24 Feb 2014 20:38:03 -0500 Subject: Some bug fixes and replace $_GET with $_POST in parameter passing. --- config/suricata/suricata_app_parsers.php | 294 +++++++++++++++++----- config/suricata/suricata_flow_stream.php | 262 ++++++++++++++----- config/suricata/suricata_import_aliases.php | 18 +- config/suricata/suricata_libhtp_policy_engine.php | 210 +++------------- config/suricata/suricata_os_policy_engine.php | 186 +++----------- 5 files changed, 512 insertions(+), 458 deletions(-) (limited to 'config') diff --git a/config/suricata/suricata_app_parsers.php b/config/suricata/suricata_app_parsers.php index 1706f04a..eddf273d 100644 --- a/config/suricata/suricata_app_parsers.php +++ b/config/suricata/suricata_app_parsers.php @@ -60,7 +60,7 @@ $libhtp_engine_next_id = count($a_nat[$id]['libhtp_policy']['item']); // Build a lookup array of currently used engine 'bind_to' Aliases // so we can screen matching Alias names from the list. $used = array(); -foreach ($a_nat[$id]['host_os_policy']['item'] as $v) +foreach ($a_nat[$id]['libhtp_policy']['item'] as $v) $used[$v['bind_to']] = true; $pconfig = array(); @@ -86,17 +86,125 @@ if (isset($id) && $a_nat[$id]) { $pconfig['libhtp_policy'] = $a_nat[$id]['libhtp_policy']; } -// Check for "import alias mode" and set flag if TRUE +// Check for "import or select alias mode" and set flags if TRUE. +// "selectalias", when true, displays radio buttons to limit +// multiple selections. if ($_POST['import_alias']) { $importalias = true; + $selectalias = false; $title = "HTTP Server Policy"; } -else - $importalias = false; +elseif ($_POST['select_alias']) { + $importalias = true; + $selectalias = true; + $title = "HTTP Server Policy"; + + // Preserve current Libhtp Policy Engine settings + $eng_id = $_POST['eng_id']; + $eng_name = $_POST['policy_name']; + $eng_bind = $_POST['policy_bind_to']; + $eng_personality = $_POST['personality']; + $eng_req_body_limit = $_POST['req_body_limit']; + $eng_resp_body_limit = $_POST['resp_body_limit']; + $eng_enable_double_decode_path = $_POST['enable_double_decode_path']; + $eng_enable_double_decode_query = $_POST['enable_double_decode_query']; + $mode = "add_edit_libhtp_policy"; +} +if ($_POST['save_libhtp_policy']) { + if ($_POST['eng_id'] != "") { + $eng_id = $_POST['eng_id']; + + // Grab all the POST values and save in new temp array + $engine = array(); + $policy_name = trim($_POST['policy_name']); + if ($policy_name) { + $engine['name'] = $policy_name; + } + else + $input_errors[] = gettext("The 'Policy Name' value cannot be blank."); + + if ($_POST['policy_bind_to']) { + if (is_alias($_POST['policy_bind_to'])) + $engine['bind_to'] = $_POST['policy_bind_to']; + elseif (strtolower(trim($_POST['policy_bind_to'])) == "all") + $engine['bind_to'] = "all"; + else + $input_errors[] = gettext("You must provide a valid Alias or the reserved keyword 'all' for the 'Bind-To IP Address' value."); + } + else + $input_errors[] = gettext("The 'Bind-To IP Address' value cannot be blank. Provide a valid Alias or the reserved keyword 'all'."); + + if ($_POST['personality']) { $engine['personality'] = $_POST['personality']; } else { $engine['personality'] = "bsd"; } + + if (is_numeric($_POST['req_body_limit']) && $_POST['req_body_limit'] >= 0) + $engine['request-body-limit'] = $_POST['req_body_limit']; + else + $input_errors[] = gettext("The value for 'Request Body Limit' must be all numbers and greater than or equal to zero."); + + if (is_numeric($_POST['resp_body_limit']) && $_POST['resp_body_limit'] >= 0) + $engine['response-body-limit'] = $_POST['resp_body_limit']; + else + $input_errors[] = gettext("The value for 'Response Body Limit' must be all numbers and greater than or equal to zero."); -if ($_POST['add_libhtp_policy']) { - header("Location: suricata_libhtp_policy_engine.php?id={$id}&eng_id={$libhtp_engine_next_id}"); - exit; + if ($_POST['enable_double_decode_path']) { $engine['double-decode-path'] = 'yes'; }else{ $engine['double-decode-path'] = 'no'; } + if ($_POST['enable_double_decode_query']) { $engine['double-decode-query'] = 'yes'; }else{ $engine['double-decode-query'] = 'no'; } + + // Can only have one "all" Bind_To address + if ($engine['bind_to'] == "all" && $engine['name'] <> "default") + $input_errors[] = gettext("Only one default OS-Policy Engine can be bound to all addresses."); + + // if no errors, write new entry to conf + if (!$input_errors) { + if (isset($eng_id) && $a_nat[$id]['libhtp_policy']['item'][$eng_id]) { + $a_nat[$id]['libhtp_policy']['item'][$eng_id] = $engine; + } + else + $a_nat[$id]['libhtp_policy']['item'][] = $engine; + + /* Reorder the engine array to ensure the */ + /* 'bind_to=all' entry is at the bottom */ + /* if it contains more than one entry. */ + if (count($a_nat[$id]['libhtp_policy']['item']) > 1) { + $i = -1; + foreach ($a_nat[$id]['libhtp_policy']['item'] as $f => $v) { + if ($v['bind_to'] == "all") { + $i = $f; + break; + } + } + /* Only relocate the entry if we */ + /* found it, and it's not already */ + /* at the end. */ + if ($i > -1 && ($i < (count($a_nat[$id]['libhtp_policy']['item']) - 1))) { + $tmp = $a_nat[$id]['libhtp_policy']['item'][$i]; + unset($a_nat[$id]['libhtp_policy']['item'][$i]); + $a_nat[$id]['libhtp_policy']['item'][] = $tmp; + } + } + + // Now write the new engine array to conf + write_config(); + $pconfig['libhtp_policy']['item'] = $a_nat[$id]['libhtp_policy']['item']; + } + else { + $add_edit_libhtp_policy = true; + $pengcfg = $engine; + } + } +} +elseif ($_POST['add_libhtp_policy']) { + $add_edit_libhtp_policy = true; + $pengcfg = array( "name" => "engine_{$libhtp_engine_next_id}", "bind_to" => "", "personality" => "IDS", + "request-body-limit" => "4096", "response-body-limit" => "4096", + "double-decode-path" => "no", "double-decode-query" => "no" ); + $eng_id = $libhtp_engine_next_id; +} +elseif ($_POST['edit_libhtp_policy']) { + if ($_POST['eng_id'] != "") { + $add_edit_libhtp_policy = true; + $eng_id = $_POST['eng_id']; + $pengcfg = $a_nat[$id]['libhtp_policy']['item'][$eng_id]; + } } elseif ($_POST['del_libhtp_policy']) { $natent = array(); @@ -111,6 +219,9 @@ elseif ($_POST['del_libhtp_policy']) { write_config(); } } +elseif ($_POST['cancel_libhtp_policy']) { + $add_edit_libhtp_policy = false; +} elseif ($_POST['ResetAll']) { /* Reset all the settings to defaults */ @@ -120,54 +231,108 @@ elseif ($_POST['ResetAll']) { $savemsg = gettext("All flow and stream settings have been reset to their defaults."); } elseif ($_POST['save_import_alias']) { - $engine = array( "name" => "", "bind_to" => "", "personality" => "IDS", - "request-body-limit" => "4096", "response-body-limit" => "4096", - "double-decode-path" => "no", "double-decode-query" => "no" ); - - // See if anything was checked to import - if (is_array($_POST['aliastoimport']) && count($_POST['aliastoimport']) > 0) { - foreach ($_POST['aliastoimport'] as $item) { - $engine['name'] = strtolower($item); - $engine['bind_to'] = $item; - $a_nat[$id]['libhtp_policy']['item'][] = $engine; + // If saving out of "select alias" mode, + // then return to Libhtp Policy Engine edit + // page. + if ($_POST['mode'] == 'add_edit_libhtp_policy') { + $pengcfg = array(); + $eng_id = $_POST['eng_id']; + $pengcfg['name'] = $_POST['eng_name']; + $pengcfg['bind_to'] = $_POST['eng_bind']; + $pengcfg['personality'] = $_POST['eng_personality']; + $pengcfg['request-body-limit'] = $_POST['eng_req_body_limit']; + $pengcfg['response-body-limit'] = $_POST['eng_resp_body_limit']; + $pengcfg['double-decode-path'] = $_POST['eng_enable_double_decode_path']; + $pengcfg['double-decode-query'] = $_POST['eng_enable_double_decode_query']; + $add_edit_libhtp_policy = true; + $mode = "add_edit_libhtp_policy"; + + if (is_array($_POST['aliastoimport']) && count($_POST['aliastoimport']) == 1) { + $pengcfg['bind_to'] = $_POST['aliastoimport'][0]; + $importalias = false; + $selectalias = false; + } + else { + $input_errors[] = gettext("No Alias is selected for import. Nothing to SAVE."); + $importalias = true; + $selectalias = true; + $eng_id = $_POST['eng_id']; + $eng_name = $_POST['eng_name']; + $eng_bind = $_POST['eng_bind']; + $eng_personality = $_POST['eng_personality']; + $eng_req_body_limit = $_POST['eng_req_body_limit']; + $eng_resp_body_limit = $_POST['eng_resp_body_limit']; + $eng_enable_double_decode_path = $_POST['eng_enable_double_decode_path']; + $eng_enable_double_decode_query = $_POST['eng_enable_double_decode_query']; } } else { - $input_errors[] = gettext("No entries were selected for import. Please select one or more Aliases for import and click SAVE."); - $importalias = true; - } + $engine = array( "name" => "", "bind_to" => "", "personality" => "IDS", + "request-body-limit" => "4096", "response-body-limit" => "4096", + "double-decode-path" => "no", "double-decode-query" => "no" ); + + // See if anything was checked to import + if (is_array($_POST['aliastoimport']) && count($_POST['aliastoimport']) > 0) { + foreach ($_POST['aliastoimport'] as $item) { + $engine['name'] = strtolower($item); + $engine['bind_to'] = $item; + $a_nat[$id]['libhtp_policy']['item'][] = $engine; + } + } + else { + $input_errors[] = gettext("No entries were selected for import. Please select one or more Aliases for import and click SAVE."); + $importalias = true; + } - // if no errors, write new entry to conf - if (!$input_errors) { - // Reorder the engine array to ensure the - // 'bind_to=all' entry is at the bottom if - // the array contains more than one entry. - if (count($a_nat[$id]['libhtp_policy']['item']) > 1) { - $i = -1; - foreach ($a_nat[$id]['libhtp_policy']['item'] as $f => $v) { - if ($v['bind_to'] == "all") { - $i = $f; - break; + // if no errors, write new entry to conf + if (!$input_errors) { + // Reorder the engine array to ensure the + // 'bind_to=all' entry is at the bottom if + // the array contains more than one entry. + if (count($a_nat[$id]['libhtp_policy']['item']) > 1) { + $i = -1; + foreach ($a_nat[$id]['libhtp_policy']['item'] as $f => $v) { + if ($v['bind_to'] == "all") { + $i = $f; + break; + } } + // Only relocate the entry if we + // found it, and it's not already + // at the end. + if ($i > -1 && ($i < (count($a_nat[$id]['libhtp_policy']['item']) - 1))) { + $tmp = $a_nat[$id]['libhtp_policy']['item'][$i]; + unset($a_nat[$id]['libhtp_policy']['item'][$i]); + $a_nat[$id]['libhtp_policy']['item'][] = $tmp; + } + $pconfig['libhtp_policy']['item'] = $a_nat[$id]['libhtp_policy']['item']; } - // Only relocate the entry if we - // found it, and it's not already - // at the end. - if ($i > -1 && ($i < (count($a_nat[$id]['libhtp_policy']['item']) - 1))) { - $tmp = $a_nat[$id]['libhtp_policy']['item'][$i]; - unset($a_nat[$id]['libhtp_policy']['item'][$i]); - $a_nat[$id]['libhtp_policy']['item'][] = $tmp; - } - $pconfig['libhtp_policy']['item'] = $a_nat[$id]['libhtp_policy']['item']; - } - // Write the new engine array to config file - write_config(); - $importalias = false; + // Write the new engine array to config file + write_config(); + $importalias = false; + } } } elseif ($_POST['cancel_import_alias']) { $importalias = false; + $selectalias = false; + $eng_id = $_POST['eng_id']; + + // If cancelling out of "select alias" mode, + // then return to Libhtp Policy Engine edit + // page. + if ($_POST['mode'] == 'add_edit_libhtp_policy') { + $pengcfg = array(); + $pengcfg['name'] = $_POST['eng_name']; + $pengcfg['bind_to'] = $_POST['eng_bind']; + $pengcfg['personality'] = $_POST['eng_personality']; + $pengcfg['request-body-limit'] = $_POST['eng_req_body_limit']; + $pengcfg['response-body-limit'] = $_POST['eng_resp_body_limit']; + $pengcfg['double-decode-path'] = $_POST['eng_enable_double_decode_path']; + $pengcfg['double-decode-query'] = $_POST['eng_enable_double_decode_query']; + $add_edit_libhtp_policy = true; + } } elseif ($_POST['save']) { $natent = array(); @@ -222,7 +387,7 @@ include_once("head.inc");
- +
- + '; + echo ''; + echo ''; + echo ''; + echo ''; + echo ''; + echo ''; + } + ?> + + + + @@ -297,9 +476,9 @@ include_once("head.inc"); -
- "> + "/> "all") : ?>
- diff --git a/config/suricata/suricata_flow_stream.php b/config/suricata/suricata_flow_stream.php index 6d5134c3..6c081fa8 100644 --- a/config/suricata/suricata_flow_stream.php +++ b/config/suricata/suricata_flow_stream.php @@ -84,17 +84,111 @@ if (isset($id) && $a_nat[$id]) { $pconfig['host_os_policy'] = $a_nat[$id]['host_os_policy']; } -// Check for "import alias mode" and set flag if TRUE +// Check for "import or select alias mode" and set flags if TRUE. +// "selectalias", when true, displays radio buttons to limit +// multiple selections. if ($_POST['import_alias']) { $importalias = true; + $selectalias = false; $title = "Host Operating System Policy"; } -else - $importalias = false; +elseif ($_POST['select_alias']) { + $importalias = true; + $selectalias = true; + $title = "Host Operating System Policy"; + + // Preserve current OS Policy Engine settings + $eng_id = $_POST['eng_id']; + $eng_name = $_POST['policy_name']; + $eng_bind = $_POST['policy_bind_to']; + $eng_policy = $_POST['policy']; + $mode = "add_edit_os_policy"; +} + +if ($_POST['save_os_policy']) { + if ($_POST['eng_id'] != "") { + $eng_id = $_POST['eng_id']; + + // Grab all the POST values and save in new temp array + $engine = array(); + $policy_name = trim($_POST['policy_name']); + if ($policy_name) { + $engine['name'] = $policy_name; + } + else { + $input_errors[] = gettext("The 'Policy Name' value cannot be blank."); + $add_edit_os_policy = true; + } + if ($_POST['policy_bind_to']) { + if (is_alias($_POST['policy_bind_to'])) + $engine['bind_to'] = $_POST['policy_bind_to']; + elseif (strtolower(trim($_POST['policy_bind_to'])) == "all") + $engine['bind_to'] = "all"; + else { + $input_errors[] = gettext("You must provide a valid Alias or the reserved keyword 'all' for the 'Bind-To IP Address' value."); + $add_edit_os_policy = true; + } + } + else { + $input_errors[] = gettext("The 'Bind-To IP Address' value cannot be blank. Provide a valid Alias or the reserved keyword 'all'."); + $add_edit_os_policy = true; + } + + if ($_POST['policy']) { $engine['policy'] = $_POST['policy']; } else { $engine['policy'] = "bsd"; } + + // Can only have one "all" Bind_To address + if ($engine['bind_to'] == "all" && $engine['name'] <> "default") { + $input_errors[] = gettext("Only one default OS-Policy Engine can be bound to all addresses."); + $add_edit_os_policy = true; + $pengcfg = $engine; + } + + // if no errors, write new entry to conf + if (!$input_errors) { + if (isset($eng_id) && $a_nat[$id]['host_os_policy']['item'][$eng_id]) { + $a_nat[$id]['host_os_policy']['item'][$eng_id] = $engine; + } + else + $a_nat[$id]['host_os_policy']['item'][] = $engine; + + /* Reorder the engine array to ensure the */ + /* 'bind_to=all' entry is at the bottom */ + /* if it contains more than one entry. */ + if (count($a_nat[$id]['host_os_policy']['item']) > 1) { + $i = -1; + foreach ($a_nat[$id]['host_os_policy']['item'] as $f => $v) { + if ($v['bind_to'] == "all") { + $i = $f; + break; + } + } + /* Only relocate the entry if we */ + /* found it, and it's not already */ + /* at the end. */ + if ($i > -1 && ($i < (count($a_nat[$id]['host_os_policy']['item']) - 1))) { + $tmp = $a_nat[$id]['host_os_policy']['item'][$i]; + unset($a_nat[$id]['host_os_policy']['item'][$i]); + $a_nat[$id]['host_os_policy']['item'][] = $tmp; + } + } -if ($_POST['add_os_policy']) { - header("Location: suricata_os_policy_engine.php?id={$id}&eng_id={$host_os_policy_engine_next_id}"); - exit; + // Now write the new engine array to conf + write_config(); + $pconfig['host_os_policy']['item'] = $a_nat[$id]['host_os_policy']['item']; + } + } +} +elseif ($_POST['add_os_policy']) { + $add_edit_os_policy = true; + $pengcfg = array( "name" => "engine_{$host_os_policy_engine_next_id}", "bind_to" => "", "policy" => "bsd" ); + $eng_id = $host_os_policy_engine_next_id; +} +elseif ($_POST['edit_os_policy']) { + if ($_POST['eng_id'] != "") { + $add_edit_os_policy = true; + $eng_id = $_POST['eng_id']; + $pengcfg = $a_nat[$id]['host_os_policy']['item'][$eng_id]; + } } elseif ($_POST['del_os_policy']) { $natent = array(); @@ -109,6 +203,9 @@ elseif ($_POST['del_os_policy']) { write_config(); } } +elseif ($_POST['cancel_os_policy']) { + $add_edit_os_policy = false; +} elseif ($_POST['ResetAll']) { /* Reset all the settings to defaults */ @@ -223,52 +320,97 @@ elseif ($_POST['save']) { } } elseif ($_POST['save_import_alias']) { - $engine = array( "name" => "", "bind_to" => "", "policy" => "bsd" ); - - // See if anything was checked to import - if (is_array($_POST['aliastoimport']) && count($_POST['aliastoimport']) > 0) { - foreach ($_POST['aliastoimport'] as $item) { - $engine['name'] = strtolower($item); - $engine['bind_to'] = $item; - $a_nat[$id]['host_os_policy']['item'][] = $engine; + // If saving out of "select alias" mode, + // then return to Host OS Policy Engine edit + // page. + if ($_POST['mode'] =='add_edit_os_policy') { + $pengcfg = array(); + $eng_id = $_POST['eng_id']; + $pengcfg['name'] = $_POST['eng_name']; + $pengcfg['bind_to'] = $_POST['eng_bind']; + $pengcfg['policy'] = $_POST['eng_policy']; + $add_edit_os_policy = true; + $mode = "add_edit_os_policy"; + + if (is_array($_POST['aliastoimport']) && count($_POST['aliastoimport']) == 1) { + $pengcfg['bind_to'] = $_POST['aliastoimport'][0]; + $importalias = false; + $selectalias = false; + } + else { + $input_errors[] = gettext("No Alias is selected for import. Nothing to SAVE."); + $importalias = true; + $selectalias = true; + $eng_id = $_POST['eng_id']; + $eng_name = $_POST['eng_name']; + $eng_bind = $_POST['eng_bind']; + $eng_policy = $_POST['eng_policy']; } } else { - $input_errors[] = gettext("No entries were selected for import. Please select one or more Aliases for import and click SAVE."); - $importalias = true; - } + // Assume we are importing one or more aliases + // for use in new Host OS Policy engines. + $engine = array( "name" => "", "bind_to" => "", "policy" => "bsd" ); + + // See if anything was checked to import + if (is_array($_POST['aliastoimport']) && count($_POST['aliastoimport']) > 0) { + foreach ($_POST['aliastoimport'] as $item) { + $engine['name'] = strtolower($item); + $engine['bind_to'] = $item; + $a_nat[$id]['host_os_policy']['item'][] = $engine; + } + } + else { + $input_errors[] = gettext("No entries were selected for import. Please select one or more Aliases for import and click SAVE."); + $importalias = true; + } - // if no errors, write new entry to conf - if (!$input_errors) { - // Reorder the engine array to ensure the - // 'bind_to=all' entry is at the bottom if - // the array contains more than one entry. - if (count($a_nat[$id]['host_os_policy']['item']) > 1) { - $i = -1; - foreach ($a_nat[$id]['host_os_policy']['item'] as $f => $v) { - if ($v['bind_to'] == "all") { - $i = $f; - break; + // if no errors, write new entry to conf + if (!$input_errors) { + // Reorder the engine array to ensure the + // 'bind_to=all' entry is at the bottom if + // the array contains more than one entry. + if (count($a_nat[$id]['host_os_policy']['item']) > 1) { + $i = -1; + foreach ($a_nat[$id]['host_os_policy']['item'] as $f => $v) { + if ($v['bind_to'] == "all") { + $i = $f; + break; + } } + // Only relocate the entry if we + // found it, and it's not already + // at the end. + if ($i > -1 && ($i < (count($a_nat[$id]['host_os_policy']['item']) - 1))) { + $tmp = $a_nat[$id]['host_os_policy']['item'][$i]; + unset($a_nat[$id]['host_os_policy']['item'][$i]); + $a_nat[$id]['host_os_policy']['item'][] = $tmp; + } + $pconfig['host_os_policy']['item'] = $a_nat[$id]['host_os_policy']['item']; } - // Only relocate the entry if we - // found it, and it's not already - // at the end. - if ($i > -1 && ($i < (count($a_nat[$id]['host_os_policy']['item']) - 1))) { - $tmp = $a_nat[$id]['host_os_policy']['item'][$i]; - unset($a_nat[$id]['host_os_policy']['item'][$i]); - $a_nat[$id]['host_os_policy']['item'][] = $tmp; - } - $pconfig['host_os_policy']['item'] = $a_nat[$id]['host_os_policy']['item']; - } - // Write the new engine array to config file - write_config(); - $importalias = false; + // Write the new engine array to config file + write_config(); + $importalias = false; + $selectalias = false; + } } } elseif ($_POST['cancel_import_alias']) { $importalias = false; + $selectalias = false; + $eng_id = $_POST['eng_id']; + + // If cancelling out of "select alias" mode, + // then return to Host OS Policy Engine edit + // page. + if ($_POST['mode'] == 'add_edit_os_policy') { + $pengcfg = array(); + $pengcfg['name'] = $_POST['eng_name']; + $pengcfg['bind_to'] = $_POST['eng_bind']; + $pengcfg['policy'] = $_POST['eng_policy']; + $add_edit_os_policy = true; + } } $if_friendly = convert_friendly_interface_to_friendly_descr($pconfig['interface']); @@ -289,7 +431,7 @@ include_once("head.inc"); ?>
- + @@ -320,7 +462,17 @@ include_once("head.inc");
- + '; + echo ''; + echo ''; + } + ?> + + + + @@ -350,9 +502,9 @@ include_once("head.inc"); -
- "> + "/> "all") : ?>
- diff --git a/config/suricata/suricata_import_aliases.php b/config/suricata/suricata_import_aliases.php index a93d2d64..ccaaf29d 100644 --- a/config/suricata/suricata_import_aliases.php +++ b/config/suricata/suricata_import_aliases.php @@ -39,6 +39,8 @@ $a_aliases --> $config['aliases']['alias'] array $title --> title string for import alias engine type $used --> array of currently used engine 'bind_to' Alias names + $selectalias --> boolean to display radio buttons instead of checkboxes + $mode --> string value to indicate current operation mode Information is returned from this page via the following form fields: @@ -51,11 +53,21 @@ "") + echo ''; + if ($selectalias == true) { + $fieldtype = "radio"; + $header = gettext("Select an Alias to use as {$title} target from the list below."); + } + else { + $fieldtype = "checkbox"; + $header = gettext("Select one or more Aliases to use as {$title} targets from the list below."); + } ?> + - + - +
-
@@ -99,7 +111,7 @@
diff --git a/config/suricata/suricata_libhtp_policy_engine.php b/config/suricata/suricata_libhtp_policy_engine.php index ec00bbb2..01f6b9e8 100644 --- a/config/suricata/suricata_libhtp_policy_engine.php +++ b/config/suricata/suricata_libhtp_policy_engine.php @@ -26,160 +26,33 @@ * POSSIBILITY OF SUCH DAMAGE. */ -require_once("guiconfig.inc"); -require_once("/usr/local/pkg/suricata/suricata.inc"); - -global $g; - -// Grab the incoming QUERY STRING or POST variables -$id = $_GET['id']; -$eng_id = $_GET['eng_id']; -if (isset($_POST['id'])) - $id = $_POST['id']; -if (isset($_POST['eng_id'])) - $eng_id = $_POST['eng_id']; - -if (is_null($id)) { - header("Location: /suricata/suricata_interfaces.php"); - exit; -} -if (is_null($eng_id)) { - header("Location: /suricata/suricata_app_parsers.php?id={$id}"); - exit; -} - -if (!is_array($config['installedpackages']['suricata']['rule'])) - $config['installedpackages']['suricata']['rule'] = array(); -if (!is_array($config['installedpackages']['suricata']['rule'][$id]['libhtp_policy']['item'])) - $config['installedpackages']['suricata']['rule'][$id]['libhtp_policy']['item'] = array(); -$a_nat = &$config['installedpackages']['suricata']['rule'][$id]['libhtp_policy']['item']; - -$pconfig = array(); -if (empty($a_nat[$eng_id])) { - $def = array( "name" => "engine_{$eng_id}", "bind_to" => "", "personality" => "IDS", - "request-body-limit" => "4096", "response-body-limit" => "4096", - "double-decode-path" => "no", "double-decode-query" => "no" ); - - // See if this is initial entry and set to "default" if true - if ($eng_id < 1) { - $def['name'] = "default"; - $def['bind_to'] = "all"; - } - $pconfig = $def; -} -else { - $pconfig = $a_nat[$eng_id]; - - // Check for any empty values and set sensible defaults - if (empty($pconfig['personality'])) - $pconfig['personality'] = "IDS"; -} - -if ($_POST['cancel']) { - header("Location: /suricata/suricata_app_parsers.php?id={$id}"); - exit; -} - -// Check for returned "selected alias" if action is import -if ($_GET['act'] == "import") { - if ($_GET['varname'] == "bind_to" && !empty($_GET['varvalue'])) - $pconfig[$_GET['varname']] = $_GET['varvalue']; -} - -if ($_POST['save']) { - - /* Grab all the POST values and save in new temp array */ - $engine = array(); - if ($_POST['policy_name']) { $engine['name'] = trim($_POST['policy_name']); } else { $engine['name'] = "default"; } - if ($_POST['policy_bind_to']) { - if (is_alias($_POST['policy_bind_to'])) - $engine['bind_to'] = $_POST['policy_bind_to']; - elseif (strtolower(trim($_POST['policy_bind_to'])) == "all") - $engine['bind_to'] = "all"; - else - $input_errors[] = gettext("You must provide a valid Alias or the reserved keyword 'all' for the 'Bind-To IP Address' value."); - } - else { - $input_errors[] = gettext("The 'Bind-To IP Address' value cannot be blank. Provide a valid Alias or the reserved keyword 'all'."); - } - - if ($_POST['personality']) { $engine['personality'] = $_POST['personality']; } else { $engine['personality'] = "IDS"; } - if (is_numeric($_POST['req_body_limit']) && $_POST['req_body_limit'] >= 0) - $engine['request-body-limit'] = $_POST['req_body_limit']; - else - $input_errors[] = gettext("The value for 'Request Body Limit' must be all numbers and greater than or equal to zero."); - - if (is_numeric($_POST['resp_body_limit']) && $_POST['resp_body_limit'] >= 0) - $engine['response-body-limit'] = $_POST['resp_body_limit']; - else - $input_errors[] = gettext("The value for 'Response Body Limit' must be all numbers and greater than or equal to zero."); - - if ($_POST['enable_double_decode_path']) { $engine['double-decode-path'] = 'yes'; }else{ $engine['double-decode-path'] = 'no'; } - if ($_POST['enable_double_decode_query']) { $engine['double-decode-query'] = 'yes'; }else{ $engine['double-decode-query'] = 'no'; } - - /* Can only have one "all" Bind_To address */ - if ($engine['bind_to'] == "all" && $engine['name'] <> "default") { - $input_errors[] = gettext("Only one default HTTP Server Policy Engine can be bound to all addresses."); - $pconfig = $engine; - } - - /* if no errors, write new entry to conf */ - if (!$input_errors) { - if (isset($eng_id) && $a_nat[$eng_id]) { - $a_nat[$eng_id] = $engine; - } - else - $a_nat[] = $engine; - - /* Reorder the engine array to ensure the */ - /* 'bind_to=all' entry is at the bottom */ - /* if it contains more than one entry. */ - if (count($a_nat) > 1) { - $i = -1; - foreach ($a_nat as $f => $v) { - if ($v['bind_to'] == "all") { - $i = $f; - break; - } - } - /* Only relocate the entry if we */ - /* found it, and it's not already */ - /* at the end. */ - if ($i > -1 && ($i < (count($a_nat) - 1))) { - $tmp = $a_nat[$i]; - unset($a_nat[$i]); - $a_nat[] = $tmp; - } - } - - /* Now write the new engine array to conf */ - write_config(); - - header("Location: /suricata/suricata_app_parsers.php?id={$id}"); - exit; - } -} - -$if_friendly = convert_friendly_interface_to_friendly_descr($config['installedpackages']['suricata']['rule'][$id]['interface']); -$pgtitle = gettext("Suricata: Interface {$if_friendly} HTTP Server Policy Engine"); -include_once("head.inc"); - -?> - - - - system global variables array + $config --> global variable pointing to configuration information + $pengcfg --> array containing current Libhtp Policy engine configuration + + Information is returned from this page via the following form fields: + + policy_name --> Unique Name for the Libhtp Policy Engine + policy_bind_to --> Alias name representing "bind_to" IP address for engine + personality --> Operating system chosen for engine policy + select_alias --> Submit button for select alias operation + req_body_limit --> Request Body Limit size + resp_body_limit --> Response Body Limit size + enable_double_decode_path --> double-decode path part of URI + enable_double_decode_query --> double-decode query string part of URI + save_libhtp_policy --> Submit button for save operation and exit + cancel_libhtp_policy --> Submit button to cancel operation and exit + **************************************************************************************/ ?> -
- - -
-
@@ -190,8 +63,8 @@ if ($savemsg) -
>  - "default") + value="">  + "default") echo gettext("Name or description for this engine. (Max 25 characters)"); else echo "" . gettext("The name for the 'default' engine is read-only.") . "";?>
@@ -202,13 +75,13 @@ if ($savemsg)
- "default") : ?> + "default") : ?> - @@ -218,7 +91,7 @@ if ($savemsg)
" . gettext("Supplied value must be a pre-configured Alias or the keyword 'all'.");?>   + value="" autocomplete="off" readonly>  " . gettext("IP List for the default engine is read-only and must be 'all'.") . "";?>

@@ -232,7 +105,7 @@ if ($savemsg) $profile = array( 'Apache', 'Apache_2_2', 'Generic', 'IDS', 'IIS_4_0', 'IIS_5_0', 'IIS_5_1', 'IIS_6_0', 'IIS_7_0', 'IIS_7_5', 'Minimal' ); foreach ($profile as $val): ?>   
- -
  + value="" title="" autocomplete="off">  "/>
  + value="">  " . gettext("4,096") . "" . gettext(" bytes."); ?>

  + value="">  " . gettext("4,096") . "" . gettext(" bytes."); ?>

> + > " . gettext("Not Checked") . "."; ?>
> + > " . gettext("Not Checked") . "."; ?>
  - ">      - ">
- - - - + - diff --git a/config/suricata/suricata_os_policy_engine.php b/config/suricata/suricata_os_policy_engine.php index ae5a9348..ea539e92 100644 --- a/config/suricata/suricata_os_policy_engine.php +++ b/config/suricata/suricata_os_policy_engine.php @@ -26,157 +26,41 @@ * POSSIBILITY OF SUCH DAMAGE. */ -require_once("guiconfig.inc"); -require_once("/usr/local/pkg/suricata/suricata.inc"); - -global $g; - -// Grab the incoming QUERY STRING or POST variables -$id = $_GET['id']; -$eng_id = $_GET['eng_id']; -if (isset($_POST['id'])) - $id = $_POST['id']; -if (isset($_POST['eng_id'])) - $eng_id = $_POST['eng_id']; - -if (is_null($id)) { - header("Location: /suricata/suricata_interfaces.php"); - exit; -} -if (is_null($eng_id)) { - header("Location: /suricata/suricata_flow_stream.php?id={$id}"); - exit; -} - -if (!is_array($config['installedpackages']['suricata']['rule'])) - $config['installedpackages']['suricata']['rule'] = array(); -if (!is_array($config['installedpackages']['suricata']['rule'][$id]['host_os_policy']['item'])) - $config['installedpackages']['suricata']['rule'][$id]['host_os_policy']['item'] = array(); -$a_nat = &$config['installedpackages']['suricata']['rule'][$id]['host_os_policy']['item']; - -$pconfig = array(); -if (empty($a_nat[$eng_id])) { - $def = array( "name" => "engine_{$eng_id}", "bind_to" => "", "policy" => "bsd" ); - // See if this is initial entry and set to "default" if true - if ($eng_id < 1) { - $def['name'] = "default"; - $def['bind_to'] = "all"; - } - $pconfig = $def; -} -else { - $pconfig = $a_nat[$eng_id]; - - // Check for any empty values and set sensible defaults - if (empty($pconfig['policy'])) - $pconfig['policy'] = "bsd"; -} - -if ($_POST['cancel']) { - header("Location: /suricata/suricata_flow_stream.php?id={$id}"); - exit; -} - -// Check for returned "selected alias" if action is import -if ($_GET['act'] == "import") { - if ($_GET['varname'] == "bind_to" && !empty($_GET['varvalue'])) - $pconfig[$_GET['varname']] = $_GET['varvalue']; -} - -if ($_POST['save']) { - - /* Grab all the POST values and save in new temp array */ - $engine = array(); - if ($_POST['policy_name']) { $engine['name'] = trim($_POST['policy_name']); } else { $engine['name'] = "default"; } - if ($_POST['policy_bind_to']) { - if (is_alias($_POST['policy_bind_to'])) - $engine['bind_to'] = $_POST['policy_bind_to']; - elseif (strtolower(trim($_POST['policy_bind_to'])) == "all") - $engine['bind_to'] = "all"; - else - $input_errors[] = gettext("You must provide a valid Alias or the reserved keyword 'all' for the 'Bind-To IP Address' value."); - } - else { - $input_errors[] = gettext("The 'Bind-To IP Address' value cannot be blank. Provide a valid Alias or the reserved keyword 'all'."); - } - - if ($_POST['policy']) { $engine['policy'] = $_POST['policy']; } else { $engine['policy'] = "bsd"; } - - /* Can only have one "all" Bind_To address */ - if ($engine['bind_to'] == "all" && $engine['name'] <> "default") { - $input_errors[] = gettext("Only one default OS-Policy Engine can be bound to all addresses."); - $pconfig = $engine; - } - - /* if no errors, write new entry to conf */ - if (!$input_errors) { - if (isset($eng_id) && $a_nat[$eng_id]) { - $a_nat[$eng_id] = $engine; - } - else - $a_nat[] = $engine; - - /* Reorder the engine array to ensure the */ - /* 'bind_to=all' entry is at the bottom */ - /* if it contains more than one entry. */ - if (count($a_nat) > 1) { - $i = -1; - foreach ($a_nat as $f => $v) { - if ($v['bind_to'] == "all") { - $i = $f; - break; - } - } - /* Only relocate the entry if we */ - /* found it, and it's not already */ - /* at the end. */ - if ($i > -1 && ($i < (count($a_nat) - 1))) { - $tmp = $a_nat[$i]; - unset($a_nat[$i]); - $a_nat[] = $tmp; - } - } - - /* Now write the new engine array to conf */ - write_config(); - - header("Location: /suricata/suricata_flow_stream.php?id={$id}"); - exit; - } -} - -$if_friendly = convert_friendly_interface_to_friendly_descr($config['installedpackages']['suricata']['rule'][$id]['interface']); -$pgtitle = gettext("Suricata: Interface {$if_friendly} Operating System Policy Engine"); -include_once("head.inc"); - +/************************************************************************************** + This file contains code for adding/editing an existing Host OS Policy Engine. + It is included and injected inline as needed into the suricata_stream_flow.php + page to provide the edit functionality for Host OS Policy Engines. + + The following variables are assumed to exist and must be initialized + as necessary in order to utilize this page. + + $g --> system global variables array + $config --> global variable pointing to configuration information + $pengcfg --> array containing current Host OS Policy engine configuration + + Information is returned from this page via the following form fields: + + policy_name --> Unique Name for the Host OS Policy Engine + policy_bind_to --> Alias name representing "bind_to" IP address for engine + policy --> Operating system chosen for engine policy + select_alias --> Submit button for select alias operation + save_os_policy --> Submit button for save operation and exit + cancel_os_policy --> Submit button to cancel operation and exit + **************************************************************************************/ ?> - - - - -
- - -
-
- + - + -
>  - "default") + value=""/>  + "default") echo gettext("Name or description for this engine. (Max 25 characters)"); else echo "" . gettext("The name for the 'default' engine is read-only.") . "";?>
@@ -187,13 +71,13 @@ if ($savemsg)
- "default") : ?> + "default") : ?> - @@ -204,7 +88,7 @@ if ($savemsg)        + value="" autocomplete="off" readonly>  " . gettext("IP List for the default engine is read-only and must be 'all'.") . "";?>

@@ -218,7 +102,7 @@ if ($savemsg) $profile = array( 'BSD', 'BSD-Right', 'HPUX10', 'HPUX11', 'Irix', 'Linux', 'Mac-OS', 'Old-Linux', 'Old-Solaris', 'Solaris', 'Vista', 'Windows', 'Windows2k3' ); foreach ($profile as $val): ?>   
  + value="" title="" autocomplete="off"/>  "/>
  - ">      - ">
- - - - - -- cgit v1.2.3 From 5287063d4ad240bb76ebafe716c762b005bdac6a Mon Sep 17 00:00:00 2001 From: bmeeks8 Date: Mon, 24 Feb 2014 20:40:46 -0500 Subject: Some bug fixes and replace $_GET with $_POST where possible. --- config/suricata/suricata_interfaces.php | 127 +++++++++++++----------------- config/suricata/suricata_logs_browser.php | 2 +- 2 files changed, 56 insertions(+), 73 deletions(-) (limited to 'config') diff --git a/config/suricata/suricata_interfaces.php b/config/suricata/suricata_interfaces.php index 364abe62..88b426ba 100644 --- a/config/suricata/suricata_interfaces.php +++ b/config/suricata/suricata_interfaces.php @@ -27,7 +27,6 @@ * POSSIBILITY OF SUCH DAMAGE. */ -$nocsrf = true; require_once("guiconfig.inc"); require_once("/usr/local/pkg/suricata/suricata.inc"); @@ -37,16 +36,17 @@ $suricatadir = SURICATADIR; $suricatalogdir = SURICATALOGDIR; $rcdir = RCFILEPREFIX; -$id = $_GET['id']; -if (isset($_POST['id'])) +if ($_POST['id'] && is_numeric($_POST['id'])) $id = $_POST['id']; +else + $id = ""; if (!is_array($config['installedpackages']['suricata']['rule'])) $config['installedpackages']['suricata']['rule'] = array(); $a_nat = &$config['installedpackages']['suricata']['rule']; $id_gen = count($config['installedpackages']['suricata']['rule']); -if (isset($_POST['del_x'])) { +if ($_POST['del_x']) { /* delete selected rules */ if (is_array($_POST['rule'])) { conf_mount_rw(); @@ -103,11 +103,10 @@ if (isset($_POST['del_x'])) { header("Location: /suricata/suricata_interfaces.php"); exit; } - } /* start/stop Barnyard2 */ -if ($_GET['act'] == 'bartoggle' && is_numeric($id)) { +if ($_POST['bartoggle'] && is_numeric($id)) { $suricatacfg = $config['installedpackages']['suricata']['rule'][$id]; $if_real = get_real_interface($suricatacfg['interface']); $if_friendly = convert_friendly_interface_to_friendly_descr($suricatacfg['interface']); @@ -127,7 +126,7 @@ if ($_GET['act'] == 'bartoggle' && is_numeric($id)) { } /* start/stop Suricata */ -if ($_GET['act'] == 'toggle' && is_numeric($id)) { +if ($_POST['toggle'] && is_numeric($id)) { $suricatacfg = $config['installedpackages']['suricata']['rule'][$id]; $if_real = get_real_interface($suricatacfg['interface']); $if_friendly = convert_friendly_interface_to_friendly_descr($suricatacfg['interface']); @@ -159,17 +158,14 @@ include_once("head.inc"); ?> -' . $pgtitle . '

'; -?> +
+
+ + + + + + + + + + + + - - - - - - - - + + + + + + + + - - @@ -363,19 +358,13 @@ if ($pfsense_stable == 'yes') @@ -449,12 +438,6 @@ if ($pfsense_stable == 'yes') + + + + +
  - - - - - -
-
  + + +
- "; + echo gettext("ENABLED") . " "; + echo ""; echo ($no_rules) ? " " : ""; } else echo gettext("DISABLED"); ?> - "; + echo gettext("ENABLED") . " "; + echo ""; } else echo gettext("DISABLED"); ?> @@ -343,14 +343,9 @@ if ($pfsense_stable == 'yes')   - - - - -
-
+ +
- - - - -
- - " - onclick="return intf_del()"> -
+ + + + " + onclick="return intf_del()"> +
+ + + + + + + + + + + + "); + $counter++; + if($counter >= $nentries) + break; + } + } + ?> + +
IF/DateSrc/DstDetails
" . $alert['instanceid'] . " " . $alert['dateonly'] . "
" . $alert['timeonly'] . "
" . $alert['src'] . ":" . $alert['srcport'] . "
" . $alert['dst'] . ":" . $alert['dstport'] . "
Priority: " . $alert['priority'] . "
" . $alert['category'] . "
+ + + + diff --git a/config/suricata/suricata_post_install.php b/config/suricata/suricata_post_install.php index 6603d5ab..72257325 100644 --- a/config/suricata/suricata_post_install.php +++ b/config/suricata/suricata_post_install.php @@ -89,7 +89,7 @@ if ($config['installedpackages']['suricata']['config'][0]['forcekeepsettings'] = // ## BETA pkg bug fix-up -- be sure default rules enabled ## $rules = explode("||", $value['rulesets']); - foreach (array( "decoder-events.rules", "files.rules", "http-events.rules", "smtp-events.rules", "stream-events.rules" ) as $r){ + foreach (array( "decoder-events.rules", "files.rules", "http-events.rules", "smtp-events.rules", "stream-events.rules", "tls-events.rules" ) as $r){ if (!in_array($r, $rules)) $rules[] = $r; } @@ -117,6 +117,12 @@ if ($config['installedpackages']['suricata']['config'][0]['forcekeepsettings'] = // Add the recurring jobs created above to crontab configure_cron(); + // Restore the Dashboard Widget if it was previously enabled and saved + if (!empty($config['installedpackages']['suricata']['config'][0]['dashboard_widget']) && !empty($config['widgets']['sequence'])) + $config['widgets']['sequence'] .= "," . $config['installedpackages']['suricata']['config'][0]['dashboard_widget']; + if (!empty($config['installedpackages']['suricata']['config'][0]['dashboard_widget_rows']) && !empty($config['widgets'])) + $config['widgets']['widget_suricata_display_lines'] = $config['installedpackages']['suricata']['config'][0]['dashboard_widget_rows']; + $rebuild_rules = false; update_output_window(gettext("Finished rebuilding Suricata configuration files...")); log_error(gettext("[Suricata] Finished rebuilding installation from saved settings...")); @@ -132,7 +138,7 @@ if ($config['installedpackages']['suricata']['config'][0]['forcekeepsettings'] = } // Update Suricata package version in configuration -$config['installedpackages']['suricata']['config'][0]['suricata_config_ver'] = "0.1-BETA"; +$config['installedpackages']['suricata']['config'][0]['suricata_config_ver'] = "v0.2-BETA"; write_config(); // Done with post-install, so clear flag diff --git a/config/suricata/suricata_uninstall.php b/config/suricata/suricata_uninstall.php index 0a7f8d5a..b8ea6097 100644 --- a/config/suricata/suricata_uninstall.php +++ b/config/suricata/suricata_uninstall.php @@ -76,6 +76,31 @@ if ($config['installedpackages']['suricata']['config'][0]['clearlogs'] == 'on') mwexec("/bin/rm -rf /usr/local/pkg/suricata"); mwexec("/bin/rm -rf /usr/local/www/suricata"); +/* Remove our associated Dashboard widget config and files. */ +/* If "save settings" is enabled, then save old widget */ +/* container settings so we can restore them later. */ +$widgets = $config['widgets']['sequence']; +if (!empty($widgets)) { + $widgetlist = explode(",", $widgets); + foreach ($widgetlist as $key => $widget) { + if (strstr($widget, "suricata_alerts-container")) { + if ($config['installedpackages']['suricata']['config'][0]['forcekeepsettings'] == 'on') { + $config['installedpackages']['suricata']['config'][0]['dashboard_widget'] = $widget; + if ($config['widgets']['widget_suricata_display_lines']) { + $config['installedpackages']['suricata']['config'][0]['dashboard_widget_rows'] = $config['widgets']['widget_suricata_display_lines']; + unset($config['widgets']['widget_suricata_display_lines']); + } + } + unset($widgetlist[$key]); + } + } + $config['widgets']['sequence'] = implode(",", $widgetlist); + write_config(); +} +@unlink("/usr/local/www/widgets/include/widget-suricata.inc"); +@unlink("/usr/local/www/widgets/widgets/suricata_alerts.widget.php"); +@unlink("/usr/local/www/widgets/javascript/suricata_alerts.js"); + /* Keep this as a last step */ if ($config['installedpackages']['suricata']['config'][0]['forcekeepsettings'] != 'on') { log_error(gettext("Not saving settings... all Suricata configuration info and logs deleted...")); diff --git a/config/suricata/widget-suricata.inc b/config/suricata/widget-suricata.inc new file mode 100644 index 00000000..48424588 --- /dev/null +++ b/config/suricata/widget-suricata.inc @@ -0,0 +1,8 @@ + -- cgit v1.2.3 From 6fba00332aec40c41d99141adcaabb080d0d0c88 Mon Sep 17 00:00:00 2001 From: bmeeks8 Date: Fri, 28 Feb 2014 20:22:53 -0500 Subject: Add new Dashboard Widget files now included in package. --- config/suricata/suricata.priv.inc | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) (limited to 'config') diff --git a/config/suricata/suricata.priv.inc b/config/suricata/suricata.priv.inc index 7f5f1825..a17a307b 100644 --- a/config/suricata/suricata.priv.inc +++ b/config/suricata/suricata.priv.inc @@ -41,5 +41,7 @@ $priv_list['page-services-suricata']['match'][] = "suricata/suricata.inc*"; $priv_list['page-services-suricata']['match'][] = "suricata/suricata_post_install.php*"; $priv_list['page-services-suricata']['match'][] = "suricata/suricata_uninstall.php*"; $priv_list['page-services-suricata']['match'][] = "suricata/suricata_generate_yaml.php*"; - +$priv_list['page-services-suricata']['match'][] = "widgets/javascript/suricata_alerts.js*"; +$priv_list['page-services-suricata']['match'][] = "widgets/widgets/suricata_alerts.widget.php*"; +$priv_list['page-services-suricata']['match'][] = "widgets/include/widget-suricata.inc*"; ?> \ No newline at end of file -- cgit v1.2.3 From 8d584b1d31a75662ec83a9668822157ee8b95294 Mon Sep 17 00:00:00 2001 From: bmeeks8 Date: Fri, 28 Feb 2014 20:25:08 -0500 Subject: Add installation paths for Dashboard Widget files. --- config/suricata/suricata.xml | 17 ++++++++++++++++- 1 file changed, 16 insertions(+), 1 deletion(-) (limited to 'config') diff --git a/config/suricata/suricata.xml b/config/suricata/suricata.xml index f2b94d3b..46baa50c 100644 --- a/config/suricata/suricata.xml +++ b/config/suricata/suricata.xml @@ -42,7 +42,7 @@ Suricata IDS/IPS Package None suricata - 1.4.6 pkg v0.1-BETA + 1.4.6 pkg v0.2-BETA Services: Suricata IDS /usr/local/pkg/suricata/suricata.inc @@ -207,6 +207,21 @@ /usr/local/www/suricata/ 0755 + + /usr/local/www/widgets/javascript/ + 0644 + http://www.pfsense.com/packages/config/suricata/suricata_alerts.js + + + /usr/local/www/widgets/widgets/ + 0644 + http://www.pfsense.com/packages/config/suricata/suricata_alerts.widget.php + + + /usr/local/www/widgets/include/ + 0644 + http://www.pfsense.com/packages/config/suricata/widget-suricata.inc + ['installedpackages']['suricata'] -- cgit v1.2.3 From 9a7842704430cf8d2af118df85efa156d85f950f Mon Sep 17 00:00:00 2001 From: bmeeks8 Date: Fri, 28 Feb 2014 20:26:59 -0500 Subject: Match standard GUI style and add a 'force update' feature. --- config/suricata/suricata_download_updates.php | 118 ++++++++++++++++++++------ 1 file changed, 90 insertions(+), 28 deletions(-) (limited to 'config') diff --git a/config/suricata/suricata_download_updates.php b/config/suricata/suricata_download_updates.php index 200bc834..6cc585c6 100644 --- a/config/suricata/suricata_download_updates.php +++ b/config/suricata/suricata_download_updates.php @@ -35,9 +35,6 @@ require_once("/usr/local/pkg/suricata/suricata.inc"); $suricatadir = SURICATADIR; $suricata_rules_upd_log = RULES_UPD_LOGFILE; -/* load only javascript that is needed */ -$suricata_load_jquery = 'yes'; -$suricata_load_jquery_colorbox = 'yes'; $snortdownload = $config['installedpackages']['suricata']['config'][0]['enable_vrt_rules']; $emergingthreats = $config['installedpackages']['suricata']['config'][0]['enable_etopen_rules']; $etpro = $config['installedpackages']['suricata']['config'][0]['enable_etpro_rules']; @@ -52,21 +49,48 @@ if ($etpro == "on") { } else { $emergingthreats_filename = ET_DNLD_FILENAME; - $et_name = "EMERGING THREATS RULES"; + $et_name = "EMERGING THREATS OPEN RULES"; } /* quick md5 chk of downloaded rules */ -$snort_org_sig_chk_local = 'N/A'; -if (file_exists("{$suricatadir}{$snort_rules_file}.md5")) +if ($snortdownload == 'on') { + $snort_org_sig_chk_local = 'Not Downloaded'; + $snort_org_sig_date = 'Not Downloaded'; +} +else { + $snort_org_sig_chk_local = 'Not Enabled'; + $snort_org_sig_date = 'Not Enabled'; +} +if (file_exists("{$suricatadir}{$snort_rules_file}.md5")){ $snort_org_sig_chk_local = file_get_contents("{$suricatadir}{$snort_rules_file}.md5"); + $snort_org_sig_date = date(DATE_RFC850, filemtime("{$suricatadir}{$snort_rules_file}.md5")); +} -$emergingt_net_sig_chk_local = 'N/A'; -if (file_exists("{$suricatadir}{$emergingthreats_filename}.md5")) +if ($etpro == "on" || $emergingthreats == "on") { + $emergingt_net_sig_chk_local = 'Not Downloaded'; + $emergingt_net_sig_date = 'Not Downloaded'; +} +else { + $emergingt_net_sig_chk_local = 'Not Enabled'; + $emergingt_net_sig_date = 'Not Enabled'; +} +if (file_exists("{$suricatadir}{$emergingthreats_filename}.md5")) { $emergingt_net_sig_chk_local = file_get_contents("{$suricatadir}{$emergingthreats_filename}.md5"); + $emergingt_net_sig_date = date(DATE_RFC850, filemtime("{$suricatadir}{$emergingthreats_filename}.md5")); +} -$snort_community_sig_chk_local = 'N/A'; -if (file_exists("{$suricatadir}{$snort_community_rules_filename}.md5")) +if ($snortcommunityrules == 'on') { + $snort_community_sig_chk_local = 'Not Downloaded'; + $snort_community_sig_sig_date = 'Not Downloaded'; +} +else { + $snort_community_sig_chk_local = 'Not Enabled'; + $snort_community_sig_sig_date = 'Not Enabled'; +} +if (file_exists("{$suricatadir}{$snort_community_rules_filename}.md5")) { $snort_community_sig_chk_local = file_get_contents("{$suricatadir}{$snort_community_rules_filename}.md5"); + $snort_community_sig_sig_date = date(DATE_RFC850, filemtime("{$suricatadir}{$snort_community_rules_filename}.md5")); +} /* Check for postback to see if we should clear the update log file. */ if ($_POST['clear']) { @@ -74,7 +98,28 @@ if ($_POST['clear']) { mwexec("/bin/rm -f {$suricata_rules_upd_log}"); } -if ($_POST['update']) { +if ($_POST['check']) { + // Go see if new updates for rule sets are available + header("Location: /suricata/suricata_download_rules.php"); + exit; +} + +if ($_POST['force']) { + // Mount file system R/W since we need to remove files + conf_mount_rw(); + + // Remove the existing MD5 signature files to force a download + if (file_exists("{$suricatadir}{$emergingthreats_filename}.md5")) + @unlink("{$suricatadir}{$emergingthreats_filename}.md5"); + if (file_exists("{$suricatadir}{$snort_community_rules_filename}.md5")) + @unlink("{$suricatadir}{$snort_community_rules_filename}.md5"); + if (file_exists("{$suricatadir}{$snort_rules_file}.md5")) + @unlink("{$suricatadir}{$snort_rules_file}.md5"); + + // Revert file system to R/O. + conf_mount_ro(); + + // Go download the updates header("Location: /suricata/suricata_download_rules.php"); exit; } @@ -131,21 +176,32 @@ include_once("head.inc");
- + @@ -156,16 +212,22 @@ include_once("head.inc"); @@ -178,15 +240,15 @@ include_once("head.inc");
- " name="hide" id="hide" class="formbtn" + " name="hide" id="hide" class="formbtn" title=""/> - " name="view" id="view" class="formbtn" + " name="view" id="view" class="formbtn" title=""/> -          - " name="clear" id="clear" class="formbtn" - title="" onClick="return confirm('Are you sure?\nOK to confirm, or CANCEL to quit');"/> +      + " name="clear" id="clear" class="formbtn" + title="" onClick="return confirm('Are you sure you want to delete the log contents?\nOK to confirm, or CANCEL to quit');"/>

@@ -211,7 +273,7 @@ include_once("head.inc"); -- cgit v1.2.3 From 16117ee018a4c59bd82766ad91cff013b022dbd5 Mon Sep 17 00:00:00 2001 From: bmeeks8 Date: Fri, 28 Feb 2014 20:29:41 -0500 Subject: Prevent deleting of Suppress Lists in active use. --- config/suricata/suricata_suppress.php | 141 ++++++++++++++++++++++------------ 1 file changed, 93 insertions(+), 48 deletions(-) (limited to 'config') diff --git a/config/suricata/suricata_suppress.php b/config/suricata/suricata_suppress.php index 58839dce..e97006dc 100644 --- a/config/suricata/suricata_suppress.php +++ b/config/suricata/suricata_suppress.php @@ -61,6 +61,28 @@ function suricata_suppresslist_used($supplist) { return false; } +function suricata_find_suppresslist_interface($supplist) { + + /****************************************************************/ + /* This function finds the first (if more than one) interface */ + /* configured to use the passed Suppress List and returns the */ + /* index of the interface in the ['rule'] config array. */ + /* */ + /* Returns: index of interface in ['rule'] config array or */ + /* FALSE if no interface found. */ + /****************************************************************/ + + global $config; + $suricataconf = $config['installedpackages']['suricata']['rule']; + if (empty($suricataconf)) + return false; + foreach ($suricataconf as $rule => $value) { + if ($value['suppresslistname'] == $supplist) + return $rule; + } + return false; +} + if ($_GET['act'] == "del") { if ($a_suppress[$_GET['id']]) { // make sure list is not being referenced by any Suricata-configured interface @@ -108,54 +130,74 @@ if ($input_errors) { @@ -163,7 +205,10 @@ if ($input_errors) {



+ "take effect."); ?>

+ " . + gettext("You must first unassign the Suppress List on the Interface Edit tab."); ?> +


- +
+ + + + + + + - + + - + + + - + +
  --->
SNORT VRT RULES  --->
SNORT GPLv2 COMMUNITY RULES  --->

-

-

-    +
     + +
+

+   Global Settings Tab' . gettext(' to select rule types.'); ?> -

+


- " name="update" id="submit" class="formbtn" - title=""/>

+ " name="check" id="check" class="formbtn" + title=""/>     + " name="force" id="force" class="formbtn" + title="" + onclick="return confirm('');"/> +


-   " . +  " . gettext(" and ") . "" . gettext("EmergingThreats.net") . "" . gettext(" will go down from time to time. Please be patient."); ?>

- - - - - - - - - - - - - - - - - - -
- -   - - - - - - +
">')">">
+ + + + + + + + + + "; + } + else + $icon = ""; + ?> + + + + + + + + + + +
+   +   + + + + + + + + + + + + +
">"/> + "/> + ')">"> 
+
+ + + + + +
 ">
+
-
- - - - - -
 ">
-
-- cgit v1.2.3 From 9e7d630ecf8377ec58606895c077918e4cf37ff8 Mon Sep 17 00:00:00 2001 From: bmeeks8 Date: Fri, 28 Feb 2014 20:31:38 -0500 Subject: Add new output option for Bro-IDS destination for Barnyard2. --- config/suricata/suricata_barnyard.php | 161 ++++++++++++++++++++++++++-------- 1 file changed, 126 insertions(+), 35 deletions(-) (limited to 'config') diff --git a/config/suricata/suricata_barnyard.php b/config/suricata/suricata_barnyard.php index f0bdbd17..e1ae892e 100644 --- a/config/suricata/suricata_barnyard.php +++ b/config/suricata/suricata_barnyard.php @@ -46,8 +46,8 @@ if (!is_array($config['installedpackages']['suricata']['rule'])) $a_nat = &$config['installedpackages']['suricata']['rule']; $pconfig = array(); + if (isset($id) && $a_nat[$id]) { - /* old options */ $pconfig = $a_nat[$id]; if (!empty($a_nat[$id]['barnconfigpassthru'])) $pconfig['barnconfigpassthru'] = base64_decode($a_nat[$id]['barnconfigpassthru']); @@ -69,28 +69,20 @@ if (isset($id) && $a_nat[$id]) { $pconfig['barnyard_syslog_facility'] = "LOG_USER"; if (empty($a_nat[$id]['barnyard_syslog_priority'])) $pconfig['barnyard_syslog_priority'] = "LOG_INFO"; + if (empty($a_nat[$id]['barnyard_bro_ids_dport'])) + $pconfig['barnyard_bro_ids_dport'] = "47760"; if (empty($a_nat[$id]['barnyard_sensor_name'])) $pconfig['barnyard_sensor_name'] = php_uname("n"); } -if (isset($_GET['dup'])) - unset($id); - -if ($_POST) { - - foreach ($a_nat as $natent) { - if (isset($id) && ($a_nat[$id]) && ($a_nat[$id] === $natent)) - continue; - if ($natent['interface'] != $_POST['interface']) - $input_error[] = "This interface has already an instance defined"; - } - +if ($_POST['save']) { // Check that at least one output plugin is enabled - if ($_POST['barnyard_mysql_enable'] != 'on' && $_POST['barnyard_syslog_enable'] != 'on') + if ($_POST['barnyard_mysql_enable'] != 'on' && $_POST['barnyard_syslog_enable'] != 'on' && + $_POST['barnyard_bro_ids_enable'] != 'on' && $_POST['barnyard_enable'] == "on") $input_errors[] = gettext("You must enable at least one output option when using Barnyard2."); // Validate inputs if MySQL database loggging enabled - if ($_POST['barnyard_mysql_enable'] == 'on') { + if ($_POST['barnyard_mysql_enable'] == 'on' && $_POST['barnyard_enable'] == "on") { if (empty($_POST['barnyard_dbhost'])) $input_errors[] = gettext("Please provide a valid hostname or IP address for the MySQL database host."); if (empty($_POST['barnyard_dbname'])) @@ -100,13 +92,22 @@ if ($_POST) { } // Validate inputs if syslog output enabled - if ($_POST['barnyard_syslog_enable'] == 'on' && $_POST['barnyard_syslog_local'] <> 'on') { + if ($_POST['barnyard_syslog_enable'] == 'on' && $_POST['barnyard_syslog_local'] <> 'on' && + $_POST['barnyard_enable'] == "on") { if (empty($_POST['barnyard_syslog_dport']) || !is_numeric($_POST['barnyard_syslog_dport'])) $input_errors[] = gettext("Please provide a valid number between 1 and 65535 for the Syslog Remote Port."); if (empty($_POST['barnyard_syslog_rhost'])) $input_errors[] = gettext("Please provide a valid hostname or IP address for the Syslog Remote Host."); } + // Validate inputs if Bro-IDS output enabled + if ($_POST['barnyard_bro_ids_enable'] == 'on' && $_POST['barnyard_enable'] == "on") { + if (empty($_POST['barnyard_bro_ids_dport']) || !is_numeric($_POST['barnyard_bro_ids_dport'])) + $input_errors[] = gettext("Please provide a valid number between 1 and 65535 for the Bro-IDS Remote Port."); + if (empty($_POST['barnyard_bro_ids_rhost'])) + $input_errors[] = gettext("Please provide a valid hostname or IP address for the Bro-IDS Remote Host."); + } + // if no errors write to conf if (!$input_errors) { $natent = array(); @@ -121,6 +122,7 @@ if ($_POST) { $natent['barnyard_mysql_enable'] = $_POST['barnyard_mysql_enable'] ? 'on' : 'off'; $natent['barnyard_syslog_enable'] = $_POST['barnyard_syslog_enable'] ? 'on' : 'off'; $natent['barnyard_syslog_local'] = $_POST['barnyard_syslog_local'] ? 'on' : 'off'; + $natent['barnyard_bro_ids_enable'] = $_POST['barnyard_bro_ids_enable'] ? 'on' : 'off'; $natent['barnyard_syslog_opmode'] = $_POST['barnyard_syslog_opmode']; $natent['barnyard_syslog_proto'] = $_POST['barnyard_syslog_proto']; @@ -133,23 +135,30 @@ if ($_POST) { if ($_POST['barnyard_syslog_dport']) $natent['barnyard_syslog_dport'] = $_POST['barnyard_syslog_dport']; else $natent['barnyard_syslog_dport'] = '514'; if ($_POST['barnyard_syslog_facility']) $natent['barnyard_syslog_facility'] = $_POST['barnyard_syslog_facility']; else $natent['barnyard_syslog_facility'] = 'LOG_USER'; if ($_POST['barnyard_syslog_priority']) $natent['barnyard_syslog_priority'] = $_POST['barnyard_syslog_priority']; else $natent['barnyard_syslog_priority'] = 'LOG_INFO'; + if ($_POST['barnyard_bro_ids_rhost']) $natent['barnyard_bro_ids_rhost'] = $_POST['barnyard_bro_ids_rhost']; else unset($natent['barnyard_bro_ids_rhost']); + if ($_POST['barnyard_bro_ids_dport']) $natent['barnyard_bro_ids_dport'] = $_POST['barnyard_bro_ids_dport']; else $natent['barnyard_bro_ids_dport'] = '47760'; if ($_POST['barnconfigpassthru']) $natent['barnconfigpassthru'] = base64_encode($_POST['barnconfigpassthru']); else unset($natent['barnconfigpassthru']); - if (isset($id) && $a_nat[$id]) - $a_nat[$id] = $natent; - else { - $a_nat[] = $natent; - } - + $a_nat[$id] = $natent; write_config(); - // No need to rebuild rules if just toggling Barnyard2 on or off + // No need to rebuild rules for Barnyard2 changes $rebuild_rules = false; sync_suricata_package_config(); - // Signal any running barnyard2 instance on this interface to - // reload its configuration to pick up any changes made. - suricata_barnyard_reload_config($a_nat[$id], "HUP"); + // If disabling Barnyard2 on the interface, stop any + // currently running instance. If an instance is + // running, signal it to reload the configuration. + // If Barnyard2 is enabled but not running, start it. + if ($a_nat[$id]['barnyard_enable'] == "off") { + suricata_barnyard_stop($a_nat[$id], get_real_interface($a_nat[$id]['interface'])); + } + elseif ($a_nat[$id]['barnyard_enable'] == "on") { + if (suricata_is_running($a_nat[$id]['uuid'], get_real_interface($a_nat[$id]['interface']), "barnyard2")) + suricata_barnyard_reload_config($a_nat[$id], "HUP"); + else + suricata_barnyard_start($a_nat[$id], get_real_interface($a_nat[$id]['interface'])); + } // after click go to this page header( 'Expires: Sat, 26 Jul 1997 05:00:00 GMT' ); @@ -160,6 +169,33 @@ if ($_POST) { header("Location: suricata_barnyard.php?id=$id"); exit; } + else { + // We had errors, so save incoming field data to prevent retyping + $pconfig['barnyard_enable'] = $_POST['barnyard_enable']; + $pconfig['barnyard_show_year'] = $_POST['barnyard_show_year']; + $pconfig['barnyard_archive_enable'] = $_POST['barnyard_archive_enable']; + $pconfig['barnyard_dump_payload'] = $_POST['barnyard_dump_payload']; + $pconfig['barnyard_obfuscate_ip'] = $_POST['barnyard_obfuscate_ip']; + $pconfig['barnyard_mysql_enable'] = $_POST['barnyard_mysql_enable']; + $pconfig['barnyard_syslog_enable'] = $_POST['barnyard_syslog_enable']; + $pconfig['barnyard_syslog_local'] = $_POST['barnyard_syslog_local']; + $pconfig['barnyard_syslog_opmode'] = $_POST['barnyard_syslog_opmode']; + $pconfig['barnyard_syslog_proto'] = $_POST['barnyard_syslog_proto']; + $pconfig['barnyard_bro_ids_enable'] = $_POST['barnyard_bro_ids_enable']; + + $pconfig['barnyard_sensor_name'] = $_POST['barnyard_sensor_name']; + $pconfig['barnyard_dbhost'] = $_POST['barnyard_dbhost']; + $pconfig['barnyard_dbname'] = $_POST['barnyard_dbname']; + $pconfig['barnyard_dbuser'] = $_POST['barnyard_dbuser']; + $pconfig['barnyard_dbpwd'] = $_POST['barnyard_dbpwd']; + $pconfig['barnyard_syslog_rhost'] = $_POST['barnyard_syslog_rhost']; + $pconfig['barnyard_syslog_dport'] = $_POST['barnyard_syslog_dport']; + $pconfig['barnyard_syslog_facility'] = $_POST['barnyard_syslog_facility']; + $pconfig['barnyard_syslog_priority'] = $_POST['barnyard_syslog_priority']; + $pconfig['barnyard_bro_ids_rhost'] = $_POST['barnyard_bro_ids_rhost']; + $pconfig['barnyard_bro_ids_dport'] = $_POST['barnyard_bro_ids_dport']; + $pconfig['barnconfigpassthru'] = $_POST['barnconfigpassthru']; + } } $if_friendly = convert_friendly_interface_to_friendly_descr($pconfig['interface']); @@ -169,10 +205,8 @@ include_once("head.inc"); ?> - -' . $pgtitle . '

';}?> + +?> -
+ '; echo ' - @@ -272,6 +304,7 @@ include_once("head.inc"); onClick="toggle_mySQL()"/>
+ + @@ -315,6 +349,7 @@ include_once("head.inc");
+ + + + + + + + + + + + + + + + + + + @@ -410,7 +475,7 @@ include_once("head.inc"); @@ -435,6 +500,11 @@ function toggle_mySQL() { document.iform.barnyard_dbname.disabled = endis; document.iform.barnyard_dbuser.disabled = endis; document.iform.barnyard_dbpwd.disabled = endis; + + if (endis) + document.getElementById("mysql_config_rows").style.display = "none"; + else + document.getElementById("mysql_config_rows").style.display = ""; } function toggle_syslog() { @@ -449,6 +519,11 @@ function toggle_syslog() { document.iform.barnyard_syslog_proto_tcp.disabled = endis; document.iform.barnyard_syslog_facility.disabled = endis; document.iform.barnyard_syslog_priority.disabled = endis; + + if (endis) + document.getElementById("syslog_config_rows").style.display = "none"; + else + document.getElementById("syslog_config_rows").style.display = ""; } function toggle_local_syslog() { @@ -464,6 +539,18 @@ function toggle_local_syslog() { } } +function toggle_bro_ids() { + var endis = !document.iform.barnyard_bro_ids_enable.checked; + + document.iform.barnyard_bro_ids_rhost.disabled = endis; + document.iform.barnyard_bro_ids_dport.disabled = endis; + + if (endis) + document.getElementById("bro_ids_config_rows").style.display = "none"; + else + document.getElementById("bro_ids_config_rows").style.display = ""; +} + function enable_change(enable_change) { endis = !(document.iform.barnyard_enable.checked || enable_change); // make sure a default answer is called if this is invoked. @@ -488,6 +575,9 @@ function enable_change(enable_change) { document.iform.barnyard_syslog_proto_tcp.disabled = endis; document.iform.barnyard_syslog_facility.disabled = endis; document.iform.barnyard_syslog_priority.disabled = endis; + document.iform.barnyard_bro_ids_enable.disabled = endis; + document.iform.barnyard_bro_ids_rhost.disabled = endis; + document.iform.barnyard_bro_ids_dport.disabled = endis; document.iform.barnconfigpassthru.disabled = endis; } @@ -495,6 +585,7 @@ enable_change(false); toggle_mySQL(); toggle_syslog(); toggle_local_syslog(); +toggle_bro_ids(); -- cgit v1.2.3 From 5f19d9dbc9d3ecc8ae541d80a4309baa95afcc1b Mon Sep 17 00:00:00 2001 From: bmeeks8 Date: Fri, 28 Feb 2014 20:33:56 -0500 Subject: Remove last of custom wrapper funcs and incorporate Bro-IDS for Barnyard2. --- config/suricata/suricata.inc | 52 +++++++++++++++++++------------------------- 1 file changed, 22 insertions(+), 30 deletions(-) (limited to 'config') diff --git a/config/suricata/suricata.inc b/config/suricata/suricata.inc index b87e2f6a..1b6f5eb3 100644 --- a/config/suricata/suricata.inc +++ b/config/suricata/suricata.inc @@ -39,6 +39,10 @@ global $g, $config; if (!is_array($config['installedpackages']['suricata'])) $config['installedpackages']['suricata'] = array(); +// Define the binary and package build versions +define('SURICATA_VER', '1.4.6'); +define('SURICATA_PKG_VER', 'v0.2-BETA'); + // Create some other useful defines define('SURICATADIR', '/usr/pbi/suricata-' . php_uname("m") . '/etc/suricata/'); define('SURICATALOGDIR', '/var/log/suricata/'); @@ -76,9 +80,9 @@ function suricata_is_running($suricata_uuid, $if_real, $type = 'suricata') { global $config, $g; if (isvalidpid("{$g['varrun_path']}/{$type}_{$if_real}{$suricata_uuid}.pid")) - return 'yes'; + return true; else - return 'no'; + return false; } function suricata_barnyard_stop($suricatacfg, $if_real) { @@ -154,7 +158,7 @@ function suricata_reload_config($suricatacfg, $signal="USR2") { $suricatadir = SURICATADIR; $suricata_uuid = $suricatacfg['uuid']; - $if_real = suricata_get_real_interface($suricatacfg['interface']); + $if_real = get_real_interface($suricatacfg['interface']); /******************************************************/ /* Only send the SIGUSR2 if Suricata is running and */ @@ -183,7 +187,7 @@ function suricata_barnyard_reload_config($suricatacfg, $signal="HUP") { $suricatadir = SURICATADIR; $suricata_uuid = $suricatacfg['uuid']; - $if_real = suricata_get_real_interface($suricatacfg['interface']); + $if_real = get_real_interface($suricatacfg['interface']); /******************************************************/ /* Only send the SIGHUP if Barnyard2 is running and */ @@ -196,22 +200,6 @@ function suricata_barnyard_reload_config($suricatacfg, $signal="HUP") { } } -function suricata_get_friendly_interface($interface) { - - // Pass this directly to the system for now. - // Later, this wrapper will be removed and all - // the Suricata code changed to use the system call. - return convert_friendly_interface_to_friendly_descr($interface); -} - -function suricata_get_real_interface($interface) { - - // Pass this directly to the system for now. - // Later, this wrapper will be removed and all - // the Suricata code changed to use the system call. - return get_real_interface($interface); -} - function suricata_get_blocked_ips() { // This is a placeholder function for later use. @@ -517,7 +505,7 @@ function sync_suricata_package_config() { $suricataconf = $config['installedpackages']['suricata']['rule']; foreach ($suricataconf as $value) { - $if_real = suricata_get_real_interface($value['interface']); + $if_real = get_real_interface($value['interface']); // create a suricata.yaml file for interface suricata_generate_yaml($value); @@ -669,7 +657,7 @@ function suricata_post_delete_logs($suricata_uuid = 0) { foreach ($config['installedpackages']['suricata']['rule'] as $value) { if ($value['uuid'] != $suricata_uuid) continue; - $if_real = suricata_get_real_interface($value['interface']); + $if_real = get_real_interface($value['interface']); $suricata_log_dir = SURICATALOGDIR . "suricata_{$if_real}{$suricata_uuid}"; if ($if_real != '') { @@ -1508,7 +1496,7 @@ function suricata_prepare_rule_files($suricatacfg, $suricatacfgdir) { return; // Log a message for rules rebuild in progress - log_error(gettext("[Suricata] Updating rules configuration for: " . suricata_get_friendly_interface($suricatacfg['interface']) . " ...")); + log_error(gettext("[Suricata] Updating rules configuration for: " . convert_friendly_interface_to_friendly_descr($suricatacfg['interface']) . " ...")); // Only rebuild rules if some are selected or an IPS Policy is enabled if (!empty($suricatacfg['rulesets']) || $suricatacfg['ips_policy_enable'] == 'on') { @@ -1581,7 +1569,7 @@ function suricata_prepare_rule_files($suricatacfg, $suricatacfgdir) { // If auto-flowbit resolution is enabled, generate the dependent flowbits rules file. if ($suricatacfg['autoflowbitrules'] == 'on') { - log_error('[Suricata] Enabling any flowbit-required rules for: ' . suricata_get_friendly_interface($suricatacfg['interface']) . '...'); + log_error('[Suricata] Enabling any flowbit-required rules for: ' . convert_friendly_interface_to_friendly_descr($suricatacfg['interface']) . '...'); $fbits = suricata_resolve_flowbits($all_rules, $enabled_rules); // Check for and disable any flowbit-required rules the user has @@ -1606,11 +1594,11 @@ function suricata_prepare_rule_files($suricatacfg, $suricatacfgdir) { // Log a warning if the interface has no rules defined or enabled if ($no_rules_defined) - log_error(gettext("[Suricata] Warning - no text rules selected for: " . suricata_get_friendly_interface($suricatacfg['interface']) . " ...")); + log_error(gettext("[Suricata] Warning - no text rules selected for: " . convert_friendly_interface_to_friendly_descr($suricatacfg['interface']) . " ...")); // Build a new sid-msg.map file from the enabled // rules and copy it to the interface directory. - log_error(gettext("[Suricata] Building new sig-msg.map file for " . suricata_get_friendly_interface($suricatacfg['interface']) . "...")); + log_error(gettext("[Suricata] Building new sig-msg.map file for " . convert_friendly_interface_to_friendly_descr($suricatacfg['interface']) . "...")); suricata_build_sid_msg_map("{$suricatacfgdir}/rules/", "{$suricatacfgdir}/sid-msg.map"); } @@ -1695,7 +1683,7 @@ function suricata_create_rc() { // the shell script. foreach ($suricataconf as $value) { $suricata_uuid = $value['uuid']; - $if_real = suricata_get_real_interface($value['interface']); + $if_real = get_real_interface($value['interface']); $start_barnyard = << Date: Fri, 28 Feb 2014 20:37:09 -0500 Subject: Remove use of SESSION vars and convert to $_POST to save return page. --- config/suricata/suricata_rules_flowbits.php | 90 +++++++++++++---------------- 1 file changed, 41 insertions(+), 49 deletions(-) (limited to 'config') diff --git a/config/suricata/suricata_rules_flowbits.php b/config/suricata/suricata_rules_flowbits.php index ca424344..53019894 100644 --- a/config/suricata/suricata_rules_flowbits.php +++ b/config/suricata/suricata_rules_flowbits.php @@ -41,34 +41,34 @@ if (!is_array($config['installedpackages']['suricata']['rule'])) { } $a_nat = &$config['installedpackages']['suricata']['rule']; -// Set who called us so we can return to the correct page with -// the RETURN button. We will just trust this User-Agent supplied -// string for now. -session_start(); -if(!isset($_SESSION['org_referer'])) - $_SESSION['org_referer'] = $_SERVER['HTTP_REFERER']; -$referrer = $_SESSION['org_referer']; - -if ($_POST['cancel']) { - session_start(); - unset($_SESSION['org_referer']); - session_write_close(); - header("Location: {$referrer}"); - exit; -} - -$id = $_GET['id']; if (isset($_POST['id'])) $id = $_POST['id']; +elseif (isset($_GET['id'])) + $id = $_GET['id']; + if (is_null($id)) { - session_start(); - unset($_SESSION['org_referer']); - session_write_close(); header("Location: /suricata/suricata_interfaces.php"); exit; } -$if_real = suricata_get_real_interface($a_nat[$id]['interface']); +// Set who called us so we can return to the correct page with +// the RETURN ('cancel') button. +if ($_POST['referrer']) + $referrer = $_POST['referrer']; +else + $referrer = $_SERVER['HTTP_REFERER']; + +// Make sure a rule index ID is appended to the return URL +if (strpos($referrer, "?id={$id}") === FALSE) + $referrer .= "?id={$id}"; + +// If RETURN button clicked, exit to original calling page +if ($_POST['cancel']) { + header("Location: {$referrer}"); + exit; +} + +$if_real = get_real_interface($a_nat[$id]['interface']); $suricata_uuid = $a_nat[$id]['uuid']; /* We should normally never get to this page if Auto-Flowbits are disabled, but just in case... */ @@ -83,12 +83,13 @@ if ($a_nat[$id]['autoflowbitrules'] == 'on') { else $input_errors[] = gettext("Auto-Flowbit rule generation is disabled for this interface!"); -if ($_GET['act'] == "addsuppress" && is_numeric($_GET['sidid']) && is_numeric($_GET['gen_id'])) { - $descr = suricata_get_msg($rules_map[$_GET['gen_id']][$_GET['sidid']]['rule']); +if ($_POST['addsuppress'] && is_numeric($_POST['sid']) && is_numeric($_POST['gid'])) { + $descr = suricata_get_msg($rules_map[$_POST['gid']][$_POST['sid']]['rule']); + $suppress = gettext("## -- This rule manually suppressed from the Auto-Flowbits list. -- ##\n"); if (empty($descr)) - $suppress = "suppress gen_id {$_GET['gen_id']}, sig_id {$_GET['sidid']}\n"; + $suppress .= "suppress gen_id {$_POST['gid']}, sig_id {$_POST['sid']}\n"; else - $suppress = "# {$descr}\nsuppress gen_id {$_GET['gen_id']}, sig_id {$_GET['sidid']}\n"; + $suppress .= "# {$descr}\nsuppress gen_id {$_POST['gid']}, sig_id {$_POST['sid']}\n"; if (!is_array($config['installedpackages']['suricata']['suppress'])) $config['installedpackages']['suricata']['suppress'] = array(); if (!is_array($config['installedpackages']['suricata']['suppress']['item'])) @@ -128,7 +129,7 @@ if ($_GET['act'] == "addsuppress" && is_numeric($_GET['sidid']) && is_numeric($_ $rebuild_rules = false; sync_suricata_package_config(); suricata_reload_config($a_nat[$id]); - $savemsg = gettext("An entry to suppress the Alert for 'gen_id {$_GET['gen_id']}, sig_id {$_GET['sidid']}' has been added to Suppress List '{$a_nat[$id]['suppresslistname']}'."); + $savemsg = gettext("An entry to suppress the Alert for 'gen_id {$_POST['gid']}, sig_id {$_POST['sid']}' has been added to Suppress List '{$a_nat[$id]['suppresslistname']}'."); } else { /* We did not find the defined list, so notify the user with an error */ @@ -136,23 +137,10 @@ if ($_GET['act'] == "addsuppress" && is_numeric($_GET['sidid']) && is_numeric($_ } } -function truncate($string, $length) { - - /******************************** - * This function truncates the * - * passed string to the length * - * specified adding ellipsis if * - * truncation was necessary. * - ********************************/ - if (strlen($string) > $length) - $string = substr($string, 0, ($length - 3)) . "..."; - return $string; -} - /* Load up an array with the current Suppression List GID,SID values */ $supplist = suricata_load_suppress_sigs($a_nat[$id]); -$if_friendly = suricata_get_friendly_interface($a_nat[$id]['interface']); +$if_friendly = convert_friendly_interface_to_friendly_descr($a_nat[$id]['interface']); $pgtitle = gettext("Suricata: Interface {$if_friendly} - Flowbit Rules"); include_once("head.inc"); @@ -162,12 +150,15 @@ include_once("head.inc"); ' . $pgtitle . '

';} if ($input_errors) print_input_errors($input_errors); if ($savemsg) print_info_box($savemsg); ?> + + + +
'; @@ -261,7 +294,6 @@ include_once("head.inc");  
@@ -304,6 +337,7 @@ include_once("head.inc");  
@@ -395,6 +430,36 @@ include_once("head.inc"); " . gettext("LOG_INFO") . "."; ?>
+ + onClick="toggle_bro_ids()"/> +
+
+ +   +
+ +  " . gettext("47760") . "."; ?> +
  - +
@@ -248,18 +239,19 @@ if ($savemsg) $rule_content = preg_split('/[\s]+/', $tmp); $protocol = $rule_content[1]; //protocol - $source = truncate($rule_content[2], 14); //source - $destination = truncate($rule_content[5], 14); //destination + $source = $rule_content[2]; //source + $destination = $rule_content[5]; //destination $message = suricata_get_msg($v['rule']); $flowbits = implode("; ", suricata_get_flowbits($v['rule'])); if (strstr($flowbits, "noalert")) $supplink = ""; else { if (!isset($supplist[$gid][$sid])) { - $supplink = ""; - $supplink .= ""; + $supplink .= gettext("Click to add to Suppress List") . "'/>"; } else { $supplink = "" . - "" . + "" . "" . - "" . - "" . + "" . + "" . "" . "" . ""; -- cgit v1.2.3 From 3d4247441ec7b090ee4340c3e78e42a9b31632fd Mon Sep 17 00:00:00 2001 From: bmeeks8 Date: Fri, 28 Feb 2014 20:39:15 -0500 Subject: Allow passing of interface index for opening associated logs. --- config/suricata/suricata_logs_browser.php | 2 ++ 1 file changed, 2 insertions(+) (limited to 'config') diff --git a/config/suricata/suricata_logs_browser.php b/config/suricata/suricata_logs_browser.php index 38310b9f..9fc24927 100644 --- a/config/suricata/suricata_logs_browser.php +++ b/config/suricata/suricata_logs_browser.php @@ -32,6 +32,8 @@ require_once("/usr/local/pkg/suricata/suricata.inc"); if ($_POST['instance']) $instanceid = $_POST['instance']; +if ($_GET['instance']) + $instanceid = $_GET['instance']; if (empty($instanceid)) $instanceid = 0; -- cgit v1.2.3 From af5566164c9b0b412962c26b831e78c499f53281 Mon Sep 17 00:00:00 2001 From: bmeeks8 Date: Fri, 28 Feb 2014 20:41:37 -0500 Subject: Bug fixes and enhancements for v0.2-BETA in Suricata pkg. --- config/suricata/suricata_alerts.php | 33 ++++++----- config/suricata/suricata_app_parsers.php | 15 +++-- config/suricata/suricata_check_cron_misc.inc | 2 +- .../suricata/suricata_check_for_rule_updates.php | 51 ++++++++++++----- config/suricata/suricata_define_vars.php | 2 +- config/suricata/suricata_flow_stream.php | 9 ++- config/suricata/suricata_global.php | 66 ++++++++++++---------- config/suricata/suricata_interfaces.php | 42 +++++--------- config/suricata/suricata_interfaces_edit.php | 38 ++++--------- config/suricata/suricata_libhtp_policy_engine.php | 6 +- config/suricata/suricata_os_policy_engine.php | 6 +- config/suricata/suricata_rules.php | 61 +++++--------------- config/suricata/suricata_rules_edit.php | 23 ++++---- config/suricata/suricata_rulesets.php | 36 +++++++----- 14 files changed, 178 insertions(+), 212 deletions(-) (limited to 'config') diff --git a/config/suricata/suricata_alerts.php b/config/suricata/suricata_alerts.php index 3fc39f36..75f21333 100644 --- a/config/suricata/suricata_alerts.php +++ b/config/suricata/suricata_alerts.php @@ -274,12 +274,10 @@ if ($_POST['togglesid'] && is_numeric($_POST['sidid']) && is_numeric($_POST['gen } if ($_POST['delete']) { - conf_mount_rw(); suricata_post_delete_logs($suricata_uuid); $fd = @fopen("{$suricatalogdir}suricata_{$if_real}{$suricata_uuid}/alerts.log", "w+"); if ($fd) fclose($fd); - conf_mount_ro(); /* XXX: This is needed if suricata is run as suricata user */ mwexec('/bin/chmod 660 {$suricatalogdir}*', true); sigkillbypid("{$g['varrun_path']}/suricata_{$if_real}{$suricata_uuid}.pid", "HUP"); @@ -375,7 +373,7 @@ if ($savemsg) { $selected = ""; if ($id == $instanceid) $selected = "selected"; - echo "\n"; + echo "\n"; } ?>    @@ -386,7 +384,7 @@ if ($savemsg) {    + onclick="return confirm('Do you really want to remove all instance logs?');"> @@ -439,21 +437,30 @@ if ($savemsg) { /* make sure alert file exists */ if (file_exists("/var/log/suricata/suricata_{$if_real}{$suricata_uuid}/alerts.log")) { - exec("tail -{$anentries} -r /var/log/suricata/suricata_{$if_real}{$suricata_uuid}/alerts.log > /tmp/alerts_{$suricata_uuid}"); - if (file_exists("/tmp/alerts_{$suricata_uuid}")) { + exec("tail -{$anentries} -r /var/log/suricata/suricata_{$if_real}{$suricata_uuid}/alerts.log > /tmp/alerts_suricata{$suricata_uuid}"); + if (file_exists("/tmp/alerts_suricata{$suricata_uuid}")) { $tmpblocked = array_flip(suricata_get_blocked_ips()); $counter = 0; /* 0 1 2 3 4 5 6 7 8 9 10 11 12 */ /* File format timestamp,action,sig_generator,sig_id,sig_rev,msg,classification,priority,proto,src,srcport,dst,dstport */ - $fd = fopen("/tmp/alerts_{$suricata_uuid}", "r"); + $fd = fopen("/tmp/alerts_suricata{$suricata_uuid}", "r"); while (($fields = fgetcsv($fd, 1000, ',', '"')) !== FALSE) { if(count($fields) < 12) continue; + // Create a DateTime object from the event timestamp that + // we can use to easily manipulate output formats. + $event_tm = date_create_from_format("m/d/Y-H:i:s.u", $fields[0]); + + // Check the 'CATEGORY' field for the text "(null)" and + // substitute "Not Assigned". + if ($fields[6] == "(null)") + $fields[6] = "Not Assigned"; + /* Time */ - $alert_time = substr($fields[0], strpos($fields[0], '-')+1, -7); + $alert_time = date_format($event_tm, "H:i:s"); /* Date */ - $alert_date = trim(substr($fields[0], 0, strpos($fields[0], '-'))); + $alert_date = date_format($event_tm, "m/d/Y"); /* Description */ $alert_descr = $fields[5]; $alert_descr_url = urlencode($fields[5]); @@ -462,7 +469,7 @@ if (file_exists("/var/log/suricata/suricata_{$if_real}{$suricata_uuid}/alerts.lo /* Protocol */ $alert_proto = $fields[8]; /* IP SRC */ - $alert_ip_src = $fields[9]; + $alert_ip_src = inet_ntop(inet_pton($fields[9])); /* Add zero-width space as soft-break opportunity after each colon if we have an IPv6 address */ $alert_ip_src = str_replace(":", ":​", $alert_ip_src); /* Add Reverse DNS lookup icons */ @@ -491,7 +498,7 @@ if (file_exists("/var/log/suricata/suricata_{$if_real}{$suricata_uuid}/alerts.lo /* IP SRC Port */ $alert_src_p = $fields[10]; /* IP Destination */ - $alert_ip_dst = $fields[11]; + $alert_ip_dst = inet_ntop(inet_pton($fields[11])); /* Add zero-width space as soft-break opportunity after each colon if we have an IPv6 address */ $alert_ip_dst = str_replace(":", ":​", $alert_ip_dst); /* Add Reverse DNS lookup icons */ @@ -538,7 +545,7 @@ if (file_exists("/var/log/suricata/suricata_{$if_real}{$suricata_uuid}/alerts.lo } else { $sid_dsbl_link = ""; } /* DESCRIPTION */ @@ -560,7 +567,7 @@ if (file_exists("/var/log/suricata/suricata_{$if_real}{$suricata_uuid}/alerts.lo $counter++; } fclose($fd); - @unlink("/tmp/alerts_{$suricata_uuid}"); + @unlink("/tmp/alerts_suricata{$suricata_uuid}"); } } ?> diff --git a/config/suricata/suricata_app_parsers.php b/config/suricata/suricata_app_parsers.php index eddf273d..e8f20226 100644 --- a/config/suricata/suricata_app_parsers.php +++ b/config/suricata/suricata_app_parsers.php @@ -348,15 +348,14 @@ elseif ($_POST['save']) { /**************************************************/ /* If we have a valid rule ID, save configuration */ - /* then update the suricata.conf file and rebuild */ - /* the rules for this interface. */ + /* then update the suricata.conf file for this */ + /* interface. */ /**************************************************/ if (isset($id) && $a_nat[$id]) { $a_nat[$id] = $natent; write_config(); - $rebuild_rules = true; - suricata_generate_yaml($natent); $rebuild_rules = false; + suricata_generate_yaml($natent); } header( 'Expires: Sat, 26 Jul 1997 05:00:00 GMT' ); @@ -385,7 +384,7 @@ include_once("head.inc"); } ?> - +
{$sid} {$supplink}{$sid} {$supplink}{$protocol}{$source}{$destination}{$source}{$destination}{$flowbits}{$message}
@@ -397,7 +396,7 @@ include_once("head.inc"); $tab_array[] = array(gettext("Update Rules"), false, "/suricata/suricata_download_updates.php"); $tab_array[] = array(gettext("Alerts"), false, "/suricata/suricata_alerts.php?instance={$id}"); $tab_array[] = array(gettext("Suppress"), false, "/suricata/suricata_suppress.php"); - $tab_array[] = array(gettext("Logs Browser"), false, "/suricata/suricata_logs_browser.php"); + $tab_array[] = array(gettext("Logs Browser"), false, "/suricata/suricata_logs_browser.php?instance={$id}"); display_top_tabs($tab_array); echo ''; echo ' + height="17" border="0" title=""> $v): ?> @@ -482,7 +481,7 @@ include_once("head.inc"); "all") : ?> "> + title=""> "> diff --git a/config/suricata/suricata_check_cron_misc.inc b/config/suricata/suricata_check_cron_misc.inc index 88dfd5ff..2fdc7832 100644 --- a/config/suricata/suricata_check_cron_misc.inc +++ b/config/suricata/suricata_check_cron_misc.inc @@ -68,7 +68,7 @@ if ($suricatalogdirsizeKB > 0 && $suricatalogdirsizeKB > $suricataloglimitsizeKB /* Clean-up the logs for each configured Suricata instance */ foreach ($config['installedpackages']['suricata']['rule'] as $value) { - $if_real = suricata_get_real_interface($value['interface']); + $if_real = get_real_interface($value['interface']); $suricata_uuid = $value['uuid']; $suricata_log_dir = SURICATALOGDIR . "suricata_{$if_real}{$suricata_uuid}"; log_error(gettext("[Suricata] Truncating logs for {$value['descr']} ({$if_real})...")); diff --git a/config/suricata/suricata_check_for_rule_updates.php b/config/suricata/suricata_check_for_rule_updates.php index 280add7a..3cf6b84b 100644 --- a/config/suricata/suricata_check_for_rule_updates.php +++ b/config/suricata/suricata_check_for_rule_updates.php @@ -434,7 +434,7 @@ if ($emergingthreats == 'on') { // The code below renames ET files with a prefix, so we // skip renaming the Suricata default events rule files // that are also bundled in the ET rules. - $default_rules = array( "decoder-events.rules", "files.rules", "http-events.rules", "smtp-events.rules", "stream-events.rules" ); + $default_rules = array( "decoder-events.rules", "files.rules", "http-events.rules", "smtp-events.rules", "stream-events.rules", "tls-events.rules" ); $files = glob("{$tmpfname}/emerging/rules/*.rules"); // Determine the correct prefix to use based on which // Emerging Threats rules package is enabled. @@ -656,17 +656,38 @@ if ($snortdownload == 'on' || $emergingthreats == 'on' || $snortcommunityrules = $rebuild_rules = false; /* Restart Suricata if already running and we are not rebooting to pick up the new rules. */ - if (is_process_running("suricata") && !$g['booting']) { - if ($pkg_interface <> "console") { - update_status(gettext('Restarting Suricata to activate the new set of rules...')); - update_output_window(gettext("Please wait ... restarting Suricata will take some time...")); + if (is_process_running("suricata") && !$g['booting'] && + !empty($config['installedpackages']['suricata']['rule'])) { + + // See if "Live Reload" is configured and signal each Suricata instance + // if enabled, else just do a hard restart of all the instances. + if ($config['installedpackages']['suricata']['config'][0]['live_swap_updates'] == 'on') { + if ($pkg_interface <> "console") { + update_status(gettext('Signalling Suricata to live-load the new set of rules...')); + update_output_window(gettext("Please wait ... the process should complete in a few seconds...")); + } + log_error(gettext("[Suricata] Live-Reload of rules from auto-update is enabled...")); + error_log(gettext("\tLive-Reload of updated rules is enabled...\n"), 3, $suricata_rules_upd_log); + foreach ($config['installedpackages']['suricata']['rule'] as $value) { + $if_real = get_real_interface($value['interface']); + suricata_reload_config($value); + error_log(gettext("\tLive swap of updated rules requested for " . convert_friendly_interface_to_friendly_descr($value['interface']) . ".\n"), 3, $suricata_rules_upd_log); + } + log_error(gettext("[Suricata] Live-Reload of updated rules completed...")); + error_log(gettext("\tLive-Reload of the updated rules is complete.\n"), 3, $suricata_rules_upd_log); + } + else { + if ($pkg_interface <> "console") { + update_status(gettext('Restarting Suricata to activate the new set of rules...')); + update_output_window(gettext("Please wait ... restarting Suricata will take some time...")); + } + error_log(gettext("\tRestarting Suricata to activate the new set of rules...\n"), 3, $suricata_rules_upd_log); + restart_service("suricata"); + if ($pkg_interface <> "console") + update_output_window(gettext("Suricata has restarted with your new set of rules...")); + log_error(gettext("[Suricata] Suricata has restarted with your new set of rules...")); + error_log(gettext("\tSuricata has restarted with your new set of rules.\n"), 3, $suricata_rules_upd_log); } - error_log(gettext("\tRestarting Suricata to activate the new set of rules...\n"), 3, $suricata_rules_upd_log); - restart_service("suricata"); - if ($pkg_interface <> "console") - update_output_window(gettext("Suricata has restarted with your new set of rules...")); - log_error(gettext("[Suricata] Suricata has restarted with your new set of rules...")); - error_log(gettext("\tSuricata has restarted with your new set of rules.\n"), 3, $suricata_rules_upd_log); } else { if ($pkg_interface <> "console") @@ -676,13 +697,17 @@ if ($snortdownload == 'on' || $emergingthreats == 'on' || $snortcommunityrules = // Remove old $tmpfname files if (is_dir("{$tmpfname}")) { - if ($pkg_interface <> "console") + if ($pkg_interface <> "console") { update_status(gettext("Cleaning up after rules extraction...")); + update_output_window(gettext("Removing {$tmpfname} directory...")); + } exec("/bin/rm -r {$tmpfname}"); } -if ($pkg_interface <> "console") +if ($pkg_interface <> "console") { update_status(gettext("The Rules update has finished...")); + update_output_window(""); +} log_error(gettext("[Suricata] The Rules update has finished.")); error_log(gettext("The Rules update has finished. Time: " . date("Y-m-d H:i:s"). "\n\n"), 3, $suricata_rules_upd_log); conf_mount_ro(); diff --git a/config/suricata/suricata_define_vars.php b/config/suricata/suricata_define_vars.php index b1cbfee9..e130e555 100644 --- a/config/suricata/suricata_define_vars.php +++ b/config/suricata/suricata_define_vars.php @@ -162,7 +162,7 @@ if ($savemsg) $tab_array[] = array(gettext("Update Rules"), false, "/suricata/suricata_download_updates.php"); $tab_array[] = array(gettext("Alerts"), false, "/suricata/suricata_alerts.php?instance={$id}"); $tab_array[] = array(gettext("Suppress"), false, "/suricata/suricata_suppress.php"); - $tab_array[] = array(gettext("Logs Browser"), false, "/suricata/suricata_logs_browser.php"); + $tab_array[] = array(gettext("Logs Browser"), false, "/suricata/suricata_logs_browser.php?instance={$id}"); display_top_tabs($tab_array); echo ''; echo ''; echo ' - + - + - + diff --git a/config/suricata/suricata_interfaces.php b/config/suricata/suricata_interfaces.php index 88b426ba..50ca99c1 100644 --- a/config/suricata/suricata_interfaces.php +++ b/config/suricata/suricata_interfaces.php @@ -36,10 +36,10 @@ $suricatadir = SURICATADIR; $suricatalogdir = SURICATALOGDIR; $rcdir = RCFILEPREFIX; -if ($_POST['id'] && is_numeric($_POST['id'])) +if ($_POST['id']) $id = $_POST['id']; else - $id = ""; + $id = 0; if (!is_array($config['installedpackages']['suricata']['rule'])) $config['installedpackages']['suricata']['rule'] = array(); @@ -47,32 +47,15 @@ $a_nat = &$config['installedpackages']['suricata']['rule']; $id_gen = count($config['installedpackages']['suricata']['rule']); if ($_POST['del_x']) { - /* delete selected rules */ + /* delete selected interfaces */ if (is_array($_POST['rule'])) { conf_mount_rw(); foreach ($_POST['rule'] as $rulei) { - /* convert fake interfaces to real */ $if_real = get_real_interface($a_nat[$rulei]['interface']); $suricata_uuid = $a_nat[$rulei]['uuid']; suricata_stop($a_nat[$rulei], $if_real); exec("/bin/rm -r {$suricatalogdir}suricata_{$if_real}{$suricata_uuid}"); exec("/bin/rm -r {$suricatadir}suricata_{$suricata_uuid}_{$if_real}"); - - // If interface had auto-generated Suppress List, then - // delete that along with the interface - $autolist = "{$a_nat[$rulei]['interface']}" . "suppress"; - if (is_array($config['installedpackages']['suricata']['suppress']) && - is_array($config['installedpackages']['suricata']['suppress']['item'])) { - $a_suppress = &$config['installedpackages']['suricata']['suppress']['item']; - foreach ($a_suppress as $k => $i) { - if ($i['name'] == $autolist) { - unset($config['installedpackages']['suricata']['suppress']['item'][$k]); - break; - } - } - } - - // Finally delete the interface's config entry entirely unset($a_nat[$rulei]); } conf_mount_ro(); @@ -106,12 +89,12 @@ if ($_POST['del_x']) { } /* start/stop Barnyard2 */ -if ($_POST['bartoggle'] && is_numeric($id)) { +if ($_POST['bartoggle']) { $suricatacfg = $config['installedpackages']['suricata']['rule'][$id]; $if_real = get_real_interface($suricatacfg['interface']); $if_friendly = convert_friendly_interface_to_friendly_descr($suricatacfg['interface']); - if (suricata_is_running($suricatacfg['uuid'], $if_real, 'barnyard2') == 'no') { + if (!suricata_is_running($suricatacfg['uuid'], $if_real, 'barnyard2')) { log_error("Toggle (barnyard starting) for {$if_friendly}({$suricatacfg['descr']})..."); sync_suricata_package_config(); suricata_barnyard_start($suricatacfg, $if_real); @@ -126,12 +109,12 @@ if ($_POST['bartoggle'] && is_numeric($id)) { } /* start/stop Suricata */ -if ($_POST['toggle'] && is_numeric($id)) { +if ($_POST['toggle']) { $suricatacfg = $config['installedpackages']['suricata']['rule'][$id]; $if_real = get_real_interface($suricatacfg['interface']); $if_friendly = convert_friendly_interface_to_friendly_descr($suricatacfg['interface']); - if (suricata_is_running($suricatacfg['uuid'], $if_real) == 'yes') { + if (suricata_is_running($suricatacfg['uuid'], $if_real)) { log_error("Toggle (suricata stopping) for {$if_friendly}({$suricatacfg['descr']})..."); suricata_stop($suricatacfg, $if_real); } else { @@ -151,8 +134,9 @@ if ($_POST['toggle'] && is_numeric($id)) { header("Location: /suricata/suricata_interfaces.php"); exit; } - -$pgtitle = "Services: Suricata Intrusion Detection System"; +$suri_bin_ver = SURICATA_VER; +$suri_pkg_ver = SURICATA_PKG_VER; +$pgtitle = "Services: Suricata {$suri_bin_ver} pkg {$suri_pkg_ver} - Intrusion Detection System"; include_once("head.inc"); ?> @@ -203,7 +187,7 @@ include_once("head.inc"); - @@ -240,7 +224,7 @@ include_once("head.inc"); $if_real = get_real_interface($natent['interface']); $natend_friendly= convert_friendly_interface_to_friendly_descr($natent['interface']); $suricata_uuid = $natent['uuid']; - if (suricata_is_running($suricata_uuid, $if_real) == 'no'){ + if (!suricata_is_running($suricata_uuid, $if_real)){ $iconfn = 'block'; $iconfn_msg1 = 'Suricata is not running on '; $iconfn_msg2 = '. Click to start.'; @@ -250,7 +234,7 @@ include_once("head.inc"); $iconfn_msg1 = 'Suricata is running on '; $iconfn_msg2 = '. Click to stop.'; } - if (suricata_is_running($suricata_uuid, $if_real, 'barnyard2') == 'no'){ + if (!suricata_is_running($suricata_uuid, $if_real, 'barnyard2')){ $biconfn = 'block'; $biconfn_msg1 = 'Barnyard2 is not running on '; $biconfn_msg2 = '. Click to start.'; diff --git a/config/suricata/suricata_interfaces_edit.php b/config/suricata/suricata_interfaces_edit.php index 6dbf9412..d7b5a8cb 100644 --- a/config/suricata/suricata_interfaces_edit.php +++ b/config/suricata/suricata_interfaces_edit.php @@ -40,9 +40,9 @@ if (!is_array($config['installedpackages']['suricata']['rule'])) $config['installedpackages']['suricata']['rule'] = array(); $a_rule = &$config['installedpackages']['suricata']['rule']; -if ($_GET['id'] && is_numeric($_GET['id'])); +if ($_GET['id']); $id = htmlspecialchars($_GET['id'], ENT_QUOTES | ENT_HTML401); -if ($_POST['id'] && is_numeric($_POST['id'])) +if ($_POST['id']) $id = $_POST['id']; if (is_null($id)) $id = 0; @@ -130,8 +130,8 @@ if ($_POST["save"]) { if (!$_POST['interface']) $input_errors[] = gettext("Choosing an Interface is mandatory!"); - if ($_POST['max_pending_packets'] < 1 || $_POST['max_pending_packets'] > 65535) - $input_errors[] = gettext("The value for Maximum-Pending-Packets must be between 1 and 65,535!"); + if ($_POST['max_pending_packets'] < 1 || $_POST['max_pending_packets'] > 65000) + $input_errors[] = gettext("The value for Maximum-Pending-Packets must be between 1 and 65,000!"); if (!empty($_POST['max_pcap_log_size']) && !is_numeric($_POST['max_pcap_log_size'])) $input_errors[] = gettext("The value for 'Max Packet Log Size' must be numbers only. Do not include any alphabetic characters."); @@ -146,15 +146,6 @@ if ($_POST["save"]) { $natent['enable'] = $_POST['enable'] ? 'on' : 'off'; $natent['uuid'] = $pconfig['uuid']; - // See if the HOME_NET, EXTERNAL_NET, or SUPPRESS LIST values were changed - $suricata_reload = false; - if ($_POST['homelistname'] && ($_POST['homelistname'] <> $natent['homelistname'])) - $suricata_reload = true; - if ($_POST['externallistname'] && ($_POST['externallistname'] <> $natent['externallistname'])) - $suricata_reload = true; - if ($_POST['suppresslistname'] && ($_POST['suppresslistname'] <> $natent['suppresslistname'])) - $suricata_reload = true; - if ($_POST['descr']) $natent['descr'] = $_POST['descr']; else $natent['descr'] = strtoupper($natent['interface']); if ($_POST['max_pcap_log_size']) $natent['max_pcap_log_size'] = $_POST['max_pcap_log_size']; else unset($natent['max_pcap_log_size']); if ($_POST['max_pcap_log_files']) $natent['max_pcap_log_files'] = $_POST['max_pcap_log_files']; else unset($natent['max_pcap_log_files']); @@ -253,7 +244,7 @@ if ($_POST["save"]) { $natent['libhtp_policy']['item'][] = $default; // Enable the basic default rules for the interface - $natent['rulesets'] = "decoder-events.rules||files.rules||http-events.rules||smtp-events.rules||stream-events.rules"; + $natent['rulesets'] = "decoder-events.rules||files.rules||http-events.rules||smtp-events.rules||stream-events.rules||tls-events.rules"; // Adding a new interface, so set flag to build new rules $rebuild_rules = true; @@ -272,15 +263,6 @@ if ($_POST["save"]) { // Update suricata.conf and suricata.sh files for this interface sync_suricata_package_config(); - /*******************************************************/ - /* Signal Suricata to reload configuration if we changed */ - /* HOME_NET, EXTERNAL_NET or Suppress list values. */ - /* The function only signals a running Suricata instance */ - /* to safely reload these parameters. */ - /*******************************************************/ - if ($suricata_reload == true) - suricata_reload_config($natent, "USR2"); - header( 'Expires: Sat, 26 Jul 1997 05:00:00 GMT' ); header( 'Last-Modified: ' . gmdate( 'D, d M Y H:i:s' ) . ' GMT' ); header( 'Cache-Control: no-store, no-cache, must-revalidate' ); @@ -319,7 +301,7 @@ if ($savemsg) { $tab_array[] = array(gettext("Update Rules"), false, "/suricata/suricata_download_updates.php"); $tab_array[] = array(gettext("Alerts"), false, "/suricata/suricata_alerts.php?instance={$id}"); $tab_array[] = array(gettext("Suppress"), false, "/suricata/suricata_suppress.php"); - $tab_array[] = array(gettext("Logs Browser"), false, "/suricata/suricata_logs_browser.php"); + $tab_array[] = array(gettext("Logs Browser"), false, "/suricata/suricata_logs_browser.php?instance={$id}"); display_top_tabs($tab_array); echo ''; echo ' + gettext("1024") . "."; ?>

" . + gettext("Warning: ") . "" . gettext("Setting this too high can lead to degradation and a possible system crash by exhausting available memory.") ?> @@ -557,7 +541,7 @@ if ($savemsg) {    " . gettext("Default") . "" . gettext(" is ") . "" . gettext("AC") . ""; ?>.

- +
@@ -587,7 +571,7 @@ if ($savemsg) { gettext("3000") . "."; ?>

- + diff --git a/config/suricata/suricata_libhtp_policy_engine.php b/config/suricata/suricata_libhtp_policy_engine.php index 01f6b9e8..1a3c7455 100644 --- a/config/suricata/suricata_libhtp_policy_engine.php +++ b/config/suricata/suricata_libhtp_policy_engine.php @@ -53,9 +53,7 @@ **************************************************************************************/ ?> - - - diff --git a/config/suricata/suricata_os_policy_engine.php b/config/suricata/suricata_os_policy_engine.php index ea539e92..c9360901 100644 --- a/config/suricata/suricata_os_policy_engine.php +++ b/config/suricata/suricata_os_policy_engine.php @@ -49,9 +49,7 @@ **************************************************************************************/ ?> - - -
'; @@ -469,7 +468,7 @@ include_once("head.inc"); "/> ">
'; diff --git a/config/suricata/suricata_flow_stream.php b/config/suricata/suricata_flow_stream.php index 6c081fa8..1a65ddfd 100644 --- a/config/suricata/suricata_flow_stream.php +++ b/config/suricata/suricata_flow_stream.php @@ -299,15 +299,14 @@ elseif ($_POST['save']) { /**************************************************/ /* If we have a valid rule ID, save configuration */ - /* then update the suricata.conf file and rebuild */ - /* the rules for this interface. */ + /* then update the suricata.conf file for this */ + /* interface. */ /**************************************************/ if (isset($id) && $a_nat[$id]) { $a_nat[$id] = $natent; write_config(); - $rebuild_rules = true; - suricata_generate_yaml($natent); $rebuild_rules = false; + suricata_generate_yaml($natent); } header( 'Expires: Sat, 26 Jul 1997 05:00:00 GMT' ); @@ -443,7 +442,7 @@ include_once("head.inc"); $tab_array[] = array(gettext("Update Rules"), false, "/suricata/suricata_download_updates.php"); $tab_array[] = array(gettext("Alerts"), false, "/suricata/suricata_alerts.php?instance={$id}"); $tab_array[] = array(gettext("Suppress"), false, "/suricata/suricata_suppress.php"); - $tab_array[] = array(gettext("Logs Browser"), false, "/suricata/suricata_logs_browser.php"); + $tab_array[] = array(gettext("Logs Browser"), false, "/suricata/suricata_logs_browser.php?instance={$id}"); display_top_tabs($tab_array); echo '
'; diff --git a/config/suricata/suricata_global.php b/config/suricata/suricata_global.php index 3ba84736..99abc49b 100644 --- a/config/suricata/suricata_global.php +++ b/config/suricata/suricata_global.php @@ -45,6 +45,7 @@ $pconfig['suricataloglimit'] = $config['installedpackages']['suricata']['config' $pconfig['suricataloglimitsize'] = $config['installedpackages']['suricata']['config'][0]['suricataloglimitsize']; $pconfig['autoruleupdate'] = $config['installedpackages']['suricata']['config'][0]['autoruleupdate']; $pconfig['autoruleupdatetime'] = $config['installedpackages']['suricata']['config'][0]['autoruleupdatetime']; +$pconfig['live_swap_updates'] = $config['installedpackages']['suricata']['config'][0]['live_swap_updates']; $pconfig['log_to_systemlog'] = $config['installedpackages']['suricata']['config'][0]['log_to_systemlog']; $pconfig['clearlogs'] = $config['installedpackages']['suricata']['config'][0]['clearlogs']; $pconfig['forcekeepsettings'] = $config['installedpackages']['suricata']['config'][0]['forcekeepsettings']; @@ -137,6 +138,7 @@ if (!$input_errors) { } $config['installedpackages']['suricata']['config'][0]['autoruleupdatetime'] = str_pad($_POST['autoruleupdatetime'], 4, "0", STR_PAD_LEFT); $config['installedpackages']['suricata']['config'][0]['log_to_systemlog'] = $_POST['log_to_systemlog'] ? 'on' : 'off'; + $config['installedpackages']['suricata']['config'][0]['live_swap_updates'] = $_POST['live_swap_updates'] ? 'on' : 'off'; $config['installedpackages']['suricata']['config'][0]['clearlogs'] = $_POST['clearlogs'] ? 'on' : 'off'; $config['installedpackages']['suricata']['config'][0]['forcekeepsettings'] = $_POST['forcekeepsettings'] ? 'on' : 'off'; @@ -185,7 +187,7 @@ if ($input_errors) $tab_array[] = array(gettext("Suricata Interfaces"), false, "/suricata/suricata_interfaces.php"); $tab_array[] = array(gettext("Global Settings"), true, "/suricata/suricata_global.php"); $tab_array[] = array(gettext("Update Rules"), false, "/suricata/suricata_download_updates.php"); - $tab_array[] = array(gettext("Alerts"), false, "/suricata/suricata_alerts.php?instance={$instanceid}"); + $tab_array[] = array(gettext("Alerts"), false, "/suricata/suricata_alerts.php"); $tab_array[] = array(gettext("Suppress"), false, "/suricata/suricata_suppress.php"); $tab_array[] = array(gettext("Logs Browser"), false, "/suricata/suricata_logs_browser.php"); display_top_tabs($tab_array); @@ -204,13 +206,13 @@ if ($input_errors) + /> + /> @@ -232,9 +234,8 @@ if ($input_errors) -
>
>

+

@@ -246,7 +247,7 @@ if ($input_errors) + /> @@ -264,9 +265,8 @@ if ($input_errors) -
>
 

+

@@ -277,7 +277,7 @@ if ($input_errors) + /> + " . gettext("Hint: ") . "" . gettext("in most cases, every 12 hours is a good choice."); ?> + + + + @@ -328,12 +335,12 @@ if ($input_errors)
>

" . gettext("Note: ") . "" . @@ -300,19 +300,26 @@ if ($input_errors) > -     " . gettext("NEVER") . "" . gettext(" disables auto-updates."); ?>

- " . gettext("Hint: ") . "
" . gettext("in most cases, every 12 hours is a good choice."); ?>
>   - " . - gettext("Default") . " " . gettext("is ") . "" . gettext("00:03") . ""; ?>.

+ maxlength="5" value="" />   + " . gettext("00:03") . ""; ?>.

/> +  " . gettext("Not Checked") . ""; ?>

+
> + /> ()
> + />

" . gettext("MB:") . "";?>  - +  " . gettext("20%") . "" . gettext(" of available space.");?>
@@ -366,24 +373,21 @@ if ($input_errors)
- > />  +
- > />  +
- > />  +
  +  
'; @@ -521,7 +503,9 @@ if ($savemsg) {   " . - gettext("1024") . "."; ?>

- +
@@ -163,8 +161,6 @@ gettext("Cancel changes and return to App Parsers tab"); ?>">
-
- +
@@ -120,8 +118,6 @@ gettext("Cancel changes and return to Flow/Stream tab"); ?>">
-