From 6c0d365bdb5f4e4fdc2bf57561178573be5a36cc Mon Sep 17 00:00:00 2001 From: bmeeks8 Date: Tue, 26 Aug 2014 21:39:21 -0400 Subject: Upgrade Suricata to 2.0.3 and GUI package to v2.0 --- config/suricata/disablesid-sample.conf | 43 + config/suricata/enablesid-sample.conf | 39 + config/suricata/modifysid-sample.conf | 23 + config/suricata/suricata.inc | 1337 +++++++++++++++++++- config/suricata/suricata.priv.inc | 1 + config/suricata/suricata.xml | 133 +- config/suricata/suricata_alerts.php | 445 +++++-- config/suricata/suricata_alerts.widget.php | 72 +- config/suricata/suricata_app_parsers.php | 343 ++++- config/suricata/suricata_barnyard.php | 26 +- config/suricata/suricata_blocked.php | 80 +- config/suricata/suricata_check_cron_misc.inc | 31 +- .../suricata/suricata_check_for_rule_updates.php | 19 +- config/suricata/suricata_define_vars.php | 20 +- config/suricata/suricata_download_rules.php | 2 +- config/suricata/suricata_download_updates.php | 33 +- config/suricata/suricata_flow_stream.php | 59 +- config/suricata/suricata_generate_yaml.php | 171 ++- config/suricata/suricata_global.php | 124 +- config/suricata/suricata_import_aliases.php | 4 +- config/suricata/suricata_interfaces.php | 22 +- config/suricata/suricata_interfaces_edit.php | 404 ++++-- config/suricata/suricata_libhtp_policy_engine.php | 22 +- config/suricata/suricata_logs_browser.php | 63 +- config/suricata/suricata_logs_mgmt.php | 198 ++- config/suricata/suricata_migrate_config.php | 339 +++++ config/suricata/suricata_os_policy_engine.php | 6 +- config/suricata/suricata_passlist.php | 44 +- config/suricata/suricata_passlist_edit.php | 144 ++- config/suricata/suricata_post_install.php | 99 +- config/suricata/suricata_rules.php | 196 ++- config/suricata/suricata_rules_edit.php | 4 + config/suricata/suricata_rules_flowbits.php | 5 +- config/suricata/suricata_rulesets.php | 267 ++-- config/suricata/suricata_select_alias.php | 4 +- config/suricata/suricata_sid_mgmt.php | 597 +++++++++ config/suricata/suricata_suppress.php | 16 +- config/suricata/suricata_suppress_edit.php | 10 +- config/suricata/suricata_sync.xml | 216 ++++ config/suricata/suricata_uninstall.php | 18 +- config/suricata/suricata_yaml_template.inc | 78 +- 41 files changed, 5004 insertions(+), 753 deletions(-) create mode 100644 config/suricata/disablesid-sample.conf create mode 100644 config/suricata/enablesid-sample.conf create mode 100644 config/suricata/modifysid-sample.conf create mode 100644 config/suricata/suricata_migrate_config.php create mode 100644 config/suricata/suricata_sid_mgmt.php create mode 100644 config/suricata/suricata_sync.xml (limited to 'config') diff --git a/config/suricata/disablesid-sample.conf b/config/suricata/disablesid-sample.conf new file mode 100644 index 00000000..026f4d94 --- /dev/null +++ b/config/suricata/disablesid-sample.conf @@ -0,0 +1,43 @@ +# example disablesid.conf + +# Example of modifying state for individual rules +# 1:1034,1:9837,1:1270,1:3390,1:710,1:1249,3:13010 + +# Example of modifying state for rule ranges +# 1:220-1:3264,3:13010-3:13013 + +# Comments are allowed in this file, and can also be on the same line +# As the modify state syntax, as long as it is a trailing comment +# 1:1011 # I Disabled this rule because I could! + +# Example of modifying state for MS and cve rules, note the use of the : +# in cve. This will modify MS09-008, cve 2009-0233, bugtraq 21301, +# and all MS00 and all cve 2000 related sids! These support regular expression +# matching only after you have specified what you are looking for, i.e. +# MS00- or cve:, the first section CANNOT contain a regular +# expression (MS\d{2}-\d+) will NOT work, use the pcre: keyword (below) +# for this. +# MS09-008,cve:2009-0233,bugtraq:21301,MS00-\d+,cve:2000-\d+ + +# Example of using the pcre: keyword to modify rulestate. the pcre keyword +# allows for full use of regular expression syntax, you do not need to designate +# with / and all pcre searches are treated as case insensitive. For more information +# about regular expression syntax: http://www.regular-expressions.info/ +# The following example modifies state for all MS07 through MS10 +# pcre:MS(0[7-9]|10)-\d+ +# pcre:"Joomla" + +# Example of modifying state for specific categories entirely. +# "snort_" limits to Snort VRT rules, "emerging-" limits to +# Emerging Threats Open rules, "etpro-" limits to ET-PRO rules. +# "shellcode" with no prefix would match in any vendor set. +# snort_web-iis,emerging-shellcode,etpro-imap,shellcode + +# Any of the above values can be on a single line or multiple lines, when +# on a single line they simply need to be separated by a , +# 1:9837,1:220-1:3264,3:13010-3:13013,pcre:MS(0[0-7])-\d+,MS09-008,cve:2009-0233 + +# The modifications in this file are for sample/example purposes only and +# should not actively be used, you need to modify this file to fit your +# environment. + diff --git a/config/suricata/enablesid-sample.conf b/config/suricata/enablesid-sample.conf new file mode 100644 index 00000000..4cccc5dd --- /dev/null +++ b/config/suricata/enablesid-sample.conf @@ -0,0 +1,39 @@ +# example enablesid.conf + +# Example of modifying state for individual rules +# 1:1034,1:9837,1:1270,1:3390,1:710,1:1249,3:13010 + +# Example of modifying state for rule ranges +# 1:220-1:3264,3:13010-3:13013 + +# Comments are allowed in this file, and can also be on the same line +# As the modify state syntax, as long as it is a trailing comment +# 1:1011 # I Disabled this rule because I could! + +# Example of modifying state for MS and cve rules, note the use of the : +# in cve. This will modify MS09-008, cve 2009-0233, bugtraq 21301, +# and all MS00 and all cve 2000 related sids! These support regular expression +# matching only after you have specified what you are looking for, i.e. +# MS00- or cve:, the first section CANNOT contain a regular +# expression (MS\d{2}-\d+) will NOT work, use the pcre: keyword (below) +# for this. +# MS09-008,cve:2009-0233,bugtraq:21301,MS00-\d+,cve:2000-\d+ + +# Example of using the pcre: keyword to modify rulestate. the pcre keyword +# allows for full use of regular expression syntax, you do not need to designate +# with / and all pcre searches are treated as case insensitive. For more information +# about regular expression syntax: http://www.regular-expressions.info/ +# The following example modifies state for all MS07 through MS10 +# pcre:MS(0[7-9]|10)-\d+ +# pcre:"Joomla" + +# Example of modifying state for specific categories entirely. +# "snort_" limits to Snort VRT rules, "emerging-" limits to +# Emerging Threats Open rules, "etpro-" limits to ET-PRO rules. +# "shellcode" with no prefix would match in any vendor set. +# snort_web-iis,emerging-shellcode,etpro-imap,shellcode + +# Any of the above values can be on a single line or multiple lines, when +# on a single line they simply need to be separated by a , +# 1:9837,1:220-1:3264,3:13010-3:13013,pcre:MS(0[0-7])-\d+,MS09-008,cve:2009-0233 + diff --git a/config/suricata/modifysid-sample.conf b/config/suricata/modifysid-sample.conf new file mode 100644 index 00000000..d59f84ba --- /dev/null +++ b/config/suricata/modifysid-sample.conf @@ -0,0 +1,23 @@ +# example modifysid.conf +# +# formatting is simple +# "what I'm replacing" "what I'm replacing it with" +# +# Note that this will only work with GID:1 rules, simply because modifying +# GID:3 SO stub rules would not actually affect the rule. +# +# If you are attempting to change rulestate (enable,disable) from here +# then you are doing it wrong. Do this from within the respective +# rulestate modification configuration files. + +# the following applies to sid 10010 only and represents what would normally +# be s/to_client/from_server/ +# 10010 "to_client" "from_server" + +# the following would replace HTTP_PORTS with HTTPS_PORTS for ALL GID:1 +# rules +# "HTTP_PORTS" "HTTPS_PORTS" + +# multiple sids can be specified as noted below: +# 302,429,1821 "\$EXTERNAL_NET" "\$HOME_NET" + diff --git a/config/suricata/suricata.inc b/config/suricata/suricata.inc index 89bb572f..2626f70a 100644 --- a/config/suricata/suricata.inc +++ b/config/suricata/suricata.inc @@ -47,6 +47,9 @@ require_once("filter.inc"); global $g, $config; +// Suricata GUI needs some extra PHP memory space to manipulate large rules arrays +ini_set("memory_limit", "256M"); + if (!is_array($config['installedpackages']['suricata'])) $config['installedpackages']['suricata'] = array(); @@ -70,11 +73,12 @@ define('SURICATALOGDIR', '/var/log/suricata/'); define('RULES_UPD_LOGFILE', SURICATALOGDIR . 'suricata_rules_update.log'); define('ENFORCING_RULES_FILENAME', 'suricata.rules'); define('FLOWBITS_FILENAME', 'flowbit-required.rules'); +define('SID_MODS_PATH', '/var/db/suricata/sidmods/'); +define('IPREP_PATH', '/var/db/suricata/iprep/'); // Rule set download filenames and prefixes define('ET_DNLD_FILENAME', 'emerging.rules.tar.gz'); define('ETPRO_DNLD_FILENAME', 'etpro.rules.tar.gz'); -define('VRT_DNLD_FILENAME', 'snortrules-snapshot-edge.tar.gz'); define('GPLV2_DNLD_FILENAME', 'community-rules.tar.gz'); define('VRT_FILE_PREFIX', 'snort_'); define('GPL_FILE_PREFIX', 'GPLv2_'); @@ -183,7 +187,6 @@ function suricata_reload_config($suricatacfg, $signal="USR2") { /******************************************************/ if (isvalidpid("{$g['varrun_path']}/suricata_{$if_real}{$suricata_uuid}.pid")) { log_error("[Suricata] Suricata LIVE RULE RELOAD initiated for {$suricatacfg['descr']} ({$if_real})..."); -// sigkillbypid("{$g['varrun_path']}/suricata_{$if_real}{$suricata_uuid}.pid", $signal); mwexec_bg("/bin/pkill -{$signal} -F {$g['varrun_path']}/suricata_{$if_real}{$suricata_uuid}.pid"); } } @@ -212,7 +215,6 @@ function suricata_barnyard_reload_config($suricatacfg, $signal="HUP") { /******************************************************/ if (isvalidpid("{$g['varrun_path']}/barnyard2_{$if_real}{$suricata_uuid}.pid")) { log_error("[Suricata] Barnyard2 CONFIG RELOAD initiated for {$suricatacfg['descr']} ({$if_real})..."); -// sigkillbypid("{$g['varrun_path']}/barnyard2_{$if_real}{$suricata_uuid}.pid", $signal); mwexec_bg("/bin/pkill -{$signal} -F {$g['varrun_path']}/barnyard2_{$if_real}{$suricata_uuid}.pid"); } } @@ -284,17 +286,19 @@ function suricata_build_list($suricatacfg, $listname = "", $passlist = false) { // Always add loopback to HOME_NET and passlist (ftphelper) if (!in_array("127.0.0.1", $home_net)) $home_net[] = "127.0.0.1"; + if (!in_array("::1", $home_net)) + $home_net[] = "::1"; /********************************************************************/ /* Always put the interface running Suricata in HOME_NET and */ - /* whitelist unless it's the WAN. WAN options are handled further */ + /* pass list unless it's the WAN. WAN options are handled further */ /* down. If the user specifically chose not to include LOCAL_NETS */ /* in the PASS LIST, then do not include the Suricata interface */ /* subnet in the PASS LIST. We do include the actual LAN interface */ /* IP for Suricata, though, to prevent locking out the firewall. */ /********************************************************************/ $suricataip = get_interface_ip($suricatacfg['interface']); - if (!$whitelist || $localnet == 'yes' || empty($localnet)) { + if (!$passlist || $localnet == 'yes' || empty($localnet)) { if (is_ipaddr($suricataip)) { if ($suricatacfg['interface'] <> "wan") { $sn = get_interface_subnet($suricatacfg['interface']); @@ -312,7 +316,10 @@ function suricata_build_list($suricatacfg, $listname = "", $passlist = false) { } $suricataip = get_interface_ipv6($suricatacfg['interface']); - if (!$whitelist || $localnet == 'yes' || empty($localnet)) { + // Trim off the interface designation (e.g., %em1) if present + if (strpos($suricataip, "%") !== FALSE) + $suricataip = substr($suricataip, 0, strpos($suricataip, "%")); + if (!$passlist || $localnet == 'yes' || empty($localnet)) { if (is_ipaddrv6($suricataip)) { if ($suricatacfg['interface'] <> "wan") { $sn = get_interface_subnetv6($suricatacfg['interface']); @@ -329,7 +336,17 @@ function suricata_build_list($suricatacfg, $listname = "", $passlist = false) { } } - if (!$whitelist || $localnet == 'yes' || empty($localnet)) { + // Add link-local address + $suricataip = get_interface_linklocal($suricatacfg['interface']); + if (!empty($suricataip)) { + // Trim off the interface designation (e.g., %em1) if present + if (strpos($suricataip, "%") !== FALSE) + $suricataip = substr($suricataip, 0, strpos($suricataip, "%")); + if (!in_array($suricataip, $home_net)) + $home_net[] = $suricataip; + } + + if (!$passlist || $localnet == 'yes' || empty($localnet)) { /*************************************************************************/ /* Iterate through the interface list and write out pass list items and */ /* also compile a HOME_NET list of all local interfaces for suricata. */ @@ -347,15 +364,27 @@ function suricata_build_list($suricatacfg, $listname = "", $passlist = false) { if (!in_array($ip, $home_net)) $home_net[] = $ip; } - if ($int == "wan") - continue; + $subnet = get_interface_ipv6($int); + // Trim off the interface designation (e.g., %em1) if present + if (strpos($subnet, "%") !== FALSE) + $subnet = substr($subnet, 0, strpos($subnet, "%")); if (is_ipaddrv6($subnet)) { $sn = get_interface_subnetv6($int); $ip = gen_subnetv6($subnet, $sn). "/{$sn}"; if (!in_array($ip, $home_net)) $home_net[] = $ip; } + + // Add link-local address + $suricataip = get_interface_linklocal($int); + if (!empty($suricataip)) { + // Trim off the interface designation (e.g., %em1) if present + if (strpos($suricataip, "%") !== FALSE) + $suricataip = substr($suricataip, 0, strpos($suricataip, "%")); + if (!in_array($suricataip, $home_net)) + $home_net[] = $suricataip; + } } } @@ -366,10 +395,22 @@ function suricata_build_list($suricatacfg, $listname = "", $passlist = false) { $home_net[] = $ip; } $ip = get_interface_ipv6("wan"); + // Trim off the interface designation (e.g., %em1) if present + if (strpos($ip, "%") !== FALSE) + $ip = substr($ip, 0, strpos($ip, "%")); if (is_ipaddrv6($ip)) { if (!in_array($ip, $home_net)) $home_net[] = $ip; } + // Explicitly grab the WAN Link-Local address + $ip = get_interface_linklocal("wan"); + if (!empty($ip)) { + // Trim off the interface designation (e.g., %em1) if present + if (strpos($ip, "%") !== FALSE) + $ip = substr($ip, 0, strpos($ip, "%")); + if (!in_array($ip, $home_net)) + $home_net[] = $ip; + } } if ($wangw == 'yes') { @@ -385,12 +426,15 @@ function suricata_build_list($suricatacfg, $listname = "", $passlist = false) { if (is_ipaddr($gw) && !in_array($gw, $home_net)) $home_net[] = $gw; $gw = get_interface_gateway_v6($suricatacfg['interface']); + // Trim off the interface designation (e.g., %em1) if present + if (strpos($gw, "%") !== FALSE) + $gw = substr($gw, 0, strpos($gw, "%")); if (is_ipaddrv6($gw) && !in_array($gw, $home_net)) $home_net[] = $gw; } if ($wandns == 'yes') { - // Add DNS server for WAN interface to whitelist + // Add DNS server for WAN interface to Pass List $dns_servers = get_dns_servers(); foreach ($dns_servers as $dns) { if ($dns && !in_array($dns, $home_net)) @@ -443,7 +487,14 @@ function suricata_build_list($suricatacfg, $listname = "", $passlist = false) { function suricata_rules_up_install_cron($should_install=true) { global $config, $g; - $command = "/usr/bin/nice -n20 /usr/local/bin/php -f /usr/local/www/suricata/suricata_check_for_rule_updates.php"; + // Remove any existing job first + install_cron_job("suricata_check_for_rule_updates.php", false); + + // If called with FALSE as argument, then we're done + if ($should_install == FALSE) + return; + + $command = "/usr/bin/nice -n20 /usr/local/bin/php -f /usr/local/pkg/suricata/suricata_check_for_rule_updates.php"; // Get auto-rule update parameter from configuration $suricata_rules_up_info_ck = $config['installedpackages']['suricata']['config'][0]['autoruleupdate']; @@ -606,12 +657,12 @@ function suricata_rm_blocked_install_cron($should_install) { } // First, remove any existing cron task for "rm_blocked" hosts - install_cron_job("pfctl -t {$suri_pf_table} -T expire" , false); + install_cron_job("{$suri_pf_table}", false); // Now add or update the cron task for "rm_blocked" hosts // if enabled. if ($should_install) { - $command = "/usr/bin/nice -n20 /sbin/pfctl -t {$suri_pf_table} -T expire {$suricata_rm_blocked_expire}"; + $command = "/usr/bin/nice -n20 /sbin/pfctl -q -t {$suri_pf_table} -T expire {$suricata_rm_blocked_expire}"; install_cron_job($command, $should_install, $suricata_rm_blocked_min, $suricata_rm_blocked_hr, $suricata_rm_blocked_mday, $suricata_rm_blocked_month, $suricata_rm_blocked_wday, "root"); } } @@ -626,7 +677,7 @@ function sync_suricata_package_config() { // Do not start config build if there are no Suricata-configured interfaces if (!is_array($config['installedpackages']['suricata']) || !is_array($config['installedpackages']['suricata']['rule'])) { - @unlink("{$rcdir}/suricata.sh"); + @unlink("{$rcdir}suricata.sh"); conf_mount_ro(); return; } @@ -646,7 +697,6 @@ function sync_suricata_package_config() { // create suricata bootup file suricata.sh suricata_create_rc(); - $suricataglob = $config['installedpackages']['suricata']['config'][0]; // setup the log directory size check job if enabled suricata_loglimit_install_cron(true); // setup the suricata rules update job if enabled @@ -654,12 +704,11 @@ function sync_suricata_package_config() { // set the suricata blocked hosts time suricata_rm_blocked_install_cron($config['installedpackages']['suricata']['config'][0]['rm_blocked'] != "never_b" ? true : false); - write_config(); configure_cron(); // Do not attempt package sync if reinstalling package or booting -// if (!$g['suricata_postinstall'] && !$g['booting']) -// suricata_sync_on_changes(); + if (!isset($g['suricata_postinstall']) && !$g['booting']) + suricata_sync_on_changes(); conf_mount_ro(); } @@ -1052,11 +1101,11 @@ function suricata_load_rules_map($rules_path) { if (empty($rules_path)) return $map_ref; - /*************************************************************** + /************************************************************************************ * Read all the rules into the map array. * The structure of the map array is: * - * map[gid][sid]['rule']['category']['disabled']['flowbits'] + * map[gid][sid]['rule']['category']['action']['disabled']['managed']['flowbits'] * * where: * gid = Generator ID from rule, or 1 if general text @@ -1067,9 +1116,11 @@ function suricata_load_rules_map($rules_path) { * action = alert, drop, reject or pass * disabled = 1 if rule is disabled (commented out), 0 if * rule is enabled + * managed = 1 if rule is auto-managed by SID MGMT process, + * 0 if not auto-managed * flowbits = Array of applicable flowbits if rule contains * flowbits options - ***************************************************************/ + ************************************************************************************/ // First check if we were passed a directory, a single file // or an array of filenames to read. Set our $rule_files @@ -1542,6 +1593,854 @@ function suricata_load_vrt_policy($policy, $all_rules=null) { return $vrt_policy_rules; } +function suricata_parse_sidconf_file($sidconf_file) { + + /**********************************************/ + /* This function loads and processes the file */ + /* specified by '$sidconf_file'. The file is */ + /* assumed to contain valid instructions for */ + /* matching rule SIDs as supported by the */ + /* Oinkmaster and PulledPork utilities. */ + /* */ + /* $sidconf_file ==> full path and name of */ + /* file to process */ + /* */ + /* Returns ==> an array containing */ + /* SID modifier tokens */ + /**********************************************/ + + $buf = ""; + $sid_mods = array(); + + $fd = fopen("{$sidconf_file}", "r"); + if ($fd == FALSE) { + log_error("[Suricata] Failed to open SID MGMT file '{$sidconf_file}' for processing."); + return $sid_mods; + } + + // Read and parse the conf file line-by-line + while (($buf = fgets($fd)) !== FALSE) { + $line = array(); + + // Skip any lines that may be just spaces. + if (trim($buf, " \r\n") == "") + continue; + + // Skip line with leading "#" since it's a comment + if (preg_match('/^\s*#/', $buf)) + continue; + + // Trim off any trailing comment + $line = explode("#", $buf); + + // Trim leading and trailing spaces plus newline and any carriage returns + $buf = trim($line[0], ' \r\n'); + + // Now split the SID mod arguments at the commas, if more than one + // per line, and add to our $sid_mods array. + $line = explode(",", $buf); + foreach ($line as $ent) + $sid_mods[] = trim($ent); + } + + // Close the file, release unneeded memory and return + // the array of SID mod tokens parsed from the file. + fclose($fd); + unset($line, $buf); + return $sid_mods; +} + +function suricata_sid_mgmt_auto_categories($suricatacfg, $log_results = FALSE) { + + /****************************************************/ + /* This function parses any auto-SID conf files */ + /* configured for the interface and returns an */ + /* array of rule categories adjusted from the */ + /* ['enabled_rulesets'] element in the config for */ + /* the interface in accordance with the contents */ + /* of the SID Mgmt conf files. */ + /* */ + /* The returned array shows which files should be */ + /* removed and which should be added to the list */ + /* used when building the enforcing ruleset. */ + /* */ + /* $suricatacfg ==> pointer to interface */ + /* configuration info */ + /* $log_results ==> [optional] log results to */ + /* 'sid_changes.log' in the */ + /* interface directory in */ + /* /var/log/suricata when TRUE */ + /* */ + /* Returns ==> array of category file names */ + /* for the interface. The keys */ + /* are category file names and */ + /* the corresponding values show */ + /* if the file should be added */ + /* or removed from the enabled */ + /* rulesets list. */ + /* */ + /* Example - */ + /* $changes[file] = 'enabled' */ + /* */ + /****************************************************/ + + global $config; + $suricata_sidmods_dir = SID_MODS_PATH; + $sid_mods = array(); + $enables = array(); + $disables = array(); + + // Check if auto-mgmt of SIDs is enabled, exit if not + if ($config['installedpackages']['suricata']['config'][0]['auto_manage_sids'] != 'on') + return array(); + if (empty($suricatacfg['disable_sid_file']) && empty($suricatacfg['enable_sid_file'])) + return array(); + + // Configure the interface's logging subdirectory if log results is enabled + if ($log_results == TRUE) + $log_file = SURICATALOGDIR . $suricatalogdir . "suricata_" . get_real_interface($suricatacfg['interface']) . "{$suricatacfg['uuid']}/sid_changes.log"; + else + $log_file = NULL; + + // Get the list of currently enabled categories for the interface + if (!empty($suricatacfg['rulesets'])) + $enabled_cats = explode("||", $suricatacfg['rulesets']); + + if ($log_results == TRUE) { + error_log(gettext("********************************************************\n"), 3, $log_file); + error_log(gettext("Starting auto RULE CATEGORY management for " . convert_friendly_interface_to_friendly_descr($suricatacfg['interface']) ."\n"), 3, $log_file); + error_log(gettext("Start Time: " . date("Y-m-d H:i:s") . "\n"), 3, $log_file); + } + + switch ($suricatacfg['sid_state_order']) { + case "disable_enable": + if (!empty($suricatacfg['disable_sid_file'])) { + if ($log_results == TRUE) + error_log(gettext("Processing disable_sid file: {$suricatacfg['disable_sid_file']}\n"), 3, $log_file); + + // Attempt to open the 'disable_sid_file' for the interface + if (!file_exists("{$suricata_sidmods_dir}{$suricatacfg['disable_sid_file']}")) { + log_error(gettext("[Suricata] Error - unable to open 'disable_sid_file' \"{$suricatacfg['disable_sid_file']}\" specified for " . convert_friendly_interface_to_friendly_descr($suricatacfg['interface']))); + if ($log_results == TRUE) + error_log(gettext("Unable to open disable_sid file \"{$suricatacfg['disable_sid_file']}\".\n"), 3, $log_file); + } + else + $sid_mods = suricata_parse_sidconf_file("{$suricata_sidmods_dir}{$suricatacfg['disable_sid_file']}"); + + if (!empty($sid_mods)) + $disables = suricata_get_auto_category_mods($enabled_cats, $sid_mods, "disable", $log_results, $log_file); + elseif ($log_results == TRUE && !empty($log_file)) { + error_log(gettext("WARNING: no valid SID match tokens found in file \"{$suricatacfg['disable_sid_file']}\".\n"), 3, $log_file); + } + } + if (!empty($suricatacfg['enable_sid_file'])) { + if ($log_results == TRUE) + error_log(gettext("Processing enable_sid file: {$suricatacfg['enable_sid_file']}\n"), 3, $log_file); + + // Attempt to open the 'enable_sid_file' for the interface + if (!file_exists("{$suricata_sidmods_dir}{$suricatacfg['enable_sid_file']}")) { + log_error(gettext("[Suricata] Error - unable to open 'enable_sid_file' \"{$suricatacfg['enable_sid_file']}\" specified for " . convert_friendly_interface_to_friendly_descr($suricatacfg['interface']))); + if ($log_results == TRUE) + error_log(gettext("Unable to open enable_sid file \"{$suricatacfg['enable_sid_file']}\".\n"), 3, $log_file); + } + else + $sid_mods = suricata_parse_sidconf_file("{$suricata_sidmods_dir}{$suricatacfg['enable_sid_file']}"); + + if (!empty($sid_mods)) + $enables = suricata_get_auto_category_mods($enabled_cats, $sid_mods, "enable", $log_results, $log_file); + elseif ($log_results == TRUE && !empty($log_file)) { + error_log(gettext("WARNING: no valid SID match tokens found in file \"{$suricatacfg['enable_sid_file']}\".\n"), 3, $log_file); + } + } + break; + + case "enable_disable": + if (!empty($suricatacfg['enable_sid_file'])) { + if ($log_results == TRUE) + error_log(gettext("Processing enable_sid file: {$suricatacfg['enable_sid_file']}\n"), 3, $log_file); + + // Attempt to open the 'enable_sid_file' for the interface + if (!file_exists("{$suricata_sidmods_dir}{$suricatacfg['enable_sid_file']}")) { + log_error(gettext("[Suricata] Error - unable to open 'enable_sid_file' \"{$suricatacfg['enable_sid_file']}\" specified for " . convert_friendly_interface_to_friendly_descr($suricatacfg['interface']))); + if ($log_results == TRUE) + error_log(gettext("Unable to open enable_sid file \"{$suricatacfg['enable_sid_file']}\".\n"), 3, $log_file); + } + else + $sid_mods = suricata_parse_sidconf_file("{$suricata_sidmods_dir}{$suricatacfg['enable_sid_file']}"); + + if (!empty($sid_mods)) + $enables = suricata_get_auto_category_mods($enabled_cats, $sid_mods, "enable", $log_results, $log_file); + elseif ($log_results == TRUE && !empty($log_file)) { + error_log(gettext("WARNING: no valid SID match tokens found in file \"{$suricatacfg['enable_sid_file']}\".\n"), 3, $log_file); + } + } + if (!empty($suricatacfg['disable_sid_file'])) { + if ($log_results == TRUE) + error_log(gettext("Processing disable_sid file: {$suricatacfg['disable_sid_file']}\n"), 3, $log_file); + + // Attempt to open the 'disable_sid_file' for the interface + if (!file_exists("{$suricata_sidmods_dir}{$suricatacfg['disable_sid_file']}")) { + log_error(gettext("[Suricata] Error - unable to open 'disable_sid_file' \"{$suricatacfg['disable_sid_file']}\" specified for " . convert_friendly_interface_to_friendly_descr($suricatacfg['interface']))); + if ($log_results == TRUE) + error_log(gettext("Unable to open disable_sid file \"{$suricatacfg['disable_sid_file']}\".\n"), 3, $log_file); + } + else + $sid_mods = suricata_parse_sidconf_file("{$suricata_sidmods_dir}{$suricatacfg['disable_sid_file']}"); + + if (!empty($sid_mods)) + $disables = suricata_get_auto_category_mods($enabled_cats, $sid_mods, "disable", $log_results, $log_file); + elseif ($log_results == TRUE && !empty($log_file)) { + error_log(gettext("WARNING: no valid SID match tokens found in file \"{$suricatacfg['disable_sid_file']}\".\n"), 3, $log_file); + } + } + break; + + default: + log_error(gettext("[Suricata] Unrecognized 'sid_state_order' value. Skipping auto CATEGORY mgmt step for " . convert_friendly_interface_to_friendly_descr($suricatacfg['interface']))); + if ($log_results == TRUE) { + error_log(gettext("ERROR: unrecognized 'sid_state_order' value. Skipping auto CATEGORY mgmt step for ") . convert_friendly_interface_to_friendly_descr($suricatacfg['interface']). ".\n", 3, $log_file); + } + } + + if ($log_results == TRUE) { + error_log(gettext("End Time: " . date("Y-m-d H:i:s") . "\n"), 3, $log_file); + error_log(gettext("********************************************************\n\n"), 3, $log_file); + } + + // Return the required rule category modifications as an array; + return array_merge($enables, $disables); +} + +function suricata_get_auto_category_mods($categories, $sid_mods, $action, $log_results = FALSE, $log_file = NULL) { + + /****************************************************/ + /* This function parses the provided SID mod tokens */ + /* in $sid_mods and returns an array of category */ + /* files that must be added ('enabled') or removed */ + /* ('disabled') from the provided $categories list */ + /* of enabled rule categories as determined by the */ + /* content of the SID Mgmt tokens in $sid_mods. */ + /* */ + /* The returned array shows which files should be */ + /* removed and which should be added to the list */ + /* used when building the enforcing ruleset. */ + /* */ + /* $categories ==> array of currently enabled */ + /* ruleset categories */ + /* $sid_mods ==> array of SID modification */ + /* tokens */ + /* $action ==> modification action for */ + /* matching category targets: */ + /* 'enable' or 'disable' */ + /* $log_results ==> [optional] 'yes' to log */ + /* results to $log_file */ + /* $log_file ==> full path and filename of log */ + /* file to write to */ + /* */ + /* Returns ==> array of category file names */ + /* for the interface. The keys */ + /* are category file names and */ + /* the corresponding values show */ + /* if the file should be added */ + /* or removed from the enabled */ + /* rulesets list. */ + /* */ + /* Example - */ + /* $changes[file] = 'enabled' */ + /* */ + /****************************************************/ + + $suricatadir = SURICATADIR; + $all_cats = array(); + $changes = array(); + $counter = 0; + $matchcount = 0; + + // Get a list of all possible categories by loading all rules files + foreach (array( VRT_FILE_PREFIX, ET_OPEN_FILE_PREFIX, ET_PRO_FILE_PREFIX, GPL_FILE_PREFIX ) as $prefix) { + $files = glob("{$suricatadir}rules/{$prefix}*.rules"); + foreach ($files as $file) + $all_cats[] = basename($file); + } + + // Walk the SID mod tokens and decode looking for rule + // category enable/disable changes. + foreach ($sid_mods as $tok) { + $matches = array(); + // Test the SID token for a GID:SID range and skip if true + if (preg_match('/^(\d+):(\d+)-\1:(\d+)/', $tok)) + continue; + // Test the token for a single GID:SID and skip if true + elseif (preg_match('/^(\d+):(\d+)$/', $tok)) + continue; + // Test the token for the PCRE: keyword and skip if true + elseif (preg_match('/(^pcre\:)(.+)/i', $tok)) + continue; + // Test the token for the MS reference keyword and skip if true + elseif (preg_match('/^MS\d+-.+/i', $tok)) + continue; + // Test the token for other keywords delimited with a colon and skip if true + elseif (preg_match('/^[a-xA-X]+\:.+/', $tok)) + continue; + // Test the SID token for a rule category name. Anything that + // failed to match above is considered a potential category name. + elseif (preg_match('/[a-xA-X]+(-|\w).*/', $tok, $matches)) { + $counter++; + $regex = "/" . preg_quote(trim($matches[0]), '/') . "/i"; + // Search through the $all_cats array for any matches to the regex + $matches = preg_grep($regex, $all_cats); + + // See if any matches are in the $categories array + foreach ($matches as $cat) { + switch ($action) { + case 'enable': + if (!isset($changes[$cat])) { + $changes[$cat] = 'enabled'; + if ($log_results == TRUE && !empty($log_file)) + error_log(gettext(" Enabled rule category: {$cat}\n"), 3, $log_file); + $matchcount++; + } + break; + + case 'disable': + if (!isset($changes[$cat])) { + $changes[$cat] = 'disabled'; + if ($log_results == TRUE && !empty($log_file)) + error_log(gettext(" Disabled rule category: {$cat}\n"), 3, $log_file); + $matchcount++; + } + break; + + default: + break; + } + } + } + else { + if ($log_results == TRUE && !empty($log_file)) + error_log(gettext("WARNING: unrecognized token '{$tok}' encountered while processing an automatic SID MGMT file.\n"), 3, $log_file); + } + } + + if ($log_results == TRUE && !empty($log_file)) { + error_log(gettext(" Parsed {$counter} potential Rule Categories to match from the list of tokens.\n"), 3, $log_file); + error_log(gettext(" " . ucfirst($action) . "d {$matchcount} matching Rule Categories.\n"), 3, $log_file); + } + + // Release memory no longer needed + unset($all_cats, $matches); + + // Return array of rule category file changes + return $changes; +} + +function suricata_modify_sid_state(&$rule_map, $sid_mods, $action, $log_results = FALSE, $log_file = NULL) { + + /**********************************************/ + /* This function walks the provided array of */ + /* SID modification tokens and locates the */ + /* target SID or SIDs in the $rule_map array. */ + /* It then performs the change specified by */ + /* $action on the target SID or SIDs. */ + /* */ + /* $rule_map ==> reference to array of */ + /* current rules */ + /* $sid_mods ==> array of SID modification */ + /* tokens */ + /* $action ==> modification action for */ + /* matching SID targets: */ + /* 'enable' or 'disable' */ + /* $log_results ==> [optional] 'yes' to log */ + /* results to $log_file */ + /* $log_file ==> full path and filename */ + /* of log file to write to */ + /* */ + /* On Return ==> $rule_map array modified */ + /* by changing state for */ + /* matching SIDs. */ + /* */ + /* Returns a two-dimension */ + /* array of matching GID:SID */ + /* pairs. */ + /**********************************************/ + + $sids = array(); + + // If no rules in $rule_map or mods in $sid_mods, + // then nothing to do. + if (empty($rule_map) || empty($sid_mods)) + return $sids; + + // Validate the action keyword as we only accept + // 'enable' and 'disable' as valid. + switch ($action) { + + case "enable": + break; + + case "disable": + break; + + default: + log_error(gettext("[Suricata] Error - unknown action '{$action}' supplied to suricata_modify_sid_state() function...no SIDs modified.")); + return $sids; + } + + // Walk the SID mod tokens and decode each one + foreach ($sid_mods as $tok) { + $matches = array(); + // Test the SID token for a GID:SID range + if (preg_match('/^(\d+):(\d+)-\1:(\d+)/', $tok, $matches)) { + // It was a range, so find all the intervening SIDs + $gid = trim($matches[1]); + $lsid = trim($matches[2]); + $usid = trim($matches[3]); + $sids[$gid][$lsid] = $action; + while ($lsid < $usid) { + $lsid++; + $sids[$gid][$lsid] = $action; + } + } + // Test the SID token for a single GID:SID + elseif (preg_match('/^(\d+):(\d+)$/', $tok, $matches)) { + // It's a single GID:SID, so grab it + $sids[$matches[1]][$matches[2]] = $action; + } + // Test the SID token for the PCRE: keyword + elseif (preg_match('/(^pcre\:)(.+)/i', $tok, $matches)) { + $regex = '/' . preg_quote($matches[2], '/') . '/i'; + + // Now search through the $rule_map in the 'rule' + // element for any matches to the regex and get + // the GID:SID. + foreach ($rule_map as $k1 => $rulem) { + foreach ($rulem as $k2 => $v) { + if (preg_match($regex, $v['rule'])) { + $sids[$k1][$k2] = $action; + } + } + } + } + // Test the SID token for the MS reference keyword + elseif (preg_match('/^MS\d+-.+/i', $tok, $matches)) { + $regex = "/" . preg_quote($matches[0], '/') . "/i"; + + // Now search through the $rule_map in the 'rule' + // element for any matches to the regex and get + // the GID:SID. + foreach ($rule_map as $k1 => $rulem) { + foreach ($rulem as $k2 => $v) { + if (preg_match($regex, $v['rule'])) { + $sids[$k1][$k2] = $action; + } + } + } + } + // Test the SID token for other keywords delimited with a colon + elseif (preg_match('/^[a-xA-X]+\:.+/', $tok, $matches)) { + $regex = "/" . str_replace(':', ",", preg_quote($matches[0], '/')) . "/i"; + + // Now search through the $rule_map in the 'rule' + // element for any matches to the regex and get + // the GID:SID. + foreach ($rule_map as $k1 => $rulem) { + foreach ($rulem as $k2 => $v) { + if (preg_match($regex, $v['rule'])) { + $sids[$k1][$k2] = $action; + } + } + } + } + // Test the SID token for a rule category name. Anything that + // failed to match above is considered a potential category name. + elseif (preg_match('/[a-xA-X]+(-|\w).*/', $tok, $matches)) { + $regex = "/" . preg_quote(trim($matches[0]), '/') . "/i"; + // Now search through the $rule_map in the 'category' + // element for any matches to the regex and get + // the GID:SID. + foreach ($rule_map as $k1 => $rulem) { + foreach ($rulem as $k2 => $v) { + if (preg_match($regex, $v['category'] . ".rules")) { + $sids[$k1][$k2] = $action; + } + } + } + } + else { + if ($log_results == TRUE && !empty($log_file)) + error_log(gettext("WARNING: unrecognized token '{$tok}' encountered while processing an automatic SID MGMT file.\n"), 3, $log_file); + } + } + + // Change state of all the matching GID:SID pairs we found + // above in the $rule_map array passed to us. + $modcount = $changecount = 0; + $counter = count($sids, COUNT_RECURSIVE) - count($sids); + + if ($log_results == TRUE && !empty($log_file)) + error_log(gettext(" Parsed {$counter} potential SIDs to match from the provided list of tokens.\n"), 3, $log_file); + + foreach (array_keys($sids) as $k1) { + foreach (array_keys($sids[$k1]) as $k2) { + if (isset($rule_map[$k1][$k2])) { + if ($action == 'enable' && $rule_map[$k1][$k2]['disabled'] == 1) { + $rule_map[$k1][$k2]['rule'] = ltrim($rule_map[$k1][$k2]['rule'], " \t#"); + $rule_map[$k1][$k2]['disabled'] = 0; + $rule_map[$k1][$k2]['managed'] = 1; + $changecount++; + $modcount++; + } + elseif ($action == 'disable' && $rule_map[$k1][$k2]['disabled'] == 0) { + $rule_map[$k1][$k2]['rule'] = "# " . $rule_map[$k1][$k2]['rule']; + $rule_map[$k1][$k2]['disabled'] = 1; + $rule_map[$k1][$k2]['managed'] = 1; + $changecount++; + $modcount++; + } + } + } + } + + if ($log_results == TRUE && !empty($log_file)) { + error_log(gettext(" Found {$modcount} matching SIDs in the active rules.\n"), 3, $log_file); + error_log(gettext(" Changed state for {$changecount} SIDs to '{$action}d'.\n"), 3, $log_file); + } + + // Return the array of matching SIDs + return $sids; +} + +function suricata_modify_sid_content(&$rule_map, $sid_mods, $log_results = FALSE, $log_file = NULL) { + + /************************************************/ + /* This function walks the provided array of */ + /* SID modification tokens and locates the */ + /* target SID or SIDs in the $rule_map array. */ + /* It then modifies the content of the target */ + /* SID or SIDs. Modifications are only valid */ + /* for normal GID=1 text rules. */ + /* */ + /* $rule_map ==> reference to array of */ + /* current rules */ + /* $sid_mods ==> array of SID modification */ + /* tokens */ + /* $log_results ==> [optional] 'yes' to log */ + /* results to $log_file */ + /* $log_file ==> full path and filename */ + /* of log file to write to */ + /* */ + /* On Return ==> $rule_map array modified */ + /* by changing content for */ + /* matching SIDs. */ + /* */ + /* Returns a two-dimension */ + /* array of matching */ + /* GID:SID pairs. */ + /************************************************/ + + $sids = array(); + $tokencounter = $modcount = $modifiedcount = 0; + + // If no rules in $rule_map or mods in $sid_mods, + // then nothing to do. + if (empty($rule_map) || empty($sid_mods)) + return $sids; + + // Walk the SID mod tokens and decode each one + foreach ($sid_mods as $tok) { + $matches = array(); + if (preg_match('/([\d+|,|\*]*)\s+"(.+)"\s+"(.*)"/', $tok, $matches)) { + $tokencounter++; + $sidlist = explode(",", $matches[1]); + $from = '/' . preg_quote($matches[2], '/') . '/'; + $to = $matches[3]; + $count = 0; + + // Now walk the provided rule map and make the modifications + if ($matches[1] == "*") { + // If wildcard '*' provided for SID, then check them all + foreach ($rule_map[1] as $rulem) { + foreach ($rulem as $k2 => $v) { + $modcount++; + $rule_map[1][$k2]['rule'] = preg_replace($from, $to, $v['rule'], -1, $count); + if ($count > 0) { + $rule_map[1][$k2]['managed'] = 1; + $sids[1][$k2] = 'modify'; + $modifiedcount++; + } + } + } + } + else { + // Otherwise just check the provided SIDs + foreach ($sidlist as $sid) { + if (isset($rule_map[1][$sid])) { + $modcount++; + $rule_map[1][$sid]['rule'] = preg_replace($from, $to, $rule_map[1][$sid]['rule'], -1, $count); + if ($count > 0) { + $rule_map[1][$sid]['managed'] = 1; + $sids[1][$sid] = 'modify'; + $modifiedcount++; + } + } + } + } + } + else { + if ($log_results == TRUE && !empty($log_file)) + error_log(gettext("WARNING: unrecognized token '{$tok}' encountered while processing an automatic SID MGMT file.\n"), 3, $log_file); + } + } + + if ($log_results == TRUE && !empty($log_file)) { + error_log(gettext(" Parsed {$tokencounter} potential SIDs to match from the provided list of tokens.\n"), 3, $log_file); + error_log(gettext(" Found {$modcount} matching SIDs in the active rules.\n"), 3, $log_file); + error_log(gettext(" Modified rule text for {$modifiedcount} SIDs.\n"), 3, $log_file); + } + + // Return the array of matching SIDs + return $sids; +} + +function suricata_process_enablesid(&$rule_map, $suricatacfg, $log_results = FALSE, $log_file = NULL) { + + /**********************************************/ + /* This function loads and processes the file */ + /* specified by 'enable_sid_file' for the */ + /* interface. The file is assumed to be a */ + /* valid enablesid.conf file containing */ + /* instructions for enabling matching rule */ + /* SIDs. */ + /* */ + /* $rule_map ==> reference to array of */ + /* current rules */ + /* $suricatacfg ==> interface config params */ + /* $log_results ==> [optional] 'yes' to log */ + /* results to $log_file */ + /* $log_file ==> full path and filename */ + /* of log file to write to */ + /* */ + /* On Return ==> suitably modified */ + /* $rule_map array */ + /**********************************************/ + + $suricata_sidmods_dir = SID_MODS_PATH; + $suricatalogdir = SURICATALOGDIR; + $sid_mods = array(); + + // If no rules in $rule_map, then nothing to do + if (empty($rule_map)) + return; + + // Attempt to open the 'enable_sid_file' for the interface + if (!file_exists("{$suricata_sidmods_dir}{$suricatacfg['enable_sid_file']}")) { + log_error(gettext("[Suricata] Error - unable to open 'enable_sid_file' \"{$suricatacfg['enable_sid_file']}\" specified for " . convert_friendly_interface_to_friendly_descr($suricatacfg['interface']))); + return; + } + else + $sid_mods = suricata_parse_sidconf_file("{$suricata_sidmods_dir}{$suricatacfg['enable_sid_file']}"); + + if (!empty($sid_mods)) + suricata_modify_sid_state($rule_map, $sid_mods, "enable", $log_results, $log_file); + elseif ($log_results == TRUE && !empty($log_file)) { + error_log(gettext("WARNING: no valid SID match tokens found in file \"{$suricatacfg['enable_sid_file']}\".\n"), 3, $log_file); + } + + unset($sid_mods); +} + +function suricata_process_disablesid(&$rule_map, $suricatacfg, $log_results = FALSE, $log_file = NULL) { + + /**********************************************/ + /* This function loads and processes the file */ + /* specified by 'disable_sid_file' for the */ + /* interface. The file is assumed to be a */ + /* valid disablesid.conf file containing */ + /* instructions for disabling matching rule */ + /* SIDs. */ + /* */ + /* $rule_map ==> reference to array of */ + /* current rules */ + /* $suricatacfg ==> interface config params */ + /* $log_results ==> [optional] 'yes' to log */ + /* results to $log_file */ + /* $log_file ==> full path and filename */ + /* of log file to write to */ + /* */ + /* On Return ==> suitably modified */ + /* $rule_map array */ + /**********************************************/ + + $suricata_sidmods_dir = SID_MODS_PATH; + $suricatalogdir = SURICATALOGDIR; + $sid_mods = array(); + + // If no rules in $rule_map, then nothing to do + if (empty($rule_map)) + return; + + // Attempt to open the 'disable_sid_file' for the interface + if (!file_exists("{$suricata_sidmods_dir}{$suricatacfg['disable_sid_file']}")) { + log_error(gettext("[Suricata] Error - unable to open 'disable_sid_file' \"{$suricatacfg['disable_sid_file']}\" specified for " . convert_friendly_interface_to_friendly_descr($suricatacfg['interface']))); + return; + } + else + $sid_mods = suricata_parse_sidconf_file("{$suricata_sidmods_dir}{$suricatacfg['disable_sid_file']}"); + + if (!empty($sid_mods)) + suricata_modify_sid_state($rule_map, $sid_mods, "disable", $log_results, $log_file); + elseif ($log_results == TRUE && !empty($log_file)) { + error_log(gettext("WARNING: no valid SID match tokens found in file \"{$suricatacfg['disable_sid_file']}\".\n"), 3, $log_file); + } + + unset($sid_mods); +} + +function suricata_process_modifysid(&$rule_map, $suricatacfg, $log_results = FALSE, $log_file = NULL) { + + /**********************************************/ + /* This function loads and processes the file */ + /* specified by 'modify_sid_file' for the */ + /* interface. The file is assumed to be a */ + /* valid modifysid.conf file containing */ + /* instructions for modifying matching rule */ + /* SIDs. */ + /* */ + /* $rule_map ==> reference to array of */ + /* current rules */ + /* $suricatacfg ==> interface config params */ + /* $log_results ==> [optional] 'yes' to log */ + /* results to $log_file */ + /* $log_file ==> full path and filename */ + /* of log file to write to */ + /* */ + /* On Return ==> suitably modified */ + /* $rule_map array */ + /**********************************************/ + + $suricata_sidmods_dir = SID_MODS_PATH; + $suricatalogdir = SURICATALOGDIR; + $sid_mods = array(); + + // If no rules in $rule_map, then nothing to do + if (empty($rule_map)) + return; + + // Attempt to open the 'modify_sid_file' for the interface + if (!file_exists("{$suricata_sidmods_dir}{$suricatacfg['modify_sid_file']}")) { + log_error(gettext("[Suricata] Error - unable to open 'modify_sid_file' \"{$suricatacfg['modify_sid_file']}\" specified for " . convert_friendly_interface_to_friendly_descr($suricatacfg['interface']))); + return; + } + else + $sid_mods = suricata_parse_sidconf_file("{$suricata_sidmods_dir}{$suricatacfg['modify_sid_file']}"); + + if (!empty($sid_mods)) + suricata_modify_sid_content($rule_map, $sid_mods, $log_results, $log_file); + elseif ($log_results == TRUE && !empty($log_file)) { + error_log(gettext("WARNING: no valid SID match tokens found in file \"{$suricatacfg['modify_sid_file']}\".\n"), 3, $log_file); + } + + unset($sid_mods); +} + +function suricata_auto_sid_mgmt(&$rule_map, $suricatacfg, $log_results = FALSE) { + + /**************************************************/ + /* This function modifies the rules in the */ + /* passed rule_map array based on values in the */ + /* files 'enable_sid_file', 'disable_sid_file' */ + /* and 'modify_sid_file' for the interface. */ + /* */ + /* If auto-mgmt of SIDs is enabled via the */ + /* settings on the UPDATE RULES tab, then the */ + /* rules are processed against these settings. */ + /* */ + /* $rule_map ==> array of current rules */ + /* $suricatacfg ==> interface config settings */ + /* $log_results ==> [optional] log results to */ + /* 'sid_changes.log' in the */ + /* interface directory in */ + /* /var/log/suricata when TRUE */ + /* */ + /* Returns ==> TRUE if rules were changed; */ + /* otherwise FALSE */ + /**************************************************/ + + global $config; + $result = FALSE; + + // Configure the interface's logging subdirectory if log results is enabled + if ($log_results == TRUE) + $log_file = SURICATALOGDIR . $suricatalogdir . "suricata_" . get_real_interface($suricatacfg['interface']) . "{$suricatacfg['uuid']}/sid_changes.log"; + else + $log_file = NULL; + + // Check if auto-mgmt of SIDs is enabled and files are specified + // for the interface. + if ($config['installedpackages']['suricata']['config'][0]['auto_manage_sids'] == 'on' && + (!empty($suricatacfg['disable_sid_file']) || !empty($suricatacfg['enable_sid_file']) || + !empty($suricatacfg['modify_sid_file']))) { + if ($log_results == TRUE) { + error_log(gettext("********************************************************\n"), 3, $log_file); + error_log(gettext("Starting auto SID management for " . convert_friendly_interface_to_friendly_descr($suricatacfg['interface']) ."\n"), 3, $log_file); + error_log(gettext("Start Time: " . date("Y-m-d H:i:s") . "\n"), 3, $log_file); + } + + switch ($suricatacfg['sid_state_order']) { + case "disable_enable": + if (!empty($suricatacfg['disable_sid_file'])) { + if ($log_results == TRUE) + error_log(gettext("Processing disable_sid file: {$suricatacfg['disable_sid_file']}\n"), 3, $log_file); + suricata_process_disablesid($rule_map, $suricatacfg, $log_results, $log_file); + } + if (!empty($suricatacfg['enable_sid_file'])) { + if ($log_results == TRUE) + error_log(gettext("Processing enable_sid file: {$suricatacfg['enable_sid_file']}\n"), 3, $log_file); + suricata_process_enablesid($rule_map, $suricatacfg, $log_results, $log_file); + } + if (!empty($suricatacfg['modify_sid_file'])) { + if ($log_results == TRUE) + error_log(gettext("Processing modify_sid file: {$suricatacfg['modify_sid_file']}\n"), 3, $log_file); + suricata_process_modifysid($rule_map, $suricatacfg, $log_results, $log_file); + } + $result = TRUE; + break; + + case "enable_disable": + if (!empty($suricatacfg['enable_sid_file'])) { + if ($log_results == TRUE) + error_log(gettext("Processing enable_sid file: {$suricatacfg['enable_sid_file']}\n"), 3, $log_file); + suricata_process_enablesid($rule_map, $suricatacfg, $log_results, $log_file); + } + if (!empty($suricatacfg['disable_sid_file'])) { + if ($log_results == TRUE) + error_log(gettext("Processing disable_sid file: {$suricatacfg['disable_sid_file']}\n"), 3, $log_file); + suricata_process_disablesid($rule_map, $suricatacfg, $log_results, $log_file); + } + if (!empty($suricatacfg['modify_sid_file'])) { + if ($log_results == TRUE) + error_log(gettext("Processing modify_sid file: {$suricatacfg['modify_sid_file']}\n"), 3, $log_file); + suricata_process_modifysid($rule_map, $suricatacfg, $log_results, $log_file); + } + $result = TRUE; + break; + + default: + log_error(gettext("[Suricata] Unrecognized 'sid_state_order' value. Skipping auto SID mgmt step for " . convert_friendly_interface_to_friendly_descr($suricatacfg['interface']))); + if ($log_results == TRUE) { + error_log(gettext("ERROR: unrecognized 'sid_state_order' value. Skipping auto SID mgmt step for ") . convert_friendly_interface_to_friendly_descr($suricatacfg['interface']). ".\n", 3, $log_file); + } + $result = FALSE; + } + + if ($log_results == TRUE) { + error_log(gettext("End Time: " . date("Y-m-d H:i:s") . "\n"), 3, $log_file); + error_log(gettext("********************************************************\n\n"), 3, $log_file); + } + } + return $result; +} + function suricata_load_sid_mods($sids) { /*****************************************/ @@ -1577,15 +2476,15 @@ function suricata_load_sid_mods($sids) { function suricata_modify_sids(&$rule_map, $suricatacfg) { - /*****************************************/ - /* This function modifies the rules in */ - /* the passed rules_map array based on */ - /* values in the enablesid/disablesid */ - /* configuration parameters. */ - /* */ - /* $rule_map = array of current rules */ - /* $suricatacfg = config settings */ - /*****************************************/ + /***********************************************/ + /* This function modifies the rules in the */ + /* passed rules_map array based on values in */ + /* the enablesid/disablesid configuration */ + /* parameters for the interface. */ + /* */ + /* $rule_map = array of current rules */ + /* $suricatacfg = interface config settings */ + /***********************************************/ if (!isset($suricatacfg['rule_sid_on']) && !isset($suricatacfg['rule_sid_off'])) @@ -1639,11 +2538,15 @@ function suricata_prepare_rule_files($suricatacfg, $suricatacfgdir) { /* to be written. */ /***********************************************************/ - global $rebuild_rules; + global $config, $rebuild_rules; $suricatadir = SURICATADIR; $flowbit_rules_file = FLOWBITS_FILENAME; $suricata_enforcing_rules_file = ENFORCING_RULES_FILENAME; + $enabled_rules = array(); + $enabled_files = array(); + $all_rules = array(); + $cat_mods = array(); $no_rules_defined = true; // If there is no reason to rebuild the rules, exit to save time. @@ -1653,11 +2556,12 @@ function suricata_prepare_rule_files($suricatacfg, $suricatacfgdir) { // Log a message for rules rebuild in progress log_error(gettext("[Suricata] Updating rules configuration for: " . convert_friendly_interface_to_friendly_descr($suricatacfg['interface']) . " ...")); + // Get any automatic rule category enable/disable modifications + // if auto-SID Mgmt is enabled and conf files exist for the interface. + $cat_mods = suricata_sid_mgmt_auto_categories($suricatacfg, TRUE); + // Only rebuild rules if some are selected or an IPS Policy is enabled - if (!empty($suricatacfg['rulesets']) || $suricatacfg['ips_policy_enable'] == 'on') { - $enabled_rules = array(); - $enabled_files = array(); - $all_rules = array(); + if (!empty($suricatacfg['rulesets']) || $suricatacfg['ips_policy_enable'] == 'on' || !empty($cat_mods)) { $no_rules_defined = false; // Load up all the rules into a Rules Map array. @@ -1665,12 +2569,37 @@ function suricata_prepare_rule_files($suricatacfg, $suricatacfgdir) { // Create an array with the filenames of the enabled // rule category files if we have any. - if (!empty($suricatacfg['rulesets'])) { - foreach (explode("||", $suricatacfg['rulesets']) as $file){ - $category = basename($file, ".rules"); - if (!is_array($enabled_files[$category])) - $enabled_files[$category] = array(); - $enabled_files[$category] = $file; + if (!empty($suricatacfg['rulesets']) || !empty($cat_mods)) { + // First get all the user-enabled category files + if (!empty($suricatacfg['rulesets'])) { + foreach (explode("||", $suricatacfg['rulesets']) as $file){ + $category = basename($file, ".rules"); + if (!is_array($enabled_files[$category])) + $enabled_files[$category] = array(); + $enabled_files[$category] = $file; + } + } + + // Now adjust the list using any required changes as + // determined by auto-SID Mgmt policy files. + if (!empty($cat_mods)) { + foreach ($cat_mods as $k => $action) { + $key = basename($k, ".rules"); + switch ($action) { + case 'enabled': + if (!isset($enabled_files[$key])) + $enabled_files[$key] = $k; + break; + + case 'disabled': + if (isset($enabled_files[$key])) + unset($enabled_files[$key]); + break; + + default: + break; + } + } } /****************************************************/ @@ -1694,7 +2623,7 @@ function suricata_prepare_rule_files($suricatacfg, $suricatacfgdir) { } // Release memory we no longer need. - unset($enabled_files, $rulem, $v); + unset($enabled_files, $cat_mods, $rulem, $v); } // Check if a pre-defined Snort VRT policy is selected. If so, @@ -1717,6 +2646,8 @@ function suricata_prepare_rule_files($suricatacfg, $suricatacfgdir) { } // Process any enablesid or disablesid modifications for the selected rules. + // Do the auto-SID managment first, if enabled, then do any manual SID state changes. + suricata_auto_sid_mgmt($enabled_rules, $suricatacfg, TRUE); suricata_modify_sids($enabled_rules, $suricatacfg); // Write the enforcing rules file to the Suricata interface's "rules" directory. @@ -1735,7 +2666,45 @@ function suricata_prepare_rule_files($suricatacfg, $suricatacfgdir) { } else // Just put an empty file to always have the file present suricata_write_flowbit_rules_file(array(), "{$suricatacfgdir}/rules/{$flowbit_rules_file}"); - } else { + unset($all_rules); + } + // If no rule categories were enabled, then use auto-SID management if enabled, since it may enable some rules + elseif ($config['installedpackages']['suricata']['config'][0]['auto_manage_sids'] == 'on' && + (!empty($suricatacfg['disable_sid_file']) || !empty($suricatacfg['enable_sid_file']) || + !empty($suricatacfg['modify_sid_file']))) { + + suricata_auto_sid_mgmt($enabled_rules, $suricatacfg, TRUE); + if (!empty($enabled_rules)) { + // Auto-SID management generated some rules, so use them + $no_rules_defined = false; + suricata_modify_sids($enabled_rules, $suricatacfg); + + // Write the enforcing rules file to the Suricata interface's "rules" directory. + suricata_write_enforcing_rules_file($enabled_rules, "{$suricatacfgdir}/rules/{$suricata_enforcing_rules_file}"); + + // If auto-flowbit resolution is enabled, generate the dependent flowbits rules file. + if ($suricatacfg['autoflowbitrules'] == 'on') { + log_error('[Suricata] Enabling any flowbit-required rules for: ' . convert_friendly_interface_to_friendly_descr($suricatacfg['interface']) . '...'); + + // Load up all rules into a Rules Map array for flowbits assessment + $all_rules = suricata_load_rules_map("{$suricatadir}rules/"); + $fbits = suricata_resolve_flowbits($all_rules, $enabled_rules); + + // Check for and disable any flowbit-required rules the + // user has manually forced to a disabled state. + suricata_modify_sids($fbits, $suricatacfg); + suricata_write_flowbit_rules_file($fbits, "{$suricatacfgdir}/rules/{$flowbit_rules_file}"); + unset($all_rules, $fbits); + } else + // Just put an empty file to always have the file present + suricata_write_flowbit_rules_file(array(), "{$suricatacfgdir}/rules/{$flowbit_rules_file}"); + } + else { + suricata_write_enforcing_rules_file(array(), "{$suricatacfgdir}/rules/{$suricata_enforcing_rules_file}"); + suricata_write_flowbit_rules_file(array(), "{$suricatacfgdir}/rules/{$flowbit_rules_file}"); + } + } + else { suricata_write_enforcing_rules_file(array(), "{$suricatacfgdir}/rules/{$suricata_enforcing_rules_file}"); suricata_write_flowbit_rules_file(array(), "{$suricatacfgdir}/rules/{$flowbit_rules_file}"); } @@ -1753,7 +2722,7 @@ function suricata_prepare_rule_files($suricatacfg, $suricatacfgdir) { // Build a new sid-msg.map file from the enabled // rules and copy it to the interface directory. - log_error(gettext("[Suricata] Building new sig-msg.map file for " . convert_friendly_interface_to_friendly_descr($suricatacfg['interface']) . "...")); + log_error(gettext("[Suricata] Building new sid-msg.map file for " . convert_friendly_interface_to_friendly_descr($suricatacfg['interface']) . "...")); suricata_build_sid_msg_map("{$suricatacfgdir}/rules/", "{$suricatacfgdir}/sid-msg.map"); } @@ -1994,8 +2963,8 @@ esac EOD; // Write out the suricata.sh script file - @file_put_contents("{$rcdir}/suricata.sh", $suricata_sh_text); - @chmod("{$rcdir}/suricata.sh", 0755); + @file_put_contents("{$rcdir}suricata.sh", $suricata_sh_text); + @chmod("{$rcdir}suricata.sh", 0755); unset($suricata_sh_text); } @@ -2056,7 +3025,7 @@ function suricata_generate_barnyard2_conf($suricatacfg, $if_real) { $suricatabarnyardlog_output_plugins .= "# syslog_full: log to a syslog receiver\n"; $suricatabarnyardlog_output_plugins .= "output alert_syslog_full: sensor_name {$suricatabarnyardlog_hostname_info_chk}, "; if ($suricatacfg['barnyard_syslog_local'] == 'on') - $suricatabarnyardlog_output_plugins .= "local, log_facility LOG_AUTH, log_priority LOG_INFO\n\n"; + $suricatabarnyardlog_output_plugins .= "local, log_facility {$suricatacfg['barnyard_syslog_facility']}, log_priority {$suricatacfg['barnyard_syslog_priority']}\n\n"; else { $suricatabarnyardlog_output_plugins .= "server {$suricatacfg['barnyard_syslog_rhost']}, protocol {$suricatacfg['barnyard_syslog_proto']}, "; $suricatabarnyardlog_output_plugins .= "port {$suricatacfg['barnyard_syslog_dport']}, operation_mode {$suricatacfg['barnyard_syslog_opmode']}, "; @@ -2136,25 +3105,289 @@ function suricata_generate_yaml($suricatacfg) { $suricata_uuid = $suricatacfg['uuid']; $suricatacfgdir = "{$suricatadir}suricata_{$suricata_uuid}_{$if_real}"; - conf_mount_rw(); - if (!is_array($config['installedpackages']['suricata']['rule'])) return; // Pull in the PHP code that generates the suricata.yaml file // variables that will be substitued further down below. - include("/usr/local/www/suricata/suricata_generate_yaml.php"); + include("/usr/local/pkg/suricata/suricata_generate_yaml.php"); // Pull in the boilerplate template for the suricata.yaml // configuration file. The contents of the template along - // with substituted variables is stored in $suricata_conf_text + // with substituted variables are stored in $suricata_conf_text // (which is defined in the included file). include("/usr/local/pkg/suricata/suricata_yaml_template.inc"); // Now write out the conf file using $suricata_conf_text contents @file_put_contents("{$suricatacfgdir}/suricata.yaml", $suricata_conf_text); unset($suricata_conf_text); - conf_mount_ro(); +} + +/* Uses XMLRPC to synchronize the changes to a remote node */ +function suricata_sync_on_changes() { + global $config, $g; + + /* Do not attempt a package sync while booting up or installing package */ + if ($g['booting'] || $g['suricata_postinstall'] == TRUE) { + log_error("[suricata] No xmlrpc sync to CARP targets when booting up or during package reinstallation."); + return; + } + + if (is_array($config['installedpackages']['suricatasync']['config'])){ + $suricata_sync=$config['installedpackages']['suricatasync']['config'][0]; + $synconchanges = $suricata_sync['varsynconchanges']; + $synctimeout = $suricata_sync['varsynctimeout']; + $syncdownloadrules = $suricata_sync['vardownloadrules']; + switch ($synconchanges){ + case "manual": + if (is_array($suricata_sync[row])){ + $rs=$suricata_sync[row]; + } + else{ + log_error("[suricata] xmlrpc CARP sync is enabled but there are no hosts configured as replication targets."); + return; + } + break; + case "auto": + if (is_array($config['installedpackages']['carpsettings']) && is_array($config['installedpackages']['carpsettings']['config'])){ + $system_carp=$config['installedpackages']['carpsettings']['config'][0]; + $rs[0]['varsyncipaddress']=$system_carp['synchronizetoip']; + $rs[0]['varsyncusername']=$system_carp['username']; + $rs[0]['varsyncpassword']=$system_carp['password']; + $rs[0]['varsyncsuricatastart']="no"; + if ($system_carp['synchronizetoip'] ==""){ + log_error("[suricata] xmlrpc CARP sync is enabled but there are no system backup hosts configured as replication targets."); + return; + } + } + else{ + log_error("[suricata] xmlrpc CARP sync is enabled but there are no system backup hosts configured as replication targets."); + return; + } + break; + default: + return; + break; + } + if (is_array($rs)){ + log_error("[suricata] Suricata pkg xmlrpc CARP sync is starting."); + foreach($rs as $sh){ + if ($sh['varsyncsuricatastart']) + $syncstartsuricata = $sh['varsyncsuricatastart']; + else + $syncstartsuricata = "OFF"; + $sync_to_ip = $sh['varsyncipaddress']; + $port = $sh['varsyncport']; + $password = $sh['varsyncpassword']; + if($sh['varsyncusername']) + $username = $sh['varsyncusername']; + else + $username = 'admin'; + if($password && $sync_to_ip) + suricata_do_xmlrpc_sync($syncdownloadrules, $sync_to_ip, $port, $username, $password, $synctimeout, $syncstartsuricata); + } + log_error("[suricata] Suricata pkg xmlrpc CARP sync completed."); + } + } +} + +/* Do the actual XMLRPC sync */ +function suricata_do_xmlrpc_sync($syncdownloadrules, $sync_to_ip, $port, $username, $password, $synctimeout = 150, $syncstartsuricata) { + global $config, $g; + + /* Do not attempt a package sync while booting up or installing package */ + if ($g['booting'] || isset($g['suricata_postinstall'])) { + log_error("[suricata] No xmlrpc sync to CARP targets when booting up or during package reinstallation."); + return; + } + + if($username == "" || $password == "" || $sync_to_ip == "") { + log_error("[suricata] A required XMLRPC CARP sync parameter (user, host IP or password) is empty ... aborting pkg sync"); + return; + } + + /* Test key variables and set defaults if empty */ + if(!$synctimeout) + $synctimeout=150; + + $xmlrpc_sync_neighbor = $sync_to_ip; + if($config['system']['webgui']['protocol'] != "") { + $synchronizetoip = $config['system']['webgui']['protocol']; + $synchronizetoip .= "://"; + } + $port = $config['system']['webgui']['port']; + /* if port is empty lets rely on the protocol selection */ + if($port == "") { + if($config['system']['webgui']['protocol'] == "http") + $port = "80"; + else + $port = "443"; + } + $synchronizetoip .= $sync_to_ip; + $url = $synchronizetoip; + + /*************************************************/ + /* Send over any auto-SID management files */ + /*************************************************/ + $sid_files = glob(SID_MODS_PATH . '*'); + foreach ($sid_files as $file) { + $content = base64_encode(file_get_contents($file)); + $payload = "@file_put_contents('{$file}', base64_decode('{$content}'));"; + + /* assemble xmlrpc payload */ + $method = 'pfsense.exec_php'; + $params = array( XML_RPC_encode($password), XML_RPC_encode($payload) ); + + log_error("[suricata] Suricata XMLRPC CARP sync sending auto-SID conf files to {$url}:{$port}."); + $msg = new XML_RPC_Message($method, $params); + $cli = new XML_RPC_Client('/xmlrpc.php', $url, $port); + $cli->setCredentials($username, $password); + $resp = $cli->send($msg, $synctimeout); + $error = ""; + if(!$resp) { + $error = "A communications error occurred while attempting Suricata XMLRPC CARP sync with {$url}:{$port}. Failed to transfer file: " . basename($file); + log_error($error); + file_notice("sync_settings", $error, "Suricata Settings Sync", ""); + } elseif($resp->faultCode()) { + $error = "An error code was received while attempting Suricata XMLRPC CARP sync with {$url}:{$port}. Failed to transfer file: " . basename($file) . " - Code " . $resp->faultCode() . ": " . $resp->faultString(); + log_error($error); + file_notice("sync_settings", $error, "Suricata Settings Sync", ""); + } + } + + if (!empty($sid_files) && $error == "") + log_error("[suricata] Suricata pkg XMLRPC CARP sync auto-SID conf files success with {$url}:{$port} (pfsense.exec_php)."); + + /**************************************************/ + /* Send over the portion of config.xml */ + /* $xml will hold the section to sync. */ + /**************************************************/ + $xml = array(); + $xml['suricata'] = $config['installedpackages']['suricata']; + /* assemble xmlrpc payload */ + $params = array( + XML_RPC_encode($password), + XML_RPC_encode($xml) + ); + + log_error("[suricata] Beginning Suricata pkg configuration XMLRPC sync to {$url}:{$port}."); + $method = 'pfsense.merge_installedpackages_section_xmlrpc'; + $msg = new XML_RPC_Message($method, $params); + $cli = new XML_RPC_Client('/xmlrpc.php', $url, $port); + $cli->setCredentials($username, $password); + + /* send our XMLRPC message and timeout after defined sync timeout value*/ + $resp = $cli->send($msg, $synctimeout); + if(!$resp) { + $error = "A communications error occurred while attempting Suricata XMLRPC CARP sync with {$url}:{$port}."; + log_error($error); + file_notice("sync_settings", $error, "Suricata Settings Sync", ""); + } elseif($resp->faultCode()) { + $error = "An error code was received while attempting Suricata XMLRPC CARP sync with {$url}:{$port} - Code " . $resp->faultCode() . ": " . $resp->faultString(); + log_error($error); + file_notice("sync_settings", $error, "Suricata Settings Sync", ""); + } else { + log_error("[suricata] Suricata pkg configuration XMLRPC CARP sync successfully completed with {$url}:{$port}."); + } + + $downloadrulescmd = ""; + if ($syncdownloadrules == "yes") { + $downloadrulescmd = "log_error(gettext(\"[suricata] XMLRPC pkg CARP sync: Update of downloaded rule sets requested...\"));\n"; + $downloadrulescmd .= "\tinclude_once(\"/usr/local/pkg/suricata/suricata_check_for_rule_updates.php\");\n"; + } + $suricatastart = ""; + if ($syncstartsuricata == "ON") { + $suricatastart = "log_error(gettext(\"[suricata] XMLRPC pkg CARP sync: Checking Suricata status...\"));\n"; + $suricatastart .= "\tif (!is_process_running(\"suricata\")) {\n"; + $suricatastart .= "\t\tlog_error(gettext(\"[suricata] XMLRPC pkg CARP sync: Suricata not running. Sending a start command...\"));\n"; + $suricatastart .= "\t\t\$sh_script = RCFILEPREFIX . \"suricata.sh\";\n"; + $suricatastart .= "\t\tmwexec_bg(\"{\$sh_script} start\");\n\t}\n"; + $suricatastart .= "\telse {\n\t\tlog_error(gettext(\"[suricata] XMLRPC pkg CARP sync: Suricata is running...\"));\n\t}\n"; + } + + /*************************************************/ + /* Build a series of commands as a PHP file for */ + /* the secondary host to execute to load the new */ + /* settings. */ + /*************************************************/ + $suricata_sync_cmd = << + +EOD; + + /*************************************************/ + /* First, have target host write the commands */ + /* to a PHP file in the /tmp directory. */ + /*************************************************/ + $execcmd = "file_put_contents('/tmp/suricata_sync_cmds.php', '{$suricata_sync_cmd}');"; + + /* assemble xmlrpc payload */ + $method = 'pfsense.exec_php'; + $params = array( + XML_RPC_encode($password), + XML_RPC_encode($execcmd) + ); + + log_error("[suricata] Suricata XMLRPC CARP sync sending reload configuration cmd set as a file to {$url}:{$port}."); + $msg = new XML_RPC_Message($method, $params); + $cli = new XML_RPC_Client('/xmlrpc.php', $url, $port); + $cli->setCredentials($username, $password); + $resp = $cli->send($msg, $synctimeout); + if(!$resp) { + $error = "A communications error occurred while attempting Suricata XMLRPC CARP sync with {$url}:{$port} (pfsense.exec_php)."; + log_error($error); + file_notice("sync_settings", $error, "Suricata Settings Sync", ""); + } elseif($resp->faultCode()) { + $error = "An error code was received while attempting Suricata XMLRPC CARP sync with {$url}:{$port} - Code " . $resp->faultCode() . ": " . $resp->faultString(); + log_error($error); + file_notice("sync_settings", $error, "Suricata Settings Sync", ""); + } else { + log_error("[suricata] Suricata pkg XMLRPC CARP sync reload configuration success with {$url}:{$port} (pfsense.exec_php)."); + } + + /*************************************************/ + /* Now assemble a command to execute the */ + /* previously sent PHP file in the background. */ + /*************************************************/ + $execcmd = "exec(\"/usr/local/bin/php -f '/tmp/suricata_sync_cmds.php' > /dev/null 2>&1 &\");"; + $params2 = array( + XML_RPC_encode($password), + XML_RPC_encode($execcmd) + ); + log_error("[suricata] Suricata XMLRPC CARP sync sending {$url}:{$port} cmd to execute configuration reload."); + $msg2 = new XML_RPC_Message($method, $params2); + $resp = $cli->send($msg2, $synctimeout); + if(!$resp) { + $error = "A communications error occurred while attempting Suricata XMLRPC CARP sync with {$url}:{$port} (pfsense.exec_php)."; + log_error($error); + file_notice("sync_settings", $error, "Suricata Settings Sync", ""); + } elseif($resp->faultCode()) { + $error = "An error code was received while attempting Suricata XMLRPC CARP sync with {$url}:{$port} - Code " . $resp->faultCode() . ": " . $resp->faultString(); + log_error($error); + file_notice("sync_settings", $error, "Suricata Settings Sync", ""); + } else { + log_error("[suricata] Suricata pkg XMLRPC CARP sync reload configuration success with {$url}:{$port} (pfsense.exec_php)."); + } } ?> diff --git a/config/suricata/suricata.priv.inc b/config/suricata/suricata.priv.inc index 3bbee55a..efa71366 100644 --- a/config/suricata/suricata.priv.inc +++ b/config/suricata/suricata.priv.inc @@ -25,6 +25,7 @@ $priv_list['page-services-suricata']['match'][] = "suricata/suricata_select_alia $priv_list['page-services-suricata']['match'][] = "suricata/suricata_list_view.php*"; $priv_list['page-services-suricata']['match'][] = "suricata/suricata_logs_browser.php*"; $priv_list['page-services-suricata']['match'][] = "suricata/suricata_logs_mgmt.php*"; +$priv_list['page-services-suricata']['match'][] = "suricata/suricata_sid_mgmt.php*"; $priv_list['page-services-suricata']['match'][] = "suricata/suricata_passlist.php*"; $priv_list['page-services-suricata']['match'][] = "suricata/suricata_passlist_edit.php*"; $priv_list['page-services-suricata']['match'][] = "suricata/suricata_post_install.php*"; diff --git a/config/suricata/suricata.xml b/config/suricata/suricata.xml index 6aae2d93..d5ea59ad 100644 --- a/config/suricata/suricata.xml +++ b/config/suricata/suricata.xml @@ -9,49 +9,40 @@ /* suricata.xml part of the Suricata package for pfSense + Copyright (C) 2014 Bill meeks - Significant portions are based on original work done for the Snort - package for pfSense from the following contributors: - - Copyright (C) 2005 Bill Marquette . - Copyright (C) 2003-2004 Manuel Kasper . - Copyright (C) 2006 Scott Ullrich - Copyright (C) 2009 Robert Zelaya Sr. Developer - Copyright (C) 2012 Ermal Luci - All rights reserved. - - Adapted for Suricata by: - Copyright (C) 2014 Bill Meeks - All rights reserved. - - Redistribution and use in source and binary forms, with or without - modification, are permitted provided that the following conditions are met: - - 1. Redistributions of source code must retain the above copyright notice, - this list of conditions and the following disclaimer. - - 2. Redistributions in binary form must reproduce the above copyright - notice, this list of conditions and the following disclaimer in the - documentation and/or other materials provided with the distribution. - - THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, - INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY - AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE - AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, - OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF - SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS - INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN - CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE - POSSIBILITY OF SUCH DAMAGE. + All rights reserved. */ +/* ========================================================================== */ +/* + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code MUST retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. + */ /* ========================================================================== */ ]]> Suricata IDS/IPS Package None suricata - 1.4.6 pkg v1.0.6 + 2.0.3 pkg v2.0 Services: Suricata IDS /usr/local/pkg/suricata/suricata.inc @@ -76,11 +67,21 @@ /usr/local/pkg/suricata/ 0755 + + https://packages.pfsense.org/packages/config/suricata/suricata_sync.xml + /usr/local/pkg/suricata/ + 0755 + https://packages.pfsense.org/packages/config/suricata/suricata_check_cron_misc.inc /usr/local/pkg/suricata/ 0755 + + https://packages.pfsense.org/packages/config/suricata/suricata_check_for_rule_updates.php + /usr/local/pkg/suricata/ + 0755 + https://packages.pfsense.org/packages/config/suricata/suricata_yaml_template.inc /usr/local/pkg/suricata/ @@ -88,7 +89,22 @@ https://packages.pfsense.org/packages/config/suricata/suricata_generate_yaml.php - /usr/local/www/suricata/ + /usr/local/pkg/suricata/ + 0755 + + + https://packages.pfsense.org/packages/config/suricata/suricata_migrate_config.php + /usr/local/pkg/suricata/ + 0755 + + + https://packages.pfsense.org/packages/config/suricata/suricata_post_install.php + /usr/local/pkg/suricata/ + 0755 + + + https://packages.pfsense.org/packages/config/suricata/suricata_uninstall.php + /usr/local/pkg/suricata/ 0755 @@ -121,11 +137,6 @@ /usr/local/www/suricata/ 0755 - - https://packages.pfsense.org/packages/config/suricata/suricata_check_for_rule_updates.php - /usr/local/www/suricata/ - 0755 - https://packages.pfsense.org/packages/config/suricata/suricata_rules.php /usr/local/www/suricata/ @@ -182,22 +193,22 @@ 0755 - https://packages.pfsense.org/packages/config/suricata/suricata_list_view.php + https://packages.pfsense.org/packages/config/suricata/suricata_sid_mgmt.php /usr/local/www/suricata/ 0755 - https://packages.pfsense.org/packages/config/suricata/suricata_app_parsers.php + https://packages.pfsense.org/packages/config/suricata/suricata_list_view.php /usr/local/www/suricata/ 0755 - https://packages.pfsense.org/packages/config/suricata/suricata_libhtp_policy_engine.php + https://packages.pfsense.org/packages/config/suricata/suricata_app_parsers.php /usr/local/www/suricata/ 0755 - https://packages.pfsense.org/packages/config/suricata/suricata_uninstall.php + https://packages.pfsense.org/packages/config/suricata/suricata_libhtp_policy_engine.php /usr/local/www/suricata/ 0755 @@ -212,9 +223,19 @@ 0755 - https://packages.pfsense.org/packages/config/suricata/suricata_post_install.php - /usr/local/www/suricata/ - 0755 + /usr/local/www/widgets/javascript/ + 0644 + https://packages.pfsense.org/packages/config/suricata/suricata_alerts.js + + + /usr/local/www/widgets/widgets/ + 0644 + https://packages.pfsense.org/packages/config/suricata/suricata_alerts.widget.php + + + /usr/local/www/widgets/include/ + 0644 + https://packages.pfsense.org/packages/config/suricata/widget-suricata.inc /usr/local/www/suricata/ @@ -237,19 +258,19 @@ https://packages.pfsense.org/packages/config/suricata/suricata_select_alias.php - /usr/local/www/widgets/javascript/ + /var/db/suricata/sidmods/ 0644 - https://packages.pfsense.org/packages/config/suricata/suricata_alerts.js + https://packages.pfsense.org/packages/config/suricata/disablesid-sample.conf - /usr/local/www/widgets/widgets/ + /var/db/suricata/sidmods/ 0644 - https://packages.pfsense.org/packages/config/suricata/suricata_alerts.widget.php + https://packages.pfsense.org/packages/config/suricata/enablesid-sample.conf - /usr/local/www/widgets/include/ + /var/db/suricata/sidmods/ 0644 - https://packages.pfsense.org/packages/config/suricata/widget-suricata.inc + https://packages.pfsense.org/packages/config/suricata/modifysid-sample.conf ['installedpackages']['suricata'] @@ -259,12 +280,12 @@ diff --git a/config/suricata/suricata_alerts.php b/config/suricata/suricata_alerts.php index 2f0f114f..60a506ae 100644 --- a/config/suricata/suricata_alerts.php +++ b/config/suricata/suricata_alerts.php @@ -11,6 +11,7 @@ * Copyright (C) 2006 Scott Ullrich * Copyright (C) 2009 Robert Zelaya Sr. Developer * Copyright (C) 2012 Ermal Luci + * Copyright (C) 2014 Jim Pingle jim@pingle.org * All rights reserved. * * Adapted for Suricata by: @@ -44,6 +45,7 @@ require_once("/usr/local/pkg/suricata/suricata.inc"); $supplist = array(); $suri_pf_table = SURICATA_PF_TABLE; +$filterlogentries = FALSE; function suricata_is_alert_globally_suppressed($list, $gid, $sid) { @@ -132,6 +134,31 @@ function suricata_add_supplist_entry($suppress) { return false; } +function suricata_escape_filter_regex($filtertext) { + /* If the caller (user) has not already put a backslash before a slash, to escape it in the regex, */ + /* then this will do it. Take out any "\/" already there, then turn all ordinary "/" into "\/". */ + return str_replace('/', '\/', str_replace('\/', '/', $filtertext)); +} + +function suricata_match_filter_field($flent, $fields) { + foreach ($fields as $key => $field) { + if ($field == null) + continue; + if ((strpos($field, '!') === 0)) { + $field = substr($field, 1); + $field_regex = suricata_escape_filter_regex($field); + if (@preg_match("/{$field_regex}/i", $flent[$key])) + return false; + } + else { + $field_regex = suricata_escape_filter_regex($field); + if (!@preg_match("/{$field_regex}/i", $flent[$key])) + return false; + } + } + return true; +} + if (isset($_POST['instance']) && is_numericint($_POST['instance'])) $instanceid = $_POST['instance']; // This is for the auto-refresh so we can stay on the same interface @@ -164,6 +191,49 @@ if (empty($pconfig['arefresh'])) $pconfig['arefresh'] = 'off'; $anentries = $pconfig['alertnumber']; +# --- AJAX REVERSE DNS RESOLVE Start --- +if (isset($_POST['resolve'])) { + $ip = strtolower($_POST['resolve']); + $res = (is_ipaddr($ip) ? gethostbyaddr($ip) : ''); + + if ($res && $res != $ip) + $response = array('resolve_ip' => $ip, 'resolve_text' => $res); + else + $response = array('resolve_ip' => $ip, 'resolve_text' => gettext("Cannot resolve")); + + echo json_encode(str_replace("\\","\\\\", $response)); // single escape chars can break JSON decode + exit; +} +# --- AJAX REVERSE DNS RESOLVE End --- + +if ($_POST['filterlogentries_submit']) { + // Set flag for filtering alert entries + $filterlogentries = TRUE; + + // -- IMPORTANT -- + // Note the order of these fields must match the order decoded from the alerts log + $filterfieldsarray = array(); + $filterfieldsarray['time'] = $_POST['filterlogentries_time'] ? $_POST['filterlogentries_time'] : null; + $filterfieldsarray['action'] = null; + $filterfieldsarray['gid'] = $_POST['filterlogentries_gid'] ? $_POST['filterlogentries_gid'] : null; + $filterfieldsarray['sid'] = $_POST['filterlogentries_sid'] ? $_POST['filterlogentries_sid'] : null; + $filterfieldsarray['rev'] = null; + $filterfieldsarray['msg'] = $_POST['filterlogentries_description'] ? $_POST['filterlogentries_description'] : null; + $filterfieldsarray['class'] = $_POST['filterlogentries_classification'] ? $_POST['filterlogentries_classification'] : null; + $filterfieldsarray['priority'] = $_POST['filterlogentries_priority'] ? $_POST['filterlogentries_priority'] : null; + $filterfieldsarray['proto'] = $_POST['filterlogentries_protocol'] ? $_POST['filterlogentries_protocol'] : null; + // Remove any zero-length spaces added to the IP address that could creep in from a copy-paste operation + $filterfieldsarray['src'] = $_POST['filterlogentries_sourceipaddress'] ? str_replace("\xE2\x80\x8B", "", $_POST['filterlogentries_sourceipaddress']) : null; + $filterfieldsarray['sport'] = $_POST['filterlogentries_sourceport'] ? $_POST['filterlogentries_sourceport'] : null; + // Remove any zero-length spaces added to the IP address that could creep in from a copy-paste operation + $filterfieldsarray['dst'] = $_POST['filterlogentries_destinationipaddress'] ? str_replace("\xE2\x80\x8B", "", $_POST['filterlogentries_destinationipaddress']) : null; + $filterfieldsarray['dport'] = $_POST['filterlogentries_destinationport'] ? $_POST['filterlogentries_destinationport'] : null; +} + +if ($_POST['filterlogentries_clear']) { + $filterfieldsarray = array(); +} + if ($_POST['save']) { if (!is_array($config['installedpackages']['suricata']['alertsblocks'])) $config['installedpackages']['suricata']['alertsblocks'] = array(); @@ -277,7 +347,9 @@ if ($_POST['togglesid'] && is_numeric($_POST['sidid']) && is_numeric($_POST['gen /* rules for this interface. */ /*************************************************/ $rebuild_rules = true; + conf_mount_rw(); suricata_generate_yaml($a_instance[$instanceid]); + conf_mount_ro(); $rebuild_rules = false; /* Signal Suricata to live-load the new rules */ @@ -334,7 +406,6 @@ include_once("head.inc"); ?> - + - +
+ @@ -416,6 +491,87 @@ if ($savemsg) {  ', '', '', ''); ?> + + + + "> + + + + "> + + @@ -436,7 +592,7 @@ if ($savemsg) { - + @@ -445,7 +601,7 @@ if ($savemsg) { - + @@ -458,95 +614,175 @@ if (file_exists("/var/log/suricata/suricata_{$if_real}{$suricata_uuid}/alerts.lo if (file_exists("/tmp/alerts_suricata{$suricata_uuid}")) { $tmpblocked = array_flip(suricata_get_blocked_ips()); $counter = 0; - /* 0 1 2 3 4 5 6 7 8 9 10 11 12 */ - /* File format timestamp,action,sig_generator,sig_id,sig_rev,msg,classification,priority,proto,src,srcport,dst,dstport */ + + /*************** FORMAT without CSV patch -- ALERT -- ***********************************************************************************/ + /* Line format: timestamp action[**] [gid:sid:rev] msg [**] [Classification: class] [Priority: pri] {proto} src:srcport -> dst:dstport */ + /* 0 1 2 3 4 5 6 7 8 9 10 11 12 */ + /****************************************************************************************************************************************/ + + /**************** FORMAT without CSV patch -- DECODER EVENT -- **************************************************************************/ + /* Line format: timestamp action[**] [gid:sid:rev] msg [**] [Classification: class] [Priority: pri] [**] [Raw pkt: ...] */ + /* 0 1 2 3 4 5 6 7 */ + /************** *************************************************************************************************************************/ + $fd = fopen("/tmp/alerts_suricata{$suricata_uuid}", "r"); - while (($fields = fgetcsv($fd, 1000, ',', '"')) !== FALSE) { - if(count($fields) < 13) - continue; + $buf = ""; + while (($buf = fgets($fd)) !== FALSE) { + $fields = array(); + $tmp = array(); + $decoder_event = FALSE; + + /**************************************************************/ + /* Parse alert log entry to find the parts we want to display */ + /**************************************************************/ + + // Field 0 is the event timestamp + $fields['time'] = substr($buf, 0, strpos($buf, ' ')); + + // Field 1 is currently not used, so set to NULL + $fields['action'] = null; + + // The regular expression match below returns an array as follows: + // [2] => GID, [3] => SID, [4] => REV, [5] => MSG, [6] => CLASSIFICATION, [7] = PRIORITY + preg_match('/\[\*{2}\]\s\[((\d+):(\d+):(\d+))\]\s(.*)\[\*{2}\]\s\[Classification:\s(.*)\]\s\[Priority:\s(\d+)\]\s/', $buf, $tmp); + $fields['gid'] = trim($tmp[2]); + $fields['sid'] = trim($tmp[3]); + $fields['rev'] = trim($tmp[4]); + $fields['msg'] = trim($tmp[5]); + $fields['class'] = trim($tmp[6]); + $fields['priority'] = trim($tmp[7]); + + // The regular expression match below looks for the PROTO, SRC and DST fields + // and returns an array as follows: + // [1] = PROTO, [2] => SRC:SPORT [3] => DST:DPORT + if (preg_match('/\{(.*)\}\s(.*)\s->\s(.*)/', $buf, $tmp)) { + // Get PROTO + $fields['proto'] = trim($tmp[1]); + + // Get SRC + $fields['src'] = trim(substr($tmp[2], 0, strrpos($tmp[2], ':'))); + if (is_ipaddrv6($fields['src'])) + $fields['src'] = inet_ntop(inet_pton($fields['src'])); + + // Get SPORT + $fields['sport'] = trim(substr($tmp[2], strrpos($tmp[2], ':') + 1)); + + // Get DST + $fields['dst'] = trim(substr($tmp[3], 0, strrpos($tmp[3], ':'))); + if (is_ipaddrv6($fields['dst'])) + $fields['dst'] = inet_ntop(inet_pton($fields['dst'])); + + // Get DPORT + $fields['dport'] = trim(substr($tmp[3], strrpos($tmp[3], ':') + 1)); + } + else { + // If no PROTO nor IP ADDR, then this is a DECODER EVENT + $decoder_event = TRUE; + $fields['proto'] = gettext("n/a"); + $fields['sport'] = gettext("n/a"); + $fields['dport'] = gettext("n/a"); + } // Create a DateTime object from the event timestamp that // we can use to easily manipulate output formats. - $event_tm = date_create_from_format("m/d/Y-H:i:s.u", $fields[0]); + $event_tm = date_create_from_format("m/d/Y-H:i:s.u", $fields['time']); // Check the 'CATEGORY' field for the text "(null)" and // substitute "Not Assigned". - if ($fields[6] == "(null)") - $fields[6] = "Not Assigned"; + if ($fields['class'] == "(null)") + $fields['class'] = gettext("Not Assigned"); + + $fields['time'] = date_format($event_tm, "m/d/Y") . " " . date_format($event_tm, "H:i:s"); + if ($filterlogentries && !suricata_match_filter_field($fields, $filterfieldsarray)) { + continue; + } /* Time */ $alert_time = date_format($event_tm, "H:i:s"); /* Date */ $alert_date = date_format($event_tm, "m/d/Y"); /* Description */ - $alert_descr = $fields[5]; - $alert_descr_url = urlencode($fields[5]); + $alert_descr = $fields['msg']; + $alert_descr_url = urlencode($fields['msg']); /* Priority */ - $alert_priority = $fields[7]; + $alert_priority = $fields['priority']; /* Protocol */ - $alert_proto = $fields[8]; + $alert_proto = $fields['proto']; + /* IP SRC */ - $alert_ip_src = $fields[9]; - /* Add zero-width space as soft-break opportunity after each colon if we have an IPv6 address */ - $alert_ip_src = str_replace(":", ":​", $alert_ip_src); - /* Add Reverse DNS lookup icons */ - $alert_ip_src .= "
"; - $alert_ip_src .= " "; - $alert_ip_src .= ""; - $alert_ip_src .= ""; - /* Add icons for auto-adding to Suppress List if appropriate */ - if (!suricata_is_alert_globally_suppressed($supplist, $fields[2], $fields[3]) && - !isset($supplist[$fields[2]][$fields[3]]['by_src'][$fields[9]])) { - $alert_ip_src .= "  "; - } - elseif (isset($supplist[$fields[2]][$fields[3]]['by_src'][$fields[9]])) { - $alert_ip_src .= "  "; + if ($decoder_event == FALSE) { + $alert_ip_src = $fields['src']; + /* Add zero-width space as soft-break opportunity after each colon if we have an IPv6 address */ + $alert_ip_src = str_replace(":", ":​", $alert_ip_src); + /* Add Reverse DNS lookup icon */ + $alert_ip_src .= "
\"Icon"; + /* Add icons for auto-adding to Suppress List if appropriate */ + if (!suricata_is_alert_globally_suppressed($supplist, $fields['gid'], $fields['sid']) && + !isset($supplist[$fields['gid']][$fields['sid']]['by_src'][$fields['src']])) { + $alert_ip_src .= "  "; + } + elseif (isset($supplist[$fields['gid']][$fields['sid']]['by_src'][$fields['src']])) { + $alert_ip_src .= "  "; + } + /* Add icon for auto-removing from Blocked Table if required */ + if (isset($tmpblocked[$fields['src']])) { + $alert_ip_src .= " "; + } } - /* Add icon for auto-removing from Blocked Table if required */ - if (isset($tmpblocked[$fields[9]])) { - $alert_ip_src .= " "; + else { + if (preg_match('/\s\[Raw pkt:(.*)\]/', $buf, $tmp)) + $alert_ip_src = "
" . gettext("Decoder Event") . "
"; + else + $alert_ip_src = gettext("Decoder Event"); } + /* IP SRC Port */ - $alert_src_p = $fields[10]; - /* IP Destination */ - $alert_ip_dst = $fields[11]; - /* Add zero-width space as soft-break opportunity after each colon if we have an IPv6 address */ - $alert_ip_dst = str_replace(":", ":​", $alert_ip_dst); - /* Add Reverse DNS lookup icons */ - $alert_ip_dst .= "
"; - $alert_ip_dst .= " "; - $alert_ip_dst .= ""; - $alert_ip_dst .= ""; - /* Add icons for auto-adding to Suppress List if appropriate */ - if (!suricata_is_alert_globally_suppressed($supplist, $fields[2], $fields[3]) && - !isset($supplist[$fields[2]][$fields[3]]['by_dst'][$fields[11]])) { - $alert_ip_dst .= "  "; - } - elseif (isset($supplist[$fields[2]][$fields[3]]['by_dst'][$fields[11]])) { - $alert_ip_dst .= "  "; + $alert_src_p = $fields['sport']; + + /* IP DST */ + if ($decoder_event == FALSE) { + $alert_ip_dst = $fields['dst']; + /* Add zero-width space as soft-break opportunity after each colon if we have an IPv6 address */ + $alert_ip_dst = str_replace(":", ":​", $alert_ip_dst); + /* Add Reverse DNS lookup icons */ + $alert_ip_dst .= "
\"Icon"; + /* Add icons for auto-adding to Suppress List if appropriate */ + if (!suricata_is_alert_globally_suppressed($supplist, $fields['gid'], $fields['sid']) && + !isset($supplist[$fields['gid']][$fields['sid']]['by_dst'][$fields['dst']])) { + $alert_ip_dst .= "  "; + } + elseif (isset($supplist[$fields['gid']][$fields['sid']]['by_dst'][$fields['dst']])) { + $alert_ip_dst .= "  "; + } + + /* Add icon for auto-removing from Blocked Table if required */ + if (isset($tmpblocked[$fields['dst']])) { + $alert_ip_dst .= " "; + } } - /* Add icon for auto-removing from Blocked Table if required */ - if (isset($tmpblocked[$fields[11]])) { - $alert_ip_dst .= " "; + else { + $alert_ip_dst = gettext("n/a"); } + /* IP DST Port */ - $alert_dst_p = $fields[12]; + $alert_dst_p = $fields['dport']; + /* SID */ - $alert_sid_str = "{$fields[2]}:{$fields[3]}"; - if (!suricata_is_alert_globally_suppressed($supplist, $fields[2], $fields[3])) { - $sidsupplink = ""; } @@ -555,34 +791,35 @@ if (file_exists("/var/log/suricata/suricata_{$if_real}{$suricata_uuid}/alerts.lo $sidsupplink .= "title='" . gettext("This alert is already in the Suppress List") . "'/>"; } /* Add icon for toggling rule state */ - if (isset($disablesid[$fields[2]][$fields[3]])) { - $sid_dsbl_link = ""; } else { - $sid_dsbl_link = ""; } /* DESCRIPTION */ - $alert_class = $fields[6]; + $alert_class = $fields['class']; echo " - + - + - + \n"; $counter++; } + unset($fields, $buf, $tmp); fclose($fd); @unlink("/tmp/alerts_suricata{$suricata_uuid}"); } @@ -591,10 +828,10 @@ if (file_exists("/var/log/suricata/suricata_{$if_real}{$suricata_uuid}/alerts.lo
+ " onclick="enable_showFilter();" /> +    +
+ + + + + + + + + + + + + + + + + + + + + + + + +
+
+
+ 		+
+
+ 		+
+
+ 		+
+
+ 		+
+
+
+
+
+ 		+
+
+ 		+
+
+ 		+
+
+ 		+
+
+
+
+
+ 		+ + +
" title="" /> +    " title="" /> +    " onclick="enable_hideFilter();" title="" />
+
+  ', '');?>   +    +
+
  
{$alert_date}
{$alert_time}		 {$alert_priority} {$alert_proto} {$alert_class}{$alert_ip_src}{$alert_ip_src} {$alert_src_p}{$alert_ip_dst}{$alert_ip_dst} {$alert_dst_p}{$alert_sid_str}
{$sidsupplink}  {$sid_dsbl_link}		{$alert_sid_str}
{$sidsupplink}  {$sid_dsbl_link}		 {$alert_descr}
- + + + + + + diff --git a/config/suricata/suricata_alerts.widget.php b/config/suricata/suricata_alerts.widget.php index 21fad03d..776cead9 100644 --- a/config/suricata/suricata_alerts.widget.php +++ b/config/suricata/suricata_alerts.widget.php @@ -42,8 +42,8 @@ if (!is_array($config['installedpackages']['suricata']['rule'])) $a_instance = &$config['installedpackages']['suricata']['rule']; /* array sorting */ -function sksort(&$array, $subkey="id", $sort_ascending=false) { - /* an empty array causes sksort to fail - this test alleviates the error */ +function suricata_sksort(&$array, $subkey="id", $sort_ascending=false) { + /* an empty array causes suricata_sksort to fail - this test alleviates the error */ if(empty($array)) return false; if (count($array)){ @@ -114,12 +114,58 @@ function suricata_widget_get_alerts() { exec("tail -{$suri_nentries} -r /var/log/suricata/suricata_{$if_real}{$suricata_uuid}/alerts.log > /tmp/surialerts_{$suricata_uuid}"); if (file_exists("/tmp/surialerts_{$suricata_uuid}")) { - /* 0 1 2 3 4 5 6 7 8 9 10 11 12 */ - /* File format: timestamp,action,sig_generator,sig_id,sig_rev,msg,classification,priority,proto,src,srcport,dst,dstport */ + /*************** FORMAT without CSV patch -- ALERT -- ***********************************************************************************/ + /* Line format: timestamp action[**] [gid:sid:rev] msg [**] [Classification: class] [Priority: pri] {proto} src:srcport -> dst:dstport */ + /* 0 1 2 3 4 5 6 7 8 9 10 11 12 */ + /****************************************************************************************************************************************/ + + /**************** FORMAT without CSV patch -- DECODER EVENT -- **************************************************************************/ + /* Line format: timestamp action[**] [gid:sid:rev] msg [**] [Classification: class] [Priority: pri] [**] [Raw pkt: ...] */ + /* 0 1 2 3 4 5 6 7 */ + /************** *************************************************************************************************************************/ + $fd = fopen("/tmp/surialerts_{$suricata_uuid}", "r"); - while (($fields = fgetcsv($fd, 1000, ',', '"')) !== FALSE) { - if(count($fields) < 13) - continue; + $buf = ""; + while (($buf = fgets($fd)) !== FALSE) { + $fields = array(); + $tmp = array(); + + // Parse alert log entry to find the parts we want to display + $fields[0] = substr($buf, 0, strpos($buf, ' ')); + + // The regular expression match below returns an array as follows: + // [1] => CLASSIFICATION, [2] = PRIORITY + preg_match('/\s\[Classification:\s(.*)\]\s\[Priority:\s(\d+)\]\s/', $buf, $tmp); + $fields[6] = trim($tmp[1]); + $fields[7] = trim($tmp[2]); + + // The regular expression match below looks for the PROTO, SRC and DST fields + // and returns an array as follows: + // [1] = PROTO, [2] => SRC:SPORT [3] => DST:DPORT + if (preg_match('/\{(.*)\}\s(.*)\s->\s(.*)/', $buf, $tmp)) { + // Get SRC + $fields[9] = trim(substr($tmp[2], 0, strrpos($tmp[2], ':'))); + if (is_ipaddrv6($fields[9])) + $fields[9] = inet_ntop(inet_pton($fields[9])); + + // Get SPORT + $fields[10] = trim(substr($tmp[2], strrpos($tmp[2], ':') + 1)); + + // Get DST + $fields[11] = trim(substr($tmp[3], 0, strrpos($tmp[3], ':'))); + if (is_ipaddrv6($fields[11])) + $fields[11] = inet_ntop(inet_pton($fields[11])); + + // Get DPORT + $fields[12] = trim(substr($tmp[3], strrpos($tmp[3], ':') + 1)); + } + else { + // If no PROTO and IP ADDR, then this is a DECODER EVENT + $fields[9] = gettext("Decoder Event"); + $fields[10] = ""; + $fields[11] = ""; + $fields[12] = ""; + } // Create a DateTime object from the event timestamp that // we can use to easily manipulate output formats. @@ -130,7 +176,7 @@ function suricata_widget_get_alerts() { if ($fields[6] == "(null)") $fields[6] = "No classtype assigned"; - $suricata_alerts[$counter]['instanceid'] = strtoupper($a_instance[$instanceid]['interface']); + $suricata_alerts[$counter]['instanceid'] = strtoupper(convert_friendly_interface_to_friendly_descr($a_instance[$instanceid]['interface'])); $suricata_alerts[$counter]['timestamp'] = strval(date_timestamp_get($event_tm)); $suricata_alerts[$counter]['timeonly'] = date_format($event_tm, "H:i:s"); $suricata_alerts[$counter]['dateonly'] = date_format($event_tm, "M d"); @@ -140,15 +186,15 @@ function suricata_widget_get_alerts() { else $suricata_alerts[$counter]['src'] = $fields[9]; // Add the SRC PORT if not null - if (!empty($fields[10])) + if (!empty($fields[10]) || $fields[10] == '0') $suricata_alerts[$counter]['src'] .= ":" . $fields[10]; // Add square brackets around any IPv6 address if (is_ipaddrv6($fields[11])) $suricata_alerts[$counter]['dst'] = "[" . $fields[11] . "]"; else $suricata_alerts[$counter]['dst'] = $fields[11]; - // Add the SRC PORT if not null - if (!empty($fields[12])) + // Add the DST PORT if not null + if (!empty($fields[12]) || $fields[12] == '0') $suricata_alerts[$counter]['dst'] .= ":" . $fields[12]; $suricata_alerts[$counter]['priority'] = $fields[7]; $suricata_alerts[$counter]['category'] = $fields[6]; @@ -162,9 +208,9 @@ function suricata_widget_get_alerts() { // Sort the alerts array if (isset($config['syslog']['reverse'])) { - sksort($suricata_alerts, 'timestamp', false); + suricata_sksort($suricata_alerts, 'timestamp', false); } else { - sksort($suricata_alerts, 'timestamp', true); + suricata_sksort($suricata_alerts, 'timestamp', true); } return $suricata_alerts; diff --git a/config/suricata/suricata_app_parsers.php b/config/suricata/suricata_app_parsers.php index c28b99d1..16927092 100644 --- a/config/suricata/suricata_app_parsers.php +++ b/config/suricata/suricata_app_parsers.php @@ -86,13 +86,14 @@ if (isset($id) && $a_nat[$id]) { if (empty($pconfig['libhtp_policy']['item'])) { $default = array( "name" => "default", "bind_to" => "all", "personality" => "IDS", "request-body-limit" => 4096, "response-body-limit" => 4096, - "double-decode-path" => "no", "double-decode-query" => "no" ); + "double-decode-path" => "no", "double-decode-query" => "no", + "uri-include-all" => "no" ); $pconfig['libhtp_policy']['item'] = array(); $pconfig['libhtp_policy']['item'][] = $default; if (!is_array($a_nat[$id]['libhtp_policy']['item'])) $a_nat[$id]['libhtp_policy']['item'] = array(); $a_nat[$id]['libhtp_policy']['item'][] = $default; - write_config(); + write_config("Suricata pkg: created a new default HTTP server configuration for " . convert_friendly_interface_to_friendly_descr($a_nat[$id]['interface'])); $libhtp_engine_next_id++; } else @@ -121,6 +122,7 @@ elseif ($_POST['select_alias']) { $eng_resp_body_limit = $_POST['resp_body_limit']; $eng_enable_double_decode_path = $_POST['enable_double_decode_path']; $eng_enable_double_decode_query = $_POST['enable_double_decode_query']; + $eng_enable_uri_include_all = $_POST['enable_uri_include_all']; $mode = "add_edit_libhtp_policy"; } if ($_POST['save_libhtp_policy']) { @@ -161,6 +163,7 @@ if ($_POST['save_libhtp_policy']) { if ($_POST['enable_double_decode_path']) { $engine['double-decode-path'] = 'yes'; }else{ $engine['double-decode-path'] = 'no'; } if ($_POST['enable_double_decode_query']) { $engine['double-decode-query'] = 'yes'; }else{ $engine['double-decode-query'] = 'no'; } + if ($_POST['enable_uri_include_all']) { $engine['uri-include-all'] = 'yes'; }else{ $engine['uri-include-all'] = 'no'; } // Can only have one "all" Bind_To address if ($engine['bind_to'] == "all" && $engine['name'] <> "default") @@ -196,7 +199,7 @@ if ($_POST['save_libhtp_policy']) { } // Now write the new engine array to conf - write_config(); + write_config("Suricata pkg: saved updated HTTP server configuration for " . convert_friendly_interface_to_friendly_descr($a_nat[$id]['interface'])); $pconfig['libhtp_policy']['item'] = $a_nat[$id]['libhtp_policy']['item']; } else { @@ -209,7 +212,7 @@ elseif ($_POST['add_libhtp_policy']) { $add_edit_libhtp_policy = true; $pengcfg = array( "name" => "engine_{$libhtp_engine_next_id}", "bind_to" => "", "personality" => "IDS", "request-body-limit" => "4096", "response-body-limit" => "4096", - "double-decode-path" => "no", "double-decode-query" => "no" ); + "double-decode-path" => "no", "double-decode-query" => "no", "uri-include-all" => "no" ); $eng_id = $libhtp_engine_next_id; } elseif ($_POST['edit_libhtp_policy']) { @@ -229,7 +232,7 @@ elseif ($_POST['del_libhtp_policy']) { } if (isset($id) && $a_nat[$id]) { $a_nat[$id] = $natent; - write_config(); + write_config("Suricata pkg: deleted a HTTP server configuration for " . convert_friendly_interface_to_friendly_descr($a_nat[$id]['interface'])); } } elseif ($_POST['cancel_libhtp_policy']) { @@ -239,9 +242,24 @@ elseif ($_POST['ResetAll']) { /* Reset all the settings to defaults */ $pconfig['asn1_max_frames'] = "256"; + $pconfig['dns_global_memcap'] = "16777216"; + $pconfig['dns_state_memcap'] = "524288"; + $pconfig['dns_request_flood_limit'] = "500"; + $pconfig['http_parser_memcap'] = "67108864"; + $pconfig['dns_parser_udp'] = "yes"; + $pconfig['dns_parser_tcp'] = "yes"; + $pconfig['http_parser'] = "yes"; + $pconfig['tls_parser'] = "yes"; + $pconfig['smtp_parser'] = "yes"; + $pconfig['imap_parser'] = "detection-only"; + $pconfig['ssh_parser'] = "yes"; + $pconfig['ftp_parser'] = "yes"; + $pconfig['dcerpc_parser'] = "yes"; + $pconfig['smb_parser'] = "yes"; + $pconfig['msn_parser'] = "detection-only"; /* Log a message at the top of the page to inform the user */ - $savemsg = gettext("All flow and stream settings have been reset to their defaults."); + $savemsg = gettext("All flow and stream settings on this page have been reset to their defaults. Click APPLY if you wish to keep these new settings."); } elseif ($_POST['save_import_alias']) { // If saving out of "select alias" mode, @@ -257,6 +275,7 @@ elseif ($_POST['save_import_alias']) { $pengcfg['response-body-limit'] = $_POST['eng_resp_body_limit']; $pengcfg['double-decode-path'] = $_POST['eng_enable_double_decode_path']; $pengcfg['double-decode-query'] = $_POST['eng_enable_double_decode_query']; + $pengcfg['uri-include-all'] = $_POST['eng_enable_uri_include_all']; $add_edit_libhtp_policy = true; $mode = "add_edit_libhtp_policy"; @@ -277,12 +296,13 @@ elseif ($_POST['save_import_alias']) { $eng_resp_body_limit = $_POST['eng_resp_body_limit']; $eng_enable_double_decode_path = $_POST['eng_enable_double_decode_path']; $eng_enable_double_decode_query = $_POST['eng_enable_double_decode_query']; + $eng_enable_uri_include_all = $_POST['eng_enable_uri_include_all']; } } else { $engine = array( "name" => "", "bind_to" => "", "personality" => "IDS", "request-body-limit" => "4096", "response-body-limit" => "4096", - "double-decode-path" => "no", "double-decode-query" => "no" ); + "double-decode-path" => "no", "double-decode-query" => "no", "uri-include-all" => "no" ); // See if anything was checked to import if (is_array($_POST['aliastoimport']) && count($_POST['aliastoimport']) > 0) { @@ -322,7 +342,7 @@ elseif ($_POST['save_import_alias']) { } // Write the new engine array to config file - write_config(); + write_config("Suricata pkg: saved an updated HTTP server configuration for " . convert_friendly_interface_to_friendly_descr($a_nat[$id]['interface'])); $importalias = false; } } @@ -344,10 +364,11 @@ elseif ($_POST['cancel_import_alias']) { $pengcfg['response-body-limit'] = $_POST['eng_resp_body_limit']; $pengcfg['double-decode-path'] = $_POST['eng_enable_double_decode_path']; $pengcfg['double-decode-query'] = $_POST['eng_enable_double_decode_query']; + $pengcfg['uri-include-all'] = $_POST['eng_enable_uri_include_all']; $add_edit_libhtp_policy = true; } } -elseif ($_POST['save']) { +elseif ($_POST['save'] || $_POST['apply']) { $natent = array(); $natent = $pconfig; @@ -355,9 +376,37 @@ elseif ($_POST['save']) { if (!is_numeric($_POST['asn1_max_frames'] ) || $_POST['asn1_max_frames'] < 1) $input_errors[] = gettext("The value for 'ASN1 Max Frames' must be all numbers and greater than 0."); + if (!is_numeric($_POST['dns_global_memcap'] ) || $_POST['dns_global_memcap'] < 1) + $input_errors[] = gettext("The value for 'DNS Global Memcap' must be all numbers and greater than 0."); + + if (!is_numeric($_POST['dns_state_memcap'] ) || $_POST['dns_state_memcap'] < 1) + $input_errors[] = gettext("The value for 'DNS Flow/State Memcap' must be all numbers and greater than 0."); + + if (!is_numeric($_POST['dns_request_flood_limit'] ) || $_POST['dns_request_flood_limit'] < 1) + $input_errors[] = gettext("The value for 'DNS Request Flood Limit' must be all numbers and greater than 0."); + + if (!is_numeric($_POST['http_parser_memcap'] ) || $_POST['http_parser_memcap'] < 1) + $input_errors[] = gettext("The value for 'HTTP Memcap' must be all numbers and greater than 0."); + /* if no errors write to conf */ if (!$input_errors) { if ($_POST['asn1_max_frames'] != "") { $natent['asn1_max_frames'] = $_POST['asn1_max_frames']; }else{ $natent['asn1_max_frames'] = "256"; } + if ($_POST['dns_global_memcap'] != ""){ $natent['dns_global_memcap'] = $_POST['dns_global_memcap']; }else{ $natent['dns_global_memcap'] = "16777216"; } + if ($_POST['dns_state_memcap'] != ""){ $natent['dns_state_memcap'] = $_POST['dns_state_memcap']; }else{ $natent['dns_state_memcap'] = "524288"; } + if ($_POST['dns_request_flood_limit'] != ""){ $natent['dns_request_flood_limit'] = $_POST['dns_request_flood_limit']; }else{ $natent['dns_request_flood_limit'] = "500"; } + if ($_POST['http_parser_memcap'] != ""){ $natent['http_parser_memcap'] = $_POST['http_parser_memcap']; }else{ $natent['http_parser_memcap'] = "67108864"; } + + $natent['dns_parser_udp'] = $_POST['dns_parser_udp']; + $natent['dns_parser_tcp'] = $_POST['dns_parser_tcp']; + $natent['http_parser'] = $_POST['http_parser']; + $natent['tls_parser'] = $_POST['tls_parser']; + $natent['smtp_parser'] = $_POST['smtp_parser']; + $natent['imap_parser'] = $_POST['imap_parser']; + $natent['ssh_parser'] = $_POST['ssh_parser']; + $natent['ftp_parser'] = $_POST['ftp_parser']; + $natent['dcerpc_parser'] = $_POST['dcerpc_parser']; + $natent['smb_parser'] = $_POST['smb_parser']; + $natent['msn_parser'] = $_POST['msn_parser']; /**************************************************/ /* If we have a valid rule ID, save configuration */ @@ -366,9 +415,11 @@ elseif ($_POST['save']) { /**************************************************/ if (isset($id) && $a_nat[$id]) { $a_nat[$id] = $natent; - write_config(); + write_config("Suricata pkg: saved updated app-layer parser configuration for " . convert_friendly_interface_to_friendly_descr($a_nat[$id]['interface'])); $rebuild_rules = false; + conf_mount_rw(); suricata_generate_yaml($natent); + conf_mount_ro(); } header( 'Expires: Sat, 26 Jul 1997 05:00:00 GMT' ); @@ -382,37 +433,45 @@ elseif ($_POST['save']) { } $if_friendly = convert_friendly_interface_to_friendly_descr($pconfig['interface']); -$pgtitle = gettext("Suricata: Interface {$if_friendly} - Layer 7 Application Parsers"); +$pgtitle = gettext("Suricata: Interface {$if_friendly} - Application Layer Parsers"); include_once("head.inc"); ?>
+ + + +'; echo '
'; @@ -440,6 +499,7 @@ include_once("head.inc"); echo ''; echo ''; echo ''; + echo ''; } ?> @@ -449,6 +509,7 @@ include_once("head.inc"); + @@ -465,11 +526,103 @@ include_once("head.inc"); gettext("H.323 (VoIP), and SNMP, use ASN.1 to describe the protocol data units (PDUs) they exchange."); ?> + + + + + + + + - + + + + + + + + + + + + + + + + + + + + + + + + + - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + "');\""; ?>/> @@ -525,12 +819,13 @@ include_once("head.inc"); +
+   + " . gettext("16777216") . "" . gettext(" bytes (16MB)."); ?> +
+   + " . gettext("524288") . "" . gettext(" bytes (512KB)."); ?> +
+   + " . gettext("500") . "" . gettext(" requests."); ?>
+ +
+    + " . gettext("yes") . "" . gettext("."); ?>
+ +
+    + " . gettext("yes") . "" . gettext("."); ?>
+ +
+   + " . gettext("67108864") . "" . gettext(" bytes (64MB)."); ?> +
+    + " . gettext("yes") . "" . gettext("."); ?>
+ +
@@ -487,6 +640,7 @@ include_once("head.inc"); height="17" border="0" title=""> + $v): ?> @@ -505,19 +659,159 @@ include_once("head.inc"); +
+    + " . gettext("yes") . "" . gettext("."); ?>
+ +
+    + " . gettext("yes") . "" . gettext("."); ?>
+ +
+    + " . gettext("detection-only") . "" . gettext("."); ?>
+ +
+    + " . gettext("yes") . "" . gettext("."); ?>
+ +
+    + " . gettext("yes") . "" . gettext("."); ?>
+ +
+    + " . gettext("yes") . "" . gettext("."); ?>
+ +
+    + " . gettext("yes") . "" . gettext("."); ?>
+ +
+    + " . gettext("detection-only") . "" . gettext("."); ?>
+ +
  "> + gettext("Save flow and stream settings"); ?>"/>      >
 
-
+
diff --git a/config/suricata/suricata_barnyard.php b/config/suricata/suricata_barnyard.php index c7488fe4..630a3c35 100644 --- a/config/suricata/suricata_barnyard.php +++ b/config/suricata/suricata_barnyard.php @@ -79,7 +79,7 @@ if (isset($id) && $a_nat[$id]) { if (empty($a_nat[$id]['barnyard_syslog_opmode'])) $pconfig['barnyard_syslog_opmode'] = "default"; if (empty($a_nat[$id]['barnyard_syslog_facility'])) - $pconfig['barnyard_syslog_facility'] = "LOG_USER"; + $pconfig['barnyard_syslog_facility'] = "LOG_LOCAL1"; if (empty($a_nat[$id]['barnyard_syslog_priority'])) $pconfig['barnyard_syslog_priority'] = "LOG_INFO"; if (empty($a_nat[$id]['barnyard_bro_ids_dport'])) @@ -213,18 +213,21 @@ include_once("head.inc");
+'; echo ' +
'; @@ -243,6 +246,7 @@ include_once("head.inc");
+ @@ -414,8 +418,8 @@ include_once("head.inc"); @@ -431,7 +435,7 @@ include_once("head.inc"); +
   - " . gettext("LOG_USER") . "."; ?> + " . gettext("LOG_LOCAL1") . "."; ?>
@@ -547,8 +553,6 @@ function toggle_local_syslog() { document.iform.barnyard_syslog_dport.disabled = endis; document.iform.barnyard_syslog_proto_udp.disabled = endis; document.iform.barnyard_syslog_proto_tcp.disabled = endis; - document.iform.barnyard_syslog_facility.disabled = endis; - document.iform.barnyard_syslog_priority.disabled = endis; } } diff --git a/config/suricata/suricata_blocked.php b/config/suricata/suricata_blocked.php index 96171c1e..c29d5745 100644 --- a/config/suricata/suricata_blocked.php +++ b/config/suricata/suricata_blocked.php @@ -10,6 +10,7 @@ * Copyright (C) 2006 Scott Ullrich * Copyright (C) 2009 Robert Zelaya Sr. Developer * Copyright (C) 2012 Ermal Luci + * Copyright (C) 2014 Jim Pingle jim@pingle.org * All rights reserved. * * Adapted for Suricata by: @@ -55,6 +56,21 @@ if (empty($pconfig['blertnumber'])) else $bnentries = $pconfig['blertnumber']; +# --- AJAX REVERSE DNS RESOLVE Start --- +if (isset($_POST['resolve'])) { + $ip = strtolower($_POST['resolve']); + $res = (is_ipaddr($ip) ? gethostbyaddr($ip) : ''); + + if ($res && $res != $ip) + $response = array('resolve_ip' => $ip, 'resolve_text' => $res); + else + $response = array('resolve_ip' => $ip, 'resolve_text' => gettext("Cannot resolve")); + + echo json_encode(str_replace("\\","\\\\", $response)); // single escape chars can break JSON decode + exit; +} +# --- AJAX REVERSE DNS RESOLVE End --- + if ($_POST['todelete']) { $ip = ""; if ($_POST['ip']) @@ -138,8 +154,6 @@ include_once("head.inc"); ?> - - + @@ -181,6 +198,7 @@ if ($savemsg) { +
+ @@ -219,11 +237,11 @@ if ($savemsg) { - + - + @@ -274,18 +292,15 @@ if ($savemsg) { $tmp_ip = str_replace(":", ":​", $block_ip_str); /* Add reverse DNS lookup icons */ $rdns_link = ""; - $rdns_link .= ""; - $rdns_link .= " "; - $rdns_link .= ""; - $rdns_link .= ""; + $rdns_link .= "\"Icon"; /* use one echo to do the magic*/ echo " - \n"; @@ -310,14 +325,49 @@ if ($savemsg) { ?> +
#
{$counter} {$tmp_ip}
{$rdns_link}		 {$blocked_desc} +
+ + + + + diff --git a/config/suricata/suricata_check_cron_misc.inc b/config/suricata/suricata_check_cron_misc.inc index f750c530..a488d9a9 100644 --- a/config/suricata/suricata_check_cron_misc.inc +++ b/config/suricata/suricata_check_cron_misc.inc @@ -72,7 +72,7 @@ function suricata_check_dir_size_limit($suricataloglimitsize) { } // Initialize an array of the log files we want to prune - $logs = array ( "alerts.log", "http.log", "files-json.log", "tls.log", "stats.log" ); + $logs = array ( "alerts.log", "block.log", "dns.log", "eve.json", "http.log", "files-json.log", "sid_changes.log" "stats.log", "tls.log" ); // Clean-up the logs for each configured Suricata instance foreach ($config['installedpackages']['suricata']['rule'] as $value) { @@ -126,8 +126,10 @@ function suricata_check_rotate_log($log_file, $log_limit, $retention) { // Check the current log to see if it needs rotating. // If it does, rotate it and put the current time // on the end of the filename as UNIX timestamp. + if (!file_exists($log_file)) + return; if (($log_limit > 0) && (filesize($log_file) >= $log_limit)) { - $newfile = $log_file . "." . strval(time()); + $newfile = $log_file . "." . date('Y_md_Hi'); try { copy($log_file, $newfile); file_put_contents($log_file, ""); @@ -168,10 +170,18 @@ $logs = array (); // Build an arry of files to check and limits to check them against from our saved configuration $logs['alerts.log']['limit'] = $config['installedpackages']['suricata']['config'][0]['alert_log_limit_size']; $logs['alerts.log']['retention'] = $config['installedpackages']['suricata']['config'][0]['alert_log_retention']; +$logs['block.log']['limit'] = $config['installedpackages']['suricata']['config'][0]['block_log_limit_size']; +$logs['block.log']['retention'] = $config['installedpackages']['suricata']['config'][0]['block_log_retention']; +$logs['dns.log']['limit'] = $config['installedpackages']['suricata']['config'][0]['dns_log_limit_size']; +$logs['dns.log']['retention'] = $config['installedpackages']['suricata']['config'][0]['dns_log_retention']; +$logs['eve.json']['limit'] = $config['installedpackages']['suricata']['config'][0]['eve_log_limit_size']; +$logs['eve.json']['retention'] = $config['installedpackages']['suricata']['config'][0]['eve_log_retention']; $logs['files-json.log']['limit'] = $config['installedpackages']['suricata']['config'][0]['files_json_log_limit_size']; $logs['files-json.log']['retention'] = $config['installedpackages']['suricata']['config'][0]['files_json_log_retention']; $logs['http.log']['limit'] = $config['installedpackages']['suricata']['config'][0]['http_log_limit_size']; $logs['http.log']['retention'] = $config['installedpackages']['suricata']['config'][0]['http_log_retention']; +$logs['sid_changes.log']['limit'] = $config['installedpackages']['suricata']['config'][0]['sid_changes_log_limit_size']; +$logs['sid_changes.log']['retention'] = $config['installedpackages']['suricata']['config'][0]['sid_changes_log_retention']; $logs['stats.log']['limit'] = $config['installedpackages']['suricata']['config'][0]['stats_log_limit_size']; $logs['stats.log']['retention'] = $config['installedpackages']['suricata']['config'][0]['stats_log_retention']; $logs['tls.log']['limit'] = $config['installedpackages']['suricata']['config'][0]['tls_log_limit_size']; @@ -190,12 +200,17 @@ if ($config['installedpackages']['suricata']['config'][0]['enable_log_mgmt'] == $config['installedpackages']['suricata']['config'][0]['u2_archive_log_retention'] > 0) { $now = time(); $files = glob("{$suricata_log_dir}/barnyard2/archive/unified2.alert.*"); + $prune_count = 0; foreach ($files as $f) { - if (($now - filemtime($f)) > ($config['installedpackages']['suricata']['config'][0]['u2_archive_log_retention'] * 3600)) + if (($now - filemtime($f)) > ($config['installedpackages']['suricata']['config'][0]['u2_archive_log_retention'] * 3600)) { + $prune_count++; unlink_if_exists($f); + } } + if ($prune_count > 0) + log_error(gettext("[Suricata] Barnyard2 archived logs cleanup job removed {$prune_count} file(s) from {$suricata_log_dir}/barnyard2/archive/...")); + unset($files); } - unset($files); // Prune aged-out File Store files if any exist if (is_dir("{$suricata_log_dir}/files") && @@ -203,11 +218,15 @@ if ($config['installedpackages']['suricata']['config'][0]['enable_log_mgmt'] == $now = time(); $files = glob("{$suricata_log_dir}/files/file.*"); foreach ($files as $f) { - if (($now - filemtime($f)) > ($config['installedpackages']['suricata']['config'][0]['file_store_retention'] * 3600)) + if (($now - filemtime($f)) > ($config['installedpackages']['suricata']['config'][0]['file_store_retention'] * 3600)) { + $prune_count++; unlink_if_exists($f); + } } + if ($prune_count > 0) + log_error(gettext("[Suricata] File Store cleanup job removed {$prune_count} file(s) from {$suricata_log_dir}/files/...")); + unset($files); } - unset($files); } } diff --git a/config/suricata/suricata_check_for_rule_updates.php b/config/suricata/suricata_check_for_rule_updates.php index bb29078f..5e977f36 100644 --- a/config/suricata/suricata_check_for_rule_updates.php +++ b/config/suricata/suricata_check_for_rule_updates.php @@ -45,7 +45,7 @@ require_once("/usr/local/pkg/suricata/suricata.inc"); global $g, $pkg_interface, $suricata_gui_include, $rebuild_rules; if (!defined("VRT_DNLD_URL")) - define("VRT_DNLD_URL", "https://www.snort.org/reg-rules/"); + define("VRT_DNLD_URL", "https://www.snort.org/rules/"); if (!defined("ET_VERSION")) define("ET_VERSION", "2.9.0"); if (!defined("ET_BASE_DNLD_URL")) @@ -56,8 +56,6 @@ if (!defined("ET_DNLD_FILENAME")) define("ET_DNLD_FILENAME", "emerging.rules.tar.gz"); if (!defined("ETPRO_DNLD_FILENAME")) define("ETPRO_DNLD_FILENAME", "etpro.rules.tar.gz"); -if (!defined("VRT_DNLD_FILENAME")) - define("VRT_DNLD_FILENAME", "snortrules-snapshot-edge.tar.gz"); if (!defined("GPLV2_DNLD_FILENAME")) define("GPLV2_DNLD_FILENAME", "community-rules.tar.gz"); if (!defined("GPLV2_DNLD_URL")) @@ -86,6 +84,7 @@ else /* define checks */ $oinkid = $config['installedpackages']['suricata']['config'][0]['oinkcode']; +$snort_filename = $config['installedpackages']['suricata']['config'][0]['snort_rules_file']; $etproid = $config['installedpackages']['suricata']['config'][0]['etprocode']; $snortdownload = $config['installedpackages']['suricata']['config'][0]['enable_vrt_rules'] == 'on' ? 'on' : 'off'; $etpro = $config['installedpackages']['suricata']['config'][0]['enable_etpro_rules'] == 'on' ? 'on' : 'off'; @@ -96,8 +95,7 @@ $snortcommunityrules = $config['installedpackages']['suricata']['config'][0]['sn /* Working directory for downloaded rules tarballs */ $tmpfname = "/tmp/suricata_rules_up"; -/* Snort Edge VRT Rules filenames and URL */ -$snort_filename = VRT_DNLD_FILENAME; +/* Snort VRT Rules filenames and URL */ $snort_filename_md5 = "{$snort_filename}.md5"; $snort_rule_url = VRT_DNLD_URL; @@ -439,10 +437,15 @@ if ($emergingthreats == 'on') { /* Check for and download any new Snort VRT sigs */ if ($snortdownload == 'on') { - if (suricata_check_rule_md5("{$snort_rule_url}{$snort_filename_md5}/{$oinkid}/", "{$tmpfname}/{$snort_filename_md5}", "Snort VRT rules")) { + if (empty($snort_filename)) { + log_error(gettext("No snortrules-snapshot filename has been set on Snort pkg GLOBAL SETTINGS tab. Snort VRT rules cannot be updated.")); + error_log(gettext("\tWARNING-- No snortrules-snapshot filename set on GLOBAL SETTINGS tab. Snort VRT rules cannot be updated!\n"), 3, $suricata_rules_upd_log); + $snortdownload = 'off'; + } + elseif (suricata_check_rule_md5("{$snort_rule_url}{$snort_filename_md5}?oinkcode={$oinkid}", "{$tmpfname}/{$snort_filename_md5}", "Snort VRT rules")) { /* download snortrules file */ $file_md5 = trim(file_get_contents("{$tmpfname}/{$snort_filename_md5}")); - if (!suricata_fetch_new_rules("{$snort_rule_url}{$snort_filename}/{$oinkid}/", "{$tmpfname}/{$snort_filename}", $file_md5, "Snort VRT rules")) + if (!suricata_fetch_new_rules("{$snort_rule_url}{$snort_filename}?oinkcode={$oinkid}", "{$tmpfname}/{$snort_filename}", $file_md5, "Snort VRT rules")) $snortdownload = 'off'; } else @@ -770,6 +773,6 @@ if ($update_errors) else $config['installedpackages']['suricata']['config'][0]['last_rule_upd_status'] = gettext("success"); $config['installedpackages']['suricata']['config'][0]['last_rule_upd_time'] = time(); -write_config(); +write_config("Suricata pkg: updated status for updated rules package(s) check."); ?> diff --git a/config/suricata/suricata_define_vars.php b/config/suricata/suricata_define_vars.php index d072ff42..3fe5de0d 100644 --- a/config/suricata/suricata_define_vars.php +++ b/config/suricata/suricata_define_vars.php @@ -64,7 +64,7 @@ $suricata_servers = array ( "dns_servers" => "\$HOME_NET", "smtp_servers" => "\$HOME_NET", "http_servers" => "\$HOME_NET", "sql_servers" => "\$HOME_NET", "telnet_servers" => "\$HOME_NET", "dnp3_server" => "\$HOME_NET", "dnp3_client" => "\$HOME_NET", "modbus_server" => "\$HOME_NET", "modbus_client" => "\$HOME_NET", - "enip_server" => "\$HOME_NET", "enip_client" => "\$HOME_NET", + "enip_server" => "\$HOME_NET", "enip_client" => "\$HOME_NET", "ftp_servers" => "\$HOME_NET", "ssh_servers" => "\$HOME_NET", "aim_servers" => "64.12.24.0/23,64.12.28.0/23,64.12.161.0/24,64.12.163.0/24,64.12.200.0/24,205.188.3.0/24,205.188.5.0/24,205.188.7.0/24,205.188.9.0/24,205.188.153.0/24,205.188.179.0/24,205.188.248.0/24" ); @@ -74,6 +74,7 @@ if(is_array($config['system']['ssh']) && isset($config['system']['ssh']['port']) else $ssh_port = "22"; $suricata_ports = array( + "ftp_ports" => "21", "http_ports" => "80", "oracle_ports" => "1521", "ssh_ports" => $ssh_port, @@ -127,7 +128,9 @@ if ($_POST) { /* Update the suricata.yaml file for this interface. */ $rebuild_rules = false; + conf_mount_rw(); suricata_generate_yaml($a_nat[$id]); + conf_mount_ro(); /* Soft-restart Suricaa to live-load new variables. */ suricata_reload_config($a_nat[$id]); @@ -166,18 +169,21 @@ if ($savemsg)
+'; echo ' +
'; @@ -196,6 +202,7 @@ if ($savemsg)
+ @@ -254,9 +261,10 @@ if ($savemsg) +
-
"; diff --git a/config/suricata/suricata_download_updates.php b/config/suricata/suricata_download_updates.php index b5377351..89e959c9 100644 --- a/config/suricata/suricata_download_updates.php +++ b/config/suricata/suricata_download_updates.php @@ -50,6 +50,7 @@ $snortdownload = $config['installedpackages']['suricata']['config'][0]['enable_v $emergingthreats = $config['installedpackages']['suricata']['config'][0]['enable_etopen_rules']; $etpro = $config['installedpackages']['suricata']['config'][0]['enable_etpro_rules']; $snortcommunityrules = $config['installedpackages']['suricata']['config'][0]['snortcommunityrules']; +$snort_rules_file = $config['installedpackages']['suricata']['config'][0]['snort_rules_file']; /* Get last update information if available */ if (!empty($config['installedpackages']['suricata']['config'][0]['last_rule_upd_time'])) @@ -61,7 +62,6 @@ if (!empty($config['installedpackages']['suricata']['config'][0]['last_rule_upd_ else $last_rule_upd_status = gettext("Unknown"); -$snort_rules_file = VRT_DNLD_FILENAME; $snort_community_rules_filename = GPLV2_DNLD_FILENAME; if ($etpro == "on") { @@ -82,7 +82,7 @@ else { $snort_org_sig_chk_local = 'Not Enabled'; $snort_org_sig_date = 'Not Enabled'; } -if (file_exists("{$suricatadir}{$snort_rules_file}.md5")){ +if ($snortdownload == 'on' && file_exists("{$suricatadir}{$snort_rules_file}.md5")){ $snort_org_sig_chk_local = file_get_contents("{$suricatadir}{$snort_rules_file}.md5"); $snort_org_sig_date = date(DATE_RFC850, filemtime("{$suricatadir}{$snort_rules_file}.md5")); } @@ -95,7 +95,7 @@ else { $emergingt_net_sig_chk_local = 'Not Enabled'; $emergingt_net_sig_date = 'Not Enabled'; } -if (file_exists("{$suricatadir}{$emergingthreats_filename}.md5")) { +if (($etpro == "on" || $emergingthreats == "on") && file_exists("{$suricatadir}{$emergingthreats_filename}.md5")) { $emergingt_net_sig_chk_local = file_get_contents("{$suricatadir}{$emergingthreats_filename}.md5"); $emergingt_net_sig_date = date(DATE_RFC850, filemtime("{$suricatadir}{$emergingthreats_filename}.md5")); } @@ -108,7 +108,7 @@ else { $snort_community_sig_chk_local = 'Not Enabled'; $snort_community_sig_sig_date = 'Not Enabled'; } -if (file_exists("{$suricatadir}{$snort_community_rules_filename}.md5")) { +if ($snortcommunityrules == 'on' && file_exists("{$suricatadir}{$snort_community_rules_filename}.md5")) { $snort_community_sig_chk_local = file_get_contents("{$suricatadir}{$snort_community_rules_filename}.md5"); $snort_community_sig_sig_date = date(DATE_RFC850, filemtime("{$suricatadir}{$snort_community_rules_filename}.md5")); } @@ -119,7 +119,7 @@ if ($_POST['clear']) { mwexec("/bin/rm -f {$suricata_rules_upd_log}"); } -if ($_POST['check']) { +if ($_POST['update']) { // Go see if new updates for rule sets are available header("Location: /suricata/suricata_download_rules.php"); exit; @@ -177,21 +177,24 @@ include_once("head.inc"); print_info_box($savemsg); } ?> -
+ + @@ -199,6 +202,7 @@ include_once("head.inc"); @@ -262,8 +268,8 @@ include_once("head.inc");


- " name="check" id="check" class="formbtn" - title=""/>     + " name="update" id="update" class="formbtn" + title=""/>     " name="force" id="force" class="formbtn" title="" onclick="return confirm('');"/> @@ -271,7 +277,6 @@ include_once("head.inc"); - @@ -318,10 +323,12 @@ include_once("head.inc"); gettext(" will go down from time to time. Please be patient."); ?>
+
+ @@ -212,6 +216,7 @@ include_once("head.inc"); + @@ -227,6 +232,7 @@ include_once("head.inc"); +

+
diff --git a/config/suricata/suricata_flow_stream.php b/config/suricata/suricata_flow_stream.php index ba594d55..fa9edc16 100644 --- a/config/suricata/suricata_flow_stream.php +++ b/config/suricata/suricata_flow_stream.php @@ -251,7 +251,6 @@ elseif ($_POST['ResetAll']) { $pconfig['flow_icmp_emerg_established_timeout'] = '100'; $pconfig['stream_memcap'] = '33554432'; - $pconfig['stream_max_sessions'] = '262144'; $pconfig['stream_prealloc_sessions'] = '32768'; $pconfig['reassembly_memcap'] = '67108864'; $pconfig['reassembly_depth'] = '1048576'; @@ -261,9 +260,9 @@ elseif ($_POST['ResetAll']) { $pconfig['enable_async_sessions'] = 'off'; /* Log a message at the top of the page to inform the user */ - $savemsg = gettext("All flow and stream settings have been reset to their defaults."); + $savemsg = gettext("All flow and stream settings have been reset to their defaults. Click APPLY to save the changes."); } -elseif ($_POST['save']) { +elseif ($_POST['save'] || $_POST['apply']) { $natent = array(); $natent = $pconfig; @@ -300,7 +299,6 @@ elseif ($_POST['save']) { if ($_POST['flow_icmp_emerg_established_timeout'] != "") { $natent['flow_icmp_emerg_established_timeout'] = $_POST['flow_icmp_emerg_established_timeout']; }else{ $natent['flow_icmp_emerg_established_timeout'] = "100"; } if ($_POST['stream_memcap'] != "") { $natent['stream_memcap'] = $_POST['stream_memcap']; }else{ $natent['stream_memcap'] = "33554432"; } - if ($_POST['stream_max_sessions'] != "") { $natent['stream_max_sessions'] = $_POST['stream_max_sessions']; }else{ $natent['stream_max_sessions'] = "262144"; } if ($_POST['stream_prealloc_sessions'] != "") { $natent['stream_prealloc_sessions'] = $_POST['stream_prealloc_sessions']; }else{ $natent['stream_prealloc_sessions'] = "32768"; } if ($_POST['enable_midstream_sessions'] == "on") { $natent['enable_midstream_sessions'] = 'on'; }else{ $natent['enable_midstream_sessions'] = 'off'; } if ($_POST['enable_async_sessions'] == "on") { $natent['enable_async_sessions'] = 'on'; }else{ $natent['enable_async_sessions'] = 'off'; } @@ -318,7 +316,9 @@ elseif ($_POST['save']) { $a_nat[$id] = $natent; write_config(); $rebuild_rules = false; + conf_mount_rw(); suricata_generate_yaml($natent); + conf_mount_ro(); } header( 'Expires: Sat, 26 Jul 1997 05:00:00 GMT' ); @@ -431,32 +431,39 @@ include_once("head.inc");
+ + +'; echo ' @@ -633,6 +643,7 @@ include_once("head.inc"); @@ -676,6 +688,7 @@ include_once("head.inc"); @@ -707,6 +721,7 @@ include_once("head.inc"); @@ -747,16 +763,6 @@ include_once("head.inc"); - - - - +
'; @@ -489,6 +496,7 @@ include_once("head.inc"); + @@ -511,6 +519,7 @@ include_once("head.inc"); height="17" border="0" title=""/> + $v): ?> @@ -529,6 +538,7 @@ include_once("head.inc"); +
+ +
  @@ -669,6 +680,7 @@ include_once("head.inc"); " . gettext("20") . "."; ?>
+ +
  @@ -700,6 +713,7 @@ include_once("head.inc"); " . gettext("100") . "."; ?>
+ +
  @@ -731,6 +746,7 @@ include_once("head.inc"); " . gettext("100") . "."; ?>
-   - " . gettext("262,144") . "" . gettext(" sessions."); ?>

- -
@@ -835,12 +841,13 @@ include_once("head.inc");
- +
diff --git a/config/suricata/suricata_generate_yaml.php b/config/suricata/suricata_generate_yaml.php index bd3ce368..91dc06a5 100644 --- a/config/suricata/suricata_generate_yaml.php +++ b/config/suricata/suricata_generate_yaml.php @@ -85,7 +85,7 @@ $suricata_servers = array ( "dns_servers" => "\$HOME_NET", "smtp_servers" => "\$HOME_NET", "http_servers" => "\$HOME_NET", "sql_servers" => "\$HOME_NET", "telnet_servers" => "\$HOME_NET", "dnp3_server" => "\$HOME_NET", "dnp3_client" => "\$HOME_NET", "modbus_server" => "\$HOME_NET", "modbus_client" => "\$HOME_NET", - "enip_server" => "\$HOME_NET", "enip_client" => "\$HOME_NET", + "enip_server" => "\$HOME_NET", "enip_client" => "\$HOME_NET", "ftp_servers" => "\$HOME_NET", "ssh_servers" => "\$HOME_NET", "aim_servers" => "64.12.24.0/23,64.12.28.0/23,64.12.161.0/24,64.12.163.0/24,64.12.200.0/24,205.188.3.0/24,205.188.5.0/24,205.188.7.0/24,205.188.9.0/24,205.188.153.0/24,205.188.179.0/24,205.188.248.0/24" ); $addr_vars = ""; @@ -102,6 +102,7 @@ if(is_array($config['system']['ssh']) && isset($config['system']['ssh']['port']) else $ssh_port = "22"; $suricata_ports = array( + "ftp_ports" => "21", "http_ports" => "80", "oracle_ports" => "1521", "ssh_ports" => $ssh_port, @@ -184,6 +185,26 @@ if ($suricatacfg['alertsystemlog'] == 'on') else $alert_syslog = "no"; +if (!empty($suricatacfg['alertsystemlog_facility'])) + $alert_syslog_facility = $suricatacfg['alertsystemlog_facility']; +else + $alert_syslog_facility = "local5"; + +if (!empty($suricatacfg['alertsystemlog_priority'])) + $alert_syslog_priority = $suricatacfg['alertsystemlog_priority']; +else + $alert_syslog_priority = "Info"; + +if ($suricatacfg['enable_dns_log'] == 'on') + $dns_log_enabled = "yes"; +else + $dns_log_enabled = "no"; + +if ($suricatacfg['append_dns_log'] == 'on') + $dns_log_append = "yes"; +else + $dns_log_append = "no"; + if ($suricatacfg['enable_stats_log'] == 'on') $stats_log_enabled = "yes"; else @@ -209,6 +230,11 @@ if ($suricatacfg['append_http_log'] == 'on') else $http_log_append = "no"; +if ($suricatacfg['http_log_extended'] == 'on') + $http_log_extended = "yes"; +else + $http_log_extended = "no"; + if ($suricatacfg['enable_tls_log'] == 'on') $tls_log_enabled = "yes"; else @@ -277,6 +303,66 @@ if (isset($suricatacfg['barnyard_sensor_id'])) else $unified2_sensor_id = "0"; +// EVE JSON log output settings +if ($suricatacfg['enable_eve_log'] == 'on') + $enable_eve_log = "yes"; +else + $enable_eve_log = "no"; + +if ($suricatacfg['eve_output_type'] == 'syslog') + $eve_output_type = "syslog"; +else + $eve_output_type = "file"; + +if (!empty($suricatacfg['eve_systemlog_facility'])) + $eve_systemlog_facility = $suricatacfg['eve_systemlog_facility']; +else + $eve_systemlog_facility = "local1"; + +if (!empty($suricatacfg['eve_systemlog_priority'])) + $eve_systemlog_priority = $suricatacfg['eve_systemlog_priority']; +else + $eve_systemlog_priority = "info"; + +// EVE log output included information +$eve_out_types = ""; +if ($suricatacfg['eve_log_alerts'] == 'on') + $eve_out_types .= "\n - alert"; + +if ($suricatacfg['eve_log_http'] == 'on') { + $eve_out_types .= "\n - http:"; + if ($suricatacfg['http_log_extended'] == 'on') + $eve_out_types .= "\n extended: yes"; + else + $eve_out_types .= "\n extended: no"; +} + +if ($suricatacfg['eve_log_dns'] == 'on') + $eve_out_types .= "\n - dns"; + +if ($suricatacfg['eve_log_tls'] == 'on') { + $eve_out_types .= "\n - tls:"; + if ($suricatacfg['tls_log_extended'] == 'on') + $eve_out_types .= "\n extended: yes"; + else + $eve_out_types .= "\n extended: no"; +} + +if ($suricatacfg['eve_log_files'] == 'on') { + $eve_out_types .= "\n - files:"; + if ($suricatacfg['enable_tracked_files_magic'] == 'on') + $eve_out_types .= "\n force-magic: yes"; + else + $eve_out_types .= "\n force-magic: no"; + if ($suricatacfg['enable_tracked_files_md5'] == 'on') + $eve_out_types .= "\n force-md5: yes"; + else + $eve_out_types .= "\n force-md5: no"; +} + +if ($suricatacfg['eve_log_ssh'] == 'on') + $eve_out_types .= "\n - ssh"; + // Add interface-specific IP defrag settings if (!empty($suricatacfg['frag_memcap'])) $frag_memcap = $suricatacfg['frag_memcap']; @@ -406,11 +492,6 @@ if (!empty($suricatacfg['stream_memcap'])) else $stream_memcap = "33554432"; -if (!empty($suricatacfg['stream_max_sessions'])) - $stream_max_sessions = $suricatacfg['stream_max_sessions']; -else - $stream_max_sessions = "262144"; - if (!empty($suricatacfg['stream_prealloc_sessions'])) $stream_prealloc_sessions = $suricatacfg['stream_prealloc_sessions']; else @@ -492,7 +573,7 @@ if (!is_array($suricatacfg['libhtp_policy']['item'])) $suricatacfg['libhtp_policy']['item'] = array(); if (empty($suricatacfg['libhtp_policy']['item'])) { $http_hosts_default_policy = "default-config:\n personality: IDS\n request-body-limit: 4096\n response-body-limit: 4096\n"; - $http_hosts_default_policy .= " double-decode-path: no\n double-decode-query: no\n"; + $http_hosts_default_policy .= " double-decode-path: no\n double-decode-query: no\n uri-include-all: no\n"; } else { foreach ($suricatacfg['libhtp_policy']['item'] as $k => $v) { @@ -519,6 +600,7 @@ else { $engine .= " response-body-limit: {$v['response-body-limit']}\n"; $engine .= " double-decode-path: {$v['double-decode-path']}\n"; $engine .= " double-decode-query: {$v['double-decode-query']}\n"; + $engine .= " uri-include-all: {$v['uri-include-all']}\n"; $http_hosts_policy .= " {$engine}\n"; } else { @@ -531,6 +613,7 @@ else { $http_hosts_default_policy .= " response-body-limit: {$v['response-body-limit']}\n"; $http_hosts_default_policy .= " double-decode-path: {$v['double-decode-path']}\n"; $http_hosts_default_policy .= " double-decode-query: {$v['double-decode-query']}\n"; + $http_hosts_default_policy .= " uri-include-all: {$v['uri-include-all']}\n"; } } // Remove trailing newline @@ -544,6 +627,75 @@ if (!empty($suricatacfg['asn1_max_frames'])) else $asn1_max_frames = "256"; +// Configure App-Layer Parsers/Detection +if (!empty($suricatacfg['tls_parser'])) + $tls_parser = $suricatacfg['tls_parser']; +else + $tls_parser = "yes"; +if (!empty($suricatacfg['dcerpc_parser'])) + $dcerpc_parser = $suricatacfg['dcerpc_parser']; +else + $dcerpc_parser = "yes"; +if (!empty($suricatacfg['ftp_parser'])) + $ftp_parser = $suricatacfg['ftp_parser']; +else + $ftp_parser = "yes"; +if (!empty($suricatacfg['ssh_parser'])) + $ssh_parser = $suricatacfg['ssh_parser']; +else + $ssh_parser = "yes"; +if (!empty($suricatacfg['smtp_parser'])) + $smtp_parser = $suricatacfg['smtp_parser']; +else + $smtp_parser = "yes"; +if (!empty($suricatacfg['imap_parser'])) + $imap_parser = $suricatacfg['imap_parser']; +else + $imap_parser = "detection-only"; +if (!empty($suricatacfg['msn_parser'])) + $msn_parser = $suricatacfg['msn_parser']; +else + $msn_parser = "detection-only"; +if (!empty($suricatacfg['smb_parser'])) + $smb_parser = $suricatacfg['smb_parser']; +else + $smb_parser = "yes"; + +/* DNS Parser */ +if (!empty($suricatacfg['dns_parser_tcp'])) + $dns_parser_tcp = $suricatacfg['dns_parser_tcp']; +else + $dns_parser_tcp = "yes"; +if (!empty($suricatacfg['dns_parser_udp'])) + $dns_parser_udp = $suricatacfg['dns_parser_udp']; +else + $dns_parser_udp = "yes"; +if (!empty($suricatacfg['dns_global_memcap'])) + $dns_global_memcap = $suricatacfg['dns_global_memcap']; +else + $dns_global_memcap = "16777216"; +if (!empty($suricatacfg['dns_state_memcap'])) + $dns_state_memcap = $suricatacfg['dns_state_memcap']; +else + $dns_state_memcap = "524288"; +if (!empty($suricatacfg['dns_request_flood_limit'])) + $dns_request_flood_limit = $suricatacfg['dns_request_flood_limit']; +else + $dns_request_flood_limit = "500"; + +/* HTTP Parser */ +if (!empty($suricatacfg['http_parser'])) + $http_parser = $suricatacfg['http_parser']; +else + $http_parser = "yes"; +if (!empty($suricatacfg['http_parser_memcap'])) + $http_parser_memcap = $suricatacfg['http_parser_memcap']; +else + $http_parser_memcap = "67108864"; + +/* Configure the IP REP section */ +$iprep_path = rtrim(IPREP_PATH, '/'); + // Create the rules files and save in the interface directory suricata_prepare_rule_files($suricatacfg, $suricatacfgdir); @@ -563,4 +715,9 @@ if ($config['installedpackages']['suricata']['config'][0]['log_to_systemlog'] == else $suricata_use_syslog = "no"; +if (!empty($config['installedpackages']['suricata']['config'][0]['log_to_systemlog'])) + $suricata_use_syslog_facility = $config['installedpackages']['suricata']['config'][0]['log_to_systemlog']; +else + $suricata_use_syslog_facility = "local1"; + ?> diff --git a/config/suricata/suricata_global.php b/config/suricata/suricata_global.php index 9c932222..5f01a660 100644 --- a/config/suricata/suricata_global.php +++ b/config/suricata/suricata_global.php @@ -45,29 +45,45 @@ require_once("/usr/local/pkg/suricata/suricata.inc"); global $g; $suricatadir = SURICATADIR; +$pconfig = array(); -$pconfig['enable_vrt_rules'] = $config['installedpackages']['suricata']['config'][0]['enable_vrt_rules']; -$pconfig['oinkcode'] = $config['installedpackages']['suricata']['config'][0]['oinkcode']; -$pconfig['etprocode'] = $config['installedpackages']['suricata']['config'][0]['etprocode']; -$pconfig['enable_etopen_rules'] = $config['installedpackages']['suricata']['config'][0]['enable_etopen_rules']; -$pconfig['enable_etpro_rules'] = $config['installedpackages']['suricata']['config'][0]['enable_etpro_rules']; -$pconfig['rm_blocked'] = $config['installedpackages']['suricata']['config'][0]['rm_blocked']; -$pconfig['autoruleupdate'] = $config['installedpackages']['suricata']['config'][0]['autoruleupdate']; -$pconfig['autoruleupdatetime'] = $config['installedpackages']['suricata']['config'][0]['autoruleupdatetime']; -$pconfig['live_swap_updates'] = $config['installedpackages']['suricata']['config'][0]['live_swap_updates']; -$pconfig['log_to_systemlog'] = $config['installedpackages']['suricata']['config'][0]['log_to_systemlog']; -$pconfig['forcekeepsettings'] = $config['installedpackages']['suricata']['config'][0]['forcekeepsettings']; -$pconfig['snortcommunityrules'] = $config['installedpackages']['suricata']['config'][0]['snortcommunityrules']; +// If doing a postback, used typed values, else load from stored config +if (!empty($_POST)) { + $pconfig = $_POST; +} +else { + $pconfig['enable_vrt_rules'] = $config['installedpackages']['suricata']['config'][0]['enable_vrt_rules']; + $pconfig['oinkcode'] = $config['installedpackages']['suricata']['config'][0]['oinkcode']; + $pconfig['etprocode'] = $config['installedpackages']['suricata']['config'][0]['etprocode']; + $pconfig['enable_etopen_rules'] = $config['installedpackages']['suricata']['config'][0]['enable_etopen_rules']; + $pconfig['enable_etpro_rules'] = $config['installedpackages']['suricata']['config'][0]['enable_etpro_rules']; + $pconfig['rm_blocked'] = $config['installedpackages']['suricata']['config'][0]['rm_blocked']; + $pconfig['autoruleupdate'] = $config['installedpackages']['suricata']['config'][0]['autoruleupdate']; + $pconfig['autoruleupdatetime'] = $config['installedpackages']['suricata']['config'][0]['autoruleupdatetime']; + $pconfig['live_swap_updates'] = $config['installedpackages']['suricata']['config'][0]['live_swap_updates']; + $pconfig['log_to_systemlog'] = $config['installedpackages']['suricata']['config'][0]['log_to_systemlog']; + $pconfig['log_to_systemlog_facility'] = $config['installedpackages']['suricata']['config'][0]['log_to_systemlog_facility']; + $pconfig['forcekeepsettings'] = $config['installedpackages']['suricata']['config'][0]['forcekeepsettings']; + $pconfig['snortcommunityrules'] = $config['installedpackages']['suricata']['config'][0]['snortcommunityrules']; + $pconfig['snort_rules_file'] = $config['installedpackages']['suricata']['config'][0]['snort_rules_file']; +} +// Do input validation on parameters if (empty($pconfig['autoruleupdatetime'])) $pconfig['autoruleupdatetime'] = '00:30'; +if (empty($pconfig['log_to_systemlog_facility'])) + $pconfig['log_to_systemlog_facility'] = "local1"; + if ($_POST['autoruleupdatetime']) { if (!preg_match('/^([01]?[0-9]|2[0-3]):?([0-5][0-9])$/', $_POST['autoruleupdatetime'])) $input_errors[] = "Invalid Rule Update Start Time! Please supply a value in 24-hour format as 'HH:MM'."; } -if ($_POST['suricatadownload'] == "on" && empty($_POST['oinkcode'])) +if ($_POST['enable_vrt_rules'] == "on" && empty($_POST['snort_rules_file'])) + $input_errors[] = "You must supply a snort rules tarball filename in the box provided in order to enable Snort VRT rules!"; + +if ($_POST['enable_vrt_rules'] == "on" && empty($_POST['oinkcode'])) $input_errors[] = "You must supply an Oinkmaster code in the box provided in order to enable Snort VRT rules!"; if ($_POST['enable_etpro_rules'] == "on" && empty($_POST['etprocode'])) @@ -117,6 +133,7 @@ if (!$input_errors) { } } + $config['installedpackages']['suricata']['config'][0]['snort_rules_file'] = $_POST['snort_rules_file']; $config['installedpackages']['suricata']['config'][0]['oinkcode'] = $_POST['oinkcode']; $config['installedpackages']['suricata']['config'][0]['etprocode'] = $_POST['etprocode']; $config['installedpackages']['suricata']['config'][0]['rm_blocked'] = $_POST['rm_blocked']; @@ -130,6 +147,7 @@ if (!$input_errors) { } $config['installedpackages']['suricata']['config'][0]['autoruleupdatetime'] = str_pad($_POST['autoruleupdatetime'], 4, "0", STR_PAD_LEFT); $config['installedpackages']['suricata']['config'][0]['log_to_systemlog'] = $_POST['log_to_systemlog'] ? 'on' : 'off'; + $config['installedpackages']['suricata']['config'][0]['log_to_systemlog_facility'] = $_POST['log_to_systemlog_facility']; $config['installedpackages']['suricata']['config'][0]['live_swap_updates'] = $_POST['live_swap_updates'] ? 'on' : 'off'; $config['installedpackages']['suricata']['config'][0]['forcekeepsettings'] = $_POST['forcekeepsettings'] ? 'on' : 'off'; @@ -138,7 +156,7 @@ if (!$input_errors) { /* create passlist and homenet file, then sync files */ sync_suricata_package_config(); - write_config(); + write_config("Suricata pkg: modified global settings."); /* forces page to reload new settings */ header( 'Expires: Sat, 26 Jul 1997 05:00:00 GMT' ); @@ -161,9 +179,6 @@ include_once("head.inc"); ' . $pgtitle . '

'; - /* Display Alert message, under form tag or no refresh */ if ($input_errors) print_input_errors($input_errors); @@ -172,25 +187,29 @@ if ($input_errors)
+ +
+ @@ -198,6 +217,7 @@ if ($input_errors) @@ -239,36 +262,45 @@ if ($input_errors) @@ -334,10 +367,29 @@ if ($input_errors) - + + + + + + +
" . gettext("Emerging Threats") . "" . gettext(" rules");?> + @@ -218,8 +238,10 @@ if ($input_errors) +
/>" . gettext("Note:") . "" . " " . gettext("The ETPro rules contain all of the ETOpen rules, so the ETOpen rules are not required and are disabled when the ETPro rules are selected."); ?>
+ @@ -232,6 +254,7 @@ if ($input_errors) value=""/>
+
 
" . gettext("Snort VRT") . "" . gettext(" rules");?> + - +
/>
 
- +
+
+ - + - + + - + +
 
 
+ +
" . gettext("snortrules-snapshot-2962.tar.gz");?>
 
" . gettext("Snort Community") . "" . gettext(" rules");?> + @@ -278,6 +310,7 @@ if ($input_errors) gettext("If you are a Snort VRT Paid Subscriber, the community ruleset is already built into your download of the ") . gettext("Snort VRT rules, and there is no benefit in adding this rule set.");?>
+
/>
/> 
+    + " . gettext("local1") . "."; ?> +
 

-
@@ -396,11 +449,20 @@ function enable_change_rules_upd() { document.iform.autoruleupdatetime.disabled=""; } +function toggle_log_to_systemlog() { + var endis = !document.iform.log_to_systemlog.checked; + if (endis) + document.getElementById("log_to_systemlog_rows").style.display="none"; + else + document.getElementById("log_to_systemlog_rows").style.display=""; +} + // Initialize the form controls state based on saved settings enable_snort_vrt(); enable_et_rules(); enable_pro_rules(); enable_change_rules_upd(); +toggle_log_to_systemlog(); //--> diff --git a/config/suricata/suricata_import_aliases.php b/config/suricata/suricata_import_aliases.php index ccaaf29d..e2fa4f40 100644 --- a/config/suricata/suricata_import_aliases.php +++ b/config/suricata/suricata_import_aliases.php @@ -79,8 +79,8 @@ - - + + diff --git a/config/suricata/suricata_interfaces.php b/config/suricata/suricata_interfaces.php index 205a872b..3d093d45 100644 --- a/config/suricata/suricata_interfaces.php +++ b/config/suricata/suricata_interfaces.php @@ -60,7 +60,6 @@ $id_gen = count($config['installedpackages']['suricata']['rule']); // Get list of configured firewall interfaces $ifaces = get_configured_interface_list(); - if ($_POST['del_x']) { /* delete selected interfaces */ if (is_array($_POST['rule'])) { @@ -79,7 +78,7 @@ if ($_POST['del_x']) { if (empty($a_nat)) unset($a_nat); - write_config(); + write_config("Suricata pkg: deleted one or more Suricata interfaces."); sleep(2); /* if there are no ifaces remaining do not create suricata.sh */ @@ -87,7 +86,7 @@ if ($_POST['del_x']) { suricata_create_rc(); else { conf_mount_rw(); - @unlink("{$rcdir}/suricata.sh"); + @unlink("{$rcdir}suricata.sh"); conf_mount_ro(); } @@ -170,19 +169,22 @@ include_once("head.inc"); ?> + @@ -191,7 +193,6 @@ include_once("head.inc"); +
- @@ -230,6 +231,7 @@ include_once("head.inc"); +   +
+ +

" . gettext("Suricata Menu ") . @@ -456,14 +459,17 @@ include_once("head.inc"); delete an interface and settings.
 
diff --git a/config/suricata/suricata_interfaces_edit.php b/config/suricata/suricata_interfaces_edit.php index dcf6fe3f..1bef338a 100644 --- a/config/suricata/suricata_interfaces_edit.php +++ b/config/suricata/suricata_interfaces_edit.php @@ -59,8 +59,10 @@ if (isset($_POST['id']) && is_numericint($_POST['id'])) elseif (isset($_GET['id']) && is_numericint($_GET['id'])); $id = htmlspecialchars($_GET['id'], ENT_QUOTES | ENT_HTML401); -if (is_null($id)) - $id = 0; +if (is_null($id)) { + header("Location: /suricata/suricata_interfaces.php"); + exit; +} if (isset($_POST['action'])) $action = htmlspecialchars($_POST['action'], ENT_QUOTES | ENT_HTML401); @@ -87,14 +89,15 @@ $interfaces = get_configured_interface_with_descr(); // See if interface is already configured, and use its values if (isset($id) && $a_rule[$id]) { + /* old options */ $pconfig = $a_rule[$id]; if (!empty($pconfig['configpassthru'])) $pconfig['configpassthru'] = base64_decode($pconfig['configpassthru']); if (empty($pconfig['uuid'])) $pconfig['uuid'] = $suricata_uuid; } +// Must be a new interface, so try to pick next available physical interface to use elseif (isset($id) && !isset($a_rule[$id])) { - // Must be a new interface, so try to pick next available physical interface to use $ifaces = get_configured_interface_list(); $ifrules = array(); foreach($a_rule as $r) @@ -130,24 +133,42 @@ if (empty($pconfig['enable_http_log'])) $pconfig['enable_http_log'] = "on"; if (empty($pconfig['append_http_log'])) $pconfig['append_http_log'] = "on"; -if (empty($pconfig['enable_tls_log'])) - $pconfig['enable_tls_log'] = "off"; +if (empty($pconfig['http_log_extended'])) + $pconfig['http_log_extended'] = "on"; if (empty($pconfig['tls_log_extended'])) $pconfig['tls_log_extended'] = "on"; -if (empty($pconfig['enable_stats_log'])) - $pconfig['enable_stats_log'] = "off"; if (empty($pconfig['stats_upd_interval'])) $pconfig['stats_upd_interval'] = "10"; -if (empty($pconfig['append_stats_log'])) - $pconfig['append_stats_log'] = "off"; +if (empty($pconfig['append_dns_log'])) + $pconfig['append_dns_log'] = "on"; if (empty($pconfig['append_json_file_log'])) $pconfig['append_json_file_log'] = "on"; -if (empty($pconfig['enable_pcap_log'])) - $pconfig['enable_pcap_log'] = "off"; if (empty($pconfig['max_pcap_log_size'])) $pconfig['max_pcap_log_size'] = "32"; if (empty($pconfig['max_pcap_log_files'])) $pconfig['max_pcap_log_files'] = "1000"; +if (empty($pconfig['alertsystemlog_facility'])) + $pconfig['alertsystemlog_facility'] = "local1"; +if (empty($pconfig['alertsystemlog_priority'])) + $pconfig['alertsystemlog_priority'] = "notice"; +if (empty($pconfig['eve_output_type'])) + $pconfig['eve_output_type'] = "file"; +if (empty($pconfig['eve_systemlog_facility'])) + $pconfig['eve_systemlog_facility'] = "local1"; +if (empty($pconfig['eve_systemlog_priority'])) + $pconfig['eve_systemlog_priority'] = "notice"; +if (empty($pconfig['eve_log_alerts'])) + $pconfig['eve_log_alerts'] = "on"; +if (empty($pconfig['eve_log_http'])) + $pconfig['eve_log_http'] = "on"; +if (empty($pconfig['eve_log_dns'])) + $pconfig['eve_log_dns'] = "on"; +if (empty($pconfig['eve_log_tls'])) + $pconfig['eve_log_tls'] = "on"; +if (empty($pconfig['eve_log_files'])) + $pconfig['eve_log_files'] = "on"; +if (empty($pconfig['eve_log_ssh'])) + $pconfig['eve_log_ssh'] = "on"; // See if creating a new interface by duplicating an existing one if (strcasecmp($action, 'dup') == 0) { @@ -180,35 +201,37 @@ if (strcasecmp($action, 'dup') == 0) { } if ($_POST["save"] && !$input_errors) { - // If the interface is not enabled, stop any running Suricata - // instance on it, save the new state and exit. - if (!isset($_POST['enable'])) { - if (isset($id) && $a_rule[$id]) { - $a_rule[$id]['enable'] = 'off'; - $a_rule[$id]['interface'] = htmlspecialchars($_POST['interface']); - $a_rule[$id]['descr'] = htmlspecialchars($_POST['descr']); - suricata_stop($a_rule[$id], get_real_interface($a_rule[$id]['interface'])); - - // Save configuration changes - write_config(); - - // Update suricata.conf and suricata.sh files for this interface - sync_suricata_package_config(); - - header( 'Expires: Sat, 26 Jul 1997 05:00:00 GMT' ); - header( 'Last-Modified: ' . gmdate( 'D, d M Y H:i:s' ) . ' GMT' ); - header( 'Cache-Control: no-store, no-cache, must-revalidate' ); - header( 'Cache-Control: post-check=0, pre-check=0', false ); - header( 'Pragma: no-cache' ); - header("Location: /suricata/suricata_interfaces.php"); - exit; + if (!isset($_POST['interface'])) + $input_errors[] = gettext("Choosing an Interface is mandatory!"); + + /* See if assigned interface is already in use */ + if (isset($_POST['interface'])) { + foreach ($a_rule as $k => $v) { + if (($v['interface'] == $_POST['interface']) && ($id <> $k)) { + $input_errors[] = gettext("The '{$_POST['interface']}' interface is already assigned to another Suricata instance."); + break; + } } } - // Validate inputs - if (!isset($_POST['interface'])) - $input_errors[] = gettext("Choosing an Interface is mandatory!"); + // If Suricata is disabled on this interface, stop any running instance, + // save the change and exit. + if ($_POST['enable'] != 'on') { + $a_rule[$id]['enable'] = $_POST['enable'] ? 'on' : 'off'; + suricata_stop($a_rule[$id], get_real_interface($a_rule[$id]['interface'])); + write_config("Suricata pkg: disabled Suricata on " . convert_friendly_interface_to_friendly_descr($a_rule[$id]['interface'])); + $rebuild_rules = false; + sync_suricata_package_config(); + header( 'Expires: Sat, 26 Jul 1997 05:00:00 GMT' ); + header( 'Last-Modified: ' . gmdate( 'D, d M Y H:i:s' ) . ' GMT' ); + header( 'Cache-Control: no-store, no-cache, must-revalidate' ); + header( 'Cache-Control: post-check=0, pre-check=0', false ); + header( 'Pragma: no-cache' ); + header("Location: /suricata/suricata_interfaces.php"); + exit; + } + // Validate inputs if (isset($_POST['stats_upd_interval']) && !is_numericint($_POST['stats_upd_interval'])) $input_errors[] = gettext("The value for Stats Update Interval must contain only digits and evaluate to an integer."); @@ -224,16 +247,6 @@ if ($_POST["save"] && !$input_errors) { if (!empty($_POST['inspect_recursion_limit']) && !is_numeric($_POST['inspect_recursion_limit'])) $input_errors[] = gettext("The value for Inspect Recursion Limit can either be blank or contain only digits evaluating to an integer greater than or equal to 0."); - /* See if assigned interface is already in use */ - if (isset($_POST['interface'])) { - foreach ($a_rule as $k => $v) { - if (($v['interface'] == $_POST['interface']) && ($id <> $k)) { - $input_errors[] = gettext("The '{$_POST['interface']}' interface is already assigned to another Suricata instance."); - break; - } - } - } - // if no errors write to suricata.yaml if (!$input_errors) { $natent = $a_rule[$id]; @@ -250,6 +263,7 @@ if ($_POST["save"] && !$input_errors) { if ($_POST['enable_http_log'] == "on") { $natent['enable_http_log'] = 'on'; }else{ $natent['enable_http_log'] = 'off'; } if ($_POST['append_http_log'] == "on") { $natent['append_http_log'] = 'on'; }else{ $natent['append_http_log'] = 'off'; } if ($_POST['enable_tls_log'] == "on") { $natent['enable_tls_log'] = 'on'; }else{ $natent['enable_tls_log'] = 'off'; } + if ($_POST['http_log_extended'] == "on") { $natent['http_log_extended'] = 'on'; }else{ $natent['http_log_extended'] = 'off'; } if ($_POST['tls_log_extended'] == "on") { $natent['tls_log_extended'] = 'on'; }else{ $natent['tls_log_extended'] = 'off'; } if ($_POST['enable_pcap_log'] == "on") { $natent['enable_pcap_log'] = 'on'; }else{ $natent['enable_pcap_log'] = 'off'; } if ($_POST['enable_json_file_log'] == "on") { $natent['enable_json_file_log'] = 'on'; }else{ $natent['enable_json_file_log'] = 'off'; } @@ -257,6 +271,7 @@ if ($_POST["save"] && !$input_errors) { if ($_POST['enable_tracked_files_magic'] == "on") { $natent['enable_tracked_files_magic'] = 'on'; }else{ $natent['enable_tracked_files_magic'] = 'off'; } if ($_POST['enable_tracked_files_md5'] == "on") { $natent['enable_tracked_files_md5'] = 'on'; }else{ $natent['enable_tracked_files_md5'] = 'off'; } if ($_POST['enable_file_store'] == "on") { $natent['enable_file_store'] = 'on'; }else{ $natent['enable_file_store'] = 'off'; } + if ($_POST['enable_eve_log'] == "on") { $natent['enable_eve_log'] = 'on'; }else{ $natent['enable_eve_log'] = 'off'; } if ($_POST['max_pending_packets']) $natent['max_pending_packets'] = $_POST['max_pending_packets']; else unset($natent['max_pending_packets']); if ($_POST['inspect_recursion_limit'] >= '0') $natent['inspect_recursion_limit'] = $_POST['inspect_recursion_limit']; else unset($natent['inspect_recursion_limit']); if ($_POST['detect_eng_profile']) $natent['detect_eng_profile'] = $_POST['detect_eng_profile']; else unset($natent['detect_eng_profile']); @@ -270,6 +285,20 @@ if ($_POST["save"] && !$input_errors) { if ($_POST['externallistname']) $natent['externallistname'] = $_POST['externallistname']; else unset($natent['externallistname']); if ($_POST['suppresslistname']) $natent['suppresslistname'] = $_POST['suppresslistname']; else unset($natent['suppresslistname']); if ($_POST['alertsystemlog'] == "on") { $natent['alertsystemlog'] = 'on'; }else{ $natent['alertsystemlog'] = 'off'; } + if ($_POST['alertsystemlog_facility']) $natent['alertsystemlog_facility'] = $_POST['alertsystemlog_facility']; + if ($_POST['alertsystemlog_priority']) $natent['alertsystemlog_priority'] = $_POST['alertsystemlog_priority']; + if ($_POST['enable_dns_log'] == "on") { $natent['enable_dns_log'] = 'on'; }else{ $natent['enable_dns_log'] = 'off'; } + if ($_POST['append_dns_log'] == "on") { $natent['append_dns_log'] = 'on'; }else{ $natent['append_dns_log'] = 'off'; } + if ($_POST['enable_eve_log'] == "on") { $natent['enable_eve_log'] = 'on'; }else{ $natent['enable_eve_log'] = 'off'; } + if ($_POST['eve_output_type']) $natent['eve_output_type'] = $_POST['eve_output_type']; + if ($_POST['eve_systemlog_facility']) $natent['eve_systemlog_facility'] = $_POST['eve_systemlog_facility']; + if ($_POST['eve_systemlog_priority']) $natent['eve_systemlog_priority'] = $_POST['eve_systemlog_priority']; + if ($_POST['eve_log_alerts'] == "on") { $natent['eve_log_alerts'] = 'on'; }else{ $natent['eve_log_alerts'] = 'off'; } + if ($_POST['eve_log_http'] == "on") { $natent['eve_log_http'] = 'on'; }else{ $natent['eve_log_http'] = 'off'; } + if ($_POST['eve_log_dns'] == "on") { $natent['eve_log_dns'] = 'on'; }else{ $natent['eve_log_dns'] = 'off'; } + if ($_POST['eve_log_tls'] == "on") { $natent['eve_log_tls'] = 'on'; }else{ $natent['eve_log_tls'] = 'off'; } + if ($_POST['eve_log_files'] == "on") { $natent['eve_log_files'] = 'on'; }else{ $natent['eve_log_files'] = 'off'; } + if ($_POST['eve_log_ssh'] == "on") { $natent['eve_log_ssh'] = 'on'; }else{ $natent['eve_log_ssh'] = 'off'; } if ($_POST['delayed_detect'] == "on") { $natent['delayed_detect'] = 'on'; }else{ $natent['delayed_detect'] = 'off'; } if ($_POST['configpassthru']) $natent['configpassthru'] = base64_encode($_POST['configpassthru']); else unset($natent['configpassthru']); @@ -330,7 +359,6 @@ if ($_POST["save"] && !$input_errors) { $natent['flow_icmp_emerg_established_timeout'] = '100'; $natent['stream_memcap'] = '33554432'; - $natent['stream_max_sessions'] = '262144'; $natent['stream_prealloc_sessions'] = '32768'; $natent['reassembly_memcap'] = '67108864'; $natent['reassembly_depth'] = '1048576'; @@ -341,6 +369,21 @@ if ($_POST["save"] && !$input_errors) { $natent['delayed_detect'] = 'off'; $natent['asn1_max_frames'] = '256'; + $natent['dns_global_memcap'] = "16777216"; + $natent['dns_state_memcap'] = "524288"; + $natent['dns_request_flood_limit'] = "500"; + $natent['http_parser_memcap'] = "67108864"; + $natent['dns_parser_udp'] = "yes"; + $natent['dns_parser_tcp'] = "yes"; + $natent['http_parser'] = "yes"; + $natent['tls_parser'] = "yes"; + $natent['smtp_parser'] = "yes"; + $natent['imap_parser'] = "detection-only"; + $natent['ssh_parser'] = "yes"; + $natent['ftp_parser'] = "yes"; + $natent['dcerpc_parser'] = "yes"; + $natent['smb_parser'] = "yes"; + $natent['msn_parser'] = "detection-only"; $default = array( "name" => "default", "bind_to" => "all", "policy" => "bsd" ); if (!is_array($natent['host_os_policy']['item'])) @@ -349,7 +392,8 @@ if ($_POST["save"] && !$input_errors) { $default = array( "name" => "default", "bind_to" => "all", "personality" => "IDS", "request-body-limit" => 4096, "response-body-limit" => 4096, - "double-decode-path" => "no", "double-decode-query" => "no" ); + "double-decode-path" => "no", "double-decode-query" => "no", + "uri-include-all" => "no" ); if (!is_array($natent['libhtp_policy']['item'])) $natent['libhtp_policy']['item'] = array(); $natent['libhtp_policy']['item'][] = $default; @@ -369,7 +413,7 @@ if ($_POST["save"] && !$input_errors) { suricata_stop($natent, $if_real); // Save configuration changes - write_config(); + write_config("Suricata pkg: modified interface configuration for " . convert_friendly_interface_to_friendly_descr($natent['interface'])); // Update suricata.conf and suricata.sh files for this interface sync_suricata_package_config(); @@ -407,18 +451,21 @@ if ($savemsg) { +'; echo ' +
'; @@ -436,6 +483,7 @@ if ($savemsg) {
+ @@ -471,9 +519,57 @@ if ($savemsg) { - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + @@ -604,7 +798,7 @@ if ($savemsg) { ?>   
-  " . gettext("Choosing BOTH is suggested, and it is the default value."); ?>
+  " . gettext("Choosing BOTH is suggested, and it is the default value."); ?>
 @@ -643,8 +837,8 @@ if ($savemsg) { @@ -730,9 +925,9 @@ if ($savemsg) { "/>
-

+

 
  @@ -828,14 +1023,32 @@ if ($savemsg) { gettext("Please save your settings before you attempt to start Suricata."); ?> +
/> - /> +
+    + " . gettext("local1") . "."; ?> +
+    + " . gettext("notice") . "."; ?> +
+ onClick="toggle_dns_log();" id="enable_dns_log"/> + " . gettext("Not Checked") . "."; ?> +
/> + " . gettext("Checked") . "."; ?>
@@ -505,6 +601,11 @@ if ($savemsg) { /> " . gettext("Checked") . "."; ?>
/> + " . gettext("Checked") . "."; ?>
@@ -572,6 +673,99 @@ if ($savemsg) { " . gettext("1000") . "."; ?>
+ onClick="toggle_eve_log()"/> + " . gettext("Not Checked") . "."; ?> + +
+    +
+  " . gettext("Choosing FILE is suggested, and it is the default value."); ?>
+
+    + " . gettext("local1") . "."; ?> +
+    + " . gettext("notice") . "."; ?> +
" . gettext("All Checked") . "."; ?>
+ + + + + + + + + + + + + +
/>Alerts + />HTTP Traffic + />DNS Requests/Replies +
/>TLS Handshakes + />Tracked Files + />SSH Handshakes +
+
default"; - /* find whitelist names and filter by type */ - if (is_array($suricataglob['whitelist']['item'])) { - foreach ($suricataglob['whitelist']['item'] as $value) { + /* find Pass List names and filter by type */ + if (is_array($suricataglob['passlist']['item'])) { + foreach ($suricataglob['passlist']['item'] as $value) { $ilistname = $value['name']; if ($ilistname == $pconfig['homelistname']) echo "
diff --git a/config/suricata/suricata_libhtp_policy_engine.php b/config/suricata/suricata_libhtp_policy_engine.php index 7e6ffd6d..248f4c74 100644 --- a/config/suricata/suricata_libhtp_policy_engine.php +++ b/config/suricata/suricata_libhtp_policy_engine.php @@ -60,12 +60,14 @@ resp_body_limit --> Response Body Limit size enable_double_decode_path --> double-decode path part of URI enable_double_decode_query --> double-decode query string part of URI + enable_uri_include_all --> inspect all of URI save_libhtp_policy --> Submit button for save operation and exit cancel_libhtp_policy --> Submit button to cancel operation and exit **************************************************************************************/ ?> + @@ -73,7 +75,7 @@ @@ -155,14 +159,21 @@ - - + + + + +
>  + value="" "default") echo gettext("Name or description for this engine. (Max 25 characters)"); else @@ -87,6 +89,7 @@ "default") : ?> + +
  @@ -97,6 +100,7 @@

" . gettext("Supplied value must be a pre-configured Alias or the keyword 'all'.");?> @@ -112,7 +116,7 @@ 		  " . gettext("IDS") . ""; ?>.

-
+
> + > " . gettext("Not Checked") . "."; ?>
> + > " . gettext("Not Checked") . "."; ?>
> + " . gettext("Not Checked") . "."; ?>

+
  @@ -172,6 +183,7 @@ ">
@@ -134,18 +136,21 @@ if ($input_errors) { + @@ -153,6 +158,7 @@ if ($input_errors) { +
+ @@ -176,7 +182,7 @@ if ($input_errors) { +
- - + + + + + + + +
+ + + + +
+ +
- +
diff --git a/config/suricata/suricata_logs_mgmt.php b/config/suricata/suricata_logs_mgmt.php index 16376c5b..fec2d149 100644 --- a/config/suricata/suricata_logs_mgmt.php +++ b/config/suricata/suricata_logs_mgmt.php @@ -67,6 +67,12 @@ $pconfig['tls_log_retention'] = $config['installedpackages']['suricata']['config $pconfig['unified2_log_limit'] = $config['installedpackages']['suricata']['config'][0]['unified2_log_limit']; $pconfig['u2_archive_log_retention'] = $config['installedpackages']['suricata']['config'][0]['u2_archive_log_retention']; $pconfig['file_store_retention'] = $config['installedpackages']['suricata']['config'][0]['file_store_retention']; +$pconfig['dns_log_limit_size'] = $config['installedpackages']['suricata']['config'][0]['dns_log_limit_size']; +$pconfig['dns_log_retention'] = $config['installedpackages']['suricata']['config'][0]['dns_log_retention']; +$pconfig['eve_log_limit_size'] = $config['installedpackages']['suricata']['config'][0]['eve_log_limit_size']; +$pconfig['eve_log_retention'] = $config['installedpackages']['suricata']['config'][0]['eve_log_retention']; +$pconfig['sid_changes_log_limit_size'] = $config['installedpackages']['suricata']['config'][0]['sid_changes_log_limit_size']; +$pconfig['sid_changes_log_retention'] = $config['installedpackages']['suricata']['config'][0]['sid_changes_log_retention']; // Load up some arrays with selection values (we use these later). // The keys in the $retentions array are the retention period @@ -88,40 +94,97 @@ if (empty($pconfig['suricataloglimitsize'])) { } // Set default retention periods for rotated logs -if (empty($pconfig['alert_log_retention'])) +if (!isset($pconfig['alert_log_retention'])) $pconfig['alert_log_retention'] = "336"; -if (empty($pconfig['block_log_retention'])) +if (!isset($pconfig['block_log_retention'])) $pconfig['block_log_retention'] = "336"; -if (empty($pconfig['files_json_log_retention'])) +if (!isset($pconfig['files_json_log_retention'])) $pconfig['files_json_log_retention'] = "168"; -if (empty($pconfig['http_log_retention'])) +if (!isset($pconfig['http_log_retention'])) $pconfig['http_log_retention'] = "168"; -if (empty($pconfig['stats_log_retention'])) +if (!isset($pconfig['dns_log_retention'])) + $pconfig['dns_log_retention'] = "168"; +if (!isset($pconfig['stats_log_retention'])) $pconfig['stats_log_retention'] = "168"; -if (empty($pconfig['tls_log_retention'])) +if (!isset($pconfig['tls_log_retention'])) $pconfig['tls_log_retention'] = "336"; -if (empty($pconfig['u2_archive_log_retention'])) +if (!isset($pconfig['u2_archive_log_retention'])) $pconfig['u2_archive_log_retention'] = "168"; -if (empty($pconfig['file_store_retention'])) +if (!isset($pconfig['file_store_retention'])) $pconfig['file_store_retention'] = "168"; +if (!isset($pconfig['eve_log_retention'])) + $pconfig['eve_log_retention'] = "168"; +if (!isset($pconfig['sid_changes_log_retention'])) + $pconfig['sid_changes_log_retention'] = "336"; // Set default log file size limits -if (empty($pconfig['alert_log_limit_size'])) +if (!isset($pconfig['alert_log_limit_size'])) $pconfig['alert_log_limit_size'] = "500"; -if (empty($pconfig['block_log_limit_size'])) +if (!isset($pconfig['block_log_limit_size'])) $pconfig['block_log_limit_size'] = "500"; -if (empty($pconfig['files_json_log_limit_size'])) +if (!isset($pconfig['files_json_log_limit_size'])) $pconfig['files_json_log_limit_size'] = "1000"; -if (empty($pconfig['http_log_limit_size'])) +if (!isset($pconfig['http_log_limit_size'])) $pconfig['http_log_limit_size'] = "1000"; -if (empty($pconfig['stats_log_limit_size'])) +if (!isset($pconfig['dns_log_limit_size'])) + $pconfig['dns_log_limit_size'] = "750"; +if (!isset($pconfig['stats_log_limit_size'])) $pconfig['stats_log_limit_size'] = "500"; -if (empty($pconfig['tls_log_limit_size'])) +if (!isset($pconfig['tls_log_limit_size'])) $pconfig['tls_log_limit_size'] = "500"; -if (empty($pconfig['unified2_log_limit'])) +if (!isset($pconfig['unified2_log_limit'])) $pconfig['unified2_log_limit'] = "32"; +if (!isset($pconfig['eve_log_limit_size'])) + $pconfig['eve_log_limit_size'] = "5000"; +if (!isset($pconfig['sid_changes_log_limit_size'])) + $pconfig['sid_changes_log_limit_size'] = "250"; + +if ($_POST['ResetAll']) { + + // Reset all settings to their defaults + $pconfig['alert_log_retention'] = "336"; + $pconfig['block_log_retention'] = "336"; + $pconfig['files_json_log_retention'] = "168"; + $pconfig['http_log_retention'] = "168"; + $pconfig['dns_log_retention'] = "168"; + $pconfig['stats_log_retention'] = "168"; + $pconfig['tls_log_retention'] = "336"; + $pconfig['u2_archive_log_retention'] = "168"; + $pconfig['file_store_retention'] = "168"; + $pconfig['eve_log_retention'] = "168"; + $pconfig['sid_changes_log_retention'] = "336"; + + $pconfig['alert_log_limit_size'] = "500"; + $pconfig['block_log_limit_size'] = "500"; + $pconfig['files_json_log_limit_size'] = "1000"; + $pconfig['http_log_limit_size'] = "1000"; + $pconfig['dns_log_limit_size'] = "750"; + $pconfig['stats_log_limit_size'] = "500"; + $pconfig['tls_log_limit_size'] = "500"; + $pconfig['unified2_log_limit'] = "32"; + $pconfig['eve_log_limit_size'] = "5000"; + $pconfig['sid_changes_log_limit_size'] = "250"; + + /* Log a message at the top of the page to inform the user */ + $savemsg = gettext("All log management settings on this page have been reset to their defaults. Click APPLY if you wish to keep these new settings."); +} + +if ($_POST["save"] || $_POST['apply']) { + if ($_POST['enable_log_mgmt'] != 'on') { + $config['installedpackages']['suricata']['config'][0]['enable_log_mgmt'] = $_POST['enable_log_mgmt'] ? 'on' :'off'; + write_config("Suricata pkg: saved updated configuration for LOGS MGMT."); + sync_suricata_package_config(); + + /* forces page to reload new settings */ + header( 'Expires: Sat, 26 Jul 1997 05:00:00 GMT' ); + header( 'Last-Modified: ' . gmdate( 'D, d M Y H:i:s' ) . ' GMT' ); + header( 'Cache-Control: no-store, no-cache, must-revalidate' ); + header( 'Cache-Control: post-check=0, pre-check=0', false ); + header( 'Pragma: no-cache' ); + header("Location: /suricata/suricata_logs_mgmt.php"); + exit; + } -if ($_POST["save"]) { if ($_POST['suricataloglimit'] == 'on') { if (!is_numericint($_POST['suricataloglimitsize']) || $_POST['suricataloglimitsize'] < 1) $input_errors[] = gettext("The 'Log Directory Size Limit' must be an integer value greater than zero."); @@ -151,8 +214,14 @@ if ($_POST["save"]) { $config['installedpackages']['suricata']['config'][0]['unified2_log_limit'] = $_POST['unified2_log_limit']; $config['installedpackages']['suricata']['config'][0]['u2_archive_log_retention'] = $_POST['u2_archive_log_retention']; $config['installedpackages']['suricata']['config'][0]['file_store_retention'] = $_POST['file_store_retention']; + $config['installedpackages']['suricata']['config'][0]['dns_log_limit_size'] = $_POST['dns_log_limit_size']; + $config['installedpackages']['suricata']['config'][0]['dns_log_retention'] = $_POST['dns_log_retention']; + $config['installedpackages']['suricata']['config'][0]['eve_log_limit_size'] = $_POST['eve_log_limit_size']; + $config['installedpackages']['suricata']['config'][0]['eve_log_retention'] = $_POST['eve_log_retention']; + $config['installedpackages']['suricata']['config'][0]['sid_changes_log_limit_size'] = $_POST['sid_changes_log_limit_size']; + $config['installedpackages']['suricata']['config'][0]['sid_changes_log_retention'] = $_POST['sid_changes_log_retention']; - write_config(); + write_config("Suricata pkg: saved updated configuration for LOGS MGMT."); sync_suricata_package_config(); /* forces page to reload new settings */ @@ -179,23 +248,32 @@ include_once("fbegin.inc"); /* Display Alert message, under form tag or no refresh */ if ($input_errors) print_input_errors($input_errors); - ?>
+ + + @@ -267,7 +345,7 @@ if ($input_errors) - + @@ -319,6 +397,46 @@ if ($input_errors) + + + + + + + + + + + + + + + + + + + + - @@ -472,6 +616,12 @@ function enable_change() { document.iform.unified2_log_limit.disabled = endis; document.iform.u2_archive_log_retention.disabled = endis; document.iform.file_store_retention.disabled = endis; + document.iform.dns_log_retention.disabled = endis; + document.iform.dns_log_limit_size.disabled = endis; + document.iform.eve_log_retention.disabled = endis; + document.iform.eve_log_limit_size.disabled = endis; + document.iform.sid_changes_log_retention.disabled = endis; + document.iform.sid_changes_log_limit_size.disabled = endis; } function enable_change_dirSize() { diff --git a/config/suricata/suricata_migrate_config.php b/config/suricata/suricata_migrate_config.php new file mode 100644 index 00000000..97e3cde6 --- /dev/null +++ b/config/suricata/suricata_migrate_config.php @@ -0,0 +1,339 @@ + elements in the Suricata configuration and */ +/* migrate relevant parameters to the new format. */ +/****************************************************************************/ + +$updated_cfg = false; +log_error("[Suricata] Checking configuration settings version..."); + +// Check the configuration version to see if XMLRPC Sync should +// auto-disabled as part of the upgrade due to config format changes. +if ($config['installedpackages']['suricata']['config'][0]['suricata_config_ver'] < 2 && + ($config['installedpackages']['suricatasync']['config'][0]['varsynconchanges'] == 'auto' || + $config['installedpackages']['suricatasync']['config'][0]['varsynconchanges'] == 'manual')) { + $config['installedpackages']['suricatasync']['config'][0]['varsynconchanges'] = "disabled"; + log_error("[Suricata] Turning off Suricata Sync on this host due to configuration format changes in this update. Upgrade all Suricata Sync targets to this same Suricata package version before re-enabling Suricata Sync."); + $updated_cfg = true; +} + +/**********************************************************/ +/* Create new Auto SID Mgmt settings if not set */ +/**********************************************************/ + if (empty($config['installedpackages']['suricata']['config'][0]['auto_manage_sids'])) { + $config['installedpackages']['suricata']['config'][0]['auto_manage_sids'] = "off"; + $config['installedpackages']['suricata']['config'][0]['sid_changes_log_limit_size'] = "250"; + $config['installedpackages']['suricata']['config'][0]['sid_changes_log_retention'] = "336"; + $updated_cfg = true; + } + +// Now process the interface-specific settings +foreach ($rule as &$r) { + + // Initialize arrays for supported preprocessors if necessary + if (!is_array($r['libhtp_policy']['item'])) + $r['libhtp_policy']['item'] = array(); + + $pconfig = array(); + $pconfig = $r; + + /***********************************************************/ + /* This setting is deprecated in Suricata 2.0 and higher, */ + /* so remove it from the configuration. */ + /***********************************************************/ + if (isset($pconfig['stream_max_sessions'])) { + unset($pconfig['stream_max_sessions']); + $updated_cfg = true; + } + + /***********************************************************/ + /* HTTP server personalities for "Apache" and "Apache_2_2" */ + /* are deprecated and replaced with "Apache_2" in Suricata */ + /* versions greater than 2.0. */ + /***********************************************************/ + $http_serv = &$pconfig['libhtp_policy']['item']; + foreach ($http_serv as &$policy) { + if ($policy['personality'] == "Apache" || $policy['personality'] == "Apache_2_2") { + $policy['personality'] = "Apache_2"; + $updated_cfg = true; + } + // Set new URI inspect option for Suricata 2.0 and higher + if (!isset($policy['uri-include-all'])) { + $policy['uri-include-all'] = "no"; + $updated_cfg = true; + } + } + + /***********************************************************/ + /* Add new HTTP Log Extended Info setting if not present */ + /***********************************************************/ + if (!isset($pconfig['http_log_extended'])) { + $pconfig['http_log_extended'] = "on"; + $updated_cfg = true; + } + + /***********************************************************/ + /* Add new EVE logging settings if not present */ + /***********************************************************/ + if (!isset($pconfig['eve_output_type'])) { + $pconfig['eve_output_type'] = "file"; + $updated_cfg = true; + } + if (empty($pconfig['eve_systemlog_facility'])) { + $pconfig['eve_systemlog_facility'] = "local1"; + $updated_cfg = true; + } + if (empty($pconfig['eve_systemlog_priority'])) { + $pconfig['eve_systemlog_priority'] = "info"; + $updated_cfg = true; + } + if (!isset($pconfig['eve_log_alerts'])) { + $pconfig['eve_log_alerts'] = "on"; + $updated_cfg = true; + } + if (!isset($pconfig['eve_log_http'])) { + $pconfig['eve_log_http'] = "on"; + $updated_cfg = true; + } + if (!isset($pconfig['eve_log_dns'])) { + $pconfig['eve_log_dns'] = "on"; + $updated_cfg = true; + } + if (!isset($pconfig['eve_log_tls'])) { + $pconfig['eve_log_tls'] = "on"; + $updated_cfg = true; + } + if (!isset($pconfig['eve_log_files'])) { + $pconfig['eve_log_files'] = "on"; + $updated_cfg = true; + } + if (!isset($pconfig['eve_log_ssh'])) { + $pconfig['eve_log_ssh'] = "on"; + $updated_cfg = true; + } + + /******************************************************************/ + /* Create default log size and retention limits if not set */ + /******************************************************************/ + if (!isset($pconfig['alert_log_retention']) && $pconfig['alert_log_retention'] != '0') { + $pconfig['alert_log_retention'] = "336"; + $updated_cfg = true; + } + if (!isset($pconfig['alert_log_limit_size']) && $pconfig['alert_log_limit_size'] != '0') { + $pconfig['alert_log_limit_size'] = "500"; + $updated_cfg = true; + } + + if (!isset($pconfig['block_log_retention']) && $pconfig['block_log_retention'] != '0') { + $pconfig['block_log_retention'] = "336"; + $updated_cfg = true; + } + if (!isset($pconfig['block_log_limit_size']) && $pconfig['block_log_limit_size'] != '0') { + $pconfig['block_log_limit_size'] = "500"; + $updated_cfg = true; + } + + if (!isset($pconfig['dns_log_retention']) && $pconfig['dns_log_retention'] != '0') { + $pconfig['dns_log_retention'] = "168"; + $updated_cfg = true; + } + if (!isset($pconfig['dns_log_limit_size']) && $pconfig['dns_log_limit_size'] != '0') { + $pconfig['dns_log_limit_size'] = "750"; + $updated_cfg = true; + } + + if (!isset($pconfig['eve_log_retention']) && $pconfig['eve_log_retention'] != '0') { + $pconfig['eve_log_retention'] = "168"; + $updated_cfg = true; + } + if (!isset($pconfig['eve_log_limit_size']) && $pconfig['eve_log_limit_size'] != '0') { + $pconfig['eve_log_limit_size'] = "5000"; + $updated_cfg = true; + } + + if (!isset($pconfig['files_json_log_retention']) && $pconfig['files_json_log_retention'] != '0') { + $pconfig['files_json_log_retention'] = "168"; + $updated_cfg = true; + } + if (!isset($pconfig['files_json_log_limit_size']) && $pconfig['files_json_log_limit_size'] != '0') { + $pconfig['files_json_log_limit_size'] = "1000"; + $updated_cfg = true; + } + + if (!isset($pconfig['http_log_retention']) && $pconfig['http_log_retention'] != '0') { + $pconfig['http_log_retention'] = "168"; + $updated_cfg = true; + } + if (!isset($pconfig['http_log_limit_size']) && $pconfig['http_log_limit_size'] != '0') { + $pconfig['http_log_limit_size'] = "1000"; + $updated_cfg = true; + } + + if (!isset($pconfig['stats_log_retention']) && $pconfig['stats_log_retention'] != '0') { + $pconfig['stats_log_retention'] = "168"; + $updated_cfg = true; + } + if (!isset($pconfig['stats_log_limit_size']) && $pconfig['stats_log_limit_size'] != '0') { + $pconfig['stats_log_limit_size'] = "500"; + $updated_cfg = true; + } + + if (!isset($pconfig['tls_log_retention']) && $pconfig['tls_log_retention'] != '0') { + $pconfig['tls_log_retention'] = "336"; + $updated_cfg = true; + } + if (!isset($pconfig['tls_log_limit_size']) && $pconfig['tls_log_limit_size'] != '0') { + $pconfig['tls_log_limit_size'] = "500"; + $updated_cfg = true; + } + + if (!isset($pconfig['file_store_retention']) && $pconfig['file_store_retention'] != '0') { + $pconfig['file_store_retention'] = "168"; + $updated_cfg = true; + } + + if (!isset($pconfig['u2_archive_log_retention']) && $pconfig['u2_archive_log_retention'] != '0') { + $pconfig['u2_archive_log_retention'] = "168"; + $updated_cfg = true; + } + + /************************************************************/ + /* Create new DNS App-Layer parser settings if not set */ + /************************************************************/ + if (empty($pconfig['dns_global_memcap'])) { + $pconfig['dns_global_memcap'] = "16777216"; + $updated_cfg = true; + } + if (empty($pconfig['dns_state_memcap'])) { + $pconfig['dns_state_memcap'] = "524288"; + $updated_cfg = true; + } + if (empty($pconfig['dns_request_flood_limit'])) { + $pconfig['dns_request_flood_limit'] = "500"; + $updated_cfg = true; + } + if (empty($pconfig['dns_parser_udp'])) { + $pconfig['dns_parser_udp'] = "yes"; + $updated_cfg = true; + } + if (empty($pconfig['dns_parser_tcp'])) { + $pconfig['dns_parser_tcp'] = "yes"; + $updated_cfg = true; + } + + /***********************************************************/ + /* Create new HTTP App-Layer parser settings if not set */ + /***********************************************************/ + if (empty($pconfig['http_parser'])) { + $pconfig['http_parser'] = "yes"; + $updated_cfg = true; + } + if (empty($pconfig['http_parser_memcap'])) { + $pconfig['http_parser_memcap'] = "67108864"; + $updated_cfg = true; + } + + /**********************************************************/ + /* Create other App-Layer parser settings if not set */ + /**********************************************************/ + if (empty($pconfig['tls_parser'])) { + $pconfig['tls_parser'] = "yes"; + $updated_cfg = true; + } + if (empty($pconfig['smtp_parser'])) { + $pconfig['smtp_parser'] = "yes"; + $updated_cfg = true; + } + if (empty($pconfig['imap_parser'])) { + $pconfig['imap_parser'] = "detection-only"; + $updated_cfg = true; + } + if (empty($pconfig['ssh_parser'])) { + $pconfig['ssh_parser'] = "yes"; + $updated_cfg = true; + } + if (empty($pconfig['ftp_parser'])) { + $pconfig['ftp_parser'] = "yes"; + $updated_cfg = true; + } + if (empty($pconfig['dcerpc_parser'])) { + $pconfig['dcerpc_parser'] = "yes"; + $updated_cfg = true; + } + if (empty($pconfig['smb_parser'])) { + $pconfig['smb_parser'] = "yes"; + $updated_cfg = true; + } + if (empty($pconfig['msn_parser'])) { + $pconfig['msn_parser'] = "detection-only"; + $updated_cfg = true; + } + + // Save the new configuration data into the $config array pointer + $r = $pconfig; +} +// Release reference to final array element +unset($r); + +// Write out the new configuration to disk if we changed anything +if ($updated_cfg) { + $config['installedpackages']['suricata']['config'][0]['suricata_config_ver'] = "2.0"; + log_error("[Suricata] Saving configuration settings in new format..."); + write_config("Suricata pkg: migrate existing settings to new format during package upgrade."); + log_error("[Suricata] Settings successfully migrated to new configuration format..."); +} +else + log_error("[Suricata] Configuration version is current..."); + +?> diff --git a/config/suricata/suricata_os_policy_engine.php b/config/suricata/suricata_os_policy_engine.php index 869d940c..9a881f3d 100644 --- a/config/suricata/suricata_os_policy_engine.php +++ b/config/suricata/suricata_os_policy_engine.php @@ -62,6 +62,7 @@ ?>
dns + +
eve-json + +
files-json
sid_changes + +
stats

+ 		+     />

 
+ @@ -69,7 +70,7 @@ +
/>  + value=""/>  "default") echo gettext("Name or description for this engine. (Max 25 characters)"); else @@ -83,6 +84,7 @@ "default") : ?> + +
  @@ -93,6 +95,7 @@
" . gettext("Supplied value must be a pre-configured Alias or the keyword 'all'.");?>      @@ -129,6 +132,7 @@ ">
diff --git a/config/suricata/suricata_passlist.php b/config/suricata/suricata_passlist.php index fc7c60e2..02aa4a3d 100644 --- a/config/suricata/suricata_passlist.php +++ b/config/suricata/suricata_passlist.php @@ -115,18 +115,21 @@ if ($savemsg) { + @@ -134,6 +137,7 @@ if ($savemsg) { +
+ @@ -142,19 +146,19 @@ if ($savemsg) { $list): ?> - - - + @@ -171,6 +176,7 @@ if ($savemsg) { +
List Name Assigned Alias
-   - + +
"> @@ -163,6 +167,7 @@ if ($savemsg) { src="/themes//images/icons/icon_x.gif" width="17" height="17" border="0" title=""/>
+ +
  @@ -178,27 +184,31 @@ if ($savemsg) { width="17" height="17" border="0" title=""/>

- +
+ - + - + +
-


-
-
-

+


+
+
+

diff --git a/config/suricata/suricata_passlist_edit.php b/config/suricata/suricata_passlist_edit.php index 437ae9a8..0a9a8132 100644 --- a/config/suricata/suricata_passlist_edit.php +++ b/config/suricata/suricata_passlist_edit.php @@ -63,15 +63,53 @@ if (is_null($id)) { exit; } +if (isset($id) && isset($a_passlist[$id])) { + /* Retrieve saved settings */ + $pconfig['name'] = $a_passlist[$id]['name']; + $pconfig['uuid'] = $a_passlist[$id]['uuid']; + $pconfig['address'] = $a_passlist[$id]['address']; + $pconfig['descr'] = html_entity_decode($a_passlist[$id]['descr']); + $pconfig['localnets'] = $a_passlist[$id]['localnets']; + $pconfig['wanips'] = $a_passlist[$id]['wanips']; + $pconfig['wangateips'] = $a_passlist[$id]['wangateips']; + $pconfig['wandnsips'] = $a_passlist[$id]['wandnsips']; + $pconfig['vips'] = $a_passlist[$id]['vips']; + $pconfig['vpnips'] = $a_passlist[$id]['vpnips']; +} + +// Check for returned "selected alias" if action is import +if ($_GET['act'] == "import") { + + // Retrieve previously typed values we passed to SELECT ALIAS page + $pconfig['name'] = htmlspecialchars($_GET['name']); + $pconfig['uuid'] = htmlspecialchars($_GET['uuid']); + $pconfig['address'] = htmlspecialchars($_GET['address']); + $pconfig['descr'] = htmlspecialchars($_GET['descr']); + $pconfig['localnets'] = htmlspecialchars($_GET['localnets'])? 'yes' : 'no'; + $pconfig['wanips'] = htmlspecialchars($_GET['wanips'])? 'yes' : 'no'; + $pconfig['wangateips'] = htmlspecialchars($_GET['wangateips'])? 'yes' : 'no'; + $pconfig['wandnsips'] = htmlspecialchars($_GET['wandnsips'])? 'yes' : 'no'; + $pconfig['vips'] = htmlspecialchars($_GET['vips'])? 'yes' : 'no'; + $pconfig['vpnips'] = htmlspecialchars($_GET['vpnips'])? 'yes' : 'no'; + + // Now retrieve the "selected alias" returned from SELECT ALIAS page + if ($_GET['varname'] == "address" && isset($_GET['varvalue'])) + $pconfig[$_GET['varname']] = htmlspecialchars($_GET['varvalue']); +} + /* If no entry for this passlist, then create a UUID and treat it like a new list */ -if (!isset($a_passlist[$id]['uuid'])) { +if (!isset($a_passlist[$id]['uuid']) && empty($pconfig['uuid'])) { $passlist_uuid = 0; while ($passlist_uuid > 65535 || $passlist_uuid == 0) { $passlist_uuid = mt_rand(1, 65535); $pconfig['uuid'] = $passlist_uuid; $pconfig['name'] = "passlist_{$passlist_uuid}"; } -} else +} +elseif (!empty($pconfig['uuid'])) { + $passlist_uuid = $pconfig['uuid']; +} +else $passlist_uuid = $a_passlist[$id]['uuid']; /* returns true if $name is a valid name for a pass list file name or ip */ @@ -85,28 +123,6 @@ function is_validpasslistname($name) { return false; } -if (isset($id) && $a_passlist[$id]) { - /* old settings */ - $pconfig = array(); - $pconfig['name'] = $a_passlist[$id]['name']; - $pconfig['uuid'] = $a_passlist[$id]['uuid']; - $pconfig['detail'] = $a_passlist[$id]['detail']; - $pconfig['address'] = $a_passlist[$id]['address']; - $pconfig['descr'] = html_entity_decode($a_passlist[$id]['descr']); - $pconfig['localnets'] = $a_passlist[$id]['localnets']; - $pconfig['wanips'] = $a_passlist[$id]['wanips']; - $pconfig['wangateips'] = $a_passlist[$id]['wangateips']; - $pconfig['wandnsips'] = $a_passlist[$id]['wandnsips']; - $pconfig['vips'] = $a_passlist[$id]['vips']; - $pconfig['vpnips'] = $a_passlist[$id]['vpnips']; -} - -// Check for returned "selected alias" if action is import -if ($_GET['act'] == "import") { - if ($_GET['varname'] == "address" && isset($_GET['varvalue'])) - $pconfig[$_GET['varname']] = htmlspecialchars($_GET['varvalue']); -} - if ($_POST['save']) { unset($input_errors); $pconfig = $_POST; @@ -128,11 +144,11 @@ if ($_POST['save']) { $input_errors[] = gettext("Pass List file name may only consist of the characters \"a-z, A-Z, 0-9 and _\". Note: No Spaces or dashes. Press Cancel to reset."); /* check for name conflicts */ - foreach ($a_passlist as $w_list) { - if (isset($id) && ($a_passlist[$id]) && ($a_passlist[$id] === $w_list)) + foreach ($a_passlist as $p_list) { + if (isset($id) && ($a_passlist[$id]) && ($a_passlist[$id] === $p_list)) continue; - if ($w_list['name'] == $_POST['name']) { + if ($p_list['name'] == $_POST['name']) { $input_errors[] = gettext("A Pass List file name with this name already exists."); break; } @@ -143,27 +159,27 @@ if ($_POST['save']) { $input_errors[] = gettext("A valid alias must be provided"); if (!$input_errors) { - $w_list = array(); + $p_list = array(); /* post user input */ - $w_list['name'] = $_POST['name']; - $w_list['uuid'] = $passlist_uuid; - $w_list['localnets'] = $_POST['localnets']? 'yes' : 'no'; - $w_list['wanips'] = $_POST['wanips']? 'yes' : 'no'; - $w_list['wangateips'] = $_POST['wangateips']? 'yes' : 'no'; - $w_list['wandnsips'] = $_POST['wandnsips']? 'yes' : 'no'; - $w_list['vips'] = $_POST['vips']? 'yes' : 'no'; - $w_list['vpnips'] = $_POST['vpnips']? 'yes' : 'no'; - - $w_list['address'] = $_POST['address']; - $w_list['descr'] = mb_convert_encoding($_POST['descr'],"HTML-ENTITIES","auto"); - $w_list['detail'] = $final_address_details; + $p_list['name'] = $_POST['name']; + $p_list['uuid'] = $passlist_uuid; + $p_list['localnets'] = $_POST['localnets']? 'yes' : 'no'; + $p_list['wanips'] = $_POST['wanips']? 'yes' : 'no'; + $p_list['wangateips'] = $_POST['wangateips']? 'yes' : 'no'; + $p_list['wandnsips'] = $_POST['wandnsips']? 'yes' : 'no'; + $p_list['vips'] = $_POST['vips']? 'yes' : 'no'; + $p_list['vpnips'] = $_POST['vpnips']? 'yes' : 'no'; + + $p_list['address'] = $_POST['address']; + $p_list['descr'] = mb_convert_encoding($_POST['descr'],"HTML-ENTITIES","auto"); + $p_list['detail'] = $final_address_details; if (isset($id) && $a_passlist[$id]) - $a_passlist[$id] = $w_list; + $a_passlist[$id] = $p_list; else - $a_passlist[] = $w_list; + $a_passlist[] = $p_list; - write_config("Snort pkg: modified PASS LIST {$w_list['name']}."); + write_config("Suricata pkg: modified PASS LIST {$p_list['name']}."); /* create pass list and homenet file, then sync files */ sync_suricata_package_config(); @@ -193,24 +209,28 @@ if ($savemsg)
+ +
+ @@ -286,8 +306,8 @@ if ($savemsg) @@ -298,9 +318,10 @@ if ($savemsg) +
-          + "/>
-
diff --git a/config/suricata/suricata_post_install.php b/config/suricata/suricata_post_install.php index eb193d58..955751ad 100644 --- a/config/suricata/suricata_post_install.php +++ b/config/suricata/suricata_post_install.php @@ -51,7 +51,33 @@ require_once("/usr/local/pkg/suricata/suricata.inc"); global $config, $g, $rebuild_rules, $pkg_interface, $suricata_gui_include; +/**************************************** + * Define any new constants here that * + * may not be yet defined in the old * + * "suricata.inc" include file that * + * might be cached and used by the * + * package manager installation code. * + * * + * This is a hack to work around the * + * fact the old version of suricata.inc * + * is cached and used instead of the * + * updated version icluded with the * + * updated GUI package. * + ****************************************/ +if (!defined('SID_MODS_PATH')) + define('SID_MODS_PATH', '/var/db/suricata/sidmods/'); +if (!defined('IPREP_PATH')) + define('IPREP_PATH', '/var/db/suricata/iprep/'); + +/**************************************** + * End of PHP cachine workaround * + ****************************************/ + +// Initialize some common values from defined constants $suricatadir = SURICATADIR; +$suricatalogdir = SURICATALOGDIR; +$flowbit_rules_file = FLOWBITS_FILENAME; +$suricata_enforcing_rules_file = ENFORCING_RULES_FILENAME; $rcdir = RCFILEPREFIX; // Hard kill any running Suricata process that may have been started by any @@ -73,47 +99,59 @@ if(is_process_running("barnyard")) { // Set flag for post-install in progress $g['suricata_postinstall'] = true; +// Mount file system read/write so we can modify some files +conf_mount_rw(); + // Remove any previously installed script since we rebuild it -@unlink("{$rcdir}/suricata.sh"); +@unlink("{$rcdir}suricata.sh"); // Create the top-tier log directory safe_mkdir(SURICATALOGDIR); +// Create the IP Rep and SID Mods lists directory +safe_mkdir(SID_MODS_PATH); +safe_mkdir(IPREP_PATH); + // remake saved settings if ($config['installedpackages']['suricata']['config'][0]['forcekeepsettings'] == 'on') { log_error(gettext("[Suricata] Saved settings detected... rebuilding installation with saved settings...")); update_status(gettext("Saved settings detected...")); + /* Do one-time settings migration for new version configuration */ + update_output_window(gettext("Please wait... migrating settings to new configuration...")); + include('/usr/local/pkg/suricata/suricata_migrate_config.php'); update_output_window(gettext("Please wait... rebuilding installation with saved settings...")); log_error(gettext("[Suricata] Downloading and updating configured rule types...")); update_output_window(gettext("Please wait... downloading and updating configured rule types...")); if ($pkg_interface <> "console") $suricata_gui_include = true; - include('/usr/local/www/suricata/suricata_check_for_rule_updates.php'); + include('/usr/local/pkg/suricata/suricata_check_for_rule_updates.php'); update_status(gettext("Generating suricata.yaml configuration file from saved settings...")); $rebuild_rules = true; // Create the suricata.yaml files for each enabled interface $suriconf = $config['installedpackages']['suricata']['rule']; - foreach ($suriconf as $value) { - $if_real = get_real_interface($value['interface']); - - // ## BETA pkg bug fix-up -- be sure default rules enabled ## - $rules = explode("||", $value['rulesets']); - foreach (array( "decoder-events.rules", "files.rules", "http-events.rules", "smtp-events.rules", "stream-events.rules", "tls-events.rules" ) as $r){ - if (!in_array($r, $rules)) - $rules[] = $r; - } - natcasesort($rules); - $value['rulesets'] = implode("||", $rules); - write_config(); - // ## end of BETA pkg bug fix-up ## - - // create a suricata.yaml file for interface - suricata_generate_yaml($value); + foreach ($suriconf as $suricatacfg) { + $if_real = get_real_interface($suricatacfg['interface']); + $suricata_uuid = $suricatacfg['uuid']; + $suricatacfgdir = "{$suricatadir}suricata_{$suricata_uuid}_{$if_real}"; + + // Pull in the PHP code that generates the suricata.yaml file + // variables that will be substitued further down below. + include("/usr/local/pkg/suricata/suricata_generate_yaml.php"); + + // Pull in the boilerplate template for the suricata.yaml + // configuration file. The contents of the template along + // with substituted variables are stored in $suricata_conf_text + // (which is defined in the included file). + include("/usr/local/pkg/suricata/suricata_yaml_template.inc"); + + // Now write out the conf file using $suricata_conf_text contents + @file_put_contents("{$suricatacfgdir}/suricata.yaml", $suricata_conf_text); + unset($suricata_conf_text); // create barnyard2.conf file for interface - if ($value['barnyard_enable'] == 'on') - suricata_generate_barnyard2_conf($value, $if_real); + if ($suricatacfg['barnyard_enable'] == 'on') + suricata_generate_barnyard2_conf($suricatacfg, $if_real); } // create Suricata bootup file suricata.sh @@ -128,10 +166,14 @@ if ($config['installedpackages']['suricata']['config'][0]['forcekeepsettings'] = configure_cron(); // Restore the Dashboard Widget if it was previously enabled and saved - if (!empty($config['installedpackages']['suricata']['config'][0]['dashboard_widget']) && !empty($config['widgets']['sequence'])) - $config['widgets']['sequence'] .= "," . $config['installedpackages']['suricata']['config'][0]['dashboard_widget']; - if (!empty($config['installedpackages']['suricata']['config'][0]['dashboard_widget_rows']) && !empty($config['widgets'])) - $config['widgets']['widget_suricata_display_lines'] = $config['installedpackages']['suricata']['config'][0]['dashboard_widget_rows']; + if (!empty($config['installedpackages']['suricata']['config'][0]['dashboard_widget']) && !empty($config['widgets']['sequence'])) { + if (strpos($config['widgets']['sequence'], "suricata_alerts-container") === FALSE) + $config['widgets']['sequence'] .= "," . $config['installedpackages']['suricata']['config'][0]['dashboard_widget']; + } + if (!empty($config['installedpackages']['suricata']['config'][0]['dashboard_widget_rows']) && !empty($config['widgets'])) { + if (empty($config['widgets']['widget_suricata_display_lines'])) + $config['widgets']['widget_suricata_display_lines'] = $config['installedpackages']['suricata']['config'][0]['dashboard_widget_rows']; + } $rebuild_rules = false; update_output_window(gettext("Finished rebuilding Suricata configuration files...")); @@ -142,14 +184,17 @@ if ($config['installedpackages']['suricata']['config'][0]['forcekeepsettings'] = update_status(gettext("Starting Suricata using rebuilt configuration...")); update_output_window(gettext("Please wait... while Suricata is started...")); log_error(gettext("[Suricata] Starting Suricata using rebuilt configuration...")); - start_service("suricata"); + mwexec_bg("{$rcdir}suricata.sh start"); update_output_window(gettext("Suricata has been started using the rebuilt configuration...")); } } +// Finished with file system mods, so remount it read-only +conf_mount_ro(); + // Update Suricata package version in configuration -$config['installedpackages']['suricata']['config'][0]['suricata_config_ver'] = "v1.0.2"; -write_config(); +$config['installedpackages']['suricata']['config'][0]['suricata_config_ver'] = "2.0"; +write_config("Suricata pkg: updated GUI package version number."); // Done with post-install, so clear flag unset($g['suricata_postinstall']); diff --git a/config/suricata/suricata_rules.php b/config/suricata/suricata_rules.php index 82bb33eb..f9d8fe07 100644 --- a/config/suricata/suricata_rules.php +++ b/config/suricata/suricata_rules.php @@ -41,7 +41,7 @@ require_once("guiconfig.inc"); require_once("/usr/local/pkg/suricata/suricata.inc"); -global $g, $rebuild_rules; +global $g, $config, $rebuild_rules; $suricatadir = SURICATADIR; $rules_map = array(); @@ -107,9 +107,27 @@ $emergingdownload = $config['installedpackages']['suricata']['config'][0]['enabl $etpro = $config['installedpackages']['suricata']['config'][0]['enable_etpro_rules']; $categories = explode("||", $pconfig['rulesets']); -// Add any previously saved rules files to the categories array -if (!empty($pconfig['rulesets'])) - $categories = explode("||", $pconfig['rulesets']); +// Get any automatic rule category enable/disable modifications +// if auto-SID Mgmt is enabled, and adjust the available rulesets +// in the CATEGORY drop-down box as necessary. +$cat_mods = suricata_sid_mgmt_auto_categories($a_rule[$id], FALSE); +foreach ($cat_mods as $k => $v) { + switch ($v) { + case 'disabled': + if (($key = array_search($k, $categories)) !== FALSE) + unset($categories[$key]); + break; + + case 'enabled': + if (!in_array($k, $categories)) + $categories[] = $k; + break; + + default: + break; + } +} + if ($_GET['openruleset']) $currentruleset = htmlspecialchars($_GET['openruleset'], ENT_QUOTES | ENT_HTML401); @@ -148,7 +166,10 @@ if ($currentruleset != 'custom.rules') { $rules_map = suricata_load_rules_map($rulefile); } -/* Load up our enablesid and disablesid arrays with enabled or disabled SIDs */ +/* Process the current category rules through any auto SID MGMT changes if enabled */ +suricata_auto_sid_mgmt($rules_map, $a_rule[$id], FALSE); + +/* Load up our enablesid and disablesid arrays with manually enabled or disabled SIDs */ $enablesid = suricata_load_sid_mods($a_rule[$id]['rule_sid_on']); $disablesid = suricata_load_sid_mods($a_rule[$id]['rule_sid_off']); @@ -159,12 +180,16 @@ if ($_POST['toggle'] && is_numeric($_POST['sid']) && is_numeric($_POST['gid']) & $sid = $_POST['sid']; // See if the target SID is in our list of modified SIDs, - // and toggle it back to default if present; otherwise, + // and toggle it opposite state if present; otherwise, // add it to the appropriate modified SID list. - if (isset($enablesid[$gid][$sid])) + if (isset($enablesid[$gid][$sid])) { unset($enablesid[$gid][$sid]); - elseif (isset($disablesid[$gid][$sid])) + $disablesid[$gid][$sid] = "disablesid"; + } + elseif (isset($disablesid[$gid][$sid])) { unset($disablesid[$gid][$sid]); + $enablesid[$gid][$sid] = "enablesid"; + } else { if ($rules_map[$gid][$sid]['disabled'] == 1) $enablesid[$gid][$sid] = "enablesid"; @@ -198,8 +223,12 @@ if ($_POST['toggle'] && is_numeric($_POST['sid']) && is_numeric($_POST['gid']) & unset($a_rule[$id]['rule_sid_off']); /* Update the config.xml file. */ - write_config(); + write_config("Suricata pkg: modified state for rule {$gid}:{$sid} on {$a_rule[$id]['interface']}."); + // We changed a rule state, remind user to apply the changes + mark_subsystem_dirty('suricata_rules'); + + // Set a scroll-to anchor location $anchor = "rule_{$gid}_{$sid}"; } elseif ($_POST['disable_all'] && !empty($rules_map)) { @@ -238,7 +267,10 @@ elseif ($_POST['disable_all'] && !empty($rules_map)) { else unset($a_rule[$id]['rule_sid_off']); - write_config(); + // We changed a rule state, remind user to apply the changes + mark_subsystem_dirty('suricata_rules'); + + write_config("Suricata pkg: disabled all rules in category {$currentruleset} for {$a_rule[$id]['interface']}."); } elseif ($_POST['enable_all'] && !empty($rules_map)) { @@ -275,7 +307,10 @@ elseif ($_POST['enable_all'] && !empty($rules_map)) { else unset($a_rule[$id]['rule_sid_off']); - write_config(); + // We changed a rule state, remind user to apply the changes + mark_subsystem_dirty('suricata_rules'); + + write_config("Suricata pkg: enable all rules in category {$currentruleset} for {$a_rule[$id]['interface']}."); } elseif ($_POST['resetcategory'] && !empty($rules_map)) { @@ -314,7 +349,10 @@ elseif ($_POST['resetcategory'] && !empty($rules_map)) { else unset($a_rule[$id]['rule_sid_off']); - write_config(); + // We changed a rule state, remind user to apply the changes + mark_subsystem_dirty('suricata_rules'); + + write_config("Suricata pkg: remove enablesid/disablesid changes for category {$currentruleset} on {$a_rule[$id]['interface']}."); } elseif ($_POST['resetall'] && !empty($rules_map)) { @@ -322,19 +360,25 @@ elseif ($_POST['resetall'] && !empty($rules_map)) { unset($a_rule[$id]['rule_sid_on']); unset($a_rule[$id]['rule_sid_off']); + // We changed a rule state, remind user to apply the changes + mark_subsystem_dirty('suricata_rules'); + /* Update the config.xml file. */ - write_config(); + write_config("Suricata pkg: remove all enablesid/disablesid changes for {$a_rule[$id]['interface']}."); } elseif ($_POST['clear']) { unset($a_rule[$id]['customrules']); - write_config(); + write_config("Suricata pkg: clear all custom rules for {$a_rule[$id]['interface']}."); $rebuild_rules = true; + conf_mount_rw(); suricata_generate_yaml($a_rule[$id]); + conf_mount_ro(); $rebuild_rules = false; $pconfig['customrules'] = ''; } elseif ($_POST['cancel']) { $pconfig['customrules'] = base64_decode($a_rule[$id]['customrules']); + clear_subsystem_dirty('suricata_rules'); } elseif ($_POST['save']) { $pconfig['customrules'] = $_POST['customrules']; @@ -342,31 +386,38 @@ elseif ($_POST['save']) { $a_rule[$id]['customrules'] = base64_encode($_POST['customrules']); else unset($a_rule[$id]['customrules']); - write_config(); + write_config("Suricata pkg: save modified custom rules for {$a_rule[$id]['interface']}."); $rebuild_rules = true; + conf_mount_rw(); suricata_generate_yaml($a_rule[$id]); + conf_mount_ro(); $rebuild_rules = false; /* Signal Suricata to "live reload" the rules */ suricata_reload_config($a_rule[$id]); + clear_subsystem_dirty('suricata_rules'); } elseif ($_POST['apply']) { /* Save new configuration */ - write_config(); + write_config("Suricata pkg: new rules configuration for {$a_rule[$id]['interface']}."); /*************************************************/ /* Update the suricata.yaml file and rebuild the */ /* rules for this interface. */ /*************************************************/ $rebuild_rules = true; + conf_mount_rw(); suricata_generate_yaml($a_rule[$id]); + conf_mount_ro(); $rebuild_rules = false; /* Signal Suricata to "live reload" the rules */ suricata_reload_config($a_rule[$id]); + + // We have saved changes and done a soft restart, so clear "dirty" flag + clear_subsystem_dirty('suricata_rules'); } -require_once("guiconfig.inc"); include_once("head.inc"); $if_friendly = convert_friendly_interface_to_friendly_descr($pconfig['interface']); @@ -392,19 +443,27 @@ if ($savemsg) { + +

+" . gettext("Click APPLY when finished to send the changes to the running configuration."));?> + + + '; echo ' diff --git a/config/suricata/suricata_sync.xml b/config/suricata/suricata_sync.xml new file mode 100644 index 00000000..a85a3d63 --- /dev/null +++ b/config/suricata/suricata_sync.xml @@ -0,0 +1,216 @@ + + + + + +. +All rights reserved. +*/ +/* ========================================================================== */ +/* +Redistribution and use in source and binary forms, with or without +modification, are permitted provided that the following conditions are met: + +1. Redistributions of source code MUST retain the above copyright notice, +this list of conditions and the following disclaimer. + +2. Redistributions in binary form MUST reproduce the above copyright +notice, this list of conditions and the following disclaimer in the +documentation and/or other materials provided with the distribution. + +THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, +INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY +AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE +AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, +OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF +SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS +INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN +CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) +ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE +POSSIBILITY OF SUCH DAMAGE. +*/ +/* ========================================================================== */ +]]> + + Describe your package requirements here + Currently there are no FAQ items provided. + suricatasync + 1.0 + Suricata: XMLRPC Sync + /usr/local/pkg/suricata/suricata.inc + + + Interfaces + /suricata/suricata_interfaces.php + + + + Global Settings + /suricata/suricata_global.php + + + + Updates + /suricata/suricata_download_updates.php + + + + Alerts + /suricata/suricata_alerts.php + + + + Blocks + /suricata/suricata_blocked.php + + + + Pass Lists + /suricata/suricata_passlist.php + + + + Suppress + /suricata/suricata_suppress.php + + + + Logs View + /suricata/suricata_logs_browser.php + + + + Logs Mgmt + /suricata/suricata_logs_mgmt.php + + + + SID Mgmt + /suricata/suricata_sid_mgmt.php + + + + Sync + /pkg_edit.php?xml=suricata/suricata_sync.xml + + + + + + + Suricata Package XMLRPC Sync Settings + listtopic + + + Enable Sync + varsynconchanges +
+ Important: While using "Sync to hosts defined below", only sync from host A to B, A to C but do not enable XMLRPC sync to A. This will result in a loop!]]> + select + + disabled + + + + + + + + XMLRPC Timeout + varsynctimeout + + input + 150 + 5 + + + + Refresh Rule Sets + vardownloadrules +
+ During each Suricata package sync operation, ask the target remote host to check for + a new set of posted rule sets files and refresh the local copies if necessary. The default is + to refresh the files if newer versions have been posted.

+ Note: The sync process will wait for the rules download and rebuild to finish on the target remote host before returning.]]> + select + yes + + + + + + + + Replication Targets + none + rowhelper + + + Enable + varsyncdestinenable + + checkbox + + + Protocol + varsyncprotocol + http or https]]> + select + HTTP + + + + + + + IP-Address + varsyncipaddress + + input + 15 + + + Port + varsyncport + + input + 3 + + + Admin Password + varsyncpassword + + password + 20 + + + Start Suricata + varsyncsuricatastart + + checkbox + ON + + + + + + + + write_config("Suricata pkg: updating CARP sync info.");suricata_sync_on_changes(); + + diff --git a/config/suricata/suricata_uninstall.php b/config/suricata/suricata_uninstall.php index 2a82e473..280e2394 100644 --- a/config/suricata/suricata_uninstall.php +++ b/config/suricata/suricata_uninstall.php @@ -44,6 +44,8 @@ global $config, $g; $suricatadir = SURICATADIR; $suricatalogdir = SURICATALOGDIR; +$sidmodspath = SID_MODS_PATH; +$iprep_path = IPREP_PATH; $rcdir = RCFILEPREFIX; $suricata_rules_upd_log = RULES_UPD_LOGFILE; $suri_pf_table = SURICATA_PF_TABLE; @@ -71,9 +73,9 @@ sleep(1); unlink_if_exists("{$g['varrun_path']}/barnyard2_*.pid"); /* Remove the Suricata cron jobs. */ -install_cron_job("/usr/bin/nice -n20 /usr/local/bin/php -f /usr/local/www/suricata/suricata_check_for_rule_updates.php", false); -install_cron_job("/usr/bin/nice -n20 /usr/local/bin/php -f /usr/local/pkg/suricata/suricata_check_cron_misc.inc", false); -install_cron_job("pfctl -t {$suri_pf_table} -T expire" , false); +install_cron_job("suricata_check_for_rule_updates.php", false); +install_cron_job("suricata_check_cron_misc.inc", false); +install_cron_job("{$suri_pf_table}" , false); /* See if we are to keep Suricata log files on uninstall */ if ($config['installedpackages']['suricata']['config'][0]['clearlogs'] == 'on') { @@ -82,6 +84,9 @@ if ($config['installedpackages']['suricata']['config'][0]['clearlogs'] == 'on') mwexec("/bin/rm -rf {$suricatalogdir}"); } +// Mount filesystem read-write to remove our files +conf_mount_rw(); + /* Remove the Suricata GUI app directories */ mwexec("/bin/rm -rf /usr/local/pkg/suricata"); mwexec("/bin/rm -rf /usr/local/www/suricata"); @@ -105,12 +110,15 @@ if (!empty($widgets)) { } } $config['widgets']['sequence'] = implode(",", $widgetlist); - write_config(); + write_config("Suricata pkg: remove Suricata Dashboard Widget on package deinstall."); } @unlink("/usr/local/www/widgets/include/widget-suricata.inc"); @unlink("/usr/local/www/widgets/widgets/suricata_alerts.widget.php"); @unlink("/usr/local/www/widgets/javascript/suricata_alerts.js"); +// Finished with filesystem mods so remount it read-only +conf_mount_ro(); + /* Keep this as a last step */ if ($config['installedpackages']['suricata']['config'][0]['forcekeepsettings'] != 'on') { log_error(gettext("Not saving settings... all Suricata configuration info and logs deleted...")); @@ -118,6 +126,8 @@ if ($config['installedpackages']['suricata']['config'][0]['forcekeepsettings'] ! unset($config['installedpackages']['suricatasync']); @unlink("{$suricata_rules_upd_log}"); mwexec("/bin/rm -rf {$suricatalogdir}"); + mwexec("/bin/rm -rf {$sidmodspath}"); + mwexec("/bin/rm -rf {$iprep_path}"); log_error(gettext("[Suricata] The package has been removed from this system...")); } diff --git a/config/suricata/suricata_yaml_template.inc b/config/suricata/suricata_yaml_template.inc index 44fd1d5f..e75a1148 100644 --- a/config/suricata/suricata_yaml_template.inc +++ b/config/suricata/suricata_yaml_template.inc @@ -15,6 +15,10 @@ max-pending-packets: {$max_pend_pkts} # Runmode the engine should use. runmode: autofp +# If set to auto, the variable is internally switched to 'router' in IPS +# mode and 'sniffer-only' in IDS mode. +host-mode: auto + # Specifies the kind of flow load balancer used by the flow pinned autofp mode. autofp-scheduler: active-packets @@ -55,9 +59,7 @@ outputs: enabled: {$http_log_enabled} filename: http.log append: {$http_log_append} - #extended: yes # enable this for extended logging information - #custom: yes # enabled the custom logging format (defined by customformat) - #customformat: "%{%D-%H:%M:%S}t.%z %{X-Forwarded-For}i %H %m %h %u %s %B %a:%p -> %A:%P" + extended: {$http_log_extended} filetype: regular - pcap-log: @@ -82,8 +84,8 @@ outputs: - syslog: enabled: {$alert_syslog} identity: suricata - facility: auth - level: Info + facility: {$alert_syslog_facility} + level: {$alert_syslog_priority} - drop: enabled: no @@ -94,8 +96,8 @@ outputs: - file-store: enabled: {$file_store_enabled} log-dir: files - force-magic: no - force-md5: no + force-magic: {$json_log_magic} + force-md5: {$json_log_md5} waldo: file.waldo - file-log: @@ -106,6 +108,21 @@ outputs: force-magic: {$json_log_magic} force-md5: {$json_log_md5} + - dns-log: + enabled: {$dns_log_enabled} + filename: dns.log + append: {$dns_log_append} + filetype: regular + + - eve-log: + enabled: {$enable_eve_log} + type: {$eve_output_type} + filename: eve.json + identity: "suricata" + facility: {$eve_systemlog_facility} + level: {$eve_systemlog_priority} + types: {$eve_out_types} + # Magic file. The extension .mgc is added to the value here. magic-file: /usr/share/misc/magic @@ -233,7 +250,7 @@ logging: filename: {$suricatalogdir}suricata_{$if_real}{$suricata_uuid}/suricata.log - syslog: enabled: {$suricata_use_syslog} - facility: auth + facility: {$suricata_use_syslog_facility} format: "[%i] <%d> -- " pcap: @@ -276,8 +293,8 @@ action-order: - alert # IP Reputation -#reputation-categories-file: {$suricatacfgdir}/iprep/categories.txt -#default-reputation-path: {$suricatacfgdir}/iprep +#reputation-categories-file: {$iprep_path}/categories.txt +#default-reputation-path: {$iprep_path} #reputation-files: # - reputation.list @@ -293,6 +310,47 @@ pcre: match-limit: 3500 match-limit-recursion: 1500 +# Holds details on the app-layer. The protocols section details each protocol. +app-layer: + protocols: + tls: + enabled: {$tls_parser} + detection-ports: + dp: 443 + #no-reassemble: yes + dcerpc: + enabled: {$dcerpc_parser} + ftp: + enabled: {$ftp_parser} + ssh: + enabled: {$ssh_parser} + smtp: + enabled: {$smtp_parser} + imap: + enabled: {$imap_parser} + msn: + enabled: {$msn_parser} + smb: + enabled: {$smb_parser} + detection-ports: + dp: 139 + dns: + global-memcap: {$dns_global_memcap} + state-memcap: {$dns_state_memcap} + request-flood: {$dns_request_flood_limit} + + tcp: + enabled: {$dns_parser_tcp} + detection-ports: + dp: 53 + udp: + enabled: {$dns_parser_udp} + detection-ports: + dp: 53 + http: + enabled: {$http_parser} + memcap: {$http_parser_memcap} + ########################################################################### # Configure libhtp. libhtp: -- cgit v1.2.3 From c6c37ebc83e934fbdddae369435d7b92b94adb14 Mon Sep 17 00:00:00 2001 From: bmeeks8 Date: Wed, 27 Aug 2014 11:07:32 -0400 Subject: Add missing comma between values in array declaration. --- config/suricata/suricata_check_cron_misc.inc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'config') diff --git a/config/suricata/suricata_check_cron_misc.inc b/config/suricata/suricata_check_cron_misc.inc index a488d9a9..70394a23 100644 --- a/config/suricata/suricata_check_cron_misc.inc +++ b/config/suricata/suricata_check_cron_misc.inc @@ -72,7 +72,7 @@ function suricata_check_dir_size_limit($suricataloglimitsize) { } // Initialize an array of the log files we want to prune - $logs = array ( "alerts.log", "block.log", "dns.log", "eve.json", "http.log", "files-json.log", "sid_changes.log" "stats.log", "tls.log" ); + $logs = array ( "alerts.log", "block.log", "dns.log", "eve.json", "http.log", "files-json.log", "sid_changes.log", "stats.log", "tls.log" ); // Clean-up the logs for each configured Suricata instance foreach ($config['installedpackages']['suricata']['rule'] as $value) { -- cgit v1.2.3 From 0d2f8f00a6a442f5672e5fe8f62a1f4d21da6a9b Mon Sep 17 00:00:00 2001 From: bmeeks8 Date: Wed, 27 Aug 2014 13:38:41 -0400 Subject: Improve security handling provided filename values. --- config/suricata/suricata_sid_mgmt.php | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) (limited to 'config') diff --git a/config/suricata/suricata_sid_mgmt.php b/config/suricata/suricata_sid_mgmt.php index 07a09178..c69a9fcd 100644 --- a/config/suricata/suricata_sid_mgmt.php +++ b/config/suricata/suricata_sid_mgmt.php @@ -96,7 +96,7 @@ function suricata_is_sidmodslist_active($sidlist) { if (isset($_POST['upload'])) { if ($_FILES["sidmods_fileup"]["error"] == UPLOAD_ERR_OK) { $tmp_name = $_FILES["sidmods_fileup"]["tmp_name"]; - $name = $_FILES["sidmods_fileup"]["name"]; + $name = basename($_FILES["sidmods_fileup"]["name"]); move_uploaded_file($tmp_name, "{$sidmods_path}{$name}"); } else @@ -104,8 +104,8 @@ if (isset($_POST['upload'])) { } if (isset($_POST['sidlist_delete']) && isset($_POST['sidlist_fname'])) { - if (!suricata_is_sidmodslist_active($_POST['sidlist_fname'])) - unlink_if_exists("{$sidmods_path}{$_POST['sidlist_fname']}"); + if (!suricata_is_sidmodslist_active(basename($_POST['sidlist_fname']))) + unlink_if_exists($sidmods_path . basename($_POST['sidlist_fname'])); else $input_errors[] = gettext("This SID Mods List is currently assigned to an interface and cannot be deleted."); } -- cgit v1.2.3 From ce07b15de33b4847df5498f9bbae93e2b1e893ca Mon Sep 17 00:00:00 2001 From: bmeeks8 Date: Wed, 27 Aug 2014 18:15:44 -0400 Subject: Improve HOME_NET and EXTERNAL_NET variable generation. --- config/suricata/suricata.inc | 36 ++++++++++++++++------------ config/suricata/suricata_generate_yaml.php | 6 ++--- config/suricata/suricata_interfaces_edit.php | 6 ++++- config/suricata/suricata_list_view.php | 5 ++++ 4 files changed, 34 insertions(+), 19 deletions(-) (limited to 'config') diff --git a/config/suricata/suricata.inc b/config/suricata/suricata.inc index 2626f70a..59c620b4 100644 --- a/config/suricata/suricata.inc +++ b/config/suricata/suricata.inc @@ -257,7 +257,7 @@ function suricata_find_list($find_name, $type = 'passlist') { return array(); } -function suricata_build_list($suricatacfg, $listname = "", $passlist = false) { +function suricata_build_list($suricatacfg, $listname = "", $passlist = false, $externallist = false) { /***********************************************************/ /* The default is to build a HOME_NET variable unless */ @@ -267,9 +267,13 @@ function suricata_build_list($suricatacfg, $listname = "", $passlist = false) { global $config, $g, $aliastable, $filterdns; $home_net = array(); - if ($listname == 'default' || empty($listname)) { + if (!$externallist && ($listname == 'default' || empty($listname))) { $localnet = 'yes'; $wanip = 'yes'; $wangw = 'yes'; $wandns = 'yes'; $vips = 'yes'; $vpns = 'yes'; - } else { + } + elseif ($externallist && $listname == 'default') { + return array( "any" ); + } + else { $list = suricata_find_list($listname); if (empty($list)) return $list; @@ -283,11 +287,13 @@ function suricata_build_list($suricatacfg, $listname = "", $passlist = false) { $home_net = explode(" ", trim(filter_expand_alias($list['address']))); } - // Always add loopback to HOME_NET and passlist (ftphelper) - if (!in_array("127.0.0.1", $home_net)) - $home_net[] = "127.0.0.1"; - if (!in_array("::1", $home_net)) - $home_net[] = "::1"; + // Always add loopback to HOME_NET and passlist + if (!externallist) { + if (!in_array("127.0.0.1", $home_net)) + $home_net[] = "127.0.0.1"; + if (!in_array("::1", $home_net)) + $home_net[] = "::1"; + } /********************************************************************/ /* Always put the interface running Suricata in HOME_NET and */ @@ -298,7 +304,7 @@ function suricata_build_list($suricatacfg, $listname = "", $passlist = false) { /* IP for Suricata, though, to prevent locking out the firewall. */ /********************************************************************/ $suricataip = get_interface_ip($suricatacfg['interface']); - if (!$passlist || $localnet == 'yes' || empty($localnet)) { + if (($externallist && $localnet == 'yes') || (!externallist && (!$passlist || $localnet == 'yes' || empty($localnet)))) { if (is_ipaddr($suricataip)) { if ($suricatacfg['interface'] <> "wan") { $sn = get_interface_subnet($suricatacfg['interface']); @@ -308,7 +314,7 @@ function suricata_build_list($suricatacfg, $listname = "", $passlist = false) { } } } - else { + elseif (!externallist && $localnet != 'yes') { if (is_ipaddr($suricataip)) { if (!in_array($suricataip, $home_net)) $home_net[] = $suricataip; @@ -319,7 +325,7 @@ function suricata_build_list($suricatacfg, $listname = "", $passlist = false) { // Trim off the interface designation (e.g., %em1) if present if (strpos($suricataip, "%") !== FALSE) $suricataip = substr($suricataip, 0, strpos($suricataip, "%")); - if (!$passlist || $localnet == 'yes' || empty($localnet)) { + if (($externallist && $localnet == 'yes') || (!externallist && (!$passlist || $localnet == 'yes' || empty($localnet)))) { if (is_ipaddrv6($suricataip)) { if ($suricatacfg['interface'] <> "wan") { $sn = get_interface_subnetv6($suricatacfg['interface']); @@ -329,16 +335,16 @@ function suricata_build_list($suricatacfg, $listname = "", $passlist = false) { } } } - else { + elseif (!externallist && $localnet != 'yes') { if (is_ipaddrv6($suricataip)) { if (!in_array($suricataip, $home_net)) $home_net[] = $suricataip; } } - // Add link-local address + // Add link-local address if user included locally-attached networks $suricataip = get_interface_linklocal($suricatacfg['interface']); - if (!empty($suricataip)) { + if (!empty($suricataip) && $localnet == 'yes') { // Trim off the interface designation (e.g., %em1) if present if (strpos($suricataip, "%") !== FALSE) $suricataip = substr($suricataip, 0, strpos($suricataip, "%")); @@ -346,7 +352,7 @@ function suricata_build_list($suricatacfg, $listname = "", $passlist = false) { $home_net[] = $suricataip; } - if (!$passlist || $localnet == 'yes' || empty($localnet)) { + if (($externallist && $localnet == 'yes') || (!externallist && (!$passlist || $localnet == 'yes' || empty($localnet)))) { /*************************************************************************/ /* Iterate through the interface list and write out pass list items and */ /* also compile a HOME_NET list of all local interfaces for suricata. */ diff --git a/config/suricata/suricata_generate_yaml.php b/config/suricata/suricata_generate_yaml.php index 91dc06a5..05d6dea8 100644 --- a/config/suricata/suricata_generate_yaml.php +++ b/config/suricata/suricata_generate_yaml.php @@ -68,11 +68,11 @@ foreach ($suricata_files as $file) { $home_net_list = suricata_build_list($suricatacfg, $suricatacfg['homelistname']); $home_net = implode(",", $home_net_list); $home_net = trim($home_net); -$external_net = '!$HOME_NET'; +$external_net = 'any'; if (!empty($suricatacfg['externallistname']) && $suricatacfg['externallistname'] != 'default') { - $external_net_list = suricata_build_list($suricatacfg, $suricatacfg['externallistname']); + $external_net_list = suricata_build_list($suricatacfg, $suricatacfg['externallistname'], false, true); $external_net = implode(",", $external_net_list); - $external_net = trim($external_net); + $external_net = '[' . trim($external_net) . ']'; } // Set the PASS LIST and write its contents to disk diff --git a/config/suricata/suricata_interfaces_edit.php b/config/suricata/suricata_interfaces_edit.php index 1bef338a..55c97efc 100644 --- a/config/suricata/suricata_interfaces_edit.php +++ b/config/suricata/suricata_interfaces_edit.php @@ -937,7 +937,11 @@ if ($savemsg) { } } ?> -    + +      "/> +
 

  Date: Wed, 27 Aug 2014 20:22:48 -0400 Subject: Fix missing $ sign in front of variable name. --- config/suricata/suricata.inc | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) (limited to 'config') diff --git a/config/suricata/suricata.inc b/config/suricata/suricata.inc index 59c620b4..25321ddc 100644 --- a/config/suricata/suricata.inc +++ b/config/suricata/suricata.inc @@ -288,7 +288,7 @@ function suricata_build_list($suricatacfg, $listname = "", $passlist = false, $e } // Always add loopback to HOME_NET and passlist - if (!externallist) { + if (!$externallist) { if (!in_array("127.0.0.1", $home_net)) $home_net[] = "127.0.0.1"; if (!in_array("::1", $home_net)) @@ -314,7 +314,7 @@ function suricata_build_list($suricatacfg, $listname = "", $passlist = false, $e } } } - elseif (!externallist && $localnet != 'yes') { + elseif (!$externallist && $localnet != 'yes') { if (is_ipaddr($suricataip)) { if (!in_array($suricataip, $home_net)) $home_net[] = $suricataip; @@ -325,7 +325,7 @@ function suricata_build_list($suricatacfg, $listname = "", $passlist = false, $e // Trim off the interface designation (e.g., %em1) if present if (strpos($suricataip, "%") !== FALSE) $suricataip = substr($suricataip, 0, strpos($suricataip, "%")); - if (($externallist && $localnet == 'yes') || (!externallist && (!$passlist || $localnet == 'yes' || empty($localnet)))) { + if (($externallist && $localnet == 'yes') || (!$externallist && (!$passlist || $localnet == 'yes' || empty($localnet)))) { if (is_ipaddrv6($suricataip)) { if ($suricatacfg['interface'] <> "wan") { $sn = get_interface_subnetv6($suricatacfg['interface']); @@ -335,7 +335,7 @@ function suricata_build_list($suricatacfg, $listname = "", $passlist = false, $e } } } - elseif (!externallist && $localnet != 'yes') { + elseif (!$externallist && $localnet != 'yes') { if (is_ipaddrv6($suricataip)) { if (!in_array($suricataip, $home_net)) $home_net[] = $suricataip; @@ -352,7 +352,7 @@ function suricata_build_list($suricatacfg, $listname = "", $passlist = false, $e $home_net[] = $suricataip; } - if (($externallist && $localnet == 'yes') || (!externallist && (!$passlist || $localnet == 'yes' || empty($localnet)))) { + if (($$externallist && $localnet == 'yes') || (!$externallist && (!$passlist || $localnet == 'yes' || empty($localnet)))) { /*************************************************************************/ /* Iterate through the interface list and write out pass list items and */ /* also compile a HOME_NET list of all local interfaces for suricata. */ -- cgit v1.2.3 From 31359294a2566f2717b7431d393e92b900017476 Mon Sep 17 00:00:00 2001 From: bmeeks8 Date: Fri, 29 Aug 2014 01:04:45 -0400 Subject: Fix another missed $ symbol in variable name. --- config/suricata/suricata.inc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'config') diff --git a/config/suricata/suricata.inc b/config/suricata/suricata.inc index 25321ddc..5a490f01 100644 --- a/config/suricata/suricata.inc +++ b/config/suricata/suricata.inc @@ -304,7 +304,7 @@ function suricata_build_list($suricatacfg, $listname = "", $passlist = false, $e /* IP for Suricata, though, to prevent locking out the firewall. */ /********************************************************************/ $suricataip = get_interface_ip($suricatacfg['interface']); - if (($externallist && $localnet == 'yes') || (!externallist && (!$passlist || $localnet == 'yes' || empty($localnet)))) { + if (($externallist && $localnet == 'yes') || (!$externallist && (!$passlist || $localnet == 'yes' || empty($localnet)))) { if (is_ipaddr($suricataip)) { if ($suricatacfg['interface'] <> "wan") { $sn = get_interface_subnet($suricatacfg['interface']); -- cgit v1.2.3 From a23e600747047c0b94e0680141562f51d1f13f1f Mon Sep 17 00:00:00 2001 From: bmeeks8 Date: Fri, 29 Aug 2014 01:24:51 -0400 Subject: Revert $EXTERNAL_NET back to !$HOME_NET for now. --- config/suricata/suricata.inc | 2 +- config/suricata/suricata_generate_yaml.php | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) (limited to 'config') diff --git a/config/suricata/suricata.inc b/config/suricata/suricata.inc index 5a490f01..14b9ecd4 100644 --- a/config/suricata/suricata.inc +++ b/config/suricata/suricata.inc @@ -271,7 +271,7 @@ function suricata_build_list($suricatacfg, $listname = "", $passlist = false, $e $localnet = 'yes'; $wanip = 'yes'; $wangw = 'yes'; $wandns = 'yes'; $vips = 'yes'; $vpns = 'yes'; } elseif ($externallist && $listname == 'default') { - return array( "any" ); + return array( "!\$HOME_NET" ); } else { $list = suricata_find_list($listname); diff --git a/config/suricata/suricata_generate_yaml.php b/config/suricata/suricata_generate_yaml.php index 05d6dea8..7c0a7bdd 100644 --- a/config/suricata/suricata_generate_yaml.php +++ b/config/suricata/suricata_generate_yaml.php @@ -68,7 +68,7 @@ foreach ($suricata_files as $file) { $home_net_list = suricata_build_list($suricatacfg, $suricatacfg['homelistname']); $home_net = implode(",", $home_net_list); $home_net = trim($home_net); -$external_net = 'any'; +$external_net = '!$HOME_NET'; if (!empty($suricatacfg['externallistname']) && $suricatacfg['externallistname'] != 'default') { $external_net_list = suricata_build_list($suricatacfg, $suricatacfg['externallistname'], false, true); $external_net = implode(",", $external_net_list); -- cgit v1.2.3 From 93b31c59eaa2dbde1720fa85ee42c53b46db2cab Mon Sep 17 00:00:00 2001 From: bmeeks8 Date: Sat, 30 Aug 2014 12:22:42 -0400 Subject: Suricata prefers CIDR masks on HOME_NET and EXTERNAL_NET addresses. --- config/suricata/suricata.inc | 70 +++++++++++++++--------------- config/suricata/suricata_generate_yaml.php | 10 ++++- config/suricata/suricata_list_view.php | 15 +++++-- 3 files changed, 56 insertions(+), 39 deletions(-) (limited to 'config') diff --git a/config/suricata/suricata.inc b/config/suricata/suricata.inc index 14b9ecd4..ca4ade1c 100644 --- a/config/suricata/suricata.inc +++ b/config/suricata/suricata.inc @@ -270,9 +270,6 @@ function suricata_build_list($suricatacfg, $listname = "", $passlist = false, $e if (!$externallist && ($listname == 'default' || empty($listname))) { $localnet = 'yes'; $wanip = 'yes'; $wangw = 'yes'; $wandns = 'yes'; $vips = 'yes'; $vpns = 'yes'; } - elseif ($externallist && $listname == 'default') { - return array( "!\$HOME_NET" ); - } else { $list = suricata_find_list($listname); if (empty($list)) @@ -289,10 +286,10 @@ function suricata_build_list($suricatacfg, $listname = "", $passlist = false, $e // Always add loopback to HOME_NET and passlist if (!$externallist) { - if (!in_array("127.0.0.1", $home_net)) - $home_net[] = "127.0.0.1"; - if (!in_array("::1", $home_net)) - $home_net[] = "::1"; + if (!in_array("127.0.0.1/32", $home_net)) + $home_net[] = "127.0.0.1/32"; + if (!in_array("::1/128", $home_net)) + $home_net[] = "::1/128"; } /********************************************************************/ @@ -305,7 +302,7 @@ function suricata_build_list($suricatacfg, $listname = "", $passlist = false, $e /********************************************************************/ $suricataip = get_interface_ip($suricatacfg['interface']); if (($externallist && $localnet == 'yes') || (!$externallist && (!$passlist || $localnet == 'yes' || empty($localnet)))) { - if (is_ipaddr($suricataip)) { + if (is_ipaddrv4($suricataip)) { if ($suricatacfg['interface'] <> "wan") { $sn = get_interface_subnet($suricatacfg['interface']); $ip = gen_subnet($suricataip, $sn) . "/{$sn}"; @@ -315,12 +312,13 @@ function suricata_build_list($suricatacfg, $listname = "", $passlist = false, $e } } elseif (!$externallist && $localnet != 'yes') { - if (is_ipaddr($suricataip)) { - if (!in_array($suricataip, $home_net)) - $home_net[] = $suricataip; + if (is_ipaddrv4($suricataip)) { + if (!in_array($suricataip . "/32", $home_net)) + $home_net[] = $suricataip . "/32"; } } + // Grab the IPv6 address if we have one assigned $suricataip = get_interface_ipv6($suricatacfg['interface']); // Trim off the interface designation (e.g., %em1) if present if (strpos($suricataip, "%") !== FALSE) @@ -337,8 +335,8 @@ function suricata_build_list($suricatacfg, $listname = "", $passlist = false, $e } elseif (!$externallist && $localnet != 'yes') { if (is_ipaddrv6($suricataip)) { - if (!in_array($suricataip, $home_net)) - $home_net[] = $suricataip; + if (!in_array($suricataip . "/128", $home_net)) + $home_net[] = $suricataip . "/128"; } } @@ -348,8 +346,8 @@ function suricata_build_list($suricatacfg, $listname = "", $passlist = false, $e // Trim off the interface designation (e.g., %em1) if present if (strpos($suricataip, "%") !== FALSE) $suricataip = substr($suricataip, 0, strpos($suricataip, "%")); - if (!in_array($suricataip, $home_net)) - $home_net[] = $suricataip; + if (!in_array($suricataip . "/128", $home_net)) + $home_net[] = $suricataip . "/128"; } if (($$externallist && $localnet == 'yes') || (!$externallist && (!$passlist || $localnet == 'yes' || empty($localnet)))) { @@ -364,7 +362,7 @@ function suricata_build_list($suricatacfg, $listname = "", $passlist = false, $e if ($int == "wan") continue; $subnet = get_interface_ip($int); - if (is_ipaddr($subnet)) { + if (is_ipaddrv4($subnet)) { $sn = get_interface_subnet($int); $ip = gen_subnet($subnet, $sn) . "/{$sn}"; if (!in_array($ip, $home_net)) @@ -388,25 +386,25 @@ function suricata_build_list($suricatacfg, $listname = "", $passlist = false, $e // Trim off the interface designation (e.g., %em1) if present if (strpos($suricataip, "%") !== FALSE) $suricataip = substr($suricataip, 0, strpos($suricataip, "%")); - if (!in_array($suricataip, $home_net)) - $home_net[] = $suricataip; + if (!in_array($suricataip . "/128", $home_net)) + $home_net[] = $suricataip . "/128"; } } } if ($wanip == 'yes') { $ip = get_interface_ip("wan"); - if (is_ipaddr($ip)) { - if (!in_array($ip, $home_net)) - $home_net[] = $ip; + if (is_ipaddrv4($ip)) { + if (!in_array($ip . "/32", $home_net)) + $home_net[] = $ip . "/32"; } $ip = get_interface_ipv6("wan"); // Trim off the interface designation (e.g., %em1) if present if (strpos($ip, "%") !== FALSE) $ip = substr($ip, 0, strpos($ip, "%")); if (is_ipaddrv6($ip)) { - if (!in_array($ip, $home_net)) - $home_net[] = $ip; + if (!in_array($ip . "/128", $home_net)) + $home_net[] = $ip . "/128"; } // Explicitly grab the WAN Link-Local address $ip = get_interface_linklocal("wan"); @@ -414,35 +412,39 @@ function suricata_build_list($suricatacfg, $listname = "", $passlist = false, $e // Trim off the interface designation (e.g., %em1) if present if (strpos($ip, "%") !== FALSE) $ip = substr($ip, 0, strpos($ip, "%")); - if (!in_array($ip, $home_net)) - $home_net[] = $ip; + if (!in_array($ip . "/128", $home_net)) + $home_net[] = $ip . "/128"; } } if ($wangw == 'yes') { // Grab the default gateway if set $default_gw = exec("/sbin/route -n get default |grep 'gateway:' | /usr/bin/awk '{ print $2 }'"); - if (is_ipaddr($default_gw) && !in_array($default_gw, $home_net)) - $home_net[] = $default_gw; - if (is_ipaddrv6($default_gw) && !in_array($default_gw, $home_net)) - $home_net[] = $default_gw; + if (is_ipaddrv4($default_gw) && !in_array($default_gw . "/32", $home_net)) + $home_net[] = $default_gw . "/32"; + if (is_ipaddrv6($default_gw) && !in_array($default_gw . "/128", $home_net)) + $home_net[] = $default_gw . "/128"; // Get any other interface gateway and put in $HOME_NET if not there already $gw = get_interface_gateway($suricatacfg['interface']); - if (is_ipaddr($gw) && !in_array($gw, $home_net)) - $home_net[] = $gw; + if (is_ipaddrv4($gw) && !in_array($gw . "/32", $home_net)) + $home_net[] = $gw . "/32"; $gw = get_interface_gateway_v6($suricatacfg['interface']); // Trim off the interface designation (e.g., %em1) if present if (strpos($gw, "%") !== FALSE) $gw = substr($gw, 0, strpos($gw, "%")); - if (is_ipaddrv6($gw) && !in_array($gw, $home_net)) - $home_net[] = $gw; + if (is_ipaddrv6($gw) && !in_array($gw . "/128", $home_net)) + $home_net[] = $gw . "/128"; } if ($wandns == 'yes') { // Add DNS server for WAN interface to Pass List $dns_servers = get_dns_servers(); foreach ($dns_servers as $dns) { + if (is_ipaddrv4($dns)) + $dns .= "/32"; + elseif (is_addrv6($dns)) + $dns .= "/128"; if ($dns && !in_array($dns, $home_net)) $home_net[] = $dns; } @@ -460,7 +462,7 @@ function suricata_build_list($suricatacfg, $listname = "", $passlist = false, $e } } - // grab a list of vpns and whitelist if user desires + // Grab a list of vpns enabled - these come back as CIDR mask networks if ($vpns == 'yes') { $vpns_list = filter_get_vpns_list(); if (!empty($vpns_list)) { diff --git a/config/suricata/suricata_generate_yaml.php b/config/suricata/suricata_generate_yaml.php index 7c0a7bdd..0715471d 100644 --- a/config/suricata/suricata_generate_yaml.php +++ b/config/suricata/suricata_generate_yaml.php @@ -68,11 +68,17 @@ foreach ($suricata_files as $file) { $home_net_list = suricata_build_list($suricatacfg, $suricatacfg['homelistname']); $home_net = implode(",", $home_net_list); $home_net = trim($home_net); -$external_net = '!$HOME_NET'; +$external_net = ""; if (!empty($suricatacfg['externallistname']) && $suricatacfg['externallistname'] != 'default') { $external_net_list = suricata_build_list($suricatacfg, $suricatacfg['externallistname'], false, true); $external_net = implode(",", $external_net_list); - $external_net = '[' . trim($external_net) . ']'; + $external_net = "[" . trim($external_net) . "]"; +} +else { + $external_net = "["; + foreach ($home_net_list as $ip) + $external_net .= "!{$ip},"; + $external_net = trim($external_net, ', ') . "]"; } // Set the PASS LIST and write its contents to disk diff --git a/config/suricata/suricata_list_view.php b/config/suricata/suricata_list_view.php index dc5a2b04..ec335abd 100644 --- a/config/suricata/suricata_list_view.php +++ b/config/suricata/suricata_list_view.php @@ -42,7 +42,7 @@ $type = htmlspecialchars($_GET['type']); $title = "List"; if (isset($id) && isset($wlist)) { - $a_rule = $config['installedpackages']['suricataglobal']['rule'][$id]; + $a_rule = $config['installedpackages']['suricata']['rule'][$id]; if ($type == "homenet") { $list = suricata_build_list($a_rule, $wlist); $contents = implode("\n", $list); @@ -59,8 +59,17 @@ if (isset($id) && isset($wlist)) { $title = "Suppress List"; } elseif ($type == "externalnet") { - $list = suricata_build_list($a_rule, $wlist, false, true); - $contents = implode("\n", $list); + if ($wlist == "default") { + $list = suricata_build_list($a_rule, $a_rule['homelistname']); + $contents = ""; + foreach ($list as $ip) + $contents .= "!{$ip}\n"; + $contents = trim($contents, "\n"); + } + else { + $list = suricata_build_list($a_rule, $wlist, false, true); + $contents = implode("\n", $list); + } $title = "EXTERNAL_NET"; } else -- cgit v1.2.3 From 56f7c116d00eea10ef796ac41c477330a4d1daac Mon Sep 17 00:00:00 2001 From: bmeeks8 Date: Mon, 1 Sep 2014 16:27:09 -0400 Subject: Include new 'dns-events.rules' file for Suricata 2.0.3 --- config/suricata/dns-events.rules | 15 +++++++++++++++ config/suricata/suricata.xml | 5 +++++ config/suricata/suricata_check_for_rule_updates.php | 2 +- config/suricata/suricata_interfaces_edit.php | 2 +- config/suricata/suricata_migrate_config.php | 8 ++++++++ config/suricata/suricata_post_install.php | 5 +++++ config/suricata/suricata_rulesets.php | 2 +- 7 files changed, 36 insertions(+), 3 deletions(-) create mode 100644 config/suricata/dns-events.rules (limited to 'config') diff --git a/config/suricata/dns-events.rules b/config/suricata/dns-events.rules new file mode 100644 index 00000000..693f2f1b --- /dev/null +++ b/config/suricata/dns-events.rules @@ -0,0 +1,15 @@ +# Response (answer) we didn't see a Request for. Could be packet loss. +alert dns any any -> any any (msg:"SURICATA DNS Unsollicited response"; flow:to_client; app-layer-event:dns.unsollicited_response; sid:2240001; rev:1;) +# Malformed data in request. Malformed means length fields are wrong, etc. +alert dns any any -> any any (msg:"SURICATA DNS malformed request data"; flow:to_client; app-layer-event:dns.malformed_data; sid:2240002; rev:1;) +alert dns any any -> any any (msg:"SURICATA DNS malformed response data"; flow:to_server; app-layer-event:dns.malformed_data; sid:2240003; rev:1;) +# Response flag set on to_server packet +alert dns any any -> any any (msg:"SURICATA DNS Not a request"; flow:to_server; app-layer-event:dns.not_a_request; sid:2240004; rev:1;) +# Response flag not set on to_client packet +alert dns any any -> any any (msg:"SURICATA DNS Not a response"; flow:to_client; app-layer-event:dns.not_a_response; sid:2240005; rev:1;) +# Z flag (reserved) not 0 +alert dns any any -> any any (msg:"SURICATA DNS Z flag set"; app-layer-event:dns.z_flag_set; sid:2240006; rev:1;) +# Request Flood Detected +alert dns any any -> any any (msg:"SURICATA DNS request flood detected"; flow:to_server; app-layer-event:dns.flooded; sid:2240007; rev:1;) +# Per-flow (state) memcap reached. Relates to the app-layer.protocols.dns.state-memcap setting. +alert dns any any -> any any (msg:"SURICATA DNS flow memcap reached"; flow:to_server; app-layer-event:dns.state_memcap_reached; sid:2240008; rev:2;) diff --git a/config/suricata/suricata.xml b/config/suricata/suricata.xml index d5ea59ad..f9bbd379 100644 --- a/config/suricata/suricata.xml +++ b/config/suricata/suricata.xml @@ -107,6 +107,11 @@ /usr/local/pkg/suricata/ 0755 + + https://packages.pfsense.org/packages/config/suricata/dns-events.rules + /usr/local/pkg/suricata/ + 0755 + https://packages.pfsense.org/packages/config/suricata/suricata_download_updates.php /usr/local/www/suricata/ diff --git a/config/suricata/suricata_check_for_rule_updates.php b/config/suricata/suricata_check_for_rule_updates.php index 5e977f36..6a3e51f7 100644 --- a/config/suricata/suricata_check_for_rule_updates.php +++ b/config/suricata/suricata_check_for_rule_updates.php @@ -486,7 +486,7 @@ if ($emergingthreats == 'on') { // The code below renames ET files with a prefix, so we // skip renaming the Suricata default events rule files // that are also bundled in the ET rules. - $default_rules = array( "decoder-events.rules", "files.rules", "http-events.rules", "smtp-events.rules", "stream-events.rules", "tls-events.rules" ); + $default_rules = array( "decoder-events.rules", "dns-events.rules", "files.rules", "http-events.rules", "smtp-events.rules", "stream-events.rules", "tls-events.rules" ); $files = glob("{$tmpfname}/emerging/rules/*.rules"); // Determine the correct prefix to use based on which // Emerging Threats rules package is enabled. diff --git a/config/suricata/suricata_interfaces_edit.php b/config/suricata/suricata_interfaces_edit.php index 55c97efc..a3b2e78a 100644 --- a/config/suricata/suricata_interfaces_edit.php +++ b/config/suricata/suricata_interfaces_edit.php @@ -399,7 +399,7 @@ if ($_POST["save"] && !$input_errors) { $natent['libhtp_policy']['item'][] = $default; // Enable the basic default rules for the interface - $natent['rulesets'] = "decoder-events.rules||files.rules||http-events.rules||smtp-events.rules||stream-events.rules||tls-events.rules"; + $natent['rulesets'] = "decoder-events.rules||dns-events.rules||files.rules||http-events.rules||smtp-events.rules||stream-events.rules||tls-events.rules"; // Adding a new interface, so set flag to build new rules $rebuild_rules = true; diff --git a/config/suricata/suricata_migrate_config.php b/config/suricata/suricata_migrate_config.php index 97e3cde6..abbdcf64 100644 --- a/config/suricata/suricata_migrate_config.php +++ b/config/suricata/suricata_migrate_config.php @@ -115,6 +115,14 @@ foreach ($rule as &$r) { } } + /***********************************************************/ + /* Add the new 'dns-events.rules' file to the rulesets. */ + /***********************************************************/ + if (strpos("dns-events.rules", $pconfig['rulesets']) === FALSE) { + $pconfig['rulesets'] = rtrim($pconfig['rulesets'], "||") . "||dns-events.rules"; + $updated_cfg = true; + } + /***********************************************************/ /* Add new HTTP Log Extended Info setting if not present */ /***********************************************************/ diff --git a/config/suricata/suricata_post_install.php b/config/suricata/suricata_post_install.php index 955751ad..47dd3ad7 100644 --- a/config/suricata/suricata_post_install.php +++ b/config/suricata/suricata_post_install.php @@ -112,6 +112,11 @@ safe_mkdir(SURICATALOGDIR); safe_mkdir(SID_MODS_PATH); safe_mkdir(IPREP_PATH); +// Copy the new dns-events.rules file to the +// Suricata directory if not already present. +if (!file_exists(SURICATADIR . "rules/dns-events.rules")) + @copy("/usr/local/pkg/suricata/dns-events.rules", SURICATADIR . "rules/dns-events.rules"); + // remake saved settings if ($config['installedpackages']['suricata']['config'][0]['forcekeepsettings'] == 'on') { log_error(gettext("[Suricata] Saved settings detected... rebuilding installation with saved settings...")); diff --git a/config/suricata/suricata_rulesets.php b/config/suricata/suricata_rulesets.php index 14da068e..ce32af20 100644 --- a/config/suricata/suricata_rulesets.php +++ b/config/suricata/suricata_rulesets.php @@ -47,7 +47,7 @@ $suricatadir = SURICATADIR; $flowbit_rules_file = FLOWBITS_FILENAME; // Array of default events rules for Suricata -$default_rules = array( "decoder-events.rules", "files.rules", "http-events.rules", +$default_rules = array( "decoder-events.rules", "dns-events.rules", "files.rules", "http-events.rules", "smtp-events.rules", "stream-events.rules", "tls-events.rules" ); if (!is_array($config['installedpackages']['suricata']['rule'])) { -- cgit v1.2.3 From 3f34c4d3a8b7fa88ef4359bb8c800f0deabbe53b Mon Sep 17 00:00:00 2001 From: bmeeks8 Date: Tue, 2 Sep 2014 16:13:45 -0400 Subject: Change title in Suricata Widget column header to Priority/Rule Name. --- config/suricata/suricata_alerts.widget.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'config') diff --git a/config/suricata/suricata_alerts.widget.php b/config/suricata/suricata_alerts.widget.php index 776cead9..77122f6d 100644 --- a/config/suricata/suricata_alerts.widget.php +++ b/config/suricata/suricata_alerts.widget.php @@ -238,7 +238,7 @@ function suricata_widget_get_alerts() { - + -- cgit v1.2.3 From b9dd2b74d87b1664360bd467b37baf604c53de30 Mon Sep 17 00:00:00 2001 From: bmeeks8 Date: Tue, 2 Sep 2014 16:27:53 -0400 Subject: Change title for Widget column to Priority/Class instead. --- config/suricata/suricata_alerts.widget.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'config') diff --git a/config/suricata/suricata_alerts.widget.php b/config/suricata/suricata_alerts.widget.php index 77122f6d..bc7a0e2a 100644 --- a/config/suricata/suricata_alerts.widget.php +++ b/config/suricata/suricata_alerts.widget.php @@ -238,7 +238,7 @@ function suricata_widget_get_alerts() { - + -- cgit v1.2.3 From 2c4435fa4db6a4d24d7faf0b4cdbd7cde8d73089 Mon Sep 17 00:00:00 2001 From: bmeeks8 Date: Wed, 3 Sep 2014 11:17:55 -0400 Subject: Strip any CR characters that may get pasted into some control fields. --- config/suricata/suricata_barnyard.php | 2 +- config/suricata/suricata_interfaces_edit.php | 2 +- config/suricata/suricata_passlist_edit.php | 2 +- config/suricata/suricata_rules.php | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) (limited to 'config') diff --git a/config/suricata/suricata_barnyard.php b/config/suricata/suricata_barnyard.php index 630a3c35..f762477e 100644 --- a/config/suricata/suricata_barnyard.php +++ b/config/suricata/suricata_barnyard.php @@ -158,7 +158,7 @@ if ($_POST['save']) { if ($_POST['barnyard_syslog_priority']) $natent['barnyard_syslog_priority'] = $_POST['barnyard_syslog_priority']; else $natent['barnyard_syslog_priority'] = 'LOG_INFO'; if ($_POST['barnyard_bro_ids_rhost']) $natent['barnyard_bro_ids_rhost'] = $_POST['barnyard_bro_ids_rhost']; else unset($natent['barnyard_bro_ids_rhost']); if ($_POST['barnyard_bro_ids_dport']) $natent['barnyard_bro_ids_dport'] = $_POST['barnyard_bro_ids_dport']; else $natent['barnyard_bro_ids_dport'] = '47760'; - if ($_POST['barnconfigpassthru']) $natent['barnconfigpassthru'] = base64_encode($_POST['barnconfigpassthru']); else unset($natent['barnconfigpassthru']); + if ($_POST['barnconfigpassthru']) $natent['barnconfigpassthru'] = base64_encode(str_replace("\r\n", "\n", $_POST['barnconfigpassthru'])); else unset($natent['barnconfigpassthru']); $a_nat[$id] = $natent; write_config(); diff --git a/config/suricata/suricata_interfaces_edit.php b/config/suricata/suricata_interfaces_edit.php index a3b2e78a..ff21b48f 100644 --- a/config/suricata/suricata_interfaces_edit.php +++ b/config/suricata/suricata_interfaces_edit.php @@ -300,7 +300,7 @@ if ($_POST["save"] && !$input_errors) { if ($_POST['eve_log_files'] == "on") { $natent['eve_log_files'] = 'on'; }else{ $natent['eve_log_files'] = 'off'; } if ($_POST['eve_log_ssh'] == "on") { $natent['eve_log_ssh'] = 'on'; }else{ $natent['eve_log_ssh'] = 'off'; } if ($_POST['delayed_detect'] == "on") { $natent['delayed_detect'] = 'on'; }else{ $natent['delayed_detect'] = 'off'; } - if ($_POST['configpassthru']) $natent['configpassthru'] = base64_encode($_POST['configpassthru']); else unset($natent['configpassthru']); + if ($_POST['configpassthru']) $natent['configpassthru'] = base64_encode(str_replace("\r\n", "\n", $_POST['configpassthru'])); else unset($natent['configpassthru']); $if_real = get_real_interface($natent['interface']); if (isset($id) && $a_rule[$id] && $action == '') { diff --git a/config/suricata/suricata_passlist_edit.php b/config/suricata/suricata_passlist_edit.php index 0a9a8132..3e1502f3 100644 --- a/config/suricata/suricata_passlist_edit.php +++ b/config/suricata/suricata_passlist_edit.php @@ -171,7 +171,7 @@ if ($_POST['save']) { $p_list['vpnips'] = $_POST['vpnips']? 'yes' : 'no'; $p_list['address'] = $_POST['address']; - $p_list['descr'] = mb_convert_encoding($_POST['descr'],"HTML-ENTITIES","auto"); + $p_list['descr'] = mb_convert_encoding(str_replace("\r\n", "\n", $_POST['descr']),"HTML-ENTITIES","auto"); $p_list['detail'] = $final_address_details; if (isset($id) && $a_passlist[$id]) diff --git a/config/suricata/suricata_rules.php b/config/suricata/suricata_rules.php index f9d8fe07..aa420371 100644 --- a/config/suricata/suricata_rules.php +++ b/config/suricata/suricata_rules.php @@ -383,7 +383,7 @@ elseif ($_POST['cancel']) { elseif ($_POST['save']) { $pconfig['customrules'] = $_POST['customrules']; if ($_POST['customrules']) - $a_rule[$id]['customrules'] = base64_encode($_POST['customrules']); + $a_rule[$id]['customrules'] = base64_encode(str_replace("\r\n", "\n", $_POST['customrules'])); else unset($a_rule[$id]['customrules']); write_config("Suricata pkg: save modified custom rules for {$a_rule[$id]['interface']}."); -- cgit v1.2.3 From 46ba3729b4bbf7dd321fc3555677a66c67f4c784 Mon Sep 17 00:00:00 2001 From: bmeeks8 Date: Thu, 4 Sep 2014 16:28:27 -0400 Subject: Add new GUI control for setting interface promisc mode on/off. --- config/suricata/suricata_generate_yaml.php | 5 +++++ config/suricata/suricata_interfaces_edit.php | 13 +++++++++++++ config/suricata/suricata_migrate_config.php | 8 ++++++++ config/suricata/suricata_yaml_template.inc | 1 + 4 files changed, 27 insertions(+) (limited to 'config') diff --git a/config/suricata/suricata_generate_yaml.php b/config/suricata/suricata_generate_yaml.php index 0715471d..8e3e538c 100644 --- a/config/suricata/suricata_generate_yaml.php +++ b/config/suricata/suricata_generate_yaml.php @@ -165,6 +165,11 @@ if ($suricatacfg['delayed_detect'] == 'on') else $delayed_detect = "no"; +if ($suricatacfg['intf_promisc_mode'] == 'on') + $intf_promisc_mode = "yes"; +else + $intf_promisc_mode = "no"; + // Add interface-specific blocking settings if ($suricatacfg['blockoffenders'] == 'on') $suri_blockoffenders = "yes"; diff --git a/config/suricata/suricata_interfaces_edit.php b/config/suricata/suricata_interfaces_edit.php index ff21b48f..e1e6675f 100644 --- a/config/suricata/suricata_interfaces_edit.php +++ b/config/suricata/suricata_interfaces_edit.php @@ -169,6 +169,8 @@ if (empty($pconfig['eve_log_files'])) $pconfig['eve_log_files'] = "on"; if (empty($pconfig['eve_log_ssh'])) $pconfig['eve_log_ssh'] = "on"; +if (empty($pconfig['intf_promisc_mode'])) + $pconfig['intf_promisc_mode'] = "on"; // See if creating a new interface by duplicating an existing one if (strcasecmp($action, 'dup') == 0) { @@ -300,6 +302,7 @@ if ($_POST["save"] && !$input_errors) { if ($_POST['eve_log_files'] == "on") { $natent['eve_log_files'] = 'on'; }else{ $natent['eve_log_files'] = 'off'; } if ($_POST['eve_log_ssh'] == "on") { $natent['eve_log_ssh'] = 'on'; }else{ $natent['eve_log_ssh'] = 'off'; } if ($_POST['delayed_detect'] == "on") { $natent['delayed_detect'] = 'on'; }else{ $natent['delayed_detect'] = 'off'; } + if ($_POST['intf_promisc_mode'] == "on") { $natent['intf_promisc_mode'] = 'on'; }else{ $natent['intf_promisc_mode'] = 'off'; } if ($_POST['configpassthru']) $natent['configpassthru'] = base64_encode(str_replace("\r\n", "\n", $_POST['configpassthru'])); else unset($natent['configpassthru']); $if_real = get_real_interface($natent['interface']); @@ -367,6 +370,7 @@ if ($_POST["save"] && !$input_errors) { $natent['enable_midstream_sessions'] = 'off'; $natent['enable_async_sessions'] = 'off'; $natent['delayed_detect'] = 'off'; + $natent['intf_promisc_mode'] = 'on'; $natent['asn1_max_frames'] = '256'; $natent['dns_global_memcap'] = "16777216"; @@ -884,6 +888,14 @@ if ($savemsg) { " . gettext("Not Checked") . "."; ?> + + + + @@ -1197,6 +1209,7 @@ function enable_change(enable_change) { document.iform.btnPasslist.disabled=endis; document.iform.btnSuppressList.disabled=endis; document.iform.delayed_detect.disabled=endis; + document.iform.intf_promisc_mode.disabled=endis; } function wopen(url, name, w, h) { diff --git a/config/suricata/suricata_migrate_config.php b/config/suricata/suricata_migrate_config.php index abbdcf64..ba13155b 100644 --- a/config/suricata/suricata_migrate_config.php +++ b/config/suricata/suricata_migrate_config.php @@ -123,6 +123,14 @@ foreach ($rule as &$r) { $updated_cfg = true; } + /***********************************************************/ + /* Add new interface promisc mode value and default 'on'. */ + /***********************************************************/ + if (empty($pconfig['intf_promisc_mode'])) { + $pconfig['intf_promisc_mode'] = "on"; + $updated_cfg = true; + } + /***********************************************************/ /* Add new HTTP Log Extended Info setting if not present */ /***********************************************************/ diff --git a/config/suricata/suricata_yaml_template.inc b/config/suricata/suricata_yaml_template.inc index e75a1148..82c449d3 100644 --- a/config/suricata/suricata_yaml_template.inc +++ b/config/suricata/suricata_yaml_template.inc @@ -256,6 +256,7 @@ logging: pcap: - interface: {$if_real} checksum-checks: auto + promisc: {$intf_promisc_mode} # For FreeBSD ipfw(8) divert(4) support. # ipfw add 100 divert 8000 ip from any to any -- cgit v1.2.3 From 2ad46791c5b1b2ad74a5119fee13086b9480fcea Mon Sep 17 00:00:00 2001 From: bmeeks8 Date: Thu, 4 Sep 2014 16:37:24 -0400 Subject: Prevent setting filesystem to read-only during post-install rule update. --- config/suricata/suricata_check_for_rule_updates.php | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) (limited to 'config') diff --git a/config/suricata/suricata_check_for_rule_updates.php b/config/suricata/suricata_check_for_rule_updates.php index 6a3e51f7..eeb7be6c 100644 --- a/config/suricata/suricata_check_for_rule_updates.php +++ b/config/suricata/suricata_check_for_rule_updates.php @@ -762,7 +762,11 @@ if ($pkg_interface <> "console") { } log_error(gettext("[Suricata] The Rules update has finished.")); error_log(gettext("The Rules update has finished. Time: " . date("Y-m-d H:i:s"). "\n\n"), 3, $suricata_rules_upd_log); -conf_mount_ro(); + +// Remount filesystem read-only unless we are in package post-install. +// The post-install code will remount read-only when it completes. +if (!$g['suricata_postinstall']) + conf_mount_ro(); // Restore the state of $pkg_interface $pkg_interface = $pkg_interface_orig; -- cgit v1.2.3 From 12960cc35261a40916f02e2f5883d5fbfa2e9b0f Mon Sep 17 00:00:00 2001 From: bmeeks8 Date: Thu, 4 Sep 2014 16:39:48 -0400 Subject: Fix spelling error typo in a comment line. --- config/suricata/suricata_post_install.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'config') diff --git a/config/suricata/suricata_post_install.php b/config/suricata/suricata_post_install.php index 47dd3ad7..3c362055 100644 --- a/config/suricata/suricata_post_install.php +++ b/config/suricata/suricata_post_install.php @@ -141,7 +141,7 @@ if ($config['installedpackages']['suricata']['config'][0]['forcekeepsettings'] = $suricatacfgdir = "{$suricatadir}suricata_{$suricata_uuid}_{$if_real}"; // Pull in the PHP code that generates the suricata.yaml file - // variables that will be substitued further down below. + // variables that will be substituted further down below. include("/usr/local/pkg/suricata/suricata_generate_yaml.php"); // Pull in the boilerplate template for the suricata.yaml -- cgit v1.2.3 From 5810a967278f80a4f54cb3313f31acdaf3fa906b Mon Sep 17 00:00:00 2001 From: bmeeks8 Date: Thu, 4 Sep 2014 16:47:49 -0400 Subject: Disable EVE log options when interface is disabled. --- config/suricata/suricata_interfaces_edit.php | 6 ++++++ 1 file changed, 6 insertions(+) (limited to 'config') diff --git a/config/suricata/suricata_interfaces_edit.php b/config/suricata/suricata_interfaces_edit.php index e1e6675f..f46f88f5 100644 --- a/config/suricata/suricata_interfaces_edit.php +++ b/config/suricata/suricata_interfaces_edit.php @@ -1191,6 +1191,12 @@ function enable_change(enable_change) { document.iform.max_pcap_log_files.disabled = endis; document.iform.eve_output_type.disabled = endis; document.iform.enable_eve_log.disabled = endis; + document.iform.eve_log_alerts.disabled = endis; + document.iform.eve_log_http.disabled = endis; + document.iform.eve_log_dns.disabled = endis; + document.iform.eve_log_tls.disabled = endis; + document.iform.eve_log_files.disabled = endis; + document.iform.eve_log_ssh.disabled = endis; document.iform.max_pending_packets.disabled = endis; document.iform.detect_eng_profile.disabled = endis; document.iform.mpm_algo.disabled = endis; -- cgit v1.2.3 From 9d85e3d4ced9edbb9233a7df8e28b14ef0b00eae Mon Sep 17 00:00:00 2001 From: bmeeks8 Date: Thu, 4 Sep 2014 17:50:05 -0400 Subject: Default "forcekeepsettings" to 'on' for new installs (Issue #3838) --- config/suricata/suricata_post_install.php | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) (limited to 'config') diff --git a/config/suricata/suricata_post_install.php b/config/suricata/suricata_post_install.php index 3c362055..4ee50946 100644 --- a/config/suricata/suricata_post_install.php +++ b/config/suricata/suricata_post_install.php @@ -117,7 +117,7 @@ safe_mkdir(IPREP_PATH); if (!file_exists(SURICATADIR . "rules/dns-events.rules")) @copy("/usr/local/pkg/suricata/dns-events.rules", SURICATADIR . "rules/dns-events.rules"); -// remake saved settings +// remake saved settings if previously flagged if ($config['installedpackages']['suricata']['config'][0]['forcekeepsettings'] == 'on') { log_error(gettext("[Suricata] Saved settings detected... rebuilding installation with saved settings...")); update_status(gettext("Saved settings detected...")); @@ -194,6 +194,11 @@ if ($config['installedpackages']['suricata']['config'][0]['forcekeepsettings'] = } } +// If this is first install and "forcekeepsettings" is empty, +// then default it to 'on'. +if (empty($config['installedpackages']['suricata']['config'][0]['forcekeepsettings'])) + $config['installedpackages']['suricata']['config'][0]['forcekeepsettings'] = 'on'; + // Finished with file system mods, so remount it read-only conf_mount_ro(); -- cgit v1.2.3 From 204dee69b85897fee37df320a8cf3f899e8f172f Mon Sep 17 00:00:00 2001 From: bmeeks8 Date: Fri, 5 Sep 2014 11:24:04 -0400 Subject: Notify user on ALERTS tab when viewing filtered results. --- config/suricata/suricata_alerts.php | 7 +++++++ 1 file changed, 7 insertions(+) (limited to 'config') diff --git a/config/suricata/suricata_alerts.php b/config/suricata/suricata_alerts.php index 60a506ae..eab2a1d5 100644 --- a/config/suricata/suricata_alerts.php +++ b/config/suricata/suricata_alerts.php @@ -572,10 +572,17 @@ if ($savemsg) {
'; @@ -422,6 +481,7 @@ if ($savemsg) {
+ @@ -430,7 +490,7 @@ if ($savemsg) { @@ -544,7 +606,7 @@ if ($savemsg) { +
+ +
" class="formbtn" title=""/>

@@ -534,6 +595,7 @@ if ($savemsg) { gettext("clicking here") . ".";?>
- + @@ -555,8 +617,8 @@ if ($savemsg) { - - + + @@ -570,18 +632,35 @@ if ($savemsg) { $rulem) { foreach ($rulem as $k2 => $v) { $sid = suricata_get_sid($v['rule']); $gid = suricata_get_gid($v['rule']); - - if (isset($disablesid[$gid][$sid])) { + $ruleset = $currentruleset; + $style = ""; + + if ($v['managed'] == 1) { + if ($v['disabled'] == 1) { + $textss = ""; + $textse = ""; + $style= "style=\"opacity: 0.4; filter: alpha(opacity=40);\""; + $title = gettext("Auto-disabled by settings on SID Mgmt tab"); + } + else { + $textss = $textse = ""; + $ruleset = "suricata.rules"; + $title = gettext("Auto-managed by settings on SID Mgmt tab"); + } + $iconb = "icon_advanced.gif"; + $managed_count++; + } + elseif (isset($disablesid[$gid][$sid])) { $textss = ""; $textse = ""; $iconb = "icon_reject_d.gif"; $disable_cnt++; - $title = gettext("Disabled by user. Click to toggle to default state"); + $title = gettext("Disabled by user. Click to toggle to enabled state"); } elseif (($v['disabled'] == 1) && (!isset($enablesid[$gid][$sid]))) { $textss = ""; @@ -594,7 +673,7 @@ if ($savemsg) { $textss = $textse = ""; $iconb = "icon_reject.gif"; $enable_cnt++; - $title = gettext("Enabled by user. Click to toggle to default state"); + $title = gettext("Enabled by user. Click to toggle to disabled state"); } else { $textss = $textse = ""; @@ -623,36 +702,44 @@ if ($savemsg) { $message = suricata_get_msg($v['rule']); $sid_tooltip = gettext("View the raw text for this rule"); - echo " - + + - - - - - - - "; @@ -667,13 +754,15 @@ if ($savemsg) { +
 
 
{$textss} - {$textse} - + echo "
{$textss}"; + + if ($v['managed'] == 1) { + echo "{$textse}"; + } + else { + echo "{$textse}"; + } + echo " {$textss}{$gid}{$textse} + {$textss}{$sid}{$textse} + {$textss}{$protocol}{$textse} + {$srcspan}{$source} + {$srcprtspan}{$source_port} + {$dstspan}{$destination} + {$dstprtspan}{$destination_port} + {$textss}{$message}{$textse}
+ + gettext("Disabled: {$disable_cnt}") . "    " . + gettext("Auto-Managed: {$managed_count}"); ?> + + + + + + + + + + +

" . gettext("Total Rules: {$counter}") . "    " . gettext("Enabled: {$enable_cnt}") . "    " . - gettext("Disabled: {$disable_cnt}"); ?>
+ + diff --git a/config/suricata/suricata_suppress.php b/config/suricata/suricata_suppress.php index 4f2e8d0d..2fd2deeb 100644 --- a/config/suricata/suricata_suppress.php +++ b/config/suricata/suricata_suppress.php @@ -127,18 +127,21 @@ if ($input_errors) {
+ @@ -172,6 +175,7 @@ if ($input_errors) { @@ -200,6 +205,7 @@ if ($input_errors) { @@ -224,6 +231,7 @@ if ($input_errors) { gettext("You must first unassign the Suppress List on the Interface Edit tab."); ?>

+
+ +
 
+ +
  ">
diff --git a/config/suricata/suricata_suppress_edit.php b/config/suricata/suricata_suppress_edit.php index d4549e56..24572789 100644 --- a/config/suricata/suricata_suppress_edit.php +++ b/config/suricata/suricata_suppress_edit.php @@ -157,15 +157,17 @@ if ($savemsg)
+ /> + " . gettext("Checked") . "."; ?>
+ + +    + + +    + -- cgit v1.2.3 From 179d7432250e40e8a7ca0e6e9c60045d14bbf47d Mon Sep 17 00:00:00 2001 From: bmeeks8 Date: Fri, 5 Sep 2014 12:15:57 -0400 Subject: Bug fix for cloning interface via DUP icon. --- config/suricata/suricata_interfaces_edit.php | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) (limited to 'config') diff --git a/config/suricata/suricata_interfaces_edit.php b/config/suricata/suricata_interfaces_edit.php index f46f88f5..c4a1775a 100644 --- a/config/suricata/suricata_interfaces_edit.php +++ b/config/suricata/suricata_interfaces_edit.php @@ -73,7 +73,7 @@ else $pconfig = array(); if (empty($suricataglob['rule'][$id]['uuid'])) { - /* Adding new interface, so flag rules to build. */ + /* Adding new interface, so generate a new UUID and flag rules to build. */ $pconfig['uuid'] = suricata_generate_id(); $rebuild_rules = true; } @@ -324,9 +324,12 @@ if ($_POST["save"] && !$input_errors) { $a_rule[$id] = $natent; } elseif (strcasecmp($action, 'dup') == 0) { - // Duplicating a new interface, so set flag to build new rules + // Duplicating an existing interface to a new interface, so set flag to build new rules $rebuild_rules = true; + // Duplicating an interface, so need to generate a new UUID for the cloned interface + $natent['uuid'] = suricata_generate_id(); + // Add the new duplicated interface configuration to the [rule] array in config $a_rule[] = $natent; } -- cgit v1.2.3 From 115e93c9e6fcb1269f470aca1cb0b72636845d6a Mon Sep 17 00:00:00 2001 From: bmeeks8 Date: Fri, 5 Sep 2014 13:56:11 -0400 Subject: Update static HTML text on page to reflect change in options. --- config/suricata/suricata_barnyard.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'config') diff --git a/config/suricata/suricata_barnyard.php b/config/suricata/suricata_barnyard.php index f762477e..1463ed0b 100644 --- a/config/suricata/suricata_barnyard.php +++ b/config/suricata/suricata_barnyard.php @@ -384,7 +384,7 @@ include_once("head.inc"); onClick="toggle_local_syslog()"/>
- + -- cgit v1.2.3 From cd694599d995f30a0759259fbb9400f030161383 Mon Sep 17 00:00:00 2001 From: bmeeks8 Date: Fri, 5 Sep 2014 14:56:25 -0400 Subject: Check if spaces in BY2 Sensor Name and show validation error. --- config/suricata/suricata_barnyard.php | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) (limited to 'config') diff --git a/config/suricata/suricata_barnyard.php b/config/suricata/suricata_barnyard.php index 1463ed0b..cd233b5e 100644 --- a/config/suricata/suricata_barnyard.php +++ b/config/suricata/suricata_barnyard.php @@ -94,6 +94,12 @@ if ($_POST['save']) { $_POST['barnyard_bro_ids_enable'] != 'on' && $_POST['barnyard_enable'] == "on") $input_errors[] = gettext("You must enable at least one output option when using Barnyard2."); + // Validate Sensor Name contains no spaces + if ($_POST['barnyard_enable'] == 'on') { + if (!empty(trim($_POST['barnyard_sensor_name'])) && strpos(trim($_POST['barnyard_sensor_name']), " ") !== FALSE) + $input_errors[] = gettext("The value for 'Sensor Name' cannot contain spaces."); + } + // Validate Sensor ID is a valid integer if ($_POST['barnyard_enable'] == 'on') { if (!is_numericint($_POST['barnyard_sensor_id']) || $_POST['barnyard_sensor_id'] < 0) @@ -147,7 +153,7 @@ if ($_POST['save']) { $natent['barnyard_syslog_proto'] = $_POST['barnyard_syslog_proto']; if ($_POST['barnyard_sensor_id']) $natent['barnyard_sensor_id'] = $_POST['barnyard_sensor_id']; else $natent['barnyard_sensor_id'] = '0'; - if ($_POST['barnyard_sensor_name']) $natent['barnyard_sensor_name'] = $_POST['barnyard_sensor_name']; else unset($natent['barnyard_sensor_name']); + if ($_POST['barnyard_sensor_name']) $natent['barnyard_sensor_name'] = trim($_POST['barnyard_sensor_name']); else unset($natent['barnyard_sensor_name']); if ($_POST['barnyard_dbhost']) $natent['barnyard_dbhost'] = $_POST['barnyard_dbhost']; else unset($natent['barnyard_dbhost']); if ($_POST['barnyard_dbname']) $natent['barnyard_dbname'] = $_POST['barnyard_dbname']; else unset($natent['barnyard_dbname']); if ($_POST['barnyard_dbuser']) $natent['barnyard_dbuser'] = $_POST['barnyard_dbuser']; else unset($natent['barnyard_dbuser']); -- cgit v1.2.3 From ad7e3dca2b915b9f27ba01bade962305a0dd34bb Mon Sep 17 00:00:00 2001 From: bmeeks8 Date: Fri, 5 Sep 2014 18:05:00 -0400 Subject: Some changes no longer needed since dns-events.rules file is now in PBI. --- config/suricata/dns-events.rules | 15 --------------- config/suricata/suricata.xml | 5 ----- config/suricata/suricata_post_install.php | 5 ----- 3 files changed, 25 deletions(-) delete mode 100644 config/suricata/dns-events.rules (limited to 'config') diff --git a/config/suricata/dns-events.rules b/config/suricata/dns-events.rules deleted file mode 100644 index 693f2f1b..00000000 --- a/config/suricata/dns-events.rules +++ /dev/null @@ -1,15 +0,0 @@ -# Response (answer) we didn't see a Request for. Could be packet loss. -alert dns any any -> any any (msg:"SURICATA DNS Unsollicited response"; flow:to_client; app-layer-event:dns.unsollicited_response; sid:2240001; rev:1;) -# Malformed data in request. Malformed means length fields are wrong, etc. -alert dns any any -> any any (msg:"SURICATA DNS malformed request data"; flow:to_client; app-layer-event:dns.malformed_data; sid:2240002; rev:1;) -alert dns any any -> any any (msg:"SURICATA DNS malformed response data"; flow:to_server; app-layer-event:dns.malformed_data; sid:2240003; rev:1;) -# Response flag set on to_server packet -alert dns any any -> any any (msg:"SURICATA DNS Not a request"; flow:to_server; app-layer-event:dns.not_a_request; sid:2240004; rev:1;) -# Response flag not set on to_client packet -alert dns any any -> any any (msg:"SURICATA DNS Not a response"; flow:to_client; app-layer-event:dns.not_a_response; sid:2240005; rev:1;) -# Z flag (reserved) not 0 -alert dns any any -> any any (msg:"SURICATA DNS Z flag set"; app-layer-event:dns.z_flag_set; sid:2240006; rev:1;) -# Request Flood Detected -alert dns any any -> any any (msg:"SURICATA DNS request flood detected"; flow:to_server; app-layer-event:dns.flooded; sid:2240007; rev:1;) -# Per-flow (state) memcap reached. Relates to the app-layer.protocols.dns.state-memcap setting. -alert dns any any -> any any (msg:"SURICATA DNS flow memcap reached"; flow:to_server; app-layer-event:dns.state_memcap_reached; sid:2240008; rev:2;) diff --git a/config/suricata/suricata.xml b/config/suricata/suricata.xml index f9bbd379..d5ea59ad 100644 --- a/config/suricata/suricata.xml +++ b/config/suricata/suricata.xml @@ -107,11 +107,6 @@ /usr/local/pkg/suricata/ 0755 - - https://packages.pfsense.org/packages/config/suricata/dns-events.rules - /usr/local/pkg/suricata/ - 0755 - https://packages.pfsense.org/packages/config/suricata/suricata_download_updates.php /usr/local/www/suricata/ diff --git a/config/suricata/suricata_post_install.php b/config/suricata/suricata_post_install.php index 4ee50946..7c8d03a5 100644 --- a/config/suricata/suricata_post_install.php +++ b/config/suricata/suricata_post_install.php @@ -112,11 +112,6 @@ safe_mkdir(SURICATALOGDIR); safe_mkdir(SID_MODS_PATH); safe_mkdir(IPREP_PATH); -// Copy the new dns-events.rules file to the -// Suricata directory if not already present. -if (!file_exists(SURICATADIR . "rules/dns-events.rules")) - @copy("/usr/local/pkg/suricata/dns-events.rules", SURICATADIR . "rules/dns-events.rules"); - // remake saved settings if previously flagged if ($config['installedpackages']['suricata']['config'][0]['forcekeepsettings'] == 'on') { log_error(gettext("[Suricata] Saved settings detected... rebuilding installation with saved settings...")); -- cgit v1.2.3