From 4f8c39dad0c17ef2e8f26c84fdf22c6f1066127e Mon Sep 17 00:00:00 2001 From: bmeeks8 Date: Sun, 7 Sep 2014 17:54:55 -0400 Subject: Remove unnecessary call to trim(). Causes error on 2.1.x systems. --- config/suricata/suricata_barnyard.php | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'config') diff --git a/config/suricata/suricata_barnyard.php b/config/suricata/suricata_barnyard.php index cd233b5e..987055fd 100644 --- a/config/suricata/suricata_barnyard.php +++ b/config/suricata/suricata_barnyard.php @@ -96,7 +96,7 @@ if ($_POST['save']) { // Validate Sensor Name contains no spaces if ($_POST['barnyard_enable'] == 'on') { - if (!empty(trim($_POST['barnyard_sensor_name'])) && strpos(trim($_POST['barnyard_sensor_name']), " ") !== FALSE) + if (!empty($_POST['barnyard_sensor_name']) && strpos($_POST['barnyard_sensor_name'], " ") !== FALSE) $input_errors[] = gettext("The value for 'Sensor Name' cannot contain spaces."); } @@ -153,7 +153,7 @@ if ($_POST['save']) { $natent['barnyard_syslog_proto'] = $_POST['barnyard_syslog_proto']; if ($_POST['barnyard_sensor_id']) $natent['barnyard_sensor_id'] = $_POST['barnyard_sensor_id']; else $natent['barnyard_sensor_id'] = '0'; - if ($_POST['barnyard_sensor_name']) $natent['barnyard_sensor_name'] = trim($_POST['barnyard_sensor_name']); else unset($natent['barnyard_sensor_name']); + if ($_POST['barnyard_sensor_name']) $natent['barnyard_sensor_name'] = $_POST['barnyard_sensor_name']; else unset($natent['barnyard_sensor_name']); if ($_POST['barnyard_dbhost']) $natent['barnyard_dbhost'] = $_POST['barnyard_dbhost']; else unset($natent['barnyard_dbhost']); if ($_POST['barnyard_dbname']) $natent['barnyard_dbname'] = $_POST['barnyard_dbname']; else unset($natent['barnyard_dbname']); if ($_POST['barnyard_dbuser']) $natent['barnyard_dbuser'] = $_POST['barnyard_dbuser']; else unset($natent['barnyard_dbuser']); -- cgit v1.2.3 From 98d54bcb91d1d9775c28f566655d49b4d9962bb1 Mon Sep 17 00:00:00 2001 
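Review bot: Dropping `trim()` from the @@ -96 check also drops the whitespace normalisation the validation relied on, and the @@ -153 hunk now stores the raw `$_POST['barnyard_sensor_name']` as a consequence. Before PHP 5.5 `empty()` accepts only variables, which is the 2.1.x error the commit works around, but assigning first keeps the trim: `$sensor_name = trim($_POST['barnyard_sensor_name']);` followed by `if (!empty($sensor_name) && strpos($sensor_name, " ") !== FALSE)`, with `$sensor_name` stored in the second hunk. As written, a name with leading or trailing spaces is now rejected by the validation rather than cleaned, which is safe but is a behaviour change the commit message does not mention. The `if ($_POST['save'])` block both hunks sit in starts before the first hunk.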
From: bmeeks8 Date: Sun, 7 Sep 2014 17:55:47 -0400 Subject: Fix typo in tooltip & ignore invalid block.log entries when dispaying. --- config/suricata/suricata_blocked.php | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) (limited to 'config') diff --git a/config/suricata/suricata_blocked.php b/config/suricata/suricata_blocked.php index c29d5745..842d4073 100644 --- a/config/suricata/suricata_blocked.php +++ b/config/suricata/suricata_blocked.php @@ -208,7 +208,7 @@ if ($savemsg) { "/>     " - onClick="return confirm('');"/>  + onClick="return confirm('');"/>    @@ -260,8 +260,11 @@ if ($savemsg) { /* 0 1 2 3 4 5 6 7 8 9 10 */ /* File format timestamp,action,sig_generator,sig_id,sig_rev,msg,classification,priority,proto,ip,port */ while (($fields = fgetcsv($fd, 1000, ',', '"')) !== FALSE) { - if(count($fields) < 11) + if(count($fields) != 11) { + log_error("[suricata] ERROR: block.log entry failed to parse correctly with too many or not enough CSV entities, skipping this entry..."); + log_error("[suricata] Failed block.log entry fields are: " . print_r($fields, true)); continue; + } $fields[9] = inet_pton($fields[9]); if (isset($tmpblocked[$fields[9]])) { if (!is_array($src_ip_list[$fields[9]])) -- cgit v1.2.3 From e1be647aab970954f0c1312d3579c1e312add9ba Mon Sep 17 00:00:00 2001 From: bmeeks8 Date: Sun, 7 Sep 2014 17:56:35 -0400 Subject: Use $_POST instead of $_GET for DEL action to improve security. --- config/suricata/suricata_suppress.php | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) (limited to 'config') diff --git a/config/suricata/suricata_suppress.php b/config/suricata/suricata_suppress.php index 2fd2deeb..80249724 100644 --- a/config/suricata/suricata_suppress.php +++ b/config/suricata/suricata_suppress.php 
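Review bot: The two `log_error()` calls added inside the `while` loop in the @@ -260 hunk fire on every page render, so a single malformed line in block.log is written to the system log twice each time someone views the page; counting bad rows and logging one summary after the loop (or only the first occurrence) avoids filling the log. The second call also dumps the whole row via `print_r()`, so arbitrary block.log field content ends up in syslog — useful for debugging, but worth truncating since the fields originate from alert text. The new guard does not cover the `inet_pton($fields[9])` line that follows, which returns `false` for an unparseable address and would then be used as an array key; `if (count($fields) != 11 || inet_pton($fields[9]) === false) {` would skip those rows as well. The enclosing loop body continues past the hunk.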
@@ -94,15 +94,16 @@ function suricata_find_suppresslist_interface($supplist) { return false; } -if ($_GET['act'] == "del") { - if ($a_suppress[$_GET['id']]) { +if ($_POST['del'] && is_numericint($_POST['list_id'])) { + if ($a_suppress[$_POST['list_id']]) { // make sure list is not being referenced by any Suricata-configured interface - if (suricata_suppresslist_used($a_suppress[$_GET['id']]['name'])) { + if (suricata_suppresslist_used($a_suppress[$_POST['list_id']]['name'])) { $input_errors[] = gettext("ERROR -- Suppress List is currently assigned to an interface and cannot be removed!"); } else { - unset($a_suppress[$_GET['id']]); - write_config(); + unset($a_suppress[$_POST['list_id']]); + write_config("Suricata pkg: deleted SUPPRESS LIST."); + sync_suricata_package_config(); header("Location: /suricata/suricata_suppress.php"); exit; } @@ -126,6 +127,7 @@ if ($input_errors) { ?>
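Review bot: The new guard verifies `$_POST['list_id']` with `is_numericint()` but the next line still indexes `$a_suppress` directly, so a stale or out-of-range id produces an undefined-index notice before the falsy check; `if (isset($a_suppress[$_POST['list_id']])) {` is the precise test. Moving the delete from `$_GET` to `$_POST` stops link-triggered deletions, but on its own it is not CSRF protection — whether this page's POST handling runs behind the framework's CSRF token check is not visible in the hunk and is worth confirming, since the action removes a list and calls `write_config()` plus `sync_suricata_package_config()`. The `header()`/`exit` pair after the write is correct as is.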
+ - + -- cgit v1.2.3 From 1d9c1cc8e530352168b97fd8b9c552c2588b67f4 Mon Sep 17 00:00:00 2001 From: bmeeks8 Date: Sun, 7 Sep 2014 17:57:15 -0400 Subject: Sync some changes to CARP slaves when enabled. --- config/suricata/suricata_alerts.php | 6 ++++++ config/suricata/suricata_app_parsers.php | 3 +++ config/suricata/suricata_define_vars.php | 3 +++ config/suricata/suricata_flow_stream.php | 3 +++ config/suricata/suricata_rules.php | 9 +++++++++ config/suricata/suricata_rulesets.php | 3 +++ config/suricata/suricata_sid_mgmt.php | 3 +++ 7 files changed, 30 insertions(+) (limited to 'config') diff --git a/config/suricata/suricata_alerts.php b/config/suricata/suricata_alerts.php index eab2a1d5..57ccbe27 100644 --- a/config/suricata/suricata_alerts.php +++ b/config/suricata/suricata_alerts.php @@ -294,6 +294,9 @@ if (($_POST['addsuppress_srcip'] || $_POST['addsuppress_dstip'] || $_POST['addsu if (suricata_add_supplist_entry($suppress)) { suricata_reload_config($a_instance[$instanceid]); $savemsg = $success; + + // Sync to configured CARP slaves if any are enabled + suricata_sync_on_changes(); sleep(2); } else @@ -354,6 +357,9 @@ if ($_POST['togglesid'] && is_numeric($_POST['sidid']) && is_numeric($_POST['gen /* Signal Suricata to live-load the new rules */ suricata_reload_config($a_instance[$instanceid]); + + // Sync to configured CARP slaves if any are enabled + suricata_sync_on_changes(); sleep(2); $savemsg = gettext("The state for rule {$gid}:{$sid} has been modified. Suricata is 'live-reloading' the new rules list. Please wait at least 15 secs for the process to complete before toggling additional rules."); diff --git a/config/suricata/suricata_app_parsers.php b/config/suricata/suricata_app_parsers.php index 16927092..51514ee5 100644 --- a/config/suricata/suricata_app_parsers.php +++ b/config/suricata/suricata_app_parsers.php 
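Review bot: The same two added lines (`// Sync to configured CARP slaves if any are enabled` and `suricata_sync_on_changes();`) are now repeated at nine save paths across suricata_alerts.php (both hunks), suricata_app_parsers.php, suricata_define_vars.php, suricata_flow_stream.php, suricata_rules.php (three hunks), suricata_rulesets.php and suricata_sid_mgmt.php, so every future save handler has to remember to add them. Folding the call into the function most of these paths already invoke (`suricata_reload_config()` appears in several of the hunks) or into a small save-and-sync helper would keep the ordering in one place. Whether `suricata_sync_on_changes()` itself checks that CARP sync is enabled before pushing configuration to peers is not visible here; the comment says so, so I assume it does. In suricata_alerts.php both call sites sit before a `sleep(2)`, so a slow push to peers adds directly to the response time of every suppress and toggle action.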
@@ -420,6 +420,9 @@ elseif ($_POST['save'] || $_POST['apply']) { conf_mount_rw(); suricata_generate_yaml($natent); conf_mount_ro(); + + // Sync to configured CARP slaves if any are enabled + suricata_sync_on_changes(); } header( 'Expires: Sat, 26 Jul 1997 05:00:00 GMT' ); diff --git a/config/suricata/suricata_define_vars.php b/config/suricata/suricata_define_vars.php index 3fe5de0d..040244b0 100644 --- a/config/suricata/suricata_define_vars.php +++ b/config/suricata/suricata_define_vars.php @@ -135,6 +135,9 @@ if ($_POST) { /* Soft-restart Suricaa to live-load new variables. */ suricata_reload_config($a_nat[$id]); + /* Sync to configured CARP slaves if any are enabled */ + suricata_sync_on_changes(); + /* after click go to this page */ header( 'Expires: Sat, 26 Jul 1997 05:00:00 GMT' ); header( 'Last-Modified: ' . gmdate( 'D, d M Y H:i:s' ) . ' GMT' ); diff --git a/config/suricata/suricata_flow_stream.php b/config/suricata/suricata_flow_stream.php index fa9edc16..53c4e010 100644 --- a/config/suricata/suricata_flow_stream.php +++ b/config/suricata/suricata_flow_stream.php @@ -319,6 +319,9 @@ elseif ($_POST['save'] || $_POST['apply']) { conf_mount_rw(); suricata_generate_yaml($natent); conf_mount_ro(); + + // Sync to configured CARP slaves if any are enabled + suricata_sync_on_changes(); } header( 'Expires: Sat, 26 Jul 1997 05:00:00 GMT' ); diff --git a/config/suricata/suricata_rules.php b/config/suricata/suricata_rules.php index aa420371..a787261d 100644 --- a/config/suricata/suricata_rules.php +++ b/config/suricata/suricata_rules.php @@ -375,6 +375,9 @@ elseif ($_POST['clear']) { conf_mount_ro(); $rebuild_rules = false; $pconfig['customrules'] = ''; + + // Sync to configured CARP slaves if any are enabled + suricata_sync_on_changes(); } elseif ($_POST['cancel']) { $pconfig['customrules'] = base64_decode($a_rule[$id]['customrules']); 
@@ -395,6 +398,9 @@ elseif ($_POST['save']) { /* Signal Suricata to "live reload" the rules */ suricata_reload_config($a_rule[$id]); clear_subsystem_dirty('suricata_rules'); + + // Sync to configured CARP slaves if any are enabled + suricata_sync_on_changes(); } elseif ($_POST['apply']) { @@ -416,6 +422,9 @@ elseif ($_POST['apply']) { // We have saved changes and done a soft restart, so clear "dirty" flag clear_subsystem_dirty('suricata_rules'); + + // Sync to configured CARP slaves if any are enabled + suricata_sync_on_changes(); } include_once("head.inc"); diff --git a/config/suricata/suricata_rulesets.php b/config/suricata/suricata_rulesets.php index ce32af20..7ea672b1 100644 --- a/config/suricata/suricata_rulesets.php +++ b/config/suricata/suricata_rulesets.php @@ -165,6 +165,9 @@ if ($_POST["save"]) { $enabled_rulesets_array = explode("||", $enabled_items); if (suricata_is_running($suricata_uuid, $if_real)) $savemsg = gettext("Suricata is 'live-loading' the new rule set on this interface."); + + // Sync to configured CARP slaves if any are enabled + suricata_sync_on_changes(); } elseif ($_POST['unselectall']) { // Remove all but the default events and files rules diff --git a/config/suricata/suricata_sid_mgmt.php b/config/suricata/suricata_sid_mgmt.php index c69a9fcd..2224e81a 100644 --- a/config/suricata/suricata_sid_mgmt.php +++ b/config/suricata/suricata_sid_mgmt.php @@ -188,6 +188,9 @@ if (isset($_POST['save_auto_sid_conf'])) { $intf_msg .= convert_friendly_interface_to_friendly_descr($a_nat[$k]['interface']) . ", "; } $savemsg = gettext("Changes were applied to these interfaces: " . trim($intf_msg, ' ,') . " and Suricata signaled to live-load the new rules."); + + // Sync to configured CARP slaves if any are enabled + suricata_sync_on_changes(); } } -- cgit v1.2.3 From 42d7efbec7932f35f99e6b35a2d191f959b4ac6a Mon Sep 17 00:00:00 2001 
From: bmeeks8 Date: Mon, 8 Sep 2014 10:36:56 -0400 Subject: Add count of USER ENABLED & DISABLED rules to page summary. --- config/suricata/suricata_rules.php | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) (limited to 'config') diff --git a/config/suricata/suricata_rules.php b/config/suricata/suricata_rules.php index a787261d..539a1daf 100644 --- a/config/suricata/suricata_rules.php +++ b/config/suricata/suricata_rules.php @@ -641,7 +641,7 @@ if ($savemsg) { $rulem) { foreach ($rulem as $k2 => $v) { $sid = suricata_get_sid($v['rule']); @@ -669,6 +669,7 @@ if ($savemsg) { $textse = ""; $iconb = "icon_reject_d.gif"; $disable_cnt++; + $user_disable_cnt++; $title = gettext("Disabled by user. Click to toggle to enabled state"); } elseif (($v['disabled'] == 1) && (!isset($enablesid[$gid][$sid]))) { @@ -682,6 +683,7 @@ if ($savemsg) { $textss = $textse = ""; $iconb = "icon_reject.gif"; $enable_cnt++; + $user_enable_cnt++; $title = gettext("Enabled by user. Click to toggle to disabled state"); } else { @@ -771,6 +773,8 @@ if ($savemsg) { gettext("Total Rules: {$counter}") . "    " . gettext("Enabled: {$enable_cnt}") . "    " . gettext("Disabled: {$disable_cnt}") . "    " . + gettext("User Enabled: {$user_enable_cnt}") . "    " . + gettext("User Disabled: {$user_disable_cnt}") . "    " . gettext("Auto-Managed: {$managed_count}"); ?> -- cgit v1.2.3 From 6d1e6c31c7fcd7bb5d5dd48ff115ba8b09849164 Mon Sep 17 00:00:00 2001 From: bmeeks8 Date: Mon, 8 Sep 2014 21:11:44 -0400 Subject: Fix any duplicate UUIDs and 'dns-events.rules' entries in config. --- config/suricata/suricata_migrate_config.php | 2 +- config/suricata/suricata_post_install.php | 39 +++++++++++++++++++++++++++++ 2 files changed, 40 insertions(+), 1 deletion(-) (limited to 'config') diff --git a/config/suricata/suricata_migrate_config.php b/config/suricata/suricata_migrate_config.php index ba13155b..3d6347ed 100644 --- a/config/suricata/suricata_migrate_config.php 
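Review bot: The two new summary lines in the @@ -771 hunk interpolate the counters into the `gettext()` msgid (`gettext("User Enabled: {$user_enable_cnt}")`), so the string handed to the catalog changes with the count and can never match a translation; `gettext("User Enabled: ") . $user_enable_cnt` or `sprintf(gettext("User Enabled: %d"), $user_enable_cnt)` keeps the msgid constant. The surrounding lines use the same interpolated form, so this follows the file's existing pattern and could be corrected for the whole summary block in one pass. The @@ -641 hunk that should initialise `$user_enable_cnt` and `$user_disable_cnt` is not readable here; if they are not set to 0 before the loop, the `++` in the @@ -669 and @@ -682 hunks operates on an undefined variable and the summary shows an empty count when no user-toggled rules exist.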
+++ b/config/suricata/suricata_migrate_config.php @@ -118,7 +118,7 @@ foreach ($rule as &$r) { /***********************************************************/ /* Add the new 'dns-events.rules' file to the rulesets. */ /***********************************************************/ - if (strpos("dns-events.rules", $pconfig['rulesets']) === FALSE) { + if (strpos($pconfig['rulesets'], "dns-events.rules") === FALSE) { $pconfig['rulesets'] = rtrim($pconfig['rulesets'], "||") . "||dns-events.rules"; $updated_cfg = true; } diff --git a/config/suricata/suricata_post_install.php b/config/suricata/suricata_post_install.php index 7c8d03a5..55a43f35 100644 --- a/config/suricata/suricata_post_install.php +++ b/config/suricata/suricata_post_install.php 
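Review bot: With the argument order corrected, the condition still feeds into `rtrim($pconfig['rulesets'], "||") . "||dns-events.rules"` on the next line, which yields a leading `||` (an empty ruleset name after `explode("||", ...)`) if `rulesets` can be empty at migration time; building the list with `explode`/`array_unique`/`implode`, or special-casing the empty string, avoids the empty element. The `array_flip` de-duplication added to suricata_post_install.php in this same commit would not remove that empty element either. The enclosing `foreach ($rule as &$r)` loop starts before the hunk.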
@@ -116,6 +116,45 @@ safe_mkdir(IPREP_PATH); if ($config['installedpackages']['suricata']['config'][0]['forcekeepsettings'] == 'on') { log_error(gettext("[Suricata] Saved settings detected... rebuilding installation with saved settings...")); update_status(gettext("Saved settings detected...")); + + /****************************************************************/ + /* Do test and fix for duplicate UUIDs if this install was */ + /* impacted by the DUP (clone) bug that generated a duplicate */ + /* UUID for the cloned interface. Also fix any duplicate */ + /* entries in ['rulesets'] for "dns-events.rules". */ + /****************************************************************/ + if (count($config['installedpackages']['suricata']['rule']) > 0) { + $uuids = array(); + $suriconf = &$config['installedpackages']['suricata']['rule']; + foreach ($suriconf as &$suricatacfg) { + // Remove any duplicate ruleset names from earlier bug + $rulesets = explode("||", $suricatacfg['rulesets']); + $suricatacfg['rulesets'] = implode("||", array_keys(array_flip($rulesets))); + + // Now check for and fix a duplicate UUID + $if_real = get_real_interface($suricatacfg['interface']); + if (!isset($uuids[$suricatacfg['uuid']])) { + $uuids[$suricatacfg['uuid']] = $if_real; + continue; + } + else { + // Found a duplicate UUID, so generate a + // new one for the affected interface. + $old_uuid = $suricatacfg['uuid']; + $new_uuid = suricata_generate_id(); + exec("mv -f {$suricatalogdir}suricata_{$if_real}" . $old_uuid . " {$suricatalogdir}suricata_{$if_real}" . $new_uuid); + $suricatacfg['uuid'] = $new_uuid; + write_config("Suricata pkg: updated UUID for interface " . convert_friendly_interface_to_friendly_descr($suricatacfg['interface']) . "."); + $uuids[$new_uuid] = $if_real; + log_error(gettext("[Suricata] updated UUID for interface " . convert_friendly_interface_to_friendly_descr($suricatacfg['interface']) . 
" from {$old_uuid} to {$new_uuid}.")); + } + } + unset($uuids, $rulesets); + } + /****************************************************************/ + /* End of duplicate UUID and "dns-events.rules" bug fix. */ + /****************************************************************/ + /* Do one-time settings migration for new version configuration */ update_output_window(gettext("Please wait... migrating settings to new configuration...")); include('/usr/local/pkg/suricata/suricata_migrate_config.php'); -- cgit v1.2.3 From c13c641f7ae95d18df8e0bcdfaa67af2d1c2deb2 Mon Sep 17 00:00:00 2001 From: bmeeks8 Date: Mon, 8 Sep 2014 22:56:52 -0400 Subject: Move call to write_config() so as not to invalidate the loop iterator. --- config/suricata/suricata_post_install.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'config') diff --git a/config/suricata/suricata_post_install.php b/config/suricata/suricata_post_install.php index 55a43f35..1d338a55 100644 --- a/config/suricata/suricata_post_install.php +++ b/config/suricata/suricata_post_install.php @@ -144,11 +144,11 @@ if ($config['installedpackages']['suricata']['config'][0]['forcekeepsettings'] = $new_uuid = suricata_generate_id(); exec("mv -f {$suricatalogdir}suricata_{$if_real}" . $old_uuid . " {$suricatalogdir}suricata_{$if_real}" . $new_uuid); $suricatacfg['uuid'] = $new_uuid; - write_config("Suricata pkg: updated UUID for interface " . convert_friendly_interface_to_friendly_descr($suricatacfg['interface']) . "."); $uuids[$new_uuid] = $if_real; log_error(gettext("[Suricata] updated UUID for interface " . convert_friendly_interface_to_friendly_descr($suricatacfg['interface']) . " from {$old_uuid} to {$new_uuid}.")); } } + write_config("Suricata pkg: updated interface UUIDs to eliminated duplicates."); unset($uuids, $rulesets); } /****************************************************************/ -- cgit v1.2.3 From 101c875be3cbc8158b787eb480a0077135f70d35 Mon Sep 17 00:00:00 2001 
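Review bot: `foreach ($suriconf as &$suricatacfg)` leaves `$suricatacfg` as a reference to the last array element after the loop, but the cleanup line only does `unset($uuids, $rulesets);`, so if that name is reused later in the file the last interface's config is silently overwritten; `unset($suricatacfg, $uuids, $rulesets);` closes that. The `exec("mv -f ...")` line builds a shell command from config values without `escapeshellarg()`; `$if_real` and the UUIDs come from package functions rather than request input, so the exposure is small, and commit 942f8220 later in this series replaces it with `rename()` anyway. `array_keys(array_flip($rulesets))` is a roundabout `array_unique($rulesets)`; both drop duplicates, the latter reads as intended. The `continue` at the end of the `if` branch makes the following `else` redundant, and the enclosing `if (... forcekeepsettings ...)` block starts before the hunk.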
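Review bot: `write_config("Suricata pkg: updated interface UUIDs to eliminated duplicates.")` now runs after the loop unconditionally, so every post-install with saved settings writes the config and records a UUID-update revision even when no duplicate was found. Setting a flag in the duplicate branch (`$uuid_fixed = true;`) and wrapping the call in `if ($uuid_fixed)` limits the write, and the config history entry, to the case that actually changed something. The typo in the message is corrected by the following commit, so no need to repeat that here. The enclosing `if (... forcekeepsettings ...)` block starts before the hunk.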
From: bmeeks8 Date: Mon, 8 Sep 2014 23:28:54 -0400 Subject: Bump Suricata GUI package version to 2.0.3 v2.0.2 --- config/suricata/suricata.xml | 2 +- config/suricata/suricata_migrate_config.php | 2 +- config/suricata/suricata_post_install.php | 4 ++-- 3 files changed, 4 insertions(+), 4 deletions(-) (limited to 'config') diff --git a/config/suricata/suricata.xml b/config/suricata/suricata.xml index 43ad68fa..995ed900 100644 --- a/config/suricata/suricata.xml +++ b/config/suricata/suricata.xml @@ -42,7 +42,7 @@ Suricata IDS/IPS Package None suricata - 2.0.3 pkg v2.0.1 + 2.0.3 pkg v2.0.2 Services: Suricata IDS /usr/local/pkg/suricata/suricata.inc diff --git a/config/suricata/suricata_migrate_config.php b/config/suricata/suricata_migrate_config.php index 3d6347ed..4729109b 100644 --- a/config/suricata/suricata_migrate_config.php +++ b/config/suricata/suricata_migrate_config.php @@ -344,7 +344,7 @@ unset($r); // Write out the new configuration to disk if we changed anything if ($updated_cfg) { - $config['installedpackages']['suricata']['config'][0]['suricata_config_ver'] = "2.0"; + $config['installedpackages']['suricata']['config'][0]['suricata_config_ver'] = "2.0.2"; log_error("[Suricata] Saving configuration settings in new format..."); write_config("Suricata pkg: migrate existing settings to new format during package upgrade."); log_error("[Suricata] Settings successfully migrated to new configuration format..."); diff --git a/config/suricata/suricata_post_install.php b/config/suricata/suricata_post_install.php index 1d338a55..47e42c38 100644 --- a/config/suricata/suricata_post_install.php +++ b/config/suricata/suricata_post_install.php 
@@ -148,7 +148,7 @@ if ($config['installedpackages']['suricata']['config'][0]['forcekeepsettings'] = log_error(gettext("[Suricata] updated UUID for interface " . convert_friendly_interface_to_friendly_descr($suricatacfg['interface']) . " from {$old_uuid} to {$new_uuid}.")); } } - write_config("Suricata pkg: updated interface UUIDs to eliminated duplicates."); + write_config("Suricata pkg: updated interface UUIDs to eliminate duplicates."); unset($uuids, $rulesets); } /****************************************************************/ @@ -237,7 +237,7 @@ if (empty($config['installedpackages']['suricata']['config'][0]['forcekeepsettin conf_mount_ro(); // Update Suricata package version in configuration -$config['installedpackages']['suricata']['config'][0]['suricata_config_ver'] = "2.0"; +$config['installedpackages']['suricata']['config'][0]['suricata_config_ver'] = "2.0.2"; write_config("Suricata pkg: updated GUI package version number."); // Done with post-install, so clear flag -- cgit v1.2.3 From 942f82201a14aebc97f872aeddae893b9a1e0a55 Mon Sep 17 00:00:00 2001 From: bmeeks8 Date: Tue, 9 Sep 2014 12:00:20 -0400 Subject: Use rename() instead of shell call for renaming directories. --- config/suricata/suricata_post_install.php | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) (limited to 'config') diff --git a/config/suricata/suricata_post_install.php b/config/suricata/suricata_post_install.php index 47e42c38..42f72eca 100644 --- a/config/suricata/suricata_post_install.php +++ b/config/suricata/suricata_post_install.php 
@@ -142,7 +142,8 @@ if ($config['installedpackages']['suricata']['config'][0]['forcekeepsettings'] = // new one for the affected interface. $old_uuid = $suricatacfg['uuid']; $new_uuid = suricata_generate_id(); - exec("mv -f {$suricatalogdir}suricata_{$if_real}" . $old_uuid . " {$suricatalogdir}suricata_{$if_real}" . $new_uuid); + if (file_exists("{$suricatalogdir}suricata_{$if_real}{$old_uuid}/")) + @rename("{$suricatalogdir}suricata_{$if_real}{$old_uuid}/", "{$suricatalogdir}suricata_{$if_real}{$new_uuid}/"); $suricatacfg['uuid'] = $new_uuid; $uuids[$new_uuid] = $if_real; log_error(gettext("[Suricata] updated UUID for interface " . convert_friendly_interface_to_friendly_descr($suricatacfg['interface']) . " from {$old_uuid} to {$new_uuid}.")); -- cgit v1.2.3
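Review bot: `@rename(...)` suppresses any failure and the next line sets `$suricatacfg['uuid'] = $new_uuid` regardless, so if the rename fails (permissions, or a destination directory that already exists) the config points at a log directory that does not exist while the old one is orphaned under the previous UUID; the return value should be checked and the failure logged so an operator can move the directory by hand. The `file_exists()` guard handles the missing-directory case, but `is_dir()` is the more precise test for what is being renamed, and hoisting the two paths into variables keeps the four interpolations consistent. The enclosing `else` branch and its loop start before the hunk.
```php
$old_dir = "{$suricatalogdir}suricata_{$if_real}{$old_uuid}/";
$new_dir = "{$suricatalogdir}suricata_{$if_real}{$new_uuid}/";
if (is_dir($old_dir) && !@rename($old_dir, $new_dir))
    log_error(gettext("[Suricata] could not rename log directory {$old_dir} to {$new_dir}; check permissions and move it manually."));
// … unchanged: UUID update, $uuids bookkeeping and log_error …
```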
@@ -189,10 +191,8 @@ if ($input_errors) { width="17" height="17" border="0" title=""/> ')">">');" + src="/themes//images/icons/icon_x.gif" width="17" height="17" border="0" title=""/>