. * Copyright (C) 2003-2004 Manuel Kasper . * Copyright (C) 2006 Scott Ullrich * Copyright (C) 2009 Robert Zelaya Sr. Developer * Copyright (C) 2012 Ermal Luci * All rights reserved. * * Adapted for Suricata by: * Copyright (C) 2014 Bill Meeks * All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions are met: * 1. Redistributions of source code must retain the above copyright notice, * this list of conditions and the following disclaimer. * * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE * POSSIBILITY OF SUCH DAMAGE. */ require_once("guiconfig.inc"); require_once("/usr/local/pkg/suricata/suricata.inc"); global $g, $rebuild_rules; $suricatadir = SURICATADIR; $suricatalogdir = SURICATALOGDIR; if (!is_array($config['installedpackages']['suricata'])) $config['installedpackages']['suricata'] = array(); $suricataglob = $config['installedpackages']['suricata']; if (!is_array($config['installedpackages']['suricata']['rule'])) $config['installedpackages']['suricata']['rule'] = array(); $a_rule = &$config['installedpackages']['suricata']['rule']; if (isset($_POST['id']) && is_numericint($_POST['id'])) $id = $_POST['id']; elseif (isset($_GET['id']) && is_numericint($_GET['id'])); $id = htmlspecialchars($_GET['id'], ENT_QUOTES | ENT_HTML401); if (is_null($id)) $id = 0; $pconfig = array(); if (empty($suricataglob['rule'][$id]['uuid'])) { /* Adding new interface, so flag rules to build. */ $pconfig['uuid'] = suricata_generate_id(); $rebuild_rules = true; } else { $pconfig['uuid'] = $a_rule[$id]['uuid']; $pconfig['descr'] = $a_rule[$id]['descr']; $rebuild_rules = false; } $suricata_uuid = $pconfig['uuid']; // Get the physical configured interfaces on the firewall $interfaces = get_configured_interface_with_descr(); // See if interface is already configured, and use its values if (isset($id) && $a_rule[$id]) { $pconfig = $a_rule[$id]; if (!empty($pconfig['configpassthru'])) $pconfig['configpassthru'] = base64_decode($pconfig['configpassthru']); if (empty($pconfig['uuid'])) $pconfig['uuid'] = $suricata_uuid; } elseif (isset($id) && !isset($a_rule[$id])) { // Must be a new interface, so try to pick next available physical interface to use $ifaces = get_configured_interface_list(); $ifrules = array(); foreach($a_rule as $r) $ifrules[] = $r['interface']; foreach ($ifaces as $i) { if (!in_array($i, $ifrules)) { $pconfig['interface'] = $i; $pconfig['enable'] = 'on'; $pconfig['descr'] = strtoupper($i); $pconfig['inspect_recursion_limit'] = '3000'; break; } } if (count($ifrules) == count($ifaces)) { $input_errors[] = gettext("No more available interfaces to configure for Suricata!"); $interfaces = array(); $pconfig = array(); } } // Set defaults for any empty key parameters if (empty($pconfig['blockoffendersip'])) $pconfig['blockoffendersip'] = "both"; if (empty($pconfig['max_pending_packets'])) $pconfig['max_pending_packets'] = "1024"; if (empty($pconfig['detect_eng_profile'])) $pconfig['detect_eng_profile'] = "medium"; if (empty($pconfig['mpm_algo'])) $pconfig['mpm_algo'] = "ac"; if (empty($pconfig['sgh_mpm_context'])) $pconfig['sgh_mpm_context'] = "auto"; if (empty($pconfig['enable_http_log'])) $pconfig['enable_http_log'] = "on"; if (empty($pconfig['append_http_log'])) $pconfig['append_http_log'] = "on"; if (empty($pconfig['enable_tls_log'])) $pconfig['enable_tls_log'] = "off"; if (empty($pconfig['tls_log_extended'])) $pconfig['tls_log_extended'] = "on"; if (empty($pconfig['enable_stats_log'])) $pconfig['enable_stats_log'] = "off"; if (empty($pconfig['stats_upd_interval'])) $pconfig['stats_upd_interval'] = "10"; if (empty($pconfig['append_stats_log'])) $pconfig['append_stats_log'] = "off"; if (empty($pconfig['append_json_file_log'])) $pconfig['append_json_file_log'] = "on"; if (empty($pconfig['enable_pcap_log'])) $pconfig['enable_pcap_log'] = "off"; if (empty($pconfig['max_pcap_log_size'])) $pconfig['max_pcap_log_size'] = "32"; if (empty($pconfig['max_pcap_log_files'])) $pconfig['max_pcap_log_files'] = "1000"; if ($_POST["save"]) { // If the interface is not enabled, stop any running Suricata // instance on it, save the new state and exit. if (!isset($_POST['enable'])) { if (isset($id) && $a_rule[$id]) { $a_rule[$id]['enable'] = 'off'; $a_rule[$id]['interface'] = htmlspecialchars($_POST['interface']); $a_rule[$id]['descr'] = htmlspecialchars($_POST['descr']); suricata_stop($a_rule[$id], get_real_interface($a_rule[$id]['interface'])); // Save configuration changes write_config(); // Update suricata.conf and suricata.sh files for this interface sync_suricata_package_config(); header( 'Expires: Sat, 26 Jul 1997 05:00:00 GMT' ); header( 'Last-Modified: ' . gmdate( 'D, d M Y H:i:s' ) . ' GMT' ); header( 'Cache-Control: no-store, no-cache, must-revalidate' ); header( 'Cache-Control: post-check=0, pre-check=0', false ); header( 'Pragma: no-cache' ); header("Location: /suricata/suricata_interfaces.php"); exit; } } // Validate inputs if (!isset($_POST['interface'])) $input_errors[] = gettext("Choosing an Interface is mandatory!"); if (isset($_POST['stats_upd_interval']) && !is_numericint($_POST['stats_upd_interval'])) $input_errors[] = gettext("The value for Stats Update Interval must contain only digits and evaluate to an integer."); if ($_POST['max_pending_packets'] < 1 || $_POST['max_pending_packets'] > 65000) $input_errors[] = gettext("The value for Maximum-Pending-Packets must be between 1 and 65,000!"); if (isset($_POST['max_pcap_log_size']) && !is_numeric($_POST['max_pcap_log_size'])) $input_errors[] = gettext("The value for 'Max Packet Log Size' must be numbers only. Do not include any alphabetic characters."); if (isset($_POST['max_pcap_log_files']) && !is_numeric($_POST['max_pcap_log_files'])) $input_errors[] = gettext("The value for 'Max Packet Log Files' must be numbers only."); if (!empty($_POST['inspect_recursion_limit']) && !is_numeric($_POST['inspect_recursion_limit'])) $input_errors[] = gettext("The value for Inspect Recursion Limit can either be blank or contain only digits evaluating to an integer greater than or equal to 0."); /* See if assigned interface is already in use */ if (isset($_POST['interface'])) { foreach ($a_rule as $k => $v) { if (($v['interface'] == $_POST['interface']) && ($id <> $k)) { $input_errors[] = gettext("The '{$_POST['interface']}' interface is already assigned to another Suricata instance."); break; } } } // if no errors write to suricata.yaml if (!$input_errors) { $natent = $a_rule[$id]; $natent['interface'] = $_POST['interface']; $natent['enable'] = $_POST['enable'] ? 'on' : 'off'; $natent['uuid'] = $pconfig['uuid']; if ($_POST['descr']) $natent['descr'] = htmlspecialchars($_POST['descr']); else $natent['descr'] = strtoupper($natent['interface']); if ($_POST['max_pcap_log_size']) $natent['max_pcap_log_size'] = $_POST['max_pcap_log_size']; else unset($natent['max_pcap_log_size']); if ($_POST['max_pcap_log_files']) $natent['max_pcap_log_files'] = $_POST['max_pcap_log_files']; else unset($natent['max_pcap_log_files']); if ($_POST['enable_stats_log'] == "on") { $natent['enable_stats_log'] = 'on'; }else{ $natent['enable_stats_log'] = 'off'; } if ($_POST['append_stats_log'] == "on") { $natent['append_stats_log'] = 'on'; }else{ $natent['append_stats_log'] = 'off'; } if ($_POST['stats_upd_interval'] >= 1) $natent['stats_upd_interval'] = $_POST['stats_upd_interval']; else $natent['stats_upd_interval'] = "10"; if ($_POST['enable_http_log'] == "on") { $natent['enable_http_log'] = 'on'; }else{ $natent['enable_http_log'] = 'off'; } if ($_POST['append_http_log'] == "on") { $natent['append_http_log'] = 'on'; }else{ $natent['append_http_log'] = 'off'; } if ($_POST['enable_tls_log'] == "on") { $natent['enable_tls_log'] = 'on'; }else{ $natent['enable_tls_log'] = 'off'; } if ($_POST['tls_log_extended'] == "on") { $natent['tls_log_extended'] = 'on'; }else{ $natent['tls_log_extended'] = 'off'; } if ($_POST['enable_pcap_log'] == "on") { $natent['enable_pcap_log'] = 'on'; }else{ $natent['enable_pcap_log'] = 'off'; } if ($_POST['enable_json_file_log'] == "on") { $natent['enable_json_file_log'] = 'on'; }else{ $natent['enable_json_file_log'] = 'off'; } if ($_POST['append_json_file_log'] == "on") { $natent['append_json_file_log'] = 'on'; }else{ $natent['append_json_file_log'] = 'off'; } if ($_POST['enable_tracked_files_magic'] == "on") { $natent['enable_tracked_files_magic'] = 'on'; }else{ $natent['enable_tracked_files_magic'] = 'off'; } if ($_POST['enable_tracked_files_md5'] == "on") { $natent['enable_tracked_files_md5'] = 'on'; }else{ $natent['enable_tracked_files_md5'] = 'off'; } if ($_POST['enable_file_store'] == "on") { $natent['enable_file_store'] = 'on'; }else{ $natent['enable_file_store'] = 'off'; } if ($_POST['max_pending_packets']) $natent['max_pending_packets'] = $_POST['max_pending_packets']; else unset($natent['max_pending_packets']); if ($_POST['inspect_recursion_limit'] >= '0') $natent['inspect_recursion_limit'] = $_POST['inspect_recursion_limit']; else unset($natent['inspect_recursion_limit']); if ($_POST['detect_eng_profile']) $natent['detect_eng_profile'] = $_POST['detect_eng_profile']; else unset($natent['detect_eng_profile']); if ($_POST['mpm_algo']) $natent['mpm_algo'] = $_POST['mpm_algo']; else unset($natent['mpm_algo']); if ($_POST['sgh_mpm_context']) $natent['sgh_mpm_context'] = $_POST['sgh_mpm_context']; else unset($natent['sgh_mpm_context']); if ($_POST['blockoffenders'] == "on") $natent['blockoffenders'] = 'on'; else $natent['blockoffenders'] = 'off'; if ($_POST['blockoffenderskill'] == "on") $natent['blockoffenderskill'] = 'on'; else unset($natent['blockoffenderskill']); if ($_POST['blockoffendersip']) $natent['blockoffendersip'] = $_POST['blockoffendersip']; else unset($natent['blockoffendersip']); if ($_POST['passlistname']) $natent['passlistname'] = $_POST['passlistname']; else unset($natent['passlistname']); if ($_POST['homelistname']) $natent['homelistname'] = $_POST['homelistname']; else unset($natent['homelistname']); if ($_POST['externallistname']) $natent['externallistname'] = $_POST['externallistname']; else unset($natent['externallistname']); if ($_POST['suppresslistname']) $natent['suppresslistname'] = $_POST['suppresslistname']; else unset($natent['suppresslistname']); if ($_POST['alertsystemlog'] == "on") { $natent['alertsystemlog'] = 'on'; }else{ $natent['alertsystemlog'] = 'off'; } if ($_POST['delayed_detect'] == "on") { $natent['delayed_detect'] = 'on'; }else{ $natent['delayed_detect'] = 'off'; } if ($_POST['configpassthru']) $natent['configpassthru'] = base64_encode($_POST['configpassthru']); else unset($natent['configpassthru']); $if_real = get_real_interface($natent['interface']); if (isset($id) && $a_rule[$id]) { // See if moving an existing Suricata instance to another physical interface if ($natent['interface'] != $a_rule[$id]['interface']) { $oif_real = get_real_interface($a_rule[$id]['interface']); if (suricata_is_running($a_rule[$id]['uuid'], $oif_real)) { suricata_stop($a_rule[$id], $oif_real); $suricata_start = true; } else $suricata_start = false; exec("mv -f {$suricatalogdir}suricata_{$oif_real}" . $a_rule[$id]['uuid'] . " {$suricatalogdir}suricata_{$if_real}" . $a_rule[$id]['uuid']); conf_mount_rw(); exec("mv -f {$suricatadir}suricata_" . $a_rule[$id]['uuid'] . "_{$oif_real} {$suricatadir}suricata_" . $a_rule[$id]['uuid'] . "_{$if_real}"); conf_mount_ro(); } $a_rule[$id] = $natent; } else { // Adding new interface, so set interface configuration parameter defaults $natent['ip_max_frags'] = "65535"; $natent['ip_frag_timeout'] = "60"; $natent['frag_memcap'] = '33554432'; $natent['ip_max_trackers'] = '65535'; $natent['frag_hash_size'] = '65536'; $natent['flow_memcap'] = '33554432'; $natent['flow_prealloc'] = '10000'; $natent['flow_hash_size'] = '65536'; $natent['flow_emerg_recovery'] = '30'; $natent['flow_prune'] = '5'; $natent['flow_tcp_new_timeout'] = '60'; $natent['flow_tcp_established_timeout'] = '3600'; $natent['flow_tcp_closed_timeout'] = '120'; $natent['flow_tcp_emerg_new_timeout'] = '10'; $natent['flow_tcp_emerg_established_timeout'] = '300'; $natent['flow_tcp_emerg_closed_timeout'] = '20'; $natent['flow_udp_new_timeout'] = '30'; $natent['flow_udp_established_timeout'] = '300'; $natent['flow_udp_emerg_new_timeout'] = '10'; $natent['flow_udp_emerg_established_timeout'] = '100'; $natent['flow_icmp_new_timeout'] = '30'; $natent['flow_icmp_established_timeout'] = '300'; $natent['flow_icmp_emerg_new_timeout'] = '10'; $natent['flow_icmp_emerg_established_timeout'] = '100'; $natent['stream_memcap'] = '33554432'; $natent['stream_max_sessions'] = '262144'; $natent['stream_prealloc_sessions'] = '32768'; $natent['reassembly_memcap'] = '67108864'; $natent['reassembly_depth'] = '1048576'; $natent['reassembly_to_server_chunk'] = '2560'; $natent['reassembly_to_client_chunk'] = '2560'; $natent['enable_midstream_sessions'] = 'off'; $natent['enable_async_sessions'] = 'off'; $natent['delayed_detect'] = 'off'; $natent['asn1_max_frames'] = '256'; $default = array( "name" => "default", "bind_to" => "all", "policy" => "bsd" ); if (!is_array($natent['host_os_policy']['item'])) $natent['host_os_policy']['item'] = array(); $natent['host_os_policy']['item'][] = $default; $default = array( "name" => "default", "bind_to" => "all", "personality" => "IDS", "request-body-limit" => 4096, "response-body-limit" => 4096, "double-decode-path" => "no", "double-decode-query" => "no" ); if (!is_array($natent['libhtp_policy']['item'])) $natent['libhtp_policy']['item'] = array(); $natent['libhtp_policy']['item'][] = $default; // Enable the basic default rules for the interface $natent['rulesets'] = "decoder-events.rules||files.rules||http-events.rules||smtp-events.rules||stream-events.rules||tls-events.rules"; // Adding a new interface, so set flag to build new rules $rebuild_rules = true; // Add the new interface configuration to the [rule] array in config $a_rule[] = $natent; } // If Suricata is disabled on this interface, stop any running instance if ($natent['enable'] != 'on') suricata_stop($natent, $if_real); // Save configuration changes write_config(); // Update suricata.conf and suricata.sh files for this interface sync_suricata_package_config(); header( 'Expires: Sat, 26 Jul 1997 05:00:00 GMT' ); header( 'Last-Modified: ' . gmdate( 'D, d M Y H:i:s' ) . ' GMT' ); header( 'Cache-Control: no-store, no-cache, must-revalidate' ); header( 'Cache-Control: post-check=0, pre-check=0', false ); header( 'Pragma: no-cache' ); header("Location: /suricata/suricata_interfaces.php"); exit; } else $pconfig = $_POST; } $if_friendly = convert_friendly_interface_to_friendly_descr($pconfig['interface']); $pgtitle = gettext("Suricata: Interface {$if_friendly} - Edit Settings"); include_once("head.inc"); ?>
" method="post" name="iform" id="iform"> '; echo '
'; $tab_array = array(); $menu_iface=($if_friendly?substr($if_friendly,0,5)." ":"Iface "); $tab_array[] = array($menu_iface . gettext("Settings"), true, "/suricata/suricata_interfaces_edit.php?id={$id}"); $tab_array[] = array($menu_iface . gettext("Categories"), false, "/suricata/suricata_rulesets.php?id={$id}"); $tab_array[] = array($menu_iface . gettext("Rules"), false, "/suricata/suricata_rules.php?id={$id}"); $tab_array[] = array($menu_iface . gettext("Flow/Stream"), false, "/suricata/suricata_flow_stream.php?id={$id}"); $tab_array[] = array($menu_iface . gettext("App Parsers"), false, "/suricata/suricata_app_parsers.php?id={$id}"); $tab_array[] = array($menu_iface . gettext("Variables"), false, "/suricata/suricata_define_vars.php?id={$id}"); $tab_array[] = array($menu_iface . gettext("Barnyard2"), false, "/suricata/suricata_barnyard.php?id={$id}"); display_top_tabs($tab_array, true); ?>
onClick="enable_change(false)"/>
  
 



/>
onClick="toggle_stats_log();" id="enable_stats_log"/> " . gettext("Not Checked") . "."; ?>
  " . gettext("seconds") . "" . gettext(" for stats updating. Default is ") . "" . gettext("10") . "."; ?>
/> " . gettext("Not Checked") . "."; ?>
onClick="toggle_http_log()" id="enable_http_log"/> " . gettext("Checked") . "."; ?>
/> " . gettext("Checked") . "."; ?>
onClick="toggle_tls_log()" id="enable_tls_log"/> " . gettext("Not Checked") . "."; ?>
/> " . gettext("Checked") . "."; ?>
onClick="toggle_json_file_log()" id="enable_json_file_log"/> " . gettext("Not Checked") . "."; ?>
id="append_json_file_log"/> " . gettext("Checked") . "."; ?>
id="enable_tracked_files_magic"/> " . gettext("Not Checked") . "."; ?>
id="enable_tracked_files_md5"/> " . gettext("Not Checked") . "."; ?>
onClick="toggle_file_store()" id="enable_file_store"/> " . gettext("Not Checked") . "."; ?>
onClick="toggle_pcap_log()"/> " . gettext("Not Checked") . "."; ?>
  " . gettext("MB") . "" . gettext(" for a packet log file. Default is ") . "" . gettext("32") . "."; ?>

  " . gettext("1000") . "."; ?>

onClick="enable_blockoffenders()"/>
/>
  
 " . gettext("Choosing BOTH is suggested, and it is the default value."); ?>
  " . gettext("1024") . "."; ?>

" . gettext("Warning: ") . "" . gettext("Setting this too high can lead to degradation and a possible system crash by exhausting available memory.") ?>
   " . gettext("Default") . "" . gettext(" is ") . "" . gettext("Medium") . ""; ?>.


   " . gettext("Default") . "" . gettext(" is ") . "" . gettext("AC") . ""; ?>.


   " . gettext("Default") . "" . gettext(" is ") . "" . gettext("Auto") . ""; ?>.


  " . gettext("3000") . "."; ?>

/> " . gettext("Not Checked") . "."; ?>
     "/>


 
 
    

 
 
     "/>


 
 
     "/>

 
" . gettext("Default option disables suppression and filtering."); ?>
"/>
" . gettext("Please save your settings before you attempt to start Suricata."); ?>