# File where the addresses of the used DNS servers are stored.
our $dns_servers_file = "$settingsdir/suricata-dns-servers.yaml";
+# File where the HTTP ports definition is stored.
+our $http_ports_file = "$settingsdir/suricata-http-ports.yaml";
+
# File which contains the enabled sids.
our $enabled_sids_file = "$settingsdir/oinkmaster-enabled-sids.conf";
# Array with supported cron intervals.
my @cron_intervals = ('off', 'daily', 'weekly' );
+# Array which contains the HTTP ports, which statically will be declared as HTTP_PORTS in the
+# http_ports_file.
+my @http_ports = ('80', '81');
+
#
## Function to check and create all IDS related files, if the does not exist.
#
close(FILE);
}
+#
+# Function to generate and write the file which contains the HTTP_PORTS definition.
+#
+sub generate_http_ports_file() {
+ my %proxysettings;
+
+ # Read-in proxy settings
+ &General::readhash("${General::swroot}/proxy/advanced/settings", \%proxysettings);
+
+ # Check if the proxy is enabled.
+ if (( -e "${General::swroot}/proxy/enable") || (-e "${General::swroot}/proxy/enable_blue")) {
+ # Add the proxy port to the array of HTTP ports.
+ push(@http_ports, $proxysettings{'PROXY_PORT'});
+ }
+
+ # Check if the transparent mode of the proxy is enabled.
+ if ((-e "${General::swroot}/proxy/transparent") || (-e "${General::swroot}/proxy/transparent_blue")) {
+ # Add the transparent proxy port to the array of HTTP ports.
+ push(@http_ports, $proxysettings{'TRANSPARENT_PORT'});
+ }
+
+ # Format HTTP_PORTS declaration.
+ my $line = "";
+
+ # Generate line which will be written to the http ports file.
+ $line = join(",", @http_ports);
+
+ # Open file to store the HTTP_PORTS.
+ open(FILE, ">$http_ports_file") or die "Could not open $http_ports_file. $!\n";
+
+ # Print yaml header.
+ print FILE "%YAML 1.1\n";
+ print FILE "---\n\n";
+
+ # Print notice about autogenerated file.
+ print FILE "#Autogenerated file. Any custom changes will be overwritten!\n";
+
+ # Print the generated HTTP_PORTS declaration to the file.
+ print FILE "HTTP_PORTS:\t\"[$line]\"\n";
+
+ # Close file handle.
+ close(FILE);
+}
+
#
## Function to generate and write the file for used rulefiles.
#
###############################################################################
# #
# IPFire.org - A linux based firewall #
-# Copyright (C) 2019 IPFire Development Team <info@ipfire.org> #
+# Copyright (C) 2020 IPFire Development Team <info@ipfire.org> #
# #
# This program is free software: you can redistribute it and/or modify #
# it under the terms of the GNU General Public License as published by #
&IDS::set_ownership("$IDS::dns_servers_file");
#
-## Step 11: Setup automatic ruleset updates.
+## Step 11: Generate file which contains the HTTP ports.
+#
+
+# Call subfunction to generate the file.
+&IDS::generate_http_ports_file();
+
+# Set correct ownership for the http_ports_file.
+&IDS::set_ownership("$IDS::http_ports_file");
+
+#
+## Step 12: Setup automatic ruleset updates.
#
# Check if a ruleset is configured.
}
#
-## Step 12: Grab used ruleset files from snort config file and convert
+## Step 13: Grab used ruleset files from snort config file and convert
## them into the new format.
#
&IDS::write_used_rulefiles_file(@enabled_rule_files);
#
-## Step 13: Start the IDS if enabled.
+## Step 14: Start the IDS if enabled.
#
# Check if the IDS should be started.
--- /dev/null
+#!/usr/bin/perl
+###############################################################################
+# #
+# IPFire.org - A linux based firewall #
+# Copyright (C) 2012 IPFire Development Team <info@ipfire.org> #
+# #
+# This program is free software: you can redistribute it and/or modify #
+# it under the terms of the GNU General Public License as published by #
+# the Free Software Foundation, either version 3 of the License, or #
+# (at your option) any later version. #
+# #
+# This program is distributed in the hope that it will be useful, #
+# but WITHOUT ANY WARRANTY; without even the implied warranty of #
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the #
+# GNU General Public License for more details. #
+# #
+# You should have received a copy of the GNU General Public License #
+# along with this program. If not, see <http://www.gnu.org/licenses/>. #
+# #
+###############################################################################
+
+use strict;
+
+require '/var/ipfire/general-functions.pl';
+require "${General::swroot}/ids-functions.pl";
+
+exit unless(-f $IDS::ids_settings_file and -f $IDS::rules_settings_file);
+
+#
+## Step 1: Generate and write the HTTP ports file.
+#
+
+# Call subfunction to generate the HTTP ports file.
+&IDS::generate_http_ports_file();
+
+# Set correct ownership.
+&IDS::set_ownership("$IDS::http_ports_file");
+
+#
+## Step 2: Restart suricata if necessary.
+#
+
+# Check if the IDS should be started.
+if(&IDS::ids_is_running()) {
+ # Call suricatactrl and reload the rules.
+ &IDS::call_suricatactrl("restart");
+}
ENIP_SERVER: "$HOME_NET"
port-groups:
- HTTP_PORTS: "[80,81]"
+ # Incluse HTTP_PORTS declaration from external file.
+ include: /var/ipfire/suricata/suricata-http-ports.yaml
+
SHELLCODE_PORTS: "!80"
ORACLE_PORTS: 1521
SSH_PORTS: "[22,222]"
###############################################################################
# #
# IPFire.org - A linux based firewall #
-# Copyright (C) 2007-2018 IPFire Team <info@ipfire.org> #
+# Copyright (C) 2007-2020 IPFire Team <info@ipfire.org> #
# #
# This program is free software: you can redistribute it and/or modify #
# it under the terms of the GNU General Public License as published by #
# Generate file to the store the DNS servers.
&IDS::generate_dns_servers_file();
+ # Generate file to store the HTTP ports.
+ &IDS::generate_http_ports_file();
+
# Write the modify sid's file and pass the taken ruleaction.
&IDS::write_modify_sids_file();
###############################################################################
# #
# IPFire.org - A linux based firewall #
-# Copyright (C) 2007-2013 IPFire Team <info@ipfire.org> #
+# Copyright (C) 2007-2020 IPFire Team <info@ipfire.org> #
# #
# This program is free software: you can redistribute it and/or modify #
# it under the terms of the GNU General Public License as published by #
require "${General::swroot}/lang.pl";
require "${General::swroot}/header.pl";
+require "${General::swroot}/ids-functions.pl";
+
my @squidversion = `/usr/sbin/squid -v`;
my $http_port='81';
my $https_port='444';
if ($proxysettings{'VALID'} eq 'yes')
{
+ # Determine if suricata may needs to be restarted.
+ my $suricata_proxy_ports_changed;
+
+ # Check if the IDS is running
+ if(&IDS::ids_is_running()) {
+ my %oldproxysettings;
+
+ # Read-in current proxy settings and store them as oldsettings hash.
+ &General::readhash("${General::swroot}/proxy/advanced/settings", \%oldproxysettings);
+
+ # Check if the proxy port has been changed.
+ unless ($proxysettings{'PROXY_PORT'} eq $oldproxysettings{'PROXY_PORT'}) {
+ # Port has changed, suricata needs to be adjusted.
+ $suricata_proxy_ports_changed = 1;
+ }
+
+ # Check if the transparent port has been changed.
+ unless ($proxysettings{'TRANSPARENT_PORT'} eq $oldproxysettings{'TRANSPARENT_PORT'}) {
+ # Transparent port has changed, suricata needs to be adjusted.
+ $suricata_proxy_ports_changed = 1;
+ }
+ }
+
&write_acls;
delete $proxysettings{'SRC_SUBNETS'};
if ($proxysettings{'ACTION'} eq $Lang::tr{'advproxy save and restart'}) { system('/usr/local/bin/squidctrl restart >/dev/null 2>&1'); }
if ($proxysettings{'ACTION'} eq $Lang::tr{'proxy reconfigure'}) { system('/usr/local/bin/squidctrl reconfigure >/dev/null 2>&1'); }
+
+ # Check if the suricata_proxy_ports_changed flag has been set.
+ if ($suricata_proxy_ports_changed) {
+ # Re-generate HTTP ports file.
+ &IDS::generate_http_ports_file();
+
+ # Restart suricata.
+ &IDS::call_suricatactrl("restart");
+ }
}
}