X-Git-Url: http://git.ipfire.org/?a=blobdiff_plain;f=html%2Fcgi-bin%2Fids.cgi;h=604d216c8938fea9aee7055cb95f399b4bf89866;hb=cf02bf2f7d23f9755a6e08383dd46fa9033d924b;hp=6a5dce80275d49bad006b986949b47c143eafb68;hpb=b02e30fd81e3e095ea3cd74cb8f0b056d68e10e7;p=ipfire-2.x.git
diff --git a/html/cgi-bin/ids.cgi b/html/cgi-bin/ids.cgi
index 6a5dce8027..604d216c89 100644
--- a/html/cgi-bin/ids.cgi
+++ b/html/cgi-bin/ids.cgi
@@ -131,7 +131,7 @@ if (($cgiparams{'WHITELIST'} eq $Lang::tr{'add'}) || ($cgiparams{'WHITELIST'} eq
 &General::writehasharray($IDS::ignored_file, \%ignored);
 # Regenerate the ignore file.
- &GenerateIgnoreFile();
+ &IDS::generate_ignore_file();
 }
 # Check if the IDS is running.
@@ -174,7 +174,7 @@ if (($cgiparams{'WHITELIST'} eq $Lang::tr{'add'}) || ($cgiparams{'WHITELIST'} eq
 &General::writehasharray($IDS::ignored_file, \%ignored);
 # Regenerate the ignore file.
- &GenerateIgnoreFile();
+ &IDS::generate_ignore_file();
 # Check if the IDS is running.
 if(&IDS::ids_is_running()) {
@@ -201,7 +201,7 @@ if (($cgiparams{'WHITELIST'} eq $Lang::tr{'add'}) || ($cgiparams{'WHITELIST'} eq
 &General::writehasharray($IDS::ignored_file, \%ignored);
 # Regenerate the ignore file.
- &GenerateIgnoreFile();
+ &IDS::generate_ignore_file();
 # Check if the IDS is running.
 if(&IDS::ids_is_running()) {
@@ -225,7 +225,6 @@ if (-e $IDS::storederrorfile) {
 unlink($IDS::storederrorfile);
 }
-
 ## Grab all available snort rules and store them in the idsrules hash.
 #
 # Open snort rules directory and do a directory listing.
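Review bot: The whitelist file is now produced by `&IDS::generate_ignore_file()`, whose body is not part of this diff; the local `GenerateIgnoreFile` it replaces (removed in the last hunk) only emitted a `pass ip $address any -> any any (...)` rule after `&General::validip`/`&General::validipandmask` had accepted the entry, and that filter is what keeps characters such as `;` or `"` from a stored whitelist entry out of the generated rule line. Worth confirming that the module version kept that validation and the reserved local SID range (`my $sid = 1500000;`), because the CGI itself no longer validates anything on this path before the ignore file is regenerated and suricata is reloaded. The enclosing WHITELIST handler starts before this hunk.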
@@ -324,6 +323,40 @@ if ($cgiparams{'RULESET'} eq $Lang::tr{'save'}) {
 &IDS::call_suricatactrl("cron", $cgiparams{'AUTOUPDATE_INTERVAL'});
 }
+ # Check if a ruleset is present - if not download it.
+ unless (%idsrules) {
+ # Check if the red device is active.
+ unless (-e "${General::swroot}/red/active") {
+ $errormessage = "$Lang::tr{'could not download latest updates'} - $Lang::tr{'system is offline'}";
+ }
+
+ # Check if enought free disk space is availabe.
+ if(&IDS::checkdiskspace()) {
+ $errormessage = "$Lang::tr{'not enough disk space'}";
+ }
+
+ # Check if any errors happend.
+ unless ($errormessage) {
+ # Lock the webpage and print notice about downloading
+ # a new ruleset.
+ &working_notice("$Lang::tr{'snort working'}");
+
+ # Call subfunction to download the ruleset.
+ if(&IDS::downloadruleset()) {
+ $errormessage = $Lang::tr{'could not download latest updates'};
+
+ # Call function to store the errormessage.
+ &IDS::_store_error_message($errormessage);
+ } else {
+ # Call subfunction to launch oinkmaster.
+ &IDS::oinkmaster();
+ }
+
+ # Perform a reload of the page.
+ &reload();
+ }
+ }
+
 # Save ruleset.
 } elsif ($cgiparams{'RULESET'} eq $Lang::tr{'update'}) {
 # Arrays to store which rulefiles have been enabled and will be used.
@@ -441,10 +474,10 @@ if ($cgiparams{'RULESET'} eq $Lang::tr{'save'}) {
 &reload();
 # Download new ruleset.
-} elsif ($cgiparams{'RULESET'} eq $Lang::tr{'download new ruleset'}) {
+} elsif ($cgiparams{'RULESET'} eq $Lang::tr{'update ruleset'}) {
 # Check if the red device is active.
 unless (-e "${General::swroot}/red/active") {
- $errormessage = $Lang::tr{'could not download latest updates'};
+ $errormessage = "$Lang::tr{'could not download latest updates'} - $Lang::tr{'system is offline'}";
 }
 # Check if enought free disk space is availabe.
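Review bot: In the new auto-download block the offline test and the disk-space test are independent, so when both fail the second assignment silently replaces the first and the user is told only about disk space; `&IDS::checkdiskspace()` also runs even though the system is already known to be offline. Turning the second test into `} elsif (&IDS::checkdiskspace()) {` keeps the first failure and skips the pointless check (the pre-existing 'update ruleset' branch below shares the same pattern, but the new code need not copy it). The block also calls `&IDS::_store_error_message($errormessage)`, a leading-underscore sub that by convention is private to IDS.pm; if the CGI is meant to use it, drop the underscore in the module or add a public wrapper rather than reaching across the boundary. IDS::downloadruleset and IDS::oinkmaster are not in this diff, so whether the fetched archive is integrity-checked before it is unpacked cannot be judged here — worth confirming, since this path now fires automatically on every settings save while no ruleset is present. The enclosing `if ($cgiparams{'RULESET'} eq ...)` chain starts before and ends after this hunk.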
@@ -527,20 +560,19 @@ if ($cgiparams{'RULESET'} eq $Lang::tr{'save'}) {
 # Generate file to store the home net.
 &IDS::generate_home_net_file();
- # Open modify sid's file for writing.
- open(FILE, ">$IDS::modify_sids_file") or die "Could not write to $IDS::modify_sids_file. $!\n";
-
- # Write file header.
- print FILE "#Autogenerated file. Any custom changes will be overwritten!\n";
+ # Temporary variable to set the ruleaction.
+ # Default is "drop" to use suricata as IPS.
+ my $ruleaction="drop";
 # Check if the traffic only should be monitored.
- unless($cgiparams{'MONITOR_TRAFFIC_ONLY'} eq 'on') {
- # Tell oinkmaster to switch all rules from alert to drop.
- print FILE "modifysid \* \"alert\" \| \"drop\"\n";
+ if($cgiparams{'MONITOR_TRAFFIC_ONLY'} eq 'on') {
+ # Switch the ruleaction to "alert".
+ # Suricata acts as an IDS only.
+ $ruleaction="alert";
 }
- # Close file handle.
- close(FILE);
+ # Write the modify sid's file and pass the taken ruleaction.
+ &IDS::write_modify_sids_file($ruleaction);
 # Check if "MONITOR_TRAFFIC_ONLY" has been changed.
 if($cgiparams{'MONITOR_TRAFFIC_ONLY'} ne $oldidssettings{'MONITOR_TRAFFIC_ONLY'}) {
@@ -614,6 +646,22 @@ $selected{'AUTOUPDATE_INTERVAL'}{$rulessettings{'AUTOUPDATE_INTERVAL'}} = "selec
 ### Java Script ###
 print <
+ // JQuery function to show/hide the text input field for
+ // Oinkcode/Subscription code.
+ \$(function() {
+ \$('#RULES').change(function(){
+ if(\$('#RULES').val() == 'registered') {
+ \$('#code').show();
+ } else if(\$('#RULES').val() == 'subscripted') {
+ \$('#code').show();
+ } else if(\$('#RULES').val() == 'emerging_pro') {
+ \$('#code').show();
+ } else {
+ \$('#code').hide();
+ }
+ });
+ });
+
 // Tiny java script function to show/hide the rules
 // of a given category.
 function showhide(tblname) {
@@ -682,7 +730,6 @@ END
 END
 }
-&Header::closebox();
 my $rulesdate;
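Review bot: `$ruleaction` is chosen solely by whether `$cgiparams{'MONITOR_TRAFFIC_ONLY'}` equals `'on'`, so any other value — including the checkbox simply being absent from the request — leaves `drop` in place; that fail-toward-blocking default is sensible but nothing in the hunk says it is intentional, and the comment above `my $ruleaction="drop";` only calls it the default. I would make it explicit: `# Anything other than 'on' (including an unchecked or missing box) keeps "drop", so suricata blocks rather than only alerts.` It is also worth one line noting that `&IDS::write_modify_sids_file($ruleaction)` is only ever handed one of the two fixed literals, never raw CGI input, since that is what keeps the move away from the inline `print FILE "modifysid ..."` from turning into a rule-file injection point. The enclosing RULESET branch starts before and ends after this hunk.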
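Review bot: The three `else if` arms of the new change handler all perform the same `\$('#code').show()`, and nothing invokes the logic on page load, so the field's initial visibility is whatever the server rendered until the user touches the select. Collapsing the chain to `\$('#code').toggle(['registered', 'subscripted', 'emerging_pro'].indexOf(\$('#RULES').val()) != -1);` and calling `\$('#RULES').change();` immediately after registering the handler addresses both. Hiding the input client-side neither clears nor protects a previously stored oinkcode, so the server-side handling of that value must not rely on this toggle. The `print <<END` heredoc this sits in starts and ends outside the hunk.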
@@ -695,79 +742,84 @@ if ( -f "$IDS::rulestarball"){ $rulesdate = localtime($Info[9]); } -# Draw elements for IDS configuration. -&Header::openbox('100%', 'center', $Lang::tr{'settings'}); +# Only show this area, if a ruleset is present. +if (%idsrules) { -print < - - - + print <

$Lang::tr{'settings'}

+ +
+
- $Lang::tr{'ids activate'} $Lang::tr{'intrusion detection system'} -
+ + - - + - - - - - - + + + + + + - - - + + + - + END ; -# Loop through the array of available networks and print config options. -foreach my $zone (@network_zones) { - my $checked_input; - my $checked_forward; + # Loop through the array of available networks and print config options. + foreach my $zone (@network_zones) { + my $checked_input; + my $checked_forward; - # Convert current zone name to upper case. - my $zone_upper = uc($zone); + # Convert current zone name to upper case. + my $zone_upper = uc($zone); - # Set zone name. - my $zone_name = $zone; + # Set zone name. + my $zone_name = $zone; - # Dirty hack to get the correct language string for the red zone. - if ($zone eq "red") { - $zone_name = "red1"; - } + # Dirty hack to get the correct language string for the red zone. + if ($zone eq "red") { + $zone_name = "red1"; + } - # Grab checkbox status from settings hash. - if ($idssettings{"ENABLE_IDS_$zone_upper"} eq "on") { - $checked_input = "checked = 'checked'"; - } + # Grab checkbox status from settings hash. + if ($idssettings{"ENABLE_IDS_$zone_upper"} eq "on") { + $checked_input = "checked = 'checked'"; + } - print "\n"; -} + print "\n"; + } print < -
+ $Lang::tr{'ids activate'} $Lang::tr{'intrusion detection system'} + - $Lang::tr{'ids monitor traffic only'} + + $Lang::tr{'ids monitor traffic only'}
















$Lang::tr{'ids monitored interfaces'}
$Lang::tr{'ids monitored interfaces'}
\n"; - print "\n"; - print " $Lang::tr{'enabled on'} $Lang::tr{$zone_name}\n"; - print "\n"; + print "\n"; + print " $Lang::tr{'enabled on'} $Lang::tr{$zone_name}\n"; + print "
+ + -

+

- - - - -
- + + + + +
+ END ; +} + &Header::closebox(); # Draw elements for ruleset configuration. @@ -782,8 +834,9 @@ print < - + @@ -800,14 +853,11 @@ print < - -
$Lang::tr{'ids rules license'} www.snort.org$Lang::tr{'ids rules license1'}
-
$Lang::tr{'ids rules license2'} Get an Oinkcode, $Lang::tr{'ids rules license3'}
- +

- - Oinkcode:  + + Oinkcode:  @@ -816,19 +866,10 @@ print < END ; - # Check if a ruleset source has been configured yet. - unless($rulessettings{'RULES'}) { - # If no ruleset settings have been saved yet, disable the button to download / update the ruleset. - print"\n"; - } else { - # Ruleset setting have been saved. - Check if a ruleset already is downloaded. + # Check if a ruleset has been downloaded yet. if (%idsrules) { - # Allow to press the button and show it as "update ruleset". + # Display button to update the ruleset. print"\n"; - } else { - # Also allow to press the button, but show it as "download new ruleset". - print"\n"; - } } print < 
@@ -1210,54 +1251,6 @@ sub get_memory_usage($) { return; } -# -## Function to generate the rules file with whitelisted addresses. -# -sub GenerateIgnoreFile() { - my %ignored = (); - - # SID range 1000000-1999999 Reserved for Local Use - # Put your custom rules in this range to avoid conflicts - my $sid = 1500000; - - # Read-in ignoredfile. - &General::readhasharray($IDS::ignored_file, \%ignored); - - # Open ignorefile for writing. - open(FILE, ">$IDS::whitelist_file") or die "Could not write to $IDS::whitelist_file. $!\n"; - - # Config file header. - print FILE "# Autogenerated file.\n"; - print FILE "# All user modifications will be overwritten.\n\n"; - - # Add all user defined addresses to the whitelist. - # - # Check if the hash contains any elements. - if (keys (%ignored)) { - # Loop through the entire hash and write the host/network - # and remark to the ignore file. - while ( (my $key) = each %ignored) { - my $address = $ignored{$key}[0]; - my $remark = $ignored{$key}[1]; - my $status = $ignored{$key}[2]; - - # Check if the status of the entry is "enabled". - if ($status eq "enabled") { - # Check if the address/network is valid. - if ((&General::validip($address)) || (&General::validipandmask($address))) { - # Write rule line to the file to pass any traffic from this IP - print FILE "pass ip $address any -> any any (msg:\"pass all traffic from/to $address\"\; sid:$sid\;)\n"; - - # Increment sid. - $sid++; - } - } - } - } - - close(FILE); -} - # ## Function to read-in the given enabled or disables sids file. #