From c5a5eae15a002eb5d851554a13f3862f3993250b Mon Sep 17 00:00:00 2001
From: Michael Tremer
Date: Mon, 11 Aug 2025 12:47:55 +0100
Subject: [PATCH] suricata: Automatically email reports once per month/week/day
Signed-off-by: Michael Tremer
---
 config/cron/crontab | 5 +
 config/rootfiles/common/suricata | 1 +
 config/suricata/suricata-report-cron | 144 +++++++++++++++++++++++++++
 lfs/suricata | 4 +
 4 files changed, 154 insertions(+)
 create mode 100644 config/suricata/suricata-report-cron
diff --git a/config/cron/crontab b/config/cron/crontab
index 7088e0b750..f516bcf357 100644
--- a/config/cron/crontab
+++ b/config/cron/crontab
@@ -65,6 +65,11 @@ HOME=/
 # Perform a surciata rules update every 12 hours.
 @ 12h [ -f "/var/ipfire/red/active" ] && /usr/local/bin/update-ids-ruleset >/dev/null 2>&1
+# Send IPS reports
+&nice(5),bootrun 0 9 * * * /usr/bin/suricata-report-cron daily
+&nice(5),bootrun 0 9 * * MON /usr/bin/suricata-report-cron weekly
+&nice(5),bootrun 0 9 1 * * /usr/bin/suricata-report-cron monthly
+
 # Update Lists for IP-based blocking every 15 minutes.
 @ 15 [ -f "/var/ipfire/red/active" ] && /usr/local/bin/update-ipblocklists >/dev/null 2>&1
diff --git a/config/rootfiles/common/suricata b/config/rootfiles/common/suricata
index 1237ecfb8a..c961b21f20 100644
--- a/config/rootfiles/common/suricata
+++ b/config/rootfiles/common/suricata
@@ -2,6 +2,7 @@ etc/suricata
 etc/suricata/suricata.yaml
 usr/bin/suricata
 usr/bin/suricata-reporter
+usr/bin/suricata-report-cron
 usr/bin/suricata-watcher
 #usr/bin/suricatactl
 #usr/bin/suricatasc
diff --git a/config/suricata/suricata-report-cron b/config/suricata/suricata-report-cron
new file mode 100644
index 0000000000..3aa4cc8f89
--- /dev/null
+++ b/config/suricata/suricata-report-cron
@@ -0,0 +1,144 @@
+#!/bin/bash
+###############################################################################
+# #
+# IPFire.org - A linux based firewall #
+# Copyright (C) 2025 Michael Tremer #
+# #
+# This program is free software: you can redistribute it and/or modify #
+# it under the terms of the GNU General Public License as published by #
+# the Free Software Foundation, either version 3 of the License, or #
+# (at your option) any later version. #
+# #
+# This program is distributed in the hope that it will be useful, #
+# but WITHOUT ANY WARRANTY; without even the implied warranty of #
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the #
+# GNU General Public License for more details. #
+# #
+# You should have received a copy of the GNU General Public License #
+# along with this program. If not, see . #
+# #
+###############################################################################
+
+. /etc/sysconfig/rc
+. "${rc_functions}"
+
+# Read the IPS settings
+readhash CONFIG "/var/ipfire/suricata/settings"
+
+send_report() {
+ local args=( "$@" )
+ local address
+
+ # Add the email sender
+ if [ -n "${CONFIG[EMAIL_SENDER]}" ]; then
+ args+=( "--email-sender=${CONFIG[EMAIL_SENDER]}" )
+
+ # Fail if we don't have a sender
+ else
+ echo "${0}: Cannot send reports with EMAIL_SENDER being set" >&2
+ return 2
+ fi
+
+ local IFS=','
+
+ # Append the email recipients
+ for address in ${CONFIG[EMAIL_RECIPIENTS]}; do
+ args+=( "--email-recipient=${address}" )
+ done
+
+ # Generate the report
+ if ! suricata-report-generator "${args[@]}"; then
+ return 1
+ fi
+
+ return 0
+}
+
+send_monthly_report() {
+ # Check if we are supposed to send monthly reports
+ case "${CONFIG[ENABLE_REPORT_MONTHLY]}" in
+ on)
+ ;;
+ *)
+ return 0
+ ;;
+ esac
+
+ # Determine the last month
+ local y="$(date --date="last month" +"%Y")"
+ local m="$(date --date="last month" +"%m")"
+
+ # Send the report
+ send_report --year="${y}" --month="${m}"
+}
+
+send_weekly_report() {
+ # Check if we are supposed to send weekly reports
+ case "${CONFIG[ENABLE_REPORT_WEEKLY]}" in
+ on)
+ ;;
+ *)
+ return 0
+ ;;
+ esac
+
+ # Determine last week
+ local y="$(date --date="last week" +"%Y")"
+ local w="$(date --date="last week" +"%V")"
+
+ # Send the report
+ send_report --year="${y}" --week="${w}"
+}
+
+# Sends a daily report for "yesterday"
+send_daily_report() {
+ # Check if we are supposed to send daily reports
+ case "${CONFIG[ENABLE_REPORT_DAILY]}" in
+ on)
+ ;;
+ *)
+ return 0
+ ;;
+ esac
+
+ # Determine yesterday's date
+ local y="$(date --date="yesterday" +"%Y")"
+ local m="$(date --date="yesterday" +"%m")"
+ local d="$(date --date="yesterday" +"%d")"
+
+ # Send the report
+ send_report --year="${y}" --month="${m}" --day="${d}"
+}
+
+main() {
+ local interval="${1}"
+ shift
+
+ case "${interval}" in
+ monthly)
+ if ! send_monthly_report "$@"; then
+ return $?
+ fi
+ ;;
+
+ weekly)
+ if ! send_weekly_report "$@"; then
+ return $?
+ fi
+ ;;
+
+ daily)
+ if ! send_daily_report "$@"; then
+ return $?
+ fi
+ ;;
+ *)
+ echo "${0}: Unknown interval '${interval}'" >&2
+ return 2
+ ;;
+ esac
+
+ return 0
+}
+
+main "$@" || exit 1
diff --git a/lfs/suricata b/lfs/suricata
index 62759ecea0..576c62e22b 100644
--- a/lfs/suricata
+++ b/lfs/suricata
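Review bot: In `main`, the `return $?` inside each `if ! send_…_report "$@"; then` branch returns the status of the negated condition, which is 0 precisely when the report function has failed, so `main` returns 0 and the trailing `main "$@" || exit 1` never fires for a failed generator run or for the missing-sender `return 2`; write each branch as `send_monthly_report "$@" || return $?` (and likewise for weekly and daily) so the real status propagates to cron. In `send_weekly_report`, `%V` is the ISO 8601 week number but `%Y` is the calendar year, so for a Monday run in the first days of January (e.g. 2026-01-05, whose "last week" 2025-12-29 lies in ISO week 2026-W01) the arguments become `--year=2025 --week=01`; if the generator treats `--week` as an ISO week, the year should come from `+"%G"` instead. The error message in `send_report` states the opposite of what it checks — `echo "${0}: Cannot send reports without EMAIL_SENDER being set" >&2` — and an empty `EMAIL_RECIPIENTS` currently still invokes the generator with no `--email-recipient` argument at all, which may deserve the same `return 2`. The script calls `suricata-report-generator` while the rootfile in this patch lists only `usr/bin/suricata-reporter`; if that generator binary is not installed by another package, every run will fail with the status that is currently swallowed.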
@@ -142,6 +142,10 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
 /var/ipfire/suricata/reporter.conf
 chown -v nobody:nobody /var/ipfire/suricata/reporter.conf
+ # Install the cron script
+ install -v -m 755 $(DIR_SRC)/config/suricata/suricata-report-cron \
+ /usr/bin/suricata-report-cron
+
 # Install the watcher
 install -v -m 755 $(DIR_SRC)/config/suricata/suricata-watcher /usr/bin/suricata-watcher
-- 2.47.3