X-Git-Url: http://git.ipfire.org/?p=ipfire-2.x.git;a=blobdiff_plain;f=config%2Fcfgroot%2Fids-functions.pl;h=5530da11eb1f6cddcfd98ab59cdc41e4a7a1804d;hp=2a358b1cc114faede8a879d14113a6c5807ac837;hb=40407aee99546b4f25632bcaeb796d2a53cb1bcb;hpb=e4840020ed9962e3fac83c7a52670ed2cfd56672
diff --git a/config/cfgroot/ids-functions.pl b/config/cfgroot/ids-functions.pl
index 2a358b1cc1..5530da11eb 100644
--- a/config/cfgroot/ids-functions.pl
+++ b/config/cfgroot/ids-functions.pl
@@ -58,6 +58,9 @@ our $rulestarball = "/var/tmp/idsrules.tar.gz";
 # File to store any errors, which also will be read and displayed by the wui.
 our $storederrorfile = "/tmp/ids_storederror";
 
+# File to lock the WUI, while the autoupdate script runs.
+our $ids_page_lock_file = "/tmp/ids_page_locked";
+
 # Location where the rulefiles are stored.
 our $rulespath = "/var/lib/suricata";
 
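Review bot: `$ids_page_lock_file` places the WUI lock under a fixed name in the world-writable `/tmp`, so any local process can create that path or leave it in place, and nothing distinguishes a pre-existing entry from one the autoupdate script made. A directory owned by the IDS service, e.g. a subdirectory next to the other state under `$rulespath` or a `/var/run` entry, would restrict that to the intended writer; `$storederrorfile` two lines above has the same shape. How the WUI reacts to the file's presence is outside this hunk, so the practical impact cannot be judged from here.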
@@ -171,28 +174,18 @@ sub downloadruleset {
 
 # Check if an upstream proxy is configured.
 if ($proxysettings{'UPSTREAM_PROXY'}) {
- my ($peer, $peerport) = (/^(?:[a-zA-Z ]+\:\/\/)?(?:[A-Za-z0-9\_\.\-]*?(?:\:[A-Za-z0-9\_\.\-]*?)?\@)?([a-zA-Z0-9\.\_\-]*?)(?:\:([0-9]{1,5}))?(?:\/.*?)?$/);
 my $proxy_url;
 
- # Check if we got a peer.
- if ($peer) {
- $proxy_url = "http://";
-
- # Check if the proxy requires authentication.
- if (($proxysettings{'UPSTREAM_USER'}) && ($proxysettings{'UPSTREAM_PASSWORD'})) {
- $proxy_url .= "$proxysettings{'UPSTREAM_USER'}\:$proxysettings{'UPSTREAM_PASSWORD'}\@";
- }
-
- # Add proxy server address and port.
- $proxy_url .= "$peer\:$peerport";
- } else {
- # Log error message and break.
- &_log_to_syslog("Could not proper configure the proxy server access.");
+ $proxy_url = "http://";
 
- # Return "1" - false.
- return 1;
+ # Check if the proxy requires authentication.
+ if (($proxysettings{'UPSTREAM_USER'}) && ($proxysettings{'UPSTREAM_PASSWORD'})) {
+ $proxy_url .= "$proxysettings{'UPSTREAM_USER'}\:$proxysettings{'UPSTREAM_PASSWORD'}\@";
 }
 
+ # Add proxy server address and port.
+ $proxy_url .= $proxysettings{'UPSTREAM_PROXY'};
+
 # Setup proxy settings.
 $downloader->proxy(['http', 'https'], $proxy_url);
 }
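Review bot: `UPSTREAM_USER` and `UPSTREAM_PASSWORD` are interpolated into `$proxy_url` unescaped and `UPSTREAM_PROXY` is appended verbatim after the `http://` prefix, so a password containing `@`, `:`, `/` or `#`, or a stored proxy value that already carries a scheme, produces a URL that `$downloader->proxy` resolves to a different host than intended. The userinfo part should be percent-encoded before concatenation, `$proxy_url .= uri_escape($proxysettings{'UPSTREAM_USER'}) . ":" . uri_escape($proxysettings{'UPSTREAM_PASSWORD'}) . "@";`, with `URI::Escape` (part of the URI distribution LWP already depends on) imported at the top of the file. The removed regex at least tried to separate host and port; the new code assumes the stored value is already a bare `host:port`, which I cannot confirm from this hunk. downloadruleset continues outside the hunk.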
@@ -210,33 +203,42 @@ sub downloadruleset {
 return 1;
 }
 
- # Pass the requrested url to the downloader.
- my $request = HTTP::Request->new(HEAD => $url);
+ # Variable to store the filesize of the remote object.
+ my $remote_filesize;
 
- # Accept the html header.
- $request->header('Accept' => 'text/html');
+ # The sourcfire (snort rules) does not allow to send "HEAD" requests, so skip this check
+ # for this webserver.
+ #
+ # Check if the ruleset source contains "snort.org".
+ unless ($url =~ /\.snort\.org/) {
+ # Pass the requrested url to the downloader.
+ my $request = HTTP::Request->new(HEAD => $url);
 
- # Perform the request and fetch the html header.
- my $response = $downloader->request($request);
+ # Accept the html header.
+ $request->header('Accept' => 'text/html');
 
- # Check if there was any error.
- unless ($response->is_success) {
- # Obtain error.
- my $error = $response->content;
+ # Perform the request and fetch the html header.
+ my $response = $downloader->request($request);
 
- # Log error message.
- &_log_to_syslog("Unable to download the ruleset. \($error\)");
+ # Check if there was any error.
+ unless ($response->is_success) {
+ # Obtain error.
+ my $error = $response->status_line();
 
- # Return "1" - false.
- return 1;
- }
+ # Log error message.
+ &_log_to_syslog("Unable to download the ruleset. \($error\)");
+
+ # Return "1" - false.
+ return 1;
+ }
 
- # Assign the fetched header object.
- my $header = $response->headers;
+ # Assign the fetched header object.
+ my $header = $response->headers();
 
- # Grab the remote file size from the object and store it in the
- # variable.
- my $remote_filesize = $header->content_length;
+ # Grab the remote file size from the object and store it in the
+ # variable.
+ $remote_filesize = $header->content_length;
+ }
 
 # Load perl module to deal with temporary files.
 use File::Temp;
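Review bot: `unless ($url =~ /\.snort\.org/)` tests the whole URL instead of its host, so the HEAD pre-check is also skipped for any other ruleset URL that merely contains `.snort.org` in its path or query string; anchor the test on the host, e.g. `unless (URI->new($url)->host =~ /(?:\A|\.)snort\.org\z/)` (URI is already a dependency of LWP). That matters because every time the branch is skipped `$remote_filesize` stays undef and the size comparison later in the function is disabled. Logging `status_line()` instead of the response body is a good change. downloadruleset continues outside the hunk.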
@@ -273,7 +275,7 @@ sub downloadruleset {
 my $local_filesize = $stat->size;
 
 # Check if both file sizes match.
- unless ($remote_filesize eq $local_filesize) {
+ if (($remote_filesize) && ($remote_filesize ne $local_filesize)) {
 # Log error message.
 &_log_to_syslog("Unable to completely download the ruleset. ");
 &_log_to_syslog("Only got $local_filesize Bytes instead of $remote_filesize Bytes. ");
@@ -312,7 +314,7 @@ sub oinkmaster () {
 openlog('oinkmaster', 'cons,pid', 'user');
 
 # Call oinkmaster to generate ruleset.
- open(OINKMASTER, "/usr/local/bin/oinkmaster.pl -v -s -u file://$rulestarball -C $settingsdir/oinkmaster.conf -o $rulespath|") or die "Could not execute oinkmaster $!\n";
+ open(OINKMASTER, "/usr/local/bin/oinkmaster.pl -s -u file://$rulestarball -C $settingsdir/oinkmaster.conf -o $rulespath 2>&1 |") or die "Could not execute oinkmaster $!\n";
 
 # Log output of oinkmaster to syslog.
 while() {
@@ -387,6 +389,9 @@ sub _store_error_message ($) {
 
 # Close file.
 close (ERRORFILE);
+
+ # Set correct ownership for the file.
+ &set_ownership("$storederrorfile");
 }
 
 #
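Review bot: With `if (($remote_filesize) && ($remote_filesize ne $local_filesize))` a download whose HEAD step was skipped (the snort.org case from the previous hunk) or whose server sent no Content-Length receives no completeness check at all, so a truncated tarball is handed on to oinkmaster without any log line. At minimum reject an empty result and say when the size could not be verified, e.g. `if (!$local_filesize || ($remote_filesize && $remote_filesize != $local_filesize)) {` followed by a separate `&_log_to_syslog("Remote file size unknown, download not verified.") unless ($remote_filesize);`; `!=` is also the natural operator for two byte counts. The rest of downloadruleset is outside the hunk.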
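Review bot: The new `open(OINKMASTER, "... 2>&1 |")` line in oinkmaster is still a two-argument pipe open that hands the whole command string to a shell; the interpolated `$rulestarball` and `$rulespath` are the `our` configuration variables from the first hunk and `$settingsdir` presumably is too, so no untrusted input reaches the shell here, but the bareword handle and the ignored exit status remain. Because `2>&1` needs a shell the list form is not a drop-in replacement; a lexical handle and `close($oink) or &_log_to_syslog("oinkmaster exited with status $?");` after the read loop would at least surface a failed run, unless the close is already checked further down (the loop body and the close are outside the hunk). Dropping `-v` while merging stderr into the logged stream looks intentional, so no objection there.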
@@ -594,30 +599,58 @@ sub generate_home_net_file() {
 
 # Loop through the array of available network zones.
 foreach my $zone (@network_zones) {
- # Skip the red network - It never can be part to the home_net!
- next if($zone eq "red");
+ # Check if the current processed zone is red.
+ if($zone eq "red") {
+ # Grab the IP-address of the red interface.
+ my $red_address = &get_red_address();
+
+ # Check if an address has been obtained.
+ if ($red_address) {
+ # Generate full network string.
+ my $red_network = join("/", $red_address, "32");
+
+ # Add the red network to the array of networks.
+ push(@networks, $red_network);
+ }
 
- # Convert current zone name into upper case.
- $zone = uc($zone);
+ # Check if the configured RED_TYPE is static.
+ if ($netsettings{'RED_TYPE'} eq "STATIC") {
+ # Get configured and enabled aliases.
+ my @aliases = &get_aliases();
 
- # Generate key to access the required data from the netsettings hash.
- my $zone_netaddress = $zone . "_NETADDRESS";
- my $zone_netmask = $zone . "_NETMASK";
+ # Loop through the array.
+ foreach my $alias (@aliases) {
+ # Add "/32" prefix.
+ my $network = join("/", $alias, "32");
 
- # Obtain the settings from the netsettings hash.
- my $netaddress = $netsettings{$zone_netaddress};
- my $netmask = $netsettings{$zone_netmask};
+ # Add the generated network to the array of networks.
+ push(@networks, $network);
+ }
+ }
+ # Process remaining network zones.
+ } else {
+ # Convert current zone name into upper case.
+ $zone = uc($zone);
+
+ # Generate key to access the required data from the netsettings hash.
+ my $zone_netaddress = $zone . "_NETADDRESS";
+ my $zone_netmask = $zone . "_NETMASK";
+
+ # Obtain the settings from the netsettings hash.
+ my $netaddress = $netsettings{$zone_netaddress};
+ my $netmask = $netsettings{$zone_netmask};
 
- # Convert the subnetmask into prefix notation.
- my $prefix = &Network::convert_netmask2prefix($netmask);
+ # Convert the subnetmask into prefix notation.
+ my $prefix = &Network::convert_netmask2prefix($netmask);
 
- # Generate full network string.
- my $network = join("/", $netaddress,$prefix);
+ # Generate full network string.
+ my $network = join("/", $netaddress,$prefix);
 
- # Check if the network is valid.
- if(&Network::check_subnet($network)) {
- # Add the generated network to the array of networks.
- push(@networks, $network);
+ # Check if the network is valid.
+ if(&Network::check_subnet($network)) {
+ # Add the generated network to the array of networks.
+ push(@networks, $network);
+ }
 }
 }
 
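Review bot: In the new `else` branch `$zone = uc($zone)` (kept from the old code) assigns through the `foreach` alias, so `@network_zones` itself is upper-cased once the loop has run; if the array is used again later in generate_home_net_file or by its caller that is a silent side effect, and `my $zone_key = uc($zone);` with the two `_NETADDRESS`/`_NETMASK` key lines built from `$zone_key` avoids it. In the red branch `$netsettings{'RED_TYPE'} eq "STATIC"` emits an uninitialized-value warning when the key is absent; `($netsettings{'RED_TYPE'} // '') eq "STATIC"` is the quiet form. Adding the red address and every alias as `/32` entries extends HOME_NET to the public-facing addresses, which is a policy change worth a comment on the `if($zone eq "red")` line. generate_home_net_file starts before the hunk.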
@@ -794,4 +827,142 @@ sub generate_ignore_file() {
 close(FILE);
 }
 
+#
+## Function to set correct ownership for single files and directories.
+#
+
+sub set_ownership($) {
+ my ($target) = @_;
+
+ # User and group of the WUI.
+ my $uname = "nobody";
+ my $grname = "nobody";
+
+ # The chown function implemented in perl requies the user and group as nummeric id's.
+ my $uid = getpwnam($uname);
+ my $gid = getgrnam($grname);
+
+ # Check if the given target exists.
+ unless ($target) {
+ # Stop the script and print error message.
+ die "The $target does not exist. Cannot change the ownership!\n";
+ }
+
+ # Check weather the target is a file or directory.
+ if (-f $target) {
+ # Change ownership ot the single file.
+ chown($uid, $gid, "$target");
+ } elsif (-d $target) {
+ # Do a directory listing.
+ opendir(DIR, $target) or die $!;
+ # Loop through the direcory.
+ while (my $file = readdir(DIR)) {
+
+ # We only want files.
+ next unless (-f "$target/$file");
+
+ # Set correct ownership for the files.
+ chown($uid, $gid, "$target/$file");
+ }
+
+ closedir(DIR);
+
+ # Change ownership of the directory.
+ chown($uid, $gid, "$target");
+ }
+}
+
+#
+## Function to read-in the aliases file and returns all configured and enabled aliases.
+#
+sub get_aliases() {
+ # Location of the aliases file.
+ my $aliases_file = "${General::swroot}/ethernet/aliases";
+
+ # Array to store the aliases.
+ my @aliases;
+
+ # Check if the file is empty.
+ if (-z $aliases_file) {
+ # Abort nothing to do.
+ return;
+ }
+
+ # Open the aliases file.
+ open(ALIASES, $aliases_file) or die "Could not open $aliases_file. $!\n";
+
+ # Loop through the file content.
+ while (my $line = ) {
+ # Remove newlines.
+ chomp($line);
+
+ # Splitt line content into single chunks.
+ my ($address, $state, $remark) = split(/\,/, $line);
+
+ # Check if the state of the current processed alias is "on".
+ if ($state eq "on") {
+ # Check if the address is valid.
+ if(&Network::check_ip_address($address)) {
+ # Add the alias to the array of aliases.
+ push(@aliases, $address);
+ }
+ }
+ }
+
+ # Close file handle.
+ close(ALIASES);
+
+ # Return the array.
+ return @aliases;
+}
+
+#
+## Function to grab the current assigned IP-address on red.
+#
+sub get_red_address() {
+ # File, which contains the current IP-address of the red interface.
+ my $file = "${General::swroot}/red/local-ipaddress";
+
+ # Check if the file exists.
+ if (-e $file) {
+ # Open the given file.
+ open(FILE, "$file") or die "Could not open $file.";
+
+ # Obtain the address from the first line of the file.
+ my $address = ;
+
+ # Close filehandle
+ close(FILE);
+
+ # Remove newlines.
+ chomp $address;
+
+ # Check if the grabbed address is valid.
+ if (&General::validip($address)) {
+ # Return the address.
+ return $address;
+ }
+ }
+
+ # Return nothing.
+ return;
+}
+
+#
+## Function to write the lock file for locking the WUI, while
+## the autoupdate script runs.
+#
+sub lock_ids_page() {
+ # Call subfunction to create the file.
+ &create_empty_file($ids_page_lock_file);
+}
+
+#
+## Function to release the lock of the WUI, again.
+#
+sub unlock_ids_page() {
+ # Delete lock file.
+ unlink($ids_page_lock_file);
+}
+
 1;
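Review bot: In `set_ownership` the results of `getpwnam($uname)` and `getgrnam($grname)` are used unchecked, so if the `nobody` user or group does not exist `$uid`/`$gid` are undef and every `chown` call receives 0, i.e. the error file and the rules directory would be handed to root; add `die "Cannot resolve $uname/$grname\n" unless (defined $uid && defined $gid);` right after the lookups. The `unless ($target)` guard only rejects an empty argument although its comment and the die message talk about existence — `unless (-e $target)` is what is meant — and none of the `chown` return values is checked. The directory branch tests and chowns `"$target/$file"` through whatever symlinks the listing contains, since `-f` and `chown` both follow links; `next if (-l "$target/$file");` keeps the change to the regular files the directory really holds. `get_aliases` and `get_red_address` use two-argument `open` on bareword handles; the paths are fixed, but `open(my $fh, '<', $file)` is the safer idiom, and `get_aliases` dies rather than returning an empty list when the aliases file is absent, because `-z` is false for a missing file and the `or die` then fires.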