From: Stefan Schantl
Date: Sun, 23 Dec 2018 20:06:14 +0000 (+0100)
Subject: ids.cgi: Seperate IPS and ruleset settings
X-Git-Tag: v2.23-core131~117^2~121
X-Git-Url: http://git.ipfire.org/?p=ipfire-2.x.git;a=commitdiff_plain;h=ea5c8eeb83a65791960d6cb5de6c7dc78db02fda

ids.cgi: Seperate IPS and ruleset settings

Now each of both have their own corresponding configuration areas. The taken settings will be saved in "/var/ipfire/suricata/settings" for all IDS/IPS related settings and in "/var/ipfire/suricata/rules-settings" for ruleset related settings.

Signed-off-by: Stefan Schantl
---
diff --git a/html/cgi-bin/ids.cgi b/html/cgi-bin/ids.cgi
index 90059e1799..ffbe0e2396 100644
--- a/html/cgi-bin/ids.cgi
+++ b/html/cgi-bin/ids.cgi
@@ -34,6 +34,7 @@ my %color = ();
 my %mainsettings = ();
 my %idsrules = ();
 my %idssettings=();
+my %rulessettings=();
 my %rulesetsources = ();
 my %cgiparams=();
 my %checked=();
@@ -63,6 +64,12 @@ my $disabled_sids_file = "$IDS::settingsdir/oinkmaster-disabled-sids.conf";
 # File which contains wheater the rules should be changed.
 my $modify_sids_file = "$IDS::settingsdir/oinkmaster-modify-sids.conf";
+# File which stores the configured IPS settings.
+my $idssettingsfile = "$IDS::settingsdir/settings";
+
+# File which stores the configured rules-settings.
+my $rulessettingsfile = "$IDS::settingsdir/rules-settings";
+
 # File which stores the configured settings for whitelisted addresses.
 my $ignoredfile = "$IDS::settingsdir/ignored";
@@ -76,6 +83,8 @@ unless (-f "$enabled_sids_file") { &IDS::create_empty_file($enabled_sids_file);
 unless (-f "$disabled_sids_file") { &IDS::create_empty_file($disabled_sids_file); }
 unless (-f "$modify_sids_file") { &IDS::create_empty_file($modify_sids_file); }
 unless (-f "$idsusedrulefilesfile") { &IDS::create_empty_file($idsusedrulefilesfile); }
+unless (-f "$idssettingsfile") { &IDS::create_empty_file($idssettingsfile); }
+unless (-f "$rulessettingsfile") { &IDS::create_empty_file($rulessettingsfile); }
 unless (-f "$ignoredfile") { &IDS::create_empty_file($ignoredfile); }
 unless (-f "$whitelistfile" ) { &IDS::create_empty_file($whitelistfile); }
@@ -311,8 +320,38 @@ if(-f $idsusedrulefilesfile) {
 }
 }
+# Save ruleset configuration.
+if ($cgiparams{'RULESET'} eq $Lang::tr{'save'}) {
+ my %oldsettings;
+
+ # Read-in current (old) IDS settings.
+ &General::readhash("$rulessettingsfile", \%oldsettings);
+
+ # Prevent form name from been stored in conf file.
+ delete $cgiparams{'RULESET'};
+
+ # Check if an oinkcode has been provided.
+ if ($cgiparams{'OINKCODE'}) {
+ # Check if the oinkcode contains unallowed chars.
+ unless ($cgiparams{'OINKCODE'} =~ /^[a-z0-9]+$/) {
+ $errormessage = $Lang::tr{'invalid input for oink code'};
+ }
+ }
+
+ # Go on if there are no error messages.
+ if (!$errormessage) {
+ # Store settings into settings file.
+ &General::writehash("$rulessettingsfile", \%cgiparams);
+ }
+
+ # Check if the the automatic rule update hass been touched.
+ if($cgiparams{'AUTOUPDATE_INTERVAL'} ne $oldsettings{'AUTOUPDATE_INTERVAL'}) {
+ # Call suricatactrl to set the new interval.
+ &IDS::call_suricatactrl("cron", $cgiparams{'AUTOUPDATE_INTERVAL'});
+ }
+
 # Save ruleset.
-if ($cgiparams{'RULESET'} eq $Lang::tr{'update'}) {
+} elsif ($cgiparams{'RULESET'} eq $Lang::tr{'update'}) {
 # Arrays to store which rulefiles have been enabled and will be used.
 my @enabled_rulefiles;
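Review bot: In the new `$Lang::tr{'save'}` branch the cron interval is reconfigured even when the oinkcode check has set `$errormessage`: the `if($cgiparams{'AUTOUPDATE_INTERVAL'} ne $oldsettings{'AUTOUPDATE_INTERVAL'})` block sits outside `if (!$errormessage)`, so `&IDS::call_suricatactrl("cron", ...)` is applied while `$rulessettingsfile` still holds the previous interval, and the next save compares against a stale value. The interval is also handed to the helper straight from the form; the only values the page offers are `off`, `daily` and `weekly` (the `$selected{'AUTOUPDATE_INTERVAL'}` table), so unless suricatactrl validates its argument itself, rejecting anything else next to the oinkcode check is cheap. The same ordering existed in the old IDS branch this code was lifted from (the lines removed in the `@@ -537` hunk), so the commit moves the problem rather than fixing it. Moving the comparison inside the error-free block and adding that check is sketched below; the block opened by the new `if` continues past the hunk as the `elsif` chain. The copied comment `# Read-in current (old) IDS settings.` above the first readhash should read `# Read-in current (old) ruleset settings.`.
```perl
	# Check if an oinkcode has been provided.
	if ($cgiparams{'OINKCODE'}) {
		# … unchanged: oinkcode character check …
	}

	# Only accept the intervals the form offers.
	unless ($cgiparams{'AUTOUPDATE_INTERVAL'} =~ /^(?:off|daily|weekly)$/) {
		$errormessage = $Lang::tr{'invalid input'};
	}

	# Go on if there are no error messages.
	if (!$errormessage) {
		# Store settings into settings file.
		&General::writehash("$rulessettingsfile", \%cgiparams);

		# Reconfigure the cron job only after the new interval has been saved.
		if($cgiparams{'AUTOUPDATE_INTERVAL'} ne $oldsettings{'AUTOUPDATE_INTERVAL'}) {
			&IDS::call_suricatactrl("cron", $cgiparams{'AUTOUPDATE_INTERVAL'});
		}
	}
```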
@@ -496,19 +535,11 @@ if ($cgiparams{'RULESET'} eq $Lang::tr{'update'}) {
 my $monitored_zones = 0;
 # Read-in current (old) IDS settings.
- &General::readhash("$IDS::settingsdir/settings", \%oldidssettings);
+ &General::readhash("$idssettingsfile", \%oldidssettings);
 # Prevent form name from been stored in conf file.
 delete $cgiparams{'IDS'};
- # Check if an oinkcode has been provided.
- if ($cgiparams{'OINKCODE'}) {
- # Check if the oinkcode contains unallowed chars.
- unless ($cgiparams{'OINKCODE'} =~ /^[a-z0-9]+$/) {
- $errormessage = $Lang::tr{'invalid input for oink code'};
- }
- }
-
 # Check if the IDS should be enabled.
 if ($cgiparams{'ENABLE_IDS'} eq "on") {
 # Check if any ruleset is available. Otherwise abort and display an error.
@@ -537,18 +568,12 @@ if ($cgiparams{'RULESET'} eq $Lang::tr{'update'}) {
 # Go on if there are no error messages.
 if (!$errormessage) {
 # Store settings into settings file.
- &General::writehash("$IDS::settingsdir/settings", \%cgiparams);
+ &General::writehash("$idssettingsfile", \%cgiparams);
 }
 # Generate file to store the home net.
 &generate_home_net_file();
- # Check if the the automatic rule update hass been touched.
- if($cgiparams{'AUTOUPDATE_INTERVAL'} ne $oldidssettings{'AUTOUPDATE_INTERVAL'}) {
- # Call suricatactrl to set the new interval.
- &IDS::call_suricatactrl("cron", $cgiparams{'AUTOUPDATE_INTERVAL'});
- }
-
 # Check if the runmode has been changed.
 if($cgiparams{'RUN_MODE'} ne $oldidssettings{'RUN_MODE'}) {
 # Open modify sid's file for writing.
@@ -601,8 +626,9 @@ if ($cgiparams{'RULESET'} eq $Lang::tr{'update'}) {
 }
 }
-# Read-in idssettings
-&General::readhash("$IDS::settingsdir/settings", \%idssettings);
+# Read-in idssettings and rulesetsettings
+&General::readhash("$idssettingsfile", \%idssettings);
+&General::readhash("$rulessettingsfile", \%rulessettings);
 # If the runmode has not been configured yet, set default value.
 unless(exists($idssettings{'RUN_MODE'})) {
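Review bot: Nothing carries the ruleset keys over from the old combined file, so on an existing installation the `&General::readhash("$rulessettingsfile", \%rulessettings)` added in the `@@ -601` hunk reads the empty file created by the `@@ -76` hunk, while `RULES`, `OINKCODE` and `AUTOUPDATE_INTERVAL` remain in `$idssettingsfile`, where the removed `$idssettings{'RULES'}` and `$idssettings{'AUTOUPDATE_INTERVAL'}` lookups of the `@@ -624` hunk used to find them. Until the admin re-saves the new box the page shows the defaults and, judging by the `unless($rulessettings{'RULES'})` branch in the later (garbled) hunk, the download/update button is disabled, although the cron job presumably still runs with the previously configured interval. Unless a migration step exists outside this diff (an update script, say), a one-time copy of those three keys into the new file when it is empty, directly after the two readhash calls, keeps upgrades seamless; a sketch follows.
```perl
# Read-in idssettings and rulesetsettings
&General::readhash("$idssettingsfile", \%idssettings);
&General::readhash("$rulessettingsfile", \%rulessettings);

# Migrate ruleset keys that earlier versions kept in the IPS settings file.
unless (%rulessettings) {
	my %migrated;
	for my $key (qw(RULES OINKCODE AUTOUPDATE_INTERVAL)) {
		$migrated{$key} = $idssettings{$key} if defined $idssettings{$key};
	}
	if (%migrated) {
		&General::writehash("$rulessettingsfile", \%migrated);
		%rulessettings = %migrated;
	}
}
```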
@@ -610,6 +636,12 @@ unless(exists($idssettings{'RUN_MODE'})) {
 $idssettings{'RUN_MODE'} = 'IPS';
 }
+# If no autoupdate intervall has been configured yet, set default value.
+unless(exists($rulessettings{'AUTOUPDATE_INTERVAL'})) {
+ # Set default to "weekly".
+ $rulessettings{'AUTOUPDATE_INTERVAL'} = 'weekly';
+}
+
 # Read-in ignored hosts.
 &General::readhasharray("$IDS::settingsdir/ignored", \%ignored);
@@ -624,11 +656,11 @@ $selected{'RULES'}{'community'} = '';
 $selected{'RULES'}{'emerging'} = '';
 $selected{'RULES'}{'registered'} = '';
 $selected{'RULES'}{'subscripted'} = '';
-$selected{'RULES'}{$idssettings{'RULES'}} = "selected='selected'";
+$selected{'RULES'}{$rulessettings{'RULES'}} = "selected='selected'";
 $selected{'AUTOUPDATE_INTERVAL'}{'off'} = '';
 $selected{'AUTOUPDATE_INTERVAL'}{'daily'} = '';
 $selected{'AUTOUPDATE_INTERVAL'}{'weekly'} = '';
-$selected{'AUTOUPDATE_INTERVAL'}{$idssettings{'AUTOUPDATE_INTERVAL'}} = "selected='selected'";
+$selected{'AUTOUPDATE_INTERVAL'}{$rulessettings{'AUTOUPDATE_INTERVAL'}} = "selected='selected'";
 &Header::openpage($Lang::tr{'intrusion detection system'}, 1, '');
@@ -708,17 +740,6 @@ END
 # Draw elements for IDS configuration.
 &Header::openbox('100%', 'center', $Lang::tr{'settings'});
-my $rulesdate;
-
-# Check if a ruleset allready has been downloaded.
-if ( -f "$IDS::rulestarball"){
- # Call stat on the filename to obtain detailed information.
- my @Info = stat("$IDS::rulestarball");
-
- # Grab details about the creation time.
- $rulesdate = localtime($Info[9]);
-}
-
 print <
@@ -775,19 +796,45 @@ foreach my $zone (@network_zones) { print < +
- -

- +

+ + + + + +
+ +END +; + +&Header::closebox(); + +# Draw elements for ruleset configuration. +&Header::openbox('100%', 'center', $Lang::tr{'ids ruleset settings'}); + +my $rulesdate; + +# Check if a ruleset allready has been downloaded. +if ( -f "$IDS::rulestarball"){ + # Call stat on the filename to obtain detailed information. + my @Info = stat("$IDS::rulestarball"); + # Grab details about the creation time. + $rulesdate = localtime($Info[9]); +} + +print < + - - + + - - - - + - - - -
$Lang::tr{'ids rules update'}$Lang::tr{'ids automatic rules update'}$Lang::tr{'ids rules update'}$Lang::tr{'ids automatic rules update'}
+
+
$Lang::tr{'ids rules license'} www.snort.org$Lang::tr{'ids rules license1'}

$Lang::tr{'ids rules license2'} Get an Oinkcode, $Lang::tr{'ids rules license3'}
Oinkcode: Oinkcode: 

-  $Lang::tr{'updates installed'}: $rulesdate -
+   -

+ +END +; + # Check if a ruleset source has been configured yet. + unless($rulessettings{'RULES'}) { + # If no ruleset settings have been saved yet, disable the button to download / update the ruleset. + print"\n"; + } else { + # Ruleset setting have been saved. - Check if a ruleset already is downloaded. + if (%idsrules) { + # Allow to press the button and show it as "update ruleset". + print"\n"; + } else { + # Also allow to press the button, but show it as "download new ruleset". + print"\n"; + } + } +print < + - - -
diff --git a/langs/de/cgi-bin/de.pl b/langs/de/cgi-bin/de.pl
index f25074065d..43fd917a03 100644
--- a/langs/de/cgi-bin/de.pl
+++ b/langs/de/cgi-bin/de.pl
@@ -1331,6 +1331,7 @@
 'ids logs' => 'IDS-Protokolldateien',
 'ids no network zone' => 'Mindestends eine Netzwerk-Zone muss überwacht werden!',
 'ids no ruleset available' => 'Kein Regelset verfügbar, bitte downloaden Sie eines!',
+'ids ruleset settings' => 'Regelset-Einstellungen',
 'ids preprocessor' => 'IDS-Präprozessor',
 'ids rules license' => 'Um Sourcefire VRT Zertifizierte Regeln zu nutzen, müssen Sie sich unter',
 'ids rules license1' => ' registrieren.',
@@ -2368,6 +2369,7 @@
 'unnamed' => 'Unbenannt',
 'update' => 'Aktualisieren',
 'update accelerator' => 'Update-Accelerator',
+'update ruleset' => 'Regelsatz aktualisieren',
 'update time' => 'Aktualisiere die Uhrzeit:',
 'update transcript' => 'Aktualisieren',
 'updatedatabase' => 'Datenbank auf Stand der letzten Reports setzen',
diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl
index 670a38e83f..467bd2351c 100644
--- a/langs/en/cgi-bin/en.pl
+++ b/langs/en/cgi-bin/en.pl
@@ -1361,6 +1361,7 @@
 'ids logs' => 'IDS Logs',
 'ids no network zone' => 'At least one network zone has to be monitored!',
 'ids no ruleset available' => 'No ruleset available, please download one!',
+'ids ruleset settings' => 'Ruleset settings',
 'ids preprocessor' => 'IDS preprocessor',
 'ids rules license' => 'To utilize Sourcefire VRT Certified Rules, you need to register on',
 'ids rules license1' => '.',
@@ -2409,6 +2410,7 @@
 'unnamed' => 'Unnamed',
 'update' => 'Update',
 'update accelerator' => 'Update Accelerator',
+'update ruleset' => 'Update ruleset',
 'update time' => 'Update the time:',
 'update transcript' => 'Update transcript',
 'updatedatabase' => 'Update Database with last report',