ipfire-2.x.git
Stefan Schantl [Fri, 15 Feb 2019 12:26:55 +0000 (13:26 +0100)] 
Suricata: Start service on red.up event if requested

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Stefan Schantl [Fri, 15 Feb 2019 11:39:56 +0000 (12:39 +0100)] 
collectd: Stop collecting process details for snort

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Stefan Schantl [Fri, 15 Feb 2019 11:18:45 +0000 (12:18 +0100)] 
services.cgi: Show status of suricata instead of snort

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Stefan Schantl [Fri, 15 Feb 2019 10:22:14 +0000 (11:22 +0100)] 
logrotate: Rotate suricata logs instead of snort ones

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Stefan Schantl [Thu, 14 Feb 2019 11:37:13 +0000 (12:37 +0100)] 
convert-snort: Always create directory and filelayout

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Stefan Schantl [Thu, 14 Feb 2019 11:15:41 +0000 (12:15 +0100)] 
convert-snort: Call subfunction to change ownership of rulestarball

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Stefan Schantl [Thu, 14 Feb 2019 10:43:31 +0000 (11:43 +0100)] 
ids-ruleset-sources: Fix rootfile

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Stefan Schantl [Wed, 13 Feb 2019 18:46:45 +0000 (19:46 +0100)] 
Merge branch 'next' of ssh://git.ipfire.org/pub/git/ipfire-2.x into next-suricata

Michael Tremer [Wed, 13 Feb 2019 11:32:00 +0000 (11:32 +0000)] 
core128: Ship kdig

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Erik Kapfer [Sat, 9 Feb 2019 07:41:15 +0000 (08:41 +0100)] 
knot: Reduced version of knot with kdig only

Signed-off-by: Erik Kapfer <ummeegge@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Wed, 13 Feb 2019 11:31:24 +0000 (11:31 +0000)] 
core128: Ship libedit

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Erik Kapfer [Sat, 9 Feb 2019 07:41:14 +0000 (08:41 +0100)] 
libedit: A command line editor library

Dependency for knot (kdig).

Signed-off-by: Erik Kapfer <ummeegge@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Matthias Fischer [Sun, 10 Feb 2019 19:13:17 +0000 (20:13 +0100)] 
powertop: Update to 2.10

Hi,

Triggered by:
https://forum.ipfire.org/viewtopic.php?f=69&t=22274

For details see:
https://01.org/powertop/downloads/powertop-v2.10

Best,
Matthias

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Matthias Fischer [Sat, 9 Feb 2019 09:59:08 +0000 (10:59 +0100)] 
dhcpcd: Update to 7.1.1

For details see:
https://roy.marples.name/blog/dhcpcd-7-1-1-released

"A minor update, highlights include:

 IPv4LL: Fixed build with this disabled
 IPv4LL: Remember last address between carrier resets
 BSD: Fixed initial link infos reported as LINK_STATE_UNKNOWN
 FreeBSD: Avoid panicking kernel when RTA_IFP is set for IPv6 prefix routes"

Best,
Matthias

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Matthias Fischer [Sat, 9 Feb 2019 09:37:22 +0000 (10:37 +0100)] 
curl: Update to 7.64.0

Hi,

For details see:
https://curl.haxx.se/changes.html

This came rather unexpectedly - if I'd known, I'd have waited with 7.63.0.

"Changes:
cookies: leave secure cookies alone
hostip: support wildcard hosts
http: Implement trailing headers for chunked transfers
http: added options for allowing HTTP/0.9 responses
timeval: Use high resolution timestamps on Windows

Bugfixes:
CVE-2018-16890: NTLM type-2 out-of-bounds buffer read
CVE-2019-3822: NTLMv2 type-3 header stack buffer overflow
CVE-2019-3823: SMTP end-of-response out-of-bounds read
FAQ: remove mention of sourceforge for github
OS400: handle memory error in list conversion
OS400: upgrade ILE/RPG binding.
README: add codacy code quality badge
Revert http_negotiate: do not close connection
THANKS: added several missing names from year <= 2000
build: make 'tidy' target work for metalink builds
cmake: added checks for variadic macros
cmake: updated check for HAVE_POLL_FINE to match autotools
cmake: use lowercase for function name like the rest of the code
configure: detect xlclang separately from clang
configure: fix recv/send/select detection on Android
configure: rewrite --enable-code-coverage
conncache_unlock: avoid indirection by changing input argument type
cookie: fix comment typo
cookies: allow secure override when done over HTTPS
cookies: extend domain checks to non psl builds
cookies: skip custom cookies when redirecting cross-site
curl --xattr: strip credentials from any URL that is stored
curl -J: refuse to append to the destination file
curl/urlapi.h: include "curl.h" first
curl_multi_remove_handle() don't block terminating c-ares requests
darwinssl: accept setting max-tls with default min-tls
disconnect: separate connections and easy handles better
disconnect: set conn->data for protocol disconnect
docs/version.d: mention MultiSSL
docs: fix the --tls-max description
docs: use $(INSTALL_DATA) to install man page
docs: use meaningless port number in CURLOPT_LOCALPORT example
gopher: always include the entire gopher-path in request
http2: clear pause stream id if it gets closed
if2ip: remove unused function Curl_if_is_interface_name
libssh: do not let libssh create socket
libssh: enable CURLOPT_SSH_KNOWNHOSTS and CURLOPT_SSH_KEYFUNCTION for libssh
libssh: free sftp_canonicalize_path() data correctly
libtest/stub_gssapi: use "real" snprintf
mbedtls: use VERIFYHOST
multi: multiplexing improvements
multi: set the EXPIRE_*TIMEOUT timers at TIMER_STARTSINGLE time
ntlm: fix NTMLv2 compliance
ntlm_sspi: add support for channel binding
openssl: adapt to 3.0.0, OpenSSL_version_num() is deprecated
openssl: fix the SSL_get_tlsext_status_ocsp_resp call
openvms: fix OpenSSL discovery on VAX
openvms: fix typos in documentation
os400: add a missing closing bracket
os400: fix extra parameter syntax error
pingpong: change default response timeout to 120 seconds
pingpong: ignore regular timeout in disconnect phase
printf: fix format specifiers
runtests.pl: Fix perl call to include srcdir
schannel: fix compiler warning
schannel: preserve original certificate path parameter
schannel: stop calling it "winssl"
sigpipe: if mbedTLS is used, ignore SIGPIPE
smb: fix incorrect path in request if connection reused
ssh: log the libssh2 error message when ssh session startup fails
test1558: verify CURLINFO_PROTOCOL on file:// transfer
test1561: improve test name
test1653: make it survive torture tests
tests: allow tests to pass by 2037-02-12
tests: move objnames-* from lib into tests
timediff: fix math for unsigned time_t
timeval: Disable MSVC Analyzer GetTickCount warning
tool_cb_prg: avoid integer overflow
travis: added cmake build for osx
urlapi: Fix port parsing of eol colon
urlapi: distinguish possibly empty query
urlapi: fix parsing ipv6 with zone index
urldata: rename easy_conn to just conn
winbuild: conditionally use /DZLIB_WINAPI
wolfssl: fix memory-leak in threaded use
spnego_sspi: add support for channel binding"

Best,
Matthias

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Arne Fitzenreiter [Fri, 8 Feb 2019 19:50:37 +0000 (20:50 +0100)] 
kernel: update to 4.14.98

todo: check if RPi dwc dma patch still needs to be reverted before release

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Stefan Schantl [Fri, 8 Feb 2019 08:59:31 +0000 (09:59 +0100)] 
Merge branch 'next' of ssh://git.ipfire.org/pub/git/ipfire-2.x into next-suricata

Stefan Schantl [Fri, 8 Feb 2019 08:56:36 +0000 (09:56 +0100)] 
libhtp: Update to 0.5.29

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Stefan Schantl [Fri, 8 Feb 2019 08:55:46 +0000 (09:55 +0100)] 
ruleset-sources: Update sourcefire rulesets to latest snapshot version

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Matthias Fischer [Fri, 8 Feb 2019 11:01:42 +0000 (12:01 +0100)] 
borgbackup: Fix build on i586

Fixes

...
'/usr/src/config/rootfiles/packages//borgbackup' -> '/install/packages/package/ROOTFILES'
tar: usr/lib/python3.6/site-packages/borg/chunker.cpython-36m-i586-linux-gnu.so: Cannot stat: No such file or directory
tar: usr/lib/python3.6/site-packages/borg/compress.cpython-36m-i586-linux-gnu.so: Cannot stat: No such file or directory
tar: usr/lib/python3.6/site-packages/borg/crypto.cpython-36m-i586-linux-gnu.so: Cannot stat: No such file or directory
tar: usr/lib/python3.6/site-packages/borg/hashindex.cpython-36m-i586-linux-gnu.so: Cannot stat: No such file or directory
tar: usr/lib/python3.6/site-packages/borg/platform_linux.cpython-36m-i586-linux-gnu.so: Cannot stat: No such file or directory
tar: Exiting with failure status due to previous errors
make: *** [borgbackup:58: dist] Error 2
...

Best,
Matthias

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Matthias Fischer [Fri, 8 Feb 2019 10:57:47 +0000 (11:57 +0100)] 
python3-llfuse: Fix build on i586

Fixes

"tar: usr/lib/python3.6/site-packages/llfuse.cpython-36m-i586-linux-gnu.so:
Cannot stat: No such file or directory"

Best,
Matthias

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Peter Müller [Thu, 7 Feb 2019 17:47:00 +0000 (17:47 +0000)] 
Suricata: detect DNS events on port 853, too

As DNS over TLS popularity is increasing, port 853 becomes
more interesting for an attacker as a bypass method. Enabling
this port for DNS monitoring makes sense in order to avoid
unusual activity (non-DNS traffic) as well as "normal" DNS
attacks.

Partially fixes #11808

Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Cc: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Peter Müller [Thu, 7 Feb 2019 17:41:00 +0000 (17:41 +0000)] 
Suricata: enable full detection for missing protocols

These are IMAP and MSN, which can be safely enabled.

Partially fixes #11808

Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Cc: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Peter Müller [Thu, 7 Feb 2019 17:38:00 +0000 (17:38 +0000)] 
Suricata: detect TLS traffic on IMAPS/POP3S/SSMTP ports as well

Partially fixes #11808

Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Cc: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Michael Tremer [Thu, 7 Feb 2019 15:13:50 +0000 (15:13 +0000)] 
core128: Ship updated firewall initscript

Require reboot after the update

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Peter Müller [Wed, 6 Feb 2019 21:00:00 +0000 (21:00 +0000)] 
apply default firewall policy for ORANGE, too

If the firewall default policy is set to DROP, this setting was not
applied to outgoing ORANGE traffic as well, which was misleading.

Fixes #11973

Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Cc: Michael Tremer <michael.tremer@ipfire.org>
Cc: Oliver Fuhrer <oliver.fuhrer@bluewin.ch>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Peter Müller [Wed, 6 Feb 2019 19:21:00 +0000 (19:21 +0000)] 
Tor: update to 0.3.5.7

Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Stefan Schantl [Thu, 7 Feb 2019 09:33:29 +0000 (10:33 +0100)] 
ids.cgi: Format and show date of the current ruleset again

Fixes #11992

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Stefan Schantl [Thu, 7 Feb 2019 08:46:01 +0000 (09:46 +0100)] 
ids.cgi: Change name of the button to apply the ruleset changes

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Stefan Schantl [Thu, 7 Feb 2019 08:02:32 +0000 (09:02 +0100)] 
langs: Remove snort related and unused strings

Fixes #11993.

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Stefan Schantl [Thu, 7 Feb 2019 08:00:35 +0000 (09:00 +0100)] 
logs.cgi/ids.dat: Do not call the IDS snort again

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Stefan Schantl [Thu, 7 Feb 2019 07:51:31 +0000 (08:51 +0100)] 
ids.cgi: Improve shown messages while the IDS is working

Reference #11993

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Stefan Schantl [Thu, 7 Feb 2019 07:28:29 +0000 (08:28 +0100)] 
Add german translation for "system is offline"

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Stefan Schantl [Thu, 7 Feb 2019 07:24:15 +0000 (08:24 +0100)] 
ids.cgi: Lock page while autoupdate script is running

Fixes #11991

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Stefan Schantl [Thu, 7 Feb 2019 07:06:49 +0000 (08:06 +0100)] 
update-ids-ruleset: Lock and Unlock the IDS page during runtime

Reference #11991

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Stefan Schantl [Thu, 7 Feb 2019 06:59:20 +0000 (07:59 +0100)] 
ids-functions.pl: Add code to lock/unlock ids page while autoupdating the ruleset

Reference #11991

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Stefan Schantl [Thu, 7 Feb 2019 06:44:11 +0000 (07:44 +0100)] 
ids.cgi: Show "Update Ruleset"-Button only if automatic updates are disabled

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Stefan Schantl [Wed, 6 Feb 2019 14:59:02 +0000 (15:59 +0100)] 
aliases.cgi: Handle suricata related actions when dealing with aliases

When working with aliases (adding/modifying/removing), the file which
contains the HOME_NET declarations needs to be re-generated and suricata
requires a restart afterwards.

Fixes #11990

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Stefan Schantl [Wed, 6 Feb 2019 14:23:46 +0000 (15:23 +0100)] 
IDS: Call helper script when red interface gets up

The helper script will be automatically called when the red interface gets up
and will re-generate the HOME_NET file, to take care if the IP-address of this
interface has changed.

Fixes #11989

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Stefan Schantl [Wed, 6 Feb 2019 12:12:50 +0000 (13:12 +0100)] 
IDS: Edit german translation for "ids oinkcode required".

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Stefan Schantl [Wed, 6 Feb 2019 11:49:01 +0000 (12:49 +0100)] 
ids.cgi: Check if the selected ruleset requires an oinkcode

Fixes #11983

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Stefan Schantl [Wed, 6 Feb 2019 11:48:08 +0000 (12:48 +0100)] 
ids.cgi: Only perform actions when saving ruleset settings, if there are no error messages

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Stefan Schantl [Wed, 6 Feb 2019 09:58:59 +0000 (10:58 +0100)] 
ids-functions.pl: Do not send HEAD requests to sourcefire (snort.org) servers

Using this feature to fetch the size of the requested tarball is not allowed by these
servers, so skip this feature for their rulesets.

Fixes #11987

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Stefan Schantl [Wed, 6 Feb 2019 09:00:17 +0000 (10:00 +0100)] 
Revert "ids-functions.pl: Use GET method to fetch Header data of a file"

Using the GET method will download the file twice and does not provide the
desired mechanism here.

This reverts commit 81592314ebe93ae942f28a1bc9037185f155ccda.

Stefan Schantl [Tue, 5 Feb 2019 13:34:44 +0000 (14:34 +0100)] 
ids.cgi: Fix HTML formatted spaces.

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Stefan Schantl [Tue, 5 Feb 2019 13:14:11 +0000 (14:14 +0100)] 
ids.cgi: Rework "Enable IPS" section

Just use one language string for a maximum of flexibility for the
translators.

Fixes #11986

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Stefan Schantl [Tue, 5 Feb 2019 12:57:40 +0000 (13:57 +0100)] 
suricata: Do not display messages when starting up

Fixes #11979.

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Stefan Schantl [Tue, 5 Feb 2019 12:51:08 +0000 (13:51 +0100)] 
ids.cgi: Change lang string from "Activate IPS" to "Enable IPS"

Reference #11986

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Stefan Schantl [Tue, 5 Feb 2019 12:25:27 +0000 (13:25 +0100)] 
IDS: Rename IDS strings to IPS

Reference: #11986

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Stefan Schantl [Tue, 5 Feb 2019 11:43:49 +0000 (12:43 +0100)] 
ids.cgi: Stop suricata when the ruleset source has been changed

If the ruleset source has been changed, it has to be configured again.
This happens because of different rule categories, filenames, rule IDs etc.

In case suricata is currently running, it has to be stopped; after the configuration
has been done by the user, it can be launched again.

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Stefan Schantl [Tue, 5 Feb 2019 11:36:30 +0000 (12:36 +0100)] 
ids.cgi: Fix downloading rules if source changed

Fix the if statement to detect whether the ruleset has been
changed and automatically download the new one.

Fixes #11984.

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Stefan Schantl [Tue, 5 Feb 2019 11:13:28 +0000 (12:13 +0100)] 
ids.cgi: Update automatic download texts

Update the shown texts in the dropdown box as mentioned in the
bug report.

Fixes #11985

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Stefan Schantl [Tue, 5 Feb 2019 11:01:43 +0000 (12:01 +0100)] 
ids-functions.pl: Use GET method to fetch Header data of a file

The sourcefire web servers do not support the HEAD request so we have to do
this with a GET here.

Fixes #11987

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Stefan Schantl [Tue, 5 Feb 2019 10:55:37 +0000 (11:55 +0100)] 
ids-functions.pl: Fix show HTTP error code and message

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Jonatan Schlag [Tue, 5 Feb 2019 18:33:31 +0000 (18:33 +0000)] 
python3-msgpack: Fix build on i586

Signed-off-by: Jonatan Schlag <jonatan.schlag@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Mon, 4 Feb 2019 07:00:13 +0000 (07:00 +0000)] 
python3-dateutil: Update rootfiles

Changed because of new python3-setuptools

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Mon, 4 Feb 2019 00:40:02 +0000 (00:40 +0000)] 
core128: Ship updated dhcpcd

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Matthias Fischer [Mon, 4 Feb 2019 17:38:44 +0000 (18:38 +0100)] 
dhcpcd: Update to 7.1.0

For some information about this update see:
https://roy.marples.name/blog/dhcpcd-7-1-0-released

"dhcpcd-7.1.0 has been released with the following changes:

- OpenBSD: works alongside slaacd(8)
- NetBSD: sets SO_RERROR on to detect receive socket overflow
- BSD: route improvements to avoid listening for own changes
- Linux: use NETLINK_BROADCAST_ERROR
- BSD: avoid late address deletion messages by testing address existence
- IP6: implement IP6 address sharing
- BSD: catch UP/DOWN events when interfaces does support media changes
- IPv4LL: remember old address when carrier is lost

Many other minor fixes and documentation updates have been submitted by various
community members for this release..."

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Mon, 4 Feb 2019 00:15:24 +0000 (00:15 +0000)] 
core128: Ship updated curl

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Matthias Fischer [Mon, 4 Feb 2019 17:30:54 +0000 (18:30 +0100)] 
curl: Update to 7.63.0

For details see:
https://curl.haxx.se/changes.html

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Erik Kapfer [Sat, 2 Feb 2019 07:46:12 +0000 (08:46 +0100)] 
update.sh: Delete .rnd files

Since RANDFILE has been disabled in OpenSSL configurations, .rnd files are not needed anymore.

Signed-off-by: Erik Kapfer <ummeegge@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Sun, 3 Feb 2019 21:42:43 +0000 (21:42 +0000)] 
core128: Ship updated apr

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Wolfgang Apolinarski [Sun, 3 Feb 2019 14:11:58 +0000 (15:11 +0100)] 
Updated apr, stabilized apache build

- Updated apr to 1.6.5
- Stabilized apache build (rebuild)

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Arne Fitzenreiter [Sun, 3 Feb 2019 14:28:52 +0000 (15:28 +0100)] 
python3-llfuse: fix rootfile for non x86_64 builds

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Arne Fitzenreiter [Sun, 3 Feb 2019 11:45:52 +0000 (12:45 +0100)] 
kernel: update to 4.14.97

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Michael Tremer [Fri, 1 Feb 2019 17:34:02 +0000 (17:34 +0000)] 
haproxy: Bump version to support TLSv1.3 (and PCRE JIT)

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Fri, 1 Feb 2019 17:12:23 +0000 (17:12 +0000)] 
core128: Restart updated apache

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Matthias Fischer [Fri, 1 Feb 2019 17:06:38 +0000 (18:06 +0100)] 
apache: Update to 2.4.38

For details see:
http://mirror.checkdomain.de/apache//httpd/CHANGES_2.4.38

Best,
Matthias

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Fri, 1 Feb 2019 17:08:44 +0000 (17:08 +0000)] 
core128: Ship AWS scripts again

It seems that this was missing in Core Update 125/126 so not all
bug fixes made it into the release.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Jonatan Schlag [Fri, 1 Feb 2019 11:52:45 +0000 (11:52 +0000)] 
Add new package borgbackup

Signed-off-by: Jonatan Schlag <jonatan.schlag@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Jonatan Schlag [Fri, 1 Feb 2019 11:52:44 +0000 (11:52 +0000)] 
Add new package python3-msgpack

Signed-off-by: Jonatan Schlag <jonatan.schlag@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Jonatan Schlag [Fri, 1 Feb 2019 11:52:43 +0000 (11:52 +0000)] 
Add new package python3-llfuse

Signed-off-by: Jonatan Schlag <jonatan.schlag@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Jonatan Schlag [Fri, 1 Feb 2019 11:52:42 +0000 (11:52 +0000)] 
Add new package python3-setuptools-scm

Signed-off-by: Jonatan Schlag <jonatan.schlag@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Jonatan Schlag [Fri, 1 Feb 2019 11:52:41 +0000 (11:52 +0000)] 
Add new package python3-setuptools

Signed-off-by: Jonatan Schlag <jonatan.schlag@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Stefan Schantl [Fri, 1 Feb 2019 13:34:25 +0000 (14:34 +0100)] 
suricata.yaml: Add port 222 to list of SSH Ports

The SSH-server listened on port "222" by default on IPFire in the past.

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Stefan Schantl [Thu, 31 Jan 2019 08:50:47 +0000 (09:50 +0100)] 
ids-functions.pl: Grab address for RED by using get_red_address() function.

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Stefan Schantl [Thu, 31 Jan 2019 08:41:35 +0000 (09:41 +0100)] 
ids-functions.pl: Add function to get the currently assigned IP-address of RED.

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Stefan Schantl [Thu, 31 Jan 2019 07:55:05 +0000 (08:55 +0100)] 
ids.cgi: Automatically download ruleset if the ruleset source has been changed.

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Michael Tremer [Wed, 30 Jan 2019 18:37:26 +0000 (18:37 +0000)] 
core128: Delete SSE2-optimised legacy OpenSSL libraries, too

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Stefan Schantl [Wed, 30 Jan 2019 12:43:38 +0000 (13:43 +0100)] 
initscripts/suricata: Generate firewall rules on start and reload

Fixes #11978

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Stefan Schantl [Wed, 30 Jan 2019 11:04:54 +0000 (12:04 +0100)] 
ids-functions.pl: Add RED address and aliases to the HOME_NET

Reference: #11981

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Stefan Schantl [Wed, 30 Jan 2019 10:57:49 +0000 (11:57 +0100)] 
ids-functions.pl: Add get_aliases()

This subfunction is used to get all configured and enabled aliases
for the RED network zone. They will be returned as an array.

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Stefan Schantl [Wed, 30 Jan 2019 09:57:31 +0000 (10:57 +0100)] 
update-ids-ruleset: Improve error reporting if the system is offline

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Stefan Schantl [Wed, 30 Jan 2019 09:53:17 +0000 (10:53 +0100)] 
ids.cgi: Dynamically generate SHOW/HIDE for expanding or collapsing a ruleset category

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Stefan Schantl [Wed, 30 Jan 2019 09:12:11 +0000 (10:12 +0100)] 
ids.cgi: Show IDS setting area only if a ruleset is present.

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Stefan Schantl [Wed, 30 Jan 2019 09:05:14 +0000 (10:05 +0100)] 
ids.cgi: Display the reason why a ruleset could not be downloaded if the system is offline.

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Stefan Schantl [Wed, 30 Jan 2019 08:57:49 +0000 (09:57 +0100)] 
ids.cgi: Also download the ruleset when saving the ruleset settings

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Stefan Schantl [Wed, 30 Jan 2019 08:42:28 +0000 (09:42 +0100)] 
ids.cgi: Add dropdown option for Emergingthreats.net Pro rules.

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Stefan Schantl [Wed, 30 Jan 2019 08:39:17 +0000 (09:39 +0100)] 
ids.cgi: Only show "update ruleset" button if a ruleset is present

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Stefan Schantl [Wed, 30 Jan 2019 08:33:47 +0000 (09:33 +0100)] 
ids.cgi: Draw daemon status and setting in the same box.

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Stefan Schantl [Wed, 30 Jan 2019 08:27:37 +0000 (09:27 +0100)] 
ids.cgi: Show/Hide subscription code area dynamically.

Dynamically (JavaScript) show/hide the area for entering the
subscription code / oinkcode based on the chosen ruleset.

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Stefan Schantl [Wed, 30 Jan 2019 08:25:34 +0000 (09:25 +0100)] 
ids.cgi: Remove help text for obtaining an oinkcode

This information is only valid for sourcefire (snort) rulesets, may
confuse users and therefore should be handled in the wiki.

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Michael Tremer [Tue, 29 Jan 2019 13:51:37 +0000 (13:51 +0000)] 
core128: Ship updated OpenSSL configuration files

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Erik Kapfer [Tue, 8 Jan 2019 19:33:32 +0000 (20:33 +0100)] 
del_rand: Deletion of RAND file in openssl config

Fixes #11943

Since the kernel RNG should do this, there is no need for this anymore.

Signed-off-by: Erik Kapfer <ummeegge@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Tue, 29 Jan 2019 12:03:37 +0000 (12:03 +0000)] 
suricata: Scan outgoing traffic, too

Connections from the firewall and through the proxy must be filtered, too

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Peter Müller [Wed, 23 Jan 2019 20:22:41 +0000 (21:22 +0100)] 
Suricata: drop unused cuda HW acceleration

As stated in https://bugzilla.ipfire.org/show_bug.cgi?id=11808#c5,
Cuda hardware acceleration is unused and so the configuration file
section can be removed.

This partially addresses #11808.

Signed-off-by: Peter Müller <peter.mueller@link38.eu>
Cc: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Stefan Schantl [Tue, 29 Jan 2019 10:23:54 +0000 (11:23 +0100)] 
Revert "Add DDNS to core 107."

This reverts commit 197033fab234d4698b097fdb1b653b8ae39b1aae.

Stefan Schantl [Tue, 29 Jan 2019 08:09:11 +0000 (09:09 +0100)] 
update-ids-ruleset: Set correct ownership for rulesdir and files

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Stefan Schantl [Tue, 29 Jan 2019 08:05:29 +0000 (09:05 +0100)] 
convert-snort: Use set_ownership() from ids-functions.pl

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Stefan Schantl [Tue, 29 Jan 2019 08:01:20 +0000 (09:01 +0100)] 
ruleset-sources: Add Emerging-Threats Pro ruleset

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>