From ebdd0f9a90da800cc6173f6f30fb0621dddc354b Mon Sep 17 00:00:00 2001
From: Stefan Schantl
Date: Thu, 20 Dec 2018 13:18:48 +0100
Subject: [PATCH] ids.cgi: Prevent from starting suricata without ruleset or selected network zone
Signed-off-by: Stefan Schantl
---
 html/cgi-bin/ids.cgi | 26 ++++++++++++++++++++++++++
 langs/de/cgi-bin/de.pl | 2 ++
 langs/en/cgi-bin/en.pl | 2 ++
 3 files changed, 30 insertions(+)
diff --git a/html/cgi-bin/ids.cgi b/html/cgi-bin/ids.cgi
index ae7f8b4273..90059e1799 100644
--- a/html/cgi-bin/ids.cgi
+++ b/html/cgi-bin/ids.cgi
@@ -493,6 +493,7 @@ if ($cgiparams{'RULESET'} eq $Lang::tr{'update'}) {
 } elsif ($cgiparams{'IDS'} eq $Lang::tr{'save'}) {
 	my %oldidssettings;
 	my $reload_page;
+	my $monitored_zones = 0;
 
 	# Read-in current (old) IDS settings.
 	&General::readhash("$IDS::settingsdir/settings", \%oldidssettings);
@@ -508,6 +509,31 @@ if ($cgiparams{'RULESET'} eq $Lang::tr{'update'}) {
 		}
 	}
 
+	# Check if the IDS should be enabled.
+	if ($cgiparams{'ENABLE_IDS'} eq "on") {
+		# Check if any ruleset is available. Otherwise abort and display an error.
+		unless(%idsrules) {
+			$errormessage = $Lang::tr{'ids no ruleset available'};
+		}
+
+		# Loop through the array of available interfaces.
+		foreach my $zone (@network_zones) {
+			# Convert interface name into upper case.
+			my $zone_upper = uc($zone);
+
+			# Check if the IDS is enabled for this interaces.
+			if ($cgiparams{"ENABLE_IDS_$zone_upper"}) {
+				# Increase count.
+				$monitored_zones++;
+			}
+		}
+
+		# Check if at least one zone should be monitored, or show an error.
+		unless ($monitored_zones >= 1) {
+			$errormessage = $Lang::tr{'ids no network zone'};
+		}
+	}
+
 	# Go on if there are no error messages.
 	if (!$errormessage) {
 		# Store settings into settings file.
diff --git a/langs/de/cgi-bin/de.pl b/langs/de/cgi-bin/de.pl
index e32c22fb68..f25074065d 100644
--- a/langs/de/cgi-bin/de.pl
+++ b/langs/de/cgi-bin/de.pl
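Review bot: The zone check at the end of the new block overwrites `$errormessage` when the ruleset check above it has already set it, so a user with neither a ruleset nor a monitored zone only ever sees the second message and has to resubmit to discover the first. Guarding the second assignment, `if (!$errormessage && $monitored_zones < 1) {`, keeps the first error visible; alternatively append to the message instead of assigning. The per-zone test `if ($cgiparams{"ENABLE_IDS_$zone_upper"}) {` accepts any non-empty value, while the `ENABLE_IDS` test a few lines earlier compares `eq "on"`; `if ($cgiparams{"ENABLE_IDS_$zone_upper"} eq "on") {` makes both checks treat the submitted form values the same way. The comment `# Check if the IDS is enabled for this interaces.` should read `interfaces`. The enclosing `elsif` branch opens in the previous hunk and continues past this one, and `%idsrules` and `@network_zones` are populated outside the hunk, so whether `%idsrules` reflects the rulesets actually on disk cannot be confirmed from here.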
@@ -1329,6 +1329,8 @@
 'ids active on' => 'Aktiv auf',
 'ids log viewer' => 'Ansicht IDS-Protokoll',
 'ids logs' => 'IDS-Protokolldateien',
+'ids no network zone' => 'Mindestends eine Netzwerk-Zone muss überwacht werden!',
+'ids no ruleset available' => 'Kein Regelset verfügbar, bitte downloaden Sie eines!',
 'ids preprocessor' => 'IDS-Präprozessor',
 'ids rules license' => 'Um Sourcefire VRT Zertifizierte Regeln zu nutzen, müssen Sie sich unter',
 'ids rules license1' => ' registrieren.',
diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl
index 09d7fa1c47..3b8ae2a70d 100644
--- a/langs/en/cgi-bin/en.pl
+++ b/langs/en/cgi-bin/en.pl
@@ -1359,6 +1359,8 @@
 'ids active on' => 'Active on',
 'ids log viewer' => 'IDS log viewer',
 'ids logs' => 'IDS Logs',
+'ids no network zone' => 'At least one network zone has to be monitored!';
+'ids no ruleset available' => 'No ruleset available, please download one!',
 'ids preprocessor' => 'IDS preprocessor',
 'ids rules license' => 'To utilize Sourcefire VRT Certified Rules, you need to register on',
 'ids rules license1' => '.',
-- 
2.39.2
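Review bot: The added `'ids no network zone'` entry in en.pl ends with a semicolon instead of a comma, which terminates the surrounding hash constructor early and makes the file fail to compile, taking down every CGI page that loads `$Lang::tr`. It should read `'ids no network zone' => 'At least one network zone has to be monitored!',`. The matching de.pl entry in the previous hunk uses a comma, so only the English file is affected.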