/var/ipfire/proxy
/var/ipfire/qos/*
/var/ipfire/qos/bin/qos.sh
+/var/ipfire/suricata/*.conf
+/var/ipfire/suricata/*.yaml
/var/ipfire/*/settings
/var/ipfire/time/
/var/ipfire/urlfilter
/var/ipfire/vpn
+/var/lib/suricata
/var/log/ip-acct/*
/var/log/rrd/*
/var/log/rrd/collectd
while (<FILE>)
{
chop;
+
+ # Skip comments.
+ next if ($_ =~ /\#/);
+
($var, $val) = split /=/, $_, 2;
if ($var)
{
--- /dev/null
+#!/usr/bin/perl -w
+############################################################################
+# #
+# This file is part of the IPFire Firewall. #
+# #
+# IPFire is free software; you can redistribute it and/or modify #
+# it under the terms of the GNU General Public License as published by #
+# the Free Software Foundation; either version 2 of the License, or #
+# (at your option) any later version. #
+# #
+# IPFire is distributed in the hope that it will be useful, #
+# but WITHOUT ANY WARRANTY; without even the implied warranty of #
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the #
+# GNU General Public License for more details. #
+# #
+# You should have received a copy of the GNU General Public License #
+# along with IPFire; if not, write to the Free Software #
+# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA #
+# #
+# Copyright (C) 2018 IPFire Team <info@ipfire.org>. #
+# #
+############################################################################
+
+package IDS;
+
+require '/var/ipfire/general-functions.pl';
+
+# Location where all config and settings files are stored.
+our $settingsdir = "${General::swroot}/suricata";
+
+# Location and name of the tarball which contains the ruleset.
+our $rulestarball = "/var/tmp/idsrules.tar.gz";
+
+# File to store any errors, which also will be read and displayed by the wui.
+our $storederrorfile = "/tmp/ids_storederror";
+
+# Location where the rulefiles are stored.
+our $rulespath = "/var/lib/suricata";
+
+# File which contains a list of all supported ruleset sources.
+# (Sourcefire, Emergingthreads, etc..)
+our $rulesetsourcesfile = "$settingsdir/ruleset-sources";
+
+# The pidfile of the IDS.
+our $idspidfile = "/var/run/suricata.pid";
+
+# Location of suricatactrl.
+my $suricatactrl = "/usr/local/bin/suricatactrl";
+
+# Array with allowed commands of suricatactrl.
+my @suricatactrl_cmds = ( 'start', 'stop', 'restart', 'reload', 'fix-rules-dir', 'cron' );
+
+# Array with supported cron intervals.
+my @cron_intervals = ('off', 'daily', 'weekly' );
+
+#
+## Function for checking if at least 300MB of free disk space are available
+## on the "/var" partition.
+#
+sub checkdiskspace () {
+ # Call diskfree to gather the free disk space of /var.
+ my @df = `/bin/df -B M /var`;
+
+ # Loop through the output.
+ foreach my $line (@df) {
+ # Ignore header line.
+ next if $line =~ m/^Filesystem/;
+
+ # Search for a line with the device information.
+ if ($line =~ m/dev/ ) {
+ # Split the line into single pieces.
+ my @values = split(' ', $line);
+ my ($filesystem, $blocks, $used, $available, $used_perenctage, $mounted_on) = @values;
+
+ # Check if the available disk space is more than 300MB.
+ if ($available < 300) {
+ # Log error to syslog.
+ &_log_to_syslog("Not enough free disk space on /var. Only $available MB from 300 MB available.");
+
+ # Exit function and return "1" - False.
+ return 1;
+ }
+ }
+ }
+
+ # Everything okay, return nothing.
+ return;
+}
+
+#
+## This function is responsible for downloading the configured snort ruleset.
+##
+## * At first it obtains from the stored snortsettings which ruleset should be downloaded.
+## * The next step is to get the download locations for all available rulesets.
+## * After that, the function will check if an upstream proxy should be used and grab the settings.
+## * The last step will be to generate the final download url, by obtaining the URL for the desired
+## ruleset, add the settings for the upstream proxy and final grab the rules tarball from the server.
+#
+sub downloadruleset {
+ # Get snort settings.
+ my %snortsettings=();
+ &General::readhash("$settingsdir/settings", \%snortsettings);
+
+ # Check if a ruleset has been configured.
+ unless($snortsettings{'RULES'}) {
+ # Log that no ruleset has been configured and abort.
+ &_log_to_syslog("No ruleset source has been configured.");
+
+ # Return "1".
+ return 1;
+ }
+
+ # Get all available ruleset locations.
+ my %rulesetsources=();
+ &General::readhash($rulesetsourcesfile, \%rulesetsources);
+
+ # Read proxysettings.
+ my %proxysettings=();
+ &General::readhash("${General::swroot}/proxy/settings", \%proxysettings);
+
+ # Load required perl module to handle the download.
+ use LWP::UserAgent;
+
+ # Init the download module.
+ my $downloader = LWP::UserAgent->new;
+
+ # Set timeout to 10 seconds.
+ $downloader->timeout(10);
+
+ # Check if an upstream proxy is configured.
+ if ($proxysettings{'UPSTREAM_PROXY'}) {
+ my ($peer, $peerport) = (/^(?:[a-zA-Z ]+\:\/\/)?(?:[A-Za-z0-9\_\.\-]*?(?:\:[A-Za-z0-9\_\.\-]*?)?\@)?([a-zA-Z0-9\.\_\-]*?)(?:\:([0-9]{1,5}))?(?:\/.*?)?$/);
+ my $proxy_url;
+
+ # Check if we got a peer.
+ if ($peer) {
+ $proxy_url = "http://";
+
+ # Check if the proxy requires authentication.
+ if (($proxysettings{'UPSTREAM_USER'}) && ($proxysettings{'UPSTREAM_PASSWORD'})) {
+ $proxy_url .= "$proxysettings{'UPSTREAM_USER'}\:$proxysettings{'UPSTREAM_PASSWORD'}\@";
+ }
+
+ # Add proxy server address and port.
+ $proxy_url .= "$peer\:$peerport";
+ } else {
+ # Log error message and break.
+ &_log_to_syslog("Could not proper configure the proxy server access.");
+
+ # Return "1" - false.
+ return 1;
+ }
+
+ # Setup proxy settings.
+ $downloader->proxy('http', $proxy_url);
+ }
+
+ # Grab the right url based on the configured vendor.
+ my $url = $rulesetsources{$snortsettings{'RULES'}};
+
+ # Check if the vendor requires an oinkcode and add it if needed.
+ $url =~ s/\<oinkcode\>/$snortsettings{'OINKCODE'}/g;
+
+ # Abort if no url could be determined for the vendor.
+ unless ($url) {
+ # Log error and abort.
+ &_log_to_syslog("Unable to gather a download URL for the selected ruleset.");
+ return 1;
+ }
+
+ # Pass the requested url to the downloader.
+ my $request = HTTP::Request->new(GET => $url);
+
+ # Perform the request and save the output into the "$rulestarball" file.
+ my $response = $downloader->request($request, $rulestarball);
+
+ # Check if there was any error.
+ unless ($response->is_success) {
+ # Obtain error.
+ my $error = $response->content;
+
+ # Log error message.
+ &_log_to_syslog("Unable to download the ruleset. \($error\)");
+
+ # Return "1" - false.
+ return 1;
+ }
+
+ # If we got here, everything worked fine. Return nothing.
+ return;
+}
+
+#
+## A tiny wrapper function to call the oinkmaster script.
+#
+sub oinkmaster () {
+ # Check if the files in rulesdir have the correct permissions.
+ &_check_rulesdir_permissions();
+
+ # Cleanup the rules directory before filling it with the new rulest.
+ &_cleanup_rulesdir();
+
+ # Load perl module to talk to the kernel syslog.
+ use Sys::Syslog qw(:DEFAULT setlogsock);
+
+ # Establish the connection to the syslog service.
+ openlog('oinkmaster', 'cons,pid', 'user');
+
+ # Call oinkmaster to generate ruleset.
+ open(OINKMASTER, "/usr/local/bin/oinkmaster.pl -v -s -u file://$rulestarball -C $settingsdir/oinkmaster.conf -o $rulespath|") or die "Could not execute oinkmaster $!\n";
+
+ # Log output of oinkmaster to syslog.
+ while(<OINKMASTER>) {
+ # The syslog function works best with an array based input,
+ # so generate one before passing the message details to syslog.
+ my @syslog = ("INFO", "$_");
+
+ # Send the log message.
+ syslog(@syslog);
+ }
+
+ # Close the pipe to oinkmaster process.
+ close(OINKMASTER);
+
+ # Close the log handle.
+ closelog();
+}
+
+#
+## Function to do all the logging stuff if the downloading or updating of the ruleset fails.
+#
+sub log_error ($) {
+ my ($error) = @_;
+
+ # Remove any newline.
+ chomp($error);
+
+ # Call private function to log the error message to syslog.
+ &_log_to_syslog($error);
+
+ # Call private function to write/store the error message in the storederrorfile.
+ &_store_error_message($error);
+}
+
+#
+## Function to log a given error message to the kernel syslog.
+#
+sub _log_to_syslog ($) {
+ my ($message) = @_;
+
+ # Load perl module to talk to the kernel syslog.
+ use Sys::Syslog qw(:DEFAULT setlogsock);
+
+ # The syslog function works best with an array based input,
+ # so generate one before passing the message details to syslog.
+ my @syslog = ("ERR", "<ERROR> $message");
+
+ # Establish the connection to the syslog service.
+ openlog('oinkmaster', 'cons,pid', 'user');
+
+ # Send the log message.
+ syslog(@syslog);
+
+ # Close the log handle.
+ closelog();
+}
+
+#
+## Private function to write a given error message to the storederror file.
+#
+sub _store_error_message ($) {
+ my ($message) = @_;
+
+ # Remove any newline.
+ chomp($message);
+
+ # Open file for writing.
+ open (ERRORFILE, ">$storederrorfile") or die "Could not write to $storederrorfile. $!\n";
+
+ # Write error to file.
+ print ERRORFILE "$message\n";
+
+ # Close file.
+ close (ERRORFILE);
+}
+
+#
+## Function to get a list of all available network zones.
+#
+sub get_available_network_zones () {
+ # Get netsettings.
+ my %netsettings = ();
+ &General::readhash("${General::swroot}/ethernet/settings", \%netsettings);
+
+ # Obtain the configuration type from the netsettings hash.
+ my $config_type = $netsettings{'CONFIG_TYPE'};
+
+ # Hash which contains the conversation from the config mode
+ # to the existing network interface names. They are stored like
+ # an array.
+ #
+ # Mode "0" red is a modem and green
+ # Mode "1" red is a netdev and green
+ # Mode "2" red, green and orange
+ # Mode "3" red, green and blue
+ # Mode "4" red, green, blue, orange
+ my %config_type_to_interfaces = (
+ "0" => [ "red", "green" ],
+ "1" => [ "red", "green" ],
+ "2" => [ "red", "green", "orange" ],
+ "3" => [ "red", "green", "blue" ],
+ "4" => [ "red", "green", "blue", "orange" ]
+ );
+
+ # Obtain and dereference the corresponding network interaces based on the read
+ # network config type.
+ my @network_zones = @{ $config_type_to_interfaces{$config_type} };
+
+ # Return them.
+ return @network_zones;
+}
+
+#
+## Function to check if the IDS is running.
+#
+sub ids_is_running () {
+ if(-f $idspidfile) {
+ # Open PID file for reading.
+ open(PIDFILE, "$idspidfile") or die "Could not open $idspidfile. $!\n";
+
+ # Grab the process-id.
+ my $pid = <PIDFILE>;
+
+ # Close filehandle.
+ close(PIDFILE);
+
+ # Remove any newline.
+ chomp($pid);
+
+ # Check if a directory for the process-id exists in proc.
+ if(-d "/proc/$pid") {
+ # The IDS daemon is running return the process id.
+ return $pid;
+ }
+ }
+
+ # Return nothing - IDS is not running.
+ return;
+}
+
+#
+## Function to call suricatactrl binary with a given command.
+#
+sub call_suricatactrl ($) {
+ # Get called option.
+ my ($option, $interval) = @_;
+
+ # Loop through the array of supported commands and check if
+ # the given one is part of it.
+ foreach my $cmd (@suricatactrl_cmds) {
+ # Skip current command unless the given one has been found.
+ next unless($cmd eq $option);
+
+ # Check if the given command is "cron".
+ if ($option eq "cron") {
+ # Check if an interval has been given.
+ if ($interval) {
+ # Check if the given interval is valid.
+ foreach my $element (@cron_intervals) {
+ # Skip current element until the given one has been found.
+ next unless($element eq $interval);
+
+ # Call the suricatactrl binary and pass the "cron" command
+ # with the requrested interval.
+ system("$suricatactrl $option $interval &>/dev/null");
+
+ # Return "1" - True.
+ return 1;
+ }
+ }
+
+ # If we got here, the given interval is not supported or none has been given. - Return nothing.
+ return;
+ } else {
+ # Call the suricatactrl binary and pass the requrested
+ # option to it.
+ system("$suricatactrl $option &>/dev/null");
+
+ # Return "1" - True.
+ return 1;
+ }
+ }
+
+ # Command not found - return nothing.
+ return;
+}
+
+#
+## Function to create a new empty file.
+#
+sub create_empty_file($) {
+ my ($file) = @_;
+
+ # Check if the given file exists.
+ if(-e $file) {
+ # Do nothing to prevent from overwriting existing files.
+ return;
+ }
+
+ # Open the file for writing.
+ open(FILE, ">$file") or die "Could not write to $file. $!\n";
+
+ # Close file handle.
+ close(FILE);
+
+ # Return true.
+ return 1;
+}
+
+#
+## Private function to check if the file permission of the rulespath are correct.
+## If not, call suricatactrl to fix them.
+#
+sub _check_rulesdir_permissions() {
+ # Check if the rulepath main directory is writable.
+ unless (-W $rulespath) {
+ # If not call suricatctrl to fix it.
+ &call_suricatactrl("fix-rules-dir");
+ }
+
+ # Open snort rules directory and do a directory listing.
+ opendir(DIR, $rulespath) or die $!;
+ # Loop through the direcory.
+ while (my $file = readdir(DIR)) {
+ # We only want files.
+ next unless (-f "$rulespath/$file");
+
+ # Check if the file is writable by the user.
+ if (-W "$rulespath/$file") {
+ # Everything is okay - go on to the next file.
+ next;
+ } else {
+ # There are wrong permissions, call suricatactrl to fix it.
+ &call_suricatactrl("fix-rules-dir");
+ }
+ }
+}
+
+#
+## Private function to cleanup the directory which contains
+## the IDS rules, before extracting and modifing the new ruleset.
+#
+sub _cleanup_rulesdir() {
+ # Open rules directory and do a directory listing.
+ opendir(DIR, $rulespath) or die $!;
+
+ # Loop through the direcory.
+ while (my $file = readdir(DIR)) {
+ # We only want files.
+ next unless (-f "$rulespath/$file");
+
+ # Skip element if it has config as file extension.
+ next if ($file =~ m/\.config$/);
+
+ # Delete the current processed file, if not, exit this function
+ # and return an error message.
+ unlink($rulespath/$file) or return "Could not delete $rulespath/$file. $!\n";
+ }
+
+ # Return nothing;
+ return;
+}
+
+1;
--- /dev/null
+# $Id: oinkmaster.conf,v 1.132 2006/02/02 12:05:08 andreas_o Exp $ #
+
+# This file is pretty big by default, but don't worry.
+# The only things required are "path" and "update_files". You must also
+# set "url" to point to the correct rules archive for your version of
+# Snort, unless you prefer to specify this on the command line.
+# The rest in here is just a few recommended defaults, and examples
+# how to use all the other optional features and give some ideas how they
+# could be used.
+
+# Remember not to let untrusted users edit Oinkmaster configuration
+# files, as things like the PATH to use during execution is defined
+# in here.
+
+
+# Use "url = <url>" to specify the location of the rules archive to
+# download. The url must begin with http://, https://, ftp://, file://
+# or scp:// and end with .tar.gz or .tgz, and the file must be a
+# gzipped tarball what contains a directory named "rules".
+# You can also point to a local directory with dir://<directory>.
+# Multiple "url = <url>" lines can be specified to grab multiple rules
+# archives from different locations.
+#
+# Note: if URL is specified on the command line, it overrides all
+# possible URLs specified in the configuration file(s).
+#
+# The location of the official Snort rules you should use depends
+# on which Snort version you run. Basically, you should go to
+# http://www.snort.org/rules/ and follow the instructions
+# there to pick the right URL for your version of Snort
+# (and remember to update the URL when upgrading Snort in the
+# future). You can of course also specify locations to third party
+# rules.
+#
+# As of March 2005, you must register on the Snort site to get access
+# to the official Snort rules. This will get you an "oinkcode".
+# You then specify the URL as
+# http://www.snort.org/pub-bin/oinkmaster.cgi/<oinkcode>/<filename>
+# For example, if your code is 5a081649c06a277e1022e1284b and
+# you use Snort 2.4, the url to use would be (without the wrap):
+# http://www.snort.org/pub-bin/oinkmaster.cgi/
+# 5a081649c06a277e1022e1284bdc8fabda70e2a4/snortrules-snapshot-2.4.tar.gz
+# See the Oinkmaster FAQ Q1 and http://www.snort.org/rules/ for
+# more information.
+
+
+# URL examples follows. Replace <oinkcode> with the code you get on the
+# Snort site in your registered user profile.
+
+# Example for Snort 2.4
+# url = http://www.snort.org/pub-bin/oinkmaster.cgi/<oinkcode>/snortrules-snapshot-2.4.tar.gz
+# url = http://www.snort.org/pub-bin/oinkmaster.cgi/<oinkcode>/snortrules-snapshot-2.4.tar.gz
+
+# Example for Snort-current ("current" means cvs snapshots).
+#url = http://www.snort.org/pub-bin/oinkmaster.cgi/<oinkcode>/snortrules-snapshot-CURRENT.tar.gz
+
+# Example for Community rules
+# url = http://www.snort.org/pub-bin/downloads.cgi/Download/comm_rules/Community-Rules.tar.gz
+
+# Example for rules from the Bleeding Snort project
+# url = http://www.bleedingsnort.com/bleeding.rules.tar.gz
+
+# If you prefer to download the rules archive from outside Oinkmaster,
+# you can then point to the file on your local filesystem by using
+# file://<filename>, for example:
+# url = file:///tmp/snortrules.tar.gz
+
+# In rare cases you may want to grab the rules directly from a
+# local directory (don't confuse this with the output directory).
+# url = dir:///etc/snort/src/rules
+
+# Example to use scp to copy the rules archive from another host.
+# Only OpenSSH is tested. See the FAQ for more information.
+# url = scp://user@somehost.example.com:/somedir/snortrules.tar.gz
+
+# If you use -u scp://... and need to specify a private ssh key (passed
+# as -i <key> to the scp command) you can specify it here or add an
+# entry in ~/.ssh/config for the Oinkmaster user as described in the
+# OpenSSH manual.
+# scp_key = /home/oinkmaster/oinkmaster_privkey
+
+
+# The PATH to use during execution. If you prefer to use external
+# binaries (i.e. use_external_bins=1, see below), tar and gzip must be
+# found, and also wget if downloading via ftp, http or https. All with
+# optional .exe suffix. If you're on Cygwin, make sure that the path
+# contains the Cygwin binaries and not the native Win32 binaries or
+# you will get problems.
+# Assume UNIX style by default:
+path = /bin:/usr/bin:/usr/local/bin
+
+# Example if running native Win32 or standalone Cygwin:
+# path = c:\oinkmaster;c:\oinkmaster\bin
+
+# Example if running standalone Cygwin and you prefer Cygwin style path:
+# path = /cygdrive/c/oinkmaster:/cygdrive/c/oinkmaster/bin
+
+
+# We normally use external binaries (wget, tar and gzip) since they're
+# already available on most systems and do a good job. If you have the
+# Perl modules Archive::Tar, IO::Zlib and LWP::UserAgent, you can use
+# those instead if you like. You can set use_external_bins below to
+# choose which method you prefer. It's set to 0 by default on Win32
+# (i.e. use Perl modules), and 1 on other systems (i.e. use external
+# binaries). The reason for that is that the required Perl modules
+# are included on Windows/ActivePerl 5.8.1+, so it's easier to use
+# those than to install the ported Unix tools. (Note that if you're
+# using scp to download the archive, external scp binary is still
+# used.)
+# use_external_bins = 0
+
+
+# Temporary directory to use. This directory must exist when starting and
+# Oinkmaster will then create a temporary sub directory in here.
+# Keep it as a #comment if you want to use the default.
+# The default will be checked for in the environment variables TMP,
+# TMPDIR or TEMPDIR, or otherwise use "/tmp" if none of them was set.
+
+# Example for UNIX.
+# tmpdir = /home/oinkmaster/tmp/
+
+# Example if running native Win32 or Cygwin.
+# tmpdir = c:\tmp
+
+# Example if running Cygwin and you prefer Cygwin style path.
+# tmpdir = /cygdrive/c/tmp
+
+
+# The umask to use during execution if you want it to be something
+# else than the current value when starting Oinkmaster.
+# This will affect the mode bits when writing new files.
+# Keep it commented out to keep your system's current umask.
+# umask = 0027
+
+
+# Files in the archive(s) matching this regular expression will be
+# checked for changes, and then updated or added if needed.
+# All other files will be ignored. You can then choose to skip
+# individual files by specifying the "skipfile" keyword below.
+# Normally you shouldn't need to change this one.
+update_files = \.rules$|\.config$|\.conf$|\.txt$|\.map$
+
+
+# Regexp of keywords that starts a Snort rule.
+# May be useful if you create your own ruletypes and want those
+# lines to be regarded as rules as well.
+# rule_actions = alert|drop|log|pass|reject|sdrop|activate|dynamic
+
+
+# If the number of rules files in the downloaded archive matching the
+# 'update_files' regexp is below min_files, or if the number
+# of rules is below min_rules, the rules are regarded as broken
+# and the update is aborted with an error message.
+# Both are set to 1 by default (i.e. the archive is only regarded as
+# broken if it's totally empty).
+# If you download from multiple URLs, the count is the total number
+# of files/rules across all archives.
+# min_files = 1
+# min_rules = 1
+
+
+# By default, a basic sanity check is performed on most paths/filenames
+# to see if they contain illegal characters that may screw things up.
+# If this check is too strict for your system (e.g. you get bogus
+# "illegal characters in filename" errors because of your local language
+# etc) and you're sure you want to disable the checks completely,
+# set use_path_checks to 0.
+# use_path_checks = 1
+
+
+# If you want Oinkmaster to send a User-Agent HTTP header string
+# other than the default one for wget/LWP, set this variable.
+# user_agent = Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
+
+
+# You can include other files anywhere in here by using
+# "include <file>". <file> will be parsed just like a regular
+# oinkmaster.conf as soon as the include statement is seen, and then
+# return and continue parsing the rest of the original file. If an
+# option is redefined, it will override the previous value. You can use
+# as many "include" statements as you wish, and also include even more
+# files from included files. Example to load stuff from "/etc/foo.conf".
+# include /etc/foo.conf
+
+# Include file for enabled sids.
+include /var/ipfire/suricata/oinkmaster-enabled-sids.conf
+
+# Include file for disabled sids.
+include /var/ipfire/suricata/oinkmaster-disabled-sids.conf
+
+# Include file which defines the runmode of suricata.
+include /var/ipfire/suricata/oinkmaster-modify-sids.conf
+
+#######################################################################
+# Files to totally skip (i.e. never update or check for changes) #
+# #
+# Syntax: skipfile filename #
+# or: skipfile filename1, filename2, filename3, ... #
+#######################################################################
+
+# Ignore local.rules from the rules archive by default since we might
+# have put some local rules in our own local.rules and we don't want it
+# to get overwritten by the empty one from the archive after each
+# update.
+skipfile local.rules
+
+# The file deleted.rules contains rules that have been deleted from
+# other files, so there is usually no point in updating it.
+skipfile deleted.rules
+
+# Also skip snort.conf by default since we don't want to overwrite our
+# own snort.conf if we have it in the same directory as the rules. If
+# you have your own production copy of snort.conf in another directory,
+# it may be really nice to check for changes in this file though,
+# especially since variables are sometimes added or modified and
+# new/old files are included/excluded.
+#skipfile snort.conf
+
+# You may want to consider ignoring threshold.conf for the same reasons
+# as for snort.conf, i.e. if you customize it locally and don't want it
+# to become overwritten by the default one. It may be better to put
+# local thresholding/suppressing in some local file and still update
+# and use the official one though, in case important stuff is added to
+# it some day. We do update it by default, but it's your call.
+# skipfile threshold.conf
+
+# If you update from multiple URLs at the same time you may need to
+# ignore the sid-msg.map (and generate it yourself if you need one) as
+# it's usually included in each rules tarball. See the FAQ for more info.
+# skipfile sid-msg.map
+
+
+
+##########################################################################
+# SIDs to modify after each update (only for the skilled/stupid/brave). #
+# Don't use it unless you have to. There is nothing that stops you from #
+# modifying rules in such ways that they become invalid or generally #
+# break things. You have been warned. #
+# If you just want to disable SIDs, please skip this section and have a #
+# look at the "disablesid" keyword below. #
+# #
+# You may specify multiple modifysid directives for the same SID (they #
+# will be processed in order of appearance), and you may also specify a #
+# list of SIDs on which the substitution should be applied. #
+# If the argument is in the form something.something it's regarded #
+# as a filename and the substitution will apply on all rules in that #
+# file. The wildcard ("*") can be used to apply the substitution on all #
+# rules regardless of the SID or file. Please avoid using #comments #
+# at the end of modifysid lines, they may confuse the parser in some #
+# situations. #
+# #
+# Syntax: #
+# modifysid SID "replacethis" | "withthis" #
+# or: #
+# modifysid SID1, SID2, SID3, ... "replacethis" | "withthis" #
+# or: #
+# modifysid file "replacethis" | "withthis" #
+# or: #
+# modifysid * "replacethis" | "withthis" #
+# #
+# The strings within the quotes will basically be passed to a #
+# s/replacethis/withthis/ statement in Perl, so they must be valid #
+# regular expressions. The strings are case-insensitive and only the #
+# first occurrence will be replaced. If there are multiple occurrences #
+# you want to replace, simply repeat the same modifysid line. #
+# As the strings are regular expressions, you MUST escape special #
+# characters like $ \ / ( ) | by prepending a "\" to them. #
+# #
+# If you specify a modifysid statement for a multi-line rule, Oinkmaster #
+# will first translate the rule into a single-line version and then #
+# perform the substitution, so you don't have to care about the trailing #
+# backslashes and newlines. #
+# #
+# If you use backreference variables in the substitution expression, #
+# it's strongly recommended to specify them as ${1} instead of $1 and so #
+# on, to avoid parsing confusion with unexpected results in some #
+# situations. Note that modifysid statements will process both active #
+# and inactive (disabled) rules. #
+# #
+# You may want to check out README.templates and template-examples.conf #
+# to find how you can simplify the modifysid usage by using templates. #
+##########################################################################
+
+# Example to enable a rule (in this case SID 1325) that is disabled by
+# default, by simply replacing leading "#alert" with "alert".
+# (You should really use 'enablesid' for this though.)
+# Oinkmaster removes whitespaces next to the leading "#" so you don't
+# have to worry about that, but be careful about possible whitespace in
+# other places when writing the regexps.
+# modifysid 1325 "^#alert" | "alert"
+
+# You could also do this to enable it no matter what type of rule it is
+# (alert, log, pass, etc).
+# modifysid 1325 "^#" | ""
+
+# Example to add "tag" stuff to SID 1325.
+# modifysid 1325 "sid:1325;" | "sid:1325; tag: host, src, 300, seconds;"
+
+# Example to make SID 1378 a 'drop' rule (valid if you're running
+# Snort_inline).
+# modifysid 1378 "^alert" | "drop"
+
+# Example to replace first occurrence of $EXTERNAL_NET with $HOME_NET
+# in SID 302.
+# modifysid 302 "\$EXTERNAL_NET" | "\$HOME_NET"
+
+# You can also specify that a substitution should apply on multiple SIDs.
+# modifysid 302,429,1821 "\$EXTERNAL_NET" | "\$HOME_NET"
+
+# You can take advantage of the fact that it's regular expressions and
+# do more complex stuff. This example (for Snort_inline) adds a 'replace'
+# statement to SID 1324 that replaces "/bin/sh" with "/foo/sh".
+# modifysid 1324 "(content\s*:\s*"\/bin\/sh"\s*;)" | \
+# "${1} replace:"\/foo\/sh";"
+
+# If you for some reason would like to add a comment inside the actual
+# rules file, like the reason why you disabled this rule, you can do
+# like this (you would normally add such comments in oinkmaster.conf
+# though).
+# modifysid 1324 "(.+)" | "# 20020101: disabled this rule just for fun:\n#${1}"
+
+# Here is an example that is actually useful. Let's say you don't care
+# about incoming welchia pings (detected by SID 483 at the time of
+# writing) but you want to know when infected hosts on your network
+# scans hosts on the outside. (Remember that watching for outgoing
+# malicious packets is often just as important as watching for incoming
+# ones, especially in this case.) The rule currently looks like
+# "alert icmp $EXTERNAL_NET any -> $HOME_NET any ..."
+# but we want to switch that so it becomes
+# "alert icmp $HOME_NET any -> $EXTERNAL_NET any ...".
+# Here is how it could be done.
+# modifysid 483 \
+# "(.+) \$EXTERNAL_NET (.+) \$HOME_NET (.+)" | \
+# "${1} \$HOME_NET ${2} \$EXTERNAL_NET ${3}"
+
+# The wildcard (modifysid * ...) can be used to do all kinds of
+# interesting things. The substitution expression will be applied on all
+# matching rules. First, a silly example to replace "foo" with "bar" in
+# all rules (that have the string "foo" in them, that is.)
+# modifysid * "foo" | "bar"
+
+# If you for some reason don't want to use the stream preprocessor to
+# match established streams, you may want to replace the 'flow'
+# statement with 'flags:A+;' in all those rules.
+# modifysid * "flow:[a-z,_ ]+;" | "flags:A+;"
+
+# Example to convert all rules of classtype attempted-admin to 'drop'
+# rules (for Snort_inline only, obviously).
+# modifysid * "^alert (.*classtype\s*:\s*attempted-admin)" | "drop ${1}"
+
+# This one will append some text to the 'msg' string for all rules that
+# have the 'tag' keyword in them.
+# modifysid * "(.*msg:\s*".+?)"(\s*;.+;\s*tag:.*)" | \
+# "${1}, going to tag this baby"${2}"
+
+# There may be times when you want to replace multiple occurrences of a
+# certain keyword/string in a rule and not just the first one. To
+# replace the first two occurrences of "foo" with "bar" in SID 100,
+# simply repeat the modifysid statement:
+# modifysid 100 "foo" | "bar"
+# modifysid 100 "foo" | "bar"
+
+# Or you can even specify a SID list but repeat the same SID as many
+# times as required, like:
+# modifysid 100,100,100 "foo" | "bar"
+
+# Enable all rules in the file exploit.rules.
+# modifysid exploit.rules "^#" | ""
+
+# Enable all rules in exploit.rules, icmp-info.rules and also SID 1171.
+# modifysid exploit.rules, snmp.rules, 1171 "^#" | ""
+
+
+
+########################################################################
+# SIDs that we don't want to update. #
+# If you for some reason don't want a specific rule to be updated #
+# (e.g. you made local modifications to it and you never want to #
+# update it and don't care about changes in the official version), you #
+# can specify a "localsid" statement for it. This means that the old #
+# version of the rule (i.e. the one in the rules file on your #
+# harddrive) is always kept, regardless if the official version has #
+# been updated. Please do not use this feature unless in special #
+# cases as it's easy to end up with many signatures that aren't #
+# maintained anymore. See the FAQ for details about this and hints #
+# about better solutions regarding customization of rules. #
+# #
+# Syntax: localsid SID #
+# or: localsid SID1, SID2, SID3, ... #
+########################################################################
+
+# Example to never update SID 1325.
+# localsid 1325
+
+
+
+########################################################################
+# SIDs to enable after each update. #
+# Will simply remove all the leading '#' for a specified SID (if it's #
+# a multi-line rule, the leading '#' for all lines are removed.) #
+# These will be processed after all the modifysid and disablesid #
+# statements. Using 'enablesid' on a rule that is not disabled is a #
+# NOOP. #
+# #
+# Syntax: enablesid SID #
+# or: enablesid SID1, SID2, SID3, ... #
+########################################################################
+
+# Example to enable SID 1325.
+# enablesid 1325
+
+
+
+########################################################################
+# SIDs to comment out, i.e. disable, after each update by placing a #
+# '#' in front of the rule (if it's a multi-line rule, it will be put #
+# in front of all lines). #
+# #
+# Syntax: disablesid SID #
+# or: disablesid SID1, SID2, SID3, ... #
+########################################################################
+
+# You can specify one SID per line.
+# disablesid 1
+# disablesid 2
+# disablesid 3
+
+# And also as comma-separated lists.
+# disablesid 4,5,6
+
+# It's a good idea to also add comment about why you disable the sid:
+# disablesid 1324 # 20020101: disabled this SID just because I can
etc/rc.d/init.d/networking/red.up/10-multicast
etc/rc.d/init.d/networking/red.up/10-static-routes
etc/rc.d/init.d/networking/red.up/20-firewall
-etc/rc.d/init.d/networking/red.up/23-RS-snort
+etc/rc.d/init.d/networking/red.up/23-RS-suricata
etc/rc.d/init.d/networking/red.up/24-RS-qos
etc/rc.d/init.d/networking/red.up/27-RS-squid
etc/rc.d/init.d/networking/red.up/30-ddns
etc/rc.d/init.d/sendsignals
etc/rc.d/init.d/setclock
etc/rc.d/init.d/smartenabler
-etc/rc.d/init.d/snort
etc/rc.d/init.d/squid
etc/rc.d/init.d/sshd
etc/rc.d/init.d/static-routes
+etc/rc.d/init.d/suricata
etc/rc.d/init.d/swap
etc/rc.d/init.d/swconfig
etc/rc.d/init.d/sysctl
etc/rc.d/rc0.d/K47setclock
etc/rc.d/rc0.d/K49cyrus-sasl
etc/rc.d/rc0.d/K51vnstat
-etc/rc.d/rc0.d/K78snort
+etc/rc.d/rc0.d/K78suricata
etc/rc.d/rc0.d/K79leds
etc/rc.d/rc0.d/K79unbound
etc/rc.d/rc0.d/K80network
etc/rc.d/rc6.d/K47setclock
etc/rc.d/rc6.d/K49cyrus-sasl
etc/rc.d/rc6.d/K51vnstat
-etc/rc.d/rc6.d/K78snort
+etc/rc.d/rc6.d/K78suricata
etc/rc.d/rc6.d/K79leds
etc/rc.d/rc6.d/K79unbound
etc/rc.d/rc6.d/K80network
etc/rc.d/init.d/networking/red.up/10-multicast
etc/rc.d/init.d/networking/red.up/10-static-routes
etc/rc.d/init.d/networking/red.up/20-firewall
-etc/rc.d/init.d/networking/red.up/23-RS-snort
+etc/rc.d/init.d/networking/red.up/23-RS-suricata
etc/rc.d/init.d/networking/red.up/24-RS-qos
etc/rc.d/init.d/networking/red.up/27-RS-squid
etc/rc.d/init.d/networking/red.up/30-ddns
etc/rc.d/init.d/sendsignals
etc/rc.d/init.d/setclock
etc/rc.d/init.d/smartenabler
-etc/rc.d/init.d/snort
etc/rc.d/init.d/squid
etc/rc.d/init.d/sshd
etc/rc.d/init.d/static-routes
+etc/rc.d/init.d/suricata
etc/rc.d/init.d/swap
etc/rc.d/init.d/swconfig
etc/rc.d/init.d/sysctl
etc/rc.d/rc0.d/K47setclock
etc/rc.d/rc0.d/K49cyrus-sasl
etc/rc.d/rc0.d/K51vnstat
-etc/rc.d/rc0.d/K78snort
+etc/rc.d/rc0.d/K78suricata
etc/rc.d/rc0.d/K79leds
etc/rc.d/rc0.d/K79unbound
etc/rc.d/rc0.d/K80network
etc/rc.d/rc6.d/K47setclock
etc/rc.d/rc6.d/K49cyrus-sasl
etc/rc.d/rc6.d/K51vnstat
-etc/rc.d/rc6.d/K78snort
+etc/rc.d/rc6.d/K78suricata
etc/rc.d/rc6.d/K79leds
etc/rc.d/rc6.d/K79unbound
etc/rc.d/rc6.d/K80network
var/ipfire/geoip-functions.pl
var/ipfire/graphs.pl
var/ipfire/header.pl
+var/ipfire/ids-functions.pl
var/ipfire/isdn
#var/ipfire/isdn/settings
var/ipfire/key
#var/ipfire/remote/settings
var/ipfire/sensors
#var/ipfire/sensors/settings
-var/ipfire/snort
-#var/ipfire/snort/settings
+var/ipfire/suricata
+#var/ipfire/suricata/settings
var/ipfire/time
#var/ipfire/time/settings
var/ipfire/updatexlrator
+++ /dev/null
-#usr/bin/daq-modules-config
-#usr/include/daq.h
-#usr/include/daq_api.h
-#usr/include/daq_common.h
-#usr/include/sfbpf.h
-#usr/include/sfbpf_dlt.h
-usr/lib/daq
-#usr/lib/daq/daq_afpacket.la
-#usr/lib/daq/daq_afpacket.so
-#usr/lib/daq/daq_dump.la
-#usr/lib/daq/daq_dump.so
-#usr/lib/daq/daq_ipfw.la
-#usr/lib/daq/daq_ipfw.so
-#usr/lib/daq/daq_ipq.la
-#usr/lib/daq/daq_ipq.so
-#usr/lib/daq/daq_nfq.la
-#usr/lib/daq/daq_nfq.so
-#usr/lib/daq/daq_pcap.la
-#usr/lib/daq/daq_pcap.so
-#usr/lib/libdaq.a
-#usr/lib/libdaq.la
-#usr/lib/libdaq.so
-usr/lib/libdaq.so.2
-usr/lib/libdaq.so.2.0.4
-#usr/lib/libdaq_static.a
-#usr/lib/libdaq_static.la
-#usr/lib/libdaq_static_modules.a
-#usr/lib/libdaq_static_modules.la
-#usr/lib/libsfbpf.a
-#usr/lib/libsfbpf.la
-#usr/lib/libsfbpf.so
-usr/lib/libsfbpf.so.0
-usr/lib/libsfbpf.so.0.0.1
etc/rc.d/init.d/networking/red.up/10-multicast
etc/rc.d/init.d/networking/red.up/10-static-routes
etc/rc.d/init.d/networking/red.up/20-firewall
-etc/rc.d/init.d/networking/red.up/23-RS-snort
+etc/rc.d/init.d/networking/red.up/23-RS-suricata
etc/rc.d/init.d/networking/red.up/24-RS-qos
etc/rc.d/init.d/networking/red.up/27-RS-squid
etc/rc.d/init.d/networking/red.up/30-ddns
etc/rc.d/init.d/sendsignals
etc/rc.d/init.d/setclock
etc/rc.d/init.d/smartenabler
-etc/rc.d/init.d/snort
etc/rc.d/init.d/squid
etc/rc.d/init.d/sshd
etc/rc.d/init.d/static-routes
+etc/rc.d/init.d/suricata
etc/rc.d/init.d/swap
etc/rc.d/init.d/sysctl
etc/rc.d/init.d/sysklogd
etc/rc.d/rc0.d/K47setclock
etc/rc.d/rc0.d/K49cyrus-sasl
etc/rc.d/rc0.d/K51vnstat
-etc/rc.d/rc0.d/K78snort
+etc/rc.d/rc0.d/K78suricata
etc/rc.d/rc0.d/K79leds
etc/rc.d/rc0.d/K79unbound
etc/rc.d/rc0.d/K80network
etc/rc.d/rc6.d/K47setclock
etc/rc.d/rc6.d/K49cyrus-sasl
etc/rc.d/rc6.d/K51vnstat
-etc/rc.d/rc6.d/K78snort
+etc/rc.d/rc6.d/K78suricata
etc/rc.d/rc6.d/K79leds
etc/rc.d/rc6.d/K79unbound
etc/rc.d/rc6.d/K80network
--- /dev/null
+/var/ipfire/suricata/ruleset-sources
--- /dev/null
+#usr/include/htp
+#usr/include/htp/bstr.h
+#usr/include/htp/bstr_builder.h
+#usr/include/htp/htp.h
+#usr/include/htp/htp_base64.h
+#usr/include/htp/htp_config.h
+#usr/include/htp/htp_connection_parser.h
+#usr/include/htp/htp_core.h
+#usr/include/htp/htp_decompressors.h
+#usr/include/htp/htp_hooks.h
+#usr/include/htp/htp_list.h
+#usr/include/htp/htp_multipart.h
+#usr/include/htp/htp_table.h
+#usr/include/htp/htp_transaction.h
+#usr/include/htp/htp_urlencoded.h
+#usr/include/htp/htp_utf8_decoder.h
+#usr/include/htp/htp_version.h
+#usr/lib/libhtp.la
+#usr/lib/libhtp.so
+usr/lib/libhtp.so.2
+usr/lib/libhtp.so.2.0.0
+#usr/lib/pkgconfig/htp.pc
#usr/local/bin/sambactrl
usr/local/bin/setaliases
usr/local/bin/smartctrl
-usr/local/bin/snortctrl
usr/local/bin/squidctrl
+usr/local/bin/suricatactrl
usr/local/bin/sshctrl
usr/local/bin/syslogdctrl
usr/local/bin/timectrl
usr/local/bin/oinkmaster.pl
-var/ipfire/snort/oinkmaster.conf
+var/ipfire/suricata/oinkmaster.conf
+++ /dev/null
-#etc/snort
-etc/snort/rules
-#etc/snort/rules/classification.config
-#etc/snort/rules/reference.config
-etc/snort/snort.conf
-etc/snort/snort.conf.template
-etc/snort/unicode.map
-usr/bin/u2boat
-usr/bin/u2spewfoo
-#usr/include/snort
-#usr/include/snort/dynamic_output
-#usr/include/snort/dynamic_output/bitop.h
-#usr/include/snort/dynamic_output/ipv6_port.h
-#usr/include/snort/dynamic_output/obfuscation.h
-#usr/include/snort/dynamic_output/output_api.h
-#usr/include/snort/dynamic_output/output_common.h
-#usr/include/snort/dynamic_output/output_lib.h
-#usr/include/snort/dynamic_output/preprocids.h
-#usr/include/snort/dynamic_output/sfPolicy.h
-#usr/include/snort/dynamic_output/sf_dynamic_common.h
-#usr/include/snort/dynamic_output/sf_ip.h
-#usr/include/snort/dynamic_output/sf_protocols.h
-#usr/include/snort/dynamic_output/sf_snort_packet.h
-#usr/include/snort/dynamic_output/sfrt.h
-#usr/include/snort/dynamic_output/sfrt_dir.h
-#usr/include/snort/dynamic_output/sfrt_trie.h
-#usr/include/snort/dynamic_output/snort_debug.h
-#usr/include/snort/dynamic_output/stream_api.h
-#usr/include/snort/dynamic_preproc
-#usr/include/snort/dynamic_preproc/appdata_adjuster.h
-#usr/include/snort/dynamic_preproc/bitop.h
-#usr/include/snort/dynamic_preproc/cpuclock.h
-#usr/include/snort/dynamic_preproc/file_api.h
-#usr/include/snort/dynamic_preproc/idle_processing.h
-#usr/include/snort/dynamic_preproc/ipv6_port.h
-#usr/include/snort/dynamic_preproc/mempool.h
-#usr/include/snort/dynamic_preproc/mpse_methods.h
-#usr/include/snort/dynamic_preproc/obfuscation.h
-#usr/include/snort/dynamic_preproc/packet_time.h
-#usr/include/snort/dynamic_preproc/perf_indicators.h
-#usr/include/snort/dynamic_preproc/preprocids.h
-#usr/include/snort/dynamic_preproc/profiler.h
-#usr/include/snort/dynamic_preproc/reg_test.h
-#usr/include/snort/dynamic_preproc/reload_api.h
-#usr/include/snort/dynamic_preproc/segment_mem.h
-#usr/include/snort/dynamic_preproc/session_api.h
-#usr/include/snort/dynamic_preproc/sfPolicy.h
-#usr/include/snort/dynamic_preproc/sfPolicyUserData.h
-#usr/include/snort/dynamic_preproc/sf_decompression.h
-#usr/include/snort/dynamic_preproc/sf_dynamic_common.h
-#usr/include/snort/dynamic_preproc/sf_dynamic_define.h
-#usr/include/snort/dynamic_preproc/sf_dynamic_engine.h
-#usr/include/snort/dynamic_preproc/sf_dynamic_meta.h
-#usr/include/snort/dynamic_preproc/sf_dynamic_preproc_lib.h
-#usr/include/snort/dynamic_preproc/sf_dynamic_preprocessor.h
-#usr/include/snort/dynamic_preproc/sf_ip.h
-#usr/include/snort/dynamic_preproc/sf_preproc_info.h
-#usr/include/snort/dynamic_preproc/sf_protocols.h
-#usr/include/snort/dynamic_preproc/sf_sdlist_types.h
-#usr/include/snort/dynamic_preproc/sf_seqnums.h
-#usr/include/snort/dynamic_preproc/sf_snort_packet.h
-#usr/include/snort/dynamic_preproc/sf_snort_plugin_api.h
-#usr/include/snort/dynamic_preproc/sfcommon.h
-#usr/include/snort/dynamic_preproc/sfcontrol.h
-#usr/include/snort/dynamic_preproc/sfrt.h
-#usr/include/snort/dynamic_preproc/sfrt_dir.h
-#usr/include/snort/dynamic_preproc/sfrt_flat.h
-#usr/include/snort/dynamic_preproc/sfrt_flat_dir.h
-#usr/include/snort/dynamic_preproc/sfrt_trie.h
-#usr/include/snort/dynamic_preproc/sidechannel_define.h
-#usr/include/snort/dynamic_preproc/snort_bounds.h
-#usr/include/snort/dynamic_preproc/snort_debug.h
-#usr/include/snort/dynamic_preproc/ssl.h
-#usr/include/snort/dynamic_preproc/ssl_config.h
-#usr/include/snort/dynamic_preproc/ssl_ha.h
-#usr/include/snort/dynamic_preproc/ssl_include.h
-#usr/include/snort/dynamic_preproc/ssl_inspect.h
-#usr/include/snort/dynamic_preproc/ssl_session.h
-#usr/include/snort/dynamic_preproc/str_search.h
-#usr/include/snort/dynamic_preproc/stream_api.h
-#usr/lib/pkgconfig/snort.pc
-#usr/lib/pkgconfig/snort_output.pc
-#usr/lib/pkgconfig/snort_preproc.pc
-#usr/lib/snort
-usr/lib/snort/dynamic_output
-#usr/lib/snort/dynamic_output/libsf_dynamic_output.a
-#usr/lib/snort/dynamic_output/libsf_dynamic_output.la
-usr/lib/snort/dynamic_preproc
-#usr/lib/snort/dynamic_preproc/libsf_dynamic_preproc.a
-#usr/lib/snort/dynamic_preproc/libsf_dynamic_preproc.la
-#usr/lib/snort/dynamic_preproc/libsf_dynamic_utils.a
-#usr/lib/snort/dynamic_preproc/libsf_dynamic_utils.la
-usr/lib/snort_dynamicengine
-#usr/lib/snort_dynamicengine/libsf_engine.a
-#usr/lib/snort_dynamicengine/libsf_engine.la
-#usr/lib/snort_dynamicengine/libsf_engine.so
-#usr/lib/snort_dynamicengine/libsf_engine.so.0
-#usr/lib/snort_dynamicengine/libsf_engine.so.0.0.0
-usr/lib/snort_dynamicpreprocessor
-#usr/lib/snort_dynamicpreprocessor/libsf_dce2_preproc.a
-#usr/lib/snort_dynamicpreprocessor/libsf_dce2_preproc.la
-#usr/lib/snort_dynamicpreprocessor/libsf_dce2_preproc.so
-#usr/lib/snort_dynamicpreprocessor/libsf_dce2_preproc.so.0
-#usr/lib/snort_dynamicpreprocessor/libsf_dce2_preproc.so.0.0.0
-#usr/lib/snort_dynamicpreprocessor/libsf_dnp3_preproc.a
-#usr/lib/snort_dynamicpreprocessor/libsf_dnp3_preproc.la
-#usr/lib/snort_dynamicpreprocessor/libsf_dnp3_preproc.so
-#usr/lib/snort_dynamicpreprocessor/libsf_dnp3_preproc.so.0
-#usr/lib/snort_dynamicpreprocessor/libsf_dnp3_preproc.so.0.0.0
-#usr/lib/snort_dynamicpreprocessor/libsf_dns_preproc.a
-#usr/lib/snort_dynamicpreprocessor/libsf_dns_preproc.la
-#usr/lib/snort_dynamicpreprocessor/libsf_dns_preproc.so
-#usr/lib/snort_dynamicpreprocessor/libsf_dns_preproc.so.0
-#usr/lib/snort_dynamicpreprocessor/libsf_dns_preproc.so.0.0.0
-#usr/lib/snort_dynamicpreprocessor/libsf_ftptelnet_preproc.a
-#usr/lib/snort_dynamicpreprocessor/libsf_ftptelnet_preproc.la
-#usr/lib/snort_dynamicpreprocessor/libsf_ftptelnet_preproc.so
-#usr/lib/snort_dynamicpreprocessor/libsf_ftptelnet_preproc.so.0
-#usr/lib/snort_dynamicpreprocessor/libsf_ftptelnet_preproc.so.0.0.0
-#usr/lib/snort_dynamicpreprocessor/libsf_gtp_preproc.a
-#usr/lib/snort_dynamicpreprocessor/libsf_gtp_preproc.la
-#usr/lib/snort_dynamicpreprocessor/libsf_gtp_preproc.so
-#usr/lib/snort_dynamicpreprocessor/libsf_gtp_preproc.so.0
-#usr/lib/snort_dynamicpreprocessor/libsf_gtp_preproc.so.0.0.0
-#usr/lib/snort_dynamicpreprocessor/libsf_imap_preproc.a
-#usr/lib/snort_dynamicpreprocessor/libsf_imap_preproc.la
-#usr/lib/snort_dynamicpreprocessor/libsf_imap_preproc.so
-#usr/lib/snort_dynamicpreprocessor/libsf_imap_preproc.so.0
-#usr/lib/snort_dynamicpreprocessor/libsf_imap_preproc.so.0.0.0
-#usr/lib/snort_dynamicpreprocessor/libsf_modbus_preproc.a
-#usr/lib/snort_dynamicpreprocessor/libsf_modbus_preproc.la
-#usr/lib/snort_dynamicpreprocessor/libsf_modbus_preproc.so
-#usr/lib/snort_dynamicpreprocessor/libsf_modbus_preproc.so.0
-#usr/lib/snort_dynamicpreprocessor/libsf_modbus_preproc.so.0.0.0
-#usr/lib/snort_dynamicpreprocessor/libsf_pop_preproc.a
-#usr/lib/snort_dynamicpreprocessor/libsf_pop_preproc.la
-#usr/lib/snort_dynamicpreprocessor/libsf_pop_preproc.so
-#usr/lib/snort_dynamicpreprocessor/libsf_pop_preproc.so.0
-#usr/lib/snort_dynamicpreprocessor/libsf_pop_preproc.so.0.0.0
-#usr/lib/snort_dynamicpreprocessor/libsf_reputation_preproc.a
-#usr/lib/snort_dynamicpreprocessor/libsf_reputation_preproc.la
-#usr/lib/snort_dynamicpreprocessor/libsf_reputation_preproc.so
-#usr/lib/snort_dynamicpreprocessor/libsf_reputation_preproc.so.0
-#usr/lib/snort_dynamicpreprocessor/libsf_reputation_preproc.so.0.0.0
-#usr/lib/snort_dynamicpreprocessor/libsf_sdf_preproc.a
-#usr/lib/snort_dynamicpreprocessor/libsf_sdf_preproc.la
-#usr/lib/snort_dynamicpreprocessor/libsf_sdf_preproc.so
-#usr/lib/snort_dynamicpreprocessor/libsf_sdf_preproc.so.0
-#usr/lib/snort_dynamicpreprocessor/libsf_sdf_preproc.so.0.0.0
-#usr/lib/snort_dynamicpreprocessor/libsf_sip_preproc.a
-#usr/lib/snort_dynamicpreprocessor/libsf_sip_preproc.la
-#usr/lib/snort_dynamicpreprocessor/libsf_sip_preproc.so
-#usr/lib/snort_dynamicpreprocessor/libsf_sip_preproc.so.0
-#usr/lib/snort_dynamicpreprocessor/libsf_sip_preproc.so.0.0.0
-#usr/lib/snort_dynamicpreprocessor/libsf_smtp_preproc.a
-#usr/lib/snort_dynamicpreprocessor/libsf_smtp_preproc.la
-#usr/lib/snort_dynamicpreprocessor/libsf_smtp_preproc.so
-#usr/lib/snort_dynamicpreprocessor/libsf_smtp_preproc.so.0
-#usr/lib/snort_dynamicpreprocessor/libsf_smtp_preproc.so.0.0.0
-#usr/lib/snort_dynamicpreprocessor/libsf_ssh_preproc.a
-#usr/lib/snort_dynamicpreprocessor/libsf_ssh_preproc.la
-#usr/lib/snort_dynamicpreprocessor/libsf_ssh_preproc.so
-#usr/lib/snort_dynamicpreprocessor/libsf_ssh_preproc.so.0
-#usr/lib/snort_dynamicpreprocessor/libsf_ssh_preproc.so.0.0.0
-#usr/lib/snort_dynamicpreprocessor/libsf_ssl_preproc.a
-#usr/lib/snort_dynamicpreprocessor/libsf_ssl_preproc.la
-#usr/lib/snort_dynamicpreprocessor/libsf_ssl_preproc.so
-#usr/lib/snort_dynamicpreprocessor/libsf_ssl_preproc.so.0
-#usr/lib/snort_dynamicpreprocessor/libsf_ssl_preproc.so.0.0.0
-usr/sbin/snort
-#usr/share/doc/snort
-#usr/share/doc/snort/AUTHORS
-#usr/share/doc/snort/BUGS
-#usr/share/doc/snort/CREDITS
-#usr/share/doc/snort/INSTALL
-#usr/share/doc/snort/NEWS
-#usr/share/doc/snort/OpenDetectorDeveloperGuide.pdf
-#usr/share/doc/snort/PROBLEMS
-#usr/share/doc/snort/README
-#usr/share/doc/snort/README.GTP
-#usr/share/doc/snort/README.PLUGINS
-#usr/share/doc/snort/README.PerfProfiling
-#usr/share/doc/snort/README.SMTP
-#usr/share/doc/snort/README.UNSOCK
-#usr/share/doc/snort/README.WIN32
-#usr/share/doc/snort/README.active
-#usr/share/doc/snort/README.alert_order
-#usr/share/doc/snort/README.appid
-#usr/share/doc/snort/README.asn1
-#usr/share/doc/snort/README.counts
-#usr/share/doc/snort/README.csv
-#usr/share/doc/snort/README.daq
-#usr/share/doc/snort/README.dcerpc2
-#usr/share/doc/snort/README.decode
-#usr/share/doc/snort/README.decoder_preproc_rules
-#usr/share/doc/snort/README.dnp3
-#usr/share/doc/snort/README.dns
-#usr/share/doc/snort/README.event_queue
-#usr/share/doc/snort/README.file
-#usr/share/doc/snort/README.file_ips
-#usr/share/doc/snort/README.filters
-#usr/share/doc/snort/README.flowbits
-#usr/share/doc/snort/README.frag3
-#usr/share/doc/snort/README.ftptelnet
-#usr/share/doc/snort/README.gre
-#usr/share/doc/snort/README.ha
-#usr/share/doc/snort/README.http_inspect
-#usr/share/doc/snort/README.imap
-#usr/share/doc/snort/README.ipip
-#usr/share/doc/snort/README.ipv6
-#usr/share/doc/snort/README.modbus
-#usr/share/doc/snort/README.multipleconfigs
-#usr/share/doc/snort/README.normalize
-#usr/share/doc/snort/README.pcap_readmode
-#usr/share/doc/snort/README.pop
-#usr/share/doc/snort/README.ppm
-#usr/share/doc/snort/README.reload
-#usr/share/doc/snort/README.reputation
-#usr/share/doc/snort/README.sensitive_data
-#usr/share/doc/snort/README.sfportscan
-#usr/share/doc/snort/README.sip
-#usr/share/doc/snort/README.ssh
-#usr/share/doc/snort/README.ssl
-#usr/share/doc/snort/README.stream5
-#usr/share/doc/snort/README.tag
-#usr/share/doc/snort/README.thresholding
-#usr/share/doc/snort/README.u2boat
-#usr/share/doc/snort/README.unified2
-#usr/share/doc/snort/README.variables
-#usr/share/doc/snort/TODO
-#usr/share/doc/snort/USAGE
-#usr/share/doc/snort/WISHLIST
-#usr/share/doc/snort/generators
-#usr/share/man/man8/snort.8
-var/log/snort
usr/local/bin/timecheck
usr/local/bin/timezone-transition
usr/local/bin/update-lang-cache
+usr/local/bin/update-ids-ruleset
usr/local/bin/xt_geoip_build
usr/local/bin/xt_geoip_update
#usr/local/include
--- /dev/null
+etc/suricata
+etc/suricata/suricata.yaml
+usr/bin/suricata
+#usr/bin/suricatasc
+#usr/lib/python2.7/site-packages/suricatasc
+#usr/lib/python2.7/site-packages/suricatasc-0.9-py2.7.egg-info
+#usr/lib/python2.7/site-packages/suricatasc/__init__.py
+#usr/lib/python2.7/site-packages/suricatasc/__init__.pyc
+#usr/lib/python2.7/site-packages/suricatasc/suricatasc.py
+#usr/lib/python2.7/site-packages/suricatasc/suricatasc.pyc
+#usr/share/doc/suricata
+#usr/share/doc/suricata/AUTHORS
+#usr/share/doc/suricata/Basic_Setup.txt
+#usr/share/doc/suricata/CentOS5.txt
+#usr/share/doc/suricata/CentOS_56_Installation.txt
+#usr/share/doc/suricata/Debian_Installation.txt
+#usr/share/doc/suricata/Fedora_Core.txt
+#usr/share/doc/suricata/FreeBSD_8.txt
+#usr/share/doc/suricata/GITGUIDE
+#usr/share/doc/suricata/HTP_library_installation.txt
+#usr/share/doc/suricata/INSTALL
+#usr/share/doc/suricata/INSTALL.PF_RING
+#usr/share/doc/suricata/INSTALL.WINDOWS
+#usr/share/doc/suricata/Installation_from_GIT_with_PCRE-JIT.txt
+#usr/share/doc/suricata/Installation_from_GIT_with_PF_RING_on_Ubuntu_server_1104.txt
+#usr/share/doc/suricata/Installation_with_CUDA_and_PFRING_on_Scientific_Linux_6.txt
+#usr/share/doc/suricata/Installation_with_CUDA_and_PF_RING_on_Ubuntu_server_1104.txt
+#usr/share/doc/suricata/Installation_with_CUDA_on_Scientific_Linux_6.txt
+#usr/share/doc/suricata/Installation_with_CUDA_on_Ubuntu_server_1104.txt
+#usr/share/doc/suricata/Installation_with_PF_RING.txt
+#usr/share/doc/suricata/Mac_OS_X_106x.txt
+#usr/share/doc/suricata/NEWS
+#usr/share/doc/suricata/OpenBSD_Installation_from_GIT.txt
+#usr/share/doc/suricata/README
+#usr/share/doc/suricata/Setting_up_IPSinline_for_Linux.txt
+#usr/share/doc/suricata/TODO
+#usr/share/doc/suricata/Third_Party_Installation_Guides.txt
+#usr/share/doc/suricata/Ubuntu_Installation.txt
+#usr/share/doc/suricata/Ubuntu_Installation_from_GIT.txt
+#usr/share/doc/suricata/Windows.txt
+#usr/share/man/man1/suricata.1
+var/lib/suricata
+var/lib/suricata/classification.config
+var/lib/suricata/reference.config
+var/lib/suricata/threshold.config
+var/log/suricata
+#var/log/suricata/certs
+#var/log/suricata/files
etc/rc.d/init.d/networking/red.up/10-multicast
etc/rc.d/init.d/networking/red.up/10-static-routes
etc/rc.d/init.d/networking/red.up/20-firewall
-etc/rc.d/init.d/networking/red.up/23-RS-snort
+etc/rc.d/init.d/networking/red.up/23-RS-suricata
etc/rc.d/init.d/networking/red.up/24-RS-qos
etc/rc.d/init.d/networking/red.up/27-RS-squid
etc/rc.d/init.d/networking/red.up/30-ddns
etc/rc.d/init.d/sendsignals
etc/rc.d/init.d/setclock
etc/rc.d/init.d/smartenabler
-etc/rc.d/init.d/snort
etc/rc.d/init.d/squid
etc/rc.d/init.d/sshd
etc/rc.d/init.d/static-routes
+etc/rc.d/init.d/suricata
etc/rc.d/init.d/swap
etc/rc.d/init.d/sysctl
etc/rc.d/init.d/sysklogd
etc/rc.d/rc0.d/K47setclock
etc/rc.d/rc0.d/K49cyrus-sasl
etc/rc.d/rc0.d/K51vnstat
-etc/rc.d/rc0.d/K78snort
+etc/rc.d/rc0.d/K78suricata
etc/rc.d/rc0.d/K79leds
etc/rc.d/rc0.d/K79unbound
etc/rc.d/rc0.d/K80network
etc/rc.d/rc6.d/K47setclock
etc/rc.d/rc6.d/K49cyrus-sasl
etc/rc.d/rc6.d/K51vnstat
-etc/rc.d/rc6.d/K78snort
+etc/rc.d/rc6.d/K78suricata
etc/rc.d/rc6.d/K79leds
etc/rc.d/rc6.d/K79unbound
etc/rc.d/rc6.d/K80network
--- /dev/null
+#usr/include/yaml.h
+usr/lib/libyaml-0.so.2
+usr/lib/libyaml-0.so.2.0.5
+#usr/lib/libyaml.la
+#usr/lib/libyaml.so
+#usr/lib/pkgconfig/yaml-0.1.pc
--- /dev/null
+../../../common/ddns
\ No newline at end of file
+++ /dev/null
-###################################################
-# IPFire snort.conf
-#
-# some parts of this file are changed/updated by the webif
-###################################################
-# VERSIONS : 2.9.5.0
-
-include /etc/snort/vars
-
-###################################################
-# Step #1: Set the network variables. For more information, see README.variables
-###################################################
-
-# taken from /etc/snort vars
-#ipvar HOME_NET any
-
-# Set up the external network addresses. Leave as "any" in most situations
-ipvar EXTERNAL_NET any
-
-# List of DNS servers on your network
-#ipvar DNS_SERVERS $HOME_NET
-
-# List of SMTP servers on your network
-ipvar SMTP_SERVERS $HOME_NET
-
-# List of web servers on your network
-ipvar HTTP_SERVERS $HOME_NET
-
-# List of sql servers on your network
-ipvar SQL_SERVERS $HOME_NET
-
-# List of telnet servers on your network
-ipvar TELNET_SERVERS $HOME_NET
-
-# List of ssh servers on your network
-ipvar SSH_SERVERS $HOME_NET
-
-# List of ftp servers on your network
-ipvar FTP_SERVERS $HOME_NET
-
-# List of sip servers on your network
-ipvar SIP_SERVERS $HOME_NET
-
-# List of ports you run web servers on
-portvar HTTP_PORTS [80,81,82,83,84,85,86,87,88,89,311,383,444,591,593,631,901,1220,1414,1741,1830,2301,2381,2809,3037,3057,3128,3702,4343,4848,5250,6080,6988,7000,7001,7144,7145,7510,7777,7779,8000,8008,8014,8028,8080,8085,8088,8090,8118,8123,8180,8181,8222,8243,8280,8300,8500,8800,8888,8899,9000,9060,9080,9090,9091,9443,9999,11371,34443,34444,41080,50002,55555]
-
-# List of ports you want to look for SHELLCODE on.
-portvar SHELLCODE_PORTS !80
-
-# List of ports you might see oracle attacks on
-portvar ORACLE_PORTS 1024:
-
-# List of ports you want to look for SSH connections on:
-portvar SSH_PORTS [22,222]
-
-# List of ports you run ftp servers on
-portvar FTP_PORTS [21,2100,3535]
-
-# List of ports you run SIP servers on
-portvar SIP_PORTS [5060,5061,5600]
-
-# List of file data ports for file inspection
-portvar FILE_DATA_PORTS [$HTTP_PORTS,110,143]
-
-# List of GTP ports for GTP preprocessor
-portvar GTP_PORTS [2123,2152,3386]
-
-# other variables, these should not be modified
-ipvar AIM_SERVERS [64.12.24.0/23,64.12.28.0/23,64.12.161.0/24,64.12.163.0/24,64.12.200.0/24,205.188.3.0/24,205.188.5.0/24,205.188.7.0/24,205.188.9.0/24,205.188.153.0/24,205.188.179.0/24,205.188.248.0/24]
-
-# Path to your rules files (this can be a relative path)
-# Note for Windows users: You are advised to make this an absolute path,
-# such as: c:\snort\rules
-var RULE_PATH /etc/snort/rules
-var SO_RULE_PATH /etc/snort/so_rules
-var PREPROC_RULE_PATH /etc/snort/preproc_rules
-
-# If you are using reputation preprocessor set these
-# Currently there is a bug with relative paths, they are relative to where snort is
-# not relative to snort.conf like the above variables
-# This is completely inconsistent with how other vars work, BUG 89986
-# Set the absolute path appropriately
-var WHITE_LIST_PATH /etc/snort/rules
-var BLACK_LIST_PATH /etc/snort/rules
-
-
-###################################################
-# Step #2: Configure the decoder. For more information, see README.decode
-###################################################
-
-# Stop generic decode events:
-config disable_decode_alerts
-
-# Stop Alerts on experimental TCP options
-config disable_tcpopt_experimental_alerts
-
-# Stop Alerts on obsolete TCP options
-config disable_tcpopt_obsolete_alerts
-
-# Stop Alerts on T/TCP alerts
-# config disable_tcpopt_ttcp_alerts
-
-# Stop Alerts on all other TCPOption type events:
-config disable_tcpopt_alerts
-
-# Stop Alerts on invalid ip options
-# config disable_ipopt_alerts
-
-# Alert if value in length field (IP, TCP, UDP) is greater th elength of the packet
-# config enable_decode_oversized_alerts
-
-# Same as above, but drop packet if in Inline mode (requires enable_decode_oversized_alerts)
-# config enable_decode_oversized_drops
-
-# Configure IP / TCP checksum mode
-config checksum_mode: all
-
-# Configure maximum number of flowbit references. For more information, see README.flowbits
-# config flowbits_size: 64
-
-# Configure ports to ignore
-# config ignore_ports: tcp 21 6667:6671 1356
-# config ignore_ports: udp 1:17 53
-
-# Configure active response for non inline operation. For more information, see REAMDE.active
-# config response: eth0 attempts 2
-
-# Configure DAQ related options for inline operation. For more information, see README.daq
-#
-# config daq: <type>
-# config daq_dir: <dir>
-# config daq_mode: <mode>
-# config daq_var: <var>
-#
-# <type> ::= pcap | afpacket | dump | nfq | ipq | ipfw
-# <mode> ::= read-file | passive | inline
-# <var> ::= arbitrary <name>=<value passed to DAQ
-# <dir> ::= path as to where to look for DAQ module so's
-
-# Configure specific UID and GID to run snort as after dropping privs. For more information see snort -h command line options
-#
-# config set_gid:
-# config set_uid:
-
-# Configure default snaplen. Snort defaults to MTU of in use interface. For more information see README
-#
-# config snaplen:
-#
-
-# Configure default bpf_file to use for filtering what traffic reaches snort. For more information see snort -h command line options (-F)
-#
-# config bpf_file:
-#
-
-# Configure default log directory for snort to log to. For more information see snort -h command line options (-l)
-#
-# config logdir:
-
-
-###################################################
-# Step #3: Configure the base detection engine. For more information, see README.decode
-###################################################
-
-# Configure PCRE match limitations
-config pcre_match_limit: 3500
-config pcre_match_limit_recursion: 1500
-
-# Configure the detection engine See the Snort Manual, Configuring Snort - Includes - Config
-config detection: search-method ac-split search-optimize max-pattern-len 20
-
-# Configure the event queue. For more information, see README.event_queue
-config event_queue: max_queue 8 log 5 order_events content_length
-
-###################################################
-## Configure GTP if it is to be used.
-## For more information, see README.GTP
-####################################################
-
-# config enable_gtp
-
-###################################################
-# Per packet and rule latency enforcement
-# For more information see README.ppm
-###################################################
-
-# Per Packet latency configuration
-#config ppm: max-pkt-time 250, \
-# fastpath-expensive-packets, \
-# pkt-log
-
-# Per Rule latency configuration
-#config ppm: max-rule-time 200, \
-# threshold 3, \
-# suspend-expensive-rules, \
-# suspend-timeout 20, \
-# rule-log alert
-
-###################################################
-# Configure Perf Profiling for debugging
-# For more information see README.PerfProfiling
-###################################################
-
-#config profile_rules: print all, sort avg_ticks
-#config profile_preprocs: print all, sort avg_ticks
-
-###################################################
-# Configure protocol aware flushing
-# For more information see README.stream5
-###################################################
-config paf_max: 16000
-
-###################################################
-# Step #4: Configure dynamic loaded libraries.
-# For more information, see Snort Manual, Configuring Snort - Dynamic Modules
-###################################################
-
-# path to dynamic preprocessor libraries
-dynamicpreprocessor directory /usr/lib/snort_dynamicpreprocessor/
-
-# path to base preprocessor engine
-dynamicengine /usr/lib/snort_dynamicengine/libsf_engine.so
-
-# path to dynamic rules libraries
-# dynamicdetection directory /usr/local/lib/snort_dynamicrules
-
-
-###################################################
-# Step #5: Configure preprocessors
-# For more information, see the Snort Manual, Configuring Snort - Preprocessors
-###################################################
-
-# GTP Control Channle Preprocessor. For more information, see README.GTP
-# preprocessor gtp: ports { 2123 3386 2152 }
-
-# Inline packet normalization. For more information, see README.normalize
-# Does nothing in IDS mode
-preprocessor normalize_ip4
-preprocessor normalize_tcp: ips ecn stream
-preprocessor normalize_icmp4
-preprocessor normalize_ip6
-preprocessor normalize_icmp6
-
-# Target-based IP defragmentation. For more inforation, see README.frag3
-preprocessor frag3_global: max_frags 65536
-preprocessor frag3_engine: policy windows detect_anomalies overlap_limit 10 min_fragment_length 100 timeout 180
-
-# Target-Based stateful inspection/stream reassembly. For more inforation, see README.stream5
-preprocessor stream5_global: track_tcp yes, \
- track_udp yes, \
- track_icmp no, \
- max_tcp 262144, \
- max_udp 131072, \
- max_active_responses 2, \
- min_response_seconds 5
-preprocessor stream5_tcp: policy windows, detect_anomalies, require_3whs 180, \
- overlap_limit 10, small_segments 3 bytes 150, timeout 180, \
- ports client 21 22 23 25 42 53 70 79 109 110 111 113 119 135 136 137 139 143 \
- 161 222 445 513 514 587 593 691 1433 1521 1741 2100 3306 6070 6665 6666 6667 6668 6669 \
- 7000 8181 32770 32771 32772 32773 32774 32775 32776 32777 32778 32779, \
- ports both 80 81 82 83 84 85 86 87 88 89 110 311 383 443 444 465 563 591 593 631 636 901 989 992 993 994 995 1220 1414 1830 2301 2381 2809 3037 3057 3128 3702 4343 4848 5250 6080 6988 7907 7000 7001 7144 7145 7510 7802 7777 7779 \
- 7801 7900 7901 7902 7903 7904 7905 7906 7908 7909 7910 7911 7912 7913 7914 7915 7916 \
- 7917 7918 7919 7920 8000 8008 8014 8028 8080 8085 8088 8090 8118 8123 8180 8222 8243 8280 8300 8500 8800 8888 8899 9000 9060 9080 9090 9091 9443 9999 11371 34443 34444 41080 50002 55555
-preprocessor stream5_udp: timeout 180
-
-# performance statistics. For more information, see the Snort Manual, Configuring Snort - Preprocessors - Performance Monitor
-# preprocessor perfmonitor: time 300 file /var/snort/snort.stats pktcnt 10000
-
-# HTTP normalization and anomaly detection. For more information, see README.http_inspect
-preprocessor http_inspect: global iis_unicode_map unicode.map 1252 compress_depth 65535 decompress_depth 65535
-preprocessor http_inspect_server: server default \
- http_methods { GET POST PUT SEARCH MKCOL COPY MOVE LOCK UNLOCK NOTIFY POLL BCOPY BDELETE BMOVE LINK UNLINK OPTIONS HEAD DELETE TRACE TRACK CONNECT SOURCE SUBSCRIBE UNSUBSCRIBE PROPFIND PROPPATCH BPROPFIND BPROPPATCH RPC_CONNECT PROXY_SUCCESS BITS_POST CCM_POST SMS_POST RPC_IN_DATA RPC_OUT_DATA RPC_ECHO_DATA } \
- chunk_length 500000 \
- server_flow_depth 0 \
- client_flow_depth 0 \
- post_depth 65495 \
- oversize_dir_length 500 \
- max_header_length 750 \
- max_headers 100 \
- max_spaces 200 \
- small_chunk_length { 10 5 } \
- ports { 80 81 82 83 84 85 86 87 88 89 311 383 444 591 593 631 901 1220 1414 1741 1830 2301 2381 2809 3037 3057 3128 3702 4343 4848 5250 6080 6988 7000 7001 7144 7145 7510 7777 7779 8000 8008 8014 8028 8080 8085 8088 8090 8118 8123 8180 8181 8222 8243 8280 8300 8500 8800 8888 8899 9000 9060 9080 9090 9091 9443 9999 11371 34443 34444 41080 50002 55555 } \
- non_rfc_char { 0x00 0x01 0x02 0x03 0x04 0x05 0x06 0x07 } \
- enable_cookie \
- extended_response_inspection \
- inspect_gzip \
- normalize_utf \
- unlimited_decompress \
- normalize_javascript \
- apache_whitespace no \
- ascii no \
- bare_byte no \
- directory no \
- double_decode no \
- iis_backslash no \
- iis_delimiter no \
- iis_unicode no \
- multi_slash no \
- utf_8 no \
- u_encode yes \
- webroot no
-
-# ONC-RPC normalization and anomaly detection. For more information, see the Snort Manual, Configuring Snort - Preprocessors - RPC Decode
-preprocessor rpc_decode: 111 32770 32771 32772 32773 32774 32775 32776 32777 32778 32779 no_alert_multiple_requests no_alert_large_fragments no_alert_incomplete
-
-# Back Orifice detection.
-preprocessor bo
-
-# FTP / Telnet normalization and anomaly detection. For more information, see README.ftptelnet
-preprocessor ftp_telnet: global inspection_type stateful encrypted_traffic no check_encrypted
-preprocessor ftp_telnet_protocol: telnet \
- ayt_attack_thresh 20 \
- normalize ports { 23 } \
- detect_anomalies
-preprocessor ftp_telnet_protocol: ftp server default \
- def_max_param_len 100 \
- ports { 21 2100 3535 } \
- telnet_cmds yes \
- ignore_telnet_erase_cmds yes \
- ftp_cmds { ABOR ACCT ADAT ALLO APPE AUTH CCC CDUP } \
- ftp_cmds { CEL CLNT CMD CONF CWD DELE ENC EPRT } \
- ftp_cmds { EPSV ESTA ESTP FEAT HELP LANG LIST LPRT } \
- ftp_cmds { LPSV MACB MAIL MDTM MIC MKD MLSD MLST } \
- ftp_cmds { MODE NLST NOOP OPTS PASS PASV PBSZ PORT } \
- ftp_cmds { PROT PWD QUIT REIN REST RETR RMD RNFR } \
- ftp_cmds { RNTO SDUP SITE SIZE SMNT STAT STOR STOU } \
- ftp_cmds { STRU SYST TEST TYPE USER XCUP XCRC XCWD } \
- ftp_cmds { XMAS XMD5 XMKD XPWD XRCP XRMD XRSQ XSEM } \
- ftp_cmds { XSEN XSHA1 XSHA256 } \
- alt_max_param_len 0 { ABOR CCC CDUP ESTA FEAT LPSV NOOP PASV PWD QUIT REIN STOU SYST XCUP XPWD } \
- alt_max_param_len 200 { ALLO APPE CMD HELP NLST RETR RNFR STOR STOU XMKD } \
- alt_max_param_len 256 { CWD RNTO } \
- alt_max_param_len 400 { PORT } \
- alt_max_param_len 512 { SIZE } \
- chk_str_fmt { ACCT ADAT ALLO APPE AUTH CEL CLNT CMD } \
- chk_str_fmt { CONF CWD DELE ENC EPRT EPSV ESTP HELP } \
- chk_str_fmt { LANG LIST LPRT MACB MAIL MDTM MIC MKD } \
- chk_str_fmt { MLSD MLST MODE NLST OPTS PASS PBSZ PORT } \
- chk_str_fmt { PROT REST RETR RMD RNFR RNTO SDUP SITE } \
- chk_str_fmt { SIZE SMNT STAT STOR STRU TEST TYPE USER } \
- chk_str_fmt { XCRC XCWD XMAS XMD5 XMKD XRCP XRMD XRSQ } \
- chk_str_fmt { XSEM XSEN XSHA1 XSHA256 } \
- cmd_validity ALLO < int [ char R int ] > \
- cmd_validity EPSV < [ { char 12 | char A char L char L } ] > \
- cmd_validity MACB < string > \
- cmd_validity MDTM < [ date nnnnnnnnnnnnnn[.n[n[n]]] ] string > \
- cmd_validity MODE < char ASBCZ > \
- cmd_validity PORT < host_port > \
- cmd_validity PROT < char CSEP > \
- cmd_validity STRU < char FRPO [ string ] > \
- cmd_validity TYPE < { char AE [ char NTC ] | char I | char L [ number ] } >
-preprocessor ftp_telnet_protocol: ftp client default \
- max_resp_len 256 \
- bounce yes \
- ignore_telnet_erase_cmds yes \
- telnet_cmds yes
-
-
-# SMTP normalization and anomaly detection. For more information, see README.SMTP
-preprocessor smtp: ports { 25 465 587 691 } \
- inspection_type stateful \
- b64_decode_depth 0 \
- qp_decode_depth 0 \
- bitenc_decode_depth 0 \
- uu_decode_depth 0 \
- log_mailfrom \
- log_rcptto \
- log_filename \
- log_email_hdrs \
- normalize cmds \
- normalize_cmds { ATRN AUTH BDAT CHUNKING DATA DEBUG EHLO EMAL ESAM ESND ESOM ETRN EVFY } \
- normalize_cmds { EXPN HELO HELP IDENT MAIL NOOP ONEX QUEU QUIT RCPT RSET SAML SEND SOML } \
- normalize_cmds { STARTTLS TICK TIME TURN TURNME VERB VRFY X-ADAT X-DRCP X-ERCP X-EXCH50 } \
- normalize_cmds { X-EXPS X-LINK2STATE XADR XAUTH XCIR XEXCH50 XGEN XLICENSE XQUE XSTA XTRN XUSR } \
- max_command_line_len 512 \
- max_header_line_len 1000 \
- max_response_line_len 512 \
- alt_max_command_line_len 260 { MAIL } \
- alt_max_command_line_len 300 { RCPT } \
- alt_max_command_line_len 500 { HELP HELO ETRN EHLO } \
- alt_max_command_line_len 255 { EXPN VRFY ATRN SIZE BDAT DEBUG EMAL ESAM ESND ESOM EVFY IDENT NOOP RSET } \
- alt_max_command_line_len 246 { SEND SAML SOML AUTH TURN ETRN DATA RSET QUIT ONEX QUEU STARTTLS TICK TIME TURNME VERB X-EXPS X-LINK2STATE XADR XAUTH XCIR XEXCH50 XGEN XLICENSE XQUE XSTA XTRN XUSR } \
- valid_cmds { ATRN AUTH BDAT CHUNKING DATA DEBUG EHLO EMAL ESAM ESND ESOM ETRN EVFY } \
- valid_cmds { EXPN HELO HELP IDENT MAIL NOOP ONEX QUEU QUIT RCPT RSET SAML SEND SOML } \
- valid_cmds { STARTTLS TICK TIME TURN TURNME VERB VRFY X-ADAT X-DRCP X-ERCP X-EXCH50 } \
- valid_cmds { X-EXPS X-LINK2STATE XADR XAUTH XCIR XEXCH50 XGEN XLICENSE XQUE XSTA XTRN XUSR } \
- xlink2state { enabled }
-
-# Portscan detection. For more information, see README.sfportscan
-preprocessor sfportscan: proto { all } memcap { 10000000 } sense_level { medium }
-
-# ARP spoof detection. For more information, see the Snort Manual - Configuring Snort - Preprocessors - ARP Spoof Preprocessor
-# preprocessor arpspoof
-# preprocessor arpspoof_detect_host: 192.168.40.1 f0:0f:00:f0:0f:00
-
-# SSH anomaly detection. For more information, see README.ssh
-preprocessor ssh: server_ports { 22 222 } \
- autodetect \
- max_client_bytes 19600 \
- max_encrypted_packets 20 \
- max_server_version_len 100 \
- enable_respoverflow enable_ssh1crc32 \
- enable_srvoverflow enable_protomismatch
-
-# SMB / DCE-RPC normalization and anomaly detection. For more information, see README.dcerpc2
-preprocessor dcerpc2: memcap 102400, events [co ]
-preprocessor dcerpc2_server: default, policy WinXP, \
- detect [smb [139,445], tcp 135, udp 135, rpc-over-http-server 593], \
- autodetect [tcp 1025:, udp 1025:, rpc-over-http-server 1025:], \
- smb_max_chain 3, smb_invalid_shares ["C$", "D$", "ADMIN$"]
-
-# DNS anomaly detection. For more information, see README.dns
-preprocessor dns: ports { 53 } enable_rdata_overflow
-
-# SSL anomaly detection and traffic bypass. For more information, see README.ssl
-preprocessor ssl: ports { 443 444 465 563 636 989 992 993 994 995 7801 7802 7900 7901 7902 7903 7904 7905 7906 7907 7908 7909 7910 7911 7912 7913 7914 7915 7916 7917 7918 7919 7920 }, trustservers, noinspect_encrypted
-
-# SDF sensitive data preprocessor. For more information see README.sensitive_data
-preprocessor sensitive_data: alert_threshold 25
-
-# SIP Session Initiation Protocol preprocessor. For more information see README.sip
-preprocessor sip: max_sessions 40000, \
- ports { 5060 5061 5600 }, \
- methods { invite \
- cancel \
- ack \
- bye \
- register \
- options \
- refer \
- subscribe \
- update \
- join \
- info \
- message \
- notify \
- benotify \
- do \
- qauth \
- sprack \
- publish \
- service \
- unsubscribe \
- prack }, \
- max_uri_len 512, \
- max_call_id_len 80, \
- max_requestName_len 20, \
- max_from_len 256, \
- max_to_len 256, \
- max_via_len 1024, \
- max_contact_len 512, \
- max_content_len 2048
-
-# IMAP preprocessor. For more information see README.imap
-preprocessor imap: \
- ports { 143 } \
- b64_decode_depth 0 \
- qp_decode_depth 0 \
- bitenc_decode_depth 0 \
- uu_decode_depth 0
-
-# POP preprocessor. For more information see README.pop
-preprocessor pop: \
- ports { 110 } \
- b64_decode_depth 0 \
- qp_decode_depth 0 \
- bitenc_decode_depth 0 \
- uu_decode_depth 0
-
-# Modbus preprocessor. For more information see README.modbus
-preprocessor modbus: ports { 502 }
-
-# DNP3 preprocessor. For more information see README.dnp3
-preprocessor dnp3: ports { 20000 } \
- memcap 262144 \
- check_crc
-
-# Reputation preprocessor. For more information see README.reputation
-#preprocessor reputation: \
-# memcap 500, \
-# priority whitelist, \
-# nested_ip inner, \
-# whitelist $WHITE_LIST_PATH/white_list.rules, \
-# blacklist $BLACK_LIST_PATH/black_list.rules
-
-
-###################################################
-# Step #6: Configure output plugins
-# For more information, see Snort Manual, Configuring Snort - Output Modules
-###################################################
-
-# unified2
-# Recommended for most installs
-# output unified2: filename merged.log, limit 128, nostamp, mpls_event_types, vlan_event_types
-
-# Additional configuration for specific types of installs
-# output alert_unified2: filename snort.alert, limit 128, nostamp
-# output log_unified2: filename snort.log, limit 128, nostamp
-
-# syslog
-# output alert_syslog: LOG_AUTH LOG_ALERT
-
-# pcap
-# output log_tcpdump: tcpdump.log
-
-# database
-# output database: alert, <db_type>, user=<username> password=<password> test dbname=<name> host=<hostname>
-# output database: log, <db_type>, user=<username> password=<password> test dbname=<name> host=<hostname>
-
-# prelude
-# output alert_prelude
-
-# metadata reference data. do not modify these lines
-include /etc/snort/rules/classification.config
-include /etc/snort/rules/reference.config
-
-
-###################################################
-# Step #7: Customize your rule set
-# For more information, see Snort Manual, Writing Snort Rules
-###################################################
-
-#
-# site specific rules
-#
--- /dev/null
+# Ruleset for registered sourcefire users.
+registered = https://www.snort.org/downloads/registered/snortrules-snapshot-29111.tar.gz?oinkcode=<oinkcode>
+
+# Ruleset for registered sourcefire users with valid subscription.
+subscripted = https://www.snort.org/downloads/registered/snortrules-snapshot-29111.tar.gz?oinkcode=<oinkcode>
+
+# Community rules from sourcefire.
+community = https://www.snort.org/downloads/community/community-rules.tar.gz
+
+# Emerging threads community rules.
+emerging = https://rules.emergingthreats.net/open/suricata-4.0/emerging.rules.tar.gz
--- /dev/null
+%YAML 1.1
+---
+
+##
+## IPFire specific configuration file - an untouched example configuration
+## can be found in suricata-example.yaml.
+##
+
+vars:
+ address-groups:
+ # Include HOME_NET declaration from external file.
+ include: /var/ipfire/suricata/suricata-homenet.yaml
+
+ EXTERNAL_NET: "!$HOME_NET"
+ #EXTERNAL_NET: "any"
+
+ HTTP_SERVERS: "$HOME_NET"
+ SMTP_SERVERS: "$HOME_NET"
+ SQL_SERVERS: "$HOME_NET"
+ DNS_SERVERS: "$HOME_NET"
+ TELNET_SERVERS: "$HOME_NET"
+ AIM_SERVERS: "$EXTERNAL_NET"
+ DNP3_SERVER: "$HOME_NET"
+ DNP3_CLIENT: "$HOME_NET"
+ MODBUS_CLIENT: "$HOME_NET"
+ MODBUS_SERVER: "$HOME_NET"
+ ENIP_CLIENT: "$HOME_NET"
+ ENIP_SERVER: "$HOME_NET"
+
+ port-groups:
+ HTTP_PORTS: "80"
+ SHELLCODE_PORTS: "!80"
+ ORACLE_PORTS: 1521
+ SSH_PORTS: 22
+ DNP3_PORTS: 20000
+ MODBUS_PORTS: 502
+ FILE_DATA_PORTS: "[$HTTP_PORTS,110,143]"
+ FTP_PORTS: 21
+
+##
+## Ruleset specific options.
+##
+default-rule-path: /var/lib/suricata
+rule-files:
+ # Include enabled ruleset files from external file.
+ include: /var/ipfire/suricata/suricata-used-rulefiles.yaml
+
+classification-file: /var/lib/suricata/classification.config
+reference-config-file: /var/lib/suricata/reference.config
+threshold-file: /var/lib/suricata/threshold.config
+
+
+##
+## Logging options.
+##
+default-log-dir: /var/log/suricata/
+
+# global stats configuration
+stats:
+ enabled: yes
+ # The interval field (in seconds) controls at what interval
+ # the loggers are invoked.
+ interval: 8
+
+# Configure the type of alert (and other) logging you would like.
+outputs:
+ # a line based alerts log similar to Snort's fast.log
+ - fast:
+ enabled: yes
+ filename: fast.log
+ append: yes
+ #filetype: regular # 'regular', 'unix_stream' or 'unix_dgram'
+
+ # Stats.log contains data from various counters of the suricata engine.
+ - stats:
+ enabled: yes
+ filename: stats.log
+ append: no # append to file (yes) or overwrite it (no)
+ totals: yes # stats for all threads merged together
+ threads: no # per thread stats
+ #null-values: yes # print counters that have value 0
+
+logging:
+ # The default log level, can be overridden in an output section.
+ # Note that debug level logging will only be emitted if Suricata was
+ # compiled with the --enable-debug configure option.
+ #
+ # This value is overriden by the SC_LOG_LEVEL env var.
+ default-log-level: notice
+
+ # A regex to filter output. Can be overridden in an output section.
+ # Defaults to empty (no filter).
+ #
+ # This value is overriden by the SC_LOG_OP_FILTER env var.
+ default-output-filter:
+
+ # Define your logging outputs. If none are defined, or they are all
+ # disabled you will get the default - console output.
+ outputs:
+ - console:
+ enabled: no
+ # type: json
+ - file:
+ enabled: no
+ level: info
+ filename: /var/log/suricata/suricata.log
+ # type: json
+ - syslog:
+ enabled: yes
+ facility: local5
+ format: "[%i] <%d> -- "
+ # type: json
+
+##
+## Netfilter configuration
+##
+
+nfq:
+ mode: repeat
+ repeat-mark: 1
+ repeat-mask: 1
+ bypass-mark: 1
+ bypass-mask: 1
+# route-queue: 2
+# batchcount: 20
+ fail-open: yes
+
+##
+## Step 5: App Layer Protocol Configuration
+##
+
+# Configure the app-layer parsers. The protocols section details each
+# protocol.
+#
+# The option "enabled" takes 3 values - "yes", "no", "detection-only".
+# "yes" enables both detection and the parser, "no" disables both, and
+# "detection-only" enables protocol detection only (parser disabled).
+app-layer:
+ protocols:
+ tls:
+ enabled: yes
+ detection-ports:
+ dp: 443
+
+ # Completely stop processing TLS/SSL session after the handshake
+ # completed. If bypass is enabled this will also trigger flow
+ # bypass. If disabled (the default), TLS/SSL session is still
+ # tracked for Heartbleed and other anomalies.
+ #no-reassemble: yes
+ dcerpc:
+ enabled: yes
+ ftp:
+ enabled: yes
+ ssh:
+ enabled: yes
+ smtp:
+ enabled: yes
+ # Configure SMTP-MIME Decoder
+ mime:
+ # Decode MIME messages from SMTP transactions
+ # (may be resource intensive)
+ # This field supercedes all others because it turns the entire
+ # process on or off
+ decode-mime: yes
+
+ # Decode MIME entity bodies (ie. base64, quoted-printable, etc.)
+ decode-base64: yes
+ decode-quoted-printable: yes
+
+ # Maximum bytes per header data value stored in the data structure
+ # (default is 2000)
+ header-value-depth: 2000
+
+ # Extract URLs and save in state data structure
+ extract-urls: yes
+ # Set to yes to compute the md5 of the mail body. You will then
+ # be able to journalize it.
+ body-md5: no
+ # Configure inspected-tracker for file_data keyword
+ inspected-tracker:
+ content-limit: 100000
+ content-inspect-min-size: 32768
+ content-inspect-window: 4096
+ imap:
+ enabled: detection-only
+ msn:
+ enabled: detection-only
+ smb:
+ enabled: yes
+ detection-ports:
+ dp: 139, 445
+ # smb2 detection is disabled internally inside the engine.
+ #smb2:
+ # enabled: yes
+ # Note: NFS parser depends on Rust support: pass --enable-rust
+ # to configure.
+ nfs:
+ enabled: no
+ dns:
+ # memcaps. Globally and per flow/state.
+ #global-memcap: 16mb
+ #state-memcap: 512kb
+
+ # How many unreplied DNS requests are considered a flood.
+ # If the limit is reached, app-layer-event:dns.flooded; will match.
+ #request-flood: 500
+
+ tcp:
+ enabled: yes
+ detection-ports:
+ dp: 53
+ udp:
+ enabled: yes
+ detection-ports:
+ dp: 53
+ http:
+ enabled: yes
+ # memcap: 64mb
+
+ # default-config: Used when no server-config matches
+ # personality: List of personalities used by default
+ # request-body-limit: Limit reassembly of request body for inspection
+ # by http_client_body & pcre /P option.
+ # response-body-limit: Limit reassembly of response body for inspection
+ # by file_data, http_server_body & pcre /Q option.
+ # double-decode-path: Double decode path section of the URI
+ # double-decode-query: Double decode query section of the URI
+ # response-body-decompress-layer-limit:
+ # Limit to how many layers of compression will be
+ # decompressed. Defaults to 2.
+ #
+ # server-config: List of server configurations to use if address matches
+ # address: List of ip addresses or networks for this block
+ # personalitiy: List of personalities used by this block
+ # request-body-limit: Limit reassembly of request body for inspection
+ # by http_client_body & pcre /P option.
+ # response-body-limit: Limit reassembly of response body for inspection
+ # by file_data, http_server_body & pcre /Q option.
+ # double-decode-path: Double decode path section of the URI
+ # double-decode-query: Double decode query section of the URI
+ #
+ # uri-include-all: Include all parts of the URI. By default the
+ # 'scheme', username/password, hostname and port
+ # are excluded. Setting this option to true adds
+ # all of them to the normalized uri as inspected
+ # by http_uri, urilen, pcre with /U and the other
+ # keywords that inspect the normalized uri.
+ # Note that this does not affect http_raw_uri.
+ # Also, note that including all was the default in
+ # 1.4 and 2.0beta1.
+ #
+ # meta-field-limit: Hard size limit for request and response size
+ # limits. Applies to request line and headers,
+ # response line and headers. Does not apply to
+ # request or response bodies. Default is 18k.
+ # If this limit is reached an event is raised.
+ #
+ # Currently Available Personalities:
+ # Minimal, Generic, IDS (default), IIS_4_0, IIS_5_0, IIS_5_1, IIS_6_0,
+ # IIS_7_0, IIS_7_5, Apache_2
+ libhtp:
+ default-config:
+ personality: IDS
+
+ # Can be specified in kb, mb, gb. Just a number indicates
+ # it's in bytes.
+ request-body-limit: 100kb
+ response-body-limit: 100kb
+
+ # inspection limits
+ request-body-minimal-inspect-size: 32kb
+ request-body-inspect-window: 4kb
+ response-body-minimal-inspect-size: 40kb
+ response-body-inspect-window: 16kb
+
+ # response body decompression (0 disables)
+ response-body-decompress-layer-limit: 2
+
+ # auto will use http-body-inline mode in IPS mode, yes or no set it statically
+ http-body-inline: auto
+
+ # Take a random value for inspection sizes around the specified value.
+ # This lower the risk of some evasion technics but could lead
+ # detection change between runs. It is set to 'yes' by default.
+ #randomize-inspection-sizes: yes
+ # If randomize-inspection-sizes is active, the value of various
+ # inspection size will be choosen in the [1 - range%, 1 + range%]
+ # range
+ # Default value of randomize-inspection-range is 10.
+ #randomize-inspection-range: 10
+
+ # decoding
+ double-decode-path: no
+ double-decode-query: no
+
+ server-config:
+
+ #- apache:
+ # address: [192.168.1.0/24, 127.0.0.0/8, "::1"]
+ # personality: Apache_2
+ # # Can be specified in kb, mb, gb. Just a number indicates
+ # # it's in bytes.
+ # request-body-limit: 4096
+ # response-body-limit: 4096
+ # double-decode-path: no
+ # double-decode-query: no
+
+ #- iis7:
+ # address:
+ # - 192.168.0.0/24
+ # - 192.168.10.0/24
+ # personality: IIS_7_0
+ # # Can be specified in kb, mb, gb. Just a number indicates
+ # # it's in bytes.
+ # request-body-limit: 4096
+ # response-body-limit: 4096
+ # double-decode-path: no
+ # double-decode-query: no
+
+ # Note: Modbus probe parser is minimalist due to the poor significant field
+ # Only Modbus message length (greater than Modbus header length)
+ # And Protocol ID (equal to 0) are checked in probing parser
+ # It is important to enable detection port and define Modbus port
+ # to avoid false positive
+ modbus:
+ # How many unreplied Modbus requests are considered a flood.
+ # If the limit is reached, app-layer-event:modbus.flooded; will match.
+ #request-flood: 500
+
+ enabled: no
+ detection-ports:
+ dp: 502
+ # According to MODBUS Messaging on TCP/IP Implementation Guide V1.0b, it
+ # is recommended to keep the TCP connection opened with a remote device
+ # and not to open and close it for each MODBUS/TCP transaction. In that
+ # case, it is important to set the depth of the stream reassembling as
+ # unlimited (stream.reassembly.depth: 0)
+
+ # Stream reassembly size for modbus. By default track it completely.
+ stream-depth: 0
+
+ # DNP3
+ dnp3:
+ enabled: no
+ detection-ports:
+ dp: 20000
+
+ # SCADA EtherNet/IP and CIP protocol support
+ enip:
+ enabled: no
+ detection-ports:
+ dp: 44818
+ sp: 44818
+
+ # Note: parser depends on experimental Rust support
+ # with --enable-rust-experimental passed to configure
+ ntp:
+ enabled: no
+
+# Limit for the maximum number of asn1 frames to decode (default 256)
+asn1-max-frames: 256
+
+
+##############################################################################
+##
+## Advanced settings below
+##
+##############################################################################
+
+##
+## Run Options
+##
+
+# Run suricata as user and group.
+#run-as:
+# user: suri
+# group: suri
+
+# Some logging module will use that name in event as identifier. The default
+# value is the hostname
+#sensor-name: suricata
+
+# Default location of the pid file. The pid file is only used in
+# daemon mode (start Suricata with -D). If not running in daemon mode
+# the --pidfile command line option must be used to create a pid file.
+#pid-file: /var/run/suricata.pid
+
+# Daemon working directory
+# Suricata will change directory to this one if provided
+# Default: "/"
+#daemon-directory: "/"
+
+# Suricata core dump configuration. Limits the size of the core dump file to
+# approximately max-dump. The actual core dump size will be a multiple of the
+# page size. Core dumps that would be larger than max-dump are truncated. On
+# Linux, the actual core dump size may be a few pages larger than max-dump.
+# Setting max-dump to 0 disables core dumping.
+# Setting max-dump to 'unlimited' will give the full core dump file.
+# On 32-bit Linux, a max-dump value >= ULONG_MAX may cause the core dump size
+# to be 'unlimited'.
+
+coredump:
+ max-dump: unlimited
+
+# If suricata box is a router for the sniffed networks, set it to 'router'. If
+# it is a pure sniffing setup, set it to 'sniffer-only'.
+# If set to auto, the variable is internally switch to 'router' in IPS mode
+# and 'sniffer-only' in IDS mode.
+# This feature is currently only used by the reject* keywords.
+host-mode: auto
+
+# Number of packets preallocated per thread. The default is 1024. A higher number
+# will make sure each CPU will be more easily kept busy, but may negatively
+# impact caching.
+#
+# If you are using the CUDA pattern matcher (mpm-algo: ac-cuda), different rules
+# apply. In that case try something like 60000 or more. This is because the CUDA
+# pattern matcher buffers and scans as many packets as possible in parallel.
+#max-pending-packets: 1024
+
+# Runmode the engine should use. Please check --list-runmodes to get the available
+# runmodes for each packet acquisition method. Defaults to "autofp" (auto flow pinned
+# load balancing).
+#runmode: autofp
+
+# Specifies the kind of flow load balancer used by the flow pinned autofp mode.
+#
+# Supported schedulers are:
+#
+# round-robin - Flows assigned to threads in a round robin fashion.
+# active-packets - Flows assigned to threads that have the lowest number of
+# unprocessed packets (default).
+# hash - Flow alloted usihng the address hash. More of a random
+# technique. Was the default in Suricata 1.2.1 and older.
+#
+#autofp-scheduler: active-packets
+
+# Preallocated size for packet. Default is 1514 which is the classical
+# size for pcap on ethernet. You should adjust this value to the highest
+# packet size (MTU + hardware header) on your system.
+#default-packet-size: 1514
+
+# Unix command socket can be used to pass commands to suricata.
+# An external tool can then connect to get information from suricata
+# or trigger some modifications of the engine. Set enabled to yes
+# to activate the feature. In auto mode, the feature will only be
+# activated in live capture mode. You can use the filename variable to set
+# the file name of the socket.
+unix-command:
+ enabled: no
+ #filename: custom.socket
+
+# Magic file. The extension .mgc is added to the value here.
+#magic-file: /usr/share/file/magic
+#magic-file:
+
+legacy:
+ uricontent: enabled
+
+##
+## Detection settings
+##
+
+# Set the order of alerts bassed on actions
+# The default order is pass, drop, reject, alert
+# action-order:
+# - pass
+# - drop
+# - reject
+# - alert
+
+# IP Reputation
+#reputation-categories-file: /etc/suricata/iprep/categories.txt
+#default-reputation-path: /etc/suricata/iprep
+#reputation-files:
+# - reputation.list
+
+# When run with the option --engine-analysis, the engine will read each of
+# the parameters below, and print reports for each of the enabled sections
+# and exit. The reports are printed to a file in the default log dir
+# given by the parameter "default-log-dir", with engine reporting
+# subsection below printing reports in its own report file.
+engine-analysis:
+ # enables printing reports for fast-pattern for every rule.
+ rules-fast-pattern: yes
+ # enables printing reports for each rule
+ rules: yes
+
+#recursion and match limits for PCRE where supported
+pcre:
+ match-limit: 3500
+ match-limit-recursion: 1500
+
+##
+## Advanced Traffic Tracking and Reconstruction Settings
+##
+
+# Host specific policies for defragmentation and TCP stream
+# reassembly. The host OS lookup is done using a radix tree, just
+# like a routing table so the most specific entry matches.
+host-os-policy:
+ # Make the default policy windows.
+ windows: [0.0.0.0/0]
+ bsd: []
+ bsd-right: []
+ old-linux: []
+ linux: []
+ old-solaris: []
+ solaris: []
+ hpux10: []
+ hpux11: []
+ irix: []
+ macos: []
+ vista: []
+ windows2k3: []
+
+# Defrag settings:
+
+defrag:
+ memcap: 32mb
+ hash-size: 65536
+ trackers: 65535 # number of defragmented flows to follow
+ max-frags: 65535 # number of fragments to keep (higher than trackers)
+ prealloc: yes
+ timeout: 60
+
+# Enable defrag per host settings
+# host-config:
+#
+# - dmz:
+# timeout: 30
+# address: [192.168.1.0/24, 127.0.0.0/8, 1.1.1.0/24, 2.2.2.0/24, "1.1.1.1", "2.2.2.2", "::1"]
+#
+# - lan:
+# timeout: 45
+# address:
+# - 192.168.0.0/24
+# - 192.168.10.0/24
+# - 172.16.14.0/24
+
+# Flow settings:
+# By default, the reserved memory (memcap) for flows is 32MB. This is the limit
+# for flow allocation inside the engine. You can change this value to allow
+# more memory usage for flows.
+# The hash-size determine the size of the hash used to identify flows inside
+# the engine, and by default the value is 65536.
+# At the startup, the engine can preallocate a number of flows, to get a better
+# performance. The number of flows preallocated is 10000 by default.
+# emergency-recovery is the percentage of flows that the engine need to
+# prune before unsetting the emergency state. The emergency state is activated
+# when the memcap limit is reached, allowing to create new flows, but
+# prunning them with the emergency timeouts (they are defined below).
+# If the memcap is reached, the engine will try to prune flows
+# with the default timeouts. If it doens't find a flow to prune, it will set
+# the emergency bit and it will try again with more agressive timeouts.
+# If that doesn't work, then it will try to kill the last time seen flows
+# not in use.
+# The memcap can be specified in kb, mb, gb. Just a number indicates it's
+# in bytes.
+
+flow:
+ memcap: 128mb
+ hash-size: 65536
+ prealloc: 10000
+ emergency-recovery: 30
+ #managers: 1 # default to one flow manager
+ #recyclers: 1 # default to one flow recycler thread
+
+# This option controls the use of vlan ids in the flow (and defrag)
+# hashing. Normally this should be enabled, but in some (broken)
+# setups where both sides of a flow are not tagged with the same vlan
+# tag, we can ignore the vlan id's in the flow hashing.
+vlan:
+ use-for-tracking: true
+
+# Specific timeouts for flows. Here you can specify the timeouts that the
+# active flows will wait to transit from the current state to another, on each
+# protocol. The value of "new" determine the seconds to wait after a hanshake or
+# stream startup before the engine free the data of that flow it doesn't
+# change the state to established (usually if we don't receive more packets
+# of that flow). The value of "established" is the amount of
+# seconds that the engine will wait to free the flow if it spend that amount
+# without receiving new packets or closing the connection. "closed" is the
+# amount of time to wait after a flow is closed (usually zero). "bypassed"
+# timeout controls locally bypassed flows. For these flows we don't do any other
+# tracking. If no packets have been seen after this timeout, the flow is discarded.
+#
+# There's an emergency mode that will become active under attack circumstances,
+# making the engine to check flow status faster. This configuration variables
+# use the prefix "emergency-" and work similar as the normal ones.
+# Some timeouts doesn't apply to all the protocols, like "closed", for udp and
+# icmp.
+
+flow-timeouts:
+
+ default:
+ new: 30
+ established: 300
+ closed: 0
+ bypassed: 100
+ emergency-new: 10
+ emergency-established: 100
+ emergency-closed: 0
+ emergency-bypassed: 50
+ tcp:
+ new: 60
+ established: 600
+ closed: 60
+ bypassed: 100
+ emergency-new: 5
+ emergency-established: 100
+ emergency-closed: 10
+ emergency-bypassed: 50
+ udp:
+ new: 30
+ established: 300
+ bypassed: 100
+ emergency-new: 10
+ emergency-established: 100
+ emergency-bypassed: 50
+ icmp:
+ new: 30
+ established: 300
+ bypassed: 100
+ emergency-new: 10
+ emergency-established: 100
+ emergency-bypassed: 50
+
+# Stream engine settings. Here the TCP stream tracking and reassembly
+# engine is configured.
+#
+# stream:
+# memcap: 32mb # Can be specified in kb, mb, gb. Just a
+# # number indicates it's in bytes.
+# checksum-validation: yes # To validate the checksum of received
+# # packet. If csum validation is specified as
+# # "yes", then packet with invalid csum will not
+# # be processed by the engine stream/app layer.
+# # Warning: locally generated trafic can be
+# # generated without checksum due to hardware offload
+# # of checksum. You can control the handling of checksum
+# # on a per-interface basis via the 'checksum-checks'
+# # option
+# prealloc-sessions: 2k # 2k sessions prealloc'd per stream thread
+# midstream: false # don't allow midstream session pickups
+# async-oneside: false # don't enable async stream handling
+# inline: no # stream inline mode
+# drop-invalid: yes # in inline mode, drop packets that are invalid with regards to streaming engine
+# max-synack-queued: 5 # Max different SYN/ACKs to queue
+# bypass: no # Bypass packets when stream.depth is reached
+#
+# reassembly:
+# memcap: 64mb # Can be specified in kb, mb, gb. Just a number
+# # indicates it's in bytes.
+# depth: 1mb # Can be specified in kb, mb, gb. Just a number
+# # indicates it's in bytes.
+# toserver-chunk-size: 2560 # inspect raw stream in chunks of at least
+# # this size. Can be specified in kb, mb,
+# # gb. Just a number indicates it's in bytes.
+# toclient-chunk-size: 2560 # inspect raw stream in chunks of at least
+# # this size. Can be specified in kb, mb,
+# # gb. Just a number indicates it's in bytes.
+# randomize-chunk-size: yes # Take a random value for chunk size around the specified value.
+# # This lower the risk of some evasion technics but could lead
+# # detection change between runs. It is set to 'yes' by default.
+# randomize-chunk-range: 10 # If randomize-chunk-size is active, the value of chunk-size is
+# # a random value between (1 - randomize-chunk-range/100)*toserver-chunk-size
+# # and (1 + randomize-chunk-range/100)*toserver-chunk-size and the same
+# # calculation for toclient-chunk-size.
+# # Default value of randomize-chunk-range is 10.
+#
+# raw: yes # 'Raw' reassembly enabled or disabled.
+# # raw is for content inspection by detection
+# # engine.
+#
+# segment-prealloc: 2048 # number of segments preallocated per thread
+#
+# check-overlap-different-data: true|false
+# # check if a segment contains different data
+# # than what we've already seen for that
+# # position in the stream.
+# # This is enabled automatically if inline mode
+# # is used or when stream-event:reassembly_overlap_different_data;
+# # is used in a rule.
+#
+stream:
+ memcap: 64mb
+ checksum-validation: yes # reject wrong csums
+ inline: auto # auto will use inline mode in IPS mode, yes or no set it statically
+ reassembly:
+ memcap: 256mb
+ depth: 1mb # reassemble 1mb into a stream
+ toserver-chunk-size: 2560
+ toclient-chunk-size: 2560
+ randomize-chunk-size: yes
+ #randomize-chunk-range: 10
+ #raw: yes
+ #segment-prealloc: 2048
+ #check-overlap-different-data: true
+
+# Host table:
+#
+# Host table is used by tagging and per host thresholding subsystems.
+#
+host:
+ hash-size: 4096
+ prealloc: 1000
+ memcap: 32mb
+
+# IP Pair table:
+#
+# Used by xbits 'ippair' tracking.
+#
+#ippair:
+# hash-size: 4096
+# prealloc: 1000
+# memcap: 32mb
+
+# Decoder settings
+
+decoder:
+ # Teredo decoder is known to not be completely accurate
+ # it will sometimes detect non-teredo as teredo.
+ teredo:
+ enabled: true
+
+
+##
+## Performance tuning and profiling
+##
+
+# The detection engine builds internal groups of signatures. The engine
+# allow us to specify the profile to use for them, to manage memory on an
+# efficient way keeping a good performance. For the profile keyword you
+# can use the words "low", "medium", "high" or "custom". If you use custom
+# make sure to define the values at "- custom-values" as your convenience.
+# Usually you would prefer medium/high/low.
+#
+# "sgh mpm-context", indicates how the staging should allot mpm contexts for
+# the signature groups. "single" indicates the use of a single context for
+# all the signature group heads. "full" indicates a mpm-context for each
+# group head. "auto" lets the engine decide the distribution of contexts
+# based on the information the engine gathers on the patterns from each
+# group head.
+#
+# The option inspection-recursion-limit is used to limit the recursive calls
+# in the content inspection code. For certain payload-sig combinations, we
+# might end up taking too much time in the content inspection code.
+# If the argument specified is 0, the engine uses an internally defined
+# default limit. On not specifying a value, we use no limits on the recursion.
+detect:
+ profile: medium
+ custom-values:
+ toclient-groups: 3
+ toserver-groups: 25
+ sgh-mpm-context: auto
+ inspection-recursion-limit: 3000
+ # If set to yes, the loading of signatures will be made after the capture
+ # is started. This will limit the downtime in IPS mode.
+ #delayed-detect: yes
+
+ prefilter:
+ # default prefiltering setting. "mpm" only creates MPM/fast_pattern
+ # engines. "auto" also sets up prefilter engines for other keywords.
+ # Use --list-keywords=all to see which keywords support prefiltering.
+ default: mpm
+
+ # the grouping values above control how many groups are created per
+ # direction. Port whitelisting forces that port to get it's own group.
+ # Very common ports will benefit, as well as ports with many expensive
+ # rules.
+ grouping:
+ #tcp-whitelist: 53, 80, 139, 443, 445, 1433, 3306, 3389, 6666, 6667, 8080
+ #udp-whitelist: 53, 135, 5060
+
+ profiling:
+ # Log the rules that made it past the prefilter stage, per packet
+ # default is off. The threshold setting determines how many rules
+ # must have made it past pre-filter for that rule to trigger the
+ # logging.
+ #inspect-logging-threshold: 200
+ grouping:
+ dump-to-disk: false
+ include-rules: false # very verbose
+ include-mpm-stats: false
+
+# Select the multi pattern algorithm you want to run for scan/search the
+# in the engine.
+#
+# The supported algorithms are:
+# "ac" - Aho-Corasick, default implementation
+# "ac-bs" - Aho-Corasick, reduced memory implementation
+# "ac-cuda" - Aho-Corasick, CUDA implementation
+# "ac-ks" - Aho-Corasick, "Ken Steele" variant
+# "hs" - Hyperscan, available when built with Hyperscan support
+#
+# The default mpm-algo value of "auto" will use "hs" if Hyperscan is
+# available, "ac" otherwise.
+#
+# The mpm you choose also decides the distribution of mpm contexts for
+# signature groups, specified by the conf - "detect.sgh-mpm-context".
+# Selecting "ac" as the mpm would require "detect.sgh-mpm-context"
+# to be set to "single", because of ac's memory requirements, unless the
+# ruleset is small enough to fit in one's memory, in which case one can
+# use "full" with "ac". Rest of the mpms can be run in "full" mode.
+#
+# There is also a CUDA pattern matcher (only available if Suricata was
+# compiled with --enable-cuda: b2g_cuda. Make sure to update your
+# max-pending-packets setting above as well if you use b2g_cuda.
+
+mpm-algo: auto
+
+# Select the matching algorithm you want to use for single-pattern searches.
+#
+# Supported algorithms are "bm" (Boyer-Moore) and "hs" (Hyperscan, only
+# available if Suricata has been built with Hyperscan support).
+#
+# The default of "auto" will use "hs" if available, otherwise "bm".
+
+spm-algo: auto
+
+# Suricata is multi-threaded. Here the threading can be influenced.
+threading:
+ set-cpu-affinity: no
+ # Tune cpu affinity of threads. Each family of threads can be bound
+ # on specific CPUs.
+ #
+ # These 2 apply to the all runmodes:
+ # management-cpu-set is used for flow timeout handling, counters
+ # worker-cpu-set is used for 'worker' threads
+ #
+ # Additionally, for autofp these apply:
+ # receive-cpu-set is used for capture threads
+ # verdict-cpu-set is used for IPS verdict threads
+ #
+ cpu-affinity:
+ - management-cpu-set:
+ cpu: [ 0 ] # include only these cpus in affinity settings
+ - receive-cpu-set:
+ cpu: [ 0 ] # include only these cpus in affinity settings
+ - worker-cpu-set:
+ cpu: [ "all" ]
+ mode: "exclusive"
+ # Use explicitely 3 threads and don't compute number by using
+ # detect-thread-ratio variable:
+ # threads: 3
+ prio:
+ low: [ 0 ]
+ medium: [ "1-2" ]
+ high: [ 3 ]
+ default: "medium"
+ #- verdict-cpu-set:
+ # cpu: [ 0 ]
+ # prio:
+ # default: "high"
+ #
+ # By default Suricata creates one "detect" thread per available CPU/CPU core.
+ # This setting allows controlling this behaviour. A ratio setting of 2 will
+ # create 2 detect threads for each CPU/CPU core. So for a dual core CPU this
+ # will result in 4 detect threads. If values below 1 are used, less threads
+ # are created. So on a dual core CPU a setting of 0.5 results in 1 detect
+ # thread being created. Regardless of the setting at a minimum 1 detect
+ # thread will always be created.
+ #
+ detect-thread-ratio: 1.0
+
+# Profiling settings. Only effective if Suricata has been built with the
+# the --enable-profiling configure flag.
+#
+profiling:
+ # Run profiling for every xth packet. The default is 1, which means we
+ # profile every packet. If set to 1000, one packet is profiled for every
+ # 1000 received.
+ #sample-rate: 1000
+
+ # rule profiling
+ rules:
+
+ # Profiling can be disabled here, but it will still have a
+ # performance impact if compiled in.
+ enabled: yes
+ filename: rule_perf.log
+ append: yes
+
+ # Sort options: ticks, avgticks, checks, matches, maxticks
+ # If commented out all the sort options will be used.
+ #sort: avgticks
+
+ # Limit the number of sids for which stats are shown at exit (per sort).
+ limit: 10
+
+ # output to json
+ json: yes
+
+ # per keyword profiling
+ keywords:
+ enabled: yes
+ filename: keyword_perf.log
+ append: yes
+
+ # per rulegroup profiling
+ rulegroups:
+ enabled: yes
+ filename: rule_group_perf.log
+ append: yes
+
+ # packet profiling
+ packets:
+
+ # Profiling can be disabled here, but it will still have a
+ # performance impact if compiled in.
+ enabled: yes
+ filename: packet_stats.log
+ append: yes
+
+ # per packet csv output
+ csv:
+
+ # Output can be disabled here, but it will still have a
+ # performance impact if compiled in.
+ enabled: no
+ filename: packet_stats.csv
+
+ # profiling of locking. Only available when Suricata was built with
+ # --enable-profiling-locks.
+ locks:
+ enabled: no
+ filename: lock_stats.log
+ append: yes
+
+ pcap-log:
+ enabled: no
+ filename: pcaplog_stats.log
+ append: yes
+
+##
+## Hardware accelaration
+##
+
+# Cuda configuration.
+cuda:
+ # The "mpm" profile. On not specifying any of these parameters, the engine's
+ # internal default values are used, which are same as the ones specified in
+ # in the default conf file.
+ mpm:
+ # The minimum length required to buffer data to the gpu.
+ # Anything below this is MPM'ed on the CPU.
+ # Can be specified in kb, mb, gb. Just a number indicates it's in bytes.
+ # A value of 0 indicates there's no limit.
+ data-buffer-size-min-limit: 0
+ # The maximum length for data that we would buffer to the gpu.
+ # Anything over this is MPM'ed on the CPU.
+ # Can be specified in kb, mb, gb. Just a number indicates it's in bytes.
+ data-buffer-size-max-limit: 1500
+ # The ring buffer size used by the CudaBuffer API to buffer data.
+ cudabuffer-buffer-size: 500mb
+ # The max chunk size that can be sent to the gpu in a single go.
+ gpu-transfer-size: 50mb
+ # The timeout limit for batching of packets in microseconds.
+ batching-timeout: 2000
+ # The device to use for the mpm. Currently we don't support load balancing
+ # on multiple gpus. In case you have multiple devices on your system, you
+ # can specify the device to use, using this conf. By default we hold 0, to
+ # specify the first device cuda sees. To find out device-id associated with
+ # the card(s) on the system run "suricata --list-cuda-cards".
+ device-id: 0
+ # No of Cuda streams used for asynchronous processing. All values > 0 are valid.
+ # For this option you need a device with Compute Capability > 1.0.
+ cuda-streams: 2
+
+##
+## Include other configs
+##
+
+# Includes. Files included here will be handled as if they were
+# inlined in this configuration file.
+#include: include1.yaml
+#include: include2.yaml
###############################################################################
# #
# IPFire.org - A linux based firewall #
-# Copyright (C) 2007-2015 IPFire Team <info@ipfire.org> #
+# Copyright (C) 2007-2018 IPFire Team <info@ipfire.org> #
# #
# This program is free software: you can redistribute it and/or modify #
# it under the terms of the GNU General Public License as published by #
# enable only the following on debugging purpose
#use warnings;
#use CGI::Carp 'fatalsToBrowser';
-use File::Copy;
require '/var/ipfire/general-functions.pl';
require "${General::swroot}/lang.pl";
require "${General::swroot}/header.pl";
-
-sub refreshpage{&Header::openbox( 'Waiting', 1, "<meta http-equiv='refresh' content='1;'>" );print "<center><img src='/images/clock.gif' alt='' /><br/><font color='red'>$Lang::tr{'pagerefresh'}</font></center>";&Header::closebox();}
-
-$a = new CGI;
+require "${General::swroot}/ids-functions.pl";
my %color = ();
my %mainsettings = ();
+my %idsrules = ();
+my %idssettings=();
+my %rulesetsources = ();
+my %cgiparams=();
+my %checked=();
+my %selected=();
+my %ignored=();
+
+# Read-in main settings, for language, theme and colors.
&General::readhash("${General::swroot}/main/settings", \%mainsettings);
&General::readhash("/srv/web/ipfire/html/themes/".$mainsettings{'THEME'}."/include/colors.txt", \%color);
-my %snortsettings=();
-my %checked=();
-my %selected=();
-my %netsettings=();
-our $errormessage = '';
-our $results = '';
-our $tempdir = '';
-our $url='';
-&General::readhash("${General::swroot}/ethernet/settings", \%netsettings);
+# Get the available network zones, based on the config type of the system and store
+# the list of zones in an array.
+my @network_zones = &IDS::get_available_network_zones();
+
+# File where the used rulefiles are stored.
+my $idsusedrulefilesfile = "$IDS::settingsdir/suricata-used-rulefiles.yaml";
+
+# File where the addresses of the homenet are stored.
+my $idshomenetfile = "$IDS::settingsdir/suricata-homenet.yaml";
+
+# File which contains the enabled sids.
+my $enabled_sids_file = "$IDS::settingsdir/oinkmaster-enabled-sids.conf";
+
+# File which contains the disabled sids.
+my $disabled_sids_file = "$IDS::settingsdir/oinkmaster-disabled-sids.conf";
+
+# File which contains wheater the rules should be changed.
+my $modify_sids_file = "$IDS::settingsdir/oinkmaster-modify-sids.conf";
+
+# File which stores the configured settings for whitelisted addresses.
+my $ignoredfile = "$IDS::settingsdir/ignored";
+
+# File which contains the rules to whitelist addresses on suricata.
+my $whitelistfile = "$IDS::rulespath/whitelist.rules";
+
+my $errormessage;
+
+# Create files if they does not exist yet.
+unless (-f "$enabled_sids_file") { &IDS::create_empty_file($enabled_sids_file); }
+unless (-f "$disabled_sids_file") { &IDS::create_empty_file($disabled_sids_file); }
+unless (-f "$modify_sids_file") { &IDS::create_empty_file($modify_sids_file); }
+unless (-f "$idsusedrulefilesfile") { &IDS::create_empty_file($idsusedrulefilesfile); }
+unless (-f "$ignoredfile") { &IDS::create_empty_file($ignoredfile); }
+unless (-f "$whitelistfile" ) { &IDS::create_empty_file($whitelistfile); }
&Header::showhttpheaders();
-$snortsettings{'ENABLE_SNORT'} = 'off';
-$snortsettings{'ENABLE_SNORT_GREEN'} = 'off';
-$snortsettings{'ENABLE_SNORT_BLUE'} = 'off';
-$snortsettings{'ENABLE_SNORT_ORANGE'} = 'off';
-$snortsettings{'ACTION'} = '';
-$snortsettings{'RULES'} = '';
-$snortsettings{'OINKCODE'} = '';
-$snortsettings{'INSTALLDATE'} = '';
-$snortsettings{'FILE'} = '';
-$snortsettings{'UPLOAD'} = '';
-
-&Header::getcgihash(\%snortsettings, {'wantfile' => 1, 'filevar' => 'FH'});
-
-####################### Added for snort rules control #################################
-my $snortrulepath; # change to "/etc/snort/rules" - maniac
-my @snortconfig;
-my $restartsnortrequired = 0;
-my %snortrules;
-my $rule = '';
-my $table1colour = '';
-my $table2colour = '';
-my $var = '';
-my $value = '';
-my $tmp = '';
-my $linkedrulefile = '';
-my $border = '';
-my $checkboxname = '';
-
-if (-e "/etc/snort/snort.conf") {
-
-
- # Open snort.conf file, read it in, close it, and re-open for writing
- open(FILE, "/etc/snort/snort.conf") or die 'Unable to read snort config file.';
- @snortconfig = <FILE>;
- close(FILE);
- open(FILE, ">/etc/snort/snort.conf") or die 'Unable to write snort config file.';
-
- my @rules = `cd /etc/snort/rules/ && ls *.rules 2>/dev/null`; # With this loop the rule might be display with correct rulepath set
- foreach (@rules) {
- chomp $_;
- my $temp = join(";",@snortconfig);
- if ( $temp =~ /$_/ ){next;}
- else { push(@snortconfig,"#include \$RULE_PATH/".$_);}
- }
-
- # Loop over each line
- foreach my $line (@snortconfig) {
- # Trim the line
- chomp $line;
+#Get GUI values
+&Header::getcgihash(\%cgiparams);
- # Check for a line with .rules
- if ($line =~ /\.rules$/) {
- # Parse out rule file name
- $rule = $line;
- $rule =~ s/\$RULE_PATH\///i;
- $rule =~ s/ ?include ?//i;
- $rule =~ s/\#//i;
- my $snortrulepathrule = "$snortrulepath/$rule";
-
- # Open rule file and read in contents
- open(RULEFILE, "$snortrulepath/$rule") or die "Unable to read snort rule file for reading => $snortrulepath/$rule.";
- my @snortrulefile = <RULEFILE>;
- close(RULEFILE);
- open(RULEFILE, ">$snortrulepath/$rule") or die "Unable to write snort rule file for writing $snortrulepath/$rule";
+## Add/edit an entry to the ignore file.
+#
+if (($cgiparams{'WHITELIST'} eq $Lang::tr{'add'}) || ($cgiparams{'WHITELIST'} eq $Lang::tr{'update'})) {
- # Local vars
- my $dashlinecnt = 0;
- my $desclook = 1;
- my $snortruledesc = '';
- my %snortruledef = ();
- my $rulecnt = 1;
-
- # Loop over rule file contents
- foreach my $ruleline (@snortrulefile) {
- chomp $ruleline;
-
- # If still looking for a description
- if ($desclook) {
- # If line does not start with a # anymore, then done looking for a description
- if ($ruleline !~ /^\#/) {
- $desclook = 0;
- }
+ # Check if any input has been performed.
+ if ($cgiparams{'IGNORE_ENTRY_ADDRESS'} ne '') {
- # If see more than one dashed line, (start to) create rule file description
- if ($dashlinecnt > 1) {
- # Check for a line starting with a #
- if ($ruleline =~ /^\#/ and $ruleline !~ /^\#alert/) {
- # Create tempruleline
- my $tempruleline = $ruleline;
-
- # Strip off # and clean up line
- $tempruleline =~ s/\# ?//i;
-
- # Check for part of a description
- if ($snortruledesc eq '') {
- $snortruledesc = $tempruleline;
- } else {
- $snortruledesc .= " $tempruleline";
- }
- } else {
- # Must be done
- $desclook = 0;
- }
- }
+ # Check if the given input is no valid IP-address or IP-address with subnet, display an error message.
+ if ((!&General::validip($cgiparams{'IGNORE_ENTRY_ADDRESS'})) && (!&General::validipandmask($cgiparams{'IGNORE_ENTRY_ADDRESS'}))) {
+ $errormessage = "$Lang::tr{'guardian invalid address or subnet'}";
+ }
+ } else {
+ $errormessage = "$Lang::tr{'guardian empty input'}";
+ }
- # If have a dashed line, increment count
- if ($ruleline =~ /\# ?\-+/) {
- $dashlinecnt++;
- }
- } else {
- # Parse out rule file rule's message for display
- if ($ruleline =~ /(msg\:\"[^\"]+\";)/) {
- my $msg = '';
- $msg = $1;
- $msg =~ s/msg\:\"//i;
- $msg =~ s/\";//i;
- $snortruledef{$rulecnt}{'Description'} = $msg;
-
- # Check for 'Save' and rule file displayed in query string
- if (($snortsettings{'ACTION'} eq $Lang::tr{'update'}) && ($ENV{'QUERY_STRING'} =~ /$rule/i)) {
- # Check for a disable rule which is now enabled, or an enabled rule which is now disabled
- if ((($ruleline =~ /^\#/) && (exists $snortsettings{"SNORT_RULE_$rule\_$rulecnt"})) || (($ruleline !~ /^\#/) && (!exists $snortsettings{"SNORT_RULE_$rule\_$rulecnt"}))) {
- $restartsnortrequired = 1;
- }
-
- # Strip out leading # from rule line
- $ruleline =~ s/\# ?//i;
-
- # Check if it does not exists (which means it is disabled), append a #
- if (!exists $snortsettings{"SNORT_RULE_$rule\_$rulecnt"}) {
- $ruleline = "#"." $ruleline";
- }
- }
-
- # Check if ruleline does not begin with a #, so it is enabled
- if ($ruleline !~ /^\#/) {
- $snortruledef{$rulecnt++}{'State'} = 'Enabled';
- } else {
- # Otherwise it is disabled
- $snortruledef{$rulecnt++}{'State'} = 'Disabled';
- }
- }
- }
+ # Go further if there was no error.
+ if ($errormessage eq '') {
+ my %ignored = ();
+ my $id;
+ my $status;
- # Print ruleline to RULEFILE
- print RULEFILE "$ruleline\n";
- }
+ # Assign hash values.
+ my $new_entry_address = $cgiparams{'IGNORE_ENTRY_ADDRESS'};
+ my $new_entry_remark = $cgiparams{'IGNORE_ENTRY_REMARK'};
- # Close RULEFILE
- close(RULEFILE);
+ # Read-in ignoredfile.
+ &General::readhasharray($ignoredfile, \%ignored);
- # Check for 'Save'
- if ($snortsettings{'ACTION'} eq $Lang::tr{'update'}) {
- # Check for a disable rule which is now enabled, or an enabled rule which is now disabled
- if ((($line =~ /^\#/) && (exists $snortsettings{"SNORT_RULE_$rule"})) || (($line !~ /^\#/) && (!exists $snortsettings{"SNORT_RULE_$rule"}))) {
- $restartsnortrequired = 1;
- }
+ # Check if we should edit an existing entry and got an ID.
+ if (($cgiparams{'WHITELIST'} eq $Lang::tr{'update'}) && ($cgiparams{'ID'})) {
+ # Assin the provided id.
+ $id = $cgiparams{'ID'};
- # Strip out leading # from rule line
- $line =~ s/\# ?//i;
+ # Undef the given ID.
+ undef($cgiparams{'ID'});
- # Check if it does not exists (which means it is disabled), append a #
- if (!exists $snortsettings{"SNORT_RULE_$rule"}) {
- $line = "# $line";
- }
+ # Grab the configured status of the corresponding entry.
+ $status = $ignored{$id}[2];
+ } else {
+ # Each newly added entry automatically should be enabled.
+ $status = "enabled";
- }
+ # Generate the ID for the new entry.
+ #
+ # Sort the keys by their ID and store them in an array.
+ my @keys = sort { $a <=> $b } keys %ignored;
- # Check for rule state
- if ($line =~ /^\#/) {
- $snortrules{$rule}{"State"} = "Disabled";
- } else {
- $snortrules{$rule}{"State"} = "Enabled";
- }
+ # Reverse the key array.
+ my @reversed = reverse(@keys);
- # Set rule description
- $snortrules{$rule}{"Description"} = $snortruledesc;
+ # Obtain the last used id.
+ my $last_id = @reversed[0];
- # Loop over sorted rules
- foreach my $ruledef (sort {$a <=> $b} keys(%snortruledef)) {
- $snortrules{$rule}{"Definition"}{$ruledef}{'Description'} = $snortruledef{$ruledef}{'Description'};
- $snortrules{$rule}{"Definition"}{$ruledef}{'State'} = $snortruledef{$ruledef}{'State'};
- }
+ # Increase the last id by one and use it as id for the new entry.
+ $id = ++$last_id;
+ }
+
+ # Add/Modify the entry to/in the ignored hash.
+ $ignored{$id} = ["$new_entry_address", "$new_entry_remark", "$status"];
+
+ # Write the changed ignored hash to the ignored file.
+ &General::writehasharray($ignoredfile, \%ignored);
+
+ # Regenerate the ignore file.
+ &GenerateIgnoreFile();
+ }
+
+ # Check if the IDS is running.
+ if(&IDS::ids_is_running()) {
+ # Call suricatactrl to perform a reload.
+ &IDS::call_suricatactrl("reload");
+ }
+
+## Toggle Enabled/Disabled for an existing entry on the ignore list.
+#
- $snortruledesc = '';
- print FILE "$line\n";
- } elsif ($line =~ /var RULE_PATH/) {
- ($tmp, $tmp, $snortrulepath) = split(' ', $line);
- print FILE "$line\n";
+} elsif ($cgiparams{'WHITELIST'} eq $Lang::tr{'toggle enable disable'}) {
+ my %ignored = ();
+
+ # Only go further, if an ID has been passed.
+ if ($cgiparams{'ID'}) {
+ # Assign the given ID.
+ my $id = $cgiparams{'ID'};
+
+ # Undef the given ID.
+ undef($cgiparams{'ID'});
+
+ # Read-in ignoredfile.
+ &General::readhasharray($ignoredfile, \%ignored);
+
+ # Grab the configured status of the corresponding entry.
+ my $status = $ignored{$id}[2];
+
+ # Switch the status.
+ if ($status eq "disabled") {
+ $status = "enabled";
} else {
- print FILE "$line\n";
+ $status = "disabled";
+ }
+
+ # Modify the status of the existing entry.
+ $ignored{$id} = ["$ignored{$id}[0]", "$ignored{$id}[1]", "$status"];
+
+ # Write the changed ignored hash to the ignored file.
+ &General::writehasharray($ignoredfile, \%ignored);
+
+ # Regenerate the ignore file.
+ &GenerateIgnoreFile();
+
+ # Check if the IDS is running.
+ if(&IDS::ids_is_running()) {
+ # Call suricatactrl to perform a reload.
+ &IDS::call_suricatactrl("reload");
}
}
- close(FILE);
- if ($restartsnortrequired) {
- system('/usr/local/bin/snortctrl restart >/dev/null');
+## Remove entry from ignore list.
+#
+} elsif ($cgiparams{'WHITELIST'} eq $Lang::tr{'remove'}) {
+ my %ignored = ();
+
+ # Read-in ignoredfile.
+ &General::readhasharray($ignoredfile, \%ignored);
+
+ # Drop entry from the hash.
+ delete($ignored{$cgiparams{'ID'}});
+
+ # Undef the given ID.
+ undef($cgiparams{'ID'});
+
+ # Write the changed ignored hash to the ignored file.
+ &General::writehasharray($ignoredfile, \%ignored);
+
+ # Regenerate the ignore file.
+ &GenerateIgnoreFile();
+
+ # Check if the IDS is running.
+ if(&IDS::ids_is_running()) {
+ # Call suricatactrl to perform a reload.
+ &IDS::call_suricatactrl("reload");
}
}
-####################### End added for snort rules control #################################
+# Check if any error has been stored.
+if (-e $IDS::storederrorfile) {
+ # Open file to read in the stored error message.
+ open(FILE, "<$IDS::storederrorfile") or die "Could not open $IDS::storederrorfile. $!\n";
-if ($snortsettings{'OINKCODE'} ne "") {
- $errormessage = $Lang::tr{'invalid input for oink code'} unless ($snortsettings{'OINKCODE'} =~ /^[a-z0-9]+$/);
+ # Read the stored error message.
+ $errormessage = <FILE>;
+
+ # Close file.
+ close (FILE);
+
+ # Delete the file, which is now not longer required.
+ unlink($IDS::storederrorfile);
}
-if (!$errormessage) {
- if ($snortsettings{'RULES'} eq 'subscripted') {
- $url=" https://www.snort.org/rules/snortrules-snapshot-29111.tar.gz?oinkcode=$snortsettings{'OINKCODE'}";
- } elsif ($snortsettings{'RULES'} eq 'registered') {
- $url=" https://www.snort.org/rules/snortrules-snapshot-29111.tar.gz?oinkcode=$snortsettings{'OINKCODE'}";
- } elsif ($snortsettings{'RULES'} eq 'community') {
- $url=" https://www.snort.org/rules/community";
- } else {
- $url="https://rules.emergingthreats.net/open/snort-2.9.0/emerging.rules.tar.gz";
+
+## Grab all available snort rules and store them in the idsrules hash.
+#
+# Open snort rules directory and do a directory listing.
+opendir(DIR, $IDS::rulespath) or die $!;
+ # Loop through the direcory.
+ while (my $file = readdir(DIR)) {
+
+ # We only want files.
+ next unless (-f "$IDS::rulespath/$file");
+
+ # Ignore empty files.
+ next if (-z "$IDS::rulespath/$file");
+
+ # Use a regular expression to find files ending in .rules
+ next unless ($file =~ m/\.rules$/);
+
+ # Ignore files which are not read-able.
+ next unless (-R "$IDS::rulespath/$file");
+
+ # Skip whitelist rules file.
+ next if( $file eq "whitelist.rules");
+
+ # Call subfunction to read-in rulefile and add rules to
+ # the idsrules hash.
+ &readrulesfile("$file");
}
- if ($snortsettings{'ACTION'} eq $Lang::tr{'save'} && $snortsettings{'ACTION2'} eq "snort" ) {
- &General::writehash("${General::swroot}/snort/settings", \%snortsettings);
- if ($snortsettings{'ENABLE_SNORT'} eq 'on')
- {
- system ('/usr/bin/touch', "${General::swroot}/snort/enable");
- } else {
- unlink "${General::swroot}/snort/enable";
+closedir(DIR);
+
+# Gather used rulefiles.
+#
+# Check if the file for activated rulefiles is not empty.
+if(-f $idsusedrulefilesfile) {
+ # Open the file for used rulefile and read-in content.
+ open(FILE, $idsusedrulefilesfile) or die "Could not open $idsusedrulefilesfile. $!\n";
+
+ # Read-in content.
+ my @lines = <FILE>;
+
+ # Close file.
+ close(FILE);
+
+ # Loop through the array.
+ foreach my $line (@lines) {
+ # Remove newlines.
+ chomp($line);
+
+ # Skip comments.
+ next if ($line =~ /\#/);
+
+ # Skip blank lines.
+ next if ($line =~ /^\s*$/);
+
+ # Gather rule sid and message from the ruleline.
+ if ($line =~ /.*- (.*)/) {
+ my $rulefile = $1;
+
+ # Check if the current rulefile exists in the %idsrules hash.
+ # If not, the file probably does not exist anymore or contains
+ # no rules.
+ if($idsrules{$rulefile}) {
+ # Add the rulefile state to the %idsrules hash.
+ $idsrules{$rulefile}{'Rulefile'}{'State'} = "on";
+ }
}
- if ($snortsettings{'ENABLE_SNORT_GREEN'} eq 'on')
- {
- system ('/usr/bin/touch', "${General::swroot}/snort/enable_green");
- } else {
- unlink "${General::swroot}/snort/enable_green";
+ }
+}
+
+# Save ruleset.
+if ($cgiparams{'RULESET'} eq $Lang::tr{'update'}) {
+ # Arrays to store which rulefiles have been enabled and will be used.
+ my @enabled_rulefiles;
+
+ # Hash to store the user-enabled and disabled sids.
+ my %enabled_disabled_sids;
+
+ # Loop through the hash of idsrules.
+ foreach my $rulefile(keys %idsrules) {
+ # Check if the rulefile is enabled.
+ if ($cgiparams{$rulefile} eq "on") {
+ # Add rulefile to the array of enabled rulefiles.
+ push(@enabled_rulefiles, $rulefile);
+
+ # Drop item from cgiparams hash.
+ delete $cgiparams{$rulefile};
}
- if ($snortsettings{'ENABLE_SNORT_BLUE'} eq 'on')
- {
- system ('/usr/bin/touch', "${General::swroot}/snort/enable_blue");
- } else {
- unlink "${General::swroot}/snort/enable_blue";
+ }
+
+ # Read-in the files for enabled/disabled sids.
+ # This will be done by calling the read_enabled_disabled_sids_file function two times
+ # and merge the returned hashes together into the enabled_disabled_sids hash.
+ %enabled_disabled_sids = (
+ &read_enabled_disabled_sids_file($disabled_sids_file),
+ &read_enabled_disabled_sids_file($enabled_sids_file));
+
+ # Loop through the hash of idsrules.
+ foreach my $rulefile (keys %idsrules) {
+ # Loop through the single rules of the rulefile.
+ foreach my $sid (keys %{$idsrules{$rulefile}}) {
+ # Skip the current sid if it is not numeric.
+ next unless ($sid =~ /\d+/ );
+
+ # Check if there exists a key in the cgiparams hash for this sid.
+ if (exists($cgiparams{$sid})) {
+ # Look if the rule is disabled.
+ if ($idsrules{$rulefile}{$sid}{'State'} eq "off") {
+ # Check if the state has been set to 'on'.
+ if ($cgiparams{$sid} eq "on") {
+ # Add/Modify the sid to/in the enabled_disabled_sids hash.
+ $enabled_disabled_sids{$sid} = "enabled";
+
+ # Drop item from cgiparams hash.
+ delete $cgiparams{$rulefile}{$sid};
+ }
+ }
+ } else {
+ # Look if the rule is enabled.
+ if ($idsrules{$rulefile}{$sid}{'State'} eq "on") {
+ # Check if the state is 'on' and should be disabled.
+ # In this case there is no entry
+ # for the sid in the cgiparams hash.
+ # Add/Modify it to/in the enabled_disabled_sids hash.
+ $enabled_disabled_sids{$sid} = "disabled";
+
+ # Drop item from cgiparams hash.
+ delete $cgiparams{$rulefile}{$sid};
+ }
+ }
}
- if ($snortsettings{'ENABLE_SNORT_ORANGE'} eq 'on')
- {
- system ('/usr/bin/touch', "${General::swroot}/snort/enable_orange");
- } else {
- unlink "${General::swroot}/snort/enable_orange";
+ }
+
+ # Open enabled sid's file for writing.
+ open(ENABLED_FILE, ">$enabled_sids_file") or die "Could not write to $enabled_sids_file. $!\n";
+
+ # Open disabled sid's file for writing.
+ open(DISABLED_FILE, ">$disabled_sids_file") or die "Could not write to $disabled_sids_file. $!\n";
+
+ # Write header to the files.
+ print ENABLED_FILE "#Autogenerated file. Any custom changes will be overwritten!\n";
+ print DISABLED_FILE "#Autogenerated file. Any custom changes will be overwritten!\n";
+
+ # Check if the hash for enabled/disabled files contains any entries.
+ if (%enabled_disabled_sids) {
+ # Loop through the hash.
+ foreach my $sid (keys %enabled_disabled_sids) {
+ # Check if the sid is enabled.
+ if ($enabled_disabled_sids{$sid} eq "enabled") {
+ # Print the sid to the enabled_sids file.
+ print ENABLED_FILE "enablesid $sid\n";
+ # Check if the sid is disabled.
+ } elsif ($enabled_disabled_sids{$sid} eq "disabled") {
+ # Print the sid to the disabled_sids file.
+ print DISABLED_FILE "disablesid $sid\n";
+ # Something strange happende - skip the current sid.
+ } else {
+ next;
+ }
}
- if ($snortsettings{'ENABLE_PREPROCESSOR_HTTP_INSPECT'} eq 'on')
- {
- system ('/usr/bin/touch', "${General::swroot}/snort/enable_preprocessor_http_inspect");
- } else {
- unlink "${General::swroot}/snort/enable_preprocessor_http_inspect";
+ }
+
+ # Close file for enabled_sids after writing.
+ close(ENABLED_FILE);
+
+ # Close file for disabled_sids after writing.
+ close(DISABLED_FILE);
+
+ # Open file for used rulefiles.
+ open (FILE, ">$idsusedrulefilesfile") or die "Could not write to $idsusedrulefilesfile. $!\n";
+
+ # Write yaml header to the file.
+ print FILE "%YAML 1.1\n";
+ print FILE "---\n\n";
+
+ # Write header to file.
+ print FILE "#Autogenerated file. Any custom changes will be overwritten!\n";
+
+ # Check if the enabled_rulefiles array contains any entries.
+ if (@enabled_rulefiles) {
+ # Allways load the whitelist.
+ print FILE " - whitelist.rules\n";
+
+ # Loop through the array of rulefiles which should be loaded and write them to the file.
+ foreach my $file (@enabled_rulefiles) {
+ print FILE " - $file\n";
}
+ }
+
+ # Close file after writing.
+ close(FILE);
- system('/usr/local/bin/snortctrl restart >/dev/null');
+ # Lock the webpage and print message.
+ &working_notice("$Lang::tr{'snort working'}");
+
+ # Call oinkmaster to alter the ruleset.
+ &IDS::oinkmaster();
+
+ # Check if the IDS is running.
+ if(&IDS::ids_is_running()) {
+ # Call suricatactrl to perform a reload.
+ &IDS::call_suricatactrl("reload");
}
- # INSTALLMD5 is not in the form, so not retrieved by getcgihash
- &General::readhash("${General::swroot}/snort/settings", \%snortsettings);
+ # Reload page.
+ &reload();
- if ($snortsettings{'ACTION'} eq $Lang::tr{'download new ruleset'} || $snortsettings{'ACTION'} eq $Lang::tr{'upload new ruleset'}) {
- my @df = `/bin/df -B M /var`;
- foreach my $line (@df) {
- next if $line =~ m/^Filesystem/;
- my $return;
+# Download new ruleset.
+} elsif ($cgiparams{'RULESET'} eq $Lang::tr{'download new ruleset'}) {
+ # Check if the red device is active.
+ unless (-e "${General::swroot}/red/active") {
+ $errormessage = $Lang::tr{'could not download latest updates'};
+ }
- if ($line =~ m/dev/ ) {
- $line =~ m/^.* (\d+)M.*$/;
- my @temp = split(/ +/,$line);
- if ($1<300) {
- $errormessage = "$Lang::tr{'not enough disk space'} < 300MB, /var $1MB";
- } else {
- if ( $snortsettings{'ACTION'} eq $Lang::tr{'download new ruleset'}) {
- &downloadrulesfile();
- sleep(3);
- $return = `cat /var/tmp/log 2>/dev/null`;
-
- } elsif ( $snortsettings{'ACTION'} eq $Lang::tr{'upload new ruleset'}) {
- my $upload = $a->param("UPLOAD");
- open UPLOADFILE, ">/var/tmp/snortrules.tar.gz";
- binmode $upload;
- while ( <$upload> ) {
- print UPLOADFILE;
- }
- close UPLOADFILE;
- }
+ # Check if enought free disk space is availabe.
+ if(&IDS::checkdiskspace()) {
+ $errormessage = "$Lang::tr{'not enough disk space'}";
+ }
- if ($return =~ "ERROR") {
- $errormessage = "<br /><pre>".$return."</pre>";
- } else {
- system("/usr/local/bin/oinkmaster.pl -v -s -u file:///var/tmp/snortrules.tar.gz -C /var/ipfire/snort/oinkmaster.conf -o /etc/snort/rules >>/var/tmp/log 2>&1 &");
- sleep(2);
- }
- }
+ # Check if any errors happend.
+ unless ($errormessage) {
+ # Lock the webpage and print notice about downloading
+ # a new ruleset.
+ &working_notice("$Lang::tr{'snort working'}");
+
+ # Call subfunction to download the ruleset.
+ if(&IDS::downloadruleset()) {
+ $errormessage = $Lang::tr{'could not download latest updates'};
+
+ # Call function to store the errormessage.
+ &IDS::_store_error_message($errormessage);
+
+ # Preform a reload of the page.
+ &reload();
+ } else {
+ # Call subfunction to launch oinkmaster.
+ &IDS::oinkmaster();
+
+ # Check if the IDS is running.
+ if(&IDS::ids_is_running()) {
+ # Call suricatactrl to perform a reload.
+ &IDS::call_suricatactrl("reload");
}
+
+ # Perform a reload of the page.
+ &reload();
+ }
+ }
+# Save snort settings.
+} elsif ($cgiparams{'IDS'} eq $Lang::tr{'save'}) {
+ my %oldidssettings;
+ my $reload_page;
+
+ # Read-in current (old) IDS settings.
+ &General::readhash("$IDS::settingsdir/settings", \%oldidssettings);
+
+ # Prevent form name from been stored in conf file.
+ delete $cgiparams{'IDS'};
+
+ # Check if an oinkcode has been provided.
+ if ($cgiparams{'OINKCODE'}) {
+ # Check if the oinkcode contains unallowed chars.
+ unless ($cgiparams{'OINKCODE'} =~ /^[a-z0-9]+$/) {
+ $errormessage = $Lang::tr{'invalid input for oink code'};
+ }
+ }
+
+ # Go on if there are no error messages.
+ if (!$errormessage) {
+ # Store settings into settings file.
+ &General::writehash("$IDS::settingsdir/settings", \%cgiparams);
+ }
+
+ # Generate file to store the home net.
+ &generate_home_net_file();
+
+ # Check if the the automatic rule update hass been touched.
+ if($cgiparams{'AUTOUPDATE_INTERVAL'} ne $oldidssettings{'AUTOUPDATE_INTERVAL'}) {
+ # Call suricatactrl to set the new interval.
+ &IDS::call_suricatactrl("cron", $cgiparams{'AUTOUPDATE_INTERVAL'});
+ }
+
+ # Check if the runmode has been changed.
+ if($cgiparams{'RUN_MODE'} ne $oldidssettings{'RUN_MODE'}) {
+ # Open modify sid's file for writing.
+ open(FILE, ">$modify_sids_file") or die "Could not write to $modify_sids_file. $!\n";
+
+ # Write file header.
+ print FILE "#Autogenerated file. Any custom changes will be overwritten!\n";
+
+ # Check if the configured runmode is IPS.
+ if ($cgiparams{'RUN_MODE'} eq 'IPS') {
+ # Tell oinkmaster to switch all rules from alert to drop.
+ print FILE "modifysid \* \"alert\" \| \"drop\"\n";
+ }
+
+ # Close file handle.
+ close(FILE);
+
+ # Check if a ruleset exists.
+ if (%idsrules) {
+ # Lock the webpage and print message.
+ &working_notice("$Lang::tr{'snort working'}");
+
+ # Call oinkmaster to alter the ruleset.
+ &IDS::oinkmaster();
+
+ # Set reload_page to "True".
+ $reload_page="True";
}
}
+
+ # Check if the IDS currently is running.
+ if(&IDS::ids_is_running()) {
+ # Check if ENABLE_IDS is set to on.
+ if($cgiparams{'ENABLE_IDS'} eq "on") {
+ # Call suricatactrl to perform a reload of suricata.
+ &IDS::call_suricatactrl("reload");
+ } else {
+ # Call suricatactrl to stop suricata.
+ &IDS::call_suricatactrl("stop");
+ }
+ } else {
+ # Call suricatactrl to start suricata.
+ &IDS::call_suricatactrl("start");
+ }
+
+ # Check if the page should be reloaded.
+ if ($reload_page) {
+ # Perform a reload of the page.
+ &reload();
+ }
+}
+
+# Read-in idssettings
+&General::readhash("$IDS::settingsdir/settings", \%idssettings);
+
+# If the runmode has not been configured yet, set default value.
+unless(exists($idssettings{'RUN_MODE'})) {
+ # Set default to IPS.
+ $idssettings{'RUN_MODE'} = 'IPS';
}
-$checked{'ENABLE_SNORT'}{'off'} = '';
-$checked{'ENABLE_SNORT'}{'on'} = '';
-$checked{'ENABLE_SNORT'}{$snortsettings{'ENABLE_SNORT'}} = "checked='checked'";
-$checked{'ENABLE_SNORT_GREEN'}{'off'} = '';
-$checked{'ENABLE_SNORT_GREEN'}{'on'} = '';
-$checked{'ENABLE_SNORT_GREEN'}{$snortsettings{'ENABLE_SNORT_GREEN'}} = "checked='checked'";
-$checked{'ENABLE_SNORT_BLUE'}{'off'} = '';
-$checked{'ENABLE_SNORT_BLUE'}{'on'} = '';
-$checked{'ENABLE_SNORT_BLUE'}{$snortsettings{'ENABLE_SNORT_BLUE'}} = "checked='checked'";
-$checked{'ENABLE_SNORT_ORANGE'}{'off'} = '';
-$checked{'ENABLE_SNORT_ORANGE'}{'on'} = '';
-$checked{'ENABLE_SNORT_ORANGE'}{$snortsettings{'ENABLE_SNORT_ORANGE'}} = "checked='checked'";
+# Read-in ignored hosts.
+&General::readhasharray("$IDS::settingsdir/ignored", \%ignored);
+
+$checked{'ENABLE_IDS'}{'off'} = '';
+$checked{'ENABLE_IDS'}{'on'} = '';
+$checked{'ENABLE_IDS'}{$idssettings{'ENABLE_IDS'}} = "checked='checked'";
+$checked{'RUN_MODE'}{'IDS'} = '';
+$checked{'RUN_MODE'}{'IPS'} = '';
+$checked{'RUN_MODE'}{$idssettings{'RUN_MODE'}} = "checked='checked'";
$selected{'RULES'}{'nothing'} = '';
$selected{'RULES'}{'community'} = '';
$selected{'RULES'}{'emerging'} = '';
$selected{'RULES'}{'registered'} = '';
$selected{'RULES'}{'subscripted'} = '';
-$selected{'RULES'}{$snortsettings{'RULES'}} = "selected='selected'";
+$selected{'RULES'}{$idssettings{'RULES'}} = "selected='selected'";
+$selected{'AUTOUPDATE_INTERVAL'}{'off'} = '';
+$selected{'AUTOUPDATE_INTERVAL'}{'daily'} = '';
+$selected{'AUTOUPDATE_INTERVAL'}{'weekly'} = '';
+$selected{'AUTOUPDATE_INTERVAL'}{$idssettings{'AUTOUPDATE_INTERVAL'}} = "selected='selected'";
&Header::openpage($Lang::tr{'intrusion detection system'}, 1, '');
-####################### Added for snort rules control #################################
-print "<script type='text/javascript' src='/include/snortupdateutility.js'></script>";
+### Java Script ###
print <<END
-<style type="text/css">
-<!--
-.section {
- border: groove;
-}
-.row1color {
- border: ridge;
- background-color: $color{'color22'};
-}
-.row2color {
- border: ridge;
- background-color: $color{'color20'};
-}
-.rowselected {
- border: double #FF0000;
- background-color: #DCDCDC;
-}
--->
-</style>
+<script>
+ // Tiny java script function to show/hide the rules
+ // of a given category.
+ function showhide(tblname) {
+ \$("#" + tblname).toggle();
+ }
+</script>
END
;
-####################### End added for snort rules control #################################
&Header::openbigbox('100%', 'left', '', $errormessage);
-###############
-# DEBUG DEBUG
-# &Header::openbox('100%', 'left', 'DEBUG');
-# my $debugCount = 0;
-# foreach my $line (sort keys %snortsettings) {
-# print "$line = $snortsettings{$line}<br />\n";
-# $debugCount++;
-# }
-# print " Count: $debugCount\n";
-# &Header::closebox();
-# DEBUG DEBUG
-###############
-
if ($errormessage) {
&Header::openbox('100%', 'left', $Lang::tr{'error messages'});
print "<class name='base'>$errormessage\n";
&Header::closebox();
}
-my $return = `pidof oinkmaster.pl -x`;
-chomp($return);
-if ($return) {
- &Header::openbox( 'Waiting', 1, "<meta http-equiv='refresh' content='10;'>" );
+# Draw current state of the IDS
+&Header::openbox('100%', 'left', $Lang::tr{'intrusion detection system'});
+
+# Check if the IDS is running and obtain the process-id.
+my $pid = &IDS::ids_is_running();
+
+# Display some useful information, if suricata daemon is running.
+if ($pid) {
+ # Gather used memory.
+ my $memory = &get_memory_usage($pid);
+
print <<END;
- <table>
- <tr><td>
- <img src='/images/indicator.gif' alt='$Lang::tr{'aktiv'}' />
- <td>
- $Lang::tr{'snort working'}
- <tr><td colspan='2' align='center'>
- <form method='post' action='$ENV{'SCRIPT_NAME'}'>
- <input type='image' alt='$Lang::tr{'reload'}' title='$Lang::tr{'reload'}' src='/images/view-refresh.png' />
- </form>
- <tr><td colspan='2' align='left'><pre>
+ <table width='95%' cellspacing='0' class='tbl'>
+ <tr>
+ <th bgcolor='$color{'color20'}' colspan='3' align='left'><strong>$Lang::tr{'intrusion detection'}</strong></th>
+ </tr>
+
+ <tr>
+ <td class='base'>$Lang::tr{'guardian daemon'}</td>
+ <td align='center' colspan='2' width='75%' bgcolor='${Header::colourgreen}'><font color='white'><strong>$Lang::tr{'running'}</strong></font></td>
+ </tr>
+
+ <tr>
+ <td class='base'></td>
+ <td bgcolor='$color{'color20'}' align='center'><strong>PID</strong></td>
+ <td bgcolor='$color{'color20'}' align='center'><strong>$Lang::tr{'memory'}</strong></td>
+ </tr>
+
+ <tr>
+ <td class='base'></td>
+ <td bgcolor='$color{'color22'}' align='center'>$pid</td>
+ <td bgcolor='$color{'color22'}' align='center'>$memory KB</td>
+ </tr>
+ </table>
END
- my @output = `tail -20 /var/tmp/log`;
- foreach (@output) {
- print "$_";
- }
+} else {
+ # Otherwise display a hint that the service is not launched.
print <<END;
- </pre>
+ <table width='95%' cellspacing='0' class='tbl'>
+ <tr>
+ <th bgcolor='$color{'color20'}' colspan='3' align='left'><strong>$Lang::tr{'intrusion detection'}</strong></th>
+ </tr>
+
+ <tr>
+ <td class='base'>$Lang::tr{'guardian daemon'}</td>
+ <td align='center' width='75%' bgcolor='${Header::colourred}'><font color='white'><strong>$Lang::tr{'stopped'}</strong></font></td>
+ </tr>
</table>
END
- &Header::closebox();
- &Header::closebigbox();
- &Header::closepage();
- exit;
- refreshpage();
+}
+&Header::closebox();
+
+# Draw elements for IDS configuration.
+&Header::openbox('100%', 'center', $Lang::tr{'settings'});
+
+my $rulesdate;
+
+# Check if a ruleset allready has been downloaded.
+if ( -f "$IDS::rulestarball"){
+ # Call stat on the filename to obtain detailed information.
+ my @Info = stat("$IDS::rulestarball");
+
+ # Grab details about the creation time.
+ $rulesdate = localtime($Info[9]);
}
-&Header::openbox('100%', 'left', $Lang::tr{'intrusion detection system'});
print <<END
-<form method='post' action='$ENV{'SCRIPT_NAME'}'><table width='100%'>
-<tr><td class='base'><input type='checkbox' name='ENABLE_SNORT_GREEN' $checked{'ENABLE_SNORT_GREEN'}{'on'} />GREEN Snort
+<form method='post' action='$ENV{'SCRIPT_NAME'}'>
+ <table width='100%' border='0'>
+ <tr>
+ <td class='base' colspan='4'>
+ <input type='checkbox' name='ENABLE_IDS' $checked{'ENABLE_IDS'}{'on'}>$Lang::tr{'ids activate'} $Lang::tr{'intrusion detection system'}
+ </td>
+ </tr>
+
+ <tr>
+ <td colspan='4'><br><br></td>
+ </tr>
+
+ <tr>
+ <td class='base' colspan='4'><b>$Lang::tr{'runmode'}</b></td>
+ </tr>
+
+ <tr>
+ <td class='base' colspan='4'>
+ <input type='radio' name='RUN_MODE' value='IDS' $checked{'RUN_MODE'}{'IDS'}>$Lang::tr{'intrusion detection system2'}    
+ <input type='radio' name='RUN_MODE' value='IPS' $checked{'RUN_MODE'}{'IPS'}>$Lang::tr{'intrusion prevention system'}
+ </td>
+ </tr>
+
+ <tr>
+ <td colspan='4'><br></td>
+ </tr>
+
+ <tr>
+ <td colspan='4'><b>$Lang::tr{'ids traffic analyze'}</b><br></td>
+ </tr>
+
+ <tr>
END
;
-if ($netsettings{'BLUE_DEV'} ne '') {
- print " <input type='checkbox' name='ENABLE_SNORT_BLUE' $checked{'ENABLE_SNORT_BLUE'}{'on'} /> BLUE Snort";
-}
-if ($netsettings{'ORANGE_DEV'} ne '') {
- print " <input type='checkbox' name='ENABLE_SNORT_ORANGE' $checked{'ENABLE_SNORT_ORANGE'}{'on'} /> ORANGE Snort";
+
+# Loop through the array of available networks and print config options.
+foreach my $zone (@network_zones) {
+ my $checked_input;
+ my $checked_forward;
+
+ # Convert current zone name to upper case.
+ my $zone_upper = uc($zone);
+
+ # Grab checkbox status from settings hash.
+ if ($idssettings{"ENABLE_IDS_$zone_upper"} eq "on") {
+ $checked_input = "checked = 'checked'";
+ }
+
+ print "<td class='base' width='25%'>\n";
+ print "<input type='checkbox' name='ENABLE_IDS_$zone_upper' $checked_input>$Lang::tr{'enabled on'} $Lang::tr{$zone}\n";
+ print "</td>\n";
}
- print " <input type='checkbox' name='ENABLE_SNORT' $checked{'ENABLE_SNORT'}{'on'} /> RED Snort";
print <<END
-</td></tr>
-<tr>
- <td><br><br></td>
-</tr>
-<tr>
- <td><b>$Lang::tr{'ids rules update'}</b></td>
-</tr>
-<tr>
- <td><select name='RULES'>
+ </tr>
+
+ <tr>
+ <td colspan='4'><br><br></td>
+ </tr>
+
+ <tr>
+ <td colspan='2'><b>$Lang::tr{'ids rules update'}</b></td>
+ <td colspan='2'><b>$Lang::tr{'ids automatic rules update'}</b></td>
+ </tr>
+
+ <tr>
+ <td colspan='2'><select name='RULES'>
<option value='nothing' $selected{'RULES'}{'nothing'} >$Lang::tr{'no'}</option>
<option value='emerging' $selected{'RULES'}{'emerging'} >$Lang::tr{'emerging rules'}</option>
<option value='community' $selected{'RULES'}{'community'} >$Lang::tr{'community rules'}</option>
<option value='registered' $selected{'RULES'}{'registered'} >$Lang::tr{'registered user rules'}</option>
<option value='subscripted' $selected{'RULES'}{'subscripted'} >$Lang::tr{'subscripted user rules'}</option>
</select>
- </td>
-</tr>
-<tr>
- <td><br />
- $Lang::tr{'ids rules license'} <a href='https://www.snort.org/subscribe' target='_blank'>www.snort.org</a>$Lang::tr{'ids rules license1'}<br /><br />
- $Lang::tr{'ids rules license2'} <a href='https://www.snort.org/account/oinkcode' target='_blank'>Get an Oinkcode</a>, $Lang::tr{'ids rules license3'}
- </td>
-</tr>
-<tr>
- <td nowrap='nowrap'>Oinkcode: <input type='text' size='40' name='OINKCODE' value='$snortsettings{'OINKCODE'}' /></td>
-</tr>
-<tr>
- <td width='30%' align='left'><br><input type='submit' name='ACTION' value='$Lang::tr{'download new ruleset'}' />
+ </td>
+
+ <td colspan='2'>
+ <select name='AUTOUPDATE_INTERVAL'>
+ <option value='off' $selected{'AUTOUPDATE_INTERVAL'}{'off'} >$Lang::tr{'no'}</option>
+ <option value='daily' $selected{'AUTOUPDATE_INTERVAL'}{'daily'} >$Lang::tr{'urlfilter daily'}</option>
+ <option value='weekly' $selected{'AUTOUPDATE_INTERVAL'}{'weekly'} >$Lang::tr{'urlfilter weekly'}</option>
+ </select>
+ </td>
+ </tr>
+
+ <tr>
+ <td colspan='4'>
+ <br>$Lang::tr{'ids rules license'} <a href='https://www.snort.org/subscribe' target='_blank'>www.snort.org</a>$Lang::tr{'ids rules license1'}</br>
+ <br>$Lang::tr{'ids rules license2'} <a href='https://www.snort.org/account/oinkcode' target='_blank'>Get an Oinkcode</a>, $Lang::tr{'ids rules license3'}</br>
+ </td>
+ </tr>
+
+ <tr>
+ <td colspan='4' nowrap='nowrap'>Oinkcode: <input type='text' size='40' name='OINKCODE' value='$idssettings{'OINKCODE'}'></td>
+ </tr>
+
+ <tr>
+ <td colspan='4' align='left'><br>
+ <input type='submit' name='RULESET' value='$Lang::tr{'download new ruleset'}'> $Lang::tr{'updates installed'}: $rulesdate
+ </td>
+
+ </tr>
+ </table>
+
+ <br><br>
+
+ <table width='100%'>
+ <tr>
+ <td align='right'><input type='submit' name='IDS' value='$Lang::tr{'save'}' /></td>
+ </tr>
+ </table>
+</form>
END
;
-if ( -e "/var/tmp/snortrules.tar.gz"){
- my @Info = stat("/var/tmp/snortrules.tar.gz");
- $snortsettings{'INSTALLDATE'} = localtime($Info[9]);
-}
-print " $Lang::tr{'updates installed'}: $snortsettings{'INSTALLDATE'}</td>";
-print <<END
-</tr>
-</table>
-<br><br>
-<table width='100%'>
-<tr>
- <td align='right'><input type='hidden' name='ACTION2' value='snort' /><input type='submit' name='ACTION' value='$Lang::tr{'save'}' /></td>
-</tr>
-</table>
-</form>
+&Header::closebox();
+
+#
+# Whitelist / Ignorelist
+#
+&Header::openbox('100%', 'center', $Lang::tr{'guardian ignored hosts'});
+
+print <<END;
+ <table width='100%'>
+ <tr>
+ <td class='base' bgcolor='$color{'color20'}'><b>$Lang::tr{'ip address'}</b></td>
+ <td class='base' bgcolor='$color{'color20'}'><b>$Lang::tr{'remark'}</b></td>
+ <td class='base' colspan='3' bgcolor='$color{'color20'}'></td>
+ </tr>
END
-;
+ # Check if some hosts have been added to be ignored.
+ if (keys (%ignored)) {
+ my $col = "";
+
+ # Loop through all entries of the hash.
+ while( (my $key) = each %ignored) {
+ # Assign data array positions to some nice variable names.
+ my $address = $ignored{$key}[0];
+ my $remark = $ignored{$key}[1];
+ my $status = $ignored{$key}[2];
+
+ # Check if the key (id) number is even or not.
+ if ($cgiparams{'ID'} eq $key) {
+ $col="bgcolor='${Header::colouryellow}'";
+ } elsif ($key % 2) {
+ $col="bgcolor='$color{'color22'}'";
+ } else {
+ $col="bgcolor='$color{'color20'}'";
+ }
-if ($results ne '') {
- print "$results";
-}
+ # Choose icon for the checkbox.
+ my $gif;
+ my $gdesc;
+
+ # Check if the status is enabled and select the correct image and description.
+ if ($status eq 'enabled' ) {
+ $gif = 'on.gif';
+ $gdesc = $Lang::tr{'click to disable'};
+ } else {
+ $gif = 'off.gif';
+ $gdesc = $Lang::tr{'click to enable'};
+ }
+
+print <<END;
+ <tr>
+ <td width='20%' class='base' $col>$address</td>
+ <td width='65%' class='base' $col>$remark</td>
+
+ <td align='center' $col>
+ <form method='post' action='$ENV{'SCRIPT_NAME'}'>
+ <input type='hidden' name='WHITELIST' value='$Lang::tr{'toggle enable disable'}' />
+ <input type='image' name='$Lang::tr{'toggle enable disable'}' src='/images/$gif' alt='$gdesc' title='$gdesc' />
+ <input type='hidden' name='ID' value='$key' />
+ </form>
+ </td>
+
+ <td align='center' $col>
+ <form method='post' action='$ENV{'SCRIPT_NAME'}'>
+ <input type='hidden' name='WHITELIST' value='$Lang::tr{'edit'}' />
+ <input type='image' name='$Lang::tr{'edit'}' src='/images/edit.gif' alt='$Lang::tr{'edit'}' title='$Lang::tr{'edit'}' />
+ <input type='hidden' name='ID' value='$key' />
+ </form>
+ </td>
+
+ <td align='center' $col>
+ <form method='post' name='$key' action='$ENV{'SCRIPT_NAME'}'>
+ <input type='image' name='$Lang::tr{'remove'}' src='/images/delete.gif' title='$Lang::tr{'remove'}' alt='$Lang::tr{'remove'}'>
+ <input type='hidden' name='ID' value='$key'>
+ <input type='hidden' name='WHITELIST' value='$Lang::tr{'remove'}'>
+ </form>
+ </td>
+ </tr>
+END
+ }
+ } else {
+ # Print notice that currently no hosts are ignored.
+ print "<tr>\n";
+ print "<td class='base' colspan='2'>$Lang::tr{'guardian no entries'}</td>\n";
+ print "</tr>\n";
+ }
+
+ print "</table>\n";
+
+ # Section to add new elements or edit existing ones.
+print <<END;
+ <br>
+ <hr>
+ <br>
+
+ <div align='center'>
+ <table width='100%'>
+END
+
+ # Assign correct headline and button text.
+ my $buttontext;
+ my $entry_address;
+ my $entry_remark;
+
+ # Check if an ID (key) has been given, in this case an existing entry should be edited.
+ if ($cgiparams{'ID'} ne '') {
+ $buttontext = $Lang::tr{'update'};
+ print "<tr><td class='boldbase' colspan='3'><b>$Lang::tr{'update'}</b></td></tr>\n";
+
+ # Grab address and remark for the given key.
+ $entry_address = $ignored{$cgiparams{'ID'}}[0];
+ $entry_remark = $ignored{$cgiparams{'ID'}}[1];
+ } else {
+ $buttontext = $Lang::tr{'add'};
+ print "<tr><td class='boldbase' colspan='3'><b>$Lang::tr{'dnsforward add a new entry'}</b></td></tr>\n";
+ }
+
+print <<END;
+ <form method='post' action='$ENV{'SCRIPT_NAME'}'>
+ <input type='hidden' name='ID' value='$cgiparams{'ID'}'>
+ <tr>
+ <td width='30%'>$Lang::tr{'ip address'}: </td>
+ <td width='50%'><input type='text' name='IGNORE_ENTRY_ADDRESS' value='$entry_address' size='24' /></td>
+
+ <td width='30%'>$Lang::tr{'remark'}: </td>
+ <td wicth='50%'><input type='text' name=IGNORE_ENTRY_REMARK value='$entry_remark' size='24' /></td>
+ <td align='center' width='20%'><input type='submit' name='WHITELIST' value='$buttontext' /></td>
+ </tr>
+ </form>
+ </table>
+ </div>
+END
&Header::closebox();
-####################### Added for snort rules control #################################
-if ( -e "${General::swroot}/snort/enable" || -e "${General::swroot}/snort/enable_green" || -e "${General::swroot}/snort/enable_blue" || -e "${General::swroot}/snort/enable_orange" ) {
+# Only show the section for configuring the ruleset if one is present.
+if (%idsrules) {
&Header::openbox('100%', 'LEFT', $Lang::tr{'intrusion detection system rules'});
- # Output display table for rule files
- print "<table width='100%'><tr><td valign='top'><table>";
- print "<form method='post'>";
+ print"<form method='POST' action='$ENV{'SCRIPT_NAME'}'>\n";
+
+ # Output display table for rule files
+ print "<table width='100%'>\n";
- # Local vars
- my $ruledisplaycnt = 1;
- my $rulecnt = keys %snortrules;
- $rulecnt++;
- $rulecnt = $rulecnt / 2;
+ # Local variable required for java script to show/hide
+ # rules of a rulefile.
+ my $rulesetcount = 1;
# Loop over each rule file
- foreach my $rulefile (sort keys(%snortrules)) {
+ foreach my $rulefile (sort keys(%idsrules)) {
my $rulechecked = '';
- # Hide inkompatible Block rules
- if ($rulefile =~'-BLOCK.rules') {
- next;
- }
-
- # Check if reached half-way through rule file rules to start new column
- if ($ruledisplaycnt > $rulecnt) {
- print "</table></td><td valign='top'><table>";
- $ruledisplaycnt = 0;
- }
-
# Check if rule file is enabled
- if ($snortrules{$rulefile}{"State"} eq 'Enabled') {
+ if ($idsrules{$rulefile}{'Rulefile'}{'State'} eq 'on') {
$rulechecked = 'CHECKED';
}
- # Create rule file link, vars array, and display flag
- my $rulefilelink = "?RULEFILE=$rulefile";
- my $rulefiletoclose = '';
- my @queryvars = ();
- my $displayrulefilerules = 0;
-
- # Check for passed in query string
- if ($ENV{'QUERY_STRING'}) {
- # Split out vars
- @queryvars = split(/\&/, $ENV{'QUERY_STRING'});
-
- # Loop over values
- foreach $value (@queryvars) {
- # Split out var pairs
- ($var, $linkedrulefile) = split(/=/, $value);
-
- # Check if var is 'RULEFILE'
- if ($var eq 'RULEFILE') {
- # Check if rulefile equals linkedrulefile
- if ($rulefile eq $linkedrulefile) {
- # Set display flag
- $displayrulefilerules = 1;
-
- # Strip out rulefile from rulefilelink
- $rulefilelink =~ s/RULEFILE=$linkedrulefile//g;
- } else {
- # Add linked rule file to rulefilelink
- $rulefilelink .= "&RULEFILE=$linkedrulefile";
- }
- }
- }
- }
-
- # Strip out extra & & ? from rulefilelink
- $rulefilelink =~ s/^\?\&/\?/i;
-
- # Check for a single '?' and replace with page for proper link display
- if ($rulefilelink eq '?') {
- $rulefilelink = "ids.cgi";
- }
-
- # Output rule file name and checkbox
- print "<tr><td class='base' valign='top'><input type='checkbox' NAME='SNORT_RULE_$rulefile' $rulechecked> <a href='$rulefilelink'>$rulefile</a></td></tr>";
- print "<tr><td class='base' valign='top'>";
+ # Table and rows for the rule files.
+ print"<tr>\n";
+ print"<td class='base' width='5%'>\n";
+ print"<input type='checkbox' name='$rulefile' $rulechecked>\n";
+ print"</td>\n";
+ print"<td class='base' width='90%'><b>$rulefile</b></td>\n";
+ print"<td class='base' width='5%' align='right'>\n";
+ print"<a href=\"javascript:showhide('ruleset$rulesetcount')\">SHOW</a>\n";
+ print"</td>\n";
+ print"</tr>\n";
+
+ # Rows which will be hidden per default and will contain the single rules.
+ print"<tr style='display:none' id='ruleset$rulesetcount'>\n";
+ print"<td colspan='3'>\n";
- # Check for empty 'Description'
- if ($snortrules{$rulefile}{'Description'} eq '') {
- print "<table width='100%'><tr><td class='base'>No description available</td></tr>";
- } else {
- # Output rule file 'Description'
- print "<table width='100%'><tr><td class='base'>$snortrules{$rulefile}{'Description'}</td></tr>";
- }
+ # Local vars
+ my $lines;
+ my $rows;
+ my $col;
- # Check for display flag
- if ($displayrulefilerules) {
- # Rule file definition rule display
- print "<tr><td class='base' valign='top'><table border='0'><tr>";
+ # New table for the single rules.
+ print "<table width='100%'>\n";
+ # Loop over rule file rules
+ foreach my $sid (sort {$a <=> $b} keys(%{$idsrules{$rulefile}})) {
# Local vars
- my $ruledefdisplaycnt = 0;
- my $ruledefcnt = keys %{$snortrules{$rulefile}{"Definition"}};
- $ruledefcnt++;
- $ruledefcnt = $ruledefcnt / 2;
-
- # Loop over rule file rules
- foreach my $ruledef (sort {$a <=> $b} keys(%{$snortrules{$rulefile}{"Definition"}})) {
- # Local vars
- my $ruledefchecked = '';
-
- # If have display 2 rules, start new row
- if (($ruledefdisplaycnt % 2) == 0) {
- print "</tr><tr>";
- $ruledefdisplaycnt = 0;
- }
+ my $ruledefchecked = '';
- # Check for rules state
- if ($snortrules{$rulefile}{'Definition'}{$ruledef}{'State'} eq 'Enabled') {
- $ruledefchecked = 'CHECKED';
- }
+ # Skip rulefile itself.
+ next if ($sid eq "Rulefile");
- # Create rule file rule's checkbox
- $checkboxname = "SNORT_RULE_$rulefile";
- $checkboxname .= "_$ruledef";
- print "<td class='base'><input type='checkbox' NAME='$checkboxname' $ruledefchecked> $snortrules{$rulefile}{'Definition'}{$ruledef}{'Description'}</td>";
+ # If 2 rules have been displayed, start a new row
+ if (($lines % 2) == 0) {
+ print "</tr><tr>\n";
- # Increment count
- $ruledefdisplaycnt++;
+ # Increase rows by once.
+ $rows++;
}
- # If do not have second rule for row, create empty cell
- if (($ruledefdisplaycnt % 2) != 0) {
- print "<td class='base'></td>";
+ # Colour lines.
+ if ($rows % 2) {
+ $col="bgcolor='$color{'color20'}'";
+ } else {
+ $col="bgcolor='$color{'color22'}'";
}
- # Close display table
- print "</tr></table></td></tr>";
- }
+ # Set rule state
+ if ($idsrules{$rulefile}{$sid}{'State'} eq 'on') {
+ $ruledefchecked = 'CHECKED';
+ }
+
+ # Create rule checkbox and display rule description
+ print "<td class='base' width='5%' align='right' $col>\n";
+ print "<input type='checkbox' NAME='$sid' $ruledefchecked>\n";
+ print "</td>\n";
+ print "<td class='base' width='45%' $col>$idsrules{$rulefile}{$sid}{'Description'}</td>";
+
+ # Increment rule count
+ $lines++;
+ }
+
+ # If do not have a second rule for row, create empty cell
+ if (($lines % 2) != 0) {
+ print "<td class='base'></td>";
+ }
# Close display table
- print "</table>";
+ print "</tr></table></td></tr>";
- # Increment ruledisplaycnt
- $ruledisplaycnt++;
+ # Finished whith the rule file, increase count.
+ $rulesetcount++;
}
- print "</td></tr></table></td></tr></table>";
- print <<END
+
+ # Close display table
+ print "</table>";
+
+print <<END
<table width='100%'>
<tr>
- <td width='100%' align='right'><input type='submit' name='ACTION' value='$Lang::tr{'update'}' /></td>
+ <td width='100%' align='right'><input type='submit' name='RULESET' value='$Lang::tr{'update'}'>
<!-- space for future online help link -->
</td>
</tr>
&Header::closebox();
}
-####################### End added for snort rules control #################################
&Header::closebigbox();
&Header::closepage();
-sub downloadrulesfile {
- my $peer;
- my $peerport;
+#
+## A function to display a notice, to lock the webpage and
+## tell the user which action currently will be performed.
+#
+sub working_notice ($) {
+ my ($message) = @_;
+
+ &Header::openpage($Lang::tr{'intrusion detection system'}, 1, '');
+ &Header::openbigbox('100%', 'left', '', $errormessage);
+ &Header::openbox( 'Waiting', 1,);
+ print <<END;
+ <table>
+ <tr>
+ <td><img src='/images/indicator.gif' alt='$Lang::tr{'aktiv'}' /></td>
+ <td>$message</td>
+ </tr>
+ </table>
+END
+ &Header::closebox();
+ &Header::closebigbox();
+ &Header::closepage();
+}
- unlink("/var/tmp/log");
+#
+## A tiny function to perform a reload of the webpage after one second.
+#
+sub reload () {
+ print "<meta http-equiv='refresh' content='1'>\n";
- unless (-e "${General::swroot}/red/active") {
- $errormessage = $Lang::tr{'could not download latest updates'};
- return undef;
+ # Stop the script.
+ exit;
+}
+
+#
+## Private function to read-in and parse rules of a given rulefile.
+#
+## The given file will be read, parsed and all valid rules will be stored by ID,
+## message/description and it's state in the idsrules hash.
+#
+sub readrulesfile ($) {
+ my $rulefile = shift;
+
+ # Open rule file and read in contents
+ open(RULEFILE, "$IDS::rulespath/$rulefile") or die "Unable to read $rulefile!";
+
+ # Store file content in an array.
+ my @lines = <RULEFILE>;
+
+ # Close file.
+ close(RULEFILE);
+
+ # Loop over rule file contents
+ foreach my $line (@lines) {
+ # Remove whitespaces.
+ chomp $line;
+
+ # Skip blank lines.
+ next if ($line =~ /^\s*$/);
+
+ # Local vars.
+ my $sid;
+ my $msg;
+
+ # Gather rule sid and message from the ruleline.
+ if ($line =~ m/.*msg:\"(.*?)\"\; .* sid:(.*?); /) {
+ $msg = $1;
+ $sid = $2;
+
+ # Check if a rule has been found.
+ if ($sid && $msg) {
+ # Add rule to the idsrules hash.
+ $idsrules{$rulefile}{$sid}{'Description'} = $msg;
+
+ # Grab status of the rule. Check if ruleline starts with a "dash".
+ if ($line =~ /^\#/) {
+ # If yes, the rule is disabled.
+ $idsrules{$rulefile}{$sid}{'State'} = "off";
+ } else {
+ # Otherwise the rule is enabled.
+ $idsrules{$rulefile}{$sid}{'State'} = "on";
+ }
+ }
+ }
+ }
+}
+
+#
+## Function to get the used memory of a given process-id.
+#
+sub get_memory_usage($) {
+ my ($pid) = @_;
+
+ my $memory = 0;
+
+ # Try to open the status file for the given process-id on the pseudo
+ # file system proc.
+ if (open(FILE, "/proc/$pid/status")) {
+ # Loop through the entire file.
+ while (<FILE>) {
+ # Splitt current line content and store them into variables.
+ my ($key, $value) = split(":", $_, 2);
+
+ # Check if the current key is the one which contains the memory usage.
+ # The wanted one is VmRSS which contains the Real-memory (resident set)
+ # of the entire process.
+ if ($key eq "VmRSS") {
+ # Found the memory usage add it to the memory variable.
+ $memory += $value;
+
+ # Break the loop.
+ last;
+ }
+ }
+
+ # Close file handle.
+ close(FILE);
+
+ # Return memory usage.
+ return $memory;
}
- my %proxysettings=();
- &General::readhash("${General::swroot}/proxy/settings", \%proxysettings);
+ # If the file could not be open, return nothing.
+ return;
+}
+
+#
+## Function to generate the file which contains the home net information.
+#
+sub generate_home_net_file() {
+ my %netsettings;
+
+ # Read-in network settings.
+ &General::readhash("${General::swroot}/ethernet/settings", \%netsettings);
+
+ # Get available network zones.
+ my @network_zones = &IDS::get_available_network_zones();
+
+ # Temporary array to store network address and prefix of the configured
+ # networks.
+ my @networks;
+
+ # Loop through the array of available network zones.
+ foreach my $zone (@network_zones) {
+ # Skip the red network - It never can be part to the home_net!
+ next if($zone eq "red");
+
+ # Convert current zone name into upper case.
+ $zone = uc($zone);
- if ($_=$proxysettings{'UPSTREAM_PROXY'}) {
- ($peer, $peerport) = (/^(?:[a-zA-Z ]+\:\/\/)?(?:[A-Za-z0-9\_\.\-]*?(?:\:[A-Za-z0-9\_\.\-]*?)?\@)?([a-zA-Z0-9\.\_\-]*?)(?:\:([0-9]{1,5}))?(?:\/.*?)?$/);
+ # Generate key to access the required data from the netsettings hash.
+ my $zone_netaddress = $zone . "_NETADDRESS";
+ my $zone_netmask = $zone . "_NETMASK";
+
+ # Obtain the settings from the netsettings hash.
+ my $netaddress = $netsettings{$zone_netaddress};
+ my $netmask = $netsettings{$zone_netmask};
+
+ # Convert the subnetmask into prefix notation.
+ my $prefix = &Network::convert_netmask2prefix($netmask);
+
+ # Generate full network string.
+ my $network = join("/", $netaddress,$prefix);
+
+ # Check if the network is valid.
+ if(&Network::check_subnet($network)) {
+ # Add the generated network to the array of networks.
+ push(@networks, $network);
+ }
}
- if ($peer) {
- system("wget -r --proxy=on --proxy-user=$proxysettings{'UPSTREAM_USER'} --proxy-passwd=$proxysettings{'UPSTREAM_PASSWORD'} -e http_proxy=http://$peer:$peerport/ -e https_proxy=http://$peer:$peerport/ -o /var/tmp/log --output-document=/var/tmp/snortrules.tar.gz $url");
- } else {
- system("wget -r -o /var/tmp/log --output-document=/var/tmp/snortrules.tar.gz $url");
+ # Format home net declaration.
+ my $line = "\"\[";
+
+ # Loop through the array of networks.
+ foreach my $network (@networks) {
+ # Add the network to the line.
+ $line = "$line" . "$network";
+
+ # Check if the current network was the last in the array.
+ if ($network eq $networks[-1]) {
+ # Close the line.
+ $line = "$line" . "\]\"";
+ } else {
+ # Add "," for the next network.
+ $line = "$line" . "\,";
+ }
}
+
+ # Open file to store the addresses of the home net.
+ open(FILE, ">$idshomenetfile") or die "Could not open $idshomenetfile. $!\n";
+
+ # Print yaml header.
+ print FILE "%YAML 1.1\n";
+ print FILE "---\n\n";
+
+ # Print notice about autogenerated file.
+ print FILE "#Autogenerated file. Any custom changes will be overwritten!\n";
+
+ # Print the generated and required HOME_NET declaration to the file.
+ print FILE "HOME_NET:\t$line\n";
+
+ # Close file handle.
+ close(FILE);
+
+}
+
+#
+## Function to generate the rules file with whitelisted addresses.
+#
+sub GenerateIgnoreFile() {
+ my %ignored = ();
+
+ # SID range 1000000-1999999 Reserved for Local Use
+ # Put your custom rules in this range to avoid conflicts
+ my $sid = 1500000;
+
+ # Read-in ignoredfile.
+ &General::readhasharray($ignoredfile, \%ignored);
+
+ # Open ignorefile for writing.
+ open(FILE, ">$whitelistfile") or die "Could not write to $whitelistfile. $!\n";
+
+ # Config file header.
+ print FILE "# Autogenerated file.\n";
+ print FILE "# All user modifications will be overwritten.\n\n";
+
+ # Add all user defined addresses to the whitelist.
+ #
+ # Check if the hash contains any elements.
+ if (keys (%ignored)) {
+ # Loop through the entire hash and write the host/network
+ # and remark to the ignore file.
+ while ( (my $key) = each %ignored) {
+ my $address = $ignored{$key}[0];
+ my $remark = $ignored{$key}[1];
+ my $status = $ignored{$key}[2];
+
+ # Check if the status of the entry is "enabled".
+ if ($status eq "enabled") {
+ # Check if the address/network is valid.
+ if ((&General::validip($address)) || (&General::validipandmask($address))) {
+ # Write rule line to the file to pass any traffic from this IP
+ print FILE "pass ip $address any -> any any (msg:\"pass all traffic from/to $address\"\; sid:$sid\;)\n";
+
+ # Increment sid.
+ $sid++;
+ }
+ }
+ }
+ }
+
+ close(FILE);
+}
+
+#
+## Function to read-in the given enabled or disables sids file.
+#
+sub read_enabled_disabled_sids_file($) {
+ my ($file) = @_;
+
+ # Temporary hash to store the sids and their state. It will be
+ # returned at the end of this function.
+ my %temphash;
+
+ # Open the given filename.
+ open(FILE, "$file") or die "Could not open $file. $!\n";
+
+ # Loop through the file.
+ while(<FILE>) {
+ # Remove newlines.
+ chomp $_;
+
+ # Skip blank lines.
+ next if ($_ =~ /^\s*$/);
+
+ # Skip coments.
+ next if ($_ =~ /^\#/);
+
+ # Splitt line into sid and state part.
+ my ($state, $sid) = split(" ", $_);
+
+ # Skip line if the sid is not numeric.
+ next unless ($sid =~ /\d+/ );
+
+ # Check if the sid was enabled.
+ if ($state eq "enablesid") {
+ # Add the sid and its state as enabled to the temporary hash.
+ $temphash{$sid} = "enabled";
+ # Check if the sid was disabled.
+ } elsif ($state eq "disablesid") {
+ # Add the sid and its state as disabled to the temporary hash.
+ $temphash{$sid} = "disabled";
+ # Invalid state - skip the current sid and state.
+ } else {
+ next;
+ }
+ }
+
+ # Close filehandle.
+ close(FILE);
+
+ # Return the hash.
+ return %temphash;
}
{
my ($datetime,$title,$priority,$classification,$srcip,$srcport,$destip,$destport,$sid,$refs) = split(/\|/);
$refs =~ s/,$//;
+
+ # Skip event if no datetime and title are available.
+ next unless (($datetime) && ($title));
+
print "Date: $datetime\n";
print "Name: $title\n";
print "Priority: $priority\n";
else {
print "<tr bgcolor='$color{'color22'}'><td>\n"; }
my ($datetime,$title,$priority,$classification,$srcip,$srcport,$destip,$destport,$sid,$refs) = split(/\|/);
+
+ # Only show the current event if at least datetime and title are available.
+ next unless (($datetime) && ($title));
+
print <<END
<table width='100%'>
<tr>
}
print <<END
</tr>
-</table>
+</table><br>
</td></tr>
END
;
our ($title,$classification,$priority,$date,$time,$srcip,$srcport,$destip,$destport, $sid, @refs);
my $filestr='';
+ my $readmode='';
if ($datediff==0) {
- $filestr="/var/log/snort/alert";
+ # If there is no datediff, directly assign the suricata fast.log.
+ $filestr="/var/log/suricata/fast.log";
} else {
- $filestr="/var/log/snort/alert.$datediff";
- $filestr = "$filestr.gz" if -f "$filestr.gz";
+ # If there is a datediff, assign the datediff to the filestring.
+ $filestr="/var/log/suricata/fast.log.$datediff";
+
+ # The files are compressed add the extension to the filestring.
+ $filestr="$filestr.gz";
+
+ # If the file does not exist, try to fallback to legacy snort alert file.
+ unless (-f $filestr) {
+ # Assign snort alert file, the datediff and extension for compressed file.
+ $filestr = "/var/log/snort/alert.$datediff";
+ $filestr = "$filestr.gz";
+
+ # Assign "snort" as readmode.
+ $readmode="snort";
+ }
}
if (!(open (LOG,($filestr =~ /.gz$/ ? "gzip -dc $filestr |" : $filestr)))) {
$errormessage="$errormessage$Lang::tr{'date not in logs'}: $filestr $Lang::tr{'could not be opened'}";
while(<LOG>) {
$line++;
- if ($_ =~ m/\[\*\*\]/) {
+ if (($_ =~ m/\[\*\*\]/) && ($readmode eq "snort")) {
unless ($line == 1 || $date ne "$monthstr/$daystr") {
&append;
$line = 1;
}
- ($title,$classification,$priority,$date,$time,$srcip,$srcport,$destip,$destport, $sid) = ("n/a","n/a","n/a","n/a","n/a","n/a","n/a","n/a","n/a", "n/a");
+ ($title,$classification,$priority,$date,$time,$srcip,$srcport,$destip,$destport,$sid) = ("n/a","n/a","n/a","n/a","n/a","n/a","n/a","n/a","n/a", "n/a");
@refs = ();
$_ =~ m/:([0-9]{1,5})\] (.*) \[\*\*\]/;
$title = &Header::cleanhtml($2,"y");
+ } else {
+ &append;
+ $line = 1;
+
+ # Assign default values.
+ ($title,$classification,$priority,$date,$time,$srcip,$srcport,$destip,$destport,$sid) = ("n/a","n/a","n/a","n/a","n/a","n/a","n/a","n/a","n/a", "n/a");
+ @refs = ();
+
+ # Gather title details from line.
+ $_ =~ m/:([0-9]{1,5})\] (.*) \[\*\*\]/;
+ $title = &Header::cleanhtml($2,"y");
}
if ($_ =~ m/Classification: (.*)\] \[Priority: (\d)\]/) {
$classification = &Header::cleanhtml($1,"y");
$destport = $10;
}
- if ($_ =~ m/^([0-9\/]{3,5})\-([0-9\:]{5,8})\.([0-9]{1,14})/) {
+ if ($_ =~ m/^([0-9\/]{3,10})\-([0-9\:]{5,8})\.([0-9]{1,14})/) {
($date,$time) = ($1,$2);
}
if ($_ =~ m/\[Xref \=\>.*\]/) {
'ipsec' => '(ipsec_[\w_]+: |pluto\[.*\]: |charon: |vpnwatch: )',
'kernel' => '(kernel: (?!DROP_))',
'ntp' => '(ntpd(?:ate)?\[.*\]: )',
+ 'oinkmaster' => '(oinkmaster\[.*\]: )',
'openvpn' => '(openvpnserver\[.*\]: |.*n2n\[.*\]: )',
'pakfire' => '(pakfire:)',
'red' => '(red:|pppd\[.*\]: |chat\[.*\]|pppoe\[.*\]|pptp\[.*\]|pppoa\[.*\]|pppoa3\[.*\]|pppoeci\[.*\]|ipppd|ipppd\[.*\]|kernel: ippp\d|kernel: isdn.*|ibod\[.*\]|dhcpcd\[.*\]|modem_run\[.*\])',
'ipsec' => 'IPSec',
'kernel' => "$Lang::tr{'kernel'}",
'ntp' => 'NTP',
+ 'oinkmaster' => 'Oinkmaster',
'openvpn' => 'OpenVPN',
'pakfire' => 'Pakfire',
'red' => 'RED',
'idle' => 'Leerlauf',
'idle timeout' => 'Leerlauf-Wartezeit in Min. (0 zum Deaktivieren):',
'idle timeout not set' => 'Leerlauf-Wartezeit nicht angegeben.',
+'ids activate' => 'Aktiviere',
+'ids automatic rules update' => 'Automatische Regeln-Aktualisierung',
+'ids traffic analyze' => 'Packet-Analyse',
+'ids active on' => 'Aktiv auf',
'ids log viewer' => 'Ansicht IDS-Protokoll',
'ids logs' => 'IDS-Protokolldateien',
'ids preprocessor' => 'IDS-Präprozessor',
'ids rules license1' => ' registrieren.',
'ids rules license2' => 'Bestätigen Sie die Lizenz; aktivieren Sie Ihren Account, indem Sie auf den Link, den Sie per Mail erhalten haben, klicken. Gehen Sie dann zu',
'ids rules license3' => 'klicken Sie den "Generate code"-Knopf und kopieren Sie den 40-Zeichen Oinkcode in das untere Feld.',
-'ids rules update' => 'Snort Regeln Update',
+'ids rules update' => 'IDS-Regeln',
'iface' => 'Iface',
'ignore filter' => '"Ignorieren"-Filter',
'ike encryption' => 'IKE Verschlüsselung:',
'intrusion detection system' => 'Einbruchsdetektierung',
'intrusion detection system log viewer' => 'Betrachter der IDS-Protokolldateien',
'intrusion detection system rules' => 'Regeln für die Einbruchsdetektierung',
-'intrusion detection system2' => 'Intrusion Detection System:',
+'intrusion detection system2' => 'Intrusion Detection System',
+'intrusion prevention system' => 'Intrusion Prevention System',
'invalid broadcast ip' => 'Ungültige Broadcast-IP',
'invalid cache size' => 'Ungültige Cache-Größe.',
'invalid characters found in pre-shared key' => 'Ungültige Zeichen im Pre-Shared Schlüssel gefunden.',
'rsvd dst port overlap' => 'Dieser Zielportbereich überlappt mit einem Port, der für die ausschließliche Benutzung durch IPFire reserviert ist:',
'rsvd src port overlap' => 'Dieser Quellportbereich überlappt mit einem Port, der für die ausschließliche Benutzung durch IPFire reserviert ist:',
'rules already up to date' => 'Regeln sind schon aktuell',
+'runmode' => 'Runmode',
'running' => 'LÄUFT',
'safe removal of umounted device' => 'Sie können gefahrlos das abgemeldete Gerät entfernen',
'samba' => 'Samba',
'idle' => 'Idle',
'idle timeout' => 'Idle timeout (mins; 0 to disable):',
'idle timeout not set' => 'Idle timeout not set.',
+'ids activate' => 'Activate',
+'ids automatic rules update' => 'Automatic rules update',
+'ids traffic analyze' => 'Traffic analyzing',
+'ids active on' => 'Active on',
'ids log viewer' => 'IDS log viewer',
'ids logs' => 'IDS Logs',
'ids preprocessor' => 'IDS preprocessor',
'ids rules license1' => '.',
'ids rules license2' => 'Acknowledge the license, activate your account by visiting the url you got via mail. Then go to',
'ids rules license3' => 'press the "Generate code"-button and copy the 40 character Oinkcode into the field below.',
-'ids rules update' => 'Snort rules update',
+'ids rules update' => 'IDS rules',
'iface' => 'Iface',
'ignore filter' => 'Ignore filter',
'ike encryption' => 'IKE Encryption:',
'intrusion detection system' => 'Intrusion Detection System',
'intrusion detection system log viewer' => 'Intrusion Detection System Log Viewer',
'intrusion detection system rules' => 'intrusion detection system rules',
-'intrusion detection system2' => 'Intrusion Detection System:',
+'intrusion detection system2' => 'Intrusion Detection System',
+'intrusion prevention system' => 'Intrusion Prevention System',
'invalid broadcast ip' => 'Invalid broadcast IP',
'invalid cache size' => 'Invalid cache size.',
'invalid characters found in pre-shared key' => 'Invalid characters found in pre-shared key.',
'rsvd dst port overlap' => 'Destination Port Range overlaps a port reserved for IPFire:',
'rsvd src port overlap' => 'Source Port Range overlaps a port reserved for IPFire:',
'rules already up to date' => 'Rules already up to date',
+'runmode' => 'Runmode',
'running' => 'RUNNING',
'safe removal of umounted device' => 'You can safely remove the unmounted device',
'samba' => 'Samba',
ethernet extrahd/bin fwlogs fwhosts firewall isdn key langs logging mac main \
menu.d modem optionsfw \
ovpn patches pakfire portfw ppp private proxy/advanced/cre \
- proxy/calamaris/bin qos/bin red remote sensors snort time \
+ proxy/calamaris/bin qos/bin red remote sensors suricata time \
updatexlrator/bin updatexlrator/autocheck urlfilter/autoupdate urlfilter/bin upnp vpn \
wakeonlan wireless ; do \
mkdir -p $(CONFIG_ROOT)/$$i; \
isdn/settings mac/settings main/hosts main/routing main/settings optionsfw/settings \
ovpn/ccd.conf ovpn/ccdroute ovpn/ccdroute2 pakfire/settings portfw/config ppp/settings-1 ppp/settings-2 ppp/settings-3 ppp/settings-4 \
ppp/settings-5 ppp/settings proxy/settings proxy/squid.conf proxy/advanced/settings proxy/advanced/cre/enable remote/settings qos/settings qos/classes qos/subclasses qos/level7config qos/portconfig \
- qos/tosconfig snort/settings upnp/settings vpn/config vpn/settings vpn/ipsec.conf \
+ qos/tosconfig suricata/settings upnp/settings vpn/config vpn/settings vpn/ipsec.conf \
vpn/ipsec.secrets vpn/caconfig wakeonlan/clients.conf wireless/config wireless/settings; do \
touch $(CONFIG_ROOT)/$$i; \
done
cp $(DIR_SRC)/config/cfgroot/network-functions.pl $(CONFIG_ROOT)/
cp $(DIR_SRC)/config/cfgroot/geoip-functions.pl $(CONFIG_ROOT)/
cp $(DIR_SRC)/config/cfgroot/aws-functions.pl $(CONFIG_ROOT)/
+ cp $(DIR_SRC)/config/cfgroot/ids-functions.pl $(CONFIG_ROOT)/
cp $(DIR_SRC)/config/cfgroot/lang.pl $(CONFIG_ROOT)/
cp $(DIR_SRC)/config/cfgroot/countries.pl $(CONFIG_ROOT)/
cp $(DIR_SRC)/config/cfgroot/graphs.pl $(CONFIG_ROOT)/
--- /dev/null
+###############################################################################
+# #
+# IPFire.org - A linux based firewall #
+# Copyright (C) 2007 Michael Tremer & Christian Schmidt #
+# #
+# This program is free software: you can redistribute it and/or modify #
+# it under the terms of the GNU General Public License as published by #
+# the Free Software Foundation, either version 3 of the License, or #
+# (at your option) any later version. #
+# #
+# This program is distributed in the hope that it will be useful, #
+# but WITHOUT ANY WARRANTY; without even the implied warranty of #
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the #
+# GNU General Public License for more details. #
+# #
+# You should have received a copy of the GNU General Public License #
+# along with this program. If not, see <http://www.gnu.org/licenses/>. #
+# #
+###############################################################################
+
+###############################################################################
+# Definitions
+###############################################################################
+
+include Config
+
+VER = ipfire
+
+THISAPP = ids-ruleset-sources
+TARGET = $(DIR_INFO)/$(THISAPP)
+
+###############################################################################
+# Top-level Rules
+###############################################################################
+
+install : $(TARGET)
+
+check :
+
+download :
+
+md5 :
+
+###############################################################################
+# Installation Details
+###############################################################################
+
+$(TARGET) :
+ @$(PREBUILD)
+ # Simple install the ruleset sources file.
+ install -m 644 $(DIR_SRC)/config/suricata/ruleset-sources \
+ /var/ipfire/suricata/
+ @$(POSTBUILD)
ln -sf ../init.d/fcron /etc/rc.d/rc0.d/K08fcron
ln -sf ../init.d/fcron /etc/rc.d/rc3.d/S40fcron
ln -sf ../init.d/fcron /etc/rc.d/rc6.d/K08fcron
- ln -sf ../init.d/snort /etc/rc.d/rc0.d/K78snort
- ln -sf ../init.d/snort /etc/rc.d/rc6.d/K78snort
+ ln -sf ../init.d/suricata /etc/rc.d/rc0.d/K78suricata
+ ln -sf ../init.d/suricata /etc/rc.d/rc6.d/K78suricata
ln -sf ../init.d/network /etc/rc.d/rc0.d/K80network
ln -sf ../init.d/network /etc/rc.d/rc3.d/S20network
ln -sf ../init.d/network /etc/rc.d/rc6.d/K80network
ln -sf ../init.d/wlanclient /etc/rc.d/rc3.d/S19wlanclient
ln -sf ../init.d/wlanclient /etc/rc.d/rc6.d/K82wlanclient
- ln -sf ../../../../../usr/local/bin/snortctrl \
- /etc/rc.d/init.d/networking/red.up/23-RS-snort
+ ln -sf ../../../../../usr/local/bin/suricatactrl \
+ /etc/rc.d/init.d/networking/red.up/23-RS-suricata
ln -sf ../../../../../usr/local/bin/qosctrl \
/etc/rc.d/init.d/networking/red.up/24-RS-qos
ln -sf ../../squid /etc/rc.d/init.d/networking/red.up/27-RS-squid
--- /dev/null
+###############################################################################
+# #
+# IPFire.org - A linux based firewall #
+# Copyright (C) 2015 Michael Tremer & Christian Schmidt #
+# #
+# This program is free software: you can redistribute it and/or modify #
+# it under the terms of the GNU General Public License as published by #
+# the Free Software Foundation, either version 3 of the License, or #
+# (at your option) any later version. #
+# #
+# This program is distributed in the hope that it will be useful, #
+# but WITHOUT ANY WARRANTY; without even the implied warranty of #
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the #
+# GNU General Public License for more details. #
+# #
+# You should have received a copy of the GNU General Public License #
+# along with this program. If not, see <http://www.gnu.org/licenses/>. #
+# #
+###############################################################################
+
+###############################################################################
+# Definitions
+###############################################################################
+
+include Config
+
+VER = 0.5.27
+
+THISAPP = libhtp-$(VER)
+DL_FILE = $(THISAPP).tar.gz
+DL_FROM = $(URL_IPFIRE)
+DIR_APP = $(DIR_SRC)/$(THISAPP)
+TARGET = $(DIR_INFO)/$(THISAPP)
+
+###############################################################################
+# Top-level Rules
+###############################################################################
+
+objects = $(DL_FILE)
+
+$(DL_FILE) = $(DL_FROM)/$(DL_FILE)
+
+$(DL_FILE)_MD5 = 226def386a394911de75ffe9e038554a
+
+install : $(TARGET)
+
+check : $(patsubst %,$(DIR_CHK)/%,$(objects))
+
+download :$(patsubst %,$(DIR_DL)/%,$(objects))
+
+md5 : $(subst %,%_MD5,$(objects))
+
+###############################################################################
+# Downloading, checking, md5sum
+###############################################################################
+
+$(patsubst %,$(DIR_CHK)/%,$(objects)) :
+ @$(CHECK)
+
+$(patsubst %,$(DIR_DL)/%,$(objects)) :
+ @$(LOAD)
+
+$(subst %,%_MD5,$(objects)) :
+ @$(MD5)
+
+###############################################################################
+# Installation Details
+###############################################################################
+
+$(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
+ @$(PREBUILD)
+ @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar zxf $(DIR_DL)/$(DL_FILE)
+ cd $(DIR_APP) && ./autogen.sh
+ cd $(DIR_APP) && ./configure \
+ --prefix=/usr \
+ --disable-static
+ cd $(DIR_APP) && make $(MAKETUNING)
+ cd $(DIR_APP) && make install
+ @rm -rf $(DIR_APP)
+ @$(POSTBUILD)
@rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar zxf $(DIR_DL)/$(DL_FILE)
cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/oinkmaster-2.0-add_community_rules.patch
cd $(DIR_APP) && chown nobody:nobody oinkmaster.pl
- cd $(DIR_APP) && cp -f oinkmaster.conf /var/ipfire/snort/
- cd /var/ipfire/snort && patch -Np1 < $(DIR_SRC)/src/patches/oinkmaster-tmp.patch
+ cd $(DIR_APP) && install -m 0644 $(DIR_SRC)/config/oinkmaster/oinkmaster.conf \
+ /var/ipfire/suricata/
+ cd /var/ipfire/suricata && patch -Np1 < $(DIR_SRC)/src/patches/oinkmaster-tmp.patch
cd $(DIR_APP) && install -m 0755 oinkmaster.pl /usr/local/bin/
@rm -rf $(DIR_APP)
@$(POSTBUILD)
include Config
-VER = 2.9.11.1
+VER = 4.0.5
-THISAPP = snort-$(VER)
+THISAPP = suricata-$(VER)
DL_FILE = $(THISAPP).tar.gz
DL_FROM = $(URL_IPFIRE)
DIR_APP = $(DIR_SRC)/$(THISAPP)
$(DL_FILE) = $(DL_FROM)/$(DL_FILE)
-$(DL_FILE)_MD5 = 378e3938b2b5c8e358f942d0ffce18cc
+$(DL_FILE)_MD5 = ea0cb823d6a86568152f75ade6de442f
install : $(TARGET)
$(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
@$(PREBUILD)
- @rm -rf $(DIR_APP) $(DIR_SRC)/snort* && cd $(DIR_SRC) && tar zxf $(DIR_DL)/$(DL_FILE)
+ @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar zxf $(DIR_DL)/$(DL_FILE)
cd $(DIR_APP) && ./configure \
--prefix=/usr \
- --sysconfdir=/etc/snort \
- --target=i586 \
- --enable-linux-smp-stats \
- --enable-gre --enable-mpls \
- --enable-targetbased \
- --enable-ppm \
- --enable-non-ether-decoders \
- --enable-perfprofiling \
- --enable-active-response \
- --enable-normalizer \
- --enable-reload \
- --enable-react \
- --enable-flexresp3
-
- cd $(DIR_APP) && make
+ --sysconfdir=/etc \
+ --localstatedir=/var \
+ --enable-gccprotect \
+ --disable-gccmarch-native \
+ --enable-non-bundled-htp \
+ --enable-nfqueue \
+ --disable-static
+ cd $(DIR_APP) && make $(MAKETUNING)
cd $(DIR_APP) && make install
- mv /usr/bin/snort /usr/sbin/
- -mkdir -p /etc/snort/rules
-
- cd $(DIR_APP) && install -m 0644 \
- etc/reference.config etc/classification.config /etc/snort/rules
- cd $(DIR_APP) && install -m 0644 etc/unicode.map /etc/snort
- install -m 0644 $(DIR_SRC)/config/snort/snort.conf /etc/snort
- cp /etc/snort/snort.conf /etc/snort/snort.conf.template
- chown -R nobody:nobody /etc/snort
- -mkdir -p /var/log/snort
- chown -R snort:snort /var/log/snort
- @rm -rf $(DIR_APP) $(DIR_SRC)/snort*
+ cd $(DIR_APP) && make install-conf
+
+ # Remove default suricata config file.
+ rm -rvf /etc/suricata/suricata.yaml
+
+ # Install IPFire related config file.
+ install -m 0644 $(DIR_SRC)/config/suricata/suricata.yaml /etc/suricata
+
+ # Create emtpy rules directory.
+ -mkdir -p /var/lib/suricata
+
+ # Move config files for references, threshold and classification
+ # to the rules directory.
+ mv /etc/suricata/*.config /var/lib/suricata
+
+ # Set correct ownership for /var/lib/suricata
+ chown nobody:nobody /var/lib/suricata
+
+ # Create logging directory.
+ -mkdir -p /var/log/suricata
+
+ @rm -rf $(DIR_APP)
@$(POSTBUILD)
include Config
-VER = 2.0.6
+VER = 0.2.1
-THISAPP = daq-$(VER)
+THISAPP = yaml-$(VER)
DL_FILE = $(THISAPP).tar.gz
DL_FROM = $(URL_IPFIRE)
DIR_APP = $(DIR_SRC)/$(THISAPP)
$(DL_FILE) = $(DL_FROM)/$(DL_FILE)
-$(DL_FILE)_MD5 = 2cd6da422a72c129c685fc4bb848c24c
+$(DL_FILE)_MD5 = 72724b9736923c517e5a8fc6757ef03d
install : $(TARGET)
$(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
@$(PREBUILD)
@rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar zxf $(DIR_DL)/$(DL_FILE)
- cd $(DIR_APP) && ./configure --prefix=/usr
- cd $(DIR_APP) && make
+ cd $(DIR_APP) && ./configure \
+ --prefix=/usr \
+ --disable-static
+ cd $(DIR_APP) && make $(MAKETUNING)
cd $(DIR_APP) && make install
@rm -rf $(DIR_APP)
@$(POSTBUILD)
lfsmake2 setserial
lfsmake2 setup
lfsmake2 libdnet
- lfsmake2 daq
- lfsmake2 snort
+ lfsmake2 yaml
+ lfsmake2 libhtp
+ lfsmake2 suricata
lfsmake2 oinkmaster
+ lfsmake2 ids-ruleset-sources
lfsmake2 squid
lfsmake2 squidguard
lfsmake2 calamaris
iptables -A INPUT -j GUARDIAN
iptables -A FORWARD -j GUARDIAN
+ # IPS (suricata) chains
+ iptables -N IPS
+ iptables -A INPUT -j IPS
+ iptables -A FORWARD -j IPS
+
# Block non-established IPsec networks
iptables -N IPSECBLOCK
iptables -A FORWARD -m policy --dir out --pol none -j IPSECBLOCK
+++ /dev/null
-#!/bin/sh
-########################################################################
-# Begin $rc_base/init.d/snort
-#
-# Description : Snort Initscript
-#
-# Authors : Michael Tremer for ipfire.org - mitch@ipfire.org
-#
-# Version : 01.00
-#
-# Notes :
-#
-########################################################################
-
-. /etc/sysconfig/rc
-. ${rc_functions}
-
-PATH=/usr/local/sbin:/usr/local/bin:/bin:/usr/bin:/sbin:/usr/sbin; export PATH
-
-eval $(/usr/local/bin/readhash /var/ipfire/ethernet/settings)
-eval $(/usr/local/bin/readhash /var/ipfire/snort/settings)
-
-ALIASFILE="/var/ipfire/ethernet/aliases"
-
-case "$1" in
- start)
- if [ "$BLUE_NETADDRESS" ]; then
- BLUE_NET="$BLUE_NETADDRESS/$BLUE_NETMASK,"
- BLUE_IP="$BLUE_ADDRESS,"
- fi
-
- if [ "$ORANGE_NETADDRESS" ]; then
- ORANGE_NET="$ORANGE_NETADDRESS/$ORANGE_NETMASK,"
- ORANGE_IP="$ORANGE_ADDRESS,"
- fi
-
- if [ "$ENABLE_SNORT_ORANGE" == "on" ]; then
- DEVICES+="$ORANGE_DEV "
- HOMENET+="$ORANGE_IP"
- else
- HOMENET+="$ORANGE_NET"
- fi
-
- if [ "$ENABLE_SNORT_BLUE" == "on" ]; then
- DEVICES+="$BLUE_DEV "
- HOMENET+="$BLUE_IP"
- else
- HOMENET+="$BLUE_NET"
- fi
-
- if [ "$ENABLE_SNORT_GREEN" == "on" ]; then
- DEVICES+="$GREEN_DEV "
- HOMENET+="$GREEN_ADDRESS,"
- else
- HOMENET+="$GREEN_NETADDRESS/$GREEN_NETMASK,"
- fi
-
- if [ "$ENABLE_SNORT" == "on" ]; then
- DEVICES+=`cat /var/ipfire/red/iface 2>/dev/null`
- LOCAL_IP=`cat /var/ipfire/red/local-ipaddress 2>/dev/null`
- if [ "$LOCAL_IP" ]; then
- HOMENET+="$LOCAL_IP,"
- fi
-
- # Check if the red device is set to static and
- # any aliases have been configured.
- if [ "${RED_TYPE}" == "STATIC" ] && [ -s "${ALIASFILE}" ]; then
- # Read in aliases file.
- while IFS="," read -r address mode remark; do
- # Check if the alias is enabled.
- [ "${mode}" = "on" ] || continue
-
- # Add alias to the list of HOMENET addresses.
- HOMENET+="${address},"
- done < "${ALIASFILE}"
- fi
- fi
- HOMENET+="127.0.0.1"
- echo "ipvar HOME_NET [$HOMENET]" > /etc/snort/vars
-
- DNS1=`cat /var/ipfire/red/dns1 2>/dev/null`
- DNS2=`cat /var/ipfire/red/dns2 2>/dev/null`
-
- if [ "$DNS2" ]; then
- echo "ipvar DNS_SERVERS [$DNS1,$DNS2]" >> /etc/snort/vars
- else
- echo "ipvar DNS_SERVERS $DNS1" >> /etc/snort/vars
- fi
-
- for DEVICE in $DEVICES; do
- boot_mesg "Starting Intrusion Detection System on $DEVICE..."
- /usr/sbin/snort -c /etc/snort/snort.conf -i $DEVICE -D -l /var/log/snort --create-pidfile --nolock-pidfile --pid-path /var/run
- evaluate_retval
- sleep 1
- chmod 644 /var/run/snort_$DEVICE.pid
- done
- ;;
-
- stop)
- DEVICES=""
- if [ -r /var/run/snort_$BLUE_DEV.pid ]; then
- DEVICES+="$BLUE_DEV "
- fi
-
- if [ -r /var/run/snort_$GREEN_DEV.pid ]; then
- DEVICES+="$GREEN_DEV "
- fi
-
- if [ -r /var/run/snort_$ORANGE_DEV.pid ]; then
- DEVICES+="$ORANGE_DEV "
- fi
-
- RED=`cat /var/ipfire/red/iface 2>/dev/null`
- if [ -r /var/run/snort_$RED.pid ]; then
- DEVICES+=`cat /var/ipfire/red/iface 2>/dev/null`
- fi
-
- for DEVICE in $DEVICES; do
- boot_mesg "Stopping Intrusion Detection System on $DEVICE..."
- killproc -p /var/run/snort_$DEVICE.pid /var/run
- done
-
- rm /var/run/snort_* >/dev/null 2>/dev/null
-
- # Don't report returncode of rm if snort was not started
- exit 0
- ;;
-
- status)
- statusproc /usr/sbin/snort
- ;;
-
- restart)
- $0 stop
- $0 start
- ;;
-
- *)
- echo "Usage: $0 {start|stop|restart|status}"
- exit 1
- ;;
-esac
-
-chmod 644 /var/log/snort/* 2>/dev/null
-
-# End $rc_base/init.d/snort
--- /dev/null
+#!/bin/sh
+########################################################################
+# Begin $rc_base/init.d/suricata
+#
+# Description : Suricata Initscript
+#
+# Author : Stefan Schantl <stefan.schantl@ipfire.org>
+#
+# Version : 01.00
+#
+# Notes :
+#
+########################################################################
+
+. /etc/sysconfig/rc
+. ${rc_functions}
+
+PATH=/usr/local/sbin:/usr/local/bin:/bin:/usr/bin:/sbin:/usr/sbin; export PATH
+
+eval $(/usr/local/bin/readhash /var/ipfire/suricata/settings)
+
+# Name of the firewall chain.
+FW_CHAIN="IPS"
+
+# Optional options for the Netfilter queue.
+NFQ_OPTS="--queue-bypass "
+
+# Array containing the 4 possible network zones.
+network_zones=( red green blue orange )
+
+# Mark and Mask options.
+MARK="0x1"
+MASK="0x1"
+
+# PID file of suricata.
+PID_FILE="/var/run/suricata.pid"
+
+case "$1" in
+ start)
+ # Get amount of CPU cores.
+ NFQUEUES=
+ CPUCOUNT=0
+ while read line; do
+ [ "$line" ] && [ -z "${line%processor*}" ] && NFQUEUES+="-q $CPUCOUNT " && ((CPUCOUNT++))
+ done </proc/cpuinfo
+
+ # Check if the IDS should be started.
+ if [ "$ENABLE_IDS" == "on" ]; then
+ # Loop through the array of network zones.
+ for zone in "${network_zones[@]}"; do
+ # Convert zone into upper case.
+ zone_upper=${zone^^}
+
+ # Generate variable name for checking if the IDS is
+ # enabled on the zone.
+ enable_ids_zone="ENABLE_IDS_$zone_upper"
+
+ # Check if the IDS is enabled for this network zone.
+ if [ "${!enable_ids_zone}" == "on" ]; then
+ # Generate name of the network interface.
+ network_device=$zone
+ network_device+="0"
+
+ # Assign NFQ_OPTS
+ NFQ_OPTIONS=$NFQ_OPTS
+
+ # Check if there are multiple cpu cores available.
+ if [ "$CPUCOUNT" -gt "1" ]; then
+ # Balance beetween all queues.
+ NFQ_OPTIONS+="--queue-balance 0:"
+ NFQ_OPTIONS+=$(($CPUCOUNT-1))
+ else
+ # Send all packets to queue 0.
+ NFQ_OPTIONS+="--queue-num 0"
+ fi
+
+ # Create firewall rules to queue the traffic and pass to
+ # the IDS.
+ iptables -I "$FW_CHAIN" -i "$network_device" -m mark ! --mark "$MARK"/"$MASK" -j NFQUEUE $NFQ_OPTIONS
+ iptables -I "$FW_CHAIN" -o "$network_device" -m mark ! --mark "$MARK"/"$MASK" -j NFQUEUE $NFQ_OPTIONS
+ fi
+ done
+
+ # Start the IDS.
+ boot_mesg "Starting Intrusion Detection System..."
+ /usr/bin/suricata -c /etc/suricata/suricata.yaml -D $NFQUEUES
+ evaluate_retval
+
+ # Allow reading the pidfile.
+ chmod 644 $PID_FILE
+ fi
+ ;;
+
+ stop)
+ boot_mesg "Stopping Intrusion Detection System..."
+ killproc -p $PID_FILE /var/run
+
+ # Flush firewall chain.
+ iptables -F $FW_CHAIN
+
+ # Remove suricata control socket.
+ rm /var/run/suricata/* >/dev/null 2>/dev/null
+
+ # Don't report returncode of rm if suricata was not started
+ exit 0
+ ;;
+
+ status)
+ statusproc /usr/bin/suricata
+ ;;
+
+ restart)
+ $0 stop
+ $0 start
+ ;;
+ reload)
+ # Send SIGUSR2 to the suricata process to perform a reload
+ # of the ruleset.
+ kill -USR2 $(pidof suricata)
+ ;;
+
+ *)
+ echo "Usage: $0 {start|stop|restart|reload|status}"
+ exit 1
+ ;;
+esac
+
+chmod 644 /var/log/suricata/* 2>/dev/null
+
+# End $rc_base/init.d/suricata
PROGS = iowrap
SUID_PROGS = squidctrl sshctrl ipfirereboot \
- ipsecctrl timectrl dhcpctrl snortctrl \
+ ipsecctrl timectrl dhcpctrl suricatactrl \
applejuicectrl rebuildhosts backupctrl collectdctrl \
logwatch wioscan wiohelper openvpnctrl firewallctrl \
wirelessctrl getipstat qosctrl launch-ether-wake \
+++ /dev/null
-/* This file is part of the IPFire Firewall.
- *
- * This program is distributed under the terms of the GNU General Public
- * Licence. See the file COPYING for details.
- *
- */
-
-#include <stdlib.h>
-#include <stdio.h>
-#include <string.h>
-#include <unistd.h>
-#include <sys/types.h>
-#include <fcntl.h>
-#include "setuid.h"
-
-int main(int argc, char *argv[]) {
-
- if (!(initsetuid()))
- exit(1);
-
- if (argc < 2) {
- fprintf(stderr, "\nNo argument given.\n\nsnortctrl (start|stop|restart)\n\n");
- exit(1);
- }
-
- if (strcmp(argv[1], "start") == 0) {
- safe_system("/etc/rc.d/init.d/snort start");
- } else if (strcmp(argv[1], "stop") == 0) {
- safe_system("/etc/rc.d/init.d/snort stop");
- } else if (strcmp(argv[1], "restart") == 0) {
- safe_system("/etc/rc.d/init.d/snort restart");
- } else {
- fprintf(stderr, "\nBad argument given.\n\nsnortctrl (start|stop|restart)\n\n");
- exit(1);
- }
-
- return 0;
-}
--- /dev/null
+/* This file is part of the IPFire Firewall.
+ *
+ * This program is distributed under the terms of the GNU General Public
+ * Licence. See the file COPYING for details.
+ *
+ */
+
+#include <stdlib.h>
+#include <stdio.h>
+#include <string.h>
+#include <unistd.h>
+#include <sys/types.h>
+#include <fcntl.h>
+#include "setuid.h"
+
+int main(int argc, char *argv[]) {
+
+ if (!(initsetuid()))
+ exit(1);
+
+ if (argc < 2) {
+ fprintf(stderr, "\nNo argument given.\n\nsuricatactrl (start|stop|restart|reload)\n\n");
+ exit(1);
+ }
+
+ if (strcmp(argv[1], "start") == 0) {
+ safe_system("/etc/rc.d/init.d/suricata start");
+ } else if (strcmp(argv[1], "stop") == 0) {
+ safe_system("/etc/rc.d/init.d/suricata stop");
+ } else if (strcmp(argv[1], "restart") == 0) {
+ safe_system("/etc/rc.d/init.d/suricata restart");
+ } else if (strcmp(argv[1], "reload") == 0) {
+ safe_system("/etc/rc.d/init.d/suricata reload");
+ } else if (strcmp(argv[1], "fix-rules-dir") == 0) {
+ safe_system("chown -R nobody:nobody /var/lib/suricata");
+ } else if (strcmp(argv[1], "cron") == 0) {
+ safe_system("rm /etc/fcron.*/suricata >/dev/null 2>&1");
+ if (strcmp(argv[2], "off") == 0) {
+ return(1);
+ } else if (strcmp(argv[2], "daily") == 0){
+ safe_system("ln -s /usr/local/bin/update-ids-ruleset /etc/fcron.daily/suricata");
+ } else if (strcmp(argv[2], "weekly") == 0){
+ safe_system("ln -s /usr/local/bin/update-ids-ruleset /etc/fcron.weekly/suricata");
+ } else{
+ printf("invalid parameter(s)\n");
+ return(1);
+ }
+ } else {
+ fprintf(stderr, "\nBad argument given.\n\nsuricatactrl (start|stop|restart|reload)\n\n");
+ exit(1);
+ }
+
+ return 0;
+}
--- /dev/null
+#!/usr/bin/perl
+###############################################################################
+# #
+# IPFire.org - A linux based firewall #
+# Copyright (C) 2018 IPFire Team <info@ipfire.org> #
+# #
+# This program is free software: you can redistribute it and/or modify #
+# it under the terms of the GNU General Public License as published by #
+# the Free Software Foundation, either version 3 of the License, or #
+# (at your option) any later version. #
+# #
+# This program is distributed in the hope that it will be useful, #
+# but WITHOUT ANY WARRANTY; without even the implied warranty of #
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the #
+# GNU General Public License for more details. #
+# #
+# You should have received a copy of the GNU General Public License #
+# along with this program. If not, see <http://www.gnu.org/licenses/>. #
+# #
+###############################################################################
+
+use strict;
+
+require '/var/ipfire/general-functions.pl';
+require "${General::swroot}/ids-functions.pl";
+require "${General::swroot}/lang.pl";
+
+# Check if the red device is active.
+unless (-e "${General::swroot}/red/active") {
+ # Store notice in the syslog.
+ &IDS::_log_to_syslog("The system is offline.");
+
+ # Store error message for displaying in the WUI.
+ &IDS::_store_error_message("$Lang::tr{'could not download latest updates'}");
+
+ # Exit.
+ exit 0;
+}
+
+# Check if enought free disk space is availabe.
+if(&IDS::checkdiskspace()) {
+ # Store the error message for displaying in the WUI.
+ &IDS::_store_error_message("$Lang::tr{'not enough disk space'}");
+
+ # Exit.
+ exit 0;
+}
+
+# Call the download function and gather the new ruleset.
+if(&IDS::downloadruleset()) {
+ # Store error message for displaying in the WUI.
+ &IDS::_store_error_message("$Lang::tr{'could not download latest updates'}");
+
+ # Exit.
+ exit 0;
+}
+
+# Call oinkmaster to alter the ruleset.
+&IDS::oinkmaster();
+
+# Check if the IDS is running.
+if(&IDS::ids_is_running()) {
+ # Call suricatactrl to perform a reload.
+ &IDS::call_suricatactrl("reload");
+}
+
+1;
projects / people / pmueller / ipfire-2.x.git / commitdiff
