people/pmueller/ipfire-2.x.git
Michael Tremer [Sat, 2 Mar 2019 17:18:39 +0000 (17:18 +0000)]
suricata: Drop parsers I have never heard of

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Michael Tremer [Sat, 2 Mar 2019 17:18:38 +0000 (17:18 +0000)]
suricata: Configure HTTP decoder

This will now scan all request and response bodies where possible
and use up to 256MB of RAM

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Michael Tremer [Sat, 2 Mar 2019 17:18:37 +0000 (17:18 +0000)]
Revert "Suricata: detect DNS events on port 853, too"

This reverts commit ad99f959e2b83dd9f1275c1d385140271c8926ae.

It does not make any sense to try to decode the TLS connection
with the DNS decoder.

Therefore, 853 (TCP only) should be added to the TLS decoder.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Michael Tremer [Thu, 28 Feb 2019 19:37:38 +0000 (19:37 +0000)]
suricata: Use highest bit to mark packets

We are using the netfilter MARK in IPsec & QoS and this
is causing conflicts.

Therefore, we use the highest bit in the IPS chain now
and clear it afterwards because we do not really care about
this after the packets have been passed through suricata.

Then, no other application has to worry about suricata.

Fixes: #12010
Signed-off-by: Arne Fitzenreiter <arne.fitzenreiter@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Michael Tremer [Thu, 28 Feb 2019 14:28:25 +0000 (14:28 +0000)]
suricata: Fix syntax error

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Michael Tremer [Thu, 28 Feb 2019 14:28:24 +0000 (14:28 +0000)]
suricata: Start capture first and then load rules

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Michael Tremer [Thu, 28 Feb 2019 14:28:23 +0000 (14:28 +0000)]
suricata: Disable decoding for Teredo

This decoder is not very accurate and Teredo has been
disabled in Windows by default. Nobody will use this.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Michael Tremer [Thu, 28 Feb 2019 14:28:22 +0000 (14:28 +0000)]
suricata: Increase memory size for the stream engine

This change also ensures that suricata has a decent number
of streams preallocated to be able to handle any bursts in traffic.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Michael Tremer [Thu, 28 Feb 2019 14:28:21 +0000 (14:28 +0000)]
suricata: Log to syslog like a normal process

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Michael Tremer [Thu, 28 Feb 2019 14:28:20 +0000 (14:28 +0000)]
suricata: Use up to 256MB of RAM for the flow cache

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Michael Tremer [Thu, 28 Feb 2019 14:28:19 +0000 (14:28 +0000)]
suricata: Use 64MB of RAM for defragmentation

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Michael Tremer [Thu, 28 Feb 2019 14:28:18 +0000 (14:28 +0000)]
suricata: Use the correct path for the magic database

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Michael Tremer [Thu, 28 Feb 2019 14:28:17 +0000 (14:28 +0000)]
suricata: Log to syslog

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Michael Tremer [Thu, 28 Feb 2019 14:28:16 +0000 (14:28 +0000)]
suricata: We do not use any IP reputation lists

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Michael Tremer [Thu, 28 Feb 2019 14:28:14 +0000 (14:28 +0000)]
suricata: Allow 32MB of RAM for DNS decoding

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Michael Tremer [Thu, 28 Feb 2019 14:28:12 +0000 (14:28 +0000)]
suricata: Drop sections that require Rust

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Michael Tremer [Thu, 28 Feb 2019 14:28:11 +0000 (14:28 +0000)]
suricata: Drop some commented stuff from configuration

The file is really large and we should not carry anything we will
never use.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Michael Tremer [Thu, 28 Feb 2019 14:28:10 +0000 (14:28 +0000)]
suricata: Drop profiling section from configuration

This is not compiled in as it slows down detection and is
only really useful for debugging

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Michael Tremer [Thu, 28 Feb 2019 14:28:09 +0000 (14:28 +0000)]
suricata: Set detection profile to high

This will merge rules more aggressively so that the engine
is only processing those that can actually match.

Memory is cheap. People with little memory should not run
suricata anyways.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Michael Tremer [Thu, 28 Feb 2019 14:28:08 +0000 (14:28 +0000)]
suricata: Set default packet size to 1514

We usually use an MTU of 1500 + Ethernet header

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Michael Tremer [Thu, 28 Feb 2019 14:28:07 +0000 (14:28 +0000)]
suricata: Set max-pending-packets to 1024

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Peter Müller [Fri, 22 Feb 2019 20:16:00 +0000 (20:16 +0000)]
Suricata: detect TLS traffic on port 444, too

This is the default port for IPFire's administrative web interface
and should be monitored by Suricata, too.

Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Cc: Stefan Schantl <stefan.schantl@ipfire.org>
Acked-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Stefan Schantl [Fri, 22 Feb 2019 09:04:27 +0000 (10:04 +0100)]
convert-snort: Try to download ruleset if none is present.

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Stefan Schantl [Mon, 18 Feb 2019 12:33:41 +0000 (13:33 +0100)]
convert-snort: Set correct ownership after modify_sids_file has been generated.

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Stefan Schantl [Mon, 18 Feb 2019 12:29:47 +0000 (13:29 +0100)]
ids.cgi: Add language string for ignored hosts section.

Fixes #12002.

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Michael Tremer [Mon, 18 Feb 2019 10:28:13 +0000 (10:28 +0000)]
general-functions.pl: Only skip lines with a # at the beginning

This accidentally dropped all lines that include #. That resulted
in colour codes not being loaded from file any more.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Stefan Schantl [Mon, 18 Feb 2019 09:55:27 +0000 (10:55 +0100)]
ids-functions.pl: Tune rules to always monitor in both directions.

This will allow scanning the traffic from an EXTERNAL_NET to the HOME_NET and from
the HOME_NET to the EXTERNAL_NET.

Reference: 10273

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Stefan Schantl [Mon, 18 Feb 2019 09:01:47 +0000 (10:01 +0100)]
suricata: Switch to "16" as repeat-mark and repeat-mask.

Marks "1-3" are used for marking source-natted packets on the
interfaces and 4 up to 6 for TOS and QOS. The mark "32" is used by IPsec.

See commit: f5ad510e3c0f416a1507999f5ad20ab171df9c07

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Stefan Schantl [Fri, 15 Feb 2019 12:26:55 +0000 (13:26 +0100)]
Suricata: Start service on red.up event if requested

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Stefan Schantl [Fri, 15 Feb 2019 11:39:56 +0000 (12:39 +0100)]
collectd: Stop collecting process details for snort

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Stefan Schantl [Fri, 15 Feb 2019 11:18:45 +0000 (12:18 +0100)]
services.cgi: Show status of suricata instead of snort

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Stefan Schantl [Fri, 15 Feb 2019 10:22:14 +0000 (11:22 +0100)]
logrotate: Rotate suricata logs instead of snort ones

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Stefan Schantl [Thu, 14 Feb 2019 11:37:13 +0000 (12:37 +0100)]
convert-snort: Always create directory and filelayout

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Stefan Schantl [Thu, 14 Feb 2019 11:15:41 +0000 (12:15 +0100)]
convert-snort: Call subfunction to change ownership of rulestarball

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Stefan Schantl [Thu, 14 Feb 2019 10:43:31 +0000 (11:43 +0100)]
ids-ruleset-sources: Fix rootfile

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Stefan Schantl [Wed, 13 Feb 2019 18:46:45 +0000 (19:46 +0100)]
Merge branch 'next' of ssh://git.ipfire.org/pub/git/ipfire-2.x into next-suricata

Michael Tremer [Wed, 13 Feb 2019 11:32:00 +0000 (11:32 +0000)]
core128: Ship kdig

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Erik Kapfer [Sat, 9 Feb 2019 07:41:15 +0000 (08:41 +0100)]
knot: Reduced version of knot with kdig only

Signed-off-by: Erik Kapfer <ummeegge@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Wed, 13 Feb 2019 11:31:24 +0000 (11:31 +0000)]
core128: Ship libedit

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Erik Kapfer [Sat, 9 Feb 2019 07:41:14 +0000 (08:41 +0100)]
libedit: A command line editor library

Dependency for knot (kdig).

Signed-off-by: Erik Kapfer <ummeegge@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Matthias Fischer [Sun, 10 Feb 2019 19:13:17 +0000 (20:13 +0100)]
powertop: Update to 2.10

Hi,

Triggered by:
https://forum.ipfire.org/viewtopic.php?f=69&t=22274

For details see:
https://01.org/powertop/downloads/powertop-v2.10

Best,
Matthias

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Matthias Fischer [Sat, 9 Feb 2019 09:59:08 +0000 (10:59 +0100)]
dhcpcd: Update to 7.1.1

For details see:
https://roy.marples.name/blog/dhcpcd-7-1-1-released

"A minor update, highlights include:

 IPv4LL: Fixed build with this disabled
 IPv4LL: Remember last address between carrier resets
 BSD: Fixed initial link infos reported as LINK_STATE_UNKNOWN
 FreeBSD: Avoid panicking kernel when RTA_IFP is set for IPv6 prefix routes"

Best,
Matthias

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Matthias Fischer [Sat, 9 Feb 2019 09:37:22 +0000 (10:37 +0100)]
curl: Update to 7.64.0

Hi,

For details see:
https://curl.haxx.se/changes.html

This came rather unexpected - if I'd known, I'd have waited with 7.63.0.

"Changes:
cookies: leave secure cookies alone
hostip: support wildcard hosts
http: Implement trailing headers for chunked transfers
http: added options for allowing HTTP/0.9 responses
timeval: Use high resolution timestamps on Windows

Bugfixes:
CVE-2018-16890: NTLM type-2 out-of-bounds buffer read
CVE-2019-3822: NTLMv2 type-3 header stack buffer overflow
CVE-2019-3823: SMTP end-of-response out-of-bounds read
FAQ: remove mention of sourceforge for github
OS400: handle memory error in list conversion
OS400: upgrade ILE/RPG binding.
README: add codacy code quality badge
Revert http_negotiate: do not close connection
THANKS: added several missing names from year <= 2000
build: make 'tidy' target work for metalink builds
cmake: added checks for variadic macros
cmake: updated check for HAVE_POLL_FINE to match autotools
cmake: use lowercase for function name like the rest of the code
configure: detect xlclang separately from clang
configure: fix recv/send/select detection on Android
configure: rewrite --enable-code-coverage
conncache_unlock: avoid indirection by changing input argument type
cookie: fix comment typo
cookies: allow secure override when done over HTTPS
cookies: extend domain checks to non psl builds
cookies: skip custom cookies when redirecting cross-site
curl --xattr: strip credentials from any URL that is stored
curl -J: refuse to append to the destination file
curl/urlapi.h: include "curl.h" first
curl_multi_remove_handle() don't block terminating c-ares requests
darwinssl: accept setting max-tls with default min-tls
disconnect: separate connections and easy handles better
disconnect: set conn->data for protocol disconnect
docs/version.d: mention MultiSSL
docs: fix the --tls-max description
docs: use $(INSTALL_DATA) to install man page
docs: use meaningless port number in CURLOPT_LOCALPORT example
gopher: always include the entire gopher-path in request
http2: clear pause stream id if it gets closed
if2ip: remove unused function Curl_if_is_interface_name
libssh: do not let libssh create socket
libssh: enable CURLOPT_SSH_KNOWNHOSTS and CURLOPT_SSH_KEYFUNCTION for libssh
libssh: free sftp_canonicalize_path() data correctly
libtest/stub_gssapi: use "real" snprintf
mbedtls: use VERIFYHOST
multi: multiplexing improvements
multi: set the EXPIRE_*TIMEOUT timers at TIMER_STARTSINGLE time
ntlm: fix NTLMv2 compliance
ntlm_sspi: add support for channel binding
openssl: adapt to 3.0.0, OpenSSL_version_num() is deprecated
openssl: fix the SSL_get_tlsext_status_ocsp_resp call
openvms: fix OpenSSL discovery on VAX
openvms: fix typos in documentation
os400: add a missing closing bracket
os400: fix extra parameter syntax error
pingpong: change default response timeout to 120 seconds
pingpong: ignore regular timeout in disconnect phase
printf: fix format specifiers
runtests.pl: Fix perl call to include srcdir
schannel: fix compiler warning
schannel: preserve original certificate path parameter
schannel: stop calling it "winssl"
sigpipe: if mbedTLS is used, ignore SIGPIPE
smb: fix incorrect path in request if connection reused
ssh: log the libssh2 error message when ssh session startup fails
test1558: verify CURLINFO_PROTOCOL on file:// transfer
test1561: improve test name
test1653: make it survive torture tests
tests: allow tests to pass by 2037-02-12
tests: move objnames-* from lib into tests
timediff: fix math for unsigned time_t
timeval: Disable MSVC Analyzer GetTickCount warning
tool_cb_prg: avoid integer overflow
travis: added cmake build for osx
urlapi: Fix port parsing of eol colon
urlapi: distinguish possibly empty query
urlapi: fix parsing ipv6 with zone index
urldata: rename easy_conn to just conn
winbuild: conditionally use /DZLIB_WINAPI
wolfssl: fix memory-leak in threaded use
spnego_sspi: add support for channel binding"

Best,
Matthias

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Arne Fitzenreiter [Fri, 8 Feb 2019 19:50:37 +0000 (20:50 +0100)]
kernel: update to 4.14.98

todo: check if RPi dwc dma patch still needs to be reverted before release

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Stefan Schantl [Fri, 8 Feb 2019 08:59:31 +0000 (09:59 +0100)]
Merge branch 'next' of ssh://git.ipfire.org/pub/git/ipfire-2.x into next-suricata

Stefan Schantl [Fri, 8 Feb 2019 08:56:36 +0000 (09:56 +0100)]
libhtp: Update to 0.5.29

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Stefan Schantl [Fri, 8 Feb 2019 08:55:46 +0000 (09:55 +0100)]
ruleset-sources: Update sourcefire rulesets to latest snapshot version

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Matthias Fischer [Fri, 8 Feb 2019 11:01:42 +0000 (12:01 +0100)]
borgbackup: Fix build on i586

Fixes

...
'/usr/src/config/rootfiles/packages//borgbackup' -> '/install/packages/package/ROOTFILES'
tar: usr/lib/python3.6/site-packages/borg/chunker.cpython-36m-i586-linux-gnu.so: Cannot stat: No such file or directory
tar: usr/lib/python3.6/site-packages/borg/compress.cpython-36m-i586-linux-gnu.so: Cannot stat: No such file or directory
tar: usr/lib/python3.6/site-packages/borg/crypto.cpython-36m-i586-linux-gnu.so: Cannot stat: No such file or directory
tar: usr/lib/python3.6/site-packages/borg/hashindex.cpython-36m-i586-linux-gnu.so: Cannot stat: No such file or directory
tar: usr/lib/python3.6/site-packages/borg/platform_linux.cpython-36m-i586-linux-gnu.so: Cannot stat: No such file or directory
tar: Exiting with failure status due to previous errors
make: *** [borgbackup:58: dist] Error 2
...

Best,
Matthias

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Matthias Fischer [Fri, 8 Feb 2019 10:57:47 +0000 (11:57 +0100)]
python3-llfuse: Fix build on i586

Fixes

"tar: usr/lib/python3.6/site-packages/llfuse.cpython-36m-i586-linux-gnu.so:
Cannot stat: No such file or directory"

Best,
Matthias

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Peter Müller [Thu, 7 Feb 2019 17:47:00 +0000 (17:47 +0000)]
Suricata: detect DNS events on port 853, too

As DNS over TLS popularity is increasing, port 853 becomes
more interesting for an attacker as a bypass method. Enabling
this port for DNS monitoring makes sense in order to avoid
unusual activity (non-DNS traffic) as well as "normal" DNS
attacks.

Partially fixes #11808

Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Cc: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Peter Müller [Thu, 7 Feb 2019 17:41:00 +0000 (17:41 +0000)]
Suricata: enable full detection for missing protocols

These are IMAP and MSN, which can be safely enabled.

Partially fixes #11808

Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Cc: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Peter Müller [Thu, 7 Feb 2019 17:38:00 +0000 (17:38 +0000)]
Suricata: detect TLS traffic on IMAPS/POP3S/SSMTP ports, as well

Partially fixes #11808

Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Cc: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Michael Tremer [Thu, 7 Feb 2019 15:13:50 +0000 (15:13 +0000)]
core128: Ship updated firewall initscript

Require reboot after the update

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Peter Müller [Wed, 6 Feb 2019 21:00:00 +0000 (21:00 +0000)]
apply default firewall policy for ORANGE, too

If firewall default policy is set to DROP, this setting was not
applied to outgoing ORANGE traffic as well, which was misleading.

Fixes #11973

Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Cc: Michael Tremer <michael.tremer@ipfire.org>
Cc: Oliver Fuhrer <oliver.fuhrer@bluewin.ch>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Peter Müller [Wed, 6 Feb 2019 19:21:00 +0000 (19:21 +0000)]
Tor: update to 0.3.5.7

Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Stefan Schantl [Thu, 7 Feb 2019 09:33:29 +0000 (10:33 +0100)]
ids.cgi: Format and show date of the current ruleset again

Fixes #11992

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Stefan Schantl [Thu, 7 Feb 2019 08:46:01 +0000 (09:46 +0100)]
ids.cgi: Change name of the button to apply the ruleset changes

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Stefan Schantl [Thu, 7 Feb 2019 08:02:32 +0000 (09:02 +0100)]
langs: Remove snort related and unused strings

Fixes #11993.

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Stefan Schantl [Thu, 7 Feb 2019 08:00:35 +0000 (09:00 +0100)]
logs.cgi/ids.dat: Do not call the IDS snort again

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Stefan Schantl [Thu, 7 Feb 2019 07:51:31 +0000 (08:51 +0100)]
ids.cgi: Improve messages shown while the IDS is working

Reference #11993

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Stefan Schantl [Thu, 7 Feb 2019 07:28:29 +0000 (08:28 +0100)]
Add German translation for "system is offline"

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Stefan Schantl [Thu, 7 Feb 2019 07:24:15 +0000 (08:24 +0100)]
ids.cgi: Lock page while autoupdate script is running

Fixes #11991

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Stefan Schantl [Thu, 7 Feb 2019 07:06:49 +0000 (08:06 +0100)]
update-ids-ruleset: Lock and Unlock the IDS page during runtime

Reference #11991

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Stefan Schantl [Thu, 7 Feb 2019 06:59:20 +0000 (07:59 +0100)]
ids-functions.pl: Add code to lock/unlock ids page while autoupdating the ruleset

Reference #11991

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Stefan Schantl [Thu, 7 Feb 2019 06:44:11 +0000 (07:44 +0100)]
ids.cgi: Show "Update Ruleset"-Button only if automatic updates are disabled

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Stefan Schantl [Wed, 6 Feb 2019 14:59:02 +0000 (15:59 +0100)]
aliases.cgi: Handle suricata related actions when dealing with aliases

When working with aliases (adding/modifying/removing), the file which
contains the HOME_NET declarations needs to be re-generated and suricata
requires a restart afterwards.

Fixes #11990

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Stefan Schantl [Wed, 6 Feb 2019 14:23:46 +0000 (15:23 +0100)]
IDS: Call helper script when red interface comes up

The helper script will be automatically called when the red interface comes up
and will re-generate the HOME_NET file, to handle the case where the IP address of this
interface has changed.

Fixes #11989

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Stefan Schantl [Wed, 6 Feb 2019 12:12:50 +0000 (13:12 +0100)]
IDS: Edit German translation for "ids oinkcode required".

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Stefan Schantl [Wed, 6 Feb 2019 11:49:01 +0000 (12:49 +0100)]
ids.cgi: Check if the selected ruleset requires an oinkcode

Fixes #11983

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Stefan Schantl [Wed, 6 Feb 2019 11:48:08 +0000 (12:48 +0100)]
ids.cgi: Only perform actions when saving ruleset settings, if there are no error messages

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Stefan Schantl [Wed, 6 Feb 2019 09:58:59 +0000 (10:58 +0100)]
ids-functions.pl: Do not send HEAD requests to sourcefire (snort.org) servers

Using this feature to fetch the size of the requested tarball is not allowed by these
servers, so skip this feature for their rulesets.

Fixes #11987

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Stefan Schantl [Wed, 6 Feb 2019 09:00:17 +0000 (10:00 +0100)]
Revert "ids-functions.pl: Use GET method to fetch Header data of a file"

Using the GET method will download the file twice and does not provide the
desired mechanism here.

This reverts commit 81592314ebe93ae942f28a1bc9037185f155ccda.

Stefan Schantl [Tue, 5 Feb 2019 13:34:44 +0000 (14:34 +0100)]
ids.cgi: Fix HTML formatted spaces.

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Stefan Schantl [Tue, 5 Feb 2019 13:14:11 +0000 (14:14 +0100)]
ids.cgi: Rework "Enable IPS" section

Just use one language string for maximum flexibility for the
translators.

Fixes #11986

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Stefan Schantl [Tue, 5 Feb 2019 12:57:40 +0000 (13:57 +0100)]
suricata: Do not display messages when starting up

Fixes #11979.

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Stefan Schantl [Tue, 5 Feb 2019 12:51:08 +0000 (13:51 +0100)]
ids.cgi: Change lang string from "Activate IPS" to "Enable IPS"

Reference #11986

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Stefan Schantl [Tue, 5 Feb 2019 12:25:27 +0000 (13:25 +0100)]
IDS: Rename IDS strings to IPS

Reference: #11986

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Stefan Schantl [Tue, 5 Feb 2019 11:43:49 +0000 (12:43 +0100)]
ids.cgi: Stop suricata when the ruleset source has been changed

If the ruleset source has been changed, it has to be configured again.
This happens because of different rule categories, filenames, rule IDs etc.

In case suricata currently is running it has to be stopped and after the configuration
has been done by the user, it can be launched again.

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Stefan Schantl [Tue, 5 Feb 2019 11:36:30 +0000 (12:36 +0100)]
ids.cgi: Fix downloading rules if source changed

Fix the if statement to detect whether the ruleset has been
changed and automatically download the new one.

Fixes #11984.

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Stefan Schantl [Tue, 5 Feb 2019 11:13:28 +0000 (12:13 +0100)]
ids.cgi: Update automatic download texts

Update the texts shown in the dropdown box as mentioned in the
bug report.

Fixes #11985

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Stefan Schantl [Tue, 5 Feb 2019 11:01:43 +0000 (12:01 +0100)]
ids-functions.pl: Use GET method to fetch Header data of a file

The Sourcefire web servers do not support the HEAD request so we have to do
this with a GET here.

Fixes #11987

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Stefan Schantl [Tue, 5 Feb 2019 10:55:37 +0000 (11:55 +0100)]
ids-functions.pl: Fix show HTTP error code and message

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Jonatan Schlag [Tue, 5 Feb 2019 18:33:31 +0000 (18:33 +0000)]
python3-msgpack: Fix build on i586

Signed-off-by: Jonatan Schlag <jonatan.schlag@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Mon, 4 Feb 2019 07:00:13 +0000 (07:00 +0000)]
python3-dateutil: Update rootfiles

Changed because of new python3-setuptools

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Mon, 4 Feb 2019 00:40:02 +0000 (00:40 +0000)]
core128: Ship updated dhcpcd

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Matthias Fischer [Mon, 4 Feb 2019 17:38:44 +0000 (18:38 +0100)]
dhcpcd: Update to 7.1.0

For some information about this update see:
https://roy.marples.name/blog/dhcpcd-7-1-0-released

"dhcpcd-7.1.0 has been released with the following changes:

- OpenBSD: works alongside slaacd(8)
- NetBSD: sets SO_RERROR on to detect receive socket overflow
- BSD: route improvements to avoid listening for own changes
- Linux: use NETLINK_BROADCAST_ERROR
- BSD: avoid late address deletion messages by testing address existence
- IP6: implement IP6 address sharing
- BSD: catch UP/DOWN events when interfaces does support media changes
- IPv4LL: remember old address when carrier is lost

Many other minor fixes and documentation updates have been submitted by various
community members for this release..."

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
4 months agocore128: Ship updated curl
Michael Tremer [Mon, 4 Feb 2019 00:15:24 +0000 (00:15 +0000)]
core128: Ship updated curl

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
4 months agocurl: Update to 7.63.0
Matthias Fischer [Mon, 4 Feb 2019 17:30:54 +0000 (18:30 +0100)]
curl: Update to 7.63.0

For details see:
https://curl.haxx.se/changes.html

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
4 months agoupdate.sh: Delete .rnd files
Erik Kapfer [Sat, 2 Feb 2019 07:46:12 +0000 (08:46 +0100)]
update.sh: Delete .rnd files

Since RANDFILE has been disabled in OpenSSL configurations, .rnd files are not needed anymore.

Signed-off-by: Erik Kapfer <ummeegge@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
4 months agocore128: Ship updated apr
Michael Tremer [Sun, 3 Feb 2019 21:42:43 +0000 (21:42 +0000)]
core128: Ship updated apr

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
4 months agoUpdated apr, stabilized apache build
Wolfgang Apolinarski [Sun, 3 Feb 2019 14:11:58 +0000 (15:11 +0100)]
Updated apr, stabilized apache build

- Updated apr to 1.6.5
- Stabilized apache build (rebuild)

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
4 months agopython3-llfuse: fix rootfile for non x86_64 builds
Arne Fitzenreiter [Sun, 3 Feb 2019 14:28:52 +0000 (15:28 +0100)]
python3-llfuse: fix rootfile for non x86_64 builds

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
4 months agokernel: update to 4.14.97
Arne Fitzenreiter [Sun, 3 Feb 2019 11:45:52 +0000 (12:45 +0100)]
kernel: update to 4.14.97

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
4 months agohaproxy: Bump version to support TLSv1.3 (and PCRE JIT)
Michael Tremer [Fri, 1 Feb 2019 17:34:02 +0000 (17:34 +0000)]
haproxy: Bump version to support TLSv1.3 (and PCRE JIT)

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
4 months agocore128: Restart updated apache
Michael Tremer [Fri, 1 Feb 2019 17:12:23 +0000 (17:12 +0000)]
core128: Restart updated apache

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
4 months agoapache: Update to 2.4.38
Matthias Fischer [Fri, 1 Feb 2019 17:06:38 +0000 (18:06 +0100)]
apache: Update to 2.4.38

For details see:
http://mirror.checkdomain.de/apache//httpd/CHANGES_2.4.38

Best,
Matthias

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
4 months agocore128: Ship AWS scripts again
Michael Tremer [Fri, 1 Feb 2019 17:08:44 +0000 (17:08 +0000)]
core128: Ship AWS scripts again

It seems that this was missing in Core Update 125/126 so not all
bug fixes made it into the release.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
4 months agoAdd new package borgbackup
Jonatan Schlag [Fri, 1 Feb 2019 11:52:45 +0000 (11:52 +0000)]
Add new package borgbackup

Signed-off-by: Jonatan Schlag <jonatan.schlag@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
4 months agoAdd new package python3-msgpack
Jonatan Schlag [Fri, 1 Feb 2019 11:52:44 +0000 (11:52 +0000)]
Add new package python3-msgpack

Signed-off-by: Jonatan Schlag <jonatan.schlag@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
4 months agoAdd new package python3-llfuse
Jonatan Schlag [Fri, 1 Feb 2019 11:52:43 +0000 (11:52 +0000)]
Add new package python3-llfuse

Signed-off-by: Jonatan Schlag <jonatan.schlag@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>